Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ LuminousMoth

🌐LuminousMoth

🌐 LuminousMoth is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 28 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1014) ↗
14Use cases
0Articles
28Techniques
0IOCs

About this actor (MITRE)

[LuminousMoth](https://attack.mitre.org/groups/G1014) is a Chinese-speaking cyber espionage group that has been active since at least October 2020. [LuminousMoth](https://attack.mitre.org/groups/G1014) has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between [LuminousMoth](https://attack.mitre.org/groups/G1014) and [Mustang Panda](https://attack.mitre.org/groups/G0129) based on similar targeting and TTPs, as well as network infrastructu

Known aliases

LuminousMoth

Top techniques

T1005 · Data from Local SystemT1030 · Data Transfer Size LimitsT1033 · System Owner/User Discovery

All other tracked techniques

T1036.005 · Match Legitimate Resource Name or LocationT1041 · Exfiltration Over C2 ChannelT1053.005 · Scheduled TaskT1071.001 · Web ProtocolsT1083 · File and Directory DiscoveryT1091 · Replication Through Removable MediaT1105 · Ingress Tool TransferT1112 · Modify RegistryT1204.001 · Malicious LinkT1539 · Steal Web Session CookieT1547.001 · Registry Run Keys / Startup FolderT1553.002 · Code SigningT1557.002 · ARP Cache PoisoningT1560 · Archive Collected DataT1564.001 · Hidden Files and DirectoriesT1566.002 · Spearphishing LinkT1567.002 · Exfiltration to Cloud StorageT1574.001 · DLLT1587.001 · MalwareT1588.001 · MalwareT1588.002 · ToolT1588.004 · Digital CertificatesT1608.001 · Upload MalwareT1608.004 · Drive-by TargetT1608.005 · Link Target

Detection use cases (14)

LuminousMoth DLL side-loading via signed Zoom/Office binary from non-install path AI · profile SΣ LuminousMoth USB worm trio — EXE+DLL+LNK dropped to removable drive root AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package-manager child process credential fan-out with public egress (Mini Shai-Hulud / TeamPCP worm chain) MITRE match Package-manager install hook spawns interpreter that beacons to non-registry host within 120s MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match