An advanced persistent threat campaign has targeted at least 1,400 victims in the Philippines, Kaspersky has uncovered.
The campaign, dubbed LuminousMoth by Kaspersky, has been described as a wide-scale cyberespionage campaign that initially targeted entities in Myanmar before it switched focus to the Philippines. The campaign has been operating since at least October 2020.
Of the 1,400 Philippine victims, some are government offices and entities. The infection starts with a spearphishing email containing a Dropbox link to a file that is presented as a Word document but is actually a RAR archive in disguise.
When opened, the archive extracts malware that steals data and spreads to other machines via USB drives. The malware also uses a fake version of Zoom and steals cookies from the Google Chrome browser for lateral movement.
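The disguised archive described above can be caught by comparing a file's Word extension with its leading bytes. The following is an added example, not code from Kaspersky or from the campaign; the function names, verdict strings and sample file names are assumptions made for illustration, and the sample headers are constructed.

```python
import os
import sys

# Leading bytes (magic numbers) of the formats involved.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 4.x, RAR 5.x
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc container
ZIP = b"PK\x03\x04"                          # OOXML (.docx/.docm) is a ZIP
RTF = b"{\\rtf"                              # RTF, often saved with a .doc name
WORD_MAGICS = {
    ".doc": (OLE2, RTF),
    ".docx": (ZIP,),
    ".docm": (ZIP,),
    ".rtf": (RTF,),
}

def check_attachment(name: str, header: bytes) -> str:
    """Compare the claimed Word extension with the file's first bytes."""
    ext = os.path.splitext(name.lower())[1]
    if ext not in WORD_MAGICS:
        return "not-word"                # out of scope for this check
    if header.startswith(RAR_MAGICS):
        return "rar-disguised-as-word"   # the case described in the article
    if header.startswith(WORD_MAGICS[ext]):
        return "ok"
    return "mismatch"                    # Word extension, unexpected content

def check_file(path: str) -> str:
    """Read only the first 8 bytes of a file on disk and classify it."""
    with open(path, "rb") as fh:
        return check_attachment(path, fh.read(8))

# Constructed sample headers (hypothetical file names, no real payloads).
SAMPLES = [
    ("meeting_notes.docx", ZIP + b"\x14\x00\x06\x00"),
    ("meeting_notes.docx", b"Rar!\x1a\x07\x01\x00"),
    ("memo.doc", b"Rar!\x1a\x07\x00\xcf"),
    ("memo.doc", OLE2),
    ("backup.rar", b"Rar!\x1a\x07\x00\xcf"),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(f"{check_file(path):24} {path}")
    else:
        for name, header in SAMPLES:
            print(f"{check_attachment(name, header):24} {name}")
```

Run it with file paths as arguments to check downloaded attachments, or with no arguments to see the verdicts for the constructed samples.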
Kaspersky believes the HoneyMyte threat group is behind the LuminousMoth campaign. HoneyMyte is a group of Chinese threat actors who have been observed to gather geopolitical and economic intelligence from Asian and African countries.