Threat Group Cards: A Threat Actor Encyclopedia

APT group: Space Pirates

Names	Space Pirates (Positive Technologies) Webworm (Symantec) Erudite Mogwai (Solar)
Country	China
Motivation	Information theft and espionage
First seen	2017
Description	(BleepingComputer) A previously unknown Chinese hacking group known as 'Space Pirates' targets enterprises in the Russian aerospace industry with phishing emails to install novel malware on their systems. The threat group is believed to have started operating in 2017, and while it has links to known groups like APT 41 (Winnti), Mustang Panda, Bronze President, and Emissary Panda, APT 27, LuckyMouse, Bronze Union, it is thought to be a new cluster of malicious activity. Russian threat analysts at Positive Technologies named the group 'Space Pirates' due to their espionage operations focusing on stealing confidential information from companies in the aerospace field.
Observed	Sectors: Aerospace, Energy, IT. Countries: Georgia, Mongolia, Serbia, Russia.
Tools used	9002 RAT, BH_A006, Deed RAT, Gh0st RAT, MyKLoadClient, PCShare, PlugX, Poison Ivy, ShadowPad Winnti, Trochilus RAT, Zupdax.
Operations performed	Sep 2022	Webworm: Espionage Attackers Testing and Using Older Modified RATs <https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats>
	Nov 2024	Space Pirates Targets Russian IT Firms With New LuckyStrike Agent Malware <https://thehackernews.com/2025/02/space-pirates-targets-russian-it-firms.html>
Information	<https://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/> <https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/space-pirates-tools-and-connections/> <https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-a-look-into-the-group-s-unconventional-techniques-new-attack-vectors-and-tools/>

Last change to this card: 02 March 2025

Download this actor card in PDF or JSON format