Mallory
2 malware families

SinisterEye

Also known as: sinistereye

SinisterEye, also referred to as LuoYu and Cascade Panda in the cited reporting, is an unattributed but China-aligned cyber espionage threat actor with confirmed Chinese-speaking operators; its formal attribution remains analytically contested. The group has been described as using ISP-level or backbone-level interception on ChinaNet AS4134 to deliver the WinDealer and SpyDealer malware families against foreign entities operating inside China. The cited reporting also states that SinisterEye uses adversary-in-the-middle (AiTM) techniques to hijack legitimate software update mechanisms, and that China-aligned groups including SinisterEye have used this technique for both initial access and lateral movement. ESET reporting specifically lists SinisterEye (aka LuoYu), alongside PlushDaemon, Evasive Panda, and Blackwood, as examples of China-aligned actors using DNS-hijacking-based update interception for initial access. The reporting characterizes the actor as part of broader China-aligned activity advancing Beijing's geopolitical objectives.
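The update-hijacking technique described above works because many update clients trust whatever the resolved hostname serves. An on-path adversary who controls DNS answers or the ISP backbone can point the client at a server it controls, so hostname and transport alone cannot establish that an update is genuine. The defensive control is for the client to verify the update against key material it already holds before installing anything. The following is an added example written for this page, not code from Mallory or from any of the cited reports; it uses only the Python standard library, so an HMAC-SHA256 tag under a key provisioned at install time stands in for the asymmetric signature (such as Ed25519) a production updater would use, and all product names, versions, keys and payload bytes are constructed.

```python
"""
Added example: a minimal update-verification routine that rejects a
payload substituted by an adversary-in-the-middle, a forged manifest,
and a replayed (rolled-back) older release.

Stdlib only. In a real updater the manifest would carry an asymmetric
signature (e.g. Ed25519) so the client holds only a public key; the
HMAC tag here is a stand-in for that signature, not a recommended design.
"""
import hashlib
import hmac
import json
import logging

log = logging.getLogger("updater")

# Constructed: key material shipped with the installer, never fetched
# from the update server. Whoever controls DNS or the network path does
# not hold this key, so they cannot produce a valid manifest tag.
PINNED_KEY = b"constructed-demo-key-not-a-real-secret"
INSTALLED_VERSION = 3  # constructed: the version currently on disk


def canonical(manifest: dict) -> bytes:
    """Deterministic JSON encoding so signer and verifier hash the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(payload: bytes, version: int) -> dict:
    """Publisher side: describe a release by version and payload digest."""
    return {
        "product": "demo-agent",  # constructed product name
        "version": version,
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


def sign_manifest(manifest: dict, key: bytes = PINNED_KEY) -> str:
    """Publisher side (build server): authenticate the manifest."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(manifest: dict, signature: str, payload: bytes,
                  installed_version: int = INSTALLED_VERSION,
                  key: bytes = PINNED_KEY) -> tuple[bool, str]:
    """Client side: accept an update only if every check passes.

    Order matters: the manifest tag is checked first so that the hash and
    version fields are only trusted once we know who wrote them.
    """
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        log.warning("update rejected: manifest signature invalid")
        return False, "bad manifest signature"

    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest.get("sha256", "")):
        # This is the AiTM case: genuine signed manifest, substituted bytes.
        log.warning("update rejected: payload hash %s != manifest %s",
                    digest, manifest.get("sha256"))
        return False, "payload hash mismatch"

    if manifest.get("version", 0) <= installed_version:
        # Anti-rollback: a correctly signed but older release is still refused,
        # otherwise an on-path attacker could replay a release with known bugs.
        log.warning("update rejected: version %s not newer than %s",
                    manifest.get("version"), installed_version)
        return False, "version not newer than installed (rollback blocked)"

    return True, "ok"


def demo() -> dict:
    """Run the verifier against four constructed scenarios."""
    genuine = b"constructed genuine update bytes v4"
    manifest = make_manifest(genuine, 4)
    sig = sign_manifest(manifest)

    # Replayed older release: manifest and tag are authentic, version is not newer.
    old_payload = b"constructed older update bytes v2"
    old_manifest = make_manifest(old_payload, 2)

    # Attacker-crafted manifest for a malicious payload, without the key.
    evil = b"constructed payload substituted on the wire"
    forged_manifest = make_manifest(evil, 4)

    return {
        "genuine": verify_update(manifest, sig, genuine),
        "swapped_payload": verify_update(manifest, sig, evil),
        "forged_manifest": verify_update(forged_manifest, sig, evil),
        "rollback": verify_update(old_manifest, sign_manifest(old_manifest), old_payload),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, (ok, reason) in demo().items():
        print(f"{name:16s} accepted={ok} reason={reason}")
```

The rejected cases are the ones a SOC would want logged: a payload hash mismatch on an otherwise valid manifest is the signature of a substituted download, which is exactly what interception of update traffic produces, and a burst of such rejections across hosts in one network segment is worth correlating with DNS answer changes for the update hostname.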

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration
  • Military
  • Software & Services
  • Academia & Research

Where they target

Geographies tied to known operations.

  • 🇨🇳 China
MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

Coverage: 4 of 15 tactics, 4 technique entries (×N = number of intelligence reports citing this technique).

  • TA0001 Initial Access (1 technique): T1195 Supply Chain Compromise
  • TA0006 Credential Access (1 technique): T1557 Adversary-in-the-Middle (×2)
  • TA0007 Discovery (1 technique): T1018 Remote System Discovery
  • TA0009 Collection (1 technique): T1557 Adversary-in-the-Middle (×2)
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (3)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (2)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.
