🇨🇳 CN6 malware families

LuoYu

Also known asluoyu

LuoYu is a Chinese-origin threat actor described as a Chinese APT group. Reporting in the provided content associates LuoYu with the WinDealer and ReverseWindow malware families, and also notes use of XDealer, ShadowPad, PlugX, and WinDealer. The content further cites LuoYu as one of several advanced threat actors observed leveraging compromised SOHO devices as proxying infrastructure. Known alias in the provided content: luoyu.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

ARSENAL

Associated malware families

6 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

WinDealerIn a research paper presented by TeamT5, XDealer was shown to be associated with Luoyu, a threat actor with Chinese origins that used the WinDealer and ReverseWindow malware families.3May 31, 2026

SpyDealerOur colleague, who was previously involved in the research of Luoyu, shared with us the insights on this association, particularly the sharing of an encryption key between an old XDealer sample and a SpyDealer sample — suggesting a connection between both malware families.2May 31, 2026

XDealerSince 2023, the Earth Krahang shifted to another backdoor (named XDealer by TeamT5 and DinodasRAT by ESET). Compared to RESHELL, XDealer provides more comprehensive backdoor capabilities.2May 31, 2026

PlugXThey said LuoYu have newly used the following malware since JSAC2021: Malware: XDealer, ShadowPad, PlugX1Mar 18, 2026

ReverseWindowIn a research paper presented by TeamT5, XDealer was shown to be associated with Luoyu, a threat actor with Chinese origins that used the WinDealer and ReverseWindow malware families.1May 31, 2026

1 additional family tracked in Mallory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

harfanglab insidethelabNews

Mar 4, 2025

2024 Threatscape report - HarfangLab

Advanced threat actor referenced as compromising SOHO devices and using them as proxying infrastructure for stealth/deniable operations.

trend micro researchNews

Mar 18, 2024

Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks

Chinese-origin threat actor referenced for its association with XDealer and prior use of WinDealer and ReverseWindow malware families.

jpcert blogNews

Mar 22, 2022

JSAC 2022 -Day 1-

Espionage-focused operations (noted as a Chinese APT) targeting Japan and additional countries/industries, using multiple backdoors including WinDealer and others.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal6

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.