Skip to main content
Mallory
Back to threat actors
🇨🇳 CN1 malware family

Luckycat

Also known asluckycat

Luckycat is the name Trend Micro gave to a Chinese cyber campaign disclosed in March 2012. Based on the provided content, the campaign targeted U.S.-based activists and organizations, Indian and Japanese military research entities, and Tibetan activists. No additional high-confidence details on tooling, specific TTPs, sub-groups, or further aliases beyond “Luckycat” are present in the content.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

5 of 15 tactics9 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1593
Search Open Websites/Domains
TA0042
Resource Development
1 technique
T1587
Develop Capabilities
T1587.001
Malware
TA0002
Execution
1 technique
T1204
User Execution
TA0009
Collection
3 techniques
T1005
Data from Local System
T1185
Browser Session Hijacking
T1213
Data from Information Repositories
TA0010
Exfiltration
2 techniques
T1020
Automated Exfiltration
T1041
Exfiltration Over C2 Channel
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
ScanBoxProofpoint and PwC Threat Intelligence have jointly identified a cyber espionage campaign, active since April 2022 through June, delivering the ScanBox exploitation framework to targets who visit a malicious domain posing as an Australian news website.1Mar 18, 2026
ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
csis chinese espionageNews
Mar 5, 2026
Survey of Chinese Espionage in the United States Since 2000 | Strategic Technologies Program | CSIS

China-linked cyber-espionage campaign targeting activists and military research organizations, including Tibetan activists and Indian/Japanese military research, for intelligence collection.

Read more
csis chinese espionageNews
Mar 4, 2026
Survey of Chinese Espionage in the United States Since 2000 | Strategic Technologies Program | CSIS

Cyber-espionage campaign targeting activists and military research organizations, including Tibetan activists and Indian/Japanese military research, consistent with intelligence collection objectives.

Read more
csis chinese espionageNews
Mar 4, 2026
Survey of Chinese Espionage in the United States Since 2000 | Strategic Technologies Program | CSIS

China-attributed cyber-espionage campaign targeting activists and military research entities, including Tibetan activist communities and military research in India and Japan.

Read more
csis chinese espionageNews
Mar 4, 2026
Survey of Chinese Espionage in the United States Since 2000 | Strategic Technologies Program | CSIS

China-linked cyber-espionage campaign targeting activists and military research entities, including Tibetan activists and Indian/Japanese military research, for intelligence collection.

Read more
+196 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping8

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.