Erudite Mogwai
Erudite Mogwai is a China-nexus threat actor also tracked as Space Pirates and Webworm. The group has been observed targeting Russian organizations, including government-sector entities and IT companies. Reported activity includes attacks on the IT infrastructure of a Russian government organization, intrusions at Russian IT companies, and a spring 2025 compromise of a government-sector organization whose infrastructure was assessed as likely compromised by Erudite Mogwai.

The actor has been linked to LuckyStrike Agent, a multifunctional .NET backdoor, and to NetDraft, which Solar tracks as LuckyStrike Agent in this context. LuckyStrike Agent was observed using AppDomain Manager injection to load into the legitimate Microsoft UE-V component UevAppMonitor.exe, and using Microsoft OneDrive, reached through the Microsoft Graph API, as its command-and-control channel. The malware supports shell command execution, file upload and download, directory browsing, plugin execution, execution of arbitrary .NET assemblies, host metadata collection, RSA-encrypted data transmission, and retrieval of tasks from OneDrive folders. LuckyStrike Agent appears professionally developed and may be a commercial or closed-market malware product.

In the spring 2025 investigation, Erudite Mogwai was associated with a broader intrusion set on a compromised Microsoft Exchange server that had been breached through the ProxyShell chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). Investigators found multiple malware families co-resident on the server, including ShadowPad, ShadowPad Light (Deed RAT), Donnect, Mythic Agent, and a previously undocumented modular backdoor named ShadowRelay.
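AppDomain Manager injection, the loading technique reported for LuckyStrike Agent, relies on a `<name>.exe.config` placed beside a legitimate .NET executable (here UevAppMonitor.exe): if the config's `<runtime>` section declares `appDomainManagerAssembly` and `appDomainManagerType`, the CLR loads and instantiates that assembly before the host's own entry point runs (the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables achieve the same). A practical hunt is therefore to enumerate `*.exe.config` files that set those elements. The scanner below is an added example written for this page, not code from the Solar report or from the malware; the config contents, file names and the `UevLoader` assembly name are constructed for the demo.

```python
"""Hunt for .NET AppDomainManager injection via <exe>.exe.config files.

Added example; the sample configs and names below are constructed, not from any report.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Elements under <configuration><runtime> that make the CLR load a custom
# AppDomainManager before the host executable's own code runs.
ADM_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


@dataclass
class Finding:
    config_path: str
    assembly: Optional[str]      # full name from appDomainManagerAssembly
    manager_type: Optional[str]  # type name from appDomainManagerType
    assembly_present: bool       # <SimpleName>.dll exists beside the config


def parse_config(text: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the AppDomainManager settings an app.config declares, or None."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return None
    if root.tag != "configuration":
        return None
    found: Dict[str, Optional[str]] = {}
    for runtime in root.iter("runtime"):
        for el in runtime:
            if el.tag in ADM_ELEMENTS:
                found[el.tag] = el.get("value")
    if not found:
        return None
    return {"assembly": found.get("appDomainManagerAssembly"),
            "type": found.get("appDomainManagerType")}


def simple_name(assembly: Optional[str]) -> Optional[str]:
    """'Evil, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' -> 'Evil'."""
    if not assembly:
        return None
    return assembly.split(",", 1)[0].strip()


def scan_directory(root_dir: str) -> List[Finding]:
    """Walk root_dir and flag every *.exe.config that sets an AppDomainManager."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if not name.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                settings = parse_config(fh.read())
            if settings is None:
                continue
            dll = simple_name(settings["assembly"])
            # The injected assembly is normally dropped next to the host binary.
            present = bool(dll) and os.path.exists(os.path.join(dirpath, dll + ".dll"))
            findings.append(Finding(path, settings["assembly"], settings["type"], present))
    return findings


# Constructed samples: a benign config and one that injects an AppDomainManager.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
  </startup>
</configuration>
"""

INJECTED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UevLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UevLoader.Manager" />
  </runtime>
</configuration>
"""


def demo() -> List[Finding]:
    """Build a temporary tree mimicking a dropped config and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = os.path.join(tmp, "good"), os.path.join(tmp, "bad")
        os.makedirs(good)
        os.makedirs(bad)
        with open(os.path.join(good, "Tool.exe.config"), "w", encoding="utf-8") as fh:
            fh.write(BENIGN_CONFIG)
        with open(os.path.join(bad, "UevAppMonitor.exe.config"), "w", encoding="utf-8") as fh:
            fh.write(INJECTED_CONFIG)
        with open(os.path.join(bad, "UevLoader.dll"), "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real assembly
        return scan_directory(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.config_path}: loads {f.assembly} ({f.manager_type}); "
              f"assembly beside config: {f.assembly_present}")
```

Point it at `C:\Windows\System32`, `C:\Program Files` and user-writable paths; a config that names an AppDomainManager beside a Microsoft-signed binary such as UevAppMonitor.exe, with an unsigned DLL of that name alongside, is the artifact this technique leaves on disk. The scanner does not cover the environment-variable variant, which has to be checked in process creation telemetry instead.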
ShadowRelay was described as a plugin-based implant capable of client or server operation, optional process injection, anti-analysis checks, installation as a Windows service, self-removal, AES-encrypted communications, and port reuse with packet diversion through WinDivert, which lets it relay C2 traffic over a port the host is already listening on and so hide that traffic. Erudite Mogwai shows operational similarities with other China-aligned activity clusters, but identity overlap is not confirmed. ESET noted similarities between LongNosedGoblin and Erudite Mogwai while stating it could not confirm they are the same group because of differences in TTPs. A Rostelecom security team report cited Erudite Mogwai (Space Pirates) as one of at least three APT groups present on a Russian organization's network, alongside Obstinate Mogwai and GOFFEE.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
- Government & Administration
Where they target
Geographies tied to known operations.
- 🇷🇺 Russia
Tradecraft
3 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
4 malware families attributed to this actor across reporting.
Associated vulnerabilities
3 CVEs this actor has used in observed campaigns. 3 of them exploited in the wild.
...the source of their infection turned out to be an Exchange mail server, which had been compromised as early as summer 2024 through exploitation of the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
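The ProxyShell chain opens with a pre-authentication path-confusion SSRF in the Exchange Autodiscover front end (CVE-2021-34473): a request to `/autodiscover/autodiscover.json` whose path carries an `@` suffix and whose `Email` parameter points back at `autodiscover/autodiscover.json` is forwarded to back-end endpoints such as `/mapi/nspi` and `/powershell`, from which the privilege-escalation (CVE-2021-34523) and file-write (CVE-2021-31207) stages follow. Those front-end requests are recorded in the Exchange IIS W3C logs, so a retrospective check for a compromise like the one described above starts there. The triage script below is an added example written for this page, not from the Solar report; the log lines, host names and IP addresses are constructed, and the column layout is taken from the `#Fields:` header embedded in the sample.

```python
"""Triage Exchange front-end IIS logs for ProxyShell (CVE-2021-34473) requests.

Added example; the log lines below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote


@dataclass
class Hit:
    line_no: int
    client_ip: str
    stem: str
    query: str
    reason: str


def classify(stem: str, query: str) -> Optional[str]:
    """Return a reason string if (cs-uri-stem, cs-uri-query) looks like ProxyShell."""
    if not stem.lower().endswith("/autodiscover/autodiscover.json"):
        return None
    q = unquote(query).lower()  # IIS logs the query URL-encoded ("%3F" for "?")
    # Path confusion shape: "@host/<backend>/?&Email=autodiscover/autodiscover.json?@host"
    if "@" in q and "autodiscover/autodiscover.json" in q:
        if "/powershell" in q:
            return "ProxyShell path confusion reaching /powershell (CVE-2021-34473 -> CVE-2021-34523)"
        if "/mapi/nspi" in q:
            return "ProxyShell path confusion reaching /mapi/nspi (CVE-2021-34473, SID lookup)"
        return "ProxyShell path confusion (CVE-2021-34473)"
    return None


def parse_w3c(log_text: str) -> List[Tuple[int, Dict[str, str]]]:
    """Parse IIS W3C extended log text into (line_no, record) pairs keyed by #Fields:."""
    fields: List[str] = []
    records: List[Tuple[int, Dict[str, str]]] = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        records.append((line_no, dict(zip(fields, parts))))
    return records


def triage(log_text: str) -> List[Hit]:
    """Run classify() over every record and collect the suspicious ones."""
    hits: List[Hit] = []
    for line_no, rec in parse_w3c(log_text):
        stem, query = rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "")
        reason = classify(stem, query)
        if reason:
            hits.append(Hit(line_no, rec.get("c-ip", "?"), stem, query, reason))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per client IP, the usual pivot for scoping the intrusion."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.client_ip] = counts.get(h.client_ip, 0) + 1
    return counts


# Constructed sample: two exploit requests from one client, three benign lines.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-07-14 03:12:45 10.0.0.5 GET /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 198.51.100.23 python-requests/2.31.0 200
2024-07-14 03:12:47 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell/?X-Rps-CAT=constructedtoken&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 198.51.100.23 python-requests/2.31.0 200
2024-07-14 03:13:01 10.0.0.5 POST /owa/auth.owa - 443 - 192.0.2.10 Mozilla/5.0 302
2024-07-14 03:13:05 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 CORP\\jdoe 192.0.2.11 Microsoft+Office/16.0 200
2024-07-14 03:13:09 10.0.0.5 POST /autodiscover/autodiscover.json Email=jdoe@corp.test 443 CORP\\jdoe 192.0.2.11 Microsoft+Office/16.0 200
"""


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no} from {h.client_ip}: {h.reason}")
    print("per client:", summarize(found))
```

The last sample line is a legitimate `autodiscover.json` request carrying an `@` in its `Email` value; the check requires the `Email` parameter to point back at `autodiscover/autodiscover.json` as well, which is what distinguishes the path-confusion request from normal client traffic. A matching line shows an attempt, not a confirmed success: the sample data is constructed, and a real investigation follows up with the back-end `/powershell` logs, mailbox export requests, and new `.aspx` files under the Exchange and IIS web roots.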
Observables
33 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Threat actor associated with deploying the same NosyDoor/LuckyStrike Agent malware against Russian IT organizations.
Threat cluster reported using NetDraft against Russian IT organizations in 2024.
Named APT cluster reported present on a Russian organization’s network (per Rostelecom security team reporting).
Probable compromise of a government-sector organization through a vulnerable Microsoft Exchange server; Shadowpad Light (Deed RAT) was found on the infected systems.