Luckycat

LuckyCat is malware and campaign infrastructure identified by Trend Micro in March 2012 as part of a Chinese cyber campaign. The source material states that LuckyCat targeted U.S.-based activists and organizations, Indian and Japanese military research entities, and Tibetan activists. It also notes that infrastructure used by later Tibetan-targeting malware campaigns overlapped with LuckyCat infrastructure, including historic phishing activity sent from the account tseringkanyaq@yahoo[.]com and later links between a LuckyCat Android RAT variant and ExileRAT-related operations. On that basis, LuckyCat is associated with Chinese-linked targeting of Tibetan interests and other geopolitical targets; the source provides no further technical detail on its capabilities, infection vector, or standalone indicators of compromise beyond the infrastructure overlap and campaign targeting noted above.


MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1587.001 Malware (evidence items: 1)

“The National Defense University discovered Chinese malware in its computer systems.” / “Chinese hackers used malware, known as ‘Sykipot’…” / “Luckycat…”

Initial Access

1 technique
T1566 Phishing (evidence items: 1)

In March 2020, Proofpoint researchers observed a phishing campaign impersonating the World Health Organization’s (WHO) guidance on COVID-19 critical preparedness to deliver a new malware family that researchers have dubbed “Sepulcher”.

Execution

2 techniques
T1204 User Execution (evidence items: 1)

“The National Defense University discovered Chinese malware in its computer systems.” / “Chinese hackers used malware, known as ‘Sykipot’…” / “Trend Micro uncovered…‘Luckycat’…”

T1204.002 Malicious File (evidence items: 1)

“January 2007: The National Defense University discovered Chinese malware in its computer systems.” / “September 2013… used malware, known as ‘Sykipot’…” / “March 2012… campaign, dubbed ‘Luckycat’…”

Persistence

1 technique
T1543 Create or Modify System Process (evidence items: 1)

“The National Defense University discovered Chinese malware in its computer systems.” and repeated references to intrusions involving malware (e.g., Luckycat; Sykipot; malware spread to foreign government websites).

Privilege Escalation

1 technique
T1543 Create or Modify System Process (evidence items: 1)

“The National Defense University discovered Chinese malware in its computer systems.” and repeated references to intrusions involving malware (e.g., Luckycat; Sykipot; malware spread to foreign government websites).

Collection

1 technique
T1005 Data from Local System (evidence items: 1)

Repeated throughout: “stole trade secret information…”, “stole sensitive military information…”, “stole weapons systems designs…”, “stole personal information…”

Exfiltration

2 techniques
T1020 Automated Exfiltration (evidence items: 1)

Numerous entries: “exfiltrated information…”, “stole data…”, “downloaded 10 to 20 terabytes of data…”, “stole 614 gigabytes of material…”

T1041 Exfiltration Over C2 Channel (evidence items: 1)

“exfiltrated information…” / “downloading 10 to 20 terabytes of data.” / “stole personal information…” / “exfiltrated Call Detail Records (CDRs)…”
