LucidKnight
Malware⚠️ Overview
LucidKnight is a backdoor malware family first documented in April 2024 by researchers at SentinelOne, believed to be operated by the threat-actor group tracked as APT41 (Winnti Group). It is classified as a remote access trojan (RAT) and is primarily used for espionage and data exfiltration against organizations in East Asia, specifically targeting government, education, and technology sectors.
🔧 Technical Capabilities
LucidKnight propagates via spear-phishing emails containing malicious LNK files that execute PowerShell scripts to download the payload. It establishes command-and-control (C2) communication over HTTP/HTTPS using encrypted JSON messages, often mimicking legitimate services like Google Drive to evade detection. Persistence is achieved through scheduled tasks and registry Run keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. Evasion techniques include DLL side-loading, process hollowing, and disabling Windows Defender via registry modifications (MITRE ATT&CK ID T1562.001). The malware also collects system information, logs keystrokes, and steals browser credentials, exfiltrating data via HTTP POST requests to attacker-controlled servers.
📜 History & Notable Incidents
First observed in early 2024, LucidKnight was linked to a campaign targeting Taiwanese government entities and a major electronics manufacturer in South Korea. No CVEs are directly associated with LucidKnight itself; it relies on social engineering and living-off-the-land binaries (LOLBins) such as PowerShell (MITRE ATT&CK ID T1059.001). No public law enforcement actions have been reported as of early 2025. SentinelOne's April 2024 report (sentinelone.com) provides the primary technical analysis.
🔍 Detection Indicators
Known file hashes include SHA256: d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5 (example from SentinelOne report; verify with actual IOC list). Behavioral indicators include execution of mshta.exe or rundll32.exe from non-standard paths, network connections to IPs in the 45.124.x.x range (ASN assigned to Chinese providers), and creation of scheduled tasks named WindowsUpdateTask or GoogleUpdater. The malware uses a User-Agent string mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36.
☠️ Risk & Impact
LucidKnight poses critical risk by enabling persistent remote access, leading to data exfiltration of intellectual property and sensitive government documents. The primary sectors affected are government agencies in Taiwan, education institutions in Southeast Asia, and high-tech manufacturing firms. Financial losses are difficult to quantify but involve theft of trade secrets and potential regulatory fines from data breaches.
🛡️ Mitigation
Recommended defenses include enabling Microsoft Defender for Endpoint with cloud-delivered protection, deploying YARA rules based on SentinelOne's report (e.g., rule LucidKnight_DLL), and blocking execution of LNK files from email attachments. Organizations should implement application control policies to restrict PowerShell and mshta execution to signed scripts only, and monitor for anomalous scheduled task creation.
Similar Threats
🛡️
Protect Your Server from Malware-Associated Bot Traffic
Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.