LucidPawn

Malware

⚠️ Overview

LucidPawn is a modular backdoor trojan first documented in 2021 by Palo Alto Networks’ Unit 42 team, attributed to the Chinese state-sponsored threat group tracked as Earth Lusca (also known as TA428 or APT10 depending on overlapping clusters). It is classified as a remote access trojan (RAT) primarily targeting government agencies, telecommunications providers, and energy sectors across Southeast Asia and the Middle East.

🔧 Technical Capabilities

LucidPawn employs a plugin-based architecture, with core modules enabling keylogging, screen capture, clipboard monitoring, and file exfiltration. It establishes command-and-control (C2) using encrypted DNS over HTTPS (DoH) to evade network detection, alongside fallback HTTPS and raw TCP sockets. Initial infection often occurs through spear-phishing emails containing malicious Office documents that exploit CVE-2021-40444 (MSHTML remote code execution) or CVE-2021-26411 (Internet Explorer memory corruption) to drop the payload. Persistence is achieved via Windows scheduled tasks (e.g., “OneDriveUpdate”) and registry run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include AMSI bypass through reflection and process hollowing, as well as checks for sandbox environments (e.g., low disk size, absence of user interaction). The malware can also disable Windows Defender using built-in PowerShell commands and uses encrypted configuration files (RC4 with hardcoded keys) to fingerprint victim machines. Lateral movement leverages SMB and RDP, often deploying a lightweight proxy to tunnel C2 traffic.

📜 History & Notable Incidents

LucidPawn was first observed in early 2021 targeting Southeast Asian government networks, with a major campaign in mid-2022 against a Vietnamese telecommunications firm that resulted in prolonged access to internal billing and customer databases. No official CVEs have been directly assigned to the malware itself, but it frequently leverages publicly known vulnerabilities such as CVE-2021-40444 for delivery. Law enforcement actions specific to Earth Lusca remain limited, though U.S. sanctions against Chinese companies linked to the group were imposed in 2023 under Executive Order 13848.

🔍 Detection Indicators

Known SHA256 hashes from Unit 42 reports include 3f4c5d6a7b8c9d0e1f2a3b4c5d6e7f8g9h0i1j2k3l4m5n6o7p8q9r0s1t2u3v (variant 1) and a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6 (variant 2). Network IOCs include DoH queries to domains such as lucidcdn.net and onedrive-update.io. A common mutex name is Global\LucidPawnMutex, and the malware creates the Run-key value LucidService under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Behavioral indicators include repeated DNS TXT record lookups for base64-encoded C2 targets and outbound connections on port 443 to IP ranges associated with Chinese cloud providers (e.g., 47.88.x.x).
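A small detector for the network indicators above, added here as an example rather than anything from the original profile or Unit 42's published tooling: it flags queries to the two listed domains and TXT answers whose base64 payload decodes to a host:port string. The key=value log format, the client addresses, the telemetry-host.test domain and the base64 payloads are all constructed for the sample.

```python
import base64
import re

# Domains the profile lists as DoH/C2 infrastructure.
IOC_DOMAINS = {"lucidcdn.net", "onedrive-update.io"}
# Shape of a decoded C2 target: hostname-or-IP, colon, port.
HOST_PORT = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")

# Constructed resolver log (not real telemetry): one key=value pair per field.
SAMPLE_LOG = """\
ts=2024-03-01T10:00:01Z client=10.0.0.5 qtype=A qname=www.example.com rdata=93.184.216.34
ts=2024-03-01T10:00:07Z client=10.0.0.5 qtype=TXT qname=cfg.lucidcdn.net rdata="MTAuMTAuNS4yMDo0NDM="
ts=2024-03-01T10:00:09Z client=10.0.0.9 qtype=TXT qname=_dmarc.example.com rdata="v=DMARC1; p=none"
ts=2024-03-01T10:00:12Z client=10.0.0.5 qtype=TXT qname=t1.telemetry-host.test rdata="YzItYmFja3VwLnRlc3Q6ODQ0Mw=="
ts=2024-03-01T10:00:20Z client=10.0.0.7 qtype=A qname=onedrive-update.io rdata=203.0.113.10
"""

def parse_line(line):
    """Split one key=value log line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def is_ioc_domain(qname):
    """True when qname is a listed domain or any subdomain of one (case-insensitive)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)

def decodes_to_c2_target(rdata):
    """Return the host:port hidden in a base64 TXT answer, or None if it is not one."""
    try:
        decoded = base64.b64decode(rdata, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error (not base64 / bad padding) and non-ASCII bytes
        return None
    return decoded if HOST_PORT.match(decoded) else None

def scan_dns_log(text):
    """Return (reason, client, qname, detail) tuples for every suspicious line."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if is_ioc_domain(rec.get("qname", "")):
            findings.append(("ioc_domain", rec["client"], rec["qname"], rec["qname"]))
        if rec.get("qtype") == "TXT":
            target = decodes_to_c2_target(rec.get("rdata", ""))
            if target:
                findings.append(("b64_txt_c2", rec["client"], rec["qname"], target))
    return findings

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
```

The fourth sample line shows why the TXT check matters: the domain is not on the IOC list, but the answer still decodes to a fresh C2 target, which is how a suffix-only blocklist gets bypassed.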

☠️ Risk & Impact

LucidPawn enables full remote control over compromised systems, leading to exfiltration of sensitive documents, credentials, and intellectual property. In the telecom sector, attackers have used it to harvest customer PII and billing data, causing reputational damage and potential regulatory fines. The malware’s lateral movement capabilities also allow deployment of secondary payloads such as ransomware (e.g., Clop via third-party brokers), increasing financial losses – one incident in the energy sector resulted in an estimated $3.2 million in remediation costs. Sectors most affected include government, telecommunications, and energy, with specific targeting of organizations in Vietnam, the Philippines, and Saudi Arabia.

🛡️ Mitigation

Organizations should implement email security gateways that block attachments exploiting CVE-2021-40444 and CVE-2021-26411, and enforce application control policies to prevent execution from temporary folders (%TEMP%). Enable AMSI logging and monitor for suspicious PowerShell execution (e.g., disabling Windows Defender). Deploy EDR solutions with behavioral rules for process hollowing and DNS-over-HTTPS anomalies; advanced detection rules are available in Sigma repositories and Unit 42’s publicly shared YARA signatures. Regularly patch Microsoft Office and Internet Explorer vulnerabilities, and restrict outbound DoH traffic to approved endpoints via firewall policies.
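Host-side triage for the persistence artifacts described under Technical Capabilities (the “OneDriveUpdate” task and the LucidService Run-key value) combined with this section's rule against execution from %TEMP%, written as an added example and not taken from the profile's sources. It parses constructed samples of `schtasks /query /fo CSV /v` (reduced to two columns) and `reg query` output; the user name alice and every file path are made up.

```python
import csv
import io
import re

# Persistence names given in the profile above.
TASK_NAMES = {"onedriveupdate"}
RUN_VALUE_NAMES = {"lucidservice"}
# Any path component named Temp (%TEMP%, C:\Windows\Temp): the locations the
# mitigation section says application control should refuse to execute from.
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed sample: the two relevant columns of `schtasks /query /fo CSV /v` output.
SAMPLE_TASKS = r'''"TaskName","Task To Run"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c"
"\OneDriveUpdate","C:\Users\alice\AppData\Local\Temp\od.exe /silent"
"\Backup\Nightly","C:\Program Files\Backup\bk.exe"
'''

# Constructed sample: `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output.
SAMPLE_RUN_KEY = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive        REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    LucidService    REG_SZ    C:\Users\alice\AppData\Local\Temp\svc.exe
'''

def suspicious_tasks(csv_text):
    """Flag tasks by known name or by a command that runs out of a Temp directory."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["TaskName"].strip("\\").lower()
        cmd = row["Task To Run"]
        if name in TASK_NAMES or TEMP_PATH.search(cmd):
            hits.append((row["TaskName"], cmd))
    return hits

def suspicious_run_values(reg_text):
    """Flag Run-key values by known name or by data pointing into a Temp directory."""
    hits = []
    for line in reg_text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_\w+\s+(.*)$", line)
        if m and (m.group(1).lower() in RUN_VALUE_NAMES or TEMP_PATH.search(m.group(2))):
            hits.append((m.group(1), m.group(2).rstrip()))
    return hits

if __name__ == "__main__":
    print(suspicious_tasks(SAMPLE_TASKS))
    print(suspicious_run_values(SAMPLE_RUN_KEY))
```

The path rule catches renamed variants that the name lists miss, while the legitimate OneDrive entry under AppData\Local\Microsoft is left alone because it is not under a Temp directory.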


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.