Cyber Security News

Space Pirates Hackers Attacking IT Organizations With LuckyStrike Using OneDrive

A recent investigation by cybersecurity experts has unveiled a series of advanced cyberattacks orchestrated by the notorious Advanced Persistent Threat (APT) group known as “Space Pirates.”

Leveraging their customized malware arsenal, including the LuckyStrike Agent backdoor, the group has been targeting IT organizations and government agencies across Russia and neighboring regions.

The attacks have been marked by their innovative use of Microsoft’s OneDrive platform as a command-and-control (C2) channel, enabling stealthy communication and data exfiltration.

The Space Pirates, also referred to as “Erudite Mogwai” in certain reports, have a history of cyber espionage campaigns dating back to 2017.

Their latest activities were detected in November 2024 during an investigation into compromised IT infrastructure.

The attackers demonstrated a high degree of technical sophistication by adapting open-source tools like Stowaway and ShadowPad Light to suit their needs.

These tools were modified to evade detection and facilitate lateral movement within victim networks.

Figure: Timeline of attack development

LuckyStrike: A Multifunctional Backdoor

At the core of the Space Pirates’ toolkit is the LuckyStrike Agent, a .NET-based backdoor with capabilities not previously observed in similar malware.

This tool abuses OneDrive as a C2 platform, allowing attackers to issue commands, retrieve sensitive data, and maintain persistence without raising suspicion.

The use of OneDrive provides an additional layer of obfuscation, as traffic to cloud services is often considered benign by traditional security solutions.

LuckyStrike’s functionality includes remote task execution, reconnaissance, and data exfiltration.

The malware’s design reflects the group’s focus on espionage, with targeted attacks aimed at extracting confidential information from high-value sectors such as aerospace, energy, and public administration.
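The OneDrive-as-C2 pattern above is hard to spot by destination alone, since the endpoints are legitimate. An added detection sketch (not code from the article or from the Solar report) over constructed EDR-style telemetry: it flags processes that are not expected to talk to OneDrive or Graph endpoints, and contact at suspiciously regular intervals. The field names and the process allow-list are assumptions.

```python
"""Detection sketch for OneDrive used as a C2 channel: flag unexpected processes and
beacon-like regularity. Input is constructed JSON-lines telemetry (assumed schema)."""
import json
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

ONEDRIVE_HOSTS = {"graph.microsoft.com", "api.onedrive.com", "onedrive.live.com"}
EXPECTED = {"onedrive.exe", "msedge.exe", "chrome.exe", "explorer.exe"}  # assumed baseline

# Constructed sample events (not real telemetry): one process beacons every 5 minutes.
SAMPLE_EVENTS = """\
{"ts": "2024-11-04T09:00:00", "host": "WS-12", "process": "OneDrive.exe", "dest": "graph.microsoft.com"}
{"ts": "2024-11-04T09:00:10", "host": "WS-12", "process": "msedge.exe", "dest": "onedrive.live.com"}
{"ts": "2024-11-04T09:01:00", "host": "WS-12", "process": "svc_update.exe", "dest": "graph.microsoft.com"}
{"ts": "2024-11-04T09:06:00", "host": "WS-12", "process": "svc_update.exe", "dest": "graph.microsoft.com"}
{"ts": "2024-11-04T09:11:00", "host": "WS-12", "process": "svc_update.exe", "dest": "graph.microsoft.com"}
{"ts": "2024-11-04T09:16:00", "host": "WS-12", "process": "svc_update.exe", "dest": "graph.microsoft.com"}
{"ts": "2024-11-04T09:02:00", "host": "SRV-01", "process": "w3wp.exe", "dest": "api.onedrive.com"}
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def find_suspicious(events, min_hits=3, max_jitter=0.2):
    """Return {(host, process): [reasons]} for OneDrive traffic worth an analyst's look."""
    by_proc = defaultdict(list)
    for e in events:
        if e["dest"] in ONEDRIVE_HOSTS:
            by_proc[(e["host"], e["process"])].append(e["ts"])
    findings = {}
    for (host, proc), stamps in by_proc.items():
        reasons = []
        if proc.lower() not in EXPECTED:
            reasons.append("unexpected process contacting OneDrive")
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Regular intervals with little jitter look like a beacon, not a user-driven sync.
        if len(gaps) >= min_hits - 1 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            reasons.append(f"periodic contact every ~{mean(gaps):.0f}s")
        if reasons:
            findings[(host, proc)] = reasons
    return findings
```

The allow-list should be built from your own environment's baseline; the jitter threshold is a starting point, not a tuned value.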

Technical Innovations in Stowaway Fork

The Space Pirates have also developed a custom version of the Stowaway proxy tool, originally designed for penetration testing.

Their modifications include traffic compression using LZ4, encryption via the XXTEA algorithm, and support for the QUIC protocol.

According to the Solar report, these enhancements enable secure and efficient communication between compromised systems while complicating detection efforts.

The attackers employed Stowaway primarily as a SOCKS5 proxy to route malicious traffic through victim networks.

Initializing a SOCKS5 proxy

By stripping unnecessary features from the original tool and introducing unique protocol structures, they minimized detection signatures.

The group’s ability to adapt open-source utilities underscores their technical expertise and resourcefulness.
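Whatever the transport wrapping, a Stowaway node used as a SOCKS5 proxy still has to accept a standard SOCKS5 handshake from its client. As an added example (not code from the article or from the Stowaway project), a small parser for the client side of that handshake (RFC 1928), run over constructed flow payloads, so an internal host that is quietly offering SOCKS5 to other internal hosts can be surfaced from a pcap or flow extract:

```python
"""Spot SOCKS5 proxy setup (the protocol Stowaway speaks as a proxy) in the client-to-server
bytes of a TCP flow, e.g. extracted from a pcap. Sample flows below are constructed."""
from ipaddress import IPv4Address, IPv6Address
SOCKS_VER = 0x05
CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}

def parse_greeting(data):
    """VER NMETHODS METHODS... (RFC 1928); returns bytes consumed, 0 if not a greeting."""
    if len(data) < 2 or data[0] != SOCKS_VER or data[1] == 0:
        return 0
    return 2 + data[1] if len(data) >= 2 + data[1] else 0

def parse_request(data):
    """VER CMD RSV ATYP DST.ADDR DST.PORT; returns dict, or None if malformed/truncated."""
    if len(data) < 5 or data[0] != SOCKS_VER or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == 0x03:                      # length-prefixed domain name
        start, alen = 5, data[4]
    elif atyp in (0x01, 0x04):            # IPv4 / IPv6
        start, alen = 4, 4 if atyp == 0x01 else 16
    else:
        return None
    end = start + alen
    if len(data) < end + 2:
        return None
    raw = data[start:end]
    addr = (str(IPv4Address(raw)) if atyp == 0x01 else
            str(IPv6Address(raw)) if atyp == 0x04 else raw.decode("ascii", "replace"))
    port = int.from_bytes(data[end:end + 2], "big")
    return {"cmd": CMDS.get(cmd, f"0x{cmd:02x}"), "addr": addr, "port": port}

def scan_client_stream(payload):
    """Greeting immediately followed by the request -> target dict, else None."""
    used = parse_greeting(payload)
    return parse_request(payload[used:]) if used else None

# Constructed flows: (src, dst, client payload). Only the SOCKS5 ones should be reported.
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.1.2.50", b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.1.2.3", "10.1.2.50", b"\x05\x01\x00" + b"\x05\x01\x00\x01\x0a\x01\x02\x0a\x0d\x3d"),
    ("10.1.2.9", "10.1.2.50", b"\x05\x02\x00\x02" + b"\x05\x01\x00\x03\x04dc01\x01\x85"),
    ("10.1.2.9", "10.1.2.50", b"\x05\x01\x00" + b"\x05\x01\x00\x03"),  # truncated request
]

def find_socks_flows(flows):
    hits = []
    for src, dst, payload in flows:
        req = scan_client_stream(payload)
        if req:
            hits.append((src, dst, req["cmd"], f"{req['addr']}:{req['port']}"))
    return hits
```

This only sees the handshake when it is not wrapped in the fork's XXTEA/QUIC layer, so it is most useful on the client-facing side of a proxy node or as a corroborating check next to the beaconing logic.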

The attack campaign began no later than March 2023, when Space Pirates gained initial access through publicly exposed web services.

Over 19 months, they gradually infiltrated deeper into victim networks before being detected in late 2024.

During this period, they deployed over 20 different tools for reconnaissance, lateral movement, and persistence.

The compromised systems included critical infrastructure components such as Active Directory servers and administrative workstations.

In several cases, attackers used brute-force techniques to gain access to sensitive accounts.

Despite their extensive efforts, the attackers were ultimately identified through coordinated incident response measures.

The Space Pirates’ campaign highlights the growing threat posed by APT groups leveraging legitimate cloud services like OneDrive for malicious purposes.

Their ability to adapt open-source tools into highly effective malware demonstrates the need for advanced detection capabilities and proactive defense strategies within IT organizations.

Enhanced monitoring of cloud activity and robust network segmentation are essential measures to counter such sophisticated threats.


Mandvi
