Press releases

Avast Identifies APT Group Targeting Government Agencies in East Asia

The research indicates that the APT group LuckyMouse could be behind the attack, and was found using new and advanced tactics to access sensitive government data

The research indicates that the APT group LuckyMouse could be behind the attack, and was found using new and advanced tactics to access sensitive government data


Prague, Czech Republic, December 9, 2020 — Avast (LSE:AVST), a global leader in digital security and privacy products, has identified a new advanced persistent threats (APT) campaign targeting government agencies and a government data center in Mongolia. 

Avast Threat Intelligence researchers found that the APT group planted backdoors and keyloggers to gain long-term access to government networks belonging to the government of Mongolia. Avast researchers consider LuckyMouse, also known as EmissaryPanda and APT27, is likely to be behind the APT campaign. The group, which has previously attacked targets in the area, is well-known for going after national resources and political information on near neighbors. 

Following research and analysis, Avast researchers noticed the group has updated their tactics. For this attack, the group used both keyloggers and backdoors to upload a variety of tools that they used to scan the target network and dump credentials. They used this to access sensitive government data.

The tactics used by the APT group to access the infrastructure of government institutions  include accessing a vulnerable company who were providing services to the government, and through a malicious email attachment that was using weaponized documents via an unpatched CVE-2017-11882 vulnerability. 

“The APT group Lucky Mouse has been active since Autumn 2017 and has been able to avoid Avast attention in the last two years due to their evolving techniques and marked change of tactics. We were able to detect their new tactics to discover this campaign targeting the Mongolian government, showing how they’ve scaled their operations to be more advanced to gain longer term access to sensitive data.” says Luigino Camastra, malware researcher at Avast. 

A detailed technical summary can be found on the Avast Threat Intelligence blog Decoded.