Threat Actor Profile
High APT
Description

LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. LuminousMoth has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)

Confidence Score: 90%
Known Aliases: LuminousMoth
Tags: mitre-attack stix-2.1 intrusion-set
First Seen: Unknown
Last Updated: Unknown
Active Status: Active
Created: April 29, 2026


MITRE ATT&CK Techniques (28)
T1005 - Data from Local System (Collection)
T1560 - Archive Collected Data (Collection)
T1071.001 - Web Protocols (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1539 - Steal Web Session Cookie (Credential Access)
T1557.002 - ARP Cache Poisoning (Credential Access)
T1036.005 - Match Legitimate Resource Name or Locat… (Defense Evasion)
T1112 - Modify Registry (Defense Evasion)
T1553.002 - Code Signing (Defense Evasion)
T1564.001 - Hidden Files and Directories (Defense Evasion)
T1033 - System Owner/User Discovery (Discovery)
T1083 - File and Directory Discovery (Discovery)
T1053.005 - Scheduled Task (Execution)
T1204.001 - Malicious Link (Execution)
T1030 - Data Transfer Size Limits (Exfiltration)
T1041 - Exfiltration Over C2 Channel (Exfiltration)
T1567.002 - Exfiltration to Cloud Storage (Exfiltration)
T1566.002 - Spearphishing Link (Initial Access)
T1091 - Replication Through Removable Media (Lateral Movement)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
T1574.001 - DLL (Persistence)
T1587.001 - Malware (Resource Development)
T1588.001 - Malware (Resource Development)
T1588.002 - Tool (Resource Development)
T1588.004 - Digital Certificates (Resource Development)
T1608.001 - Upload Malware (Resource Development)
T1608.004 - Drive-by Target (Resource Development)
T1608.005 - Link Target (Resource Development)

STIX Data
{'aliases': ['LuminousMoth'],
 'created': '2023-02-23T15:31:38.829Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[LuminousMoth](https://attack.mitre.org/groups/G1014) is a '
                'Chinese-speaking cyber espionage group that has been active '
                'since at least October 2020. '
                '[LuminousMoth](https://attack.mitre.org/groups/G1014) has '
                'targeted high-profile organizations, including government '
                'entities, in Myanmar, the Philippines, Thailand, and other '
                'parts of Southeast Asia. Some security researchers have '
                'concluded there is a connection between '
                '[LuminousMoth](https://attack.mitre.org/groups/G1014) and '
                '[Mustang Panda](https://attack.mitre.org/groups/G0129) based '
                'on similar targeting and TTPs, as well as network '
                'infrastructure overlaps.(Citation: Kaspersky LuminousMoth '
                'July 2021)(Citation: Bitdefender LuminousMoth July 2021)',
 'external_references': [{'external_id': 'G1014',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1014'},
                         {'description': 'Botezatu, B and etl. (2021, July '
                                         '21). LuminousMoth - PlugX, File '
                                         'Exfiltration and Persistence '
                                         'Revisited. Retrieved October 20, '
                                         '2022.',
                          'source_name': 'Bitdefender LuminousMoth July 2021',
                          'url': 'https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited'},
                         {'description': 'Lechtik, M, and etl. (2021, July '
                                         '14). LuminousMoth APT: Sweeping '
                                         'attacks for the chosen few. '
                                         'Retrieved October 20, 2022.',
                          'source_name': 'Kaspersky LuminousMoth July 2021',
                          'url': 'https://securelist.com/apt-luminousmoth/103332/'}],
 'id': 'intrusion-set--b7f627e2-0817-4cd5-8d50-e75f8aa85cc6',
 'modified': '2025-04-16T20:37:32.806Z',
 'name': 'LuminousMoth',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Kyaw Pyiyt Htet, @KyawPyiytHtet',
                          'Zaw Min Htun, @Z3TAE'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}