Space Pirates

Space Pirates is a China-linked, likely Chinese-speaking cyber-espionage threat cluster first named by Positive Technologies. The group has been active since at least 2017 and primarily targets government institutions and organizations in the aerospace, IT, and electric power sectors, with victims identified in Russia, Georgia, and Mongolia. Reporting also notes related targeting of Russian organizations following the invasion of Ukraine, and some activity against Chinese financial companies. Positive Technologies assessed the group’s primary objectives as espionage and theft of confidential information; in successful intrusions, the actors maintained long-term persistence, compromised numerous hosts and servers, and stole more than 1,500 internal documents and employee account information. Space Pirates has been associated with spearphishing and phishing emails delivering malicious Office and RTF documents, including Royal Road-built lures and documents exploiting CVE-2018-0798. The group has used DLL side-loading, reflective loading, UAC bypass, COM hijacking, scheduled persistence, custom encrypted or encoded command-and-control protocols, signed binaries, and stolen certificates. Infrastructure has included DDNS-based command-and-control with deeply nested subdomains. Its malware arsenal includes group-specific or closely associated families such as MyKLoadClient, BH_A006, and Deed RAT, as well as Zupdax, PlugX, ShadowPad, Poison Ivy, a modified PcShare variant referred to as RtlShare, ReVBShell, dog-tunnel, and Bisonal RAT. MyKLoadClient has been delivered through spearphishing using SFX archives and DLL side-loading or via a custom dropper; it supports shell access, disk enumeration, file transfer, and proxying. Zupdax is described as a long-running backdoor used in related activity. Reporting also states that a malicious DLL used in later China-linked intrusions had previously been used in attacks linked to Space Pirates. Attribution remains complicated by tool sharing and operational overlap. Public reporting describes overlaps with TA428, Bronze Union/APT27, Winnti/APT41, RedFoxtrot, Mustang Panda, Night Dragon-linked activity, FishMonger (Aquatic Panda), SixLittleMonkeys, Kelp/Salt Typhoon, and Earth Longzhi. Positive Technologies highlighted especially strong overlap with TA428 and Bronze Union/APT27, while other reporting noted tactical overlap with China-aligned clusters including FishMonger, SixLittleMonkeys, and UnsolicitedBooker. Despite these overlaps, multiple sources describe Space Pirates itself as a China-based or China-linked threat actor.