Space Pirates
Space Pirates is a China-linked espionage threat cluster named by Positive Technologies (PT ESC), which stated it could not unambiguously link the activity to a previously known group and therefore assigned the new name “Space Pirates.” PT ESC reported the group has been active since at least 2017 and primarily targets government institutions and organizations in the aerospace, IT, and electric power sectors in Russia, Georgia, and Mongolia. PT ESC also noted some attacks against Chinese financial services companies, suggesting possible financial motivation in addition to espionage. At least two intrusions against Russian organizations were reported as successful, including long-term persistence, compromise of at least 20 servers in one case, theft of more than 1,500 internal documents, and access to employee account information. According to PT ESC, Space Pirates’ malware arsenal includes unique or cluster-specific families such as MyKLoadClient, BH_A006, and Deed RAT, as well as Zupdax, PlugX, ShadowPad, Poison Ivy, a modified PcShare variant referred to as RtlShare, ReVBShell, and dog-tunnel. Reported tradecraft includes spearphishing, SFX archives, DLL side-loading, reflective loading, UAC bypass, COM hijacking, modular plugin architectures, custom encrypted or encoded command-and-control protocols, use of signed binaries, and use of stolen certificates. PT ESC described core infrastructure as relying on a small number of IP addresses referenced by DDNS domains, including deeply nested subdomains. PT ESC assessed the actor as likely of Asian, probably Chinese-speaking, origin based on Chinese-language artifacts, PDB paths, and tooling. Multiple sources explicitly describe Space Pirates as China-based or China-linked.
Attribution is complicated, however, by extensive tool sharing and operational overlap with other China-nexus clusters, including Winnti/APT41, Bronze Union/APT27, TA428, RedFoxtrot, Mustang Panda, Night Dragon-linked activity, FishMonger (Aquatic Panda), SixLittleMonkeys, Kelp/Salt Typhoon, and Earth Longzhi. PT ESC highlighted especially strong overlap with TA428 and Bronze Union/APT27, including shared infrastructure, malware-loading chains, and overlap in the Able Desktop supply-chain compromise context. Reporting also notes that Webworm overlaps with FishMonger, SixLittleMonkeys, and Space Pirates, and that UnsolicitedBooker showed tactical overlaps with Space Pirates. Reporting further states that a malicious DLL used in a 2025 China-linked intrusion had previously been used in attacks linked to Space Pirates, and that DLL side-loading via the legitimate VipreAV component vetysafe.exe loading sbamres.dll is among the techniques associated with activity overlapping Space Pirates.
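As an added detection example (not code from the page, PT ESC, or Mallory), the following Python checks Sysmon-style image-load records for the vetysafe.exe/sbamres.dll side-loading pattern described above, flagging loads where the host binary sits outside its expected install directory or the DLL is unsigned. The install directories and the sample events are assumptions constructed for the example.

```python
"""Flag the vetysafe.exe -> sbamres.dll side-loading pattern in image-load telemetry."""
from pathlib import PureWindowsPath

# Assumed legitimate VipreAV install directories (adjust to your estate).
EXPECTED_PARENT_DIRS = {r"c:\program files\vipre", r"c:\program files (x86)\vipre"}
TARGET_HOST = "vetysafe.exe"
TARGET_DLL = "sbamres.dll"


def is_suspicious_sideload(event: dict) -> bool:
    """True when vetysafe.exe loads sbamres.dll from an unexpected directory or the DLL is unsigned.

    Field names follow Sysmon Event ID 7 (ImageLoad): Image, ImageLoaded, Signed, SignatureStatus.
    """
    image = PureWindowsPath(event.get("Image", ""))
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if image.name.lower() != TARGET_HOST or loaded.name.lower() != TARGET_DLL:
        return False
    host_dir = str(image.parent).lower()
    dll_dir = str(loaded.parent).lower()
    # A benign load has both the host EXE and the DLL in the expected install directory.
    in_expected = host_dir in EXPECTED_PARENT_DIRS and dll_dir == host_dir
    # Side-loaded payloads are typically unsigned; the legitimate sbamres.dll carries a valid signature.
    signed = event.get("Signed", "").lower() == "true" and event.get("SignatureStatus", "") == "Valid"
    return not (in_expected and signed)


def scan(events: list) -> list:
    """Return the subset of events that match the suspicious side-load pattern."""
    return [e for e in events if is_suspicious_sideload(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\VIPRE\vetysafe.exe", "ImageLoaded": r"C:\Program Files\VIPRE\sbamres.dll",
     "Signed": "true", "SignatureStatus": "Valid"},                       # benign: expected dir, signed
    {"Image": r"C:\Users\Public\vetysafe.exe", "ImageLoaded": r"C:\Users\Public\sbamres.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},                # suspicious: relocated host + unsigned DLL
    {"Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},                       # unrelated load
    {"Image": r"C:\Program Files\VIPRE\vetysafe.exe", "ImageLoaded": r"C:\Program Files\VIPRE\sbamres.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},                # suspicious: DLL replaced in place
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("suspicious side-load:", hit["Image"], "->", hit["ImageLoaded"])
```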
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Software & Services
- Capital Goods
- Utilities
- Financial Services
Where they target
Geographies tied to known operations.
- 🇷🇺 Russia
- 🇬🇪 Georgia
- 🇲🇳 Mongolia
- 🇨🇳 China
Tradecraft
61 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
23 malware families attributed to this actor across reporting.
18 additional families tracked in Mallory.
Associated vulnerabilities
4 CVEs this actor has used in observed campaigns. 4 of them exploited in the wild.
Privilege Escalation T1068 Exploitation for Privilege Escalation: The Space Pirates group may use the CVE-2017-0213 vulnerability for privilege escalation.
...exploitation of the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
...the source of their infection turned out to be an Exchange mail server that had been compromised back in summer 2024 through exploitation of the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
Observables
533 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
China-nexus activity cluster noted as overlapping with Webworm.
Referenced as a separate activity cluster with tactical overlaps to UnsolicitedBooker; no additional operational details provided in this content.
Referenced as an activity cluster with tactical overlaps to UnsolicitedBooker; no additional operational details provided in this content.
China-linked actor referenced in connection with prior use of a malicious DLL (sbamres.dll) and DLL sideloading-style tradecraft.