That can't be legal, latest hack targets law firms

Mar 02 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that’s pumping like a Peloton.

Today’s hottest cyber security stories:

  • Hacker malfeasance targets SIX law firms
  • China linked to ‘spear-phishing’ attack on Belgian MP
  • (Not so) ‘Lucky Mouse’ malware in the house


Threat actors (cyber-speak for naughty hackers!) targeted not one but six defendants – sorry – law firms during January and February 2023.

MAL-BO: First Blood

The first strike, which targeted employees of legal firms, sought to infect victims’ machines with GootLoader, a malware family known for installing the Cobalt Strike implant, REvil ransomware, and GootKit remote access trojan (RAT). Spoiler alert, none of those are good.

There’s a silver lining here, though, folks. None of the detected GootLoader infections in 2022 released ransomware; eSentire (the cybersecurity firm that discovered and announced the hacks) claims that the ‘motions’ (more where that came from) appear to be concentrated on spying and exfiltration efforts.

Does this SEO smell like chloroform to you?

The attackers used SEO poisoning to gain initial access, adding blog articles to a legitimate WordPress website that had been hijacked.

Legal keywords were used on the GootLoader-infected blogs to draw in legal professionals and boost the pages’ search engine rankings.

GootLoader was served to visitors who were redirected to a bogus forum website that encouraged them to download a purported agreement or contract template. This is GootLoader’s bread and butter – contracts and legal agreements that show up in Google searches and look legitimate. Classic Goot, that is.


The absence of ransomware suggests that some of these GootLoader attacks may be politically motivated and, worst case scenario, may be, for example, Russian or Chinese operatives looking to carry out espionage on the West.

Objection, your Honour! Sustained, this has been happening a lot over the last few years…

As well as avoiding dodgy downloads, you should also keep an eye out for warning indications like:

  • A JavaScript file being run by Wscript (Windows Script Host).
  • A file whose name matches “*agreement*.js”.
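To show how those two indicators turn into a detection, here is an added example (not from the newsletter or eSentire) that scans constructed process-creation log lines for a .js file launched by wscript.exe and for file names matching the “*agreement*.js” lure pattern; the log format, host names and the extra “*contract*.js” pattern are assumptions for illustration.

```python
import fnmatch
import re

# Constructed process-creation events (not real telemetry), in a key=value
# shape loosely resembling what an EDR agent or Sysmon forwarder would emit.
SAMPLE_EVENTS = [
    'ts=2023-02-14T09:12:03Z host=WS-LAW-07 image=C:\\Windows\\System32\\wscript.exe '
    'cmdline="wscript.exe C:\\Users\\jdoe\\Downloads\\Non_Disclosure_Agreement_Template(12345).js"',
    'ts=2023-02-14T09:12:09Z host=WS-LAW-07 image=C:\\Windows\\System32\\cmd.exe '
    'cmdline="cmd.exe /c dir"',
    'ts=2023-02-14T10:01:44Z host=WS-LAW-02 image=C:\\Windows\\System32\\wscript.exe '
    'cmdline="wscript.exe C:\\Temp\\cleanup.vbs"',
    'ts=2023-02-14T10:15:00Z host=WS-LAW-03 image=C:\\Tools\\editor.exe '
    'cmdline="editor.exe C:\\Users\\bwong\\Documents\\lease_agreement.js"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
JS_PATH_RE = re.compile(r'[^\s"]+\.js\b', re.IGNORECASE)
# "*agreement*.js" is the indicator from the write-up; "*contract*.js" is an
# assumed extension covering the contract-template lure theme it describes.
LURE_PATTERNS = ("*agreement*.js", "*contract*.js")

def parse_event(line: str) -> dict:
    # Split one key=value line into a dict, stripping surrounding quotes.
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]

def scan(lines) -> list:
    # Emit a finding for every event matching at least one GootLoader indicator.
    findings = []
    for line in lines:
        ev = parse_event(line)
        match = JS_PATH_RE.search(ev.get("cmdline", ""))
        if not match:                         # no .js file on the command line
            continue
        script = basename(match.group(0))
        hits = []
        if basename(ev.get("image", "")).lower() == "wscript.exe":
            hits.append("wscript_runs_js")    # indicator 1: WSH executing JavaScript
        if any(fnmatch.fnmatch(script.lower(), p) for p in LURE_PATTERNS):
            hits.append("lure_named_js")      # indicator 2: legal-template file name
        if hits:
            findings.append({"host": ev.get("host", "?"), "script": script,
                             "indicators": hits, "severity": "high" if len(hits) == 2 else "medium"})
    return findings
```

Both indicators firing on the same event (wscript.exe launching an “agreement” .js) is scored high; either one alone is medium, which keeps a .vbs maintenance script run by wscript.exe out of the results.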

Stay safe out there… The jury’s still out on who exactly is responsible. But here’s hoping when the perpetrators are brought to justice, the judge brings down the gavel hard and really throws the eBook at them.


Gotta love the cyber terminology, right? So, we’ve mentioned this once or twice before but for the fresh phish, here’s a brief explanation of spear-phishing:

Spear-phishing is when a phishing campaign targets a specific individual or organisation, rather than just casting a wide net and hoping for the best. It’s a bit like targeted advertising in that respect. Except evil. Or eviller (more evil?), should we say? STOP SPYING ON US FACEBOOK AND GOOGLE AND YOUTUBE! Ahem, sorry about that.

So yeah, Belgian MP Samuel Cogolati was named by authorities last month as being the subject of a cyberattack around January 2021 when he wrote a resolution to warn of “crimes against humanity” against Uyghur Muslims in China.

Needless to say, China didn’t like Cogolati’s resolution. Just like China (government, not Chinese people) doesn’t like Muslims. And China’s leader, Xi Jinping, banned Winnie the Pooh because he doesn’t like people saying he looks like him. No joke. We think it’s Winnie who should be offended!

Balls of steel, Belgium!

The meat of this story, IMO, though is the David versus Goliath element at play here…

Indeed, Belgium’s foreign ministry last year took the unusual step of asking China’s government to rein in its malicious cyber activity. Why is this noteworthy?

Well, according to Christopher Ahlberg (co-founder of cyber intelligence firm Recorded Future): “For a small country like Belgium, it’s pretty gutsy. It was pretty much non-existent for European countries to attribute attacks to China four to five years ago. The consistent complaints have become harder for China to ignore.”

Go on, Belgium! Keep piling that political pressure on. Shine on you crazy diamond!


It’s Lucky Mouse malware, to be precise, and you won’t be feeling too lucky if this creepy little creature scurries across your carpet. Cyber carpet, that is. It’s a metaphor, dammit.

So, here’s the scoop. Lucky Mouse has developed a Linux (third most popular operating system after Windows and macOS) version of a malware toolkit called SysUpdate, expanding on its ability to target devices running the operating system.

The oldest version of the updated artifact dates back to July 2022, with the malware incorporating new features designed to evade security software and resist reverse engineering. It’s learning…

Cybersecurity company Trend Micro said it observed the equivalent Windows variant in June 2022, nearly one month after the command-and-control (C2) infrastructure was set up.

Other monikers for Lucky Mouse:

  • APT27
  • Bronze Union
  • Emissary Panda
  • Iron Tiger

It’s known to utilize a variety of malware such as:

  • SysUpdate
  • HyperBro
  • PlugX
  • Linux backdoor dubbed rshell

There’s some good news, though. Well, depending on where you’re reading this from… Lucky Mouse’s latest string of attacks seems to be limited to Southeast Asia – gambling sites, to be precise.

So, unless you’re a Southeast Asian gambling addict, rest easy. For now…

So long and thanks for reading all the phish!
