The Budworm APT group [1] [3] [4] [5] [6] [7], also known as LuckyMouse or APT27 [3] [4] [6] [7], continues to develop its cyber-espionage toolkit [4] [7]. In a campaign observed in August 2023 [1], the group targeted a telecommunications organization in the Middle East and an Asian government using an updated version of its SysUpdate backdoor [7]. The sections below describe the intrusion, the tooling involved, and what defenders should watch for.


Since 2020 [1] [2], Budworm has used the remote access trojan (RAT) known as SysUpdate [1]. The RAT can execute commands, retrieve data [1], and capture screenshots on infected systems [1]. In the recent campaign [1], the group deployed an updated SysUpdate build [4], shipped as the DLL ‘inicore_v2.3.30.dll’ [3] [4] [6], against its victims.

To deliver the backdoor, Budworm abuses the legitimate executable ‘INISafeWebSSO.exe’: the program loads the malicious DLL into its own process, so SysUpdate runs inside a trusted, signed host (DLL sideloading) [1]. Security tools that judge activity by the image that started the process see only a legitimate binary, which is what makes the technique effective at evading detection. The tell-tale signs are the ones sideloading always leaves behind: a legitimate executable launched from a directory it was never installed in (a user profile, temp or Public folder), and an unsigned or oddly versioned DLL sitting beside it that the executable then loads. Using a purpose-built loader chain of this kind, rather than a commodity dropper, is consistent with Budworm’s customized approach.
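To show how the sideloading pattern above can be turned into a detection, here is an added example (not code from the original page and not from any vendor or from Budworm’s tooling) that scans image-load telemetry for the INISafeWebSSO.exe / inicore_v2.3.30.dll pairing and, more generally, for any process that loads an unsigned DLL from its own directory in a user-writable location. The input lines are constructed for this example in a pipe-delimited form; the field names (Image, ImageLoaded, Signed, SignatureStatus) follow Sysmon Event ID 7, but the directory names, the vendor folder and the generic `updater.exe`/`version.dll` pair are placeholders, not observed indicators.

```python
"""Flag DLL-sideloading candidates in image-load telemetry (added example).

Input lines mimic Sysmon Event ID 7 (ImageLoaded) fields but are CONSTRUCTED
for this example. The install directory, the sample user paths and the generic
updater.exe/version.dll pair are placeholders, not real indicators.
"""
from dataclasses import dataclass

# Legitimate host executable and the DLL name reported in the campaign.
HOST_EXE = "inisafewebsso.exe"
WATCHED_DLL = "inicore_v2.3.30.dll"

# Directory prefixes an ordinary user can write to (normalised: lower-case,
# backslash separators). Extend for your environment.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "c:\\temp\\",
)

# Constructed sample telemetry: a clean install, a sideload in a Public folder,
# a normal system load, and a generic unsigned DLL beside an unknown host.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\INISAFE\\INISafeWebSSO.exe|ImageLoaded=C:\\Program Files\\INISAFE\\inicore_v2.3.30.dll|Signed=true|SignatureStatus=Valid",
    "Image=C:\\Users\\Public\\INISafeWebSSO.exe|ImageLoaded=C:\\Users\\Public\\inicore_v2.3.30.dll|Signed=false|SignatureStatus=Unavailable",
    "Image=C:\\Windows\\System32\\svchost.exe|ImageLoaded=C:\\Windows\\System32\\ntdll.dll|Signed=true|SignatureStatus=Valid",
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll|Signed=false|SignatureStatus=Unavailable",
]


@dataclass
class ImageLoad:
    image: str            # path of the process executable
    image_loaded: str     # path of the DLL that was mapped into it
    signed: bool          # Signed == true
    signature_valid: bool # SignatureStatus == Valid


def _split(path: str):
    """Normalise a Windows path and return (directory, leaf), both lower-case.
    Done by hand so the code behaves the same on non-Windows analysis hosts."""
    p = path.replace("/", "\\").lower()
    directory, _, leaf = p.rpartition("\\")
    return directory, leaf


def in_user_writable_dir(path: str) -> bool:
    p = path.replace("/", "\\").lower()
    return any(p.startswith(prefix) for prefix in USER_WRITABLE_PREFIXES)


def parse_event(line: str) -> ImageLoad:
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature_valid=fields.get("SignatureStatus", "").lower() == "valid",
    )


def sideload_reasons(ev: ImageLoad) -> list:
    """Return the reasons an image-load event looks like sideloading ([] if none).

    Rule 1: the known host/DLL pair is flagged only when the DLL is unsigned or
    the host runs from a user-writable directory, so a clean vendor install in
    Program Files stays quiet.
    Rule 2 (generic): any host that loads an unsigned DLL from its own directory
    inside a user-writable location.
    """
    reasons = []
    host_dir, host = _split(ev.image)
    dll_dir, dll = _split(ev.image_loaded)
    dll_ok = ev.signed and ev.signature_valid

    if host == HOST_EXE and dll == WATCHED_DLL:
        if not dll_ok:
            reasons.append("dll-unsigned-or-invalid")
        if in_user_writable_dir(ev.image):
            reasons.append("host-in-user-writable-dir")
        if reasons:
            reasons.insert(0, "known-sideload-pair")
    elif (not dll_ok) and host_dir == dll_dir and in_user_writable_dir(ev.image_loaded):
        reasons.append("unsigned-dll-beside-host-in-user-writable-dir")
    return reasons


def scan(lines) -> list:
    """Return [(dll_path, reasons), ...] for every line that triggers a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev.image_loaded, reasons))
    return hits


if __name__ == "__main__":
    for dll_path, reasons in scan(SAMPLE_EVENTS):
        print(f"{dll_path}: {', '.join(reasons)}")
```

Run against the constructed sample, the clean Program Files load and the svchost/ntdll load produce no hits, while the Public-folder copy of the host with its unsigned DLL and the generic unsigned `version.dll` beside `updater.exe` are both flagged. In production you would feed real Sysmon or EDR image-load events through `parse_event`, and tune `USER_WRITABLE_PREFIXES` to the paths your users can actually write to.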

The attack was detected and stopped early, and the activity observed before that point was focused on credential harvesting. Alongside its custom malware, Budworm relies on publicly available tools such as AdFind [4], Curl [1] [2], SecretsDump [1] [2], and PasswordDumper [1] [2]. Together these support credential dumping [1] [2], network mapping [1] [2], and data theft [1] [2] [4] [6] [7].

The SysUpdate backdoor gives its operators capabilities including service manipulation and command execution [4] [6] [7]. Budworm has been active since at least 2013 and primarily targets high-value victims in the government [4] [6] [7], technology [4] [6] [7], and defense sectors [4] [6] [7]. This campaign fits that targeting profile, and its objective is intelligence gathering [4] [6] [7].

The updated SysUpdate build confirms that Budworm remains active and is still investing in its tooling [4] [6] [7]. Organizations in the sectors it targets should treat the group as a live threat and adapt their defenses accordingly [4] [6] [7]. Telecommunications companies are a frequent target of state-sponsored and other APT groups more generally: other recent incidents involved the installation of custom backdoors named HTTPSnoop and LuaDream [2], which give attackers persistent access to the compromised networks [2].


Budworm’s recent campaign shows why organizations in its target sectors need to stay vigilant and keep adapting their defenses against cyber-espionage. Telecommunications companies [2] in particular should expect to be targeted by state-sponsored and APT groups. Practical mitigations follow from the tradecraft described above: monitor for legitimate signed executables launched from unusual locations or loading unexpected DLLs, alert on tools such as AdFind, SecretsDump and Curl appearing on hosts where they have no business, and harden against the kind of backdoor access that SysUpdate, HTTPSnoop and LuaDream provide. Budworm’s continued development of its toolkit makes ongoing research and defensive improvement a necessity rather than an option.