Chinese Hackers Backdoored MiMi Chat App to Target Windows, Linux, macOS Users

A pair of reports from cybersecurity firms SEKOIA and Trend Micro sheds light on a new campaign undertaken by a Chinese threat actor named Lucky Mouse that involves leveraging a trojanized version of a cross-platform messaging app to backdoor systems.

Infection chains leverage a chat application called MiMi, with its installer files compromised to download and install HyperBro samples for the Windows operating system and rshell artifacts for Linux and macOS.

As many as 13 different entities located in Taiwan and the Philippines have been at the receiving end of the attacks, eight of which have been hit with rshell. The first victim of rshell was reported in mid-July 2021.

Lucky Mouse, also called APT27, Bronze Union, Emissary Panda, and Iron Tiger, has been active since 2013 and has a history of gaining access to targeted networks in pursuit of political and military intelligence-collection objectives aligned with China.

The advanced persistent threat (APT) actor is also adept at exfiltrating high-value information using a wide range of custom implants such as SysUpdate, HyperBro, and PlugX.

The latest development is significant, not least because it marks the threat actor’s introductory attempt at targeting macOS alongside Windows and Linux.

MiMi Chat App

The campaign has all the hallmarks of a supply chain attack in that the backend servers hosting the app installers of MiMi are controlled by Lucky Mouse, thus making it possible to tweak the app to retrieve the backdoors from a remote server.

This is borne out by the fact that the app's macOS version 2.3.0 was tampered with to insert malicious JavaScript code on May 26, 2022. While this may have been the first compromised macOS variant, versions 2.2.0 and 2.2.1 built for Windows have been found to incorporate similar additions as early as November 23, 2021.
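Because the download servers themselves were under the attacker's control, a checksum published next to the installer proves nothing. The check below is an added Python example, not code from the SEKOIA or Trend Micro reports: it hashes every file in an unpacked app directory and compares the result with a manifest captured earlier from a known-good copy, reporting files that were added, removed or modified. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_manifest(trusted, observed):
    """Compare a trusted manifest against the observed tree; return the findings."""
    added = sorted(set(observed) - set(trusted))
    removed = sorted(set(trusted) - set(observed))
    modified = sorted(p for p in trusted if p in observed and trusted[p] != observed[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: capture a manifest, then alter the bundle and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app"
        (app / "resources").mkdir(parents=True)
        (app / "resources" / "main.js").write_text("console.log('hello');\n")
        (app / "package.json").write_text('{"name": "demo"}\n')
        trusted = hash_tree(app)  # baseline taken from the known-good copy
        # Simulate a tampered build: one shipped script changed, one file added.
        (app / "resources" / "main.js").write_text("console.log('hello');\n// changed\n")
        (app / "resources" / "extra.js").write_text("// not in the baseline\n")
        return diff_manifest(trusted, hash_tree(app))


if __name__ == "__main__":
    print(demo())
```

The manifest must be stored out of band (or signed with a key the vendor's servers never held); a manifest fetched from the same compromised host would simply describe the backdoored build.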

rshell, for its part, is a standard backdoor that comes with all the usual bells and whistles, allowing for the execution of arbitrary commands received from a command-and-control (C2) server and transmitting the results of the execution back to the server.
