Proprietary · 2021-11-23 · 266 days · Backdoor, Remote Access, Data Theft

MiMi installers carried Iron Tiger backdoors

Iron Tiger compromised MiMi's official desktop installers. Windows builds carried HyperBro, while macOS and Linux installers delivered rshell for cross-platform remote access.

Story

MiMi was an Electron chat application distributed from the vendor's own site. Trend Micro reported that attackers replaced or built official desktop packages with malware for Windows, macOS, and Linux, so users received a working chat client and a covert access channel.

The Windows compromise sat closest to the build pipeline. Trend Micro found backdoor code inserted before the main MiMi window was created, then compiled into MiMi 2.2.0 and 2.2.1. The added loader launched HyperBro and then returned control to the application, so the client behaved normally.

The macOS and Linux path delivered rshell. SEKOIA documented a MiMi 2.3.0 DMG hosted at mimi.mimi3.org on 2022-05-26, with the payload placed under MiMi.app/Contents/Resources/rshell. The implant collected host data and opened a remote shell.

Public reporting attributed the operation to Iron Tiger, also tracked as LuckyMouse or APT27. The campaign was espionage-focused and cross-platform; public sources did not give a reliable victim count.

Affected Artifacts

MiMi

macOS DMG · mimi.mimi3.org · Binary Archive
Observed
2022-05-26 to 2022-08-16
Compromised Versions
Fixed
Not listed
Hashes
  • sha256:f6e0e5c9b9d43e008805644d937770b399f859cbba475ad837805d9adec13a2c
  • sha256:4742c1987fdd968d7f094dc5a3ea3e9b5340b47e5a61846ac6ac7ae03fc7288f
  • sha256:64e771c894616100202e83f3574f8accc8453138af6709367c99157e33bb613a
  • +1 more
Evidence
  • distribution: mimi.mimi3.org/mimi/mimi-mac.dmg
  • mirror: blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos
  • family: rshell
  • path: /Volumes/MiMi 2.3.0/MiMi.app/Contents/Resources/rshell
  • +2 more
  • SEKOIA observed the MiMi 2.3.0 DMG on the official MiMi site with a 2022-05-26 timestamp.
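The hashes and bundle path above are the concrete things a defender can check a downloaded MiMi DMG against. The script below is an added example, not code from the page's sources or the MiMi project: it walks a mounted image (or any directory), flags files whose SHA-256 matches one of the hashes listed on this page, and separately flags an `.app` bundle that contains a file at the `Contents/Resources/rshell` location SEKOIA reported. The `build_sample_tree` helper creates a constructed bundle layout in a temporary directory so the scan can be run offline; its file contents are invented placeholders, not the real payload.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 values listed on this page for the trojanised MiMi 2.3.0 DMG.
KNOWN_BAD_SHA256 = {
    "f6e0e5c9b9d43e008805644d937770b399f859cbba475ad837805d9adec13a2c",
    "4742c1987fdd968d7f094dc5a3ea3e9b5340b47e5a61846ac6ac7ae03fc7288f",
    "64e771c894616100202e83f3574f8accc8453138af6709367c99157e33bb613a",
}

# Bundle-relative location where SEKOIA found the rshell payload
# (/Volumes/MiMi 2.3.0/MiMi.app/Contents/Resources/rshell).
SUSPICIOUS_BUNDLE_PATHS = {Path("Contents/Resources/rshell")}


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def bundle_relative(path):
    """Return the path relative to the innermost enclosing .app bundle, or None."""
    parts = path.parts
    for i in range(len(parts) - 1, -1, -1):
        if parts[i].endswith(".app"):
            return Path(*parts[i + 1:])
    return None


def scan_mounted_image(root, known_bad=KNOWN_BAD_SHA256,
                       suspicious=SUSPICIOUS_BUNDLE_PATHS):
    """Walk `root` and return a list of findings.

    Each finding is a dict with the file path, the reason it was flagged
    ("hash-match" or "payload-path") and its SHA-256, so the result can be
    logged or fed into a ticket without re-hashing.
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digest = sha256_of(path)
        if digest in known_bad:
            findings.append({"path": str(path), "reason": "hash-match",
                             "sha256": digest})
        rel = bundle_relative(path)
        if rel is not None and rel in suspicious:
            findings.append({"path": str(path), "reason": "payload-path",
                             "sha256": digest})
    return findings


def build_sample_tree():
    """Create a constructed MiMi-like bundle in a temp dir (placeholder bytes only)."""
    root = Path(tempfile.mkdtemp(prefix="mimi-scan-"))
    app = root / "MiMi 2.3.0" / "MiMi.app" / "Contents"
    benign = app / "MacOS" / "MiMi"
    payload = app / "Resources" / "rshell"
    benign.parent.mkdir(parents=True)
    payload.parent.mkdir(parents=True)
    benign.write_bytes(b"constructed placeholder for the Electron binary\n")
    payload.write_bytes(b"constructed placeholder standing in for the payload\n")
    return {"root": str(root), "benign": str(benign), "rshell": str(payload)}


if __name__ == "__main__":
    sample = build_sample_tree()
    for finding in scan_mounted_image(sample["root"]):
        print(f"{finding['reason']:12} {finding['sha256'][:16]}...  {finding['path']}")
```

On a real machine the `root` argument would be the mount point of the downloaded DMG (for example `/Volumes/MiMi 2.3.0`). The path check is deliberately independent of the hash check: a rebuilt installer with a fresh payload would miss the hash list but still place a file where no legitimate Electron bundle needs one, which is the cheaper signal to keep watching after the listed hashes go stale.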

Incident Context

Motive
Espionage
Attribution
State
Cause
Website Compromise
Transitive
No
Actor
Iron Tiger
Actor Country
China

Indicators

  • family: HyperBro
  • family: rshell
  • group: Iron Tiger
  • group: LuckyMouse
  • group: APT27
  • url: https://mimi.mimi3.org:443/mimi/mimi-mac.dmg
  • file: mimi32.exe
  • file: mimi32 2.exe
  • file: rshell
  • path: /Volumes/MiMi 2.3.0/MiMi.app/Contents/Resources/rshell
  • ip: 139.180.216.65
  • ip: 103.79.76.88
  • ip: 103.79.77.178

External References

Source record: proprietary/mimi/meta.yaml