MiMi installers carried Iron Tiger backdoors
Iron Tiger compromised MiMi's official desktop installers. Windows builds carried HyperBro, while macOS and Linux installers delivered rshell for cross-platform remote access.
Story
MiMi was an Electron chat application distributed from the vendor's own site. Trend Micro reported that attackers replaced or built official desktop packages with malware for Windows, macOS, and Linux, so users received a working chat client and a covert access channel.
The Windows compromise sat closest to the build process. Trend Micro found backdoor code inserted into the application's startup path, ahead of the code that creates the main MiMi window, and then compiled into MiMi 2.2.0 and 2.2.1. The added loader started HyperBro and passed control back to the application, so the chat client appeared to behave normally.
The macOS and Linux path delivered rshell. SEKOIA documented a MiMi 2.3.0 DMG hosted at mimi.mimi3.org on 2022-05-26, with the payload placed under MiMi.app/Contents/Resources/rshell. The implant collected host data and opened a remote shell.
Public reporting attributed the operation to Iron Tiger, also tracked as LuckyMouse or APT27. The campaign was espionage-focused and cross-platform; public sources did not give a reliable victim count.
Affected Artifacts
- Windows (HyperBro)
  - Observed: 2021-11-23 to 2022-08-16
  - Fixed: Not listed
  - Evidence: distribution: mimi.mimi3.org; mirror: trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html; family: HyperBro; file_sha1: mimi32.exe f0dce203dcdb9619e83b66b0de6fec711b0df9e1; +3 more
  - Trend Micro reported that the Windows backdoor code was present in MiMi 2.2.0 and 2.2.1 before compilation.
- macOS (rshell)
  - Observed: 2022-05-26 to 2022-08-16
  - Compromised Versions:
  - Fixed: Not listed
  - Hashes:
    - sha256:f6e0e5c9b9d43e008805644d937770b399f859cbba475ad837805d9adec13a2c
    - sha256:4742c1987fdd968d7f094dc5a3ea3e9b5340b47e5a61846ac6ac7ae03fc7288f
    - sha256:64e771c894616100202e83f3574f8accc8453138af6709367c99157e33bb613a
    - +1 more
  - Evidence: distribution: mimi.mimi3.org/mimi/mimi-mac.dmg; mirror: blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos; family: rshell; path: /Volumes/MiMi 2.3.0/MiMi.app/Contents/Resources/rshell; +2 more
  - SEKOIA observed the MiMi 2.3.0 DMG on the official MiMi site with a 2022-05-26 timestamp.
- Linux (rshell)
  - Observed: 2022-05-26 to 2022-08-16
  - Compromised Versions: Unknown
  - Fixed: Not listed
  - Evidence: distribution: mimi.mimi3.org; mirror: trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html; family: rshell; file_sha256: rshell d0fec5c5e2687e76af07a4a3c6e2e2b02789838c0b802f5041443ab482bc3498; +5 more
  - Public sources did not name a specific affected Linux package version.
Incident Context
- Motive: Espionage
- Attribution: State
- Cause: Website Compromise
- Transitive: No
- Actor: Iron Tiger
- Actor Country: China
Indicators
- family: HyperBro
- family: rshell
- group: Iron Tiger
- group: LuckyMouse
- group: APT27
- url: https://mimi.mimi3.org:443/mimi/mimi-mac.dmg
- file: mimi32.exe
- file: mimi32 2.exe
- file: rshell
- path: /Volumes/MiMi 2.3.0/MiMi.app/Contents/Resources/rshell
- ip: 139.180.216.65
- ip: 103.79.76.88
- ip: 103.79.77.178
External References
- Iron Tiger Compromises Chat Application MiMi, Targets Windows, Mac, and Linux Users (trendmicro.com)
- Iron Tiger APT is behind a supply chain attack that employed messaging app MiMi (securityaffairs.com)
- Chinese Hackers Backdoored MiMi Chat App to Target Windows, Linux, macOS Users (thehackernews.com)
- Chinese Hacker Compromised MiMi Chat App Supply Chain (infosecurity-magazine.com)
- Chinese Hackers Backdoored MiMi Chat App to Target Windows, Linux, macOS Users (cybersecuritynews.com)
- LuckyMouse uses a backdoored Electron App to target macOS (blog.sekoia.io)
Source record: proprietary/mimi/meta.yaml