status: active | threat classification: nation-state | last updated: 2025-03-27

TA413 / Lucky Cat

also known as: Lucky Cat, White Dev 9, Tropic Trooper (partial overlap)

A Chinese state-aligned APT group with a singular, decade-long focus: surveillance of the global Tibetan diaspora. TA413 delivers spyware through spear-phishing emails impersonating the Bureau of His Holiness the Dalai Lama and Tibetan civil society organizations, targeting communities where trust in those institutions is deeply established. Its defining operational trait is indifference to exposure: public disclosure of TA413's tools and infrastructure has not led to meaningful operational changes, and the same sender Gmail accounts and social engineering templates have been reused across years of reporting.

attributed origin China
suspected sponsor Chinese Communist Party — state interest alignment
first observed ~2011 (Lucky Cat documented 2012; TA413 tracking from 2020)
primary motivation Civil dissident surveillance / Espionage
primary targets Tibetan diaspora, Tibetan government-in-exile, Tibetan civil society
known campaigns 6+ confirmed
mitre att&ck group Not formally catalogued (see G0081 / Tropic Trooper overlap notes)
target regions South Asia, Europe (secondary), India, Japan (historical)
threat level HIGH

Overview

TA413 is a Chinese state-aligned advanced persistent threat group first formally tracked by Proofpoint in September 2020, though its operational history predates that attribution by nearly a decade. The group's earliest publicly documented activity appears under the Lucky Cat designation, documented by Trend Micro in 2012 in connection with attacks against Indian military research, aerospace, shipping, and Tibetan activist networks. Infrastructure and email sender domains associated with ExileRAT campaigns targeting Tibetan entities in 2019 link that activity to the same cluster, establishing continuity across the Lucky Cat, ExileRAT, Sepulcher, FriarFox, and LOWZERO toolchains under the TA413 umbrella.

Recorded Future and other researchers assess that TA413 likely conducts cyber espionage on behalf of the Chinese state, based on its persistent and exclusive focus on Tibetan community surveillance, its use of custom capabilities shared across known Chinese state-sponsored groups, and observable infrastructure overlaps. The group is assessed to be a consumer of a shared capability development pipeline serving multiple Chinese state-sponsored actors — exemplified by its continued use of the Royal Road RTF weaponizer, its access to the Sophos Firewall zero-day CVE-2022-1040 (which at least three separate Chinese groups exploited before public disclosure), and its historical access to shared malware families such as TClient. There is also documented infrastructure overlap with Tropic Trooper (KeyBoy), though analysts note that these may represent shared pipelines rather than identical group membership.

What distinguishes TA413 from many peer APT groups is its operational persistence despite repeated exposure. Proofpoint noted that public disclosure of TA413's campaigns, tools, and infrastructure has not led to significant operational changes. The group has continued deploying the same sender Gmail accounts — including accounts that directly impersonate the Bureau of His Holiness the Dalai Lama in India — for years after those accounts were publicly named in threat intelligence reports. This either reflects a deliberate calculation that targets within the Tibetan diaspora will not act on technical disclosures, or an institutional tolerance for burned infrastructure that is unusual even among well-resourced APT groups.

Secondary targeting has emerged in periods of Chinese strategic interest — most notably a brief pivot in early 2020 to European diplomatic, legislative, and economic affairs organizations during the COVID-19 pandemic, using WHO-impersonation lures and the newly observed Sepulcher malware. This realignment was assessed to be a short-term intelligence collection priority before the group returned to its primary Tibetan surveillance mission.

Target Profile

TA413 maintains one of the narrowest and most consistent targeting profiles of any documented Chinese APT. Its primary mission is surveillance of the global Tibetan diaspora and associated civil society. Secondary targeting reflects Chinese state intelligence priorities at specific moments.

  • Tibetan diaspora communities: Individuals, activists, journalists, religious leaders, and community members connected to the global Tibetan diaspora are the core and enduring target. Spear-phishing lures are crafted to appear as trusted communications from within the community itself.
  • Tibetan government-in-exile: Organizations associated with the Central Tibetan Administration and institutions connected to the Dalai Lama are directly targeted, including through impersonation of the Bureau of His Holiness the Dalai Lama in India.
  • Tibetan civil society organizations: The Tibetan Women's Association, Tibetan National Congress, Tibet Times, and similar organizations are impersonated in spear-phishing delivery and directly targeted for access.
  • European diplomatic and legislative entities: Briefly targeted in March 2020 via COVID-19 themed lures delivering Sepulcher malware. Targets included non-profit policy research organizations and global bodies dealing with economic affairs. This targeting was assessed as a temporary realignment.
  • Indian military research and shipping (historical): The original Lucky Cat campaign documented by Trend Micro in 2012 targeted Indian military research and development, aerospace, engineering firms, and South Asian shipping organizations alongside Tibetan activist networks.

Tactics, Techniques & Procedures

Documented TTPs are based on Proofpoint research (2020, 2021), Recorded Future's 2022 technical analysis, and historical Trend Micro reporting on the Lucky Cat campaign.

MITRE ATT&CK mapping (technique ID and name, followed by how TA413 applies it):

  • T1566.001 Spear-phishing Attachment: Malicious RTF documents delivered via targeted spear-phishing emails to Tibetan organizations. The Royal Road RTF weaponizer exploits Microsoft Equation Editor flaws (CVE-2017-11882 and related) to drop payloads. PowerPoint (PPSX) attachments were used in the July 2020 Tibetan dissident campaign.
  • T1566.002 Spear-phishing Link: Phishing emails contain malicious URLs impersonating trusted domains — including YouTube impersonation (you-tube[.]tv) — that redirect victims to fake Adobe Flash Player update pages designed to deliver the FriarFox browser extension or other payloads.
  • T1036 Masquerading / Sender Impersonation: TA413 uses sender email addresses that impersonate the Bureau of His Holiness the Dalai Lama in India, the Tibetan Women's Association, and other Tibetan organizations. The same impersonation Gmail accounts have been reused for years after public exposure, demonstrating deliberate continuity despite disclosure.
  • T1176 Browser Extension (Malicious): FriarFox is a trojanized Firefox extension based on modified open-source Gmail Notifier code, disguised as an Adobe Flash component. It grants near-total Gmail access (read, delete, forward, archive, label, send) and full browser data access for all websites. It also retrieves the Scanbox reconnaissance framework from a C2 server.
  • T1189 Drive-by / Watering Hole: TA413 has leveraged watering hole attacks against Tibetan-themed websites, including a campaign that redirected users from tibet[.]net via the domain tibct[.]net to Scanbox delivery infrastructure. Victims arriving at compromised or spoofed Tibetan media domains are profiled and served payloads.
  • T1059.007 JavaScript Execution / Scanbox: Scanbox is a PHP and JavaScript-based fileless reconnaissance framework dating to 2014, shared across Chinese APT groups. TA413 deploys it via FriarFox and watering holes to track site visitors, perform keylogging, collect browser and system data, and profile targets for future intrusion attempts.
  • T1190 Exploit Public-Facing Application: In 2022, TA413 exploited CVE-2022-1040 (Sophos Firewall zero-day RCE) and CVE-2022-30190 (Microsoft Office Follina RCE) to deliver the LOWZERO backdoor. At least three Chinese state-sponsored groups exploited the Sophos zero-day, reflecting shared exploit pipeline access prior to public disclosure.
  • T1071.001 C2 over HTTP/S: Sepulcher and LOWZERO communicate with C2 infrastructure over standard web protocols. TA413 has used hosting providers including Forewin Telecom, Choopa/Vultr, and Linode for C2 infrastructure. Domain registrations exhibit a consistent pattern of using the registrant organization string "asfasf" (a keyboard walk of the left-hand home row keys) and GoDaddy as registrar.
  • T1083 File and Directory Discovery: ExileRAT, Sepulcher, and LOWZERO all include host reconnaissance capabilities. ExileRAT collects computer name, username, drive listing, network adapter information, and running processes. Sepulcher adds directory path enumeration and running service enumeration to the reconnaissance footprint.

Known Campaigns

Confirmed or highly attributed operations linked to TA413 / Lucky Cat, spanning over a decade of documented activity.

Lucky Cat — Indian Military & Tibetan Activist Targeting 2011–2012

Documented by Trend Micro in 2012, the Lucky Cat campaign targeted Indian military research and development, aerospace, engineering, and South Asian shipping organizations, alongside Tibetan activist networks. The campaign demonstrated a minimum-effort approach — simple malware delivered via spear-phishing attachments — achieving high effectiveness against targets with minimal technical defenses. Infrastructure and operator email addresses from this campaign are traced through subsequent TA413-attributed activity.

ExileRAT Tibetan Targeting 2019

A January 2019 campaign targeting Tibetan organizations delivered ExileRAT via malicious PowerPoint attachments. The same type of PPSX attachments and operator email addresses later appeared in the July 2020 Sepulcher campaign, providing linkage that Proofpoint used to attribute both to TA413. ExileRAT is a simple remote access trojan that collects system data, transfers files, and executes or terminates processes on compromised hosts.

Sepulcher — COVID-19 European Pivot & Tibetan Resumption March – July 2020

In March 2020, TA413 deployed a new malware family — Sepulcher — via WHO-impersonation phishing targeting European diplomatic, legislative, and economic affairs organizations, reflecting a short-term CCP intelligence priority around COVID-19's economic impact. By July 2020, the group had returned to Tibetan dissident targeting, delivering the same Sepulcher payload via a malicious PowerPoint named "TIBETANS BEING HIT BY DEADLY VIRUS THAT CARRIES A GUN AND SPEAKS CHINESE.ppsx," with the sender impersonating the Women's Association Tibetan. C2 traffic matched patterns from earlier ExileRAT operations, confirming the TA413 attribution.

FriarFox — Gmail Takeover via Malicious Browser Extension January – February 2021

In January 2021, TA413 spear-phished multiple Tibetan organizations using a sender account that had impersonated the Bureau of His Holiness the Dalai Lama for several years. The phishing email contained a URL impersonating YouTube (you-tube[.]tv) that redirected victims to a fake Adobe Flash Player update page. Victims using Firefox with an active Gmail session were silently served FriarFox, a trojanized browser extension granting near-total Gmail access and retrieval of the Scanbox framework. Proofpoint noted that the same Gmail impersonation account had been publicly documented in prior reporting and remained operational without change.

LOWZERO — Sophos Firewall Zero-Day & Follina Delivery 2022

In the first half of 2022, TA413 rapidly adopted two newly disclosed vulnerabilities to deliver a previously unknown custom backdoor tracked as LOWZERO. CVE-2022-1040 (Sophos Firewall zero-day RCE) was exploited before public patch availability — a vulnerability shared with at least two other Chinese state-sponsored groups. CVE-2022-30190 (Follina, Microsoft Office RCE) was weaponized shortly after its public disclosure in a spear-phishing email sent to a Tibetan target in late May 2022, with a Word attachment hosted on Google Firebase executing a PowerShell command to download LOWZERO. Recorded Future assessed that LOWZERO can retrieve additional modules from its C2 server based on attacker interest in the compromised host.

Tools & Malware

The TA413 toolchain spans over a decade and mixes custom malware, modified open-source tools, and shared Chinese APT capabilities.

  • LuckyCat (Android APK): Android-targeting malware associated with the original Lucky Cat campaign. Used to surveil mobile devices belonging to Tibetan activists and targets in India.
  • ExileRAT: A simple Windows remote access trojan used in 2019 Tibetan targeting. Collects computer name, username, drive listing, network adapter information, and running process names. Supports file get/push and process execution and termination. Delivered via PPSX attachments.
  • Royal Road RTF Weaponizer: A shared RTF document builder used across multiple Chinese state-sponsored groups to exploit Microsoft Equation Editor vulnerabilities. TA413 uses it as the primary delivery vehicle for Sepulcher and LOWZERO in spear-phishing campaigns.
  • Sepulcher: A custom remote access trojan first observed in March 2020. Supports host reconnaissance (drive info, directory paths, directory contents, running processes and services), reverse command shell, and file read/write. Delivered via Royal Road RTF weaponizer and PPSX attachments.
  • FriarFox: A malicious Firefox browser extension based on modified open-source Gmail Notifier code. Disguised as an Adobe Flash component. Grants attackers the ability to search, archive, read, delete, forward, label, mark as spam, and send email from the victim's Gmail account. Also accesses browser tabs, modifies Firefox privacy settings, and accesses user data for all websites. Contacts C2 to retrieve Scanbox.
  • Scanbox: A PHP and JavaScript-based fileless reconnaissance framework dating to 2014, shared across Chinese APT groups. Deployed via FriarFox and watering hole attacks. Tracks visitors to specific websites, performs keylogging, and collects user data for use in future intrusion attempts.
  • LOWZERO: A custom backdoor first observed in 2022. Delivered via both the Royal Road RTF weaponizer (exploiting Equation Editor flaws) and direct vulnerability exploitation (Follina, Sophos Firewall CVE-2022-1040). Can retrieve additional capability modules from its C2 server based on attacker interest in the compromised host.
  • TClient: A backdoor shared across Chinese state-sponsored groups. Infrastructure overlap between TClient activity and TA413 campaigns has been documented, supporting the assessment that TA413 accesses a shared capability pipeline. A URI string (/qqqzqa) was observed in both TA413 and Tropic Trooper-attributed activity.

Indicators of Compromise

Select publicly disclosed IOCs from Proofpoint and Recorded Future reporting. Verify currency — some of these indicators have been active across multiple years, which is itself anomalous.

Warning: TA413 has demonstrated unusual persistence with burned infrastructure. Some indicators below have remained active long after public disclosure. Cross-reference with live threat intel feeds before operational use.

indicators of compromise — ta413 / lucky cat

  • domain (spoof): you-tube[.]tv — YouTube impersonation used in FriarFox delivery (January 2021)
  • domain (spoof): tibct[.]net — spoofed Tibet.net used in Scanbox watering hole delivery
  • domain (c2): dalailamatrustindia.ddns[.]net — Sepulcher C2 domain (July 2020 campaign)
  • ip (c2): 118.99.13[.]4 — Sepulcher C2 IP, port 1234; URI /qqqzqa also observed in Tropic Trooper activity
  • cve (Sophos RCE): CVE-2022-1040 — Sophos Firewall authentication bypass + RCE, CVSS 9.8, zero-day exploited before patch
  • cve (Office RCE): CVE-2022-30190 — Microsoft Office Follina, MSDT remote code execution, CVSS 7.8
  • registrar pattern: registrant organization "asfasf" (left-hand home row keyboard walk) + GoDaddy registrar — consistent TA413 infrastructure registration pattern
  • hosting pattern: Forewin Telecom (IP 118.99.13[.]68), Choopa/Vultr, Linode — commonly used TA413 hosting providers
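The indicators above are published defanged (the `[.]` convention), so they cannot be grepped against DNS, proxy or firewall logs as written. The script below is an added example, not code from the profile or from any of the cited vendors: it refangs the published indicators, extracts hostnames and IPv4 addresses from each log line, and reports a hit on an exact domain match, a subdomain of a listed domain, or a listed IP. The log lines and the shortened descriptions are constructed for the demonstration; the indicator values themselves are the ones listed above.

```python
import re

# Indicators copied from the IOC list above, kept in their published defanged
# form. Descriptions are shortened; this is a constructed lookup, not a feed.
IOCS = {
    "you-tube[.]tv": "spoof domain, FriarFox delivery (Jan 2021)",
    "tibct[.]net": "spoof domain, Scanbox watering hole",
    "dalailamatrustindia.ddns[.]net": "Sepulcher C2 domain (Jul 2020)",
    "118.99.13[.]4": "Sepulcher C2 IP, port 1234",
    "118.99.13[.]68": "Forewin Telecom hosting IP",
}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def refang(indicator: str) -> str:
    """Reverse the usual defanging conventions ([.] and hxxp) so the
    indicator can be compared against real log content."""
    s = indicator.strip().lower()
    for bracketed in ("[.]", "(.)", "{.}"):
        s = s.replace(bracketed, ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)


def extract_observables(line: str):
    """Pull candidate hostnames and IPv4 addresses out of one log line."""
    low = line.lower()
    return set(HOST_RE.findall(low)), set(IP_RE.findall(low))


def matching_domain(host: str, ioc_domains):
    """Exact or subdomain match: cdn.you-tube.tv should hit you-tube.tv."""
    for dom in ioc_domains:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def scan_lines(lines, iocs=IOCS):
    """Return (line_number, published_indicator, description) for every hit."""
    refanged = {refang(k): k for k in iocs}          # real form -> published form
    ioc_domains = [i for i in refanged if not IP_RE.fullmatch(i)]
    ioc_ips = {i for i in refanged if IP_RE.fullmatch(i)}
    hits = []
    for number, line in enumerate(lines, 1):
        hosts, ips = extract_observables(line)
        for host in sorted(hosts):
            dom = matching_domain(host, ioc_domains)
            if dom:
                hits.append((number, refanged[dom], iocs[refanged[dom]]))
        for ip in sorted(ips):
            if ip in ioc_ips:
                hits.append((number, refanged[ip], iocs[refanged[ip]]))
    return hits


# Constructed sample log lines (DNS, proxy and firewall) for the demonstration.
# Note that the legitimate tibet.net is present and must not match tibct.net.
SAMPLE_LOG = [
    "2025-03-27T08:01:12Z dns client=10.0.0.15 query=www.google.com type=A",
    "2025-03-27T08:02:40Z dns client=10.0.0.15 query=cdn.you-tube.tv type=A",
    "2025-03-27T08:03:05Z proxy client=10.0.0.15 url=http://tibet.net/news status=200",
    "2025-03-27T08:03:06Z proxy client=10.0.0.15 url=http://tibct.net/t.js status=200",
    "2025-03-27T08:05:51Z fw client=10.0.0.21 dst=118.99.13.4:1234 proto=tcp action=allow",
]

if __name__ == "__main__":
    for number, ioc, what in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {ioc} -> {what}")
```

The subdomain rule matters for the spoof domains: a lure URL will usually sit under a subdomain or path of you-tube[.]tv rather than on the bare domain. The typosquat tibct[.]net is deliberately checked against traffic to the real tibet.net in the sample so that the matcher is seen not to overmatch.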
Note: The registrant organization "asfasf" pattern and consistent GoDaddy registrar use provide a relatively durable infrastructure fingerprint for hunting TA413-registered domains in passive DNS and WHOIS datasets, even when individual domains are rotated.
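As an added example of the hunt the note describes (not the profile's own tooling, nor any vendor's), the script below grades simplified WHOIS records on the two documented signals: registrant organization exactly "asfasf" and registrar GoDaddy. It goes one step beyond the published pattern, as an assumption of mine rather than something in the reporting: any registrant string typed entirely with the left-hand home-row keys (the set `asdfg`) is treated as a weaker version of the same signal, because "asfasf" is itself such a keyboard walk. GoDaddy alone is never scored, since it is far too common a registrar to act on. The record shape (`domain`, `registrar`, `registrant_org`, `created`) and all sample domains are constructed.

```python
LEFT_HAND_HOME_ROW = set("asdfg")


def is_left_home_row_string(value: str) -> bool:
    """Generalised heuristic (my assumption, not from the reporting): a
    registrant string typed only with the left-hand home-row keys, like the
    documented 'asfasf', is a throwaway value worth a second look."""
    text = value.strip().lower()
    return len(text) >= 4 and set(text) <= LEFT_HAND_HOME_ROW


def score_record(rec: dict):
    """Grade one simplified WHOIS/RDAP record as 'high', 'medium' or 'none'."""
    org = (rec.get("registrant_org") or "").strip().lower()
    registrar = (rec.get("registrar") or "").lower()
    reasons = []
    exact = org == "asfasf"
    walk = not exact and is_left_home_row_string(org)
    godaddy = "godaddy" in registrar
    if exact:
        reasons.append("registrant org is exactly 'asfasf' (documented TA413 pattern)")
    elif walk:
        reasons.append(f"registrant org '{org}' is a left-hand home-row string (heuristic)")
    if godaddy:
        reasons.append("registrar GoDaddy (documented TA413 pattern)")
    # GoDaddy on its own is far too common to act on; the org string carries the signal.
    if exact and godaddy:
        return "high", reasons
    if exact or (walk and godaddy):
        return "medium", reasons
    return "none", reasons


def hunt(records):
    """Return (domain, level, reasons) for every record scoring above 'none'."""
    out = []
    for rec in records:
        level, reasons = score_record(rec)
        if level != "none":
            out.append((rec["domain"], level, reasons))
    return out


# Constructed sample records in a simplified WHOIS shape; the domains are
# fictional and none of these values comes from the reporting.
SAMPLE_WHOIS = [
    {"domain": "tibetan-news-update.example", "registrar": "GoDaddy.com, LLC",
     "registrant_org": "asfasf", "created": "2025-02-11"},
    {"domain": "tibet-media-portal.example", "registrar": "GoDaddy.com, LLC",
     "registrant_org": "asdfasdf", "created": "2025-02-12"},
    {"domain": "charity-real.example", "registrar": "GoDaddy.com, LLC",
     "registrant_org": "Charity Real Inc", "created": "2019-06-01"},
    {"domain": "other-host.example", "registrar": "Namecheap, Inc.",
     "registrant_org": "asfasf", "created": "2025-03-01"},
    {"domain": "walk-only.example", "registrar": "Namecheap, Inc.",
     "registrant_org": "sdfg", "created": "2025-03-02"},
]

if __name__ == "__main__":
    for domain, level, reasons in hunt(SAMPLE_WHOIS):
        print(f"{level:6} {domain}: {'; '.join(reasons)}")
```

Run against a bulk newly-registered-domain feed or a passive DNS export, the "high" tier is the one worth an analyst's time; the "medium" tier is a queue for enrichment (hosting provider, name server, creation date clustering) rather than an alert on its own.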

Mitigation & Defense

Recommended controls for organizations and individuals in TA413's target profile, with particular attention to the unique threat model facing diaspora communities and NGOs.

  • Train on sender impersonation — specifically named institutions: TA413 does not use generic phishing lures. It impersonates specific, trusted institutions by name — the Bureau of His Holiness the Dalai Lama, the Tibetan Women's Association — that targets already trust. Community-specific awareness training that names these impersonation patterns is more effective than generic phishing education.
  • Audit and restrict browser extensions: FriarFox was delivered as a browser extension disguised as an Adobe Flash update. Organizations and high-risk individuals should enforce allowlists for browser extensions, disable extension installation from non-official stores, and audit extensions currently installed on devices used for organizational communications.
  • Switch from Firefox/Gmail to hardened alternatives for sensitive communications: FriarFox specifically targeted Firefox users logged into Gmail. High-risk individuals within the Tibetan community should consider using security-hardened browsers, hardware security keys for Gmail accounts, and evaluating end-to-end encrypted email alternatives for sensitive communications.
  • Patch Sophos and Microsoft Office immediately: CVE-2022-1040 (Sophos Firewall) and CVE-2022-30190 (Follina) were rapidly weaponized by TA413. Organizations using Sophos products and Microsoft Office should ensure patch currency and apply vendor mitigations for future Equation Editor and MSDT vulnerabilities promptly.
  • Block Royal Road RTF artifacts at the email gateway: Royal Road weaponized RTF documents have a detectable file structure. Email gateways and endpoint detection tools should maintain detection rules for Royal Road RTF artifacts, which have been in continuous use by TA413 and peer Chinese APT groups since at least 2020.
  • Hunt for "asfasf" registrant pattern in DNS: The consistent TA413 infrastructure registration pattern — registrant organization "asfasf," GoDaddy registrar — can be used to hunt for newly registered TA413 infrastructure in passive DNS and WHOIS monitoring, providing early warning of new campaign infrastructure before active use.
  • Apply Citizen Lab and Proofpoint disclosure feeds: The Citizen Lab has extensively documented Chinese state surveillance of the Tibetan community. Organizations serving diaspora communities should subscribe to and act on Citizen Lab, Proofpoint, and Recorded Future disclosures, as these provide the most timely and operationally relevant intelligence for this specific threat.
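The browser extension audit in the list above can be scripted. The following is an added example, not the profile's or Mozilla's code: it reads a Firefox profile's extensions.json, skips themes and the add-ons shipped inside the browser, and reports every remaining extension that is off the organisation's allowlist, was not installed from addons.mozilla.org, is not signed, is sideloaded from outside the profile, presents itself as an Adobe/Flash component (the FriarFox disguise), or, when not allowlisted, requests host access to Gmail or all sites. The field names (`addons`, `type`, `location`, `sourceURI`, `signedState`, `defaultLocale.name`, `userPermissions.origins`) and the meaning of `signedState` (0 unsigned, 2 signed, 3 system, 4 privileged) are my reading of the format and may differ between Firefox versions; the allowlist, the sample file and the `flash-update@example.invalid` add-on are constructed, and the uBlock Origin download path is a placeholder.

```python
import json

# Constructed allowlist of approved add-on IDs. The uBlock Origin id is its real
# AMO id; the second entry is a placeholder for an organisation-approved tool.
ALLOWLIST = {"uBlock0@raymondhill.net", "approved-tool@example.org"}
AMO_PREFIX = "https://addons.mozilla.org/"
# signedState as used by Firefox's AddonManager, to my reading of the format:
# 0 = unsigned, 2 = signed, 3 = system add-on, 4 = privileged.
ACCEPTABLE_SIGNED_STATES = {2, 3, 4}


def audit_extensions(extensions_json_text: str, allowlist=ALLOWLIST):
    """Parse a profile's extensions.json and return (id, name, reasons) for
    every user-facing extension that fails at least one check."""
    data = json.loads(extensions_json_text)
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue                                  # themes, dictionaries, langpacks
        location = addon.get("location", "")
        if location.startswith(("app-system", "app-builtin")):
            continue                                  # shipped inside the browser
        aid = addon.get("id", "<no id>")
        name = (addon.get("defaultLocale") or {}).get("name") or aid
        reasons = []
        allowlisted = aid in allowlist
        if not allowlisted:
            reasons.append("not on the organisation allowlist")
        if location != "app-profile":
            reasons.append(f"sideloaded from location '{location}'")
        source = addon.get("sourceURI") or ""
        if not source.startswith(AMO_PREFIX):
            reasons.append(f"installed from non-AMO source '{source or 'unknown'}'")
        if addon.get("signedState") not in ACCEPTABLE_SIGNED_STATES:
            reasons.append(f"signedState {addon.get('signedState')} (not a signed add-on)")
        lowered = name.lower()
        if "flash" in lowered or "adobe" in lowered:
            reasons.append("name claims to be an Adobe/Flash component, which is never delivered as a Firefox extension")
        origins = (addon.get("userPermissions") or {}).get("origins") or []
        broad = [o for o in origins if o in ("<all_urls>", "*://*/*") or "mail.google.com" in o]
        if not allowlisted and broad:
            reasons.append(f"host permissions cover Gmail or all sites: {broad}")
        if reasons:
            findings.append((aid, name, reasons))
    return findings


# Constructed sample extensions.json: one approved extension, one that mimics
# the FriarFox delivery story, a built-in theme and a system add-on.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 36,
    "addons": [
        {"id": "uBlock0@raymondhill.net", "type": "extension", "location": "app-profile",
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/PLACEHOLDER/ublock_origin.xpi",
         "signedState": 2, "active": True, "userDisabled": False,
         "defaultLocale": {"name": "uBlock Origin"},
         "userPermissions": {"permissions": ["tabs"], "origins": ["<all_urls>"]}},
        {"id": "flash-update@example.invalid", "type": "extension", "location": "app-profile",
         "sourceURI": "https://flash-update.example/flash.xpi",
         "signedState": 0, "active": True, "userDisabled": False,
         "defaultLocale": {"name": "Adobe Flash Player Update"},
         "userPermissions": {"permissions": ["tabs", "cookies"], "origins": ["*://mail.google.com/*"]}},
        {"id": "default-theme@mozilla.org", "type": "theme", "location": "app-builtin", "signedState": 4},
        {"id": "formautofill@mozilla.org", "type": "extension", "location": "app-system-defaults", "signedState": 3},
    ],
})

if __name__ == "__main__":
    for aid, name, reasons in audit_extensions(SAMPLE_EXTENSIONS_JSON):
        print(f"{name} ({aid})")
        for reason in reasons:
            print(f"  - {reason}")
```

Allowlisted extensions are not reported for broad host permissions, since a content blocker legitimately needs them; the permission check exists to surface an unknown extension that asks for Gmail, which is exactly the access FriarFox abused. On a managed fleet the same checks belong in enterprise policy (an extension allowlist enforced by the browser) rather than in an after-the-fact audit, and the audit then becomes a way to verify the policy is applied.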

Frequently Asked Questions

What is TA413 / Lucky Cat?

TA413 (also known as Lucky Cat) is a Chinese state-aligned advanced persistent threat group whose primary mission is the surveillance of the global Tibetan diaspora. Active for over a decade, the group delivers spyware through spear-phishing emails impersonating the Bureau of His Holiness the Dalai Lama, the Tibetan Women's Association, and other trusted Tibetan civil society organizations. It was first formally tracked by Proofpoint in September 2020 and is historically linked to the Lucky Cat campaign documented by Trend Micro in 2012.

What is FriarFox?

FriarFox is a malicious Mozilla Firefox browser extension deployed by TA413 in early 2021. Disguised as an Adobe Flash Player update, it is based on modified code from the open-source Gmail Notifier extension. Once installed, it grants attackers near-total access to a victim's Gmail account — including reading, deleting, forwarding, archiving, labeling, and sending email — as well as access to browser tab data and privacy settings for all websites. It also contacts a command-and-control server to retrieve the Scanbox reconnaissance framework.

What is the Sepulcher malware?

Sepulcher is a custom remote access trojan unique to TA413, first observed in 2020. Delivered via the Royal Road RTF weaponizer, it provides host reconnaissance (drives, directories, running processes and services), a reverse command shell, and file read/write capabilities. It was used against both Tibetan dissident communities and, briefly, European diplomatic entities during the COVID-19 pandemic.

Why does TA413 keep using burned infrastructure?

Proofpoint analysts observed that unlike many APT groups, public disclosure of TA413's campaigns, tools, and infrastructure has not led to significant operational changes. The group continued deploying the same sender Gmail accounts that impersonate the Dalai Lama's office for years after those accounts were publicly named in threat intelligence reports. This likely reflects a calculated assessment that the group's target population — diaspora communities and NGOs with limited technical security resources — will not act on technical disclosures in ways that disrupt operations.

What CVEs has TA413 exploited?

TA413 has exploited CVE-2022-1040 (Sophos Firewall zero-day RCE, exploited before patch availability), CVE-2022-30190 (Microsoft Office Follina RCE, weaponized shortly after public disclosure), and flaws in Microsoft Equation Editor via the Royal Road RTF weaponizer. The group's rapid adoption of newly disclosed and zero-day vulnerabilities is consistent with access to a shared Chinese state-sponsored exploit pipeline, with CVE-2022-1040 observed in use by at least three separate Chinese groups before it was publicly patched.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile