Intel Name: MOONSHINE exploit kit and DarkNimbus backdoor enabling Earth Minotaur's multi-platform attacks
Date of Scan: December 6, 2024
Impact: High
Summary: Since 2019, we have been monitoring the activity of the MOONSHINE exploit kit. During our research, we uncovered a server with poor operational security, exposing its toolkits, operation logs, potential victim data, and the tactics of the threat actor Earth Minotaur. Initially targeting the Tibetan and Uyghur communities, MOONSHINE exploits vulnerabilities in Android instant messaging apps to implant backdoors. By 2024, at least 55 MOONSHINE exploit kit servers were identified, featuring updated vulnerabilities and enhanced protection against analysis, and it remains actively used by threat actors.