{"id":12279,"date":"2018-09-10T13:24:00","date_gmt":"2018-09-10T13:24:00","guid":{"rendered":"http:\/\/8d8d6c84-31d5-4f55-9da6-c717bb56dd2d"},"modified":"2018-09-10T13:24:00","modified_gmt":"2018-09-10T13:24:00","slug":"luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities\/","title":{"rendered":"LuckyMouse uses malicious NDISProxy Windows driver to target gov&#8217;t entities"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/zdnet3.cbsistatic.com\/hub\/i\/r\/2018\/09\/10\/64165b94-aec8-4515-a962-cb0d6f518c58\/thumbnail\/770x578\/751059e02c54c08f01ad2f04bc02db0b\/screen-shot-2018-09-10-at-12-50-53.png\" class=\"ff-og-image-inserted\"\/><\/div>\n<p>The LuckyMouse advanced persistent threat (APT) is back with a twist in tactics that harnesses LeagSoft certificates to spread Trojans by way of malicious NDISProxy drivers.<\/p>\n<p><a href=\"https:\/\/www.zdnet.com\/article\/luckymouse-campaign-strikes-national-data-center-to-snag-government-targets\/\">It was back in June<\/a> that researchers discovered that LuckyMouse, also known as EmissaryPanda and APT27, had targeted a national data center containing Asian government resources.<\/p>\n<p>In this previous campaign, LuckyMouse used malicious documents embedded with macros which exploited a widely known Microsoft Word vulnerability. 
The Chinese-speaking threat group chose the center in order to steal a &#8220;wide range of government resources at one fell swoop.&#8221;<\/p>\n<p>However, in a fresh twist, the APT is back, this time using seemingly legitimate security certificates issued by VeriSign to Chinese security software developer LeagSoft.<\/p>\n<p>Kaspersky researchers <a href=\"https:\/\/securelist.com\/luckymouse-ndisproxy-driver\/87914\/\" target=\"_blank\" rel=\"noopener noreferrer\">said on Monday<\/a> that LuckyMouse has harnessed the certificates belonging to the Shenzhen, Guangdong-based firm since March 2018. It appears they have been stolen.<\/p>\n<p>By utilizing these certificates, the threat actors have launched a new campaign which aims to exploit the Windows network filtering driver NDISProxy, in both 32- and 64-bit versions, depending on the target machine.<\/p>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-hardware\/drivers\/network\/ndproxy-overview\" target=\"_blank\" rel=\"noopener noreferrer\">NDISProxy<\/a>, also known as Ndproxy.sys, is legitimate driver software which brings together NDISWAN and CoNDIS WAN drivers with TAPI services.<\/p>\n<p>By compromising this Windows component through a malicious NDISProxy tool signed with a legitimate certificate, the attackers can use the driver to infect lsass.exe system process memory.<\/p>\n<p>The Trojan payload, which was previously unrecorded, consists of three main modules. The first is a custom C++ installer which creates a Windows autorun service for Trojan persistence. 
In addition, the module is able to drop the encrypted Trojan into the system registry.<\/p>\n<p>Rather than relying on Windows executable file loaders, the NDISProxy driver decrypts the remote access Trojan (RAT) from the system registry and injects it into lsass.exe process memory using shellcode.<\/p>\n<p>The second module filters port 3389 traffic to hide the Trojan&#8217;s malicious network activity within it. This step ensures the malware is able to communicate with its command-and-control (C2) server without detection.<\/p>\n<p>The final module is a custom C++ Trojan which acts as an HTTPS server and platform for C2 communications.<\/p>\n<p>&#8220;These modules allow attackers to silently move laterally in the infected infrastructure, but don&#8217;t allow them to communicate with an external C2 if the new infected host only has a LAN IP,&#8221; the researchers say. &#8220;Because of this, the operators used an Earthworm SOCKS tunneler in order to connect the LAN of the infected host to the external C2.&#8221;<\/p>\n<p>The Trojans will listen in and install keyloggers in order to harvest administrator credentials. 
If successful, the Scanline network scanner is also used in order to spread the malware via file sharing across a corporate network.<\/p>\n<p>The Trojan can perform many of the tasks typical of this malware family, including command execution and keylogging, as well as downloading and uploading files.<\/p>\n<p>LuckyMouse&#8217;s NDISProxy tool also makes use of a variety of other third-party components and open-source code, such as the <a href=\"https:\/\/github.com\/DarthTon\/Blackbone\" target=\"_blank\" rel=\"noopener noreferrer\">Blackbone<\/a> Windows hacking library hosted on GitHub.<\/p>\n<p>The researchers say that no phishing campaigns have been detected which use the Trojan dropper. 
Instead, it is currently believed that the malware is spreading only in networks which are already compromised in some way.<\/p>\n<p>The latest LuckyMouse attacks have focused on government entities in the middle of Asia and took place at the same time as a &#8220;high-level meeting,&#8221; although it has not been disclosed exactly what political situation was at hand.<\/p>\n<p>While attribution is difficult, Kaspersky researchers believe that politics, in some manner, is at the heart of the campaign.<\/p>\n<p>&#8220;This campaign appears to demonstrate once again LuckyMouse&#8217;s interest in Central Asia and the political agenda surrounding the Shanghai Cooperation Organization,&#8221; the firm says.<\/p>\n<p>The Shanghai Cooperation Organization (SCO) is a pact made up of countries including China, Russia, and European entities to discuss global political, economic, and security issues.<\/p>\n<p>Kaspersky has made LeagSoft aware of the issue via CN-CERT. ZDNet has also attempted to contact the company and Verisign and will update if we hear back.<\/p>\n<p>READ MORE <a href=\"https:\/\/www.zdnet.com\/article\/luckymouse-targets-govt-entities-through-malicious-ndisproxy-driver\/#ftag=RSSbaffb68\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The hacking group is covertly infecting Windows machines with Trojans by way of stolen certificates belonging to a Chinese security company.<br \/>\nREAD MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":12280,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[62],"tags":[],"class_list":["post-12279","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-zdnet-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - 
https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>LuckyMouse uses malicious NDISProxy Windows driver to target gov&#039;t entities 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"LuckyMouse uses malicious NDISProxy Windows driver to target gov&#039;t entities 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2018-09-10T13:24:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2018\/09\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities.png\" \/>\n\t<meta property=\"og:image:width\" content=\"770\" \/>\n\t<meta property=\"og:image:height\" content=\"578\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"LuckyMouse uses malicious NDISProxy Windows driver to target gov&#8217;t entities\",\"datePublished\":\"2018-09-10T13:24:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities\/\"},\"wordCount\":729,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2018\/09\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities.png\",\"articleSection\":[\"ZDNet | Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities\/\",\"name\":\"LuckyMouse uses malicious NDISProxy Windows driver to target gov't entities 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2018\/09\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities.png\",\"datePublished\":\"2018-09-10T13:24:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities\/#primaryimage\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2018\/09\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities.png\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2018\/09\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities.png\",\"width\":770,\"height\":578},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/luckymouse-uses-malicious-ndisproxy-windows-driver-to-target-govt-entities\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.threatshub.org\/blog\/\"},{\"@type\":\"ListItem\",\"posi
tion\":2,\"name\":\"LuckyMouse uses malicious NDISProxy Windows driver to target gov&#8217;t entities\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"
image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/12279","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=12279"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/12279\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/12280"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=12279"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=12279"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=12279"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}