
Several sectors in China, Hong Kong and Pakistan are being targeted by a threat activity cluster tracked as UNG0002 (aka Unknown Group 0002) as part of a broader cyber espionage campaign.
"This threat entity shows a strong preference for using shortcut files (LNK), VBScript, and post-exploitation tools such as Cobalt Strike and Metasploit, and consistently deploys CV-themed decoy documents to lure victims."
The activity encompasses two major campaigns: Operation Cobalt Whisper, which took place between May and September 2024, and Operation AmberMist, which ran between January and May 2025.

The campaigns have targeted the defense, electrical engineering, energy, civil aviation, academia, healthcare, cybersecurity, gaming and software development sectors.
Operation Cobalt Whisper, first documented by Seqrite Labs in late October 2024, relied on ZIP archives distributed through spear-phishing attacks to deliver the Cobalt Strike Beacon post-exploitation framework, using LNK files and Visual Basic scripts as intermediate payloads.
"The scope and complexity of the campaign, coupled with customized lures, strongly suggests targeted efforts by the APT group to compromise sensitive research and intellectual property in these industries," the company said at the time.

The AmberMist attack chain has been found to use spear-phishing emails as a starting point to deliver CV-themed LNK files, which kick off a multi-stage infection process that culminates in the deployment of INET RAT and the Blister DLL loader.
An alternative attack sequence detected in January 2025 redirects email recipients to fake landing pages impersonating the website of Pakistan's Ministry of Maritime Affairs (MoMA).

Launched via DLL side-loading, Shadow RAT establishes contact with a remote server and waits for further commands. INET RAT is assessed to be a modified version of Shadow RAT, while the Blister DLL implant acts as a shellcode loader that ultimately paves the way for a reverse shell-based implant.
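The LNK-to-script-host chain described above lends itself to a simple attachment triage check. The following Python is an added example, not code from the report or from Seqrite Labs: it parses the Shell Link header and StringData (per the MS-SHLLINK layout), skips the LinkTargetIDList and LinkInfo blocks, and flags shortcuts inside a ZIP that combine a document-style double extension, a script-host target, a borrowed document-viewer icon and a minimised launch window. The archive contents, file names, paths and arguments are all constructed for the example and are not indicators from the campaigns.

```python
"""Triage ZIP attachments for CV-themed LNK lures (constructed example)."""
import io
import re
import struct
import zipfile

# Shell Link header constants (MS-SHLLINK section 2.1)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO = 0x01, 0x02
HAS_NAME, HAS_RELPATH, HAS_WORKDIR = 0x04, 0x08, 0x10
HAS_ARGS, HAS_ICON, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # launch minimised: hides the console of a script host

SCRIPT_HOSTS = re.compile(
    r"(wscript|cscript|mshta|powershell|pwsh|cmd|rundll32|regsvr32)(\.exe)?\b"
    r"|\.vbs\b|\.js\b|\.hta\b", re.I)
DOC_ICON = re.compile(r"winword|excel|powerpnt|acrord32|acrobat|\.(docx?|pdf|xlsx?)$", re.I)
DOC_DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|rtf|txt)\.lnk$", re.I)


def parse_lnk(data: bytes) -> dict:
    """Parse the fixed 76-byte header and the StringData section of a .lnk file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    pos = 0x4C
    if flags & HAS_IDLIST:    # LinkTargetIDList: u16 size followed by that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: u32 total size that includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    order = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
             (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))
    for bit, key in order:  # StringData entries appear in this fixed order when their flag is set
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            strings[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += width * count
    return {"flags": flags, "show_command": show_cmd, **strings}


def lure_indicators(filename: str, lnk: dict) -> list[str]:
    """Heuristics that, in combination, characterise a document-themed LNK lure."""
    hits = []
    if DOC_DOUBLE_EXT.search(filename):
        hits.append("document double extension")
    target = " ".join(lnk.get(k, "") for k in ("relative_path", "arguments"))
    if SCRIPT_HOSTS.search(target):
        hits.append("launches script host / LOLBin")
    if DOC_ICON.search(lnk.get("icon_location", "")):
        hits.append("borrows document-viewer icon")
    if lnk["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("window hidden (SW_SHOWMINNOACTIVE)")
    return hits


def triage_archive(zip_bytes: bytes) -> dict[str, list[str]]:
    """Return {entry name: indicators} for every LNK in the archive with two or more hits."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            if not data.startswith(b"\x4c\x00\x00\x00" + LNK_CLSID):
                continue  # sniff the header; never trust the extension alone
            hits = lure_indicators(info.filename, parse_lnk(data))
            if len(hits) >= 2:
                findings[info.filename] = hits
    return findings


def build_lnk(relative_path: str, arguments: str = None, icon: str = None, show_command: int = 1) -> bytes:
    """Build a minimal Unicode LNK holding only StringData (no IDList/LinkInfo). Constructed for the example."""
    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    flags, body = HAS_RELPATH | IS_UNICODE, s(relative_path)
    if arguments is not None:
        flags, body = flags | HAS_ARGS, body + s(arguments)
    if icon is not None:
        flags, body = flags | HAS_ICON, body + s(icon)
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0) + b"\0" * 24  # three FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)        # FileSize..Reserved3
    return header + body


def sample_archive() -> bytes:
    """Constructed ZIP: one lure-style shortcut, one ordinary shortcut, one non-LNK file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Resume_Candidate.pdf.lnk", build_lnk(
            r"..\..\..\Windows\System32\wscript.exe",
            arguments=r'//B //E:VBScript "%TEMP%\resume.vbs"',   # hypothetical argument string
            icon=r"%ProgramFiles%\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
            show_command=SW_SHOWMINNOACTIVE))
        zf.writestr("Notes.lnk", build_lnk(r"..\..\..\Windows\System32\notepad.exe", arguments="notes.txt"))
        zf.writestr("Cover_Letter.docx", b"placeholder bytes, not a shell link")
    return buf.getvalue()


if __name__ == "__main__":
    for name, hits in triage_archive(sample_archive()).items():
        print(f"{name}: {', '.join(hits)}")
```

Scoring on a combination of indicators rather than any single one keeps ordinary shortcuts quiet: a minimised window or a `cmd.exe` target on its own is common in legitimate installers, but a `.pdf.lnk` that hides its window, points at a script host and borrows a reader icon has no benign explanation. Real-world shortcuts almost always carry a LinkTargetIDList, so the parser skips that block rather than assuming the StringData starts right after the header.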
The exact origin of the threat actor remains unknown, but evidence indicates that it is a group focused on espionage in Southeast Asia.
"UNG0002 represents a sophisticated and enduring threat entity in South Asia that has maintained consistent operations across multiple Asian jurisdictions since at least May 2024," Singha said. "This group continues to evolve its toolset, demonstrating its high adaptability and technical capabilities while maintaining consistent tactics, techniques and procedures."