UNG0002 Actors Deploy Weaponized LNK Files Using ClickFix Fake CAPTCHA Verification Pages
A sophisticated espionage campaign targeting multiple Asian jurisdictions has emerged, utilizing weaponized shortcut files and deceptive social engineering techniques to infiltrate high-value targets across China, Hong Kong, and Pakistan.
The threat actor, designated UNG0002 (Unknown Group 0002), has demonstrated remarkable persistence and technical evolution throughout two major operational phases spanning from May 2024 to the present.
The malicious campaign employs a multi-stage infection chain beginning with weaponized LNK files embedded within CV-themed decoy documents, progressing through VBScript execution, batch processing, and culminating in PowerShell-based payload deployment.
This sophisticated approach allows the threat actors to bypass traditional security measures while maintaining a low detection profile throughout the infection process.
Seqrite analysts identified that UNG0002 has significantly evolved their tactics during Operation AmberMist, their most recent campaign running from January 2025 to May 2025.
The threat group has expanded their targeting beyond traditional defense and civil aviation sectors to include gaming companies, software development firms, and academic institutions, indicating a broader intelligence collection mandate.
The campaign’s most notable innovation involves the abuse of the ClickFix technique, a social engineering method that presents victims with fake CAPTCHA verification pages designed to trick them into executing malicious PowerShell scripts.
Security researchers have observed instances where the threat actors specifically spoofed Pakistan’s Ministry of Maritime Affairs website to enhance the legitimacy of their deceptive pages.
Advanced Infection Mechanism and Persistence Tactics
The infection mechanism demonstrates remarkable sophistication through its multi-layered approach to system compromise.
The attack begins when victims receive CV-themed ZIP archives containing malicious LNK files disguised as legitimate PDF documents. Upon execution, these shortcut files initiate a complex chain involving VBScript interpretation, batch script processing, and PowerShell execution.
Technical analysis reveals that UNG0002 employs DLL sideloading techniques, particularly targeting legitimate Windows applications such as Rasphone.exe and Node-Webkit binaries.
The malware leverages these trusted processes to execute malicious payloads while evading detection mechanisms.
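A defender-side check for the two behaviours described in this section, the explorer -> script host -> cmd -> PowerShell chain started by the LNK and a DLL loaded into rasphone.exe from outside the Windows directory. This is an added example written for this page, not Seqrite's or the article's code; the telemetry is constructed, Sysmon-style process-creation and image-load records, and the field names are assumptions.

```python
import os

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TRUSTED_DIR = r"c:\windows"  # DLLs rasphone.exe loads should live under here

# Constructed sample telemetry (assumed schema: type, pid, ppid, image, loaded).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    # CV.pdf.lnk double-clicked: VBScript -> batch -> PowerShell
    {"type": "process", "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "process", "pid": 102, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "pid": 103, "ppid": 102, "image": PS},
    # rasphone.exe copied to a user-writable folder and fed a DLL from the same place
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Users\victim\AppData\Local\Temp\rasphone.exe"},
    {"type": "imageload", "pid": 200, "image": r"C:\Users\victim\AppData\Local\Temp\rasphone.exe",
     "loaded": r"C:\Users\victim\AppData\Local\Temp\placeholder.dll"},
    # Benign: an admin opens PowerShell from the desktop (must not be flagged)
    {"type": "process", "pid": 300, "ppid": 100, "image": PS},
]

def _base(path):
    """Lower-case file name of a Windows path, portable across hosts."""
    return os.path.basename(path.replace("\\", "/")).lower()

def ancestry(events, pid):
    """Image names from pid up to the root, e.g. powershell <- cmd <- wscript <- explorer."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in by_pid:
        chain.append(_base(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain

def detect(events):
    """Return (rule, pid, detail) tuples for the LNK chain and the sideload pattern."""
    findings = []
    for e in events:
        if e["type"] == "process" and _base(e["image"]) == "powershell.exe":
            chain = ancestry(events, e["pid"])
            if (len(chain) >= 4 and chain[1] == "cmd.exe"
                    and chain[2] in SCRIPT_HOSTS and chain[3] == "explorer.exe"):
                findings.append(("lnk_chain", e["pid"], " <- ".join(chain)))
        elif e["type"] == "imageload" and _base(e["image"]) == "rasphone.exe":
            if not e["loaded"].lower().startswith(TRUSTED_DIR):
                findings.append(("sideload", e["pid"], e["loaded"]))
    return findings

if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule}\tpid={pid}\t{detail}")
```

On real hosts the same logic maps onto Sysmon Event ID 1 (process creation, with ParentProcessId) and Event ID 7 (image load); the ancestry walk is what keeps ordinary interactive PowerShell use out of the results.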
Program Database (PDB) paths recovered during analysis point to the internal code names “Mustang” and “ShockWave”, suggesting organized development practices: the path C:\Users\The Freelancer\source\repos\JAN25\mustang\x64\Release\mustang.pdb is embedded in Shadow RAT, and C:\Users\Shockwave\source\repos\memcom\x64\Release\memcom.pdb in INET RAT.
The persistent infrastructure maintains consistent command and control operations, deploying custom implants including Shadow RAT, INET RAT, and Blister DLL loaders.
These tools provide comprehensive system access, enabling data exfiltration, remote command execution, and lateral movement capabilities across compromised networks, establishing UNG0002 as a formidable threat to regional cybersecurity.