UNG0002 Actors Weaponize LNK Files via ClickFix Fake CAPTCHA Pages
Cybersecurity researchers at Seqrite Labs have identified a sophisticated espionage group designated as UNG0002 (Unknown Group 0002) that has been conducting persistent campaigns across multiple Asian jurisdictions since May 2024.
The threat actors have demonstrated remarkable adaptability by integrating social engineering techniques with advanced malware deployment methods, specifically targeting organizations in China, Hong Kong, and Pakistan through carefully orchestrated operations.
Multi-Campaign Espionage Operations
UNG0002 has orchestrated two major campaign clusters: Operation Cobalt Whisper, which ran from May to September 2024, and the more recent Operation AmberMist, active from January to May 2025.
During Operation Cobalt Whisper, researchers observed 20 distinct infection chains primarily targeting defense contractors, electrotechnical engineering firms, and civil aviation organizations.
The group initially relied heavily on established frameworks including Cobalt Strike and Metasploit for their post-exploitation activities.
The evolution became apparent with Operation AmberMist, where UNG0002 expanded their target scope to include gaming companies, software development firms, and academic institutions.
This campaign demonstrated significant technical advancement through the deployment of custom-developed implants including Shadow RAT, Blister DLL Implant, and INET RAT.
The threat actors have shown particular sophistication in their use of CV-themed decoy documents, creating realistic resume profiles including fake credentials for game UI designers and computer science students from prestigious institutions to establish credibility with potential victims.
ClickFix Technique
Perhaps the most concerning development in UNG0002’s tactics is their adoption of the ClickFix social engineering technique, which leverages fake CAPTCHA verification pages to manipulate victims into executing malicious PowerShell scripts.
The group has demonstrated particular audacity by spoofing official government websites, including Pakistan’s Ministry of Maritime Affairs, to create convincing authentication scenarios that bypass traditional security awareness training.
The infection methodology typically begins with malicious LNK shortcut files distributed through targeted phishing campaigns.
These shortcuts initiate complex multi-stage attack chains incorporating VBScript, batch scripts, and PowerShell components designed to deploy custom RAT implants while maintaining persistence on compromised systems.
The group has shown consistent preference for DLL sideloading techniques, particularly exploiting legitimate Windows applications such as Rasphone and Node-Webkit binaries to execute malicious payloads while evading endpoint detection systems.
Technical artifacts recovered during the investigation reveal interesting insights into the group’s operational security practices.
PDB paths discovered in their custom malware indicate development environments with usernames like “The Freelancer” and “Shockwave,” suggesting possible code names or references to existing threat groups.
According to the report, this pattern aligns with Seqrite Labs’ assessment that UNG0002 deliberately mimics techniques from established threat actor playbooks to complicate attribution efforts and misdirect security researchers.
Based on comprehensive analysis of targeting patterns, infrastructure usage, and operational timing, researchers assess with high confidence that UNG0002 originates from South-East Asia and maintains a strategic focus on intelligence gathering activities typical of state-sponsored or state-aligned espionage operations.
The group’s persistent infrastructure management and consistent naming conventions across multiple campaigns demonstrate sophisticated operational planning and resource allocation capabilities that suggest sustained organizational backing.
Indicators of Compromise
| File Type | Hash (SHA-256) | Malware Type | Notes |
|---|---|---|---|
| LNK | 4ca4f673e4389a352854f5feb0793dac43519ade8049b5dd9356d0cbe0f06148 | Shortcut | Initial infection vector |
| VBS | ad97b1c79735b1b97c4c4432cacac2fce6316889eafb41a0d97f2b0e565ee850 | VBScript | Stage 2 payload |
| PE | c3ccfe415c3d3b89bde029669f42b7f04df72ad2da4bd15d82495b58ebde46d6 | Blister DLL | Operation AmberMist implant |
| PE | 2bdd086a5fce1f32ea41be86febfb4be7782c997cfcb028d2f58fee5dd4b0f8a | INET RAT | Advanced persistence tool |
| PE | 90c9e0ee1d74b596a0acf1e04b41c2c5f15d16b2acd39d3dc8f90b071888ac99 | Shadow RAT | Custom espionage implant |
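The triage script below is an added illustration and is not code from the article or from Seqrite Labs. It turns the behaviours described in the ClickFix section (PowerShell launched from a fake-CAPTCHA prompt, LNK-driven script-host chains, DLL sideloading through Rasphone and Node-Webkit) and the SHA-256 values from the table above into detection rules, then runs them over a handful of constructed Sysmon-style events. The event field names, the suspicious-argument heuristic, the use of nw.exe as the Node-Webkit binary name, and every sample path, command line and hash that is not in the table are assumptions made for the example.

```python
"""Triage of constructed endpoint events for the UNG0002 tradecraft described in the article."""
import re

# SHA-256 values copied from the article's IoC table
KNOWN_BAD_SHA256 = {
    "4ca4f673e4389a352854f5feb0793dac43519ade8049b5dd9356d0cbe0f06148": "LNK (initial vector)",
    "ad97b1c79735b1b97c4c4432cacac2fce6316889eafb41a0d97f2b0e565ee850": "VBScript (stage 2)",
    "c3ccfe415c3d3b89bde029669f42b7f04df72ad2da4bd15d82495b58ebde46d6": "Blister DLL implant",
    "2bdd086a5fce1f32ea41be86febfb4be7782c997cfcb028d2f58fee5dd4b0f8a": "INET RAT",
    "90c9e0ee1d74b596a0acf1e04b41c2c5f15d16b2acd39d3dc8f90b071888ac99": "Shadow RAT",
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}   # VBScript / batch stages
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Sideloading hosts named in the article. "nw.exe" is an assumption for the
# Node-Webkit binary; the article only says "Node-Webkit binaries".
SIDELOAD_HOSTS = {"rasphone.exe", "nw.exe"}
TRUSTED_DLL_ROOTS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)
# Arguments typical of a copy-pasted one-liner (hidden window, encoded or
# downloaded payload). A heuristic, not a definitive indicator on its own.
CLICKFIX_ARGS = re.compile(
    r"(?:^|\s)-(?:enc|encodedcommand|w(?:indowstyle)?\s+hidden|nop|noprofile)\b"
    r"|\b(?:iex|invoke-expression|downloadstring|frombase64string)\b",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_trusted_dir(path: str) -> bool:
    """True when a DLL sits under a directory an unprivileged user cannot write to."""
    return path.lower().startswith(TRUSTED_DLL_ROOTS)


def triage(events):
    """Return (rule, detail) pairs for every event that matches one of the rules."""
    findings = []
    for ev in events:
        sha = ev.get("file_sha256", "").lower()
        if sha in KNOWN_BAD_SHA256:
            findings.append(("known_hash", f"{KNOWN_BAD_SHA256[sha]}: {ev.get('file', ev.get('image'))}"))
        if ev["type"] == "process":
            image, parent = basename(ev["image"]), basename(ev["parent_image"])
            # LNK chain: batch or VBScript stage handing off to PowerShell
            if image in POWERSHELL and parent in SCRIPT_HOSTS:
                findings.append(("script_chain", f"{parent} -> {image}: {ev['cmdline']}"))
            # ClickFix: PowerShell started from the shell with one-liner style arguments
            if image in POWERSHELL and parent == "explorer.exe" and CLICKFIX_ARGS.search(ev["cmdline"]):
                findings.append(("clickfix_powershell", ev["cmdline"]))
        elif ev["type"] == "image_load":
            host = basename(ev["image"])
            if host in SIDELOAD_HOSTS and not in_trusted_dir(ev["loaded"]):
                findings.append(("dll_sideload", f"{host} loaded {ev['loaded']}"))
    return findings


# Constructed sample events (field names and values are assumptions, not real telemetry)
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc QQBBAEEA", "file_sha256": ""},  # placeholder payload
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"wscript.exe C:\Users\victim\AppData\Local\Temp\stage2.vbs",
     "file": r"C:\Users\victim\AppData\Local\Temp\stage2.vbs",
     "file_sha256": "ad97b1c79735b1b97c4c4432cacac2fce6316889eafb41a0d97f2b0e565ee850"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"powershell.exe -File C:\Users\victim\AppData\Local\Temp\stage3.ps1", "file_sha256": ""},
    {"type": "image_load", "image": r"C:\Users\victim\AppData\Roaming\Rasphone\rasphone.exe",
     "loaded": r"C:\Users\victim\AppData\Roaming\Rasphone\helper.dll", "file_sha256": ""},
    # benign: the real rasphone.exe loading a system DLL from System32
    {"type": "image_load", "image": r"C:\Windows\System32\rasphone.exe",
     "loaded": r"C:\Windows\System32\rasapi32.dll", "file_sha256": ""},
    # benign: an interactive PowerShell opened from the shell without one-liner arguments
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe", "file_sha256": ""},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run against the sample set, the script reports the four malicious events and stays quiet on the two benign ones. The hash rule is exact and low-noise but only catches the samples listed above; the three behavioural rules are what catch a re-compiled implant, at the cost of needing tuning (for example, allow-listing administrative scripts that legitimately start PowerShell from cmd.exe) before they are deployed as alerts.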