{
	"id": "c7266b72-7ae3-4f87-a312-c41b41c4196b",
	"created_at": "2026-04-06T00:21:01.077068Z",
	"updated_at": "2026-04-10T03:22:39.467834Z",
	"deleted_at": null,
	"sha1_hash": "26e91765203bac654e095e12371f73f15a07685f",
	"title": "Cryptocurrency Lures \u0026 Pupy RAT: UTG-Q-010 Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1770290,
	"plain_text": "Cryptocurrency Lures \u0026 Pupy RAT: UTG-Q-010 Campaign\r\nPublished: 2024-08-14 · Archived: 2026-04-05 16:00:21 UTC\r\nCyble analyzes the latest UTG-Q-010 campaign, targeting Chinese entities using an updated DLL loader and the open-source Pupy RAT.\r\nKey Takeaways \r\nCyble Research and Intelligence Labs (CRIL) recently identified a campaign utilizing a Windows shortcut (LNK)\r\nfile, which has been linked to the UTG-Q-010 group. \r\nThis group, a financially motivated Advanced Persistent Threat (APT) actor originating from East Asia, is known\r\nfor its strategic and targeted operations. \r\nThe campaign was directed at cryptocurrency enthusiasts and human resource departments, suggesting a\r\ncalculated effort to exploit specific interests and organizational roles. By focusing on these particular groups, the\r\nThreat Actor (TA) demonstrated a keen understanding of their targets’ vulnerabilities and the potential for high-value returns. \r\nSpear phishing emails with malicious attachments likely served as the campaign’s initial infection vector. The TA\r\nemployed advanced social engineering tactics, using enticing themes related to cryptocurrency and job resumes to\r\nlure victims into interacting with the malicious content. This approach indicates a sophisticated level of planning\r\nand execution aimed at maximizing the success rate of their phishing attempts. \r\nThe UTG-Q-010 group is notorious for abusing legitimate Windows processes, specifically “WerFault.exe”, to\r\nsideload a malicious DLL file named “faultrep.dll.” This technique allows the group to execute malicious code\r\nwhile evading detection by security software. \r\nThe malicious LNK file has an embedded Loader DLL encrypted using XOR operation. The loader DLL file has\r\nchecks to detect sandbox environments and methods to execute code without writing to disk. These techniques\r\nunderscore the group’s advanced capabilities in bypassing traditional security measures. 
\r\nThe campaign’s ultimate goal was to deliver and execute Pupy RAT, a powerful remote access tool, using\r\nsophisticated methods such as in-memory execution and reflective DLL loading. These techniques significantly\r\nreduce the likelihood of detection and leave a minimal footprint, making the campaign highly effective and\r\ndifficult to trace. \r\nExecutive Summary \r\nIn May 2024, QiAnXin Threat Intelligence Centre identified a campaign from a financially motivated advanced persistent\r\nthreat (APT) group from East Asia, which they named UTG-Q-010. According to the researchers, UTG-Q-010’s activities\r\ndate back to late 2022, and the lures were related to the pharmaceutical industry.  \r\nUTG-Q-010 has previously executed sophisticated phishing campaigns, meticulously crafting emails with logically\r\nstructured content focused on game developer recruitment by major gaming companies and AI technology in China.\r\nThese emails aimed to lure HR departments into opening attachments containing malicious LNK files. Furthermore, the\r\ngroup employed deceptive watering hole sites in the cryptocurrency and AI sectors to entice victims into downloading\r\nmalicious APKs, which were distributed on domestic forums. One particular attack site targeted the cryptocurrency\r\ncommunity specifically, deploying the Ermac malware family to exploit unsuspecting users. \r\nhttps://cyble.com/blog/analysing-the-utg-q-010-campaign/\r\nPage 1 of 10\n\nCRIL recently came across samples related to UTG-Q-010 targeting cryptocurrency enthusiasts by employing a\r\nsophisticated phishing attack involving a zip file containing a malicious LNK file. This LNK file, disguised as an enticing\r\nevent invitation for a cryptocurrency-related conference in collaboration with Michelin, executes commands to decrypt\r\nand drop a loader DLL in the system. 
The loader, equipped with advanced evasion techniques, detects sandbox\r\nenvironments and checks for a working internet connection before downloading and decrypting the final payload, which is\r\nidentified as the open-source Pupy RAT. This campaign was also identified by StrikeReady Labs and shared on X. \r\nTechnical Details \r\nDuring our research, we came across a suspicious URL: hxxp://malaithai[.]co/MichelinNight.zip. This URL hosts a zip\r\nfile named “MichelinNight.zip,” which contains a malicious LNK file masquerading as a PDF called\r\n“MichelinNight.lnk.” \r\nUpon further analysis, we found that the LNK file is programmed to execute several malicious commands. Although the\r\nexact source of the initial infection remains uncertain, the nature of the lure suggests that it likely originated from a\r\nphishing email or a phishing link. \r\nUpon executing the LNK file, the Command Prompt (cmd.exe) is invoked with the /c switch to execute a series of\r\ncommands and then terminate. First, the command copies the legitimate Windows Error Reporting tool (WerFault.exe)\r\nfrom its default location in C:\\Windows\\system32 to the Temp directory\r\n(C:\\Users\\MALWOR~1\\AppData\\Local\\Temp\\WerFault.exe). The command then uses PowerShell in hidden mode to\r\nexecute a PowerShell script. The script begins by searching the current directory for an LNK file of one specific size\r\n(0x0009DBFB bytes). This is how the script locates its own carrier: the shortcut that launched it also contains the encrypted loader DLL, and matching on the exact size avoids hardcoding a file name. \r\nThe identified LNK file’s content is read as a byte array. The script then decrypts this content using a bitwise XOR\r\noperation with the single-byte key 0x71. It skips the first 12238 bytes of the decrypted data, which are the bytes of the shortcut itself that precede the embedded DLL, and saves the remainder as a DLL file named “faultrep.dll” in the Temp directory. 
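The carving step just described, as an added Python example that is not code from the Cyble post or from the attacker’s PowerShell: it strips the 12238-byte shortcut stub and XOR-decodes the remainder, but instead of hard-coding 0x71 it first recovers a single-byte XOR key from the embedded payload (a PE image is dominated by zero bytes, so the most frequent byte of the encrypted region is the key itself) and refuses to write anything that does not carry valid MZ/PE signatures. The stub length and key come from the page; the sample carrier is constructed inline, and the key-recovery heuristic, the fake PE and every function name are this example’s own assumptions.

```python
import struct
from collections import Counter

STUB_LEN = 12238   # bytes preceding the embedded DLL, per the LNK's PowerShell
KNOWN_KEY = 0x71   # key used by the MichelinNight.lnk sample


def recover_xor_key(blob, stub_len=STUB_LEN):
    # A PE image is mostly 0x00 (header padding, alignment, .data). XOR with a
    # single-byte key maps every 0x00 to the key, so the most common byte of
    # the encrypted region is almost always the key. Heuristic, not from the page.
    region = blob[stub_len:]
    if not region:
        raise ValueError('no payload after stub')
    key, _ = Counter(region).most_common(1)[0]
    return key


def xor_decode(data, key):
    # Per-byte XOR: decoding a slice equals slicing the decoded whole, so
    # skipping the stub before or after the XOR gives the same DLL.
    return bytes(b ^ key for b in data)


def looks_like_pe(image):
    # MZ at offset 0, e_lfanew at 0x3C, PE signature at e_lfanew.
    if len(image) < 0x40 or image[:2] != b'MZ':
        return False
    (e_lfanew,) = struct.unpack_from('<I', image, 0x3C)
    return image[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)


def carve_loader(blob, stub_len=STUB_LEN, key=None):
    # Returns (key, dll_bytes). Raises if the result is not a PE image, so a
    # wrong stub length or key never yields a garbage faultrep.dll.
    if key is None:
        key = recover_xor_key(blob, stub_len)
    dll = xor_decode(blob[stub_len:], key)
    if not looks_like_pe(dll):
        raise ValueError('decoded data is not a PE image (key=0x%02x)' % key)
    return key, dll


def build_fake_pe(size=4096):
    # Constructed stand-in for faultrep.dll: valid MZ/PE headers, zero padding.
    image = bytearray(size)
    image[:2] = b'MZ'
    struct.pack_into('<I', image, 0x3C, 0x80)
    image[0x80:0x84] = b'PE' + bytes(2)
    return bytes(image)


def build_fake_carrier(key=KNOWN_KEY):
    # Constructed stand-in for MichelinNight.lnk: a cleartext shortcut stub
    # (real .lnk files start with 0x4C) followed by the XOR-encoded DLL.
    stub = b'L' + bytes(STUB_LEN - 1)
    return stub + xor_decode(build_fake_pe(), key)


if __name__ == '__main__':
    carrier = build_fake_carrier()
    key, dll = carve_loader(carrier)
    print('recovered key 0x%02x, carved %d-byte PE' % (key, len(dll)))
```

On a real carrier, run carve_loader over the bytes of the oversized .lnk; if the PE check fails with the recovered key, the stub length differs from this sample’s and is the first thing to re-derive from the shortcut’s own PowerShell.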
Finally,\r\nthe script executes the copied WerFault.exe from the Temp directory. Because the copy now sits in the same directory as the dropped faultrep.dll, the legitimate binary resolves that dependency from its own directory before falling back to C:\\Windows\\System32, so the malicious DLL is loaded in place of the genuine one: a DLL sideloading operation that runs attacker code inside a Microsoft-signed process.\r\nThe figure below shows the specific commands executed by the LNK file. \r\nFigure 1 – LNK File Commands \r\nThe “faultrep.dll” file acts as a malicious loader DLL and includes an embedded PDF document used as a lure. Upon\r\nexecution, the DLL drops this PDF file onto the system and opens it. The decoy gives the victim the document they expected to open, reducing suspicion and keeping them engaged while the loader continues its work in the background. The figure below shows the strings related to the embedded PDF file in the faultrep.dll file. \r\nFigure 2 – PDF file Embedded in faultrep.dll \r\nThis specific campaign employs a lure themed around a fictional event called “Michelin Night: Coin Circle Friendship\r\nFeast.” At first glance, the lure appears to be an invitation to a cryptocurrency promotional event. This suggests that the\r\ncampaign is likely targeting individuals involved in cryptocurrency trading or those with an interest in the cryptocurrency\r\nsector. By using an enticing and seemingly legitimate invitation, the TA aims to capture the attention of its targets,\r\nincreasing the likelihood of interaction with the malicious content. The figure below shows the lure. \r\nFigure 3 – Lure Related to Cryptocurrency \r\nIn previous campaigns, the TAs targeted the HR departments within the gaming industry by using resumes of candidates\r\nwith game development experience. In their recent campaign, they shifted focus to targeting the HR departments of\r\nChinese IT firms, using resumes of candidates with software development experience. 
The figure below shows the latest\r\nresume-based lures targeting HR departments. \r\nFigure 4 – Other UTG-Q-010 Campaigns \r\nLoader DLL Details \r\nThe loader DLLs from previous campaigns lacked defense evasion mechanisms. The new loader DLL adds several,\r\nindicating that UTG-Q-010 is continuously evolving its tools. \r\nThe “faultrep.dll” loader is equipped with routines designed to detect if it is operating within a sandbox environment. To\r\nachieve this, the loader compares the current username against a hardcoded list of usernames associated with popular sandbox vendors\r\nand analysis images. A match tells the loader it is likely being analyzed in a controlled or virtualized setting. The figure below shows the routine to check for well-known sandbox\r\nusernames. \r\nFigure 5 – Sandbox Usernames \r\nThe malicious DLL includes a routine to examine the victim’s system’s MAC addresses. It has hardcoded specific MAC\r\naddress prefixes commonly associated with virtual environments: the first three bytes of a MAC address (the OUI) identify the NIC vendor, and hypervisors assign virtual NICs from their own well-known ranges. By checking whether any of the system’s MAC addresses start with\r\nthese predefined prefixes, the DLL can determine whether the infected system is running in a virtualized environment.\r\nThe figure below shows the hardcoded MAC address prefixes. \r\nFigure 6 – Hardcoded MAC Address Prefixes \r\nThe loader DLL contains a hardcoded list of services, DLLs, and executables that are commonly associated with virtual\r\nenvironments. This list includes specific artifacts related to virtualization platforms such as VMware and VirtualBox. By\r\nscanning for these elements on the victim’s system, the malware can determine if it is running on a virtual machine. The\r\nfigure below shows the hardcoded artifacts related to virtualization tools. 
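To make the three host checks concrete, here is an added Python example; it is not the loader’s code, and the lists it contains are illustrative stand-ins for the hardcoded values shown in Figures 5 to 7, not the sample’s actual values. It normalizes MAC addresses to their OUI before comparison, matches usernames case-insensitively, and reports which heuristics would fire on a given host, so an analyst can run it on an analysis VM to see whether a loader built this way would stop before downloading Pupy. The hypervisor OUIs are the publicly registered ones; every function name is this example’s own.

```python
import getpass
import os
import platform
import re
import uuid

# Illustrative values only; the sample's own lists live inside faultrep.dll.
SANDBOX_USERNAMES = {'sandbox', 'malware', 'virus', 'sample', 'test', 'analyst'}
# OUI (first three bytes) of well-known hypervisor NIC ranges. Assumption: the
# loader compares prefixes of this form, as the page describes.
VM_MAC_OUIS = {
    '000569': 'VMware', '000c29': 'VMware', '005056': 'VMware', '001c14': 'VMware',
    '080027': 'VirtualBox', '0a0027': 'VirtualBox host-only',
    '00155d': 'Hyper-V', '001c42': 'Parallels', '525400': 'QEMU/KVM',
}
VM_ARTIFACTS = {
    'vmtoolsd.exe', 'vmwaretray.exe', 'vmhgfs.dll', 'vmmouse.sys',
    'vboxservice.exe', 'vboxtray.exe', 'vboxmrxnp.dll', 'vboxguest.sys',
}
_NON_HEX = re.compile('[^0-9a-f]')


def normalize_oui(mac):
    # Accepts 00:0C:29:..., 00-0c-29-..., 000c29..., or the int from uuid.getnode().
    if isinstance(mac, int):
        digits = '%012x' % mac
    else:
        digits = _NON_HEX.sub('', mac.lower())
    if len(digits) != 12:
        raise ValueError('not a MAC address: %r' % (mac,))
    return digits[:6]


def username_hit(username):
    return username.strip().lower() in SANDBOX_USERNAMES


def mac_hits(macs):
    hits = []
    for mac in macs:
        vendor = VM_MAC_OUIS.get(normalize_oui(mac))
        if vendor:
            hits.append((mac, vendor))
    return hits


def artifact_hits(present_files):
    # present_files: names or paths of services, DLLs and executables on the host.
    lowered = {os.path.basename(p).lower() for p in present_files}
    return sorted(lowered.intersection(VM_ARTIFACTS))


def evaluate(username, macs, present_files):
    # Mirrors the loader's decision: any single hit means it assumes analysis.
    report = {
        'username': username_hit(username),
        'mac': mac_hits(macs),
        'artifacts': artifact_hits(present_files),
    }
    report['would_bail_out'] = bool(report['username'] or report['mac'] or report['artifacts'])
    return report


def collect_host_facts():
    # Best-effort live collection with the standard library, Windows-oriented;
    # on other platforms it simply finds no Windows artifact directories.
    root = os.environ.get('SystemRoot', '')
    files = []
    for sub in (('System32',), ('System32', 'drivers')):
        folder = os.path.join(root, *sub)
        if root and os.path.isdir(folder):
            files.extend(os.listdir(folder))
    return getpass.getuser(), [uuid.getnode()], files


if __name__ == '__main__':
    user, macs, files = collect_host_facts()
    print(platform.system(), evaluate(user, macs, files))
```

A sandbox that wants to see the Pupy stage therefore needs an ordinary-looking username, a NIC whose OUI is not a hypervisor’s, and no guest-tools binaries in System32, and, as the next section shows, it also needs real outbound HTTPS.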
Figure 7 – Hardcoded Virtualization Related Files \r\nThe loader also verifies whether the infected system has an active internet connection. To perform this check, the DLL\r\nattempts to connect to the URL `https://www.baidu.com`, a popular search engine website. The download only proceeds once this check succeeds, so the check doubles as an anti-analysis measure: an isolated analysis VM never reaches the download stage, and a fully offline detonation yields only the loader, never the Pupy payload. The figure below shows the routine for\r\nchecking the internet connection. \r\nFigure 8 – Routine to Check Internet Connection \r\nAfter confirming an active internet connection, the loader attempts to download the encrypted payload from the URL\r\n`hxxps://chemdl.gangtao[.]live/down_xia.php` and tries to temporarily store it as rname.dat in the Temp folder. The figure\r\nbelow shows the routine to download the encrypted payload. \r\nFigure 9 – Routine to Download the Encrypted Payload \r\nOnce the payload is successfully downloaded, the loader decrypts it and executes the resulting final payload. The figure\r\nbelow shows the routine to decrypt the payload. \r\nFigure 10 – Decryption Loop of Loader DLL \r\nThe decrypted payload is a Pupy RAT DLL file, which includes three export functions. The figure below compares the\r\nencrypted payload and Pupy RAT DLL. \r\nFigure 11 – Comparison Between Encrypted and Decrypted Payload \r\nPupy RAT \r\nPupy is a versatile, cross-platform Remote Access Trojan (RAT) and post-exploitation tool, primarily developed in\r\nPython. It operates stealthily with an in-memory execution model, leaving minimal traces on host systems. Pupy supports\r\nmultiple network transports, enabling adaptability to diverse network environments and evasion of\r\ndetection. 
It uses reflective injection to execute within legitimate processes, enhancing its concealment. Pupy can load\r\nand execute remote Python code, packages, and C extensions directly from memory, allowing dynamic capability\r\nexpansion without disk writes, and gives the operator interactive access to the host. Together, in-memory execution, cross-platform support, reflective process\r\ninjection and remote import make it a potent tool for maintaining control over\r\ncompromised systems. \r\nConclusion \r\nThe UTG-Q-010 group’s latest campaign underscores their continued evolution as a highly skilled and financially\r\nmotivated APT actor. By leveraging advanced social engineering techniques, exploiting legitimate Windows processes,\r\nand employing sophisticated malware delivery methods, they have demonstrated a deep understanding of their targets’\r\nvulnerabilities. The focus on cryptocurrency enthusiasts and HR departments, combined with the use of tools like the\r\nPupy RAT, highlights the group’s strategic approach to maximizing the impact of their operations. Their ability to evade\r\ndetection through techniques such as in-memory execution and reflective DLL loading further cements their reputation as\r\na formidable threat in the cyber landscape. We observed that the TAs are evolving the loader DLL by adding defense\r\nevasion capabilities. \r\nRecommendations \r\nTo defend against campaigns like UTG-Q-010, organizations should consider the following recommendations: \r\nImplement advanced email filtering solutions to detect and block spear phishing emails. Look for signs of\r\nmalicious attachments, particularly LNK files, and employ sandboxing technologies to analyze attachments before\r\nthey reach end users. Treat a shortcut inside an archive as an executable rather than a document: it can carry an arbitrary command line and, as in this campaign, an entire encrypted payload. \r\nTrain employees, especially those in cryptocurrency and human resources departments, to recognize phishing\r\nattempts and avoid interacting with suspicious emails and attachments. 
Deploy endpoint detection and response (EDR) solutions capable of monitoring and detecting abnormal behaviors\r\nsuch as the execution of LNK files, unauthorized DLL sideloading, and the abuse of legitimate processes like\r\n`WerFault.exe`. In this campaign every link of the chain is observable on the endpoint: a shortcut spawning cmd.exe /c, cmd.exe copying WerFault.exe into %TEMP%, a hidden PowerShell process reading a .lnk and writing faultrep.dll, and WerFault.exe running from %TEMP% and loading faultrep.dll from anywhere other than C:\\Windows\\System32. A signed system binary executing from a user-writable directory is worth a rule on its own. \r\nSet up detection rules to identify unusual activity, such as in-memory execution, reflective DLL loading, and\r\nXOR-encoded payloads hidden in otherwise ordinary-looking files. File size is a cheap signal here: the MichelinNight.lnk carrier is 0x9DBFB bytes, far larger than any genuine shortcut, because the encrypted loader DLL is embedded in it. \r\nMonitor for signs of sandbox evasion techniques, which may indicate that an attacker is attempting to bypass\r\nautomated threat analysis systems. This loader also refuses to proceed without reachable internet, so a fully isolated detonation will stop before the Pupy stage. \r\nRestrict the use of administrative privileges on endpoints to prevent attackers from gaining elevated access and\r\nexecuting malicious code. Employ least-privilege access principles to minimize the impact of a successful\r\nintrusion. \r\nSegment your network to limit lateral movement in case of a breach. This can help contain the damage if an\r\nattacker manages to infiltrate one part of your network. \r\nStay informed about the latest threat intelligence reports related to APT groups like UTG-Q-010. Understanding\r\ntheir tactics, techniques, and procedures (TTPs) will allow you to anticipate and mitigate potential threats. \r\nMITRE ATT\u0026CK® Techniques \r\nTactic  Technique  Procedure \r\nInitial Access (TA0001)  Phishing (T1566)  TAs likely reach users via phishing emails. \r\nExecution (TA0002)  User Execution: Malicious File (T1204.002)  The phishing URL delivers a ZIP file containing the malicious LNK payload, which the user must open. \r\nExecution (TA0002)  Command and Scripting Interpreter: PowerShell (T1059.001)  PowerShell decrypts the loader DLL embedded in the LNK and starts the sideloading host process. \r\nPersistence (TA0003) and Privilege Escalation (TA0004)  Hijack Execution Flow: DLL Side-Loading (T1574.002)  faultrep.dll is dropped next to a copy of WerFault.exe in Temp so that the legitimate binary loads it. \r\nDefense Evasion (TA0005)  Obfuscated Files or Information: Encrypted/Encoded File (T1027.013)  The loader DLL is XOR-encoded inside the LNK, and the downloaded Pupy RAT payload stays encrypted until the loader decrypts it. \r\nDefense Evasion (TA0005)  Virtualization/Sandbox Evasion (T1497)  The loader checks usernames, MAC address prefixes and VM-related files to avoid analysis environments. \r\nCommand and Control (TA0011)  Application Layer Protocol: Web Protocols (T1071.001)  HTTPS is used to download the encrypted payload. \r\nIndicators of Compromise (IOCs) \r\nIndicator  Type  Description \r\nf2db556b6e0865783b1d45a7cc40d115ceb04fe2ad145df367ac6f5d8eca901d  SHA256  MichelinNight.zip \r\n54368d528214df1ed436e4c82a65ccaf2daf517359a1361b736faab7253e54f6  SHA256  Pupy RAT \r\na69693dc1a62e49853ba5eb40999f24e340faf1a087e56f9a21c4622d297c861  SHA256  MichelinNight.lnk \r\n9db229a5de265081dc4145be84f23d2f71744967c044b2f10d4a934ec28166db  SHA256  lzh.zip \r\n732a6bf2345e9cc40b9a6a1164dc2e823955cbc56a5d3750e675d1c4db7f7415  SHA256  LNK File \r\na4abc9c7e3a287641856a069355b02e36226c2ab94cc0807516b86dd66fe1cf5  SHA256  faultrep.dll Loader DLL \r\nc9c5bb8acb89ba11e7813b59aad5d3de6d0d4f38839d4a7a74636ce9c9c6ecea  SHA256  Encrypted Payload \r\n0fbb21dd4fd0e0305b57e64f18129682a0416cf852d6bc88b53960e6b48603eb  SHA256  faultrep.dll Loader DLL \r\nhxxps://malaithai[.]co/MichelinNight.zip  URL  Download URL \r\nhxxps://malaithai[.]co/lzh.zip  URL  Download URL \r\nhxxps://chemdl.gangtao[.]live/down_xia.php  URL  Encrypted Payload \r\n103.79.76[.]40  IP  C\u0026C \r\nReferences 
\r\nhttps://ti.qianxin.com/blog/articles/UTG-Q-010-Targeted-Attack-Campaign-Against-the-AI-and-Gaming-Industry-EN/ \r\nhttps://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/ \r\nhttps://x.com/StrikeReadyLabs/status/1818827583410389431 \r\nhttps://github.com/n1nj4sec/pupy \r\nSource: https://cyble.com/blog/analysing-the-utg-q-010-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cyble.com/blog/analysing-the-utg-q-010-campaign/"
	],
	"report_names": [
		"analysing-the-utg-q-010-campaign"
	],
	"threat_actors": [
		{
			"id": "ab42b06b-ceff-4220-ba65-57207bb9d051",
			"created_at": "2024-09-20T02:00:04.593228Z",
			"updated_at": "2026-04-10T02:00:03.705254Z",
			"deleted_at": null,
			"main_name": "UTG-Q-010",
			"aliases": [],
			"source_name": "MISPGALAXY:UTG-Q-010",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434861,
	"ts_updated_at": 1775791359,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/26e91765203bac654e095e12371f73f15a07685f.pdf",
		"text": "https://archive.orkl.eu/26e91765203bac654e095e12371f73f15a07685f.txt",
		"img": "https://archive.orkl.eu/26e91765203bac654e095e12371f73f15a07685f.jpg"
	}
}