Multiple sectors in China, Hong Kong, and Pakistan have become the target of a threat activity cluster tracked as UNG0002 (aka Unknown Group 0002) as part of a broader cyber espionage campaign.
“This threat entity demonstrates a strong preference for using shortcut files (LNK), VBScript, and post-exploitation tools such as Cobalt Strike and Metasploit, while consistently deploying CV-themed decoy documents to lure victims,” Seqrite Labs researcher Subhajeet Singha said in a report published this week.
The activity encompasses two major campaigns, one called Operation Cobalt Whisper which took place between May and September 2024, and Operation AmberMist that occurred between January and May 2025.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
Targets of these campaigns include defense, electrotechnical engineering, energy, civil aviation, academia, medical institutions, cybersecurity, gaming, and software development sectors.
Operation Cobalt Whisper was first documented by Seqrite Labs in late October 2024, detailing the use of ZIP archives propagated via spear-phishing attacks to deliver Cobalt Strike beacons, a post-exploitation framework, using LNK and Visual Basic Scripts as interim payloads.
“The scope and complexity of the campaign, coupled with the tailored lures, strongly suggest a targeted effort by an APT group to compromise sensitive research and intellectual property in these industries,” the company noted at the time.
The AmberMist attack chains have been found to leverage spear-phishing emails as a starting point to deliver LNK files masquerading as curriculum vitae and resumes to unleash a multi-stage infection process that results in the deployment of INET RAT and Blister DLL loader.
Alternate attack sequences detected in January 2025 have been found to redirect email recipients to fake landing pages spoofing Pakistan’s Ministry of Maritime Affairs (MoMA) website to serve fake CAPTCHA verification checks that employ ClickFix tactics to launch PowerShell commands, which are used to execute Shadow RAT.
Shadow RAT, launched via DLL side-loading, is capable of establishing contact with a remote server to await further commands. INET RAT is assessed to be a modified version of Shadow RAT, whereas the Blister DLL implant functions as a shellcode loader, eventually paving the way for a reverse-shell based implant.
The exact origins of the threat actor remain unclear, but evidence points to it being an espionage-focused group from Southeast Asia.
“UNG0002 represents a sophisticated and persistent threat entity from South Asia that has maintained consistent operations targeting multiple Asian jurisdictions since at least May 2024,” Singha said. “The group demonstrates high adaptability and technical proficiency, continuously evolving their toolset while maintaining consistent tactics, techniques, and procedures.”
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Ivanti Zero-Days Exploited to Drop MDifyLoader and Launch In-Memory Cobalt Strike Attacks