Saturday, February 14, 2026

Leveraging Weaponized LNK Files and Tools like Cobalt Strike and Metasploit in Targeted Cyberattacks on Organizations

Cybersecurity researchers at Seqrite Labs have identified and tracked a sophisticated espionage group known as UNG0002, which has been conducting targeted cyberattacks across multiple Asian jurisdictions, including China, Hong Kong, and Pakistan, since May 2024.

The threat actor demonstrates advanced technical capabilities while maintaining consistent operational patterns across two major campaigns: Operation Cobalt Whisper and the more recent Operation AmberMist.

Advanced Multi-Stage Attack Methodology

UNG0002 employs a sophisticated infection chain beginning with weaponized shortcut files (LNK) embedded within CV-themed decoy documents.

The attack progression follows a deliberate sequence: malicious LNK files execute VBScript code, which then triggers batch scripts and PowerShell commands to deploy custom Remote Access Trojans (RATs).
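The process ancestry this chain leaves behind (a user double-clicks the shortcut, so explorer.exe spawns a script host with a .vbs argument, which spawns cmd.exe, which spawns PowerShell with non-interactive switches) is what a defender can hunt for. The following is an added detection example, not code from Seqrite Labs or from the report; the event shape (pid, ppid, image, cmdline) and the sample telemetry are constructed for the demonstration and do not represent any real UNG0002 sample.

```python
"""Detect the LNK -> script host -> cmd -> PowerShell chain in process telemetry.

Added example. Events are a constructed, Sysmon-like list of process-creation
records; the field names are assumptions, not a product schema.
"""
from dataclasses import dataclass
import re


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lowercase basename of the executable
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell switches that are rarely typed by a person at an interactive console.
PS_SUSPICIOUS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b|invoke-expression)"
)
VBS_ARG = re.compile(r"(?i)\.vbs\b")


def build_chain(events, pid):
    """Walk parent links from pid back to the root; return events oldest first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur and cur.pid not in seen:      # 'seen' guards against pid reuse loops
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def find_lnk_chains(events):
    """Return the image ancestry of every suspicious PowerShell process whose
    ancestry contains explorer.exe -> script host (with a .vbs argument)."""
    hits = []
    for ev in events:
        if ev.image not in POWERSHELL or not PS_SUSPICIOUS.search(ev.cmdline):
            continue
        chain = build_chain(events, ev.pid)
        host_idx = next(
            (i for i, e in enumerate(chain)
             if e.image in SCRIPT_HOSTS and VBS_ARG.search(e.cmdline)),
            None,
        )
        if host_idx is None:
            continue
        # A double-clicked LNK shows up as explorer.exe being the script host's parent.
        if host_idx > 0 and chain[host_idx - 1].image == "explorer.exe":
            hits.append([e.image for e in chain])
    return hits


# Constructed sample telemetry (not real UNG0002 data). The -enc payload
# decodes to the UTF-16LE string "ABC".
SAMPLE = [
    ProcEvent(1000, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(2000, 1000, "wscript.exe", 'wscript.exe //B "C:\\Users\\u\\AppData\\Local\\Temp\\cv_loader.vbs"'),
    ProcEvent(2100, 2000, "cmd.exe", 'cmd.exe /c "C:\\Users\\u\\AppData\\Local\\Temp\\run.bat"'),
    ProcEvent(2200, 2100, "powershell.exe", "powershell.exe -nop -w hidden -enc QQBCAEMA"),
    # Benign: an administrator runs a script by hand, and a vendor tool runs a .vbs
    ProcEvent(3000, 1000, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ProcEvent(3100, 1000, "wscript.exe", 'wscript.exe "C:\\Program Files\\Vendor\\inventory.vbs"'),
]

if __name__ == "__main__":
    for chain in find_lnk_chains(SAMPLE):
        print("ALERT:", " -> ".join(chain))
```

The check fires only when all three signals line up (explorer.exe as the script host's parent, a .vbs argument, and non-interactive PowerShell switches somewhere below it), which keeps administrator scripts and vendor VBScript tooling out of the alert stream; in real telemetry the same logic runs over Sysmon event ID 1 or the equivalent EDR process-creation feed.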

The group has evolved from primarily using established frameworks, such as Cobalt Strike and Metasploit, to developing custom implants, including Shadow RAT, INET RAT, and Blister DLL.

Technical analysis reveals telling artifacts in the malware’s Program Database (PDB) paths, such as “C:\Users\The Freelancer\source\repos\JAN25\mustang\x64\Release\mustang.pdb” for Shadow RAT, indicating potential code names that may reference other known threat groups.
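A PDB path like the one above survives in the binary as a CodeView "RSDS" debug record (the four-byte signature, a 16-byte GUID, a 4-byte age, then the NUL-terminated path), so it can be carved from raw bytes even when the PE headers are damaged. The following triage helper is an added example, not code from Seqrite Labs; the GUID, age and surrounding bytes are constructed, and only the path is the one quoted in the article.

```python
"""Carve PDB paths from CodeView (RSDS) debug records in raw PE bytes.

Added triage example. Scanning for the RSDS layout directly avoids parsing the
full PE debug directory, which helps with truncated or partially packed samples.
"""
import re
import struct
import uuid

# 'RSDS' + GUID (16) + age (4) + printable path ending in .pdb + NUL terminator.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260}?\.pdb)\x00", re.DOTALL)


def carve_pdb_records(data: bytes):
    """Return (guid, age, path) for every RSDS record found in data."""
    records = []
    for m in RSDS_RE.finditer(data):
        guid = str(uuid.UUID(bytes_le=m.group(1)))   # stored little-endian, as in PE
        age = struct.unpack("<I", m.group(2))[0]
        records.append((guid, age, m.group(3).decode("ascii")))
    return records


def developer_username(pdb_path: str):
    """Pull the profile name out of a C:\\Users\\<name>\\... PDB path, or None.

    The profile name is often the most attributable artefact in the path.
    """
    m = re.match(r"(?i)^[a-z]:\\users\\([^\\]+)\\", pdb_path)
    return m.group(1) if m else None


def build_rsds(guid: uuid.UUID, age: int, path: str) -> bytes:
    """Constructed helper: emit an RSDS record laid out as a linker would."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# The path quoted in the article; GUID and age are constructed placeholders.
SAMPLE_PATH = r"C:\Users\The Freelancer\source\repos\JAN25\mustang\x64\Release\mustang.pdb"
SAMPLE_GUID = uuid.UUID("00000000-1111-2222-3333-444444444444")
# Constructed blob: MZ stub bytes, filler, the record, trailing filler.
SAMPLE_BLOB = b"MZ\x90\x00" + b"\x00" * 64 + build_rsds(SAMPLE_GUID, 3, SAMPLE_PATH) + b"\xcc" * 32

if __name__ == "__main__":
    for guid, age, path in carve_pdb_records(SAMPLE_BLOB):
        print(f"{guid} age={age} {path} user={developer_username(path)}")
```

On a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `carve_pdb_records`; the GUID and age also let you check whether several samples were produced from the same build tree, since the linker regenerates the GUID per build but the path typically stays constant across a campaign.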

This suggests the actors deliberately mimic techniques from established threat actor playbooks to complicate attribution efforts.

Innovative Social Engineering and Evasion Techniques

The threat group has demonstrated significant innovation in social engineering tactics, notably implementing the ClickFix technique during Operation AmberMist.

This method involves creating fake CAPTCHA verification pages that trick victims into executing malicious PowerShell scripts, including instances where they spoofed Pakistan’s Ministry of Maritime Affairs website.

UNG0002 consistently abuses DLL sideloading techniques, leveraging legitimate Windows applications such as Rasphone and Node-Webkit binaries to execute malicious payloads while evading detection systems.
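Sideloading works because the trusted host resolves a DLL by name and finds the attacker's copy first, so the observable signals are a watched host loading a DLL from outside the Windows system directories, that DLL carrying a system DLL's name or lacking a signature, and a system binary such as rasphone.exe running from somewhere other than System32. The following is an added detection example over constructed image-load events, not code from Seqrite Labs; the event fields, the watch list and the set of "system-resident" DLL names are assumptions for the demonstration, and the hosts named are the two the article mentions.

```python
"""Flag candidate DLL sideloading from image-load telemetry.

Added example. Events are constructed and Sysmon-like (event ID 7 shape);
field names and the watch lists are assumptions, not a product schema.
"""
from dataclasses import dataclass
import ntpath


@dataclass
class ImageLoad:
    process_image: str   # full path of the process that loaded the DLL
    image_loaded: str    # full path of the DLL
    signed: bool


# Hosts the article names as abused (rasphone.exe; nw.exe is the Node-Webkit launcher).
WATCHED_HOSTS = {"rasphone.exe", "nw.exe"}
# Watched hosts that ship with Windows and should only run from a system directory.
SYSTEM_HOSTS = {"rasphone.exe"}
# DLL names we expect to be resolved from System32 (constructed, illustrative set).
SYSTEM_DLLS = {"version.dll", "userenv.dll", "dwmapi.dll", "uxtheme.dll", "wtsapi32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


def is_system_path(path: str) -> bool:
    """True if the path lives under one of the Windows system directories."""
    return ntpath.normpath(path).lower().startswith(SYSTEM_DIRS)


def sideload_candidates(events):
    """Return (host, dll_path, reasons) for loads that look like sideloading."""
    findings = []
    for ev in events:
        host = ntpath.basename(ev.process_image).lower()
        if host not in WATCHED_HOSTS:
            continue
        if is_system_path(ev.image_loaded):
            continue                        # DLL loaded from where it belongs
        dll = ntpath.basename(ev.image_loaded).lower()
        reasons = []
        if dll in SYSTEM_DLLS:
            reasons.append("system DLL name outside system dir")
        if not ev.signed:
            reasons.append("unsigned")
        if host in SYSTEM_HOSTS and not is_system_path(ev.process_image):
            reasons.append("relocated system binary")
        if reasons:
            findings.append((host, ev.image_loaded, reasons))
    return findings


# Constructed sample telemetry (not real UNG0002 data).
SAMPLE = [
    # rasphone.exe copied into a user profile, loading an unsigned version.dll beside it
    ImageLoad(r"C:\Users\u\AppData\Roaming\Sync\rasphone.exe",
              r"C:\Users\u\AppData\Roaming\Sync\version.dll", signed=False),
    # the genuine rasphone.exe loading the genuine version.dll
    ImageLoad(r"C:\Windows\System32\rasphone.exe", r"C:\Windows\System32\version.dll", signed=True),
    # a legitimately installed Node-Webkit app loading its own signed runtime DLL
    ImageLoad(r"C:\Program Files\App\nw.exe", r"C:\Program Files\App\nw.dll", signed=True),
    # Node-Webkit launcher dropped with a decoy, loading an unsigned dwmapi.dll beside it
    ImageLoad(r"C:\Users\u\Downloads\cv\nw.exe", r"C:\Users\u\Downloads\cv\dwmapi.dll", signed=False),
    # unwatched host: ignored regardless of what it loads
    ImageLoad(r"C:\Windows\System32\notepad.exe", r"C:\Users\u\Downloads\x.dll", signed=False),
]

if __name__ == "__main__":
    for host, dll, reasons in sideload_candidates(SAMPLE):
        print(f"ALERT {host} loaded {dll}: {', '.join(reasons)}")
```

The "unsigned" rule on its own is noisy for frameworks like Node-Webkit, whose application DLLs are often unsigned, so the stronger signals to alert on are a system DLL name resolved from an application directory and a Windows binary running from outside System32; the combination of all three, as in the first sample event, is the high-confidence case.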

The group maintains persistent command and control infrastructure with consistent naming patterns, demonstrating sophisticated operational security across campaigns spanning over a year.

Their targeting strategy focuses systematically on high-value sectors including defense, electrotechnical engineering, civil aviation, gaming, software development, and academic institutions.

The use of realistic resume documents featuring fake profiles of game UI designers and computer science students from prestigious institutions shows careful reconnaissance and social engineering preparation.

Attribution and Future Implications

Seqrite Labs assesses with high confidence that UNG0002 originates from South-East Asia and focuses primarily on espionage activities.

The group’s evolution from Operation Cobalt Whisper’s 20 observed infection chains targeting defense and engineering sectors to Operation AmberMist’s expanded focus on gaming and software development indicates growing operational scope and technical sophistication.

The threat actor’s adaptability and persistent infrastructure maintenance suggest continued evolution of their capabilities, warranting ongoing monitoring by cybersecurity professionals across targeted regions and industries.

IOCs

  • Non-PE [Script-Based Files, Shortcut, C2-Config, Encrypted Shellcode blobs]

File Type         Hash (SHA-256)
LNK (Shortcut)    4ca4f673e4389a352854f5feb0793dac43519ade8049b5dd9356d0cbe0f06148
                  55dc772d1b59c387b5f33428d5167437dc2d6e2423765f4080ee3b6a04947ae9
                  4b410c47465359ef40d470c9286fb980e656698c4ee4d969c86c84fbd012af0d
SCT (Scriptlet)   c49e9b556d271a853449ec915e4a929f5fa7ae04da4dc714c220ed0d703a36f7
VBS (VBScript)    ad97b1c79735b1b97c4c4432cacac2fce6316889eafb41a0d97f2b0e565ee850
                  c722651d72c47e224007c2111e0489a028521ccdf5331c92e6cd9cfe07076918
                  2140adec9cde046b35634e93b83da4cc9a8aa0a71c21e32ba1dce2742314e8dc
