- Cyber espionage campaigns targeted organizations in China, Hong Kong, and Pakistan between May 2024 and May 2025.
- The threat group known as UNG0002 used spear-phishing emails and decoy files to deliver Malware.
- Major sectors affected include defense, engineering, energy, civil aviation, academia, and software development.
- The group relied on tools like LNK files, VBScript, Cobalt Strike, and Metasploit for attacks.
- Researchers suspect the attacker is a sophisticated group from South Asia with evolving tactics.
Multiple industries in China, Hong Kong, and Pakistan were targeted in a cyber espionage operation carried out by a threat group called UNG0002 from May 2024 to May 2025. The attacks used spear-phishing emails with decoy documents to gain entry and deliver malicious software to victims.
According to Seqrite Labs researcher Subhajeet Singha, the campaigns included the use of shortcut files (LNK), VBScript, and post-infection frameworks such as Cobalt Strike and Metasploit. Targets included sectors like defense, electrotechnical engineering, energy, civil aviation, medical institutions, academia, and gaming.
The campaign was split into two operations: Operation Cobalt Whisper, which ran from May to September 2024, and Operation AmberMist, active from January to May 2025. Seqrite Labs first reported Operation Cobalt Whisper in October 2024. Attackers distributed ZIP archives via spear-phishing, which contained malicious LNK and Visual Basic Scripts leading to Cobalt Strike deployment.
Singha stated, “This threat entity demonstrates a strong preference for using shortcut files (LNK), VBScript, and post-exploitation tools such as Cobalt Strike and Metasploit, while consistently deploying CV-themed decoy documents to lure victims.” More information is available in the official report.
In Operation AmberMist, spear-phishing emails delivered LNK files disguised as resumes, starting a series of malware infections involving INET RAT and Blister DLL loader. Some attack paths also led victims to fake websites copying Pakistan’s Ministry of Maritime Affairs, tricking them into running PowerShell commands, which executed Shadow RAT malware.
Shadow RAT connects with remote servers to receive commands. The variant INET RAT is believed to be a modified version of Shadow RAT. The Blister DLL loader delivers malicious code and sets up further access with a reverse-shell implant.
Researchers believe UNG0002 is a persistent and adaptable group, likely from South Asia. Singha concluded, “UNG0002 represents a sophisticated and persistent threat entity from South Asia that has maintained consistent operations targeting multiple Asian jurisdictions since at least May 2024.”
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Aave to Launch Centrally-Controlled Version on Kraken’s Ink
- Illinois Moves to Regulate Crypto, Boost Consumer Protections
- Ethereum Soars to Six-Month High, Nears $3,700 Amid ETF Optimism
- Hackers Target TeleMessage App via CVE-2025-48927 Vulnerability
- China’s Massistant Tool Targets Seized Phones for Data Extraction
