UNG0002 Group Hits China, Hong Kong, Pakistan Using LNK Files and RATs in Twin Campaigns
Briefly

UNG0002, a cyber espionage threat activity cluster, has targeted sectors in China, Hong Kong, and Pakistan. It uses shortcut files, VBScript, and tools like Cobalt Strike. Its activity encompasses Operation Cobalt Whisper and Operation AmberMist, which deliver malware through tailored spear-phishing attacks against sectors including defense and academia. The campaigns aim to compromise sensitive research and intellectual property. Notably, the AmberMist attack uses fraudulent emails carrying LNK files designed to mimic resumes, which initiate a multi-stage infection process.
This threat entity demonstrates a strong preference for using shortcut files (LNK), VBScript, and post-exploitation tools such as Cobalt Strike and Metasploit, while consistently deploying CV-themed decoy documents to lure victims.
The scope and complexity of the campaign, coupled with the tailored lures, strongly suggest a targeted effort by an APT group to compromise sensitive research and intellectual property in these industries.
Operation Cobalt Whisper was first documented by Seqrite Labs in late October 2024, detailing the use of ZIP archives propagated via spear-phishing attacks to deliver Cobalt Strike beacons.
The AmberMist attack chains have been found to leverage spear-phishing emails as a starting point to deliver LNK files masquerading as curriculum vitae and resumes.
Read at The Hacker News