{
  "name": "APT Meets GPT: Targeted Operations with Untamed LLMs",
  "slug": "apt-meets-gpt-targeted-operations-with-untamed-llms",
  "description": "Over the course of three months, Volexity observed UTA0388 using various themes and fictional identities across dozens of spear phishing campaigns. As time passed, Volexity observed UTA0388 broaden their targeting and send emails in a variety of different languages, including English, Chinese, Japanese, French, and German. In most cases, the initial email sent by UTA0388 contained a link to phishing content hosted on a cloud-based service that would lead to malware.",
  "published": "2025-10-08T14:08:44+00:00",
  "created_at": "2025-10-08T14:08:44+00:00",
  "modified_at": "2025-10-08T14:11:00+00:00",
  "created_at_opencti": "2025-10-08T14:08:44+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-10-08",
    "archive file",
    "govershell",
    "govershell c2",
    "llms",
    "persistence",
    "phishing",
    "powershell",
    "randomdir8char",
    "rar",
    "uta0388",
    "websocket",
    "zip"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "82.118.16.173"
      },
      {
        "id": "",
        "name": "80.85.157.117"
      },
      {
        "id": "",
        "name": "74.119.193.175"
      },
      {
        "id": "",
        "name": "31.192.234.22"
      },
      {
        "id": "",
        "name": "104.194.152.152"
      },
      {
        "id": "",
        "name": "104.194.152.137"
      },
      {
        "id": "",
        "name": "185.144.28.68"
      },
      {
        "id": "",
        "name": "80.85.156.234"
      },
      {
        "id": "",
        "name": "80.85.154.48"
      },
      {
        "id": "",
        "name": "45.141.139.222"
      },
      {
        "id": "",
        "name": "https://app-site-association.cdn-apple.info:443/updates.rss"
      },
      {
        "id": "",
        "name": "http://outlook.windows-app.store/ws"
      },
      {
        "id": "",
        "name": "http://onedrive.azure-app.store/ws"
      },
      {
        "id": "",
        "name": "http://api.twmoc.info/ws"
      },
      {
        "id": "",
        "name": "http://82.118.16.173:443"
      },
      {
        "id": "",
        "name": "http://80.85.157.117:443"
      },
      {
        "id": "",
        "name": "http://80.85.154.48:443"
      },
      {
        "id": "",
        "name": "https://aesthetic-donut-1af43s2.netlify.app/index/file/A_Introduction_Docs_v00546823.rar"
      },
      {
        "id": "",
        "name": "https://aesthetic-donut-1af43s2.netlify.app/file/rar"
      },
      {
        "id": "",
        "name": "www.twmoc.info"
      },
      {
        "id": "",
        "name": "outlook.windows-app.store"
      },
      {
        "id": "",
        "name": "onedrive.azure-app.store"
      },
      {
        "id": "",
        "name": "app-site-association.cdn-apple.info"
      },
      {
        "id": "",
        "name": "api.twmoc.info"
      },
      {
        "id": "",
        "name": "windows-app.store"
      },
      {
        "id": "",
        "name": "twmoc.info"
      },
      {
        "id": "",
        "name": "sliddeshare.online"
      },
      {
        "id": "",
        "name": "doccloude.info"
      },
      {
        "id": "",
        "name": "cdn-apple.info"
      },
      {
        "id": "",
        "name": "azure-app.store"
      },
      {
        "id": "",
        "name": "fbade9d8a040ed643b68e25e19cba9562d2bd3c51d38693fe4be72e01da39861"
      },
      {
        "id": "",
        "name": "ad5718f6810714bc6527cc86d71d34d8c556fe48706d18b5d14f0261eb27d942"
      },
      {
        "id": "",
        "name": "a5ee55a78d420dbba6dec0b87ffd7ad6252628fd4130ed4b1531ede960706d2d"
      },
      {
        "id": "",
        "name": "998e314a8babf6db11145687be18dc3b8652a3dd4b36c115778b7ca5f240aae4"
      },
      {
        "id": "",
        "name": "88782d26f05d82acd084861d6a4b9397d5738e951c722ec5afed8d0f6b07f95e"
      },
      {
        "id": "",
        "name": "7d7d75e4d524e32fc471ef2d36fd6f7972c05674a9f2bac909a07dfd3e19dd18"
      },
      {
        "id": "",
        "name": "53af82811514992241e232e5c04e5258e506f9bc2361b5a5b718b4e4b5690040"
      },
      {
        "id": "",
        "name": "2ffe1e4f4df34e1aca3b8a8e93eee34bfc4b7876cedd1a0b6ca5d63d89a26301"
      },
      {
        "id": "",
        "name": "4c041c7c0d5216422d5d22164f83762be1e70f39fb8a791d758a816cdf3779a9"
      },
      {
        "id": "",
        "name": "126c3d21a1dae94df2b7a7d0b2f0213eeeec3557c21717e02ffaed690c4b1dbd"
      },
      {
        "id": "",
        "name": "0414217624404930137ec8f6a26aebd8a3605fe089dbfb9f5aaaa37a9e2bad2e"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:8ff0215d78a5eab7",
        "name": "UTA0388",
        "slug": "uta0388"
      },
      {
        "id": "legacy:malware:ec9bf84ba9d59467",
        "name": "govershell",
        "slug": "govershell"
      }
    ],
    "intrusion_sets": [
      {
        "id": "e13ec89f-54ae-4bbc-b586-f8c9830c1f03",
        "name": "UTA0388",
        "slug": "uta0388"
      }
    ],
    "attack_patterns": [
      {
        "id": "f48eade0-2f45-4ff7-aa61-8ba887887f81",
        "name": "T1123"
      },
      {
        "id": "6e4e21cc-92cf-4564-920e-d509bd22fd40",
        "name": "T1574"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "14da8ebf-e0b0-4d4e-9c83-56277980f266",
        "name": "T1134"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ]
  },
  "external_refs": [
    "https://www.volexity.com/blog/2025/10/08/apt-meets-gpt-targeted-operations-with-untamed-llms/",
    "https://otx.alienvault.com/pulse/68e68c8d506e04cc0474a83b"
  ]
}