UNG0002 (Unknown Group 0002): Espionage Campaigns Uncovered
Essential information
- Published: 16/07/2025 15:25
- Modified: 16/07/2025 19:21
- Tags: 2025-07-16, blister dll implant, clickfix, custom malware, dll sideloading, inet rat, multi-stage attacks, rat implants, shadow rat, social engineering
- Related entities: 16 observables, 1 intrusion sets (apt), 18 techniques (mitre), 10 others
Description
UNG0002, an espionage-focused threat group, has been conducting campaigns across Asian jurisdictions including China, Hong Kong, and Pakistan. The group employs sophisticated multi-stage attacks using LNK files, VBScript, and custom RAT implants. Their operations span two major campaigns: Operation Cobalt Whisper and Operation AmberMist, targeting various sectors such as defense, aviation, gaming, and academia. UNG0002 utilizes social engineering techniques like ClickFix and abuses DLL sideloading to evade detection. The group demonstrates high adaptability, evolving from using Cobalt Strike to developing custom implants like Shadow RAT and INET RAT. Attribution challenges persist, but the group is assessed to originate from South-East Asia with a focus on espionage activities.