
In a threat intelligence report, the Qi’anxin Threat Intelligence Center has exposed a series of highly targeted attacks launched by the actor UTG-Q-015. Once known for compromising forums like CSDN, the group has escalated its operations since late 2024, shifting toward tactics including 0day/Nday exploitation, waterholing, and IM phishing—with targets spanning blockchain platforms, financial institutions, and AI research infrastructure.
“The attacker group behind it was named UTG-Q-015 by us… [they] started to utilize 0day/Nday vulnerabilities to invade government and enterprise web sites,” the report states.
In March 2025, UTG-Q-015 launched a wave of brute-force scanning attacks against public-facing web servers in the government and enterprise sectors. Their scanning nodes sought exposed credentials and soon began exploiting known vulnerabilities such as:
- CVE-2021-38647 (OMI remote code execution)
- CVE-2017-12611 (Apache Struts2)
- CVE-2017-9805 (REST plugin in Apache Struts)
Once breached, systems were infected with Cobalt Strike, modified NPS tunnels, and fscan for lateral movement using stolen credentials.
By April 2025, UTG-Q-015 expanded to watering hole attacks against websites tied to Web3, bitcoin backends, e-signature portals, and GitLab login pages. Victims visiting compromised sites like biodao.finance or ruleos.com were prompted to download fake software updates hosted on:
- hxxps://updategoogls[.]cc/tools.exe
- hxxps://safe-controls.oss-cn-hongkong.aliyuncs.com/res/tools.zip
“Based on Qi’anxin Global Hawk mapping data, more than a hundred websites were invaded and mounted,” the report states.
The downloads contained lightweight .NET backdoors capable of command execution and file uploads, serving as a gateway for deeper payload deployment.
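As an added example (not code from the Qi'anxin report or this article), a small Python detector that runs over constructed proxy log lines and flags the fake-update pattern described above: hits on the refanged download URLs named in the report, plus executable or archive downloads whose Referer is one of the waterholed sites. The log format, sample lines and client addresses are assumptions.

```python
import re
from dataclasses import dataclass

# Defanged IoCs exactly as quoted in the report; refanged below for matching.
DEFANGED_PAYLOAD_URLS = [
    "hxxps://updategoogls[.]cc/tools.exe",
    "hxxps://safe-controls.oss-cn-hongkong.aliyuncs.com/res/tools.zip",
]
# Waterholed sites named in the report.
COMPROMISED_REFERERS = {"biodao.finance", "ruleos.com"}
BINARY_EXT = (".exe", ".zip", ".msi")

# Constructed log format (assumption): "<ts> <client> <method> <url> <status> <referer>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


@dataclass
class Hit:
    client: str
    url: str
    reason: str


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a matchable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").lower()


KNOWN_PAYLOAD_URLS = {refang(u) for u in DEFANGED_PAYLOAD_URLS}


def host_of(url: str) -> str:
    m = re.match(r"^https?://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def scan(lines):
    """Return a Hit for every log line matching the report's waterhole pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        _, client, _, url, _, referer = m.groups()
        if url.lower() in KNOWN_PAYLOAD_URLS:
            hits.append(Hit(client, url, "known UTG-Q-015 payload URL"))
        elif url.lower().endswith(BINARY_EXT) and host_of(referer) in COMPROMISED_REFERERS:
            hits.append(Hit(client, url, f"binary download referred from waterholed site {host_of(referer)}"))
    return hits


SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2025-04-12T09:14:02Z 10.0.3.21 GET https://biodao.finance/ 200 -",
    "2025-04-12T09:14:05Z 10.0.3.21 GET https://updategoogls.cc/tools.exe 200 https://biodao.finance/",
    "2025-04-12T09:20:11Z 10.0.3.44 GET https://safe-controls.oss-cn-hongkong.aliyuncs.com/res/tools.zip 200 https://ruleos.com/login",
    "2025-04-12T09:25:30Z 10.0.3.57 GET https://cdn.example.net/update/setup.exe 200 https://ruleos.com/",
    "2025-04-12T09:30:00Z 10.0.3.60 GET https://cdn.example.net/update/setup.exe 200 https://intranet.example.net/",
]
```

The last sample line shows the Referer check doing its job: the same setup.exe is only flagged when the visit came from a site the report names as compromised.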
UTG-Q-015’s campaign against financial institutions involved a triple-layered attack:
- Perimeter breach via unpatched web vulnerabilities.
- Social engineering using IM messages containing files like “confidential XXXX.exe.”
- Intranet beaconing from previously compromised internal domains to retrieve the final-stage payload.
In an especially concerning twist, UTG-Q-015 has shifted focus toward AI-related Linux infrastructure. In February 2025, they exploited an unauthenticated-access flaw in the ComfyUI-Manager plugin to push malicious AI model files, eventually loading the Vshell backdoor.
Later, in April, they used CVE-2023-48022 to compromise AI research servers in China, deploy bash-based scripts, and load remote access tools—suggesting possible espionage motives.
The report highlights deeper ideological tensions, noting UTG-Q-015’s rivalry with East Asian operations like EviLoong and Giant, describing it as a form of cyber “outsourcing war” marked by retaliatory attacks on domestic programming forums.