The Seqrite Labs APT-Team has uncovered a complex cyber-espionage operation dubbed Swan Vector, targeting educational institutions and the mechanical engineering sector in Japan and Taiwan. This multi-stage malware campaign employs deceptive resume-themed lures and advanced techniques such as DLL sideloading, API hashing, and Google Drive C2 infrastructure to evade detection and deliver Cobalt Strike shellcode.
The attack begins with a ZIP archive named ζθ²·ε°¬ιζ΅ει‘θ³ζ_20250413 (6).rar, which translates to “Oh My God Payment Flow Problem Data – 2025/04/13 (6)”. Inside, a malicious .LNK file masquerading as a PDF resume initiates the infection chain by executing a DLL implant (Pterois) through the Windows LOLBin rundll32.exe.
“The ZIP contains a malicious LNK file named… ‘Detailed Documentation of Withdrawal Delay Issues and Related Transaction Records.pdf.lnk’, which is responsible for running the DLL payload masqueraded as a PNG file,” the report explains.

Once executed, Pterois performs API hashing to resolve system libraries and loads additional malware stages from Google Drive. It authenticates via OAuth and fetches the payload files by hardcoded Drive file IDs, so the downloads blend in with legitimate Google traffic.
“It uses a technique to abuse Google Drive as a command-and-control server… allowing the implant to download additional payloads while appearing as legitimate traffic,” Seqrite states. After it has run, the implant deletes itself with a delayed cmd.exe command that uses ping as a timer, erasing forensic traces of the first stage.
Next, a legitimate Windows binary (PrintDialog.exe) is used to sideload a malicious DLL (PrintDialog.dll, dubbed Isurus). This implant decrypts an encrypted shellcode blob stored in ra.ini with RC4 and executes it using direct syscalls.
“This Isurus performs API resolution via hash along with shellcode extraction and loads and executes the shellcode in memory,” the report describes. This stage is critical in loading the final payload without invoking standard Windows API calls, which lets it evade endpoint detection hooks on those APIs.
The decrypted shellcode was confirmed to be a Cobalt Strike beacon, configured to inject into binaries like bootcfg.exe. The beacon communicates over HTTPS with a hardcoded C2 IP (52.199.49.4) using obfuscated HTTP headers and cookies.
“Available extracted beacon configuration confirms that the threat actor leveraged Cobalt Strike as a component of their intrusion toolkit,” says the report.
Seqrite’s analysis uncovered an extensive Google Drive C2 infrastructure associated with the email swsanavector42@gmail.com and a host of scheduled implants for future campaigns. Some binaries reference legitimate Windows and Python executables, suggesting future DLL sideloading against trusted apps like pythonw.exe, OneDriveFileLauncher.exe, and wmiapsrv.exe.
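The chain described above (rundll32.exe loading a DLL disguised as a PNG, a ping-delayed cmd.exe self-delete, PrintDialog.exe sideloading a DLL from a user-writable directory, and a beacon talking to 52.199.49.4) maps onto a handful of host-telemetry heuristics. The following is an added example of such a detector, not code from Seqrite or from the report. It assumes a constructed `key=value|key=value` event format standing in for Sysmon-style process-creation, image-load and network events; the indicators (the C2 IP and the sideload host binaries) come from the report, the sample log lines and the "trusted directory" list are constructed assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

# Indicators named in the Seqrite write-up.
KNOWN_C2_IPS = {"52.199.49.4"}
SIDELOAD_HOSTS = {"printdialog.exe", "pythonw.exe",
                  "onedrivefilelauncher.exe", "wmiapsrv.exe"}
# Assumption: signed host binaries and their DLLs normally load from these roots.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Event:
    kind: str            # "process", "imageload" or "network"
    image: str = ""      # executing process path
    cmdline: str = ""    # process command line (process events)
    loaded: str = ""     # DLL path (imageload events)
    dest_ip: str = ""    # destination address (network events)


def parse_event(line: str) -> Event:
    """Parse one constructed 'key=value|key=value' telemetry line (assumed format)."""
    fields = {}
    for kv in line.strip().split("|"):
        key, _, value = kv.partition("=")
        fields[key.strip()] = value.strip()
    return Event(kind=fields.get("kind", ""), image=fields.get("image", ""),
                 cmdline=fields.get("cmdline", ""), loaded=fields.get("loaded", ""),
                 dest_ip=fields.get("dest_ip", ""))


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def detect(ev: Event) -> list[str]:
    """Return the list of heuristics a single event matches (empty if benign)."""
    hits = []
    name, cmd = _name(ev.image), ev.cmdline.lower()
    if ev.kind == "process":
        # Stage 1: rundll32 pointed at a file carrying an image extension (Pterois as ".png").
        if name == "rundll32.exe" and re.search(r"\.(png|jpg|jpeg|gif|bmp)\b", cmd):
            hits.append("rundll32 loading a file with an image extension")
        # Pterois cleanup: cmd.exe using ping as a sleep before deleting a file.
        if name == "cmd.exe" and re.search(r"\bping\b", cmd) and re.search(r"\b(del|erase)\b", cmd):
            hits.append("delayed self-deletion via cmd.exe ping+del")
        # A sideload host executing from outside its normal install location.
        if name in SIDELOAD_HOSTS and not _in_trusted_dir(ev.image):
            hits.append(f"sideload host {name} executing outside trusted directory")
    elif ev.kind == "imageload":
        # Stage 2: the host binary resolving a DLL from beside itself instead of System32.
        if name in SIDELOAD_HOSTS and ev.loaded and not _in_trusted_dir(ev.loaded):
            hits.append(f"{name} loaded {_name(ev.loaded)} from untrusted path")
    elif ev.kind == "network":
        # Stage 3: beacon traffic to the hardcoded C2 address.
        if ev.dest_ip in KNOWN_C2_IPS:
            hits.append(f"connection to known Swan Vector C2 {ev.dest_ip}")
    return hits


def scan(lines) -> dict[int, list[str]]:
    """Map 1-based line numbers to findings for every line that matches a heuristic."""
    results = {}
    for lineno, line in enumerate(lines, 1):
        if line.strip():
            hits = detect(parse_event(line))
            if hits:
                results[lineno] = hits
    return results


# Constructed sample telemetry: lines 1-5 mirror the reported chain, 6-8 are benign.
SAMPLE_LOG = [
    r"kind=process|image=C:\Windows\System32\rundll32.exe|cmdline=rundll32.exe C:\Users\u\AppData\Local\Temp\photo.png,Start",
    r"kind=process|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe /c ping 127.0.0.1 -n 5 > nul & del /f C:\Users\u\AppData\Local\Temp\photo.png",
    r"kind=process|image=C:\Users\u\AppData\Local\Temp\PrintDialog.exe|cmdline=PrintDialog.exe",
    r"kind=imageload|image=C:\Users\u\AppData\Local\Temp\PrintDialog.exe|loaded=C:\Users\u\AppData\Local\Temp\PrintDialog.dll",
    r"kind=network|image=C:\Windows\System32\bootcfg.exe|dest_ip=52.199.49.4",
    r"kind=process|image=C:\Windows\System32\rundll32.exe|cmdline=rundll32.exe shell32.dll,Control_RunDLL",
    r"kind=imageload|image=C:\Windows\System32\PrintDialog.exe|loaded=C:\Windows\System32\PrintDialog.dll",
    r"kind=network|image=C:\Program Files\Browser\browser.exe|dest_ip=203.0.113.5",
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG).items():
        print(f"line {lineno}: {'; '.join(hits)}")
```

The rundll32 and ping+del rules are behavioural and will survive a change of C2 address; the IP match is the only indicator-based rule and is the first one to go stale, so it is kept in a separate set that can be refreshed from the report's IoC list.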
While full attribution remains uncertain, the campaign bears resemblance to activity linked with Winnti, Lazarus, and APT10, especially in its heavy use of DLL sideloading, evasive implants, and targeting of Japan and Taiwan.
“We are attributing this threat actor to the East Asian geosphere with medium confidence,” the researchers conclude.