UNG0002: Regional Threat Operations Tracked Across Multiple Asian Jurisdictions
ID: 22844967-9ccb-564d-8eed-c39660b3afb4
STIX ID: report--22844967-9ccb-564d-8eed-c39660b3afb4
Feed Name: Seqrite Blog
Seqrite Labs APT-Team tracks UNG0002, an espionage-focused threat cluster active since at least May 2024 that targets organizations across China, Hong Kong, Pakistan and other Asian jurisdictions. The group uses multi-stage infection chains (malicious LNKs, VBScript, batch, PowerShell), social engineering (fake CAPTCHA 'ClickFix'), DLL sideloading of legitimate binaries (rasphone, node-webkit), and custom implants (Shadow RAT, INET RAT, Blister DLL). Two major campaigns—Operation Cobalt Whisper and Operation AmberMist—show evolution from commodity frameworks (Cobalt Strike, Metasploit) to lightweight custom loaders and RATs, with numerous IOCs and MITRE ATT&CK mappings provided.
