Multiple sectors in China, Hong Kong, and Pakistan have become the target of a threat activity cluster tracked as UNG0002 (aka Unknown Group 0002) as part of a broader cyber espionage campaign.
“This threat entity demonstrates a strong preference for using shortcut files (LNK), VBScript, and post-exploitation tools such as Cobalt Strike and Metasploit, while consistently deploying CV-themed decoy documents to lure victims,” Seqrite Labs researcher Subhajeet Singha said in a report published this week.
The activity encompasses two major campaigns, one called Operation Cobalt Whisper which took place between May and September 2024, and Operation AmberMist that occurred between January and May 2025.
Targets of these campaigns include defense, electrotechnical engineering, energy, civil aviation, academia, medical institutions, cybersecurity, gaming, and software development sectors.
Operation Cobalt Whisper was first documented by Seqrite Labs in late October 2024, detailing the use of ZIP archives propagated via spear-phishing attacks to deliver Cobalt Strike beacons, a post-exploitation framework, using LNK and Visual Basic Scripts as interim payloads.
“The scope and complexity of the campaign, coupled with the tailored lures, strongly suggest a targeted effort by an APT group to compromise sensitive research and intellectual property in these industries,” the company noted at the time.
The AmberMist attack chains have been found to leverage spear-phishing emails as a starting point to deliver LNK files masquerading as curriculum vitae and resumes to unleash a multi-stage infection process that results in the deployment of INET RAT and Blister DLL loader.
Alternate attack sequences detected in January 2025 have been found to redirect email recipients to fake landing pages spoofing Pakistan’s Ministry of Maritime Affairs (MoMA) website to serve fake CAPTCHA verification checks that employ ClickFix tactics to launch PowerShell commands, which are used to execute Shadow RAT.
Shadow RAT, launched via DLL side-loading, is capable of establishing contact with a remote server to await further commands. INET RAT is assessed to be a modified version of Shadow RAT, whereas the Blister DLL implant functions as a shellcode loader, eventually paving the way for a reverse-shell based implant.
The exact origins of the threat actor remain unclear, but evidence points to it being an espionage-focused group from Southeast Asia.
“UNG0002 represents a sophisticated and persistent threat entity from South Asia that has maintained consistent operations targeting multiple Asian jurisdictions since at least May 2024,” Singha said. “The group demonstrates high adaptability and technical proficiency, continuously evolving their toolset while maintaining consistent tactics, techniques, and procedures.”
