A stealthy cyber-espionage operation has been discovered targeting several Asian regions, including China, Hong Kong, and Pakistan. The campaign uses weaponized shortcut files and deceptive social engineering tactics to breach high-value networks.
The attacker, identified as UNG0002 (Unknown Group 0002), has shown consistent technical advancement over two major phases of activity, beginning in May 2024 and continuing into 2025. The attack sequence starts with LNK files embedded in resume-themed decoy documents, then moves through VBScript and batch file execution before delivering a final payload via PowerShell. This layered approach helps the group avoid detection and bypass standard security defenses.
During their latest effort, dubbed Operation AmberMist (January to May 2025), researchers at Seqrite observed significant changes in UNG0002's methods. The group expanded its focus beyond defense and aviation to include targets such as gaming companies, software firms, and academic institutions. A key tactic in this campaign involved using fake CAPTCHA pages, a method called ClickFix, to trick users into launching harmful PowerShell scripts. The attackers also spoofed the website of Pakistan’s Ministry of Maritime Affairs to make their decoy pages appear more credible.
The infection method is highly complex. Victims typically receive ZIP files containing malicious LNK shortcuts disguised as PDF documents. Once opened, these files trigger a chain of scripts such as VBScript, batch, and PowerShell that ultimately install surveillance tools on the system. Metadata from the tools revealed internal development names like “Mustang” and “ShockWave,” with file paths pointing to development environments used by the attackers.
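A defender can look for the script chain described above in process-creation telemetry by reconstructing each process's ancestry and checking for the ordered sequence script host, then cmd.exe (batch), then PowerShell. The following is an added example, not code from Seqrite or from the article; the Sysmon-style field names, pids and image paths are constructed sample data.

```python
"""Flag processes whose ancestry follows script host -> cmd -> PowerShell,
the VBScript/batch/PowerShell chain described in the article.
Added example; record layout and sample values are assumptions."""
import re
from pathlib import PureWindowsPath

# Ordered stage patterns matched against process image basenames.
STAGES = [r"(w|c)script\.exe", r"cmd\.exe", r"(powershell|pwsh)\.exe"]

# Constructed sample: a benign admin session (300/310) next to a chain
# launched from Explorer that matches the article's sequence (210-230).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 230, "ppid": 220, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

def ancestry(events, pid):
    """Return image basenames from the root ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # guard against pid reuse loops
        seen.add(pid)
        chain.append(PureWindowsPath(by_pid[pid]["image"]).name.lower())
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))

def matches_stages(chain):
    """True if the stage patterns occur in chain as an ordered subsequence."""
    i = 0
    for name in chain:
        if i < len(STAGES) and re.fullmatch(STAGES[i], name):
            i += 1
    return i == len(STAGES)

def find_script_chains(events):
    """Return pids whose ancestry contains script host -> cmd -> PowerShell."""
    return [e["pid"] for e in events if matches_stages(ancestry(events, e["pid"]))]

if __name__ == "__main__":
    for pid in find_script_chains(EVENTS):
        print(pid, " -> ".join(ancestry(EVENTS, pid)))
```

A plain cmd.exe to PowerShell pairing, as in the benign session, does not match; only the full three-stage sequence is reported.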
UNG0002 uses a stable command-and-control setup with custom implants like Shadow RAT, INET RAT, and Blister DLL loaders. These tools allow full access to compromised systems, including remote commands, data theft, and lateral movement within networks.
The group also uses DLL sideloading to blend their malware with legitimate Windows programs such as Rasphone.exe and Node-Webkit, making it harder for security tools to detect the attack. These methods and tools highlight the group’s sophistication and the serious risk they pose to cybersecurity in the region.