A sophisticated espionage campaign targeting multiple Asian jurisdictions has emerged, using weaponized shortcut files and deceptive social engineering to infiltrate high-value targets across China, Hong Kong, and Pakistan. The threat actor, designated UNG0002 (Unknown Group 0002), has shown notable persistence and technical evolution across two major operational phases spanning May 2024 to the present. The group has also expanded its targeting beyond the traditional defense and civil aviation sectors to gaming companies, software development firms, and academic institutions, indicating a broader intelligence collection mandate.

The campaign employs a multi-stage infection chain that begins with weaponized LNK files delivered inside CV-themed decoy documents, progresses through VBScript execution and batch processing, and culminates in PowerShell-based payload deployment. Because every stage runs through interpreters that already ship with Windows (wscript, cmd, and powershell), the chain keeps a low detection profile against controls that look for unfamiliar executables rather than for abusive parent-child process relationships.

The campaign’s most notable innovation is its abuse of the ClickFix technique, a social engineering method that presents victims with fake CAPTCHA verification pages designed to trick them into running malicious PowerShell commands themselves.

Program Database (PDB) paths recovered during analysis point to the internal code names “Mustang” and “ShockWave” and suggest organized development practices: the path C:\Users\The Freelancer\source\repos\JAN25\mustang\x64\Release\mustang.pdb is embedded in Shadow RAT, and C:\Users\Shockwave\source\repos\memcom\x64\Release\memcom.pdb in INET RAT. Both implants provide comprehensive system access, enabling data exfiltration, remote command execution, and lateral movement across compromised networks, and establish UNG0002 as a formidable threat to regional cybersecurity.
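The two PDB paths above are the kind of artefact an analyst pivots on. The following is an added example, not code from the article or from the researchers who analysed the samples: it pulls CodeView RSDS records (the standard layout is the ASCII signature "RSDS", a 16-byte GUID, a 4-byte age, then a NUL-terminated path) out of any byte buffer and checks them against the two paths reported for Shadow RAT and INET RAT. It scans linearly instead of walking the PE debug directory so it also works on memory dumps and unpacked payloads whose headers are damaged. The sample buffer it builds is constructed for demonstration; the GUID in it is arbitrary.

```python
"""Extract CodeView (RSDS) PDB paths and match them against the UNG0002 build
paths reported in the article.  Added example, not the researchers' tooling."""
import re
import struct
import uuid
from typing import Dict, List, Tuple

# IOC strings taken from the article, mapped to the family they were found in.
KNOWN_PDB_PATHS = {
    r"C:\Users\The Freelancer\source\repos\JAN25\mustang\x64\Release\mustang.pdb": "Shadow RAT (Mustang)",
    r"C:\Users\Shockwave\source\repos\memcom\x64\Release\memcom.pdb": "INET RAT (ShockWave)",
}

RSDS = re.compile(rb"RSDS")


def extract_pdb_records(data: bytes) -> List[Tuple[str, int, str]]:
    """Return (guid, age, path) for every plausible RSDS record in `data`.

    Layout after the signature: 16-byte GUID (little-endian fields), uint32 age,
    NUL-terminated ASCII path.  Records that do not end in '.pdb' or contain
    non-printable bytes are discarded as false positives of the signature scan."""
    records = []
    for m in RSDS.finditer(data):
        off = m.end()
        if off + 20 > len(data):
            continue
        guid = uuid.UUID(bytes_le=data[off:off + 16])
        (age,) = struct.unpack_from("<I", data, off + 16)
        end = data.find(b"\x00", off + 20)
        if end == -1:
            continue
        path = data[off + 20:end]
        if (not path or not path.lower().endswith(b".pdb")
                or any(b < 0x20 or b > 0x7E for b in path)):
            continue
        records.append((str(guid), age, path.decode("ascii")))
    return records


def match_known_paths(records: List[Tuple[str, int, str]]) -> Dict[str, str]:
    """Map each extracted path that is a known IOC to its malware family."""
    hits = {}
    for _guid, _age, path in records:
        family = KNOWN_PDB_PATHS.get(path)
        if family:
            hits[path] = family
    return hits


def scan_file(filename: str) -> Dict[str, str]:
    """Convenience wrapper: scan a file on disk and report IOC matches."""
    with open(filename, "rb") as f:
        return match_known_paths(extract_pdb_records(f.read()))


def build_sample(pdb_path: str, age: int = 1) -> bytes:
    """Constructed stand-in for a binary with one RSDS record (not a real sample);
    the surrounding 0x90 padding plays the role of code bytes."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")  # arbitrary
    return (b"\x90" * 64 + b"RSDS" + guid.bytes_le + struct.pack("<I", age)
            + pdb_path.encode("ascii") + b"\x00" + b"\x90" * 32)


if __name__ == "__main__":
    sample = build_sample(r"C:\Users\Shockwave\source\repos\memcom\x64\Release\memcom.pdb", 3)
    for rec in extract_pdb_records(sample):
        print(rec)
    print(match_known_paths(extract_pdb_records(sample)))
```

PDB paths are a pivot, not a detection: they are trivially stripped or forged at link time, so treat a hit as a reason to cluster samples and look at the code, and treat their absence as meaningless.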
Security researchers have observed instances where the threat actors spoofed Pakistan’s Ministry of Maritime Affairs website to lend legitimacy to these fake verification pages. The attack itself begins when victims receive CV-themed ZIP archives containing malicious LNK files disguised as PDF documents. Upon execution, the shortcut files initiate a chain of VBScript interpretation, batch script processing, and PowerShell execution. Technical analysis further reveals that UNG0002 uses DLL sideloading, in particular abusing legitimate executables such as Rasphone.exe (the Windows Remote Access Phonebook tool) and Node-Webkit binaries so that its malicious DLL runs under a trusted, signed process name.
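The LNK chain, the ClickFix lure and the sideloading described above all leave parent-child process traces that survive renamed scripts and fresh payload hashes. The following is an added example, not code from the article or the researchers: detection logic run over constructed, simplified Sysmon-style events (event 1 = process creation, event 7 = image load). Two details are assumptions rather than facts from the article: that a ClickFix victim pastes the command into the Win+R dialog, so explorer.exe is PowerShell’s direct parent, and that the Node-Webkit host binary is nw.exe. The DLL name in the sample is a placeholder.

```python
"""Process-tree detections for the UNG0002 tradecraft above, run over constructed
Sysmon-style events.  Added example, not the researchers' code.  Assumptions:
ClickFix commands are run via Win+R (explorer.exe parent) and the Node-Webkit
host is nw.exe; neither detail is stated in the article."""
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SIDELOAD_HOSTS = {"rasphone.exe", "nw.exe"}  # nw.exe is an assumption for Node-Webkit
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SUSPICIOUS_ARGS = ("-enc", "-w hidden", "iex", "invoke-expression", "downloadstring", "irm ")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


def detect(events: List[Dict]) -> List[str]:
    procs = {e["pid"]: e for e in events if e["event"] == 1}
    findings = []

    def ancestors(pid: int) -> List[str]:
        """Image names from the process up to the root we have telemetry for."""
        chain, seen = [], set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            chain.append(basename(procs[pid]["image"]))
            pid = procs[pid]["ppid"]
        return chain  # [self, parent, grandparent, ...]

    for pid, p in procs.items():
        if basename(p["image"]) not in POWERSHELL:
            continue
        chain = ancestors(pid)
        # Rule 1: LNK -> VBScript -> batch -> PowerShell, rooted in explorer.exe.
        if (any(a in SCRIPT_HOSTS for a in chain) and any(a in SHELLS for a in chain)
                and chain[-1] == "explorer.exe"):
            findings.append(f"pid {pid}: interpreter chain {' <- '.join(chain)}")
        # Rule 2 (assumed ClickFix shape): explorer.exe launches PowerShell directly
        # with a hidden / encoded / download-and-execute command line.
        elif len(chain) >= 2 and chain[1] == "explorer.exe":
            cl = p["cmdline"].lower()
            if any(k in cl for k in SUSPICIOUS_ARGS):
                findings.append(f"pid {pid}: explorer.exe -> PowerShell with suspicious args")

    # Rule 3: a sideload-prone host loads a DLL from its own, non-system directory.
    for e in events:
        if e["event"] != 7 or basename(e["image"]) not in SIDELOAD_HOSTS:
            continue
        dll = e["loaded"].lower()
        exe_dir = dirname(e["image"])
        if not dll.startswith(SYSTEM_DIRS) and dirname(dll) == exe_dir:
            findings.append(f"pid {e['pid']}: {basename(e['image'])} sideloaded {basename(dll)} from {exe_dir}")
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not from the real campaign
    {"event": 1, "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"event": 1, "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\cv.vbs"},
    {"event": 1, "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\run.bat"},
    {"event": 1, "pid": 400, "ppid": 300, "image": PS, "cmdline": "powershell.exe -w hidden -ep bypass -f stage.ps1"},
    {"event": 1, "pid": 500, "ppid": 100, "image": PS, "cmdline": "powershell -w hidden -enc QQBB"},
    {"event": 1, "pid": 600, "ppid": 100, "image": PS, "cmdline": "powershell Get-ChildItem"},  # benign, must not alert
    {"event": 1, "pid": 700, "ppid": 400, "image": r"C:\Users\u\AppData\Roaming\net\rasphone.exe", "cmdline": "rasphone.exe"},
    {"event": 7, "pid": 700, "image": r"C:\Users\u\AppData\Roaming\net\rasphone.exe",
     "loaded": r"C:\Users\u\AppData\Roaming\net\sideload.dll"},  # placeholder DLL name
    {"event": 7, "pid": 700, "image": r"C:\Users\u\AppData\Roaming\net\rasphone.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Rule 1 keys on the interpreter ancestry rather than on file names, so it still fires when the .vbs and .bat stages are renamed; rule 3 fires on a copy of rasphone.exe living outside System32 with a DLL beside it, which is the classic sideloading layout. The keyword list in rule 2 is deliberately short and should be tuned against your own baseline of interactive PowerShell use.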
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 17 Jul 2025 14:45:16 +0000