UNG0902

UNG0902 is a threat cluster tracked by Seqrite in connection with the spearphishing campaign dubbed Operation DupeHike. Seqrite states it has tracked the activity since November 2025. The cluster targets Russian corporate employees, particularly HR, payroll, internal administrative, finance, accounting, procurement, and legal functions, using realistic lures themed around employee bonuses, payment confirmations, and internal financial policies. The activity is described as targeting Russian employees and Russian corporate entities. In Operation DupeHike, phishing emails deliver ZIP archives containing PDF-themed malicious LNK files. The LNK files execute hidden PowerShell to download and run a C++ implant named DUPERUNNER. DUPERUNNER retrieves and displays decoy PDF content, downloads additional payloads disguised as .woff font files, and injects shellcode into legitimate Windows processes such as explorer.exe, notepad.exe, and msedge.exe using VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. The injected payload is AdaptixC2, described as an open-source command-and-control framework. Seqrite reported that the AdaptixC2 beacon/stager resolves APIs dynamically through PEB traversal and hashed lookups, locates an appended PE payload via a magic marker, and communicates with attacker infrastructure over HTTP, including POST requests to a /result endpoint. Supporting reporting also links UNG0902 to campaigns targeting Russian HR and payroll departments with bonus- or policy-themed lures that deploy DUPERUNNER and load AdaptixC2. Seqrite reported malicious infrastructure associated with the activity and noted hosting under AS48282 (VDSINA-AS) and AS9123 (TIMEWEB-AS). One report states Seqrite was considering possible nation-state sponsorship, but no confirmed state attribution is provided in the content. No aliases or sub-groups other than the cluster name UNG0902 are directly supported by the content.