Skip to main content
Mallory
Back to threat actors
🇨🇳 CN6 malware families

UNG0002

Also known asUNG0002

UNG0002, also referred to as Unknown Group 0002, is a South Asian cyber espionage actor. Reporting attributes the group to campaigns targeting strategic sectors across China, Hong Kong, and Pakistan, including defense, aviation, government, academia, electrical engineering, energy infrastructure, healthcare, universities, IT enterprises, and the video game sector. Seqrite Labs documented campaigns including Operation Cobalt Whisper, Operation AmberMist, and Operation Dragon Whistle. The group commonly uses phishing emails and socially engineered lures, including fake résumés and institutional notices, to deliver malicious ZIP archives containing LNK shortcut files and VBScript payloads. In Operation Dragon Whistle, the actor targeted the Chinese educational sector, specifically students and faculty at Changzhou University, using a lure about mandatory 2026 physical fitness testing. That campaign used a double-extension LNK disguised as a PDF, explorer.exe to launch hidden VBScript, a decoy document for distraction, and DLL side-loading via a legitimate Bandizip executable with a malicious ark.x64.dll. Reported anti-analysis and defense-evasion behavior included checks for tools such as Wireshark and Process Monitor, and tampering with AMSI and ETW. The final payload in that campaign was an in-memory Cobalt Strike Beacon communicating with infrastructure resolving to lysander.asia. Across reported activity, UNG0002 has shown preference for LNK and VBScript-based infection chains and has used post-exploitation tooling including Cobalt Strike and Metasploit. Operation Cobalt Whisper, active from May to September 2024, targeted defense and aviation entities in China and Hong Kong and deployed Cobalt Strike for command and control. Operation AmberMist, active from January to May 2025, targeted government and academia entities in China and Pakistan and culminated in deployment of INET RAT, assessed as a customized Shadow RAT variant, along with the Blister DLL trojan acting as a shellcode loader. Shadow RAT usage has been attributed to UNG0002 by Malpedia and Seqrite Labs.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Academia & Research

Where they target

Geographies tied to known operations.

  • 🇨🇳 China

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

17 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics27 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1566
Phishing
T1566.001×4
Spearphishing Attachment
T1566.002
Spearphishing Link
TA0002
Execution
3 techniques
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1059
Command and Scripting Interpreter
T1059.001
PowerShell
T1059.003
Windows Command Shell
T1059.005×2
Visual Basic
T1204
User Execution
T1204.002×2
Malicious File
TA0003
Persistence
1 technique
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
TA0004
Privilege Escalation
1 technique
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
TA0005
Stealth
5 techniques
T1036
Masquerading
T1218
System Binary Proxy Execution
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
T1620×2
Reflective Code Loading
T1622
Debugger Evasion
TA0007
Discovery
3 techniques
T1082
System Information Discovery
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
T1622
Debugger Evasion
TA0011
Command and Control
1 technique
T1071×2
Application Layer Protocol
TA0010
Exfiltration
1 technique
T1041
Exfiltration Over C2 Channel
ARSENAL

Associated malware families

6 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
Cobalt StrikeUltimately, the final stage drops a dangerous Cobalt Strike Beacon directly into memory . This implant establishes an outbound command-and-control connection to a remote server .2May 26, 2026
Metasploit...post-exploitation tools such as Cobalt Strike and Metasploit...2Mar 8, 2026
Shadow RATBreakglass Intelligence discovered a fully operational Shadow RAT command-and-control panel running at 87.120.107[.]117 on Ukrainian-operated bulletproof hosting infrastructure... The panel ... provides a complete Malware-as-a-Service platform with user registration, licensing, and a malware builder capable of producing Windows RAT payloads with rootkit, surveillance, credential theft, and remote shell capabilities.2Apr 25, 2026
Blister DLL"...deployment of INET RAT and Blister DLL trojans." / "...Blister DLL acts as a shellcode loader to establish remote access."1Mar 8, 2026
INET RAT"...culminating in the deployment of INET RAT and Blister DLL trojans."1Mar 8, 2026

1 additional family tracked in Mallory.

IOCS

Observables

12 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

12 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
security online infoNews
May 26, 2026
Operation Dragon Whistle Phishing Campaign Analysis

Conducting the Operation Dragon Whistle phishing campaign targeting the Chinese educational sector, using highly tailored social engineering against university students and faculty, followed by a multi-stage malware infection chain that culminates in in-memory Cobalt Strike Beacon deployment.

Read more
breakglass intelNews
Mar 12, 2026
Shadow RAT Panel v2.0: Inside a Live MaaS Platform With APT Crossover - Breakglass Intelligence - Breakglass Intelligence

South Asian espionage actor linked to Shadow RAT and conducting campaigns against defense, aviation, government, and academia targets. Reported operations include Operation Cobalt Whisper and Operation AmberMist, using spearphishing, ClickFix social engineering, LNK delivery, DLL sideloading, and fake government pages.

Read more
rewterzNews
Jul 23, 2025
APT UNG0002 Expands Cyber Espionage Campaigns Across Asia - Active IOCs - Rewterz

Conducting large-scale cyber-espionage campaigns across strategic sectors in China, Hong Kong, and Pakistan using phishing emails (often with fake résumés) that deliver ZIP/LNK/VBScript-based infection chains, followed by post-exploitation frameworks and RAT deployment for persistent remote access.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping17

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal6

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables12

Domains, IPs, and hashes tied to this actor, refreshed continuously.