← All Threat Actors
Threat Actor Profile

UNG0002

No known aliases in database
▲ High Threat
Operation Dragon Whistle, Operation AmberMist, Operation Cobalt Whisper
Origin South/Southeast Asia
Sponsor Unknown (suspected state-aligned)
Motivation Cyber espionage, including intellectual property theft and government intelligence collection

Target Sectors

Defense Electrotechnical Engineering Energy Civil Aviation Academia Medical Institutions Cybersecurity Gaming Software Development Government Agencies Manufacturing Telecommunications Media Research Institutions

Known TTPs

Spear-phishing with weaponized LNK and VBScript files
ClickFix social engineering (fake CAPTCHA verification pages)
DLL sideloading (abusing legitimate binaries such as Rasphone and Node-Webkit)
Cloud-based C2 infrastructure (Dropbox, X/Twitter, Zimbra mail services)
Reflective loading of Cobalt Strike
Deployment of custom RATs (Shadow RAT, INET RAT)
Blister DLL shellcode loader
Spoofing of government websites (e.g., Pakistan's Ministry of Maritime Affairs)

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD