2024-04-23 By RedDrip Team | Incident Tracking

In October 2023, QiAnXin Threat Intelligence Center published an article titled "Operation HideBear: Russian Threat Actors Targeting East Asia and North America". In it, we noted that the attackers had both economic and technological objectives: economically, they targeted investment institutions and Bitcoin companies (and individuals), while technologically they showed strong interest in Chinese inductor component manufacturers and biopharmaceutical antibody research. With moderate confidence, we attributed these activities to Storm-0978. During continued tracking at the end of 2023 we captured a highly peculiar sample. After extensive reverse engineering, we found that the attackers employed a previously undisclosed kernel injection technique, which we named "Step Bear". The injection combines the "Heaven's Gate" and "Hell's Gate" invocation methods to call certain uncommon kernel functions, enabling it to bypass mainstream EDR detection.
STORM-0978 STEP BEAR

2024-03-25 By RedDrip Team | Incident Tracking

Recently, QiAnXin Threat Intelligence Center discovered attack samples that use cryptocurrency industry regulations and legal documents as lures, apparently targeting participants in the cryptocurrency industry in South Korea. The ZIP archive contains two files: one is a normal document, and the other is an LNK (shortcut) file disguised as a document. If the victim clicks the LNK file in an attempt to view the document, it silently drops and executes a series of malicious scripts that collect information about the victim and send it back to the C2 server, while also downloading AutoIt malware from the C2 server. Based on the attack techniques used and the characteristics of the malicious code, we attribute this campaign to the Konni group.
KONNI APT AUTOIT

2024-03-14 By RedDrip Team | Incident Tracking

During routine endpoint operations, QiAnXin Threat Intelligence Center detected targeted phishing emails received by a customer. The attachment, named "版權資訊及版權保護政策 Dentsu Taipei.zip", contained a malicious LNK file and a normal PDF lure. Tianqing EDR intercepted the script Trojan in time. Although the attackers did not cause significant damage to our customer, the Chinese-language lure and the follow-on Trojan used by this group caught our interest. After some investigation, we named this criminal group UTG-Q-007. Their targets include Asian countries such as China, South Korea, Vietnam, and India, in industries including construction, real estate marketing, and the internet. They use the distinctive ROTbot Trojan to steal sensitive data such as cryptocurrency, intellectual property, and social media accounts. Similar to the profit model of the faceduck group (ducktail), they hijack Facebook business account advertising. We have disclosed the relevant details to the open-source community for analysis and investigation by friendly companies.
UTG-Q-007 ROTBOT

2024-03-13 By RedDrip Team | Incident Tracking

QiAnXin Threat Intelligence Center has observed a diligent domestic ransomware operator that works mainly on weekends, which lets it physically evade security personnel's review of alerts. On Saturdays, the operator uses various N-day vulnerabilities to break in, conducts continuous internal reconnaissance, and assesses the number of machines under control; on Sunday evenings, it deploys ransomware Trojans in bulk so that victims returning to work the next day get a "surprise". The tools predominantly used for lateral movement include Cobalt Strike, fscan, frp, and ransomware delivery packages, showing a high similarity to the tactics employed by domestic red teams during penetration testing.
RANSOMWARE IP-GUARD

2024-03-05 By RedDrip Team | Incident Tracking

Recently, QiAnXin Threat Intelligence Center discovered a batch of information-stealing attack samples disguised as installers for software products of the South Korean software company SGA. When executed, these samples drop legitimate installation packages to deceive victims while secretly executing malicious DLLs protected by VMProtect. The malicious DLLs, written in Go, collect various kinds of information from infected devices, transmit it to the attackers, and then erase traces of the attack. Based on the digital signatures carried by the stealer samples, we linked them to another piece of malware used as a backdoor, also written in Go and protected by VMProtect. This backdoor shares multiple characteristics with historical attack samples from the Kimsuky group, leading us to conclude that both types of malware are associated with Kimsuky.
KIMSUKY APT

2024-02-22 By RedDrip Team | Incident Tracking

During routine endpoint operations, QiAnXin Threat Intelligence Center found that a customer had received a targeted phishing email with an attachment named "版權資訊及版權保護政策 Dentsu Taipei.zip", containing a malicious LNK file and a normal PDF lure. After investigation, we named this criminal group UTG-Q-007.
UTG-Q-007 ROTBOT

2024-02-02 By RedDrip Team | Special Report

Recently, QiAnXin Threat Intelligence Center released the "Global Advanced Persistent Threat (APT) 2023 Annual Report". Drawing on QiAnXin Threat Radar's comprehensive remote-sensing mapping data of APT attack activity within China in 2023, the report presents domestic APT attack activity and advanced persistent threat trends, and, combined with open-source intelligence, analyzes the development and characteristics of advanced persistent threats worldwide. It finds that, as in 2022, government departments and national defense and military remained the hardest-hit sectors of APT activity in 2023. In addition, scientific research and education, as well as information technology, were major industry targets of APT threats in 2023.
APT ANNUAL REPORT 2023
