2025-06-06 By RedDrip Team (红雨滴团队) | Incident Tracking

Qi'anxin Threat Intelligence Center recently found the Golden Eye Dog (金眼狗) gang distributing malware disguised as installers for Todesk, QuickConnect VPN (快连VPN) and Paper Airplane (纸飞机) through watering-hole sites. When run, a package drops a legitimately signed copy of the real installer but also silently implants the Winos4.0 remote access trojan, which the gang combines with "Silver Fox"-type trojans for remote control and data theft; this wave adds a shellcode backdoor and anti-AV evasion techniques.
APT APT-Q-27

2025-05-27 By RedDrip Team (红雨滴团队) | Incident Tracking

Our continued tracking of the Donot group found that it had used couldmailauth.com to host malware. We recently captured another batch of samples that use this domain as their C&C server; they are Spyder downloaders belonging to the Patchwork group, and one of them carries the same digital signature as a Donot sample. Two explanations fit: the two groups share a resource provider, or they operate in concert under the coordination of a higher-level organization.
APT SOUTH ASIA PATCHWORK DONOT

2025-05-19 By RedDrip Team (红雨滴团队) | Incident Tracking

After UTG-Q-015's web-page trojanizing (挂马) attacks against CSDN and other sites were disclosed at the end of last year, the gang changed its methods and began using 0-day/N-day vulnerabilities to break into government and enterprise web sites. In March it brought up a batch of scanning nodes to brute-force government and enterprise targets; in April it attacked blockchain sites and GitLab back ends, and went after financial-sector targets through IM phishing.
MALWARE UTG-Q-015

2025-04-22 By RedDrip Team (红雨滴团队) | Incident Tracking

The overseas advanced espionage group UTG-Q-017 has been active since August 2024. It exploits a Chrome N-day vulnerability and relies on "short, flat and fast" (短平快) tradecraft, namely fileless execution, single-use C2 infrastructure and very short control windows, to hit government and enterprise targets precisely and steal sensitive information.
MALWARE UTG-Q-017

2025-04-11 By RedDrip Team (红雨滴团队) | Incident Tracking

Qi'anxin Threat Intelligence Center recently discovered a new version of a Kimsuky backdoor. To make the attack harder to spot, the backdoor executes its core malicious code only on machines with specific host names, which shows how tightly targeted the operation is and means the sample behaves benignly in a sandbox whose host name does not match. Reconnaissance to select the target hosts must have taken place beforehand.
EAST ASIA APT KIMSUKY
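Host-name gating of the kind described in the Kimsuky entry above is a form of environmental keying. The following is an added illustration written for this page, not Kimsuky's code and not Qi'anxin's: it models an implant that carries only a hash of the wanted host name (an assumption; the page does not say how the real backdoor performs its comparison) and an analyst helper that recovers matching names by brute-forcing that hash against a candidate list built from a guessed naming convention. The digest, the target name `fin-ws-017` and the `<prefix>-<role>-<NNN>` convention are all constructed for the example.

```python
"""Environmental keying on host name: a minimal model plus an analyst helper.

Constructed illustration. The implant side stores only a digest of the wanted
host name, so the target cannot be read off the binary; the analyst side
brute-forces the digest against candidates derived from a naming convention.
"""
import hashlib
import socket
from typing import Iterable, Iterator, List


def host_key(hostname: str) -> str:
    # Canonicalise before hashing so DESKTOP-AB12 and desktop-ab12 key the same
    # way (assumption: a real implant picks its own normalisation, if any).
    return hashlib.sha256(hostname.strip().lower().encode("utf-8")).hexdigest()


# Constructed sample: the digest a hypothetical implant would embed. A real
# sample would carry the hex string only, never the plaintext name.
TARGET_HOST = "fin-ws-017"
EMBEDDED_DIGEST = host_key(TARGET_HOST)


def gate_allows(hostname: str, embedded_digest: str = EMBEDDED_DIGEST) -> bool:
    """True only when the running host's name matches the keyed digest."""
    return host_key(hostname) == embedded_digest


def run_stage(hostname: str) -> str:
    """Models the implant's branch: the core payload runs only on the keyed host.

    Returns "core" or "decoy" instead of doing anything, so it can be tested.
    """
    if not gate_allows(hostname):
        return "decoy"  # benign path; a sandbox with another name sees only this
    return "core"


def recover_hostnames(embedded_digest: str, candidates: Iterable[str]) -> List[str]:
    """Analyst helper: which candidate host names satisfy the gate?"""
    return [c for c in candidates if gate_allows(c, embedded_digest)]


def generate_candidates(prefixes: Iterable[str], roles: Iterable[str],
                        width: int = 3, limit: int = 1000) -> Iterator[str]:
    """Constructed naming convention <prefix>-<role>-<NNN>, e.g. fin-ws-017."""
    for prefix in prefixes:
        for role in roles:
            for n in range(limit):
                yield f"{prefix}-{role}-{n:0{width}d}"


if __name__ == "__main__":
    # On the analyst's own machine the gate almost certainly fails.
    print("this host:", run_stage(socket.gethostname()))
    # Brute-force the embedded digest with a guessed convention.
    hits = recover_hostnames(EMBEDDED_DIGEST,
                             generate_candidates(["fin", "hr"], ["ws", "srv"]))
    print("keyed host names:", hits)
```

The practical point for triage is the second half: when a sample compares the host name against an opaque constant, running it in a sandbox tells you nothing until you either patch the comparison out or recover the expected name, and a candidate list built from the victim organisation's naming scheme is often enough to do the latter offline.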

Qi'anxin Threat Intelligence Center