The overseas advanced espionage group UTG-Q-017 has been active since August 2024. It exploited the Chrome Nday vulnerability and used "short, flat and fast" techniques and tactics such as fileless landing, one-time C2 and short control time to accurately attack government and enterprise targets and steal sensitive information.

境外高级窃密组织 UTG-Q-017 自 2024 年 8 月起活跃，利用 Chrome Nday 漏洞，通过无文件落地、一次性 C2 和短暂控制时间等“短平快”技战术，精准攻击政企目标，窃取敏感信息。

Recently, Qi'anxin Threat Intelligence Center discovered a new version of Kimsuky backdoor. In order to increase the stealth of the attack, the backdoor only executes the core malicious code on machines with specific host names, which reflects the high degree of directionality of this attack. Other information operations should be performed in the early stage to screen targets.

近期奇安信威胁情报中心发现Kimsuky新版后门，该后门为了增加攻击的隐蔽性，只在具有特定主机名的机器上才执行核心恶意代码，体现了本次攻击高度的定向性，前期应该有其他的信息操作以筛选目标。

Foxmail official thanks! APT-Q-12 exploits high-risk vulnerabilities in email clients to target domestic corporate users. The RedDrip team discovered at the beginning of the year that attackers exploits high-risk vulnerabilities in Foxmail clients to attack. Victims only need to click on the email itself to trigger RCE and cause the Trojan to land. After reproducing it immediately, it was reported to the Tencent Foxmail business team. At present, the vulnerability has been fixed and the latest version of Foxmail 7.2.25 is not affected.

Foxmail官方致谢！APT-Q-12利用邮件客户端高危漏洞瞄准国内企业用户红雨滴团队年初发现攻击者利用Foxmail客户端高危漏洞进行攻击，受害者仅需点击邮件本身即可触发RCE导致木马落地，第一时间复现后并将其上报给腾讯Foxmail业务团队，目前该漏洞已经被修复，最新版Foxmail 7.2.25 不受影响。

奇安信威胁情报中心在终端侧运营过程中发现了一个规模巨大并且能够劫持受害者 Google 搜索内容和劫持电商链接等恶意行为的境外黑客团伙，基于 PDNS 数据发现该团伙从 2021 年开始活跃，并且恶意域名在 OPENDNS 的 top 1m 列表中，全球受影响的终端至少百万级别。

During the terminal operation, the Qi'anxin Threat Intelligence Center discovered a large-scale overseas hacker group that was able to hijack victims' Google search content and e-commerce links and other malicious behaviors. Based on PDNS data, it was found that the group has been active since 2021, and the malicious domain name is on the top of OPENDNS. In the 1m list, there are at least millions of terminals affected worldwide.

In mid-2024 we discovered a collection of attacks in the South Asian direction numbered UTG-Q-011, which, despite the fact that the subsequent plugins in the collection differed too much from CNC, had the same backdoor as the codebase used by the CNC group, and ultimately researched UTG-Q-011 as a subset of CNC, which will be disclosed at the end of this paper.

2024 年中旬我们发现了南亚方向编号为 UTG-Q-011 的攻击集合，尽管该集合后续插件与 CNC 相差过大，但是其后门与 CNC 组织所使用的代码库相同，最终将 UTG-Q-011 当作 CNC 的子集来进行研究，本文最后会对其进行披露。