The New OceanLotus group first appeared in mid-2022, went inactive at the end of 2023, became active again in November 2024, and was quickly contained. This article shares an in-memory tactical and technical analysis of the New OceanLotus group and, through the two waves of 0-day supply chain incidents in March 2024, ultimately confirms that the attacker is located in the UTC+7 time zone.
Recently, we found an in-the-wild sample exploiting a previously unknown Windows privilege-escalation Nday vulnerability. When the sample was first uploaded, it had only 6 detections. Analysis confirmed that the vulnerability should have been fixed in Microsoft's August patches, making this a previously unknown Nday exploit for an already-patched bug. This article provides a detailed analysis of the vulnerability and of the exploit sample.
alphatronBot is a backdoor built on a p2p protocol. It provides remote-control functionality and delivers specific payloads. The malware is controlled through a Pubsub chat room; the backdoor has more than 700 infected p2p C2 nodes built in and affects both Linux and Windows.
Recently, the Qi'anxin Threat Intelligence Center discovered a suspicious archive from a site disguised as a job-search website. Through its intelligence-based comprehensive assessment of malicious behavior, the Qi'anxin Intelligence Sandbox identified the file as suspicious and gave it a malicious score of 10. RAS detection results indicated that the sample may use DLL side-loading. Combined with manual analysis, this malicious activity is assessed to be a continuation of the UNC1549 attacks.
Tracking of the recent activity of APT-Q-27 (Golden Eye Dog, 金眼狗) is based on mapping analysis from Qi'anxin Threat Radar. Since 2022, APT-Q-27 has consistently been one of the groups that attack domestic (Chinese) targets most frequently. This article introduces the APT-Q-27 samples and attack techniques captured in recent years and discusses the group's common attack methods and the evolution of its samples.
Qi'anxin Threat Intelligence Center