
2024-11-17 By RedDrip Team | Incident Tracking

Recently, the QiAnXin Threat Intelligence Center discovered a suspicious compressed archive from a job search website. Through the QiAnXin Intelligence Sandbox's AI-based comprehensive assessment of malicious behavior, the file was identified as suspicious and given a malicious score of 10. RAS detection results indicate that the sample may use DLL side-loading. Combined with manual analysis, this malicious activity is believed to be a continuation of UNC1549 attacks.
MALWARE UNC1549

2024-11-15 By RedDrip Team | Incident Tracking

Recently, the QiAnXin Threat Intelligence Center discovered a suspicious compressed archive from a website disguised as a job search site. Through the QiAnXin Intelligence Sandbox's AI-based comprehensive assessment of malicious behavior, the file was identified as suspicious and given a malicious score of 10. RAS detection results indicate that the sample may use DLL side-loading. Combined with manual analysis, this malicious activity is believed to be a continuation of UNC1549 attacks.
MALWARE UNC1549

2024-11-12 By RedDrip Team | Incident Tracking

This tracking of recent APT-Q-27 activity is based on mapping analysis by QiAnXin Threat Radar. Since 2022, APT-Q-27 has been one of the groups attacking domestic targets most frequently. This article introduces the APT-Q-27 samples and attack techniques captured in recent years, and discusses the group's common attack methods and sample evolution.
APT-Q-27

2024-11-12 By RedDrip Team | Incident Tracking

This tracking of recent GoldenEyeDog (金眼狗) activity is based on mapping analysis by QiAnXin Threat Radar. Since 2022, GoldenEyeDog has been one of the groups attacking domestic targets most frequently. This article introduces the GoldenEyeDog samples and attack techniques captured in recent years, and discusses the group's common attack methods and sample evolution.
APT-Q-27

2024-11-04 By QiAnXin Threat Intelligence Center | Incident Tracking

The QiAnXin Threat Intelligence Center has found that the new OceanLotus group (APT-Q-31) has recently become active again and is using a new technique of MSI file abuse; this is the first time use of this technique has been captured in domestic APT campaigns targeting government and enterprises. The two OceanLotus attack sets share attack resources but have completely different TTPs. The new OceanLotus group was last active in late 2023.
APT SOUTHEAST ASIA OCEANLOTUS MSI TRANSFORMS

2024-11-04 By QiAnXin Threat Intelligence Center | Incident Tracking

The QiAnXin Threat Intelligence Center has found that the new OceanLotus group, APT-Q-31, has recently become active again and is using a new technique of MSI file abuse; this is the first time use of this technique has been captured in domestic APT activity targeting government and enterprises. OceanLotus's two attack sets share attack resources but have completely different TTPs. The new OceanLotus group was last active at the end of 2023.
APT SOUTHEAST ASIA OCEANLOTUS MSI TRANSFORMS

2024-10-16 By QiAnXin Threat Intelligence Center | Incident Tracking

The QiAnXin Threat Intelligence Center recently discovered a batch of unusual CHM files in which the HTML is very simple and only executes an external file, resulting in a very low VT detection count. Based on similarity among the malicious samples, this article holds that these unusual CHM attack samples and the C# backdoor most likely come from the Mysterious Elephant group.
APT SOUTH ASIA MYSTERIOUS ELEPHANT

2024-10-16 By QiAnXin Threat Intelligence Center | Incident Tracking

The QiAnXin Threat Intelligence Center recently discovered a batch of unusual CHM files in which the HTML is very simple and only executes an external file, resulting in a very low VT detection count. Based on similarity among the malicious samples, this article holds that these unusual CHM attack samples and the C# backdoor most likely come from the Mysterious Elephant group.
APT SOUTH ASIA MYSTERIOUS ELEPHANT

2024-10-12 By QiAnXin Threat Intelligence Center | Incident Tracking

Bitter group deploys new Trojan MiyaRat, with domestic users as primary targets. Bitter has been trying various anti-virus evasion methods this year: loading the Havoc framework via PowerShell in June, and directly delivering the information-stealing plugin it had already been using in 2018 in July, neither with ideal results; finally, in September, it delivered a brand-new Trojan, MiyaRat, which we still successfully captured.
APT SOUTHERN ASIA BITTER

2024-10-12 By QiAnXin Threat Intelligence Center | Incident Tracking

Bitter has been trying various anti-virus evasion methods this year: loading the Havoc framework via PowerShell in June, and directly delivering the information-stealing plugin it had already been using in 2018 in July, neither with ideal results; finally, in September, it delivered a brand-new custom Trojan, MiyaRat, which we still successfully captured.
APT SOUTH ASIA BITTER
