
2025-03-11 By 红雨滴团队 | Security Incidents

During endpoint-side operations, the Qi'anxin Threat Intelligence Center discovered a very large overseas hacking group whose malicious activity includes hijacking victims' Google search results and hijacking e-commerce links. PDNS data shows the group has been active since 2021, its malicious domains appear in the OpenDNS top 1M list, and at least on the order of a million endpoints worldwide are affected.
Malware Hacker

2025-03-03 By 红雨滴团队 | Incident Tracking

In mid-2024 we discovered a set of attacks in the South Asia direction, tracked as UTG-Q-011. Although the later plugins in this set differ greatly from CNC's, its backdoor shares the codebase used by the CNC group, so we ultimately study UTG-Q-011 as a subset of CNC; it is disclosed at the end of this article.
APT South Asia CNC UTG-Q-011

2025-02-28 By 红雨滴团队 | Incident Tracking

The Qi'anxin Threat Intelligence Center recently found the Donot group (肚脑虫) using PDF documents as lures in attack activity, employing a variety of attack techniques against Pakistan, Bangladesh and other South Asian countries.
APT South Asia DONOT APT-Q-38

2025-02-21 By 红雨滴团队 | Special Report

The Qi'anxin Threat Intelligence Center has released the 2024 Annual Cybersecurity Threat Report, covering advanced persistent threats (APT), ransomware attacks, internet cybercrime, vulnerability exploitation and other topics. APT incidents targeting China mainly involved scientific research and education, information technology, manufacturing and government agencies, with victims concentrated in Guangdong and other regions. At the end of the year, UTG-Q-015, the group that intruded into the country's largest IT community, was disclosed; the group successfully compromised IT communities, technical forums, software parks, government websites, media sites and other targets, with an impact large enough to warrant vigilance.
Annual Report APT Ransomware Cybercrime Exploitation

2025-01-20 By 红雨滴团队 | Incident Tracking

The New OceanLotus group first appeared in mid-2022, went inactive at the end of 2023, became active again in November 2024 and was quickly stopped. The article shares an analysis of the New OceanLotus group's in-memory tactics and techniques and, through two waves of 0-day supply chain incidents in March 2024, finally confirms that the attackers are located in the UTC+7 time zone.
Southeast Asia APT OceanLotus

2025-01-07 By 红雨滴团队 | Vulnerability Advisory

Recently we found an unknown Windows Nday privilege-escalation vulnerability sample in the wild. When the sample was first uploaded, it had only 6 detections. Analysis confirmed that the vulnerability was fixed in Microsoft's August patch, making this a previously unknown nday exploit for an already fixed bug. This article provides a detailed analysis of the vulnerability and the sample.
Vulnerabilities Windows
