
2024-07-17 By 红雨滴团队 | Incident Tracking

In their day-to-day operations, QiAnXin Threat Intelligence Center and the Falcon Operations Team observed that in June 2024 several overseas vendors published reports on in-the-wild attack activity involving the new GrimResource attack technique. We studied the technique immediately and kept it under continuous monitoring, and in mid-July 2024 we found the first attack incident on government and enterprise endpoints; we classify the attack as cybercrime (黑产). The GrimResource technique exploits an XSS vulnerability in an mmc system file to execute JS code, and uses the DotNetToJScript approach to load an arbitrary .NET program in memory. This not only bypasses the ActiveX control warning but also achieves fileless payload execution. It is foreseeable that for some time to come, MSC-style spear-phishing emails will replace lnk files, Office macro documents and the like as attackers' most common phishing lures. We advise government and enterprise customers not to download software installers from unofficial websites, and we will disclose the MSC lure attack chain in detail so that customers can carry out self-checks.
GRIMRESOURCE

2024-07-17 By 红雨滴团队 | Incident Tracking

QiAnXin Threat Intelligence Center and the Falcon Operations Team observed in their daily operations that in June 2024 several foreign counterparts reported in-the-wild attacks related to the new attack technique GrimResource. We promptly researched this technique and have been monitoring it continuously. In mid-July 2024 we discovered the first attack incident on government and enterprise endpoints, and we classified the attack as cybercrime (黑产). The GrimResource technique exploits an XSS vulnerability in an mmc system file to execute JS code and uses DotNetToJScript to load arbitrary .NET programs into memory. This not only bypasses the ActiveX control warning but also enables fileless payload execution. It is foreseeable that MSC-style spear-phishing emails will replace lnk files and Office macro documents as the phishing baits most commonly used by attackers. Government and enterprise customers are advised not to download software installation packages from unofficial websites. We will disclose the attack chain of MSC baits in detail to facilitate customer self-examination.
GRIMRESOURCE

2024-06-04 By 红雨滴团队 | Incident Tracking

Since initiating UTG (Unknown Threat Group) numbering, QiAnXin Threat Intelligence Center has closely monitored attacks targeting server environments within government and enterprise sectors. We have discovered several attack groups, such as UTG-Q-008 and UTG-Q-009, which have caused significant harm to government and enterprise entities. Among them, UTG-Q-008 is the only group that exclusively targets Linux platforms, and it operates a massive botnet. After a year-long intensive tracking effort, we have finally confirmed evidence of UTG-Q-008 using the resources of this botnet for espionage against the domestic research and education sector. A staggering 70% of the infrastructure used in the attacks consists of jump servers, with new jump servers substituted for each new campaign. Domain names controlled by the attackers have been active for at least a decade, displaying an adversarial strength far surpassing mainstream APT groups. This experience has deeply impressed upon us that network resources are the best "0-day weapons."
OPERATION VELES UTG-Q-008

2024-06-04 By 红雨滴团队 | Incident Tracking

For a long time, security vendors have fallen short in researching data-theft incidents involving Linux systems. Most of the APT attacks disclosed publicly focus on non-classified office machines (the Windows platform), and most of the stolen data consists of non-classified, unpublished internal documents; we consider this type of data-theft attack to be more hype than real harm. In the field of scientific research, however, Linux servers usually host important data, and their security is critical. Strengthening security research and incident monitoring for Linux systems is therefore a key task in safeguarding the high-quality development of national science and technology. Since launching UTG numbering, QiAnXin Threat Intelligence Center has closely monitored, across government and enterprise endpoints, the attack clusters that penetrate only the server zone, and has identified several groups that cause great harm to government and enterprise, such as UTG-Q-008 and UTG-Q-009. Among them, UTG-Q-008 is the only organization that targets the Linux platform exclusively, and it has a huge botnet behind it. After a year of intensive tracking, we finally confirmed evidence that UTG-Q-008 calls on botnet resources to conduct data-theft activity against the domestic research and education sector. As much as 70% of the infrastructure in the attack activity consists of jump servers, and a fresh jump server is used every time a new campaign is launched. Some of the domains the attackers control were active as early as ten years ago, and the adversarial intensity far exceeds that of mainstream APT groups, which has driven home to us that network resources are the best "0day weapon".
OPERATION VELES UTG-Q-008

2024-05-21 By 红雨滴团队 | Incident Tracking

QiAnXin Threat Intelligence Center has identified targeted Chinese-language phishing emails in its daily operations. The body of the email is logically structured and uses content related to game recruitment at major internet companies and AI technology to entice the HR departments of targeted companies to open encrypted attachments containing malicious lnk files. This allows the attackers to establish a foothold within the internal network and seek further lateral movement. After a brief investigation, we named the group responsible UTG-Q-010, a financially motivated targeted attack group located in East Asia. Considering some issues raised by foreign cybersecurity vendors in their references to our previous disclosure of UTG-Q-007, it is necessary to introduce the origin of QiAnXin's "UTG" (Unknown Threat Group) numbering convention. To address the mismatch between the threats identified on QiAnXin's government and enterprise endpoints and the commonly known APT threats, as well as the fact that some APT campaigns are outsourced to private companies, we have identified several highly harmful and persistently active threat groups from the hundreds of attack campaigns detected on government and enterprise endpoints. These groups are named in the form "UTG-Q-XXX". Therefore, UTG should not be simply understood as an unknown group: we are aware of the attackers' motives and geographical region, but we are unable to attribute them to specific attacking entities or the clients they serve.
UTG-Q-010 AI

2024-05-21 By 红雨滴团队 | Incident Tracking

In its day-to-day operations, QiAnXin Threat Intelligence Center found that a customer had received targeted Chinese-language phishing emails. The body was logically coherent and used content such as game recruitment at major internet companies and AI technology to lure the target company's HR staff into opening an encrypted attachment containing a malicious lnk, thereby gaining a foothold in the internal network and seeking further lateral movement. After a brief investigation we named the group UTG-Q-010, a financially motivated targeted attack group whose operators are located in East Asia. Given the problems overseas vendors had in citing our report when we last disclosed UTG-Q-007, we need to explain the origin of the UTG (Unknown Threat Group) numbering. To deal with the fact that the threats seen on QiAnXin government and enterprise endpoints do not match the APT threats commonly discussed in the market, and that APT groups in every country have already outsourced work to private companies, we identified, from the several hundred attack clusters found on government and enterprise endpoints, the groups that are highly harmful and persistently active, and named them in the form UTG-Q-XXX. UTG should therefore not be understood simply as an unknown group: we know the attackers' motives and region, but cannot attribute them to a specific attacking entity or the client they serve.
UTG-Q-010 AI

2024-04-23 By 红雨滴团队 | Incident Tracking

In October 2023, QiAnXin Threat Intelligence Center published "Operation HideBear: Russian-speaking threat actors target East Asia and North America". In that article we noted that the attackers had a dual economic and technological purpose: economically they targeted investment institutions and Bitcoin companies (and individuals), and technologically they showed a strong interest in Chinese inductor component manufacturers and biological antibody research and pharmaceuticals. We attributed the activity to Storm-0978 with moderate confidence, and during continued tracking at the end of 2023 we captured a very strange sample. After lengthy reverse analysis we found that the attackers used a kernel injection technique that had never previously been disclosed, which we named "Step Bear". The injection uses Heaven's Gate and Hell's Gate call methods to invoke some uncommon kernel functions, allowing the technique to bypass mainstream EDR detection.
STORM-0978 STEP BEAR

2024-04-23 By 红雨滴团队 | Incident Tracking

In October 2023, QiAnXin Threat Intelligence Center published an article titled "Operation HideBear: Russian Threat Actors Targeting East Asia and North America". In the article, we mentioned that the attackers had dual objectives of an economic and technological nature. Economically, they targeted investment institutions and Bitcoin companies (and individuals), while technologically they showed strong interest in Chinese inductor component manufacturers and biopharmaceutical antibody research. With moderate confidence, we attributed these activities to Storm-0978, and we captured a highly peculiar sample during continued tracking at the end of 2023. After extensive reverse engineering, we discovered that the attackers employed a previously undisclosed kernel injection technique, which we named "Step Bear." This injection technique combines "Heaven's Gate" and "Hell's Gate" invocation methods to invoke certain uncommon kernel functions, enabling it to bypass mainstream EDR detection.
STORM-0978 STEP BEAR

2024-03-25 By 红雨滴团队 | Incident Tracking

QiAnXin Threat Intelligence Center recently found attack samples that use cryptocurrency industry regulations and legal documents as lures, apparently targeting participants in the cryptocurrency industry in South Korea. The Zip archive contains two files: one is a normal document, the other an LNK (shortcut) file disguised as a document. If the victim clicks the LNK file while trying to view the document, the LNK file covertly drops and executes a series of malicious scripts that collect victim information and send it back to the C2 server, while also downloading AutoIt malware from the C2 server. Based on the attack techniques used and the characteristics of the malicious code, we attribute this campaign to the Konni group.
KONNI APT AUTOIT

2024-03-14 By 红雨滴团队 | Incident Tracking

QiAnXin Threat Intelligence Center detected targeted phishing emails received by customers during routine endpoint operations. The attachment, named "版權資訊及版權保護政策 Dentsu Taipei.zip," contained a malicious lnk file and a normal PDF lure. Tianqing EDR intercepted the script Trojan in time. Although the attackers did not cause significant damage to our customers, the Chinese lure and subsequent Trojan used by this group caught our interest. After some investigation, we named this criminal group UTG-Q-007. Their targets include Asian countries such as China, South Korea, Vietnam, and India, with industries involving construction, real estate marketing, and the internet. They utilize the unique ROTbot Trojan to steal sensitive data such as cryptocurrency, intellectual property, and social media accounts. Similar to the profit model of faceduck Group (ducktail), they hijack Facebook business account ads. We have disclosed relevant details to the open-source community for analysis and investigation by friendly companies.
UTG-Q-007 ROTBOT
