
Economic Background

In the first half of 2025, the global financial market experienced a rare and drastic change, and the historic surge in gold prices became the most important economic background for this incident. The surge was driven by a combination of factors: first, the divergence of monetary policy among the major economies, which shook the market's confidence in credit currencies; second, the continued escalation of geopolitical conflicts, in particular the intensification of tensions in certain regions, which greatly stimulated safe-haven sentiment; and third, sharp downgrades of global growth expectations by a number of institutions, which sent panicked funds flocking to gold as a traditional safe-haven asset. The dramatic fluctuations in the gold price and the huge trading volumes meant that the funds held and moved by the financial institutions around gold trading, including exchanges, banks, custodians and investment funds, expanded dramatically, which gave cybercrime a very high "input-output ratio". It is this extremely attractive economic value that has drawn sophisticated attackers, including APT groups, to attempt to infiltrate the core of Hong Kong's financial system and high-value investors on the mainland through supply chain attacks in a stealthy and efficient manner, with the goal of stealing large sums of money or manipulating the market for huge profits.


Incident Background

In May 2024, the Qi'anxin Threat Intelligence Center disclosed the APT group UTG-Q-010[1] targeting the gaming and artificial intelligence industries. The group was extremely vindictive and went so far as to launch a low-level spear-phishing email attack against public email addresses related to our localization business after the report was released.

The attackers seemed so frazzled and rushed in their delivery that they failed even to write the full domain name of the probe in the email body:

In July 2025, the TianQing "Liuhe" advanced threat engine and the RedDrip team's proprietary intelligence production process revealed the latest activity of the UTG-Q-010 group. Some government and enterprise clients triggered rule alerts when installing financial software downloaded from the official websites of the Hong Kong financial institutions "Jinrong China" (jrjr.hk) and "Wanzhou Gold" (wzg.com). Manual analysis confirmed the presence of malicious code in the installation packages. The installation packages on these websites have since been restored to normal.

Jinrong China and Wanzhou Gold are two well-known gold traders holding AA licenses on the Hong Kong Gold Exchange[2], and are also the main trading platforms of choice for high-value investors in China.


Sample Analysis

The information of the malicious installation packages is as follows:

MD5                               Filename
3d60c16bbe50c562429a50b21dd6fcc0  upway_desktop.exe
af99f2aa90026f0690d44d9747cd7a78  wzgoldgroup5setup.exe

In addition to the normal installation steps, the malicious setup program drops a "white plus black" component (a legitimate signed executable paired with a malicious DLL for side-loading) into the C:\Windows\Tasks directory:

The malicious export function of msdtctm.dll is DtcMainExt, which executes downloader logic consistent with that of the 2024 campaign, downloading a set of memory loaders and shellcode from https://cloudcenter.top/sys/systemupdate.

Unlike in 2024, UTG-Q-010 has replaced the final payload, previously Pupy RAT, with AdaptixC2, a brand-new C2 framework that only appeared in 2025.

C2 callback: cloudcenter.top/api/update

The logic for handling remote control commands is as follows:

It is identical to the source code on GitHub:

AdaptixC2 offers features similar to traditional C2 frameworks such as Cobalt Strike, Sliver, Havoc and Mythic. The TianQing "Liuhe" engine already supports in-memory detection of the AdaptixC2 framework:


Scope of Impact

Qi'anxin's PDNS data shows a significant difference in the scope of this campaign compared to last year. While last year's attacks were only focused on gaming, AI and healthcare, this supply chain campaign has involved victims from key industries such as finance, manufacturing and culture.


Summary

Currently, the full line of products based on threat intelligence data from the Qi'anxin Threat Intelligence Center, including the Qi'anxin Threat Intelligence Platform (TIP), TianQing, the Tianyan Advanced Threat Detection System, Qi'anxin NGSOC and Qi'anxin Situational Awareness, already supports accurate detection of such attacks.


IOC

FileHash-MD5:

3d60c16bbe50c562429a50b21dd6fcc0

af99f2aa90026f0690d44d9747cd7a78

C2:

cloudcenter.top
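The following hunt helper is an added example, not Qi'anxin tooling or code from the report. It turns the side-loading behaviour described in the Sample Analysis section (a DLL named msdtctm.dll dropped into C:\Windows\Tasks) and the IOCs listed above into three defender-side checks: hashing files against the two installer MD5s, flagging any EXE/DLL inside the Windows Tasks directory (which normally contains only scheduled-task .job files), and matching DNS/proxy log lines against the C2 domain with suffix matching so look-alike names do not fire. The name of the legitimate host executable is not given on the page, so only the DLL name is matched; the directory tree and log lines are constructed for the demo.

```python
"""Hunt helper for the UTG-Q-010 supply-chain indicators described above.

Added example, not Qi'anxin tooling. Three checks a defender would run:
  1. MD5 of files under a root compared against the known-bad installer hashes;
  2. PE files (exe/dll) sitting in Windows\\Tasks, which normally holds only
     scheduled-task .job files, with msdtctm.dll flagged by name;
  3. DNS/proxy log lines whose hostname is the C2 domain or a subdomain of it.
The directory tree and log lines are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

# Indicators taken from the report.
IOC_MD5 = {
    "3d60c16bbe50c562429a50b21dd6fcc0": "upway_desktop.exe",
    "af99f2aa90026f0690d44d9747cd7a78": "wzgoldgroup5setup.exe",
}
C2_DOMAINS = {"cloudcenter.top"}
SIDELOAD_DLL = "msdtctm.dll"          # malicious DLL named in the report

TASKS_DIR_SUFFIX = os.path.join("Windows", "Tasks")
PE_EXTENSIONS = {".exe", ".dll"}
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def md5_of(path):
    """Stream a file through MD5 and return the hex digest."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, known_md5=IOC_MD5):
    """Walk root and return (path, reason) findings for hash and location hits."""
    findings = []
    for dirpath, _, names in os.walk(root):
        in_tasks = dirpath.rstrip(os.sep).endswith(TASKS_DIR_SUFFIX)
        for name in names:
            path = os.path.join(dirpath, name)
            digest = md5_of(path)
            if digest in known_md5:
                findings.append((path, "MD5 matches IOC " + known_md5[digest]))
            ext = os.path.splitext(name)[1].lower()
            if in_tasks and ext in PE_EXTENSIONS:
                reason = "PE file in Windows\\Tasks"
                if name.lower() == SIDELOAD_DLL:
                    reason += " (side-loaded DLL named in report)"
                findings.append((path, reason))
    return findings


def match_c2_logs(lines, domains=C2_DOMAINS):
    """Return log lines that mention a C2 domain or any subdomain of it.

    Exact or suffix matching on the hostname avoids false hits on look-alike
    names such as notcloudcenter.top.
    """
    hits = []
    for line in lines:
        for host in HOST_RE.findall(line):
            host = host.lower()
            if any(host == d or host.endswith("." + d) for d in domains):
                hits.append(line)
                break
    return hits


def build_demo():
    """Build a constructed tree and log lines; return (root, dll_path, logs)."""
    root = tempfile.mkdtemp(prefix="utgq010_hunt_")
    tasks = os.path.join(root, "Windows", "Tasks")
    os.makedirs(tasks)
    dll_path = os.path.join(tasks, "msdtctm.dll")
    with open(dll_path, "wb") as f:
        f.write(b"MZ constructed stand-in, not the real sample")
    with open(os.path.join(tasks, "cleanup.job"), "wb") as f:
        f.write(b"constructed scheduled-task job file")
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"benign text file")
    logs = [  # constructed DNS/proxy records
        "2025-07-02T10:15:01Z DNS host=ws-17 qname=cloudcenter.top type=A",
        "2025-07-02T10:15:02Z DNS host=ws-17 qname=update.microsoft.com type=A",
        "2025-07-02T10:16:40Z PROXY host=ws-17 url=https://cloudcenter.top/api/update status=200",
        "2025-07-02T10:17:00Z DNS host=ws-22 qname=notcloudcenter.top type=A",
    ]
    return root, dll_path, logs


if __name__ == "__main__":
    root, _, logs = build_demo()
    for path, reason in scan_tree(root):
        print("FILE", path, "-", reason)
    for line in match_c2_logs(logs):
        print("LOG ", line)
```

On a real host, point scan_tree at a drive root or at C:\Windows\Tasks directly and feed match_c2_logs with exported resolver or proxy logs; the hash check only catches the two installers listed here, so the location check is the more durable signal if the group rotates builds.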


Reference Links

[1] https://ti.qianxin.com/blog/articles/UTG-Q-010-Targeted-Attack-Campaign-Against-the-AI-and-Gaming-Industry-EN/

[2] https://finance.sina.com.cn/jjxw/2025-06-03/doc-ineyuiii1529546.shtml?froms=ggmp
