Our continued tracking of the donot group found that it had used couldmailauth.com to host malware. Recently we captured another batch of samples that used this domain as their C&C server. These samples were Spyder downloaders belonging to the Patchwork group, and one of them carried the same digital signature as the donot sample. This may mean that the two groups share the same resource provider behind the scenes, or that they act in unison under the coordination of a higher-level group.
After UTG-Q-015's drive-by (watering-hole) attacks on CSDN and other websites were disclosed at the end of last year, the gang changed its attack methods and began using 0day/Nday vulnerabilities to compromise government and enterprise web sites. In March it activated a batch of scanning nodes to brute-force government and enterprise targets; in April it attacked blockchain websites, GitLab back ends and similar systems, and targeted financial organizations through IM phishing.
The overseas advanced espionage group UTG-Q-017 has been active since August 2024. It exploits a Chrome Nday vulnerability and relies on "short, flat and fast" tactics, such as fileless execution, one-time C2 and brief control windows, to precisely attack government and enterprise targets and steal sensitive information.
Recently, Qi'anxin Threat Intelligence Center discovered a new version of the Kimsuky backdoor. To increase the stealth of the attack, the backdoor executes its core malicious code only on machines with specific host names, which reflects the highly targeted nature of this attack; earlier information-gathering operations were presumably used to screen targets.
Acknowledged by Foxmail: APT-Q-12 exploits a high-risk email client vulnerability to target domestic corporate users. At the beginning of the year, the RedDrip team discovered attackers exploiting a high-risk vulnerability in the Foxmail client; victims only needed to click on the email itself to trigger RCE and have the Trojan dropped. The team reproduced the issue immediately and reported it to the Tencent Foxmail business team. The vulnerability has now been fixed, and the latest version, Foxmail 7.2.25, is not affected.
Qi'anxin Threat Intelligence Center
