
2025-05-27 By RedDrip Team | Incident Tracking

Our continued tracking of the Donot group found that it had used couldmailauth.com to host malware. Recently we captured another batch of samples that use this domain as their C&C server. These samples are Spyder downloaders of the Patchwork group, and one of them carries the same digital signature as the Donot sample. This may mean that the two groups share the same resource provider behind the scenes, or that both are operating in unison under the coordination of a higher-level organization.
APT SOUTH ASIA PATCHWORK DONOT

2025-05-26 By RedDrip Team | Incident Tracking

Our continued tracking of the Donot group found that it had used couldmailauth.com to host malware. Recently we captured another batch of samples using this domain as their C&C server; they are Spyder downloaders of the Patchwork group, and one of them carries the same digital signature as a Donot sample. This may be because the two groups share the same resource provider, or because both are acting in unison under the coordination of a higher-level organization.
APT SOUTH ASIA PATCHWORK DONOT

2025-04-11 By RedDrip Team | Incident Tracking

Qi'anxin Threat Intelligence Center recently discovered a new version of the Kimsuky backdoor. To make the attack stealthier, the backdoor executes its core malicious code only on machines with specific host names, which shows how highly targeted this attack is; some earlier information-gathering operation must have been carried out to screen the targets.
EAST ASIA APT KIMSUKY

2025-04-11 By RedDrip Team | Incident Tracking

Qi'anxin Threat Intelligence Center recently discovered a new version of the Kimsuky backdoor. To increase the stealth of the attack, the backdoor runs its core malicious code only on machines with specific host names, reflecting how highly targeted this attack is; there must have been other information-gathering operations beforehand to screen the targets.
EAST ASIA APT KIMSUKY
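The two Kimsuky entries above describe a host-name gate: the payload runs only on machines whose host name matches an embedded target. The page does not say how the backdoor performs the comparison, so the script below is an added illustration, not code from the sample or from the RedDrip team; it assumes the gate stores a salted hash of the expected host name (so that a strings scan of the binary does not reveal the target) and shows the analyst-side counterpart, replaying the gate against a candidate list such as a victim's asset inventory to recover which hosts were targeted. The salt, the target names and the inventory are all constructed for this example.

```python
import hashlib
import socket
from typing import Iterable, List, Optional

# Assumed constant embedded in the sample. A real backdoor would carry its own
# value; it only has to be identical between the stored digests and the check.
SALT = b"example-salt"


def hostname_digest(hostname: str) -> str:
    """Normalise a host name the way the (assumed) gate does and hash it.

    Case folding matters: Windows host names are case-insensitive, so a gate
    that did not normalise could miss its own target on a renamed machine.
    """
    norm = hostname.strip().upper().encode("utf-8")
    return hashlib.sha256(SALT + norm).hexdigest()


# Assumed embedded allow-list. Only digests are stored; the plaintext names
# below exist here just to build the example and would not be in a binary.
TARGET_DIGESTS = {hostname_digest("FIN-WS-0421"), hostname_digest("HQ-DC01")}


def gate_passes(hostname: Optional[str] = None) -> bool:
    """Runtime check the backdoor would make before running its core code.

    With no argument it inspects the local machine, as the malware would; an
    explicit name lets an analyst evaluate the gate without running on target.
    """
    if hostname is None:
        hostname = socket.gethostname()
    return hostname_digest(hostname) in TARGET_DIGESTS


def recover_targets(candidates: Iterable[str]) -> List[str]:
    """Analyst side: replay the gate over candidate names to learn who was targeted.

    A sandbox never sees the payload because its host name fails the gate; the
    usual remedy is to extract the digests and salt from the sample and test
    them against names from the victim's inventory or naming convention.
    """
    return sorted(c for c in candidates if gate_passes(c))


if __name__ == "__main__":
    # Constructed stand-in for an enterprise asset inventory.
    inventory = ["FIN-WS-0420", "fin-ws-0421", "HQ-DC01", "HQ-DC02", "DEV-LAPTOP-7"]
    print(recover_targets(inventory))
```

In a sandbox the gate silently fails and the sample looks benign, which is why the entry notes the attacker must already have known the target's host name; when triaging such a sample, look for the host-name lookup (on Windows, GetComputerNameW or the COMPUTERNAME environment variable) feeding a comparison or hash, then run the gate logic against candidate names rather than trying to guess them by hand.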

2025-04-11 By RedDrip Team | Incident Tracking

Acknowledged by Foxmail: APT-Q-12 exploits a high-risk vulnerability in an email client to target domestic corporate users. At the beginning of the year, the RedDrip team discovered attackers exploiting a high-risk vulnerability in the Foxmail client; a victim only needs to click on the email itself to trigger RCE and have the Trojan dropped. We reproduced it immediately and reported it to the Tencent Foxmail business team. The vulnerability has now been fixed, and the latest version, Foxmail 7.2.25, is not affected.
APT VULNERABILITY EXPLOITATION

2025-04-11 By RedDrip Team | Incident Tracking

Acknowledged by Foxmail: APT-Q-12 exploits a high-risk email client vulnerability to target domestic corporate users. Early this year the RedDrip team discovered attackers exploiting a high-risk vulnerability in the Foxmail client: the victim only needs to click on the email itself to trigger RCE and have the Trojan dropped. We reproduced it at once and reported it to the Tencent Foxmail business team. The vulnerability has now been fixed, and the latest version, Foxmail 7.2.25, is not affected.
APT VULNERABILITY EXPLOITATION

2025-03-03 By RedDrip Team | Incident Tracking

In mid-2024 we discovered a set of attacks in the South Asia direction that we numbered UTG-Q-011. Although the later-stage plugins in this set differ greatly from CNC, its backdoor comes from the same code base used by the CNC group, so we ultimately studied UTG-Q-011 as a subset of CNC; it is disclosed at the end of this article.
APT SOUTH ASIA CNC UTG-Q-011

2025-03-03 By RedDrip Team | Incident Tracking

In mid-2024 we discovered a set of attacks in the South Asia direction numbered UTG-Q-011. Although the set's later plugins differ too much from CNC, its backdoor uses the same code base as the CNC group, so we ultimately treated UTG-Q-011 as a subset of CNC for research purposes; it is disclosed at the end of this article.
APT SOUTH ASIA CNC UTG-Q-011

2025-02-28 By RedDrip Team | Incident Tracking

Qi'anxin Threat Intelligence Center recently found the Donot group using PDF documents as lures in attack activity that employs a variety of techniques against Pakistan, Bangladesh and other South Asian countries.
APT SOUTH ASIA DONOT APT-Q-38

2025-02-28 By RedDrip Team | Incident Tracking

Qi'anxin Threat Intelligence Center recently found the Donot group using PDF documents as lures for its attack activity, targeting Pakistan, Bangladesh and other South Asian countries with a variety of attack techniques.
APT SOUTH ASIA DONOT APT-Q-38
