
2025-01-20 By RedDrip Team | Event Tracking

The new OceanLotus group first appeared in mid-2022, went dormant at the end of 2023, became active again in November 2024 and was quickly stopped. This article shares an analysis of the new OceanLotus group's in-memory tactics and techniques and, through two waves of 0day supply-chain incidents in March 2024, ultimately confirms that the attackers are located in the UTC+7 time zone.
APT SOUTHEAST ASIA OCEANLOTUS

2024-11-04 By QiAnXin Threat Intelligence Center | Event Tracking

The QiAnXin Threat Intelligence Center has discovered that the new OceanLotus group (APT-Q-31) has recently become active again and is employing a new technique of MSI file abuse; this is the first time the technique has been captured in domestic APT campaigns targeting government and enterprises. The two OceanLotus attack sets share attack resources but have completely different TTPs. The new OceanLotus group was last active in late 2023.
APT SOUTHEAST ASIA OCEANLOTUS MSI TRANSFORMS


2024-10-16 By QiAnXin Threat Intelligence Center | Event Tracking

The QiAnXin Threat Intelligence Center has recently discovered a batch of unusual CHM files in which the embedded HTML is very simple and only executes an external file, which results in a very low number of VT detections. Based on the similarity of the malicious samples, this article suggests that these CHM attack samples and the C# backdoor most likely come from the Mysterious Elephant group.
APT SOUTH ASIA MYSTERIOUS ELEPHANT


2024-10-12 By QiAnXin Threat Intelligence Center | Event Tracking

The Bitter group has deployed a new trojan, MiyaRat, with domestic users as its primary targets. Bitter has been trying a variety of AV-evasion methods this year: loading the Havoc framework through PowerShell in June, and directly distributing the information-stealing plugin it had been using since 2018 in July, both with unsatisfactory results; it finally distributed a brand-new trojan, MiyaRat, in September, which we still successfully captured.
APT SOUTHERN ASIA BITTER


2024-08-26 By RedDrip Team | Event Tracking

Attackers often conduct very complex information collection before launching vulnerability-based attacks. APT-Q-12 uses multiple sets of complex email probes and periodically delivers probe emails to the target in order to collect the victim's usage habits and behaviour patterns, including the email platforms and brands they commonly use, and it handles different Office products differently.
APT NORTHEAST ASIA APT-Q-12


2024-08-23 By RedDrip Team | Event Tracking

Recently we discovered a new variant of the Patchwork group's Spyder downloader and observed attackers using Spyder to distribute two information-stealing components, used to capture screenshots and to collect file information respectively. Although the core function of the Spyder downloader is unchanged (it still extracts subsequent components from a remotely downloaded encrypted ZIP package and executes them), some changes have been made to the code structure and the C2 communication format. The following describes the attack process of the Spyder downloader and the information-stealing components discovered this time.
APT SOUTH ASIA PATCHWORK
