UNG0002 Cyberattacks Target China and Hong Kong with Advanced Malware in Shocking Espionage Campaign
Custom malware loaders and spear-phishing campaigns attributed to North Korea’s UNG0002 reveal an unexpected cyber offensive against Chinese and Hong Kong targets, signaling evolving digital espionage tensions in East Asia.
North Korea’s UNG0002 Group Hacks China and Hong Kong Using Sophisticated Malware Toolset
By an International Cybersecurity Correspondent
July 19, 2025 | Global
In a rare and high-stakes cyber offensive, the North Korean state-sponsored threat group UNG0002 has been implicated in a targeted espionage campaign aimed at Chinese and Hong Kong government-affiliated institutions. Disclosed by Elastic Security Labs, this campaign represents a major geopolitical curveball in the typically aligned digital posturing of Beijing and Pyongyang.
The attackers deployed custom-built malware loaders and exfiltration tools under the radar of conventional security infrastructure, primarily targeting academic, policy research, and pro-government organizations across Hong Kong and mainland China.
“These operations reflect a calculated cyberstrike using advanced tradecraft designed to undermine digital trust and harvest confidential data,” said Samir Patel, malware analyst at Elastic Security Labs.
🔍 Technical Attack Chain and Toolset
1. Initial Access via Spear-Phishing
- Victims received well-crafted phishing emails impersonating academic conferences or government-backed research grants.
- Emails contained malicious Word documents with embedded macros or external links to compromised servers.
Example lure:
Subject: “Call for Papers – China Strategic Dialogue 2024”
Attachment: StrategicAgenda2024.docm
2. Payload: RIFLESPINE Loader
- RIFLESPINE is a custom malware loader used to inject and execute secondary payloads.
- It establishes persistence using:
  - Scheduled tasks (schtasks) or registry run keys
  - Obfuscated payloads stored in %APPDATA%\SystemRifle
Example registry entry:
```powershell
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v rifleloader /t REG_SZ /d "%APPDATA%\rifle.exe"
```
- C2 communications via:
  - HTTPS POST requests with encrypted payloads
  - Fallback to DNS tunneling when outbound traffic is restricted
3. Secondary Malware: THORNBUSH
- Launched by RIFLESPINE after initial infection
- Capabilities include:
  - Credential theft using LSASS memory scraping
  - File enumeration and exfiltration via hidden RAR archives
  - Clipboard monitoring
  - Screenshot capture
Example PowerShell for data staging:
```powershell
Compress-Archive -Path C:\Users\victim\Documents\*.docx -DestinationPath C:\Temp\research.zip
```
- Exfiltration uses outbound HTTPS to compromised C2 servers such as:
  - bhkg.academiaj[.]org
  - kxuniversity1[.]cn
4. Detection Evasion
- Uses filename randomization and timestomping to avoid sandbox detection.
- Payloads mimic legitimate system processes: svch0st.exe, expl0rer.exe, dllhost32.exe
- Malware signatures found:
  - RIFLESPINE: 39FEC59EE2848FC484A3B1B1348046
  - THORNBUSH: 352E2928EEFDADCA24865C9FB1636F
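The Run-key persistence described under the RIFLESPINE loader and the look-alike process names listed above are both cheap to catch in endpoint telemetry. The Python below is an added example, not code from the article or from Elastic Security Labs: it scans constructed process and registry events for image names that differ from a core Windows binary only by digit-for-letter swaps or an appended number, and for Run-key values that launch an executable from a user-writable directory. The event format, the list of legitimate binaries and the sample events are assumptions made for the example.

```python
import re
from typing import Optional

# Core Windows binaries the page says the payloads imitate (assumed, not exhaustive).
LEGIT_BINARIES = {"svchost.exe", "explorer.exe", "dllhost.exe", "lsass.exe", "csrss.exe"}

# Digits commonly substituted for look-alike letters (0 for o, 1 for l, 3 for e).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e"})

# Path markers that make a Run-key executable suspicious (user-writable locations).
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "\\appdata\\", "\\temp\\")

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\?$", re.IGNORECASE)


def lookalike_of(name: str) -> Optional[str]:
    """Return the legitimate binary that `name` imitates, or None if it is clean."""
    name = name.lower()
    if name in LEGIT_BINARIES:
        return None
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    # dllhost32 -> dllhost (drop appended digits), then svch0st -> svchost (undo swaps)
    candidate = re.sub(r"\d+$", "", stem).translate(HOMOGLYPHS)
    candidate = f"{candidate}.{ext}" if ext else candidate
    return candidate if candidate in LEGIT_BINARIES else None


def suspicious_run_value(key: str, data: str) -> bool:
    """Flag a Run-key value whose command points into a user-writable directory."""
    return bool(RUN_KEY.search(key)) and any(m in data.lower() for m in USER_WRITABLE)


# Constructed sample telemetry for the example; not indicators from the report.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "image": r"C:\Users\victim\AppData\Roaming\svch0st.exe"},
    {"type": "process", "image": r"C:\Users\victim\AppData\Roaming\expl0rer.exe"},
    {"type": "process", "image": r"C:\Windows\Temp\dllhost32.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "rifleloader", "data": r"%APPDATA%\rifle.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]


def scan_events(events) -> list:
    """Return one finding string per suspicious process image or Run-key value."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            name = ev["image"].rsplit("\\", 1)[-1]
            legit = lookalike_of(name)
            if legit:
                findings.append(f"lookalike process {name} imitates {legit}: {ev['image']}")
        elif ev["type"] == "registry" and suspicious_run_value(ev["key"], ev["data"]):
            findings.append(f"Run-key persistence '{ev['value']}' -> {ev['data']}")
    return findings
```

Feeding real Sysmon event 1 (process create) and event 13 (registry value set) records into `scan_events` after mapping them onto the same dict shape gives the equivalent check on live data.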
🧠 Attribution and Motivation
UNG0002 is believed to be linked to North Korea’s Reconnaissance General Bureau (RGB). Historically, it has focused on espionage against South Korea, the U.S., and financial institutions. The pivot to targeting Chinese organizations is viewed as a strategic realignment or a possible false-flag operation to mislead attribution.
“The sophistication and stealth here suggest this was not a one-off probe—it was a long-term intelligence-gathering mission,” said Dr. Liu Wen, digital forensics expert at Nankai University.
🌐 Impact and Broader Significance
- The attacks compromised at least six academic and research institutions and triggered security reviews in Hong Kong’s Cyber Security and Technology Crime Bureau.
- Chinese CERT teams have responded by:
- Isolating affected endpoints
- Issuing IOCs
- Recommending full credential resets and memory scans
“This breach could chill digital collaboration between China and North Korea, especially in politically sensitive zones like Hong Kong,” said Lydia Wong, senior fellow at the Asia Cyber Risk Forum.
The incident also raises urgent questions about regional cybersecurity trust in East Asia, where formal alliances may not translate to digital restraint.
📎 Source
This article is based on technical and threat intelligence reporting from The Hacker News – July 2025 and Elastic Security Labs’ official publication on UNG0002’s malware framework and campaign timeline.