UTG-Q-010 (APT) – Threat Actor

UTG-Q-010
Date of Initial Activity	2024
Location	East Asia
Suspected Attribution	APT
Motivation	Cyberwarfare
Software	Windows

Overview

The UTG-Q-010 threat group, identified by QiAnXin Threat Intelligence Center, represents a highly organized and financially motivated cybercriminal collective. Based in East Asia, UTG-Q-010 has been targeting organizations in the AI and gaming industries, deploying sophisticated and well-orchestrated attacks to infiltrate their networks. Characterized by its use of advanced social engineering techniques, the group primarily leverages phishing campaigns to deliver malicious payloads, with the ultimate goal of exfiltrating valuable data and compromising sensitive systems. Their operations are distinguished by a meticulous approach that combines human manipulation with technical expertise, making them a significant threat to both corporate entities and individuals within these sectors.

Operating through targeted phishing emails, UTG-Q-010 capitalizes on the trust inherent in job recruitment processes. The group sends seemingly innocuous emails to HR departments, often containing encrypted attachments disguised as resumes or job applications. These attachments, however, are laced with malicious lnk files designed to exploit vulnerabilities in the target’s system. Once executed, these files release a series of malicious payloads that allow the attackers to establish an initial foothold within the victim’s network. From there, UTG-Q-010 deploys more complex malware, including the MoinDownloader and Python-based Remote Access Trojans (RATs), enabling them to gain full control over compromised systems and exfiltrate critical information.

Common targets

Information

Individuals

China

Attack Vectors

Phishing

Software Vulnerabilities

How they operate

At the core of UTG-Q-010’s attack methodology is the use of phishing emails, which are carefully crafted to appear legitimate. These emails often target HR departments within organizations, offering seemingly innocuous content such as job applications or resumes. The attachments in these emails are typically encrypted lnk files, which, when executed, trigger the initial stages of the attack. Upon opening the lnk file, a malicious payload is released. One of the most common payloads used by UTG-Q-010 is a downloader known as MoinDownloader, which is encoded within a faultrep.dll file. This file is copied to the victim’s %temp% directory along with another file, werFault.exe, which helps maintain persistence on the infected system.

Once activated, MoinDownloader begins its primary task: downloading further malicious payloads from a remote server. The attacker-controlled server typically uses a C2 (Command and Control) address, such as hxxps://chemdl.ioskaishi.live/down_xia.php, to fetch encrypted files. After decryption, the downloaded payload is executed, which is often a remote access tool (RAT) like Pupy RAT. Pupy RAT, a Python-based RAT, allows the attackers to remotely control the compromised system, execute arbitrary commands, exfiltrate sensitive data, and maintain persistent access without detection. The RAT communicates with its C2 server, which may be located at 103.79.76.40:8443, facilitating ongoing control over the infected environment.

In addition to traditional phishing and malware delivery methods, UTG-Q-010 has also demonstrated technical agility in targeting mobile platforms, specifically Android devices. The group has utilized watering hole attacks—where they compromise websites frequented by their intended victims—to deliver malicious APK files. These APK files are often disguised as legitimate applications related to cryptocurrency or AI, and they contain malware from the Ermac family. The malware injects malicious code into legitimate APK files, allowing the attackers to gain control over the device. The C2 server for these mobile attacks is typically a domain such as conn.phmdbad.live, and data from passive DNS investigations suggests that many of the victims are located in regions with home broadband networks, which adds another layer of complexity to their infrastructure.

Through these diverse techniques, UTG-Q-010 has demonstrated a high level of sophistication in its attacks, combining traditional phishing tactics with advanced malware deployment and mobile platform exploitation. The group’s ability to target both corporate networks and individual mobile devices illustrates their technical prowess and their focus on financially motivated objectives, such as data theft, ransomware, or further exploitation of compromised systems. As this group continues to evolve, their tactics may become even more refined, posing an ongoing threat to industries across East Asia and beyond.

References: