APT-Q-12, also known as Pseudo Hunter, is a Chinese APT group targeting entities in Northeast Asia. The group uses complex email probes and 0-day vulnerabilities in mail clients, along with various plugins, to collect intelligence and exfiltrate data, often overlapping with the Darkhotel operation. Hashtags: #APTQ12 #PseudoHunter #Darkhotel #NortheastAsia #WinPlatformMailClient0day #AndroidPlatform0day

Keypoints

  • APT-Q-12 targets Northeast Asian countries including China, North Korea, Japan, and South Korea, with overlaps to the Darkhotel organization.
  • Active since at least 2017, the group uses multiple plug-ins for espionage, such as keyloggers and browser steganography.
  • The operation includes sophisticated methods to probe and collect data about victims’ email platforms and office software (e.g., detecting WPS vs Word).
  • Recent campaigns exploit 0day vulnerabilities in Windows and Android mail clients to deliver payloads.
  • Intelligence objectives focus on semiconductor competition and political propaganda.
  • Threat intelligence notes the use of loader/downloader Trojans and C2 channels, with data encryption to evade detection.

MITRE Techniques

  • [T1003] Credential Dumping – Keyloggers capture credentials from victims. [‘uses keyloggers to capture sensitive information from victims.’]
  • [T1203] Exploitation for Client Execution – Delivers payloads by exploiting vulnerabilities in email clients. [‘Exploits vulnerabilities in email clients to deliver payloads.’]
  • [T1071] Command and Control – Uses C2 servers for remote control and data exfiltration. [‘Utilizes C2 servers for remote control and data exfiltration.’]
  • [T1041] Data Encrypted – Encrypts captured data to evade detection. [‘Encrypts captured data to evade detection.’]

Indicators of Compromise

  • [MD5] context – First-stage downloader and Trojan indicators – 764c7b0cdc8a844dc58644a32773990e, 59cd91c8ee6b9519c0da27d37a8a1b31, and 2 more hashes
  • [URL] context – Probe/download links – hxxps://bitbucket.org/noelvisor/burdennetted/downloads/OAQDDI32.bmp, hxxps://bitbucket.org/poppedboy/bovrilchant/downloads/32.bmp
  • [Domain] context – Tracking domains – web-oauth.com, c.statcounter.com/12830663/0/0ee00a3c/1/
  • [IP] context – C2 server – 82.118.27.129:80

Read more: https://ti.qianxin.com/blog/articles/operation-deviltiger-0day-vulnerability-techniques-and-tactics-used-by-apt-q-12-disclosed-en/