Unveiling Swan Vector APT Targeting Taiwan and Japan with varied DLL Implants

Seqrite Labs uncovered a sophisticated multi-stage malware campaign named Swan Vector targeting educational and mechanical engineering sectors in Taiwan and Japan, using fake candidate resumes as decoys. This campaign employs techniques such as DLL sideloading, API hashing, and Cobalt Strike shellcode delivered via Google Drive-based command and control.

Key points

  • The infection starts with a malicious LNK file that triggers execution of a DLL implant named Pterois via the legitimate Windows binary rundll32.exe.
  • Pterois uses API hashing and abuses Google Drive API with OAuth authentication to download further payloads and deploy decoy PDF resumes in Japanese.
  • The second stage implant, Isurus, leverages DLL sideloading with a legitimate signed executable (PrintDialog.exe) to load and execute encrypted shellcode from a configuration file.
  • The final payload is a Cobalt Strike beacon shellcode deployed using direct syscalls to evade detection and inject into legitimate system processes.
  • The threat actor’s infrastructure heavily relies on Google Drive as a command-and-control platform, exposing sensitive API keys and additional malicious binaries.
  • Attribution analysis links the campaign with East Asian threat groups, showing TTP overlaps with Winnti, Lazarus, and APT10 groups with medium confidence.
  • The threat actor employs multiple sophisticated evasion and persistence techniques such as API hashing, self-deletion, DLL sideloading, and LOLBin abuse targeting Japan and Taiwan.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Initial malicious LNK file delivered disguised as a PDF shortcut. (“malicious LNK file… responsible for running the DLL payload”)
  • [T1129] Shared Modules – Usage of DLL implants Pterois and Isurus loaded via legitimate binaries.
  • [T1106] Native API – Use of direct Windows API resolution and calls within implants for stealthy execution.
  • [T1204.002] Malicious File – Execution of user-triggered malicious LNK file.
  • [T1574.001] DLL Sideloading – Isurus implant abuses PrintDialog.exe to sideload malicious DLL.
  • [T1055.003] Thread Execution Hijacking – Execution of shellcode via thread manipulation.
  • [T1055.004] Asynchronous Procedure Call – Shellcode executed in memory using APC injection techniques.
  • [T1218.011] Rundll32 – Execution of malicious DLL via rundll32.exe LOLBin.
  • [T1027.007] Dynamic API Resolution – API functions resolved dynamically via hashing algorithms within implants.
  • [T1027.012] LNK Icon Smuggling – Malicious LNK file used to deceive user into execution.
  • [T1027.013] Encrypted/Encoded File – Shellcode and configuration files encrypted (RC4) and decrypted in memory.
  • [T1070.004] File Deletion – Self-deletion of implant using delayed cmd.exe ping technique.
  • [T1102] Web Service – Abuse of Google Drive API as command-and-control server for payload delivery.
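The key points and the MITRE mapping above describe three host-side behaviours a detection engineer can look for without any sample in hand: rundll32.exe being handed a module whose extension is not a DLL (the Chen_YiChun.png implant), the delayed cmd.exe ping-then-del self-deletion, and a signed sideloading host such as PrintDialog.exe running from a directory outside the Windows tree. The following is an added example written for this summary, not code from Seqrite Labs or from the write-up; the Sysmon-style field names, the sample command lines and the file paths in the events are constructed assumptions for illustration.

```python
"""Added example (not from the Seqrite write-up): flag three process-creation
patterns described in the Swan Vector summary over constructed Sysmon-style
Event ID 1 records. Field names, paths and command lines are assumptions."""
import ntpath
import re
from typing import Dict, List

# Constructed sample events, reduced to the three fields the rules need.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 0: rundll32 loading a ".png" that is really a DLL (LNK -> Pterois stage)
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\u\Downloads\Chen_YiChun.png,DllMain",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 1: self-deletion through a ping delay followed by del
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\u\Downloads\Chen_YiChun.png"',
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    # 2: signed sideloading host copied to a user-writable directory
    {"Image": r"C:\Users\u\AppData\Local\Temp\PrintDialog.exe",
     "CommandLine": r"PrintDialog.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    # 3: benign rundll32 use (module is a real DLL)
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 4: benign PrintDialog.exe from a location under C:\Windows (assumed path)
    {"Image": r"C:\Windows\System32\PrintDialog\PrintDialog.exe",
     "CommandLine": r"PrintDialog.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Extensions rundll32 is legitimately asked to load; anything else is suspicious.
DLL_LIKE_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
# Signed binaries named in the write-up as sideloading hosts.
SIDELOAD_HOSTS = {"printdialog.exe"}

# "rundll32[.exe] <module>,<export>" -> capture <module> (quoted or not).
MODULE_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<module>[^",]+?)"?\s*,', re.IGNORECASE)
# "ping ... -n <count> ... & del" -> the classic delayed self-delete one-liner.
PING_DEL_RE = re.compile(r"\bping\b.*?\s-n\s+\d+.*?&+\s*del\b", re.IGNORECASE)


def rundll32_non_dll_module(ev: Dict[str, str]) -> bool:
    """rundll32.exe asked to load a module whose extension is not DLL-like."""
    if ntpath.basename(ev["Image"]).lower() != "rundll32.exe":
        return False
    m = MODULE_RE.search(ev["CommandLine"])
    if not m:
        return False
    ext = ntpath.splitext(m.group("module"))[1].lower()
    return ext not in DLL_LIKE_EXTENSIONS


def ping_delay_self_delete(ev: Dict[str, str]) -> bool:
    """cmd.exe running a ping delay chained into del (implant self-deletion)."""
    if ntpath.basename(ev["Image"]).lower() != "cmd.exe":
        return False
    return PING_DEL_RE.search(ev["CommandLine"]) is not None


def sideload_host_outside_windows(ev: Dict[str, str]) -> bool:
    """A known sideloading host executing from outside the Windows directory."""
    image = ev["Image"]
    if ntpath.basename(image).lower() not in SIDELOAD_HOSTS:
        return False
    return not ntpath.dirname(image).lower().startswith("c:\\windows\\")


RULES = {
    "rundll32_non_dll_module": rundll32_non_dll_module,
    "ping_delay_self_delete": ping_delay_self_delete,
    "sideload_host_outside_windows": sideload_host_outside_windows,
}


def detect(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires on a single event."""
    return [name for name, rule in RULES.items() if rule(ev)]


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> fired rules, keeping only events with at least one hit."""
    hits = {i: detect(ev) for i, ev in enumerate(events)}
    return {i: names for i, names in hits.items() if names}


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(names)} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Each rule keys on the process image rather than on the command line alone, so a command line that merely mentions rundll32 (as the self-delete line mentions the .png path) does not trip the wrong rule, and the benign rundll32 and PrintDialog.exe events are left alone. In production the parent-child chain (rundll32.exe spawning cmd.exe or PrintDialog.exe) is a useful second signal to correlate on.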

Indicators of Compromise

  • [Filename] Decoy PDFs – rirekisho2021_01.pdf, rirekisho2025.pdf (used as CV decoys)
  • [Filename] Malicious Implants – Chen_YiChun.png (DLL implant), PrintDialog.dll, wbemcomn.dll (malicious DLLs)
  • [Filename] Suspicious Config Files – ra.ini, 0g9pglZr74.ini (encrypted shellcode containers)
  • [IP Address] Cobalt Strike C2 Server – 52.199.49.4:7284 (host located in Japan, ASN 16509)
  • [Google Drive File IDs] Malicious payload repository – various file IDs used for implant delivery including 1LwalLoUdSinfGqYUx8vBCJ3Kqq_LCxIg (PDF), 1VMrUQlxvKZZ-fRyQ8m3Ai8ZEhkzE3g5T (PrintDialog.dll)

Read more: https://www.seqrite.com/blog/swan-vector-apt-targeting-taiwan-japan-dll-implants/