Wednesday, May 14, 2025
HomeCyber AttackOperation DevilTiger, APT Hackers 0-Day Exploitation Tactics Exposed

Operation DevilTiger, APT Hackers 0-Day Exploitation Tactics Exposed

Published on

SIEM as a Service

Follow Us on Google News

The APT-Q-12 group, also known as Pseudo Hunter, is a Northeast Asian threat actor linked to Darkhotel, which primarily targets East Asian countries, including China, North Korea, Japan, and South Korea. 

They employ sophisticated techniques to infiltrate systems and steal sensitive data by use of various plug-ins, such as Durain and Peach, demonstrating their adaptability and ability to tailor their attacks to specific targets.

uploads all the documents

APT-Q-12 employs sophisticated email probes to gather information about potential victims, including their email platforms, devices, and office software. 

- Advertisement - Google News

By embedding malicious content in emails disguised as advertisements or subscriptions, the attackers capture user-agent information to identify email brands and platforms. 

To differentiate between WPS and Word, they utilize web control objects in mhtml files and template injection techniques and the collected information is shared among APT groups in Northeast Asia to facilitate targeted zero-day attacks.

differentiated detection methods

It exploited a 0-day vulnerability in a Win platform mail client, likely using an XSS attack.

The email triggered a malicious script hidden within the title field that downloaded a weaponized LNK file disguised as an image. 

The report says that this LNK dropped a Trojan called s.mui, which checked out the system settings and downloaded another payload called ~StaticCache-System.dat. This one set up persistence through COM hijacking and then got a second payload called MMDevAPI.mui, which is a known APT-Q-12 remote access tool.

The attackers also deployed a suite of plugins for espionage, including keylogging, browser steganography for credential theft, screenshot capture, and a reverse tunneling tool for data exfiltration.

keylogs.APT-Q-12

The 0-day vulnerability in the Android platform mail client exploited by APT-Q-14 leverages a ClickOnce attack vector to execute malicious code within attachments. 

By parsing an XSS vulnerability in the mail structure, the attacker triggers the execution of the internal interface, leading to the execution of the malicious program (0o0o.apk), which establishes a connection with a C2 server for long-term control of the target device, downloading a payload that reads and uploads email data to the C2 domain. 

Establishing a connection with the C2 server

The attack aims to spy on information related to trade between China and North Korea, which highlights the advanced cyber capabilities of attackers in the Korean Peninsula and the potential for significant impacts on both sides and neighboring countries.

The QiAnXin Threat Intelligence Center provides threat intelligence data that is used in their security products to identify malicious activity, which includes indicators of compromise (IOCs), such as MD5 hashes and URLs. 

The MD5 hashes can be used to identify specific malware files, while the URLs are known to be malicious, while the security products can also detect communication with command and control (C2) servers, although a specific IP address mentioned is no longer active.  

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Raga Varshini
Raga Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

Threat Actors Leverage Weaponized HTML Files to Deliver Horabot Malware

A recent discovery by FortiGuard Labs has unveiled a cunning phishing campaign orchestrated by...

TA406 Hackers Target Government Entities to Steal Login Credentials

The North Korean state-sponsored threat actor TA406, also tracked as Opal Sleet and Konni,...

Google Threat Intelligence Releases Actionable Threat Hunting Technique for Malicious .desktop Files

Google Threat Intelligence has unveiled a series of sophisticated threat hunting techniques to detect...

New Adobe Photoshop Vulnerability Enables Arbitrary Code Execution

Adobe has released critical security updates addressing three high-severity vulnerabilities (CVE-2025-30324, CVE-2025-30325, CVE-2025-30326) in...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

TA406 Hackers Target Government Entities to Steal Login Credentials

The North Korean state-sponsored threat actor TA406, also tracked as Opal Sleet and Konni,...

Researchers Unveil New Mechanism to Track Compartmentalized Cyber Threats

Cisco Talos, in collaboration with The Vertex Project, has introduced an innovative approach to...

Healthcare Cyberattacks in 2024 Expose 276 Million Patient Records Compromised

The healthcare sector faced an unprecedented wave of cyber threats, with a staggering 92%...