Operation DevilTiger, APT Hackers 0-Day Exploitation Tactics Exposed

The APT-Q-12 group, also known as Pseudo Hunter, is a Northeast Asian threat actor linked to Darkhotel, which primarily targets East Asian countries, including China, North Korea, Japan, and South Korea. 

They employ sophisticated techniques to infiltrate systems and steal sensitive data by use of various plug-ins, such as Durain and Peach, demonstrating their adaptability and ability to tailor their attacks to specific targets.

uploads all the documents

APT-Q-12 employs sophisticated email probes to gather information about potential victims, including their email platforms, devices, and office software. 

By embedding malicious content in emails disguised as advertisements or subscriptions, the attackers capture user-agent information to identify email brands and platforms. 

To differentiate between WPS and Word, they utilize web control objects in mhtml files and template injection techniques and the collected information is shared among APT groups in Northeast Asia to facilitate targeted zero-day attacks.

differentiated detection methods

It exploited a 0-day vulnerability in a Win platform mail client, likely using an XSS attack.

The email triggered a malicious script hidden within the title field that downloaded a weaponized LNK file disguised as an image. 

The report says that this LNK dropped a Trojan called s.mui, which checked out the system settings and downloaded another payload called ~StaticCache-System.dat. This one set up persistence through COM hijacking and then got a second payload called MMDevAPI.mui, which is a known APT-Q-12 remote access tool.

The attackers also deployed a suite of plugins for espionage, including keylogging, browser steganography for credential theft, screenshot capture, and a reverse tunneling tool for data exfiltration.

keylogs.APT-Q-12

The 0-day vulnerability in the Android platform mail client exploited by APT-Q-14 leverages a ClickOnce attack vector to execute malicious code within attachments. 

By parsing an XSS vulnerability in the mail structure, the attacker triggers the execution of the internal interface, leading to the execution of the malicious program (0o0o.apk), which establishes a connection with a C2 server for long-term control of the target device, downloading a payload that reads and uploads email data to the C2 domain. 

Establishing a connection with the C2 server

The attack aims to spy on information related to trade between China and North Korea, which highlights the advanced cyber capabilities of attackers in the Korean Peninsula and the potential for significant impacts on both sides and neighboring countries.

The QiAnXin Threat Intelligence Center provides threat intelligence data that is used in their security products to identify malicious activity, which includes indicators of compromise (IOCs), such as MD5 hashes and URLs. 

The MD5 hashes can be used to identify specific malware files, while the URLs are known to be malicious, while the security products can also detect communication with command and control (C2) servers, although a specific IP address mentioned is no longer active.  

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Raga Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

White House Considers Oracle-Led Takeover of TikTok with U.S. Investors

In a significant development, the Trump administration is reportedly formulating a plan to prevent a…

8 minutes ago

Critical Vulnerability in IBM Security Directory Enables Session Cookie Theft

IBM has announced the resolution of several security vulnerabilities affecting its IBM Security Directory Integrator…

34 minutes ago

Critical Apache Solr Vulnerability Grants Write Access to Attackers on Windows

A new security vulnerability has been uncovered in Apache Solr, affecting versions 6.6 through 9.7.0.…

39 minutes ago

GitHub Vulnerability Exposes User Credentials via Malicious Repositories

A cybersecurity researcher recently disclosed several critical vulnerabilities affecting Git-related projects, revealing how improper handling…

1 hour ago

Critical Isolation Vulnerability in Intel Trust Domain Extensions Exposes Sensitive Data

Researchers from IIT Kharagpur and Intel Corporation have identified a significant security vulnerability in Intel…

1 hour ago

Burp Suite 2025.1 Released, What’s New!

Burp Suite 2025.1, is packed with new features and enhancements designed to improve your web…

5 hours ago