The hacker collective tracked as UTG-Q-015 has significantly escalated its tactics against government and enterprise web servers.
First exposed in December 2024 for its watering-hole activities against major platforms including CSDN, the group has since abandoned conventional methods for more complex intrusion techniques involving both zero-day and known vulnerabilities.
According to technical intelligence from a Qi’anxin report, UTG-Q-015 launched a new campaign in March, deploying a fresh fleet of scanning nodes specifically designed to conduct brute-force attacks against publicly accessible web servers belonging to government agencies and corporations.
Target Expansion
The threat landscape evolved further in April, with UTG-Q-015 conducting broad watering-hole operations targeting blockchain projects, digital signature management systems, bitcoin backend portals, and GitLab infrastructures.
More than a hundred sites across these sectors have reportedly been compromised.
Their attacks commonly involved the deployment of JavaScript-based phishing payloads: when unsuspecting users visited targeted pages, they were prompted with fraudulent update notifications, leading to the download of malicious executables from attacker-controlled URLs such as updategoogls.cc and safe-controls.oss-cn-hongkong.aliyuncs.com.

In addition to traditional enterprise targets, the group shifted attention to the financial sector, leveraging a multi-phase attack chain.
Initial footholds were achieved through undisclosed web vulnerabilities, enabling attackers to infiltrate perimeter servers.
Subsequently, social engineering tactics were employed via instant messaging, where victims were lured into executing disguised downloader payloads.
These payloads, in turn, communicated with command and control (C2) servers to retrieve and deploy advanced backdoors within internal networks.
The AI sector was not spared. Researchers observed UTG-Q-015 exploiting vulnerabilities in Linux-based AI environments, notably through the unauthorized-access flaw in the ComfyUI-Manager plugin.
This route was used to deliver malicious model files, culminating in the installation of the Vshell backdoor.
Earlier incidents in February and April 2025 also involved the use of CVE-2023-48022 against AI research servers, where attackers executed shell commands to deploy persistent plugins and establish long-term espionage footholds.

Outsourcing Wars
Contrary to the Western characterization of “Chinese-speaking attackers” as a monolithic entity, the threat actor landscape is diverse, with UTG-Q-015 operating from Southeast Asia and providing penetration and intelligence services regionally.
Competition and ideological rifts exist between regional groups, as illustrated by UTG-Q-015’s deliberate retaliation against domestic programming forums, an act described as both a form of outsourcing warfare and an expression of deeper political and ideological discord.
Qi’anxin security experts recommend that enterprises and government units enhance their security posture by enabling advanced cloud-based threat detection and response mechanisms.
Existing products, including the Qi’anxin Threat Intelligence Platform (TIP), SkyRock, and NGSOC, have already integrated indicators to detect UTG-Q-015’s tactics and tooling.