Operation Cobalt Whisper: Threat Actor Targets Multiple Industries Across Hong Kong and Pakistan.
AI Analysis
Technical Summary
Operation Cobalt Whisper is a low-severity cyber threat campaign identified through open-source intelligence (OSINT) that targets multiple industries primarily in Hong Kong and Pakistan. The threat actor employs a multi-faceted attack approach leveraging spearphishing with malicious attachments (MITRE ATT&CK T1566.001), delivery of malicious files (T1204.002), and execution of Visual Basic scripts (T1059.005). Persistence is maintained through scheduled tasks (T1053.005), and the attacker uses portable executable injection techniques (T1055.002) to evade detection and maintain a foothold. The campaign includes system owner/user discovery (T1033) to gather information about compromised environments and uses web protocols (T1071.001) for command and control communications. The targeted sectors are diverse, including academia, civil aviation, defense, electric and energy utilities, engineering, environmental organizations, IT security firms, pharmacy, and security actors, indicating a broad strategic interest in critical infrastructure and sensitive information. While no specific vulnerabilities or exploits have been identified, the campaign’s use of spearphishing and malicious file execution highlights the reliance on social engineering and user interaction to initiate compromise. The absence of patch availability and known exploits in the wild suggests this is an emerging or ongoing threat rather than a vulnerability with a known fix. The campaign’s low severity rating reflects the limited impact or sophistication observed to date but does not preclude escalation or broader targeting in the future.
Potential Impact
For European organizations, the direct impact of Operation Cobalt Whisper may currently be limited due to its geographic focus on Hong Kong and Pakistan. However, the sectors targeted—such as civil aviation, defense, energy, and IT security—are critical and have global interdependencies. European entities operating in or with partners in these regions could face indirect risks, including supply chain compromise, espionage, or disruption of services. The use of spearphishing and malicious attachments poses a risk to user credentials and network integrity, potentially leading to data breaches, intellectual property theft, or operational disruptions. Given the campaign’s targeting of multi-sector environments, European organizations in similar sectors should be vigilant against similar tactics, as threat actors often adapt campaigns to new regions. The persistence and stealth techniques employed could enable prolonged unauthorized access, increasing the risk of data exfiltration and sabotage. The low severity rating suggests current impact is limited, but the potential for escalation or expansion into Europe exists, especially in sectors with strategic importance or geopolitical relevance.
Mitigation Recommendations
European organizations should implement targeted defenses against spearphishing and malicious file attacks beyond generic advice. This includes deploying advanced email filtering solutions capable of detecting and quarantining spearphishing attempts with malicious attachments, and employing sandboxing technologies to analyze suspicious files before delivery. Endpoint detection and response (EDR) tools should be configured to monitor for execution of Visual Basic scripts and unusual scheduled tasks indicative of persistence mechanisms. Network monitoring should focus on detecting anomalous web protocol traffic that could signal command and control communications. User training programs must emphasize recognition of spearphishing tactics specific to the sectors targeted, including simulation exercises tailored to the threat actor’s methods. Organizations should enforce strict application whitelisting to prevent unauthorized execution of injected portable executables and implement least privilege principles to limit the impact of compromised accounts. Regular audits of scheduled tasks and system owner/user discovery activities can help identify early signs of compromise. Collaboration with national cybersecurity centers and sharing of threat intelligence related to Operation Cobalt Whisper can enhance detection and response capabilities.
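The detection recommendations above (anomalous web traffic to the listed command and control hosts, and file hashes from the IoC list) can be turned into a small offline sweep. The following is an added example written for this page; it is not tooling from SEQRITE or from the feed that produced this record. The indicator values are copied from the IoC list below (a subset); the proxy log format, the log lines and the file-hash inventory are constructed here to exercise the matcher. Treating the numeric segment of the hostnames (1319584009 / 1325935989) as an account identifier shared across the actor's gateways is an assumption drawn from the listed values, so matches on that pattern alone are reported at medium confidence only.

```python
"""
Offline IoC sweep for the Operation Cobalt Whisper indicators on this page.

Added example (not SEQRITE's or the feed's code). Indicator values come from
the page; log lines, the log format and the file inventory are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Exact-match indicators copied from the page's IoC list (subset).
C2_DOMAINS = {
    "service-a8vp3r65-1319584009.cd.tencentapigw.com",
    "service-c2y0jtba-1319584009.gz.tencentapigw.com.cn",
    "service-qgezbin5-1319584009.sh.tencentapigw.com",
    "service-b4ibcyjt-1325935989.sh.tencentapigw.com",
}
C2_IPS = {"43.137.69.76", "139.155.190.198", "139.155.190.84"}
MD5_HASHES = {
    "86543a984e604430fb7685a1e707b2c4",  # 科学技术奖填报说明和奖励办法修订版.rar
    "0a34cc8983fb581a59308135868b75d0",  # O365.vbs
    "5d18995193465c618844949f0ff9c786",  # cache.vbs (listed twice on the page)
}

# ASSUMPTION: the trailing number is an account id reused across the actor's
# gateways. The parent domain is a shared cloud API-gateway service, so we never
# match on "tencentapigw.com" alone; only this narrower shape gets a medium score.
ACCOUNT_ID_RE = re.compile(
    r"^service-[a-z0-9]+-(1319584009|1325935989)\.[a-z]+\.tencentapigw\.com(\.cn)?$"
)


@dataclass
class Hit:
    kind: str        # "domain", "ip", "domain-pattern", "hash"
    value: str       # the indicator that matched
    confidence: str  # "high" for exact IoC matches, "medium" for the pattern tier
    source: str      # the log line or file path that produced the hit


def extract_host(target: str) -> str:
    """Hostname from an absolute URL or from a CONNECT 'host:port' target."""
    target = target.lower()
    if "://" in target:
        target = target.split("://", 1)[1]
    return target.split("/", 1)[0].split(":", 1)[0]


def classify_host(host: str) -> Optional[tuple[str, str]]:
    """Return (kind, confidence) for a hostname, or None when it is not an IoC."""
    if host in C2_DOMAINS:
        return ("domain", "high")
    if host in C2_IPS:
        return ("ip", "high")
    if ACCOUNT_ID_RE.match(host):
        return ("domain-pattern", "medium")
    return None


def sweep_proxy_log(lines: Iterable[str]) -> list[Hit]:
    """Constructed 5-field log format: '<epoch> <client> <method> <target> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the sweep
        host = extract_host(parts[3])
        verdict = classify_host(host)
        if verdict:
            hits.append(Hit(verdict[0], host, verdict[1], line))
    return hits


def sweep_hashes(inventory: Iterable[tuple[str, str]]) -> list[Hit]:
    """inventory: (path, md5hex) pairs; hashes are compared case-insensitively."""
    return [Hit("hash", md5.lower(), "high", path)
            for path, md5 in inventory if md5.lower() in MD5_HASHES]


# Constructed sample data: three true positives in the log, one pattern-tier
# hit, two benign lines (one on the same cloud gateway but a different account).
LOG_LINES = [
    "1733752769 10.0.0.15 CONNECT service-a8vp3r65-1319584009.cd.tencentapigw.com:443 200",
    "1733752770 10.0.0.15 GET https://www.example.com/index.html 200",
    "1733752771 10.0.0.22 GET https://service-zzzz9999-1319584009.hk.tencentapigw.com/api 200",
    "1733752772 10.0.0.22 GET http://139.155.190.84/update 200",
    "1733752773 10.0.0.31 GET https://service-abcd1234-1111111111.sh.tencentapigw.com/ 200",
]
INVENTORY = [
    (r"C:\Users\user\Downloads\O365.vbs", "0A34CC8983FB581A59308135868B75D0"),
    (r"C:\Windows\notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),  # benign placeholder
    (r"C:\Users\user\AppData\Local\Temp\cache.vbs", "5d18995193465c618844949f0ff9c786"),
]

if __name__ == "__main__":
    for h in sweep_proxy_log(LOG_LINES) + sweep_hashes(INVENTORY):
        print(f"[{h.confidence:6}] {h.kind:14} {h.value}  <- {h.source}")
```

The exact-match tier is the one to alert on; the pattern tier is worth a hunt query but not a block, because the parent domain hosts arbitrary tenants' API gateways and the fifth sample line shows a host on the same service that must not trigger.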
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Poland
Indicators of Compromise
- file: %windir%\\syswow64\\dllhost.exe (Spawnto_x86)
- file: %windir%\\sysnative\\dllhost.exe (Spawnto_x64)
- file: ImeBroker.exe
- regkey: “C:\LLVM\bin\LnkFishing\.asset\.asset.pdf“
- file: PressMe.pdf
- ip: 43.137.69.76
- ip: 139.155.190.198
- ip: 106.55.77.71
- ip: 129.204.98.221
- ip: 119.45.2.30
- ip: 119.45.67.241
- ip: 119.45.2.56
- ip: 139.155.190.84
- domain: service-a8vp3r65-1319584009.cd.tencentapigw.com
- domain: service-c2y0jtba-1319584009.gz.tencentapigw.com.cn
- domain: service-qgezbin5-1319584009.sh.tencentapigw.com
- domain: service-h87kxr41-1319584009.bj.tencentapigw.com.cn
- domain: service-cyuasu6k-1319584009.nj.tencentapigw.com
- domain: service-3z1ebnpd-1319584009.sh.tencentapigw.com
- domain: service-b4ibcyjt-1325935989.sh.tencentapigw.com
- domain: service-k6iylaqt-1319584009.bj.tencentapigw.com.cn
- domain: service-7wu3p58s-1319584009.nj.tencentapigw.com
- link: https://www.seqrite.com/blog/operation-cobalt-whisper-targets-industries-hong-kong-pakistan/
- text: SEQRITE Labs APT-Team has recently uncovered a campaign targeting various industries such as the Defense Sector in Pakistan and predominantly researchers from Hong Kong. Tracked as Operation Cobalt Whisper, the entire campaign heavily leverages the use of a post-exploitation tool Cobalt Strike, which is deployed using obfuscated VBScript. A total of 20 infection chains have been identified so far along with additional individual samples, where 18 of them target Hong Kong and two target Pakistan where over 30 decoy files have been identified. In this blog, we will explore the technical details of one of the campaigns we encountered during our initial analysis and examine the various stages of the infection chain, starting with a deep dive into the decoy documents. We will then look into the common Tactics, Techniques, and Procedures (TTPs), such as the use of malicious VBScript and LNK payloads employed by this threat actor across most campaigns. These methods facilitate the in-memory execution of the Cobalt Strike implant, which is delivered alongside these lures in an archive file.
- text: Operation Cobalt Whisper: Threat Actor Targets Multiple Industries Across Hong Kong and Pakistan.
- text: Blog
- file: malicious.rar (filename is a placeholder; do not use for detection)
- file: 附件1:《2024年度中国电工技术学会科学技术奖推荐提名书》(技术发明奖和科技进步奖)填报说明(2024年8月新版).pdf.lnk
- file: cache.bak
- file: O365.vbs
- file: subscription.db
- file: 附件2:《中国电工技术学会科学技术奖励办法》(2024年4月修订).pdf (translates to "Attachment 2: Regulations on Scientific and Technological Awards of the China Electrotechnical Society (Revised April 2024)")
- file: sigverif.exe
- ip: 139.155.190.84
- domain: service-a8vp3r65-1319584009.cd.tencentapigw.com
- port: 443
- as: 45090
- text: China
- hash: 86543a984e604430fb7685a1e707b2c4
- file: 科学技术奖填报说明和奖励办法修订版.rar
- hash: 95557088474250a9749b958c3935dee4
- file: 最新停车场收费标准调整方案.rar
- hash: 95f05674e4cb18a363346b488b67fd38
- file: ╒δ╢╘í╢│Θ╦«╨ε─▄╡τ╒╛╩Σ╦«╖ó╡τ╧╡═│╖╜░╕╔Φ╝╞▒╚╤í╤╨╛┐í╖╡─╨▐╕─╜¿╥Θ.zip / 针对《抽水蓄能电站输水发电系统方案设计比选研究》的修改建议.zip
- hash: b8c94d2f66481cc52b30948f65fed761
- file: ╣π╕µ═╢╖┼╥¬╟≤╩Θ.zip / 广告投放要求书.zip
- hash: 4cf9bd6af64c3937e156ffb20537a6c1
- file: 预加油航班管理方法研究与软件实现(修改意见).rar
- hash: b2649134fbf0520222263d73b7e985d8
- file: aaa.zip
- hash: af669dfa074eb9b6fda3fd258f58e2d2
- file: 贾哲文-云南大学-环境工程.rar
- hash: 865483fea76242e687aa9e76b1a37f28
- file: 刘潇-清华大学-计算机.rar
- hash: 432230af1d59dac7dfb47e0684807240
- file: 李新宇-北京大学-2026毕业-金融硕士.rar
- hash: b9d04a61b30ddf53b28bf58a86fc28f5
- file: 热核聚变发电岛三回路参数优化研究(修改意见).rar
- hash: 2d478e4527486d85932254c7a7413951
- file: 国家互联网应急中心CCSC认证邀请函_海关信息中心.rar
- hash: e08dcbbd3e2ab9bcc2c02c44b6a97870
- file: 异构平台要素协同理论方法研究(修改意见).rar
- hash: fe4c575abf70ad11cdbce0b0821ee681
- file: 博士后申请-王玉玺-华中科技大学-电气与电子工程-博士.rar
- hash: 68278e47f36a44d9a8bbd46b74422bbe
- file: 企业资质材料.zip
- hash: 58f5ff5be4e765e62758b1f3e679a2ac
- file: 针对《苍术倍半萜类化合物生物合成的研究进展》的修改建议.rar
- hash: 955841a4d2315422818b47aec6ce51fb
- file: 中债数据无法使用情况.rar
- hash: 75def3a25b1d355c9163d3c247990867
- file: 参编《人工智能通用大模型合规管理体系 指南》申请表.rar
- hash: 343a3944218a040089fa7131112c1681
- file: 中国外汇交易中心信息产品许可表.rar
- hash: b28bb7cabfb12e9bc5b87692b065c83a
- file: Islamabad_Security_Dialogue_Pub.rar
- hash: 7728fee377137e83e9bd1c609cc166c0
- file: IDEAS_2024_Calling_Letter.zip
- hash: dad7d9528e9506ebd0524b3ebd89ddf2
- file: Final_Combined_Forecast_MCP_FY_2024_25.zip
- hash: a02a664f80d9011e38c45762683771c0
- file: Final_Combined_Forecast_MCP_FY_2024_25.pdf.lnk
- file: 12th_Edition_Of_Innovation_&_Excellence_IDEAS_2024.pdf.lnk
- hash: d73a5c11423923d8a8c483cf6172f7e2
- hash: 22c07c76020f9311385cfaa97a2d6adb
- file: 附件1:《2024年度中国电工技术学会科学技术奖推荐提名书》(技术发明奖和科技进步奖)填报说明(2024年8月新版).pdf.lnk
- hash: 7a494f7448bc350bb46fb7f21450d1d9
- file: 最新停车场收费标准调整方案.lnk
- hash: 3c3986899bdb4890ea6d44c00538e2fd
- file: ╒δ╢╘í╢│Θ╦«╨ε─▄╡τ╒╛╩Σ╦«╖ó╡τ╧╡═│╖╜░╕╔Φ╝╞▒╚╤í╤╨╛┐í╖╡─╨▐╕─╜¿╥Θ.docx.lnk / 针对《抽水蓄能电站输水发电系统方案设计比选研究》的修改建议.docx.lnk
- hash: 74ca14032a93be59098d607ba7039660
- file: 预加油航班管理方法研究与软件实现(修改意见).docx.lnk
- hash: cd14d51d27f294c2e60d1bc3ef907160
- file: 电影宣传要求.pdf.lnk
- hash: db08274efb374e2196a9f46961c8d8f8
- file: 需使用中债数据.jpg.lnk
- hash: 62eb90df5ee3a3b443c277d12b893141
- file: 贾哲文-云南大学-环境工程.docx.lnk
- hash: 41b5d5a04cf4534550e6ac3fc9a8f42d
- file: 刘潇-清华大学-计算机科学与技术学院-硕士.pdf.lnk
- hash: ae55cb4988f2f45197132631f5a86632
- file: filename.lnk
- hash: 5ae488083403cd69002c29ef6326cca7
- file: 李新宇-北京大学-2026毕业-金融硕士.pdf.lnk
- hash: 72011305317d7e9d38a0e75650f22e34
- file: 修改建议.docx.lnk
- hash: 473adee7068573fd01862b4bf43979e6
- file: Islamabad_Security_Dialogue_Pub.pdf.lnk
- hash: 10d0a351df1bfe57494ac18a7f2edec1
- file: 热核聚变发电岛三回路参数优化研究(修改意见).docx.lnk
- hash: 10d6fb6ab395001a4424058a52c3c69f
- file: 国家互联网应急中心CCSC认证邀请函_海关信息中心.pdf.lnk
- hash: 1070fc4a998cb7515842fb1b647340be
- file: 异构平台要素协同理论方法研究(修改意见).docx.lnk
- hash: 1b538fef54102fd36e83e4fc549f960e
- file: 博士后申请-王玉玺-华中科技大学-电气与电子工程博士-简历.pdf.lnk
- hash: c8231c5709ca548f1fe70f3b61d3537a
- file: 针对《苍术倍半萜类化合物生物合成的研究进展》的修改建议.docx.lnk
- hash: 955a8b63723eb35686ddce6cbfe890cf
- file: 中债数据无法使用情况.jpg.lnk
- hash: da623c5ca61e25c6205904a5cb91bd55
- file: 参编《人工智能通用大模型合规管理体系 指南》申请表.pdf.lnk
- hash: afc805006390b00713898c09d50343b6
- file: 中国外汇交易中心信息产品许可表.doc.lnk
- hash: 0a34cc8983fb581a59308135868b75d0
- file: O365.vbs
- hash: 5d18995193465c618844949f0ff9c786
- file: cache.vbs
- hash: 4c409d7201ec5dccf55a8ea54b0de101
- file: DS_Store.vbs
- hash: 39ab2053406493b9a0d81ed40212ffa8
- file: O365.vbs
- hash: 4711d0d163c00158abd4b20177d68b9a
- file: DS_Store.vbs
- hash: 3dce8d8f9664c755448413cbfe1bc08f
- file: DS_Store.vbs
- hash: 3b573c2229b43bde50f998f6cba17f2f
- file: DS_Store.vbs
- hash: 318a1a18df75b49f72fbcc020384cc24
- file: DS_Store.vbs
- hash: a0d760492c0193d14114792f0c3fff7a
- file: cache.vbs
- hash: cafdc03dcbe06ac43ec25fb38c1e013f
- file: cache.vbs
- hash: d13828ae89a7dab34d2f380eef518332
- file: cache.vbs
- hash: 7e98bb7ffba4cf12d29132a2c71973eb
- file: cache.vbs
- hash: c3d460ac3a93e86782c2bc374aa5ecd2
- file: Anx.vbs
- hash: 93eafad827126a9d12fc1d0e6e21aaef
- file: cal.vbs
- hash: a4a47dd08cf59f8b6a7c907cf0e39029
- file: cal.vbs
- hash: b2c882f6121d758cfcd4ece31834f497
- file: O365.vbs
- hash: 86e4c5d39dda20eee4dd8f794be04c80
- file: DS_Store.vbs
- hash: e7f3c33a5cd569ebf4b57381f03c5337
- file: cache.vbs
- hash: 7ac5daaa5fe4e59137271eaf97c9e692
- file: O365.vbs
- hash: a2f64bafeafbeb303d24fd6ed1f5a89a
- file: DS_Store.vbs
- hash: 8ba5b61454a29e09e7f536e85c951f53
- file: DS_Store.vbs
- hash: 4eeeb2b40e7189c271098c515b8f91d8
- file: DS_Store.vbs
- hash: 3711e1913f2ae74c4fc765bc28dbc60f
- file: DS_Store.vbs
- hash: e112698125e67a1a6f26597371cae502
- file: DS_Store.vbs
- hash: 67dc90468327a0c733ca48881084593b
- file: cache.vbs
- hash: d68fb3502e63ef3ca91c45f508d146b9
- file: cache.vbs
- hash: 91b7328a6064706fa9f125621a09f648
- file: cache.vbs
- hash: bfd61e5e133b2cd592d42ecdbc0eaee2
- file: cache.vbs
- hash: e5e709be4584031aefdc2a0782017f8f
- file: cache.vbs
- hash: cf59916d271dce7f44bbf349464a31e2
- file: cache.vbs
- hash: 5d18995193465c618844949f0ff9c786
- file: cache.vbs
- hash: e213dc8060794bb97c5f94f563107e88
- file: cache.vbs
- hash: d01e7c41140aeff82ad87a558ae96587
- file: DS_Store.vbs
- hash: de3a0ff11c7645f5d0ac717b0eb98e52
- file: cache.vbs
- hash: 98b85b474c02ce8c0a33ad7507abbf2a
- file: subscription.db
- hash: 5368f0b6ff56cce0de42165f14067427
- file: 附件2:《中国电工技术学会科学技术奖励办法》(2024年4月修订).pdf
- hash: 22ce60653860fe33bdfc47ce60deb681
- file: │Θ╦«╨ε─▄╡τ╒╛╩Σ╦«╖ó╡τ╧╡═│╖╜░╕╔Φ╝╞▒╚╤í╤╨╛┐_╦╬╫╙╞µ.pdf / 抽水蓄能电站输水发电系统方案设计比选研究_宋子琪.pdf
- hash: b69c075caff565528bf42705d936a066
- file: cache.db
- hash: 477c5abea7299891b7f7c487f8636613
- file: ╡τ╙░╨√┤½╥¬╟≤.pdf / 电影宣传要求.pdf
- hash: 298a27e24e4ca917020fa5a230fe6c8f
- file: subscription.db
- hash: 820485d456ce6bfab933a1b662ff590a
- file: 贾哲文-云南大学-环境工程.docx
- hash: 55467fcb1b51477104442e74d7baf3df
- file: cache.db
- hash: ab1bc05e7f110042d7eacda5724918e0
- file: cache.db
- hash: 8423873a0eee6139c1eb6d5a9919121b
- file: 企业资质证明(请先解密).pptx
- hash: 6833e934c675717a0581472e00cb6d93
- file: 12th_Edition_Of_Innovation_&_Excellence_IDEAS_2024.pdf
- hash: 9294dd350f921745602f745e501e8e43
- file: 预加油航班管理方法研究与软件实现.pdf
- hash: 43bed053851e7a182b99835bcd1d2d16
- file: 需使用中债数据.jpg
- hash: 154bf965c1c8e54540179b2d01c4202e
- file: 刘潇-清华大学-计算机科学与技术学院-硕士.pdf
- hash: 1fbffdc19d3cfee158558e266206f46f
- file: 李新宇-北京大学-2026毕业-金融硕士.pdf
- hash: 8bdd5587b9863bdb154d9db85c67037b
- file: 热核聚变发电岛三回路参数优化研究.pdf
- hash: 05770b4da4f87150f2faf6c4e821f727
- file: cache.db
- hash: c5b2970e227e311abb5acf480bc48934
- file: 异构平台要素协同理论方法研究.pdf
- hash: edd1a870a0eea3bf9dcbd88ece487920
- file: cache.db
- hash: 1c2126ea78d3430ce04bf96b0d1c524e
- file: JPCS-2021-A_novel_current_differential_protection_for_MMC-HV.pdf
- hash: 13097891c790fbd3df75a2aebf993b16
- file: 论文及荣誉证书/电力系统自动化-2024-逆变型新能源场站送出线时域方向元件.pdf
- hash: 23bd40035a9a9fd1d31a1c7aceda1727
- file: IET-2022-A simplified model of Type‐4 wind turbine for short‐circuit currents simulation analysis.pdf
- hash: 7763e73dd2e877c4770c0f10e4d3a1dd
- file: 论文及荣誉证书/教育部学籍在线验证报告-王玉玺.png
- hash: 162a9b9aee469b8de10c37c6311906cd
- file: Islamabad_Security_Dialogue_Pub.pdf
- hash: e8db7191c84a84717bffd0f1af9de36c
- file: Final_Combined_Forecast_MCP_FY_2024_25.pdf
- hash: 91611a155d4722d178f7697cd4ddd95f
- file: 苍术倍半萜类化合物生物合成的研究进展_冯铃芳.pdf
- hash: 75c1403abfbe9f5c92625a1baf8b22f5
- file: subscription.db
- hash: d967a709472775c118ec339963c1d940
- file: 中债数据无法使用情况.jpg
- hash: 154141caa12b828ace18fd4b3fda77e0
- file: 参编《人工智能通用大模型合规管理体系 指南》申请表.pdf
- hash: c116a1971593a3a5468eb972b505fb57
- file: cache.db
- hash: 63d4015195c5006d81e14a85aa2459c4
- file: 联系方式.txt
- hash: a3df3505d89c15bb3940062f7abd786b
- file: 联系方式.txt
- hash: 041d01a5495cdede35f4ad8e1fe437f7
- file: 清华通知.txt
- hash: d29980f768aafdcf102cf1b3741c8a2b
- file: ImeBroker.exe
- file: cache.bak
- hash: 2acfad6fd814b02683038d21ba3eccbe
- file: ImeBroker.exe
- file: cache.bak
- hash: 1aa1f12d26d3a34265d0b99705bdf283
- file: DevicesFlow.EXE
- file: DS_Store
- hash: e7550dd2db4dbe1a2cc1dadc47846cd0
- file: ImeBroker.exe
- file: cache.bak
- hash: 1d109c8bb9e6ad16cd5f6813db39c21a
- file: Microsoft IME
- file: DS_Store
- hash: d8c348a2f27097d8689dba4452bb76eb
- file: charmap.exe
- file: DS_Store
- hash: 14df06539b72837adb9f8d13cfcea6db
- file: CTTUNE.EXE
- file: DS_Store
- hash: 6388625810652f0767be13b43363c10d
- file: ImeBroker.exe
- file: cache.bak
- hash: e8d3540212384d45ba9d7135c5bf8d8e
- file: ImeBroker.exe
- file: cache.bak
- hash: 352e299fc3f2327bfad5026b4a56b7cb
- file: ImeBroker.exe
- file: cache.bak
- hash: 73fa6149e68dd7842f7cfce78dd732c5
- file: ImeBroker.exe
- file: cache.bak
- file: sigverif.exe
- hash: 3813e4ebddd87615c1adc9c05888341d
- file: 企业资质材料/企业签名解密专用解密工具.exe
- file: D:\MyPrograms\vs2022\vt01\vt\x64\Release\vt.pdb
- hash: 316e8d798f7db625c207532e2f7a5d38
- file: keycongif.exe
- file: Anx
- hash: 5e7dba4aafb8176ab026e2f4aa3211dd
- file: Adobbee.exe
- file: cal
- hash: 33b3e322679f1500a9f3c162e4b25040
- file: ImeBroker.exe
- file: cache.bak
- hash: 2694553347f23e250ed70a8c23096d8f
- file: BioEnrollmentHost.exe
- file: DS_Store
- hash: 800be8a4989d4b7ed07ddd068c6469f1
- file: DevicesFlow.EXE
- file: DS_Store
- hash: bfd6c2f0787865ecb1604439ea9a5f15
- file: imecfmui.exe
- file: cache.bak
- hash: 49c5553995f032195890b5bfc2abcb00
- file: ImeBroker.exe
- file: cache.bak
- hash: ae9d676e4eda5cfa18a061e4bc2b1637
- file: ImeBroker.exe
- file: cache.bak
- hash: 008255c14420420e9a53c9959d0d08b8
- file: ImeBroker.exe
- file: cache.bak
- hash: 49a9c56fab34795b7e6e4c0b6185ca3e
- file: ImeBroker.exe
- file: cache.bak
- hash: d901fa81a4b3d83219440b80a1c338bc
- file: ImeBroker.exe
- file: cache.bak
- hash: 88b8bbe04b53e4af857cd1c032968c94
- file: ImeBroker.exe
- file: cache.bak
- file: sigverif.exe
- hash: 1d065492e7b5d118e31e571cc53dfe65
- file: ImeBroker.exe
- file: cache.bak
- file: sigverif.exe
Technical Details
- Uuid: b2a90426-2dc0-4022-b51e-8be190ffb7e5
- Original Timestamp: 1733752769
Indicators of Compromise
File
Value | Description | Copy |
---|---|---|
file%windir%\\syswow64\\dllhost.exe | Spawnto_x86 | |
file%windir%\\sysnative\\dllhost.exe | Spawnto_x64 | |
fileImeBroker.exe | — | |
filePressMe.pdf | — | |
filemalicious.rar | filename is a placeholder - do not use for detection | |
file附件1:《2024年度中国电工技术学会科学技术奖推荐提名书》(技术发明奖和科技进步奖)填报说明(2024年8月新版).pdf.lnk | — | |
filecache.bak | — | |
fileO365.vbs | — | |
filesubscription.db | — | |
file附件2:《中国电工技术学会科学技术奖励办法》(2024年4月修订).pdf | translates to “Attachment 2: Regulations on Scientific and Technological Awards of the China Electrotechnical Society (Revised April 2024) | |
filesigverif.exe | — | |
file科学技术奖填报说明和奖励办法修订版.rar | — | |
file最新停车场收费标准调整方案.rar | — | |
file╒δ╢╘í╢│Θ╦«╨ε─▄╡τ╒╛╩Σ╦«╖ó╡τ╧╡═│╖╜░╕╔Φ╝╞▒╚╤í╤╨╛┐í╖╡─╨▐╕─╜¿╥Θ.zip | — | |
file╣π╕µ═╢╖┼╥¬╟≤╩Θ.zip | — | |
file预加油航班管理方法研究与软件实现(修改意见).rar | — | |
fileaaa.zip | — | |
file贾哲文-云南大学-环境工程.rar | — | |
file刘潇-清华大学-计算机.rar | — | |
file李新宇-北京大学-2026毕业-金融硕士.rar | — | |
file热核聚变发电岛三回路参数优化研究(修改意见).rar | — | |
file国家互联网应急中心CCSC认证邀请函_海关信息中心.rar | — | |
file异构平台要素协同理论方法研究(修改意见).rar | — | |
file博士后申请-王玉玺-华中科技大学-电气与电子工程-博士.rar | — | |
file企业资质材料.zip | — | |
file针对《苍术倍半萜类化合物生物合成的研究进展》的修改建议.rar | — | |
file中债数据无法使用情况.rar | — | |
file参编《人工智能通用大模型合规管理体系 指南》申请表.rar | — | |
file中国外汇交易中心信息产品许可表.rar | — | |
fileIslamabad_Security_Dialogue_Pub.rar | — | |
fileIDEAS_2024_Calling_Letter.zip | — | |
fileFinal_Combined_Forecast_MCP_FY_2024_25.zip | — | |
fileFinal_Combined_Forecast_MCP_FY_2024_25.pdf.lnk | — | |
file12th_Edition_Of_Innovation_&_Excellence_IDEAS_2024.pdf.lnk | — | |
file附件1:《2024年度中国电工技术学会科学技术奖推荐提名书》(技术发明奖和科技进步奖)填报说明(2024年8月新版).pdf.lnk | — | |
file最新停车场收费标准调整方案.lnk | — | |
file╒δ╢╘í╢│Θ╦«╨ε─▄╡τ╒╛╩Σ╦«╖ó╡τ╧╡═│╖╜░╕╔Φ╝╞▒╚╤í╤╨╛┐í╖╡─╨▐╕─╜¿╥Θ.docx.lnk | — | |
file预加油航班管理方法研究与软件实现(修改意见).docx.lnk | — | |
file电影宣传要求.pdf.lnk | — | |
file需使用中债数据.jpg.lnk | — | |
file贾哲文-云南大学-环境工程.docx.lnk | — | |
file刘潇-清华大学-计算机科学与技术学院-硕士.pdf.lnk | — | |
filefilename.lnk | — | |
file李新宇-北京大学-2026毕业-金融硕士.pdf.lnk | — | |
file修改建议.docx.lnk | — | |
fileIslamabad_Security_Dialogue_Pub.pdf.lnk | — | |
file热核聚变发电岛三回路参数优化研究(修改意见).docx.lnk | — | |
file国家互联网应急中心CCSC认证邀请函_海关信息中心.pdf.lnk | — | |
file异构平台要素协同理论方法研究(修改意见).docx.lnk | — | |
file博士后申请-王玉玺-华中科技大学-电气与电子工程博士-简历.pdf.lnk | — | |
file针对《苍术倍半萜类化合物生物合成的研究进展》的修改建议.docx.lnk | — | |
file中债数据无法使用情况.jpg.lnk | — | |
file参编《人工智能通用大模型合规管理体系 指南》申请表.pdf.lnk | — | |
file中国外汇交易中心信息产品许可表.doc.lnk | — | |
fileO365.vbs | — | |
filecache.vbs | — | |
fileDS_Store.vbs | — | |
fileO365.vbs | — | |
fileDS_Store.vbs | — | |
fileDS_Store.vbs | — | |
fileDS_Store.vbs | — | |
fileDS_Store.vbs | — | |
filecache.vbs | — | |
filecache.vbs | — | |
filecache.vbs | — | |
filecache.vbs | — | |
fileAnx.vbs | — | |
filecal.vbs | — | |
filecal.vbs | — | |
fileO365.vbs | — | |
fileDS_Store.vbs | — | |
filecache.vbs | — | |
fileO365.vbs | — | |
fileDS_Store.vbs | — | |
fileDS_Store.vbs | — | |
fileDS_Store.vbs | — | |
fileDS_Store.vbs | — | |
fileDS_Store.vbs | — | |
filecache.vbs | — | |
filecache.vbs | — | |
filecache.vbs | — | |
filecache.vbs | — | |
filecache.vbs | — | |
filecache.vbs | — | |
filecache.vbs | — | |
filecache.vbs | — | |
fileDS_Store.vbs | — | |
filecache.vbs | — | |
filesubscription.db | — | |
file附件2:《中国电工技术学会科学技术奖励办法》(2024年4月修订).pdf | — | |
file│Θ╦«╨ε─▄╡τ╒╛╩Σ╦«╖ó╡τ╧╡═│╖╜░╕╔Φ╝╞▒╚╤í╤╨╛┐_╦╬╫╙╞µ.pdf | — | |
filecache.db | — | |
file╡τ╙░╨√┤½╥¬╟≤.pdf / 电影宣传要求.pdf | — | |
filesubscription.db | — | |
file贾哲文-云南大学-环境工程.docx | — | |
filecache.db | — | |
filecache.db | — | |
file企业资质证明(请先解密).pptx | — | |
file12th_Edition_Of_Innovation_&_Excellence_IDEAS_2024.pdf | — | |
file预加油航班管理方法研究与软件实现.pdf | — | |
file需使用中债数据.jpg | — | |
file刘潇-清华大学-计算机科学与技术学院-硕士.pdf | — | |
file李新宇-北京大学-2026毕业-金融硕士.pdf | — | |
file热核聚变发电岛三回路参数优化研究.pdf | — | |
filecache.db | — | |
file异构平台要素协同理论方法研究.pdf | — | |
filecache.db | — | |
fileJPCS-2021-A_novel_current_differential_protection_for_MMC-HV.pdf | — | |
file论文及荣誉证书/电力系统自动化-2024-逆变型新能源场站送出线时域方向元件.pdf | — | |
fileIET-2022-A simplified model of Type‐4 wind turbine for short‐circuit currents simulation analysis.pdf | — | |
file论文及荣誉证书/教育部学籍在线验证报告-王玉玺.png | — | |
fileIslamabad_Security_Dialogue_Pub.pdf | — | |
fileFinal_Combined_Forecast_MCP_FY_2024_25.pdf | — | |
file苍术倍半萜类化合物生物合成的研究进展_冯铃芳.pdf | — | |
filesubscription.db | — | |
file中债数据无法使用情况.jpg | — | |
file参编《人工智能通用大模型合规管理体系 指南》申请表.pdf | — | |
filecache.db | — | |
file联系方式.txt | — | |
file联系方式.txt | — | |
file清华通知.txt | — | |
fileImeBroker.exe | — | |
filecache.bak | — | |
fileImeBroker.exe | — | |
filecache.bak | — | |
fileDevicesFlow.EXE | — | |
fileDS_Store | — | |
fileImeBroker.exe | — | |
filecache.bak | — | |
fileMicrosoft IME | — | |
fileDS_Store | — | |
filecharmap.exe | — | |
fileDS_Store | — | |
fileCTTUNE.EXE | — | |
fileDS_Store | — | |
fileImeBroker.exe | — | |
filecache.bak | — | |
fileImeBroker.exe | — | |
filecache.bak | — | |
fileImeBroker.exe | — | |
filecache.bak | — | |
fileImeBroker.exe | — | |
filecache.bak | — | |
filesigverif.exe | — | |
file企业资质材料/企业签名解密专用解密工具.exe | — | |
fileD:\MyPrograms\vs2022\vt01\vt\x64\Release\vt.pdb | — | |
filekeycongif.exe | — | |
fileAnx | — | |
fileAdobbee.exe | — | |
filecal | — | |
fileImeBroker.exe | — | |
filecache.bak | — | |
fileBioEnrollmentHost.exe | — | |
fileDS_Store | — | |
fileDevicesFlow.EXE | — | |
fileDS_Store | — | |
fileimecfmui.exe | — | |
filecache.bak | — | |
fileImeBroker.exe | — | |
filecache.bak | — | |
fileImeBroker.exe | — | |
filecache.bak | — | |
fileImeBroker.exe | — | |
filecache.bak | — | |
fileImeBroker.exe | — | |
filecache.bak | — | |
fileImeBroker.exe | — | |
filecache.bak | — | |
fileImeBroker.exe | — | |
filecache.bak | — | |
filesigverif.exe | — | |
fileImeBroker.exe | — | |
filecache.bak | — | |
filesigverif.exe | — |
Regkey
Value | Description | Copy |
---|---|---|
regkey“C:\LLVM\bin\LnkFishing\.asset\.asset.pdf“ | — |
Ip
Value | Description | Copy |
---|---|---|
ip43.137.69.76 | — | |
ip139.155.190.198 | — | |
ip106.55.77.71 | — | |
ip129.204.98.221 | — | |
ip119.45.2.30 | — | |
ip119.45.67.241 | — | |
ip119.45.2.56 | — | |
ip139.155.190.84 | — | |
ip139.155.190.84 | — |
Domain
Value | Description | Copy |
---|---|---|
domainservice-a8vp3r65-1319584009.cd.tencentapigw.com | — | |
domainservice-c2y0jtba-1319584009.gz.tencentapigw.com.cn | — | |
domainservice-qgezbin5-1319584009.sh.tencentapigw.com | — | |
domainservice-h87kxr41-1319584009.bj.tencentapigw.com.cn | — | |
domainservice-cyuasu6k-1319584009.nj.tencentapigw.com | — | |
domainservice-3z1ebnpd-1319584009.sh.tencentapigw.com | — | |
domainservice-b4ibcyjt-1325935989.sh.tencentapigw.com | — | |
domainservice-k6iylaqt-1319584009.bj.tencentapigw.com.cn | — | |
domainservice-7wu3p58s-1319584009.nj.tencentapigw.com | — | |
domainservice-a8vp3r65-1319584009.cd.tencentapigw.com | — |
Link
Value | Description | Copy |
---|---|---|
linkhttps://www.seqrite.com/blog/operation-cobalt-whisper-targets-industries-hong-kong-pakistan/ | — |
Text
Value | Description | Copy |
---|---|---|
textSEQRITE Labs APT-Team has recently uncovered a campaign targeting various industries such as the Defense Sector in Pakistan and predominantly researchers from Hong Kong. Tracked as Operation Cobalt Whisper, the entire campaign heavily leverages the use of a post-exploitation tool Cobalt Strike, which is deployed using obfuscated VBScript. A total of 20 infection chains have been identified so far along with additional individual samples, where 18 of them target Hong Kong and two target Pakistan where over 30 decoy files have been identified.
In this blog, we will explore the technical details of one of the campaigns we encountered during our initial analysis and examine the various stages of the infection chain, starting with a deep dive into the decoy documents. We will then look into the common Tactics, Techniques, and Procedures (TTPs), such as the use of malicious VBScript and LNK payloads employed by this threat actor across most campaigns. These methods facilitate the in-memory execution of the Cobalt Strike implant, which is delivered alongside these lures in an archive file. | — | |
textOperation Cobalt Whisper: Threat Actor Targets Multiple Industries Across Hong Kong and Pakistan. | — | |
textBlog | — | |
textChina | — |
Port
Value | Description | Copy |
---|---|---|
port443 | — |
As
Value | Description | Copy |
---|---|---|
as45090 | — |
Hash
Value | Description | Copy |
---|---|---|
Threat ID: 68367c09182aa0cae2310861
Added to database: 5/28/2025, 2:59:21 AM
Last enriched: 6/27/2025, 11:36:34 AM
Last updated: 8/14/2025, 2:59:29 AM