
Targeting Taiwan & Japan with DLL Implants

Medium
Published: Mon May 12 2025 (05/12/2025, 18:34:49 UTC)
Source: AlienVault OTX

Description

A newly discovered APT campaign dubbed Swan Vector is targeting educational institutes and mechanical engineering industries in Taiwan and Japan. The attack uses a sophisticated multi-stage infection chain involving malicious LNK files, DLL implants (Pterois and Isurus), and Cobalt Strike payloads. The threat actor employs various evasion techniques including API hashing, direct syscalls, DLL sideloading, and self-deletion. Google Drive is abused as a command-and-control server. While attribution remains uncertain, similarities with Winnti, Lazarus, and APT10 techniques have been observed. The campaign has been active since December 2024 and is expected to continue with new implants targeting additional applications.

AI-Powered Analysis

Last updated: 06/19/2025, 17:34:49 UTC

Technical Analysis

The Swan Vector campaign is a sophisticated Advanced Persistent Threat (APT) operation targeting educational institutions and mechanical engineering sectors primarily in Taiwan and Japan. The attack employs a multi-stage infection chain beginning with malicious LNK (Windows shortcut) files that serve as the initial infection vector. Upon execution, these LNK files trigger the loading of DLL implants named Pterois and Isurus. These implants leverage advanced evasion techniques such as API hashing, which obfuscates API calls to avoid detection by security tools; direct syscalls, which bypass user-mode hooks; DLL sideloading, where malicious DLLs are loaded by legitimate applications to evade detection; and self-deletion to remove traces post-execution. The implants facilitate the deployment of Cobalt Strike payloads, a well-known post-exploitation framework used for lateral movement, persistence, and command and control (C2). Notably, the threat actor abuses Google Drive as a C2 server, leveraging a trusted cloud service to evade network-based detection and filtering. Although attribution is uncertain, the tactics, techniques, and procedures (TTPs) share similarities with known APT groups such as Winnti, Lazarus, and APT10, indicating a high level of sophistication and potential state-sponsored backing. Active since December 2024, the campaign is expected to evolve with new implants targeting additional applications, suggesting ongoing and adaptive threat activity.

Potential Impact

For European organizations, the direct targeting of Taiwan and Japan may initially suggest limited exposure; however, the use of widely adopted attack techniques and tools like DLL sideloading and Cobalt Strike poses a broader risk. European educational and mechanical engineering sectors, which often collaborate internationally and share supply chains with East Asian counterparts, could be indirectly impacted through shared software, third-party vendors, or multinational operations. The abuse of Google Drive as a C2 channel complicates detection, as traffic to this cloud service is typically permitted, increasing the risk of stealthy data exfiltration or lateral movement within networks. Compromise could lead to significant confidentiality breaches, intellectual property theft, and disruption of critical engineering projects or academic research. The campaign’s evasion techniques reduce the effectiveness of traditional endpoint detection and response (EDR) solutions, increasing the likelihood of prolonged undetected presence. Given the strategic importance of mechanical engineering and education sectors in Europe, successful infiltration could undermine competitive advantage and national security interests, especially in countries with strong industrial bases and research institutions.

Mitigation Recommendations

1. Implement strict controls and monitoring for the execution of LNK files, including disabling autorun features and restricting the use of shortcut files from untrusted sources.
2. Employ advanced endpoint protection solutions capable of detecting API hashing and direct syscall techniques, including behavior-based detection rather than signature-based alone.
3. Monitor and restrict DLL sideloading by enforcing application whitelisting and validating DLLs loaded by critical applications.
4. Analyze network traffic for anomalous patterns to Google Drive, including unusual file access or command patterns, and consider deploying cloud access security broker (CASB) solutions to monitor and control cloud service usage.
5. Conduct regular threat hunting exercises focusing on Cobalt Strike indicators and related post-exploitation behaviors.
6. Enhance logging and correlation capabilities to detect self-deletion attempts and other anti-forensic activities.
7. Foster information sharing with international partners and threat intelligence communities to stay updated on evolving implants and TTPs.
8. Educate users, especially in targeted sectors, about spear-phishing and social engineering risks associated with malicious LNK files.
9. Review and harden supply chain security, particularly for software and hardware sourced from or connected to East Asian markets.
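As a worked illustration of recommendation 3 (validating DLLs loaded by critical applications), the following added example, which is not code from the Seqrite report or from the Swan Vector implants, scores Sysmon-style Event ID 7 (ImageLoad) records for the sideloading pattern described above: a DLL that normally lives under System32 being loaded from the host application's own directory, or an unsigned DLL loaded from a user-writable path. The event records, the list of "known system DLL" names and the path rules are all constructed assumptions for the demo.

```python
import ntpath

# Constructed (assumed) list of DLL names that legitimately live under System32.
# A copy of one of these loaded from elsewhere by a host process is the classic
# sideloading pattern the advisory describes.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def is_sideload_candidate(event: dict) -> list[str]:
    """Return the reasons an ImageLoad event looks like sideloading ([] = nothing found)."""
    image = event["Image"].lower()          # host process (Sysmon 'Image')
    loaded = event["ImageLoaded"].lower()   # DLL that was mapped (Sysmon 'ImageLoaded')
    name = ntpath.basename(loaded)
    dll_dir = ntpath.dirname(loaded) + "\\"
    exe_dir = ntpath.dirname(image) + "\\"
    reasons = []
    if name in SYSTEM_DLLS and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append(f"system DLL {name} loaded from {dll_dir}")
    if dll_dir == exe_dir and dll_dir.startswith(USER_WRITABLE):
        if event.get("Signed", "false").lower() != "true":
            reasons.append("unsigned DLL loaded from the host's own user-writable directory")
        elif event.get("SignatureStatus", "").lower() != "valid":
            reasons.append("DLL signature present but not valid")
    return reasons


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious ImageLoaded path to the reasons it was flagged."""
    return {ev["ImageLoaded"]: r for ev in events if (r := is_sideload_candidate(ev))}


# Constructed sample events in the shape of Sysmon Event ID 7 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\app.exe", "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\Downloads\viewer.exe", "ImageLoaded": r"C:\Users\alice\Downloads\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\app.exe", "ImageLoaded": r"C:\Program Files\Vendor\vendor.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for path, why in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(why))
```

Only the second sample event is flagged, on both rules; tune SYSTEM_DLLS and the path prefixes to the baseline of the application set you actually allow-list.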


Technical Details

Author: AlienVault
TLP: white
References: https://www.seqrite.com/blog/swan-vector-apt-targeting-taiwan-japan-dll-implants/
Adversary: Swan Vector

Indicators of Compromise

Hash


Threat ID: 682c99307960f6956616ac58

Added to database: 5/20/2025, 3:01:04 PM

Last enriched: 6/19/2025, 5:34:49 PM

Last updated: 8/12/2025, 6:20:32 AM
