UNC Cluster Targeting South Asian Countries
A South Asian APT group has been consistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. The operation involves phishing campaigns using military-themed lures to compromise the phones of military personnel. The attackers employ several tactics: PDF phishing documents, fake login pages for government and military organizations, and malicious Android apps. The Android malware, based on the open-source Rafel RAT, steals information and provides remote access. Victims are primarily from South Asian countries, and the stolen data includes SMS messages, contact lists, and documents. The operation also uses Windows malware that talks to the same command-and-control infrastructure.
AI Analysis
Technical Summary
The activity tracked here as the "UNC cluster" (UNC is the naming convention for an uncategorized cluster that has not yet been attributed to a named group) is a South Asian APT operation whose observed targets are military and government personnel in Sri Lanka, Bangladesh, Pakistan, and Turkey. The initial access vector is phishing built around military-themed lures and aimed chiefly at Android phones. The lures are PDF phishing documents and fake login pages that impersonate government and military webmail portals, built either to harvest credentials or to get the victim to sideload a malicious APK. The IOC list below bears this out: the phishing hosts are long subdomains of a handful of attacker-registered domains (updatemind52.com, quickhelpsolve.com, centralized-email-system-np.com) that embed the impersonated authority's hostname in the prefix, for example mail.baf.mil.bd.pdf.quickhelpsolve.com, webmail.police.gov.bd.updatemind52.com, and mail.mofa.gov.pk.file.updatemind52.com, alongside a Google Play look-alike (play-googyle.com) and an APK lure served as http://updatemind52.com/Love_Chat.apk.
The Android implant is derived from Rafel RAT, an open-source Android remote-access tool, and collects SMS messages, contact lists, and documents while keeping remote access to the device. The actor also deploys Windows malware that calls back to the same command-and-control (C2) infrastructure (the listed https://quickhelpsolve.com/public/commands.php URL, by its name a command-polling endpoint, sits on one of the phishing domains), so this is a coordinated multi-platform campaign run by one operator. On Enterprise ATT&CK the delivery maps to T1566 (Phishing), T1566.001 (Spearphishing Attachment), and T1566.002 (Spearphishing Link); on the Mobile matrix the collection maps to T1636.003 (Protected User Data: Contact List) and T1636.004 (Protected User Data: SMS Messages).
No software vulnerability is involved: there are no affected versions or patch links because the compromise relies on social engineering and sideloaded malware, so the usual "exploited in the wild" question does not apply. The campaign's consistent focus on military personnel indicates a strategic intelligence-collection objective, consistent with APT behaviour. Severity is assessed as medium on the information provided; the principal risks are loss of confidentiality and of operational security for the targeted personnel.
Potential Impact
Direct exposure for European organizations is limited because the observed targeting is South Asia and Turkey. Three points keep it relevant. First, Turkey is the one NATO member on the list, and the IOC set includes look-alike webmail portals for Turkish .com.tr companies (webmail.timgosavunma.com.tr.file.updatemind52.com, webmil.assangroup.com.tr.asd.updatemind52.com), so Turkish suppliers and their European partners fall within the actor's current interest. Second, one impersonated host is mail.bhclondon.org.uk.quickhelpsolve.com, a UK (.org.uk) mail portal, which shows the lure set already extends to an organization outside South Asia. Third, European defence contractors, government agencies, and organizations with personnel or operations linked to South Asia could receive the same lures, or could have a compromised personal phone brought onto their network.
A Rafel RAT-based implant that exfiltrates SMS, contacts, and documents is an espionage tool: the impact is leakage of communications (including any one-time codes delivered by SMS) and documents rather than disruption. The shared C2 infrastructure between the Android and Windows malware shows one operator with tooling for both platforms; it does not by itself indicate lateral movement from a phone into a network, but it does mean that a defender who finds one family should hunt for the other. Organizations involved in defence cooperation or intelligence sharing with South Asian countries should treat mobile endpoints used by personnel with access to sensitive information as in-scope assets.
Mitigation Recommendations
1. Run targeted awareness training on phishing that uses military or government-themed lures, including the specific pattern seen here: a "webmail" or "PDF" link whose hostname starts with a familiar government domain but ends in an unrelated registrable domain (mail.baf.mil.bd.pdf.quickhelpsolve.com is not baf.mil.bd).
2. Enforce MDM policy on Android devices: block installation from unknown sources (sideloading), keep Google Play Protect enabled, and alert on newly installed apps that did not come from the managed store. The Love_Chat.apk lure only works if the user can sideload.
3. Deploy EDR and mobile threat defence able to flag RAT behaviour on both Android and Windows: SMS and contact access by chat-style apps, persistent background services, and beaconing to newly registered domains.
4. Use phishing-resistant MFA (FIDO2/WebAuthn or platform passkeys) for government and military webmail. SMS one-time codes do not help against this actor: the Android implant reads SMS, and a credential-harvesting page can be built to prompt for the code as well as the password.
5. Match DNS, proxy, and mail logs against the IOC domains and URLs listed below. Match on the registrable domain (updatemind52.com, quickhelpsolve.com, centralized-email-system-np.com) rather than on the exact FQDN, because the actor generates many multi-label subdomains per domain; also hunt for any query whose name embeds gov.bd, mil.bd, gov.pk, or .com.tr labels beneath an unrelated registrable domain.
6. Tell personnel to verify URLs and attachments before interacting, especially in unsolicited messages, and to report suspicious ones.
7. Share IOCs with the national CSIRT or cybersecurity agency and ingest their feeds for this cluster.
8. Restrict mobile app permissions (SMS, contacts, storage) to what each app needs; a chat app requesting SMS and contact access at install time matches the implant's profile.
9. Run periodic compromise assessments of the mobile and desktop estates, including checking the file hashes below against EDR and MDM inventories.
Affected Countries
Turkey, Sri Lanka, Bangladesh, Pakistan
Indicators of Compromise
- hash (MD5): 01011bd3c58141165f2a4551f4c40609
- hash (MD5): 0d106fd047d6a744b1dbecddbe9c2e99
- hash (MD5): 12b6483d4843e99b57b86379197208cd
- hash (MD5): 33fe3e792a0e98fb890b6393f31ae5cb
- hash (MD5): 3b26fcd7c6994598dc53bb3f69725d68
- hash (MD5): 3c47053adffd39b467592d13398060b5
- hash (MD5): 4e13a48db966b3ebffb1fd49b3d2af8e
- hash (MD5): 65a08e14ca41bfedf483d1ada74844a9
- hash (MD5): 67e7cf00aa82d9b4cf0db2b55b7fb0b9
- hash (MD5): 6e930ad2ab7e97da818f54bfbb45b759
- hash (MD5): 73f142ae7c6c10fbb18f439b6410af4f
- hash (MD5): 78bc9707f298552b7087ef385f098912
- hash (MD5): 94e6911b0a99b54391735dfc70b4187d
- hash (MD5): 9a7510e780ef40d63ca5ab826b1e9dab
- hash (MD5): abbb7063e3a6d03cf180f73b6ac15ee2
- hash (MD5): aef81736c6dcaf8b67775602cbf9ccbd
- hash (MD5): b8eda465ffbc197d80a9ce7ab785f07a
- hash (MD5): c2ee24fb4aa103b4c1a8e8169d3a9f47
- hash (MD5): c8d2bf204349853b6d7d810ed2698924
- hash (MD5): ce417487ac9ccfbb31fa28fde9365fd7
- hash (MD5): cf9914eca9f8ae90ddd54875506459d6
- hash (MD5): dfa353ac65b29df7d14f72aca7d52f12
- hash (MD5): e573a2cd2b6a24255c400055d06342b9
- hash (SHA-1): 48d1fa9a742d974a66efada6ff16c83659332820
- hash (SHA-1): 74f8de4edd555c9d334bc66cef11831a87a3d033
- hash (SHA-1): 8c47707ef68a9576c0b48a0a99d82f31f67cd762
- hash (SHA-1): 8e1cbfe683bc4587cdbfaba37d71f8241693ea54
- hash (SHA-1): c84d4ee410ed56ccad32641f28881ba154a7b6aa
- hash (SHA-256): 1499d8282ef4c2b5efa033ad74567757649ee5777d5f995f04b691b78f0518bf
- hash (SHA-256): 33bee15de0506e8921b10f0875f0944660521d9545210b4a2ab3e884b86e44e5
- hash (SHA-256): a7b1c213266d46c0debc0f67e0ae52cd6d746421abc4a6acc127ad26377fc3a7
- hash (SHA-256): d3d706c98545690a4e7f73c65501284586256dc6dae925ef16d36e1bba5b789b
- hash (SHA-256): fe6fa7f3201febf07362a327cc178c9587c403350073211bb5d5cb39fd82a63a
- url: http://quickhelpsolve.com/asdf.6786708906
- url: http://updatemind52.com/Love_Chat.apk
- url: http://updatemind52.com/asdf.6786708906
- url: https://quickhelpsolve.com/public/commands.php
- domain: downloadattachment.com
- domain: inboxofficial-bd.com
- domain: kutcat-rat.com
- domain: mailbox-inbox-bd.com
- domain: mailbox3-inbox1-bd.com
- domain: mailserver-lk.com
- domain: mailservicess.com
- domain: play-googyle.com
- domain: playservicess.com
- domain: quickhelpsolve.com
- domain: securedownloadfiles.com
- domain: updatemind52.com
- domain: apm.vpce.gdw55e.quickhelpsolve.com
- domain: bsgrouponline.com.webmail.pdf.updatemind52.com
- domain: cloud.file.pdf.updatemind52.com
- domain: cloud.files.pdf.updatemind52.com
- domain: cloud.national.email.file.updatemind52.com
- domain: cloud.national.email.pdf.updatemind52.com
- domain: cloud.secured.file.updatemind52.com
- domain: drive.egovcloud.gov.bd.quickhelpsolve.com
- domain: ebmail.police.gov.bd.updatemind52.com
- domain: gov.bd.cloud.file.updatemind52.com
- domain: gov.bd.file.pdf.updatemind52.com
- domain: gov.bd.file.quickhelpsolve.com
- domain: gov.bd.file.updatemind52.com
- domain: gov.bd.pdf.updatemind52.com
- domain: gov.bd.secured.updatemind52.com
- domain: live.login.account.out.quickhelpsolve.com
- domain: mail.163.com.files.updatemind52.com
- domain: mail.awany.org.file.updatemind52.com
- domain: mail.baf.mil.bd.pdf.quickhelpsolve.com
- domain: mail.bangladesh.air.quickhelpsolve.com
- domain: mail.bcc.gov.bd.pdf.quickhelpsolve.com
- domain: mail.bhclondon.org.uk.quickhelpsolve.com
- domain: mail.drive.gov.bd.files.updatemind52.com
- domain: mail.gov.bd.account.file.updatemind52.com
- domain: mail.mofa.gov.pk.file.updatemind52.com
- domain: mail.mofa.gov.pk.pdf.updatemind52.com
- domain: mailairforce.quickhelpsolve.com
- domain: mails.navy.mll.bd.account.file.centralized-email-system-np.com
- domain: profen.com.fil.login.updatemind52.com
- domain: webmail.bmsdefence.com.pdf.updatemind52.com
- domain: webmail.paragonms.com.pk.pdf.updatemind52.com
- domain: webmail.police.gov.bd.updatemind52.com
- domain: webmail.profen.com.pdf.updatemind52.com
- domain: webmail.timgosavunma.com.tr.file.updatemind52.com
- domain: webmil.assangroup.com.tr.asd.updatemind52.com
- domain: www.centralized-email-system-np.com
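The following script shows how a defender would actually use the IOC list above when hunting in DNS logs, as mitigation item 5 recommends: it parses the page's own "- type: value" list (sorting the untyped "hash" entries into MD5, SHA-1 and SHA-256 by digest length), keys matching on the registrable domain so that any new subdomain of updatemind52.com or quickhelpsolve.com is caught, and flags queries that embed gov.bd, mil.bd or gov.pk labels beneath an unrelated registrable domain, which is this actor's hostname pattern. It is an added example written for this page, not code from the StrikeReady report or the AlienVault pulse. The IOC excerpt and the DNS log lines are constructed, and the public-suffix handling is a small approximation of the Public Suffix List.

```python
# Added example for this page (not from the StrikeReady report or the AlienVault pulse).
# IOC excerpt and log lines are constructed; suffix handling approximates the Public Suffix List.
import re
from urllib.parse import urlsplit

# Constructed excerpt of the IOC list above, in the page's own "- type: value" format.
IOC_TEXT = """\
- hash: 01011bd3c58141165f2a4551f4c40609
- hash: 48d1fa9a742d974a66efada6ff16c83659332820
- hash: 1499d8282ef4c2b5efa033ad74567757649ee5777d5f995f04b691b78f0518bf
- url: http://updatemind52.com/Love_Chat.apk
- url: https://quickhelpsolve.com/public/commands.php
- domain: quickhelpsolve.com
- domain: updatemind52.com
- domain: play-googyle.com
- domain: www.centralized-email-system-np.com
- domain: mail.baf.mil.bd.pdf.quickhelpsolve.com
"""

# The pulse labels MD5, SHA-1 and SHA-256 digests all as "hash"; tell them apart by length.
HASH_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}

# Second-level labels acting as public suffixes under two-letter ccTLDs (gov.bd, mil.bd,
# gov.pk, com.tr, ...). Approximation only; use the real Public Suffix List in production.
SECOND_LEVEL_SUFFIXES = {"gov", "mil", "com", "org", "net", "edu", "ac", "co"}

IOC_LINE = re.compile(r"-\s*(hash|domain|url):\s*(\S+)")
# Constructed log format: <timestamp> <client ip> <qtype> <qname>
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def registrable_domain(fqdn):
    """Effective second-level domain, the part a blocklist should key on.
    mail.baf.mil.bd -> baf.mil.bd ; mail.baf.mil.bd.pdf.quickhelpsolve.com -> quickhelpsolve.com
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def embedded_authority(fqdn):
    """Government/military-looking labels buried above an unrelated registrable domain.
    Returns 'baf.mil.bd' for mail.baf.mil.bd.pdf.quickhelpsolve.com; None for mail.baf.mil.bd.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    prefix = labels[: len(labels) - len(registrable_domain(fqdn).split("."))]
    for i in range(len(prefix) - 1):
        if prefix[i] in {"gov", "mil"} and len(prefix[i + 1]) == 2:
            return ".".join(prefix[max(0, i - 1): i + 2])
    return None


def parse_iocs(text):
    """Split the '- type: value' list into typed sets, deriving domains from URLs as well."""
    iocs = {"md5": set(), "sha1": set(), "sha256": set(), "domain": set(), "url": set()}
    for line in text.splitlines():
        m = IOC_LINE.match(line.strip())
        if not m:
            continue
        kind, value = m.group(1), m.group(2).rstrip(".")  # drop a stray trailing dot
        if kind == "hash":
            value = value.lower()
            algo = HASH_ALGO.get(len(value))
            if algo and re.fullmatch(r"[0-9a-f]+", value):
                iocs[algo].add(value)
        elif kind == "url":
            iocs["url"].add(value)
            iocs["domain"].add(urlsplit(value).hostname.lower())
        else:
            iocs["domain"].add(value.lower())
    iocs["registrable"] = {registrable_domain(d) for d in iocs["domain"]}
    return iocs


def scan_dns_log(lines, iocs):
    """Return (qname, reason) for queries that are an IOC, sit under an IOC's registrable
    domain, or embed government/military labels beneath a foreign registrable domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname in iocs["domain"]:
            hits.append((qname, "exact IOC domain"))
        elif registrable_domain(qname) in iocs["registrable"]:
            hits.append((qname, "under IOC domain " + registrable_domain(qname)))
        else:
            fake = embedded_authority(qname)
            if fake:
                hits.append((qname, "embeds look-alike labels " + fake))
    return hits


# Constructed DNS query log; not real telemetry.
SAMPLE_DNS_LOG = """\
2025-08-27T10:15:02Z 10.0.0.15 A mail.baf.mil.bd.pdf.quickhelpsolve.com
2025-08-27T10:15:09Z 10.0.0.15 A gov.bd.file.updatemind52.com
2025-08-27T10:16:30Z 10.0.0.22 A mail.baf.mil.bd
2025-08-27T10:17:01Z 10.0.0.22 AAAA www.google.com
2025-08-27T10:18:44Z 10.0.0.31 A mail.mofa.gov.pk.pdf.some-new-host.net
2025-08-27T10:19:10Z 10.0.0.31 A play-googyle.com
""".splitlines()

if __name__ == "__main__":
    for qname, reason in scan_dns_log(SAMPLE_DNS_LOG, parse_iocs(IOC_TEXT)):
        print(f"{qname:45} {reason}")
```

The genuine host mail.baf.mil.bd produces no alert because mil.bd is treated as its real suffix, while mail.mofa.gov.pk.pdf.some-new-host.net is flagged even though some-new-host.net is not on the IOC list; that heuristic is what keeps the detection alive when the actor rotates to a fresh domain, at the cost of reviewing any legitimate hosts that happen to nest a gov or mil label.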
Technical Details
- Author: AlienVault
- TLP: white
- References: https://strikeready.com/blog/apt-android-phishing-microsoft
- Adversary: not specified
- Pulse Id: 68af30b96e802c733e0c8b8a
- Threat Score: not specified
Threat ID: 68af5d62ad5a09ad0065ab1d
Added to database: 8/27/2025, 7:32:50 PM
Last enriched: 8/27/2025, 7:48:44 PM
Last updated: 9/1/2025, 2:24:34 AM