Monthly Threat Actor Group Intelligence Report, July 2022 (ENG)

This report is a summary of Threat Actor group activities analyzed by the NSHC ThreatRecon team, based on data and information collected from 21 June 2022 to 20 July 2022. In July, activities by a total of 31 Threat Actor Groups were identified, of which activities by SectorJ groups were the most prominent at 22%, followed by SectorA and SectorE groups.


Threat Actors identified in July carried out the highest number of attacks on workers and systems in government agencies and the info-communication industry. Regionally, Europe and East Asia saw the highest number of hacking activities.

1. Characteristics of SectorA Group Activities

In July 2022, activities by a total of 4 hacking groups were identified: SectorA01, SectorA04, SectorA05, and SectorA07.

SectorA01 group was found to be active in Japan, England, the United States, South Korea and Austria. The group targeted organizations in the medical and health industries to distribute ransomware, which was seen as an attempt to encrypt internal medical data and demand a ransom in return.

SectorA04 group was found to be active in Germany and Hungary. The group targeted small enterprises to distribute ransomware, which was seen as an attempt to encrypt internal data and demand a ransom in return.

SectorA05 group was found to be active in South Korea. The group delivered spear phishing emails to university professors, media reporters and researchers in the fields of unification, diplomacy, national defense, and security.

SectorA07 group was found to be active in Russia, Malaysia, Poland, Czech Republic, and Israel. The group used spear phishing emails with compressed files attached in their attacks.

The hacking activities of SectorA groups that continue to date aim to collect advanced information on South Korean governmental activities, such as political and diplomatic activities, while at the same time targeting the whole world to secure financial resources. These aims have continued over a long period of time and are expected to continue unchanged for some time.

2. Characteristics of SectorB Group Activities

In July 2022, activities by a total of 3 hacking groups were identified: SectorB22, SectorB25, and SectorB38.

SectorB22 group was found to be active in Czech Republic, the Philippines, Thailand, Vietnam, England, China, Belgium, Hungary, and Singapore. The group used compressed files containing malware disguised under subjects such as meeting reports, embassy reports, guidelines, and the pandemic to attract the attention of the targets.

SectorB25 group was found to be active in Pakistan and England. The group delivered spear phishing emails containing malware in document format to telecommunication personnel of a Southeast Asian country.

SectorB38 group was found to be active in Vietnam. The group used malware in RTF (Rich Text Format) document format, disguised as electronic news created by a military unit.

The hacking activities of SectorB groups that continue to date appear to aim at collecting advanced information on governmental activities, such as political and diplomatic activities, and target the whole world.

3. Characteristics of SectorC Group Activities

In July 2022, activities by a total of 7 hacking groups were identified: SectorC01, SectorC02, SectorC04, SectorC05, SectorC08, SectorC14, and SectorC15.

SectorC01 group was found to be active in Ukraine. The group used .NET-based malware for the purpose of collecting information, and used a malicious Word document exploiting the Follina vulnerability (CVE-2022-30190), disguised as an article related to the Ukrainian war.

SectorC02 group was found to be active in Georgia and Argentina. The group distributed Android malware disguised as a DDoS tool on a website impersonating a military unit.

SectorC04 group was found to be active in Egypt, Ukraine, India, Hong Kong, Canada, the United States, Norway, Italy, Russian Federation, Belgium, Netherlands, Estonia, Malaysia, Finland, and Austria. The group impersonated governments to send spear phishing emails containing PDF documents; the PDF documents, disguised under the topic of COVID-19, led the targets to click on a phishing link within them.

SectorC05 group was found to be active in Uruguay and Ukraine. The group targeted the telecommunication industry with spear phishing emails related to legal support and military units, and used backdoor malware in the final stage.

SectorC08 group was found to be active in Ukraine, Russia, India, and Germany. The group used malware disguised as documents related to military expenditure, as well as malware in the format of MS Word documents. In the final stage, the remote control tool UltraVNC was used.

SectorC14 group was found to be active in Ukraine and England. The group used phishing websites disguised as a login webpage of the Ministry of Defense.

SectorC15 group was found to be active in France, Ukraine, the United States, England, Australia, and Germany. The group targeted government-sector workers with spear phishing emails related to national defense, and used Cobalt Strike, a pentesting tool, in the final stage.

The hacking activities of SectorC groups that continue to date appear to aim at collecting advanced information on governmental activities, such as political and diplomatic activities, and target the whole world, including countries near the supporting government’s borders.

4. Characteristics of SectorD Group Activities

In July 2022, activities by a total of 2 hacking groups were identified: SectorD02 and SectorD10.

SectorD02 group was found to be active in Israel. The group used malware in Windows Installer package file format, disguised as a document related to an airline.

SectorD10 group was found to be active in Sweden, the United States and England. The group used phishing websites disguised as university library or portal websites to collect information from the targets.

SectorD hacking groups have mostly conducted hacking activities targeting countries in political conflict with the supporting government, and have recently been seen collecting advanced information, such as the political and diplomatic activities of individuals or governments opposed to the supporting government.

5. Characteristics of SectorE Group Activities

In July 2022, activities by a total of 6 hacking groups were identified: SectorE02, SectorE03, SectorE04, SectorE05, SectorE06, and SectorE07.

SectorE02 group was found to be active in Singapore, Czech Republic, Pakistan, India, Qatar, and England. The group used RTF document format malware disguised as proposals and thesis topics.

SectorE03 group was found to be active in Qatar, Germany, Pakistan, Sweden, and England. The group delivered spear phishing emails regarding COVID-19 prevention measures to workers of government institutions.

SectorE04 group was found to be active in Sri Lanka and Pakistan. The group attached malware in document format to a spear phishing email targeting workers of a shipyard company.

SectorE05 group was found to be active in China and South Korea. The group used malware that exploits vulnerabilities of Excel documents in their attacks.

SectorE06 group was found to be active in China, Italy, and Palestine. The group targeted users of Android OS to deploy Android malware.

SectorE07 group was found to be active in Italy. The group used Android malware disguised as a video platform to steal personal information such as SMS information, photos, and phone recordings from their targets.

The hacking activities of SectorE groups that continue to date appear to aim at collecting advanced information on political, diplomatic, and military activities. However, considering that they have recently expanded their targets to East Asian countries, including China, and other areas, it is analyzed that the proportion of hacking activities to collect advanced information related to politics, diplomacy, and technology from these countries has increased.

6. Characteristics of SectorF Group Activities

In July 2022, activities by a total of 1 hacking group were identified: SectorF01.

SectorF01 group was found to be active in China and Hong Kong. The group used malware in ELF (Executable and Linkable Format) against users of Linux OS.

The hacking activities of SectorF aim to collect advanced information on the governmental activities of countries neighboring the supporting government, such as political, diplomatic, and military activities, and to steal information related to cutting-edge technology for the economic development of their country.

7. Characteristics of SectorH Group Activities

In July 2022, activities by a total of 2 hacking groups were identified: SectorH01 and SectorH03.

SectorH01 group was found to be active in South Korea and Jordan. The group sent spear phishing emails targeting a specific legal service company and a ship components production company, together with a PowerPoint document disguised as a purchase order. The document was used to install malware on the target’s system, and the installed malware carried out malicious activities such as keylogging, stealing system information, screen capturing, and clipboard data collection.

SectorH03 group was found to be active in Japan, India, and the United States. The group distributed PowerPoint documents disguised as guidelines from the Ministry of Defense to install malware in the victim’s system. The installed malware carried out malicious activities such as keylogging, stealing system information, screen capturing, and clipboard data collection.

In addition, the group distributed Windows LNK files disguised as documents related to a military unit to install malware in the victim’s system and carry out malicious activities as mentioned above.

The hacking activities of the SectorH hacking group consist of cybercrime hacking activities and government-supported hacking activities. Diplomatic clashes have been ongoing between the backing country and the bordering country, India, so it is analyzed that they will continue activities to collect advanced information on the military and politics of Indian government agencies as needed.

8. Characteristics of Cybercrime Group Activities

In July 2022, activities by a total of 4 hacking groups were identified: SectorJ06, SectorJ09, SectorJ14, and SectorJ53.

Unlike other government-supported hacking groups, they steal online information of monetary value in the real world, directly hack specific companies and organizations to distribute ransomware in their internal networks, or steal important industrial confidential information and make threats to demand a ransom in return.

SectorJ06 group was found to be active in Canada, Saudi Arabia, Japan, Spain, Singapore, Brazil, Egypt, France, Mexico, Qatar, the United States, India, Czech Republic, Ecuador, Vietnam, Chile, Sweden, China, Italy, Indonesia, Thailand, Croatia, Hong Kong, Malaysia, Germany, Russia, Norway, Cambodia, and Ukraine. The group used malware disguised as a tax report, which was compressed in an ISO file and had a Ukrainian file name. In the final stage, a pentesting tool named Cobalt Strike was used.

SectorJ09 group was found to be active in Turkey, Moldova, Palestine, Romania, and Denmark. They continued using their technique of inserting obfuscated skimming scripts into websites to collect usernames, addresses, emails, phone numbers and credit card payment details on the payment page. In this activity, JavaScript malware with a format similar to that found in the past was identified.

SectorJ14 group was found to be active in Japan, Poland, South Korea, England, China, the United States, France, and Germany. The group used malware disguised as Android apps of a Japanese post office company and an AI chat platform to steal information from Android OS based smartphones.

SectorJ53 group was found to be active in Australia, Thailand, China, Kazakhstan, Singapore, Netherlands, Hong Kong, Turkey, Russia, India, the United States, Germany, France, Israel, Norway, Ukraine, Belarus, South Africa, New Zealand, Poland, Britain, Slovenia, Italy, Switzerland, Canada, South Korea, Nicaragua, Taiwan, Slovakia, Austria, Brazil, Bosnia and Herzegovina, Egypt, Chile, Japan, Colombia, Nigeria, Spain, Cyprus, Greece, Albania, Azerbaijan, Estonia, Malaysia, Morocco, Sweden, Iran, Bulgaria, Mauritania, Georgia, and Indonesia. The group attempted to steal financial information such as online banking login credentials by delivering emails with links to Google storage, which hosted ISO files containing malware.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact service@nshc.net.