Monthly Threat Actor Group Intelligence Report, September 2022 (ENG)

This report summarizes Threat Actor group activities analyzed by the NSHC ThreatRecon team, based on data and information collected from 21 August 2022 to 20 September 2022. In September, activities by a total of 25 Threat Actor Groups were identified; activities by SectorA groups were the most prominent at 32%, followed by SectorE and SectorJ groups.


Threat Actors identified in September carried out the highest number of attacks against workers and systems in government agencies and the information and communication industries. Regionally, East Asia and Europe were targeted by the highest number of hacking activities.

1. Characteristics of SectorA Group Activities

In September 2022, activities by a total of 4 hacking groups were identified: SectorA01, SectorA05, SectorA06 and SectorA07.

SectorA01 group was found to be active in South Korea, India, Hungary, the United States, Canada, Japan, Turkey, Spain, and Ireland. The group carried out spear phishing attacks against workers in the news and media industries. The malware, delivered using social engineering and a messenger app, communicated with the C2 server and had various functionalities such as system information collection, Remote Desktop Protocol connection, and file upload and download.

SectorA05 group was found to be active in South Korea, Vietnam, the Philippines, Hong Kong, and the United States. The group carried out attacks targeting workers of government institutions, national defense, media, and major think tanks. To deliver malware to the targets, the group used the large file attachment services of portal websites to send malicious documents in formats such as HWP or Word. During the final stage, an OLE (Object Linking and Embedding) object within the document was used to download and execute additional malware, with the aim of collecting system authorizations and stealing credentials.

SectorA06 group was found to be active in Hong Kong, England, the United States, India, China, Italy, and Russia. In this activity, the group sent spear phishing emails to workers in the investment and finance industries. The body of the email contained a download link to the malware, along with content about performance and compensation distribution to attract the target's interest. At the final stage, the malware collected information from the target, such as system information, and transferred it to the C2 server.

SectorA07 group was found to be active in Russia, South Korea, France, and Sweden. The group sent spear phishing emails to workers of Russian embassies. The emails, which impersonated other embassy workers, carried a malicious PowerPoint attachment containing a macro script. At the final stage, the macro was registered in the scheduler to keep sending information to the C2 server.

The hacking activities of SectorA groups that continue to date aim to collect advanced information on South Korean governmental activities, such as political and diplomatic activities, while at the same time targeting the whole world to secure financial resources. This aim has persisted over a long period of time and is expected to continue unchanged for some time.

2. Characteristics of SectorB Group Activities

In September 2022, activities by a total of 5 hacking groups were identified: SectorB01, SectorB07, SectorB09, SectorB22 and SectorB58.

SectorB01 group was found to be active in Mongolia, Taiwan, Russia, Vietnam, Singapore, Netherlands, Germany, Hong Kong, the United States, China, and Cyprus. The group disseminated malware to workers of government entities and various industries such as finance, telecommunication, and the media. The group used known malware with the DLL side-loading technique, which loads and executes a malicious DLL through a legitimate program, and the malware carried out various functions such as keylogging, screen capturing, and file upload and download.

SectorB07 group was found to be active in Taiwan, Thailand, Singapore, Germany, Australia, Malaysia, the United States, and Israel. The group attempted phishing attacks on workers in the energy and manufacturing industries and disseminated malware to visitors of a phishing webpage by inserting JavaScript. At the final stage, browser information of the targets was collected and sent to the C2 server, and various functions were carried out depending on the plugin sent from the C2 server.

SectorB09 group was found to be active in Japan and the United States. The group used ARM-based malware to attack Linux systems with the aim of penetrating internal networks. When communication with the C2 server succeeds, the malware collects information from the system, such as computer name, process ID, and login username, and transfers it to the C2 server.

SectorB22 group was found to be active in Canada, the United States, Myanmar, and Vietnam. The group sent compressed files containing malware to workers of government institutions. The files were named after various topics that would interest the target, such as the state of the economy in Ukraine, an impersonation of the Republic of Suriname embassy, and EU drug crimes. At the final stage, they monitored the infected system to collect information and take control of the system.

SectorB58 group was found to be active in the Xinjiang Uygur Autonomous Region of China. The group targeted users of a Chinese minority community for their attacks. The group used Android malware to collect information such as text messages, contacts, call history and location information from the infected devices.

The hacking activities of SectorB groups that continue to date appear to aim at collecting advanced information on governmental activities, such as political and diplomatic activities, and target the whole world.

3. Characteristics of SectorC Group Activities

In September 2022, activities by a total of 2 hacking groups were identified: SectorC05 and SectorC08.

SectorC05 group was found to be active in Ukraine. The group used malware disguised as military administration documents of Odessa, a port city in southern Ukraine, and exploited remote access tools in the final stage.

SectorC08 group was found to be active in Ukraine and China. The group used documents disguised as having been written by government institutions such as the Ministry of Home Affairs and the Security Bureau. At the final stage, the malware was used to collect system information and steal files.

The hacking activities of SectorC groups that continue to date appear to aim at collecting advanced information on governmental activities, such as political and diplomatic activities, and target the whole world, including countries near the supporting government's borders.

4. Characteristics of SectorD Group Activities

In September 2022, activities by a total of 4 hacking groups were identified: SectorD02, SectorD05, SectorD14 and SectorD20.

SectorD02 group was found to be active in Israel. The group targeted servers where the Log4j vulnerability had not yet been patched and used an exploit against the vulnerable SysAid Server instance to attempt installation of remote access tool software.

SectorD05 group was found to be active in Egypt, Jordan, Israel, India, and the Arab Emirates. The group carried out phishing attacks against organizations in the maritime transport and marine industries, and was seen to have stolen the organization's mail server information in order to collect information for additional attacks.

SectorD14 group was found to be active in Slovakia, the United States, Albania, Greece, Russia, Vietnam, South Korea, Saudi Arabia, Brazil, Germany, and Switzerland. The group used malware disguised as a Java update. The malware could not only upload files and execute additional commands but also capture a screenshot of the target's current screen.

SectorD20 group was found to be active in Kazakhstan, South Korea, the United States, England, Australia, and Canada. The group exploited the ProxyShell vulnerability and the Log4j vulnerability to gain access to the target's system, activated BitLocker to encrypt the data, and generated a ransom note at the final stage.

SectorD hacking groups mostly carried out hacking activities targeting countries in political conflict with the supporting government, and the groups have recently been seen collecting advanced information, such as the political and diplomatic activities of individuals or governments opposed to the supporting government.

5. Characteristics of SectorE Group Activities

In September 2022, activities by a total of 5 hacking groups were identified: SectorE01, SectorE02, SectorE03, SectorE04, and SectorE05.

SectorE01 group was found to be active in Pakistan, India, and China. The group disseminated malicious RTF (Rich Text Format) documents to workers of government institutions, police, and national defense. At the final stage, the group stole system information and downloaded and executed additional malware to take control of the system.

SectorE02 group was found to be active in Ukraine, Pakistan, Singapore, Netherlands, Bangladesh, India, Austria, and Russia. The group disseminated malicious MS Word and RTF (Rich Text Format) documents disguised under file titles such as meeting minutes format, lack of components, and letters. At the final stage, additional malware was generated and executed to take control of the system.

SectorE03 group was found to be active in China, Hong Kong, and Russia. In this activity, the group used malicious Word documents disguised in a specific format adopted by documents and resumes used by government institutions. In the final stage, the ransomware generates and executes a DLL file that collects system information, information on files with a specific extension, and network information, and sends it to the C2 server.

SectorE04 group was found to be active in Pakistan and Netherlands. The group disseminated MS Word documents disguised as government documents. The Word document uses the template injection technique to download an additional file containing macros from the C2 server, which used a domain resembling that of the impersonated government institution in order to deceive the target.

SectorE05 group was found to be active in China and Albania. The group used CHM (Compiled HTML Help) format malware in their attacks, disguised under titles such as an invitation to the Chinese Medical Device conference and a meeting for a space cooperation institution. In the final stage, the malware was registered in the scheduler to maintain persistence in the infected system and exploited Windows utilities to send the computer name and username to the C2 server.

The hacking activities of SectorE groups that continue to date appear to aim at collecting advanced information on political, diplomatic, and military activities. However, considering that they have recently expanded their targets to East Asian countries including China and to other areas, it is analyzed that the proportion of hacking activities to collect advanced information related to politics, diplomacy, and technology from these countries has increased.

6. Characteristics of SectorH Group Activities

In September 2022, activities by a total of 1 hacking group were identified: SectorH03.

SectorH03 group was found to be active in India and the United States. The group targeted government, military, and national defense institutions and disseminated Windows LNK format malware disguised as training payment guidelines for national defense institution employees. The malware carried out malicious activities such as keylogging and the collection of clipboard data or screenshots.

The hacking activities of the SectorH group consist of cybercrime hacking activities and government-supported hacking activities. Diplomatic clashes have been ongoing between the backing country and the bordering country, India, so it is analyzed that they will continue activities to collect advanced information on the military and politics of Indian government agencies according to their needs.

7. Characteristics of Cybercrime Group Activities

In September 2022, activities by a total of 4 hacking groups were identified: SectorJ09, SectorJ25, SectorJ26 and SectorJ48.

Unlike government-supported hacking groups, they steal online information that has monetary value in the real world, directly hack specific companies and organizations to distribute ransomware in their internal networks, or steal important confidential industrial information and demand a ransom in return.

SectorJ09 group continued using their hacking technique of inserting obfuscated skimming scripts into websites to collect usernames, addresses, emails, phone numbers and credit card payment details at the payment page. In this activity, JavaScript malware with a format like those found in the past was identified.

SectorJ25 group was found to be active in the United States and England. The group targeted Linux-based systems with shell-format malware and attempted to issue additional commands for execution and to carry out cryptojacking.

SectorJ26 group was found to be active in the United States, Canada, Germany, and Luxembourg. The group used malicious MS Word documents disguised as TIC (Testing, Inspection and Certification) documents, and used Cobalt Strike in the final stage to take control of systems and steal information.

SectorJ48 group was found to be active in Turkey, France, England, the United States, Italy, Russia, Vietnam, and Japan. The group carried out attacks targeting NGOs (non-governmental organizations), government institutions and various industries including hospitality services. In the final stage, Cobalt Strike was installed on the target system to steal system authorization and information.

The full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact service@nshc.net.