UTG-Q-015, a Southeast Asia-based threat actor, escalated its operations in early 2025 by shifting to more aggressive tactics. Initially exposed in December 2024 for mounting attacks on Chinese developer forums, UTG-Q-015 evolved to exploit both 0-day and N-day vulnerabilities in March and April 2025, targeting government and enterprise systems. The group conducted widespread scanning and brute-force attacks using a distributed node network, aiming to plant backdoors and pivot laterally across internal networks. In April, they initiated a large-scale watering hole campaign, compromising over 100 websites in the blockchain, Web3, and financial tech spaces to deliver .NET-based backdoors via phishing prompts disguised as update links.
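The distributed brute-force activity described above is the pattern that per-source lockouts (fail2ban-style counters) miss: each node in the network makes only a few attempts, so no single IP trips a threshold while the target host still absorbs hundreds of failures. The following is an added detection example, not code from the original report or from any vendor's tooling; the sshd log lines are constructed for illustration and the two thresholds are assumptions to tune against your own baseline.

```python
"""Distinguish distributed from single-source brute force in sshd auth logs.

Added example; the sample log and thresholds below are constructed, not
taken from the report on UTG-Q-015.
"""
import re
from collections import defaultdict

# Constructed sample: web01 sees a few failures each from many sources
# (distributed pattern); db01 sees repeated failures from one source.
SAMPLE_LOG = """\
Apr 10 02:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.10 port 50211 ssh2
Apr 10 02:00:03 web01 sshd[1202]: Failed password for root from 203.0.113.11 port 50212 ssh2
Apr 10 02:00:05 web01 sshd[1203]: Failed password for admin from 203.0.113.12 port 50213 ssh2
Apr 10 02:00:07 web01 sshd[1204]: Failed password for root from 198.51.100.7 port 40001 ssh2
Apr 10 02:00:09 web01 sshd[1205]: Failed password for invalid user deploy from 198.51.100.8 port 40002 ssh2
Apr 10 02:00:11 web01 sshd[1206]: Failed password for root from 198.51.100.9 port 40003 ssh2
Apr 10 02:00:13 web01 sshd[1207]: Accepted publickey for ops from 192.0.2.5 port 33000 ssh2
Apr 10 02:05:00 db01 sshd[2201]: Failed password for root from 192.0.2.44 port 51000 ssh2
Apr 10 02:05:02 db01 sshd[2202]: Failed password for root from 192.0.2.44 port 51001 ssh2
Apr 10 02:05:04 db01 sshd[2203]: Failed password for root from 192.0.2.44 port 51002 ssh2
Apr 10 02:05:06 db01 sshd[2204]: Failed password for root from 192.0.2.44 port 51003 ssh2
Apr 10 02:05:08 db01 sshd[2205]: Failed password for root from 192.0.2.44 port 51004 ssh2
Apr 10 02:05:10 db01 sshd[2206]: Failed password for root from 192.0.2.44 port 51005 ssh2
"""

# Matches the standard OpenSSH failure line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^\S+ \d+ \S+ (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text):
    """Return (host, user, src) for every failed-password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            out.append((m.group("host"), m.group("user"), m.group("src")))
    return out


def classify(log_text, single_src_threshold=5, distinct_src_threshold=5):
    """Label the failure pattern seen by each target host.

    'single-source'   : one source IP alone exceeds single_src_threshold
                        failures (the case per-IP lockouts already catch).
    'distributed'     : no single source crosses that threshold, but the
                        failures are spread over >= distinct_src_threshold
                        sources, which per-IP counters do not flag.
    'below-threshold' : neither condition met.
    Thresholds are assumed starting points, not values from the report.
    """
    per_host = defaultdict(lambda: defaultdict(int))
    for host, _user, src in parse_failures(log_text):
        per_host[host][src] += 1

    verdicts = {}
    for host, srcs in per_host.items():
        if any(n > single_src_threshold for n in srcs.values()):
            verdicts[host] = "single-source"
        elif len(srcs) >= distinct_src_threshold:
            verdicts[host] = "distributed"
        else:
            verdicts[host] = "below-threshold"
    return verdicts


if __name__ == "__main__":
    for host, verdict in classify(SAMPLE_LOG).items():
        print(f"{host}: {verdict}")
```

The point of keying the second rule on the target host rather than the source is that a node network spreads its attempts thin by design; aggregating failures per victim within a time window, and alerting on source diversity, surfaces the campaign that a per-IP ban list leaves running.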
In parallel, UTG-Q-015 targeted financial institutions using a multi-stage payload delivery chain, beginning with web exploitation and escalating to IM-based phishing to lure victims into downloading sensitive files that established command-and-control (C2) communication. Additionally, the group targeted Linux systems in AI research environments, exploiting vulnerabilities such as CVE-2023-48022 and misconfigured ComfyUI components to deploy lightweight backdoors like Vshell and Xnote. Their activities reflect a mix of financially motivated and ideologically driven espionage, and they continue to leverage public-facing services, open-source tools, and supply chain vulnerabilities to infiltrate high-value targets across sectors.