UTG-Q-015 Hackers Launch Massive Brute-Force Attacks on Government Web Servers

The hacker group UTG-Q-015, first identified in December 2024 for mounting attacks on major websites like CSDN, has escalated its malicious activities, targeting government and enterprise web servers with unprecedented aggression.

Initially disclosed for its website-manipulation tactics, the group has since pivoted to exploiting 0-day and N-day vulnerabilities, launching widespread scanning and brute-force (credential "blasting") campaigns as early as March 2025.

Brute-Force Attacks on Government Web Servers

This Southeast Asia-based threat actor, known for providing penetration and intelligence services, has demonstrated adaptability by altering tactics post-exposure, focusing on high-value targets such as blockchain platforms, financial institutions, and AI research servers.

UTG-Q-015’s operations took a menacing turn in March 2025 when they deployed a network of scanning nodes to execute brute-force attacks on publicly accessible government and enterprise web servers.
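The brute-force activity described above is visible in ordinary web-server access logs as bursts of failed POSTs to login endpoints from a single source. The following detection sketch is an added example, not code from the report or from Qi'anxin; it assumes combined log format, a hypothetical set of login paths, and constructed log lines using documentation IP ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format regex: source IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
LOGIN_PATHS = {"/login", "/admin/login", "/wp-login.php"}  # assumed endpoints
WINDOW = timedelta(seconds=60)   # sliding window
THRESHOLD = 5                    # failed logins per window that trigger an alert

# Constructed sample access-log lines (documentation IPs), not from the report.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:09:15:01 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2025:09:15:02 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:09:15:02 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:09:15:03 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:09:15:04 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:09:15:05 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:09:15:06 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2025:09:15:10 +0000] "POST /admin/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:09:20:00 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "python-requests/2.31"
"""

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each alerting source IP to its peak failed-login count; lines must be chronological."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failed logins
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if not (method == "POST" and path in LOGIN_PATHS and status in (401, 403)):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts
```

The benign client that fails once and then succeeds never reaches the threshold, while the scripted source is flagged at its sixth attempt within the minute.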

Figure: embedded JS code

After successfully compromising systems, the group deployed Cobalt Strike backdoors and manipulated nps tunnels for persistence, using tools like fscan for lateral movement with harvested credentials.

Brute-Force to Sophisticated Exploits

By April, their arsenal expanded to include Nday exploits such as CVE-2021-38647, CVE-2017-12611, and CVE-2017-9805, showcasing their growing technical sophistication.

Their April campaign also included a targeted watering-hole operation against blockchain-related websites, digital-signature backends, Bitcoin systems, and GitLab interfaces, affecting numerous government and enterprise clients.

Victims were lured into downloading malicious payloads from domains like hxxps://updategoogls.cc/tools.exe, often via phishing pages embedded with deceptive JavaScript code on compromised Web3 and blockchain project sites.

Beyond these sectors, UTG-Q-015 has infiltrated financial institutions using a multi-stage attack chain.

Starting with unknown web vulnerabilities to compromise border servers, they employed IM phishing to deliver bait files like “confidential XXXX.exe” to internal personnel, ultimately fetching a third-stage payload via intranet-linked C2 servers.

Figure: executing bash scripts

Their reach extends to Linux-based AI platforms as well, exploiting vulnerabilities such as CVE-2023-48022 and unauthenticated-access flaws in ComfyUI-Manager plugins to load backdoors such as Vshell, targeting AI research servers for espionage.

According to the Report, this persistent focus on AI infrastructure in 2025, especially through offshore APT collaborations, underscores the strategic intent behind their operations and poses a severe risk to innovation-critical sectors.

The narrative of Chinese-speaking attackers, often generalized as “CN-Nexus” by international partners, oversimplifies a complex ecosystem spanning East and Southeast Asia.

UTG-Q-015, while a professional outfit, operates in a tense landscape of ideological and political conflicts, often clashing with regional outsourcing groups like Operation EviLoong and Operation Giant.

Their retaliatory attacks on domestic programming forums in 2024 reflect deeper rivalries masked as “outsourcing wars.”

To counter such threats, solutions like cloud-based threat detection and ASRock’s capability to neutralize UTG-Q-015’s weaponry are strongly recommended for government and enterprise clients.

Additionally, platforms from Qi’anxin, including SkyRock, SkyEye, and NGSOC, provide robust detection against these sophisticated incursions.

