APT Meets GPT: Targeted Operations with Untamed LLMs

Oct. 8, 2025, 4:11 p.m.

Description

Over the course of three months, Volexity observed UTA0388 using various themes and fictional identities across dozens of spear phishing campaigns. As time passed, Volexity observed UTA0388 broaden their targeting and send emails in a variety of different languages, including English, Chinese, Japanese, French, and German. In most cases, the initial email sent by UTA0388 contained a link to phishing content hosted on a cloud-based service that would lead to malware.

Date

  • Created: Oct. 8, 2025, 4:08 p.m.
  • Published: Oct. 8, 2025, 4:08 p.m.
  • Modified: Oct. 8, 2025, 4:11 p.m.

Indicators

  • fbade9d8a040ed643b68e25e19cba9562d2bd3c51d38693fe4be72e01da39861
  • ad5718f6810714bc6527cc86d71d34d8c556fe48706d18b5d14f0261eb27d942
  • a5ee55a78d420dbba6dec0b87ffd7ad6252628fd4130ed4b1531ede960706d2d
  • 998e314a8babf6db11145687be18dc3b8652a3dd4b36c115778b7ca5f240aae4
  • 88782d26f05d82acd084861d6a4b9397d5738e951c722ec5afed8d0f6b07f95e
  • 7d7d75e4d524e32fc471ef2d36fd6f7972c05674a9f2bac909a07dfd3e19dd18
  • 53af82811514992241e232e5c04e5258e506f9bc2361b5a5b718b4e4b5690040
  • 2ffe1e4f4df34e1aca3b8a8e93eee34bfc4b7876cedd1a0b6ca5d63d89a26301
  • 4c041c7c0d5216422d5d22164f83762be1e70f39fb8a791d758a816cdf3779a9
  • 126c3d21a1dae94df2b7a7d0b2f0213eeeec3557c21717e02ffaed690c4b1dbd
  • 0414217624404930137ec8f6a26aebd8a3605fe089dbfb9f5aaaa37a9e2bad2e
  • 82.118.16.173
  • 80.85.157.117
  • 74.119.193.175
  • 31.192.234.22
  • 104.194.152.152
  • 104.194.152.137
  • 185.144.28.68
  • 80.85.156.234
  • 80.85.154.48
  • 45.141.139.222
  • https://app-site-association.cdn-apple.info:443/updates.rss
  • http://outlook.windows-app.store/ws
  • http://onedrive.azure-app.store/ws
  • http://api.twmoc.info/ws
  • http://82.118.16.173:443
  • http://80.85.157.117:443
  • http://80.85.154.48:443
  • https://aesthetic-donut-1af43s2.netlify.app/index/file/A_Introduction_Docs_v00546823.rar
  • https://aesthetic-donut-1af43s2.netlify.app/file/rar
  • www.twmoc.info
  • outlook.windows-app.store
  • onedrive.azure-app.store
  • app-site-association.cdn-apple.info
  • api.twmoc.info
  • windows-app.store
  • twmoc.info
  • sliddeshare.online
  • doccloude.info
  • cdn-apple.info
  • azure-app.store

Attack Patterns

  • UTA0388
  • govershell