Targeting Taiwan & Japan with DLL Implants

May 13, 2025, 8:28 a.m.

Description

A newly discovered APT campaign dubbed Swan Vector is targeting educational institutes and mechanical engineering industries in Taiwan and Japan. The attack uses a sophisticated multi-stage infection chain involving malicious LNK files, DLL implants (Pterois and Isurus), and Cobalt Strike payloads. The threat actor employs various evasion techniques including API hashing, direct syscalls, DLL sideloading, and self-deletion. Google Drive is abused as a command-and-control server. While attribution remains uncertain, similarities with Winnti, Lazarus, and APT10 techniques have been observed. The campaign has been active since December 2024 and is expected to continue with new implants targeting additional applications.

Date

  • Created: May 12, 2025, 6:34 p.m.
  • Published: May 12, 2025, 6:34 p.m.
  • Modified: May 13, 2025, 8:28 a.m.

Indicators


Attack Patterns

  • Isurus
  • Pterois
  • Cobalt Strike - S0154
  • Swan Vector

Additional Information

  • Education
  • Manufacturing
  • Taiwan
  • Japan