A newly discovered APT campaign dubbed Swan Vector is targeting educational institutions and the mechanical engineering industry in Taiwan and Japan. The attack uses a multi-stage infection chain involving malicious LNK files, the DLL implants Pterois and Isurus, and Cobalt Strike payloads. The threat actor employs several evasion techniques, including API hashing, direct syscalls, DLL sideloading, and self-deletion, and abuses Google Drive as a command-and-control channel. Attribution remains uncertain, though overlaps with Winnti, Lazarus, and APT10 tradecraft have been observed. The campaign has been active since December 2024 and is expected to continue with new implants targeting additional applications. Author: AlienVault
Related Tags:
Isurus
Pterois
T1055.004
multi-stage attack
T1055.003
T1218.011
Cobalt Strike – S0154
T1566.001
T1070.004
Associated Indicators:
9C83FAAE850406DF7DC991F335C049B0B6A64E12AF4BF61D5FB7281BA889CA82
DE839D6C361C7527EEAA4979B301AC408352B5B7EDEB354536BD50225F19CFA5
E1B2D0396914F84D27EF780DD6FDD8BAE653D721EEA523F0ADE8F45AC9A10FAF
9FB57A4C6576A98003DE6BF441E4306F72C83F783630286758F5B468ABAA105D
9DF9BB3C13E4D20A83B0AC453E6A2908B77FC2BF841761B798B903EFB2D0F4F7
7BF5E1F3E29BECCCA7F25D7660545161598BEFFF88506D6E3648B7B438181A75
E86FEAA258DF14E3023C7A74B7733F0B568CC75092248BEC77DE723DBA52DD12
C7B9AE61046EED01651A72AFE7A31DE088056F1C1430B368B1ACDA0B58299E28
C8ED52278EC00A6FBC9697661DB5FFBCBE19C5AB331B182F7FD0F9F7249B5896
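To make the indicator list above directly usable on a host, the following triage script is an added example, not part of the pulse or of any AlienVault tooling. It hashes every file under a directory tree and reports any whose SHA-256 matches one of the nine indicators. It assumes the indicators are SHA-256 digests of the files themselves (the pulse does not label the hash type, but the 64-hex-character length fits SHA-256); the function names, the script name and the directory argument are placeholders of this example.

```python
"""Match files on disk against the Swan Vector SHA-256 indicators listed above.

Added triage example (not AlienVault's code): walks a directory tree, hashes
each file in chunks, and reports matches against the pulse's indicator set.
"""
from __future__ import annotations

import hashlib
import os
import sys

# SHA-256 indicators copied from the pulse's indicator list (published uppercase).
SWAN_VECTOR_SHA256 = (
    "9C83FAAE850406DF7DC991F335C049B0B6A64E12AF4BF61D5FB7281BA889CA82",
    "DE839D6C361C7527EEAA4979B301AC408352B5B7EDEB354536BD50225F19CFA5",
    "E1B2D0396914F84D27EF780DD6FDD8BAE653D721EEA523F0ADE8F45AC9A10FAF",
    "9FB57A4C6576A98003DE6BF441E4306F72C83F783630286758F5B468ABAA105D",
    "9DF9BB3C13E4D20A83B0AC453E6A2908B77FC2BF841761B798B903EFB2D0F4F7",
    "7BF5E1F3E29BECCCA7F25D7660545161598BEFFF88506D6E3648B7B438181A75",
    "E86FEAA258DF14E3023C7A74B7733F0B568CC75092248BEC77DE723DBA52DD12",
    "C7B9AE61046EED01651A72AFE7A31DE088056F1C1430B368B1ACDA0B58299E28",
    "C8ED52278EC00A6FBC9697661DB5FFBCBE19C5AB331B182F7FD0F9F7249B5896",
)


def normalize_sha256(digest: str) -> str:
    """Lower-case and strip a hex digest; reject anything that is not 64 hex chars.

    Different tools emit SHA-256 in different cases, so comparison must be
    case-insensitive, and a malformed value must never silently "not match".
    """
    d = digest.strip().lower()
    if len(d) != 64 or any(c not in "0123456789abcdef" for c in d):
        raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
    return d


# Normalized lookup set built once, so is_ioc() is an O(1) check per file.
IOC_SET = frozenset(normalize_sha256(h) for h in SWAN_VECTOR_SHA256)


def is_ioc(digest: str) -> bool:
    """True if the digest (in any case) is one of the pulse's indicators."""
    try:
        return normalize_sha256(digest) in IOC_SET
    except ValueError:
        return False


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob (used for constructed test input)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str) -> list[tuple[str, str]]:
    """Walk root and return (path, sha256) for every file matching an indicator.

    Unreadable files (permission errors, temp files that vanish mid-walk) are
    skipped rather than aborting the sweep, since a live host always has some.
    """
    hits: list[tuple[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if is_ioc(digest):
                hits.append((path, digest))
    return hits


if __name__ == "__main__":
    # Usage: python swan_vector_hunt.py /path/to/scan   (defaults to the cwd)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in scan_tree(target):
        print(f"IOC MATCH {digest} {path}")
```

Run it against user profile, download and temporary directories first, since that is where an LNK-delivered first stage and sideloaded DLLs tend to land. File-hash indicators are exact-match only: a recompiled or padded implant will not hit, so treat a clean sweep as absence of these specific samples, not absence of the campaign, and pair it with the behavioural ATT&CK techniques tagged above.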