Friday, June 13, 2025

Hackers Launch Large-Scale Cyber Attacks on Government Servers

by Charline

A new and sophisticated cyber campaign, labeled UTG-Q-015, has targeted government web servers with large-scale brute-force attacks. Security researchers believe the malware is part of a state-sponsored operation aimed at compromising critical infrastructure across multiple countries.

The cyberattacks first appeared in early May 2025. Since then, several defense ministries and municipal government websites have reported server breaches. Experts warn that the malware behind the attacks uses advanced techniques to gain and maintain access to sensitive systems.


How the Malware Works

UTG-Q-015 uses a combination of methods to infiltrate its targets. The attackers begin by scanning web applications for login forms protected by weak credentials. They then perform brute-force attacks against those logins using large dictionaries of common passwords. In some cases, they also use SQL injection to gain deeper access to backend systems.


Once inside, the malware scans for administrative portals and keeps guessing passwords until it gains control of them. Researchers from Qianxin identified the malware through behavior analysis and found that it uses polymorphic code to evade signature-based antivirus software.
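The password-guessing behaviour described above is noisy in web server and authentication logs, which is where a defender usually catches it. The following is an added example, not code from the article or from Qianxin: a sliding-window detector run over a constructed login log (the log format, the IP addresses and the usernames are all invented for the example). It flags any source that accumulates a threshold of failures inside a time window, records whether that source later logs in successfully (the sign that a guess worked), and shows why the window size matters by re-running with a wider window to catch a slower "low and slow" guesser.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, source IP, username, outcome.
# 203.0.113.7 hammers the admin login and eventually succeeds;
# 198.51.100.2 fails once every four minutes (too slow for a 60 s window).
SAMPLE_LOG = """\
2025-05-03T10:00:01Z 203.0.113.7 admin FAIL
2025-05-03T10:00:02Z 203.0.113.7 admin FAIL
2025-05-03T10:00:04Z 203.0.113.7 admin FAIL
2025-05-03T10:00:05Z 198.51.100.2 jdoe OK
2025-05-03T10:00:06Z 203.0.113.7 admin FAIL
2025-05-03T10:00:07Z 203.0.113.7 admin FAIL
2025-05-03T10:00:09Z 203.0.113.7 root FAIL
2025-05-03T10:00:10Z 203.0.113.7 admin OK
2025-05-03T10:05:00Z 198.51.100.2 jdoe FAIL
2025-05-03T10:09:00Z 198.51.100.2 jdoe FAIL
2025-05-03T10:13:00Z 198.51.100.2 jdoe FAIL
2025-05-03T10:17:00Z 198.51.100.2 jdoe FAIL
2025-05-03T10:21:00Z 198.51.100.2 jdoe FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: alert} for every source that reaches `threshold` failed
    logins inside a sliding window of `window_seconds`.

    A later successful login from a source that already tripped the alert is
    recorded under 'success_after_bruteforce': that account should be treated
    as compromised, not merely attacked."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users_tried = defaultdict(set)  # ip -> usernames it has guessed against
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, user, ok = parse_line(raw)
        recent = failures[ip]
        # Drop failures that have aged out of the window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if ok:
            if ip in alerts:
                alerts[ip]["success_after_bruteforce"] = user
            continue
        recent.append(ts)
        users_tried[ip].add(user)
        if len(recent) >= threshold and ip not in alerts:
            alerts[ip] = {
                "first_alert": ts,
                "failures_in_window": len(recent),
                "users_tried": sorted(users_tried[ip]),
                "success_after_bruteforce": None,
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
    # Widen the window to 30 minutes and the slow guesser is caught as well.
    print(sorted(detect_bruteforce(SAMPLE_LOG, window_seconds=1800)))
```

With the default 60-second window only 203.0.113.7 is reported, and its entry shows the later successful `admin` login. The second call, with a 30-minute window, also reports 198.51.100.2; the trade-off is that wider windows raise the chance of flagging a legitimate user who mistypes a password a few times over a long session, so thresholds are usually tuned per portal rather than set globally.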


Modular and Adaptive Design

The malware has a modular structure, allowing it to adapt to different environments. This flexibility lets attackers deploy specific tools depending on the systems they compromise. In many cases, the goal is not just to steal information, but to set up long-term control over government networks.


Several agencies have reported continued service disruptions. There are also confirmed cases of unauthorized access to databases containing personal and classified information.

Advanced Techniques for Staying Hidden

One of the malware’s most dangerous features is its ability to stay hidden. UTG-Q-015 uses a technique called process hollowing, in which it starts a trusted system process and replaces that process’s code in memory with its own malicious code. Because the running process still carries the name and path of a legitimate program, security software that trusts those attributes may not detect the attack.

Here is a simplified version of how the injection works:

```python
# Simplified pseudocode; the helper names are illustrative, not real API calls.
def inject_payload(target_process, malicious_code):
    # Start a trusted process, but paused before it runs anything
    suspended_process = create_process(target_process, SUSPENDED)
    # Remove the legitimate program image from the process's memory
    unmap_memory(suspended_process.base_address)
    # Reserve space and copy the malicious payload in its place
    allocate_memory(suspended_process, malicious_code.size)
    write_memory(suspended_process, malicious_code)
    # Let the process run; it now executes the payload under a trusted name
    resume_thread(suspended_process.main_thread)
```
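Each step in the sequence above (a process created suspended, its image unmapped, memory written into it by another process, then a thread resumed) is something endpoint telemetry can record, and the combination is far more distinctive than any single step. The following is an added example, not code from the article or from Qianxin: a small correlation rule run over a constructed stream of process events. The event schema, process IDs and image paths are invented for the example; a real deployment would map the fields onto whatever the endpoint agent actually emits. The rule only fires when one process creates another in a suspended state, writes into its memory, and then resumes it; a suspended create that is resumed without any memory write, which some legitimate software does, is not reported.

```python
# Constructed telemetry: (sequence_no, actor_pid, action, target_pid, detail).
# Actions mirror the stages of the simplified pseudocode above.
EVENTS = [
    # Hollowing chain: 4100 creates 5200 suspended, unmaps it, writes, resumes.
    (1, 4100, "process_create", 5200, {"image": r"C:\Windows\System32\svchost.exe", "suspended": True}),
    (2, 4100, "unmap_section", 5200, {"base": "0x140000000"}),
    (3, 4100, "alloc_memory", 5200, {"protect": "RWX"}),
    (4, 4100, "write_memory", 5200, {"bytes": 184320}),
    (5, 4100, "resume_thread", 5200, {}),
    # Benign: 900 creates 5300 suspended and resumes it with no write (no finding).
    (6, 900, "process_create", 5300, {"image": r"C:\Windows\System32\notepad.exe", "suspended": True}),
    (7, 900, "resume_thread", 5300, {}),
    # Benign: normal process creation with no memory manipulation at all.
    (8, 900, "process_create", 5400, {"image": r"C:\Windows\explorer.exe", "suspended": False}),
]


def detect_process_hollowing(events):
    """Correlate events per (creator, child) pair and return one finding for
    each child that was created suspended, written to by its creator, and then
    resumed. An unmap of the original image raises confidence to 'high'."""
    state = {}      # (actor_pid, target_pid) -> stages seen since the create
    findings = []
    for _seq, actor, action, target, detail in sorted(events, key=lambda e: e[0]):
        key = (actor, target)
        if action == "process_create":
            state[key] = {
                "image": detail.get("image"),
                "suspended": bool(detail.get("suspended", False)),
                "stages": {"process_create"},
            }
            continue
        st = state.get(key)
        if st is None:
            # The actor did not create this target; outside this rule's scope.
            continue
        st["stages"].add(action)
        if action == "resume_thread":
            if st["suspended"] and "write_memory" in st["stages"]:
                unmapped = "unmap_section" in st["stages"]
                findings.append({
                    "actor_pid": actor,
                    "target_pid": target,
                    "image": st["image"],
                    "unmapped_original_image": unmapped,
                    "confidence": "high" if unmapped else "medium",
                })
            # The chain is complete once the child runs; stop tracking it.
            del state[key]
    return findings


if __name__ == "__main__":
    for finding in detect_process_hollowing(EVENTS):
        print(finding)
```

The rule deliberately keys on the creator/child relationship rather than on the child's image name, since the whole point of hollowing is that the image name looks trustworthy. In practice this correlation is combined with a check that the code actually mapped at the process's base address still matches the executable on disk, which is the second strong indicator of a hollowed process.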

To stay active even after system reboots, the malware modifies registry entries and creates scheduled tasks. These persistence mechanisms make it extremely difficult to fully remove the malware once a system is infected.

Ongoing Investigation

Authorities are working to contain the spread of UTG-Q-015 and prevent further damage. Cybersecurity teams across different countries are coordinating efforts to better understand the malware and protect government systems from future attacks.


© 2024 Copyright  proxyserverpro.com