"assesses with a high degree of confidence that they are a China-aligned threat actor. This assessment is based both on technical artifacts and the targeting profile of the campaigns. Over the course of three months, Volexity observed UTA0388 using various themes and fictional i…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1053.005 Scheduled Task (99%)
"however, likely by mistake, this is done twice. The traffic is formatted as follows: (17 03 03 [len word] (17 03 03 [len word] (encoded payload))). There is no authentication with the C2 server for this variant. The payload, however, is encoded using a custom encoding…"
T1059.001 PowerShell (99%)
"malware registers the victim’s device with the C2. To do so it generates two IDs: this registration message has the following JSON format: {"id": "<agentid>", "host_id": "<hostid>", "metadata": {"hostname": "…", "os": "…", "arch": "…", "us…"
T1566.002 Spearphishing Link (99%)
"APT meets GPT: targeted operations with untamed LLMs. Starting in June 2025, Volexity detected a series of spear phishing campaigns targeting several customers and their users in North America, Asia, and Europe. The initially observed campaigns were tailored to the targets, and t…"
T1053.005 Scheduled Task (99%)
"variant of UTA0388’s GoVershell backdoor. This attack path is summarized in the image below. GoVershell. At the time of writing, Volexity has identified five distinct variants of the GoVershell malware family. Throughout various campaigns Volexity observed active changes in the …"
T1566.002 Spearphishing Link (98%)
"UTA0388 used would support both endpoints and serve up both RAR and ZIP archives containing the same malicious files. UTA0388 would often use the same sending email address, but vary the “friendly name” and identity used in the actual email body. In the above example, an immediat…"
T1053.005 Scheduled Task (98%)
"the formatted current time on the victim’s machine. Example: “2006-01-02 15:04:05”. sysinfo: retrieve the following information about the victim’s machine: OS, CPU architecture, number of CPU cores, hostname. interval: set the malware polling rate in seconds. persistence: i…"
T1573.001 Symmetric Cryptography (94%)
"a file named te32.dll located in a directory named lib. C2 communication: this variant attempts to blend in with legitimate network traffic by wrapping its C2 communications with a TLSv1.2 header and encrypts its content with the AES (CFB) cipher. The AES key used is supersecr…"
T1053.005 Scheduled Task (94%)
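The TLSv1.2-header wrapping in the excerpt just above, and the double-wrapped framing "(17 03 03 [len word] (17 03 03 [len word] (encoded payload)))" quoted earlier on this page, can be picked out of a packet capture without knowing the payload encoding or the AES key. The following is an added example written for this page, not Volexity's code or tooling. It assumes the client-to-server bytes have already been reassembled from TCP into one blob, and that a record header is the five bytes 17 03 03 plus a big-endian length, as in real TLS. It walks the records, flags a record whose body starts with a second application-data header that covers exactly the rest of the body (the mistaken double wrap), and peels the nested headers off to return the still-encoded payload. A genuine TLS 1.2 connection begins with a handshake record (content type 0x16), so the check belongs at the start of a flow: an application-data record appearing first, and especially a double-wrapped one, is the signal. The sample stream is constructed.

```python
"""Classify and unwrap the fake TLS 1.2 application-data framing quoted above.

Added example for this page; not Volexity's code. Assumes the client->server
bytes have already been reassembled into one blob."""
import struct
from typing import Iterator, Optional

TLS_APPDATA = 0x17          # content type: application data
TLS12 = (0x03, 0x03)        # record-layer version bytes for TLS 1.2
HDR = 5                     # type(1) + version(2) + length(2)


def parse_record_header(buf: bytes, off: int = 0) -> Optional[tuple[int, tuple[int, int], int]]:
    """Return (content_type, version, length) for the header at buf[off:], or None if too short."""
    if len(buf) - off < HDR:
        return None
    ctype, vmaj, vmin, length = struct.unpack_from("!BBBH", buf, off)
    return ctype, (vmaj, vmin), length


def _is_nested_appdata(body: bytes) -> bool:
    """True when body itself starts with a 17 03 03 header whose length covers exactly the rest."""
    inner = parse_record_header(body)
    return (inner is not None and inner[0] == TLS_APPDATA
            and inner[1] == TLS12 and inner[2] == len(body) - HDR)


def iter_records(buf: bytes) -> Iterator[tuple[int, tuple[int, int], bytes]]:
    """Walk consecutive TLS-style records in buf, yielding (content_type, version, body)."""
    off = 0
    while off < len(buf):
        hdr = parse_record_header(buf, off)
        if hdr is None:
            raise ValueError(f"truncated record header at offset {off}")
        ctype, ver, length = hdr
        body = buf[off + HDR: off + HDR + length]
        if len(body) != length:
            raise ValueError(f"truncated record body at offset {off}")
        yield ctype, ver, body
        off += HDR + length


def classify_record(ctype: int, ver: tuple[int, int], body: bytes) -> str:
    """'double-header' = the mistaken 17 03 03 [len] 17 03 03 [len-5] framing,
    'single-header' = one plain application-data record, else 'not-appdata-tls12'."""
    if ctype != TLS_APPDATA or ver != TLS12:
        return "not-appdata-tls12"
    return "double-header" if _is_nested_appdata(body) else "single-header"


def unwrap(body: bytes) -> bytes:
    """Peel nested application-data headers until only the (still encoded) payload remains."""
    while _is_nested_appdata(body):
        body = body[HDR:]
    return body


def wrap(payload: bytes, layers: int = 1) -> bytes:
    """Build the framing the malware emits; layers=2 reproduces the double-header mistake."""
    for _ in range(layers):
        payload = struct.pack("!BBBH", TLS_APPDATA, *TLS12, len(payload)) + payload
    return payload


def scan(buf: bytes) -> list[tuple[str, bytes]]:
    """Classify every record in buf and return (classification, payload) pairs."""
    out = []
    for ctype, ver, body in iter_records(buf):
        kind = classify_record(ctype, ver, body)
        out.append((kind, unwrap(body) if kind == "double-header" else body))
    return out


# Constructed sample: two beacons from the double-wrapping variant, then the kind of
# record a genuine TLS connection starts with (a handshake record, content type 0x16).
SAMPLE_STREAM = wrap(b"{encoded payload 1}", 2) + wrap(b"{encoded payload 2}", 2)
REAL_TLS_START = bytes.fromhex("160301000401000000")   # handshake record carrying 4 bytes

if __name__ == "__main__":
    for kind, payload in scan(SAMPLE_STREAM + REAL_TLS_START):
        print(kind, payload)
```

Two caveats. A payload whose first five bytes happen to look like a correctly sized 17 03 03 header would be peeled one layer too far; that is vanishingly unlikely for real beacons but worth remembering if you feed this arbitrary data. And nothing here decodes or decrypts the payload: the custom encoding of the first variant is not described on this page, and the AES-CFB key of the other is only partially quoted, so the example stops at the framing.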
"detail for each of the observed variants. GoVershell variant 1 (early). Capabilities: can execute commands directly on the Windows command prompt (cmd.exe /c <command>). Persistence: check for the presence of the -run command-line argument; if this is not present, it wil…"
T1566.002 Spearphishing Link (91%)
". In most cases, the initial email sent by UTA0388 contained a link to phishing content hosted on a cloud-based service that would lead to malware. In a limited set of cases, Volexity observed UTA0388 hosting malware on their own servers. Once the initial and broader campaigns …"
T1204.002 Malicious File (87%)
", it led to the download of a remotely hosted archive file. Users would then need to open and execute the executable file within the archive in order to become infected. An example body from one such email is included below. In this example, the email message body designed to loo…"
T1053.005 Scheduled Task (87%)
"persistence: it checks for the presence of the cuvn command-line argument. If this is not present, it will set up persistence and exit. The malware is first copied to the following persistence location: C:\ProgramData\{random_dir_8_char}. Persistence is then achieved…"
T1566.002 Spearphishing Link (79%)
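The persistence logic quoted above, together with the -run check of variant 1 a few excerpts earlier, gives two cheap, mutually corroborating indicators for process-creation telemetry: an executable launched from an eight-character directory directly under C:\ProgramData, and the cuvn or -run marker on its command line. The block below is an added example for this page, not Volexity's code or detection content. ProcEvent is a minimal stand-in for the fields a Sysmon Event ID 1 record carries, the sample events are constructed, and treating {random_dir_8_char} as eight alphanumerics is an assumption (the page gives only the length).

```python
"""Score process-creation events for the GoVershell persistence pattern quoted above.

Added example for this page; not Volexity's code. ProcEvent is a minimal stand-in for
the fields a Sysmon Event ID 1 record carries; SAMPLE_EVENTS are constructed."""
import re
import shlex
from dataclasses import dataclass

# {random_dir_8_char} in the report is assumed here to be eight alphanumerics.
RANDOM_PROGRAMDATA_EXE = re.compile(r"^c:\\programdata\\[a-z0-9]{8}\\[^\\]+\.exe$", re.IGNORECASE)

# Markers the malware looks for before deciding whether to install persistence:
# "-run" in the early variant 1, "cuvn" in the variant quoted above.
RUN_MARKERS = {"-run", "cuvn"}


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the new process image
    command_line: str   # as logged, argv[0] included


def cmdline_args(cmd: str) -> list[str]:
    """Arguments after argv[0]; non-POSIX splitting keeps backslashes and quoted paths intact."""
    return [a.strip('"') for a in shlex.split(cmd, posix=False)[1:]]


def score_event(ev: ProcEvent) -> tuple[str, list[str]]:
    """Return (level, reasons). Both indicators together are a high-confidence match; the path
    alone is medium; a bare -run/cuvn argument is low because "-run" is a common switch."""
    reasons: list[str] = []
    path_hit = bool(RANDOM_PROGRAMDATA_EXE.match(ev.image))
    if path_hit:
        reasons.append("image under C:\\ProgramData\\<8 random chars>\\")
    marker_hit = sorted(RUN_MARKERS.intersection(a.lower() for a in cmdline_args(ev.command_line)))
    if marker_hit:
        reasons.append(f"GoVershell run marker on command line: {marker_hit}")
    if path_hit and marker_hit:
        level = "high"
    elif path_hit:
        level = "medium"
    elif marker_hit:
        level = "low"
    else:
        level = "none"
    return level, reasons


SAMPLE_EVENTS = [
    # the persisted copy relaunching itself with the marker: both indicators
    ProcEvent(r"C:\ProgramData\x7kq2mpa\update.exe",
              r'"C:\ProgramData\x7kq2mpa\update.exe" cuvn'),
    # the first-stage run from the extracted archive: no marker, not under ProgramData,
    # so this rule does not see it (it only installs persistence and exits)
    ProcEvent(r"C:\Users\alice\Downloads\Report\Report.exe",
              r'"C:\Users\alice\Downloads\Report\Report.exe"'),
    # a benign service using a generic -run switch: marker only
    ProcEvent(r"C:\Program Files\Vendor\svc.exe",
              r'"C:\Program Files\Vendor\svc.exe" -run'),
    # something in an eight-character ProgramData directory without the marker: path only
    ProcEvent(r"C:\ProgramData\ab12cd34\tool.exe",
              r'"C:\ProgramData\ab12cd34\tool.exe" /silent'),
]


def triage(events: list[ProcEvent] = SAMPLE_EVENTS) -> list[tuple[str, str]]:
    """Return (level, image) per event, highest level first."""
    order = {"high": 0, "medium": 1, "low": 2, "none": 3}
    scored = [(score_event(e)[0], e.image) for e in events]
    return sorted(scored, key=lambda s: order[s[0]])


if __name__ == "__main__":
    for level, image in triage():
        print(f"{level:6} {image}")
```

The "none" sample is the important miss: the first execution out of the archive has neither indicator, because at that point the malware only copies itself and installs persistence before exiting. Catching that stage needs a file-creation rule on new executables under C:\ProgramData\<8 chars>\ rather than a process rule, which this example does not cover.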
"of LLM-generated output: fabrications and nonsensical details, often known as hallucinations; lack of coherence, such as false reasoning and improper token prediction. Beyond these linguistic patterns, there are also statistical methods that have been used with varied success to…"
T1573.001 Symmetric Cryptography (78%)
"the session field, which is encrypted by the malware’s master key, AES (GCM). The master key used varies per sample. Further exchanges are then encrypted using the established session key. The following is a list of the observed master keys: topibapru76wra8rebrib1it52h6b9ap 62…"
T1566.001 Spearphishing Attachment (56%)
"conversation first. Phishing emails sent by UTA0388 that were observed by Volexity have all been sent from webmail providers that include ProtonMail, Outlook, and Gmail. Throughout June and July 2025, UTA0388 made use of Netlify to host their malicious RAR and ZIP archives, but t…"
T1566.002 Spearphishing Link (52%)
"nor “Dr. Michael Andersen” are real entities. The phone number includes “3 45 67 89,” a sequential pattern that suggests fabrication. The PGP key identifier intermingles “1234” and “abcd” patterns, which is another clue that this was fabricated. Use of predictable pattern…"
T1583.001 Domains (45%)
"[.]online, and windows-app[.]store. UTA0388 domains are consistently registered and hosted behind Cloudflare. The C2 servers for the WebSocket variant have a default response showing “Secure C2 server is running”. A screenshot of Censys platform’s record of this is show…"
T1566.002 Spearphishing Link (41%)
"[.]online, and windows-app[.]store. UTA0388 domains are consistently registered and hosted behind Cloudflare. The C2 servers for the WebSocket variant have a default response showing “Secure C2 server is running”. A screenshot of Censys platform’s record of this is show…"
T1566.001 Spearphishing Attachment (38%)
"@domain), individuals no longer working at the target organization, and the email address of a podcast, all of which were available online. This pattern suggests automation, LLM or otherwise, that is not fully context aware. Other incoherent details in the phishing emails inclu…"
T1566.001 Spearphishing Attachment (36%)
". In most cases, the initial email sent by UTA0388 contained a link to phishing content hosted on a cloud-based service that would lead to malware. In a limited set of cases, Volexity observed UTA0388 hosting malware on their own servers. Once the initial and broader campaigns …"
T1204.002 Malicious File (35%)
"conversation first. Phishing emails sent by UTA0388 that were observed by Volexity have all been sent from webmail providers that include ProtonMail, Outlook, and Gmail. Throughout June and July 2025, UTA0388 made use of Netlify to host their malicious RAR and ZIP archives, but t…"
T1573 Encrypted Channel (31%)
"the session field, which is encrypted by the malware’s master key, AES (GCM). The master key used varies per sample. Further exchanges are then encrypted using the established session key. The following is a list of the observed master keys: topibapru76wra8rebrib1it52h6b9ap 62…"
Summary
Starting in June 2025, Volexity detected a series of spear phishing campaigns targeting several customers and their users in North America, Asia, and Europe. The initially observed campaigns were tailored […]