A sophisticated cyber espionage campaign dubbed “Swan Vector” has emerged targeting organizations across East Asia, particularly in Taiwan and Japan.
The threat actors behind this operation have deployed a multi-stage attack chain utilizing malicious LNK shortcuts and custom DLL implants to compromise educational institutions and mechanical engineering firms.
Security researchers have uncovered evidence suggesting this campaign has been active since at least December 2024.
The attacks begin with a malicious ZIP file containing a deceptive shortcut file and a disguised PNG that is actually a DLL implant.
These files utilize social engineering tactics, masquerading as business documents with file names like “Detailed Documentation of Withdrawal Delay Issues and Related Transaction Records.pdf.lnk.”
Once the shortcut is opened, a four-stage infection chain runs that ends with a Cobalt Strike beacon on the host.
Seqrite Labs researchers identified the campaign in April 2025, noting that the threat actors employ Japanese-language resume decoys as part of their social engineering tactics.
The malware’s extensive use of advanced evasion techniques suggests a well-resourced adversary with significant technical capabilities.
“The entire malware ecosystem involved in this campaign comprises a total of four stages, starting with a malicious LNK file and ending with Cobalt Strike,” noted Subhajeet Singha, Security Researcher at Seqrite.
“The sophistication of the attack and targeting patterns suggest possible connections to known APT groups operating in the East Asian region.”
What makes Swan Vector notable is the combination of anti-analysis measures in its loaders: runtime API hashing, DLL sideloading through legitimate executables, and command-and-control traffic hidden inside ordinary Google Drive sessions.
The initial stage involves a malicious LNK file that triggers the execution of a disguised DLL implant named “Pterois” via rundll32.exe.
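The shortcut is the one artefact a defender sees before anything runs, so the following added example (not code from Seqrite's report) parses the string fields of a Shell Link file and applies the two checks this campaign invites: a document-like double extension ending in .lnk, and a target that hands rundll32.exe a module without a .dll extension. The sample shortcut is constructed inline with build_lnk(); the module name image.png and export name Entry are placeholders, not indicators from the report.

```python
import struct

# LinkFlags bits from the MS-SHLLINK specification.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# CLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian GUID) byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Script and loader hosts that a document shortcut has no business launching (assumed list).
LOADER_HOSTS = ("rundll32", "regsvr32", "mshta", "cmd", "powershell", "wscript", "cscript")
DOCUMENT_EXTS = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList block if present
        id_list_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (volume/path info) if present
        link_info_size, = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)   # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def triage_lnk(filename: str, data: bytes) -> list:
    """Return human-readable findings for a shortcut; an empty list means nothing suspicious."""
    findings = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].rsplit(".", 1)[-1] in DOCUMENT_EXTS:
        findings.append("double extension: shortcut disguised as a document")
    fields = parse_lnk(data)
    target = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    if any(h in target for h in LOADER_HOSTS):
        findings.append("target launches a script/loader host: " + target.strip())
    if "rundll32" in target and ".dll" not in target:
        findings.append("rundll32 is given a module that does not carry a .dll extension")
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode shortcut with only a relative path and arguments (sample input)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand = SW_SHOWNORMAL

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed sample: the decoy name from the report, pointed at rundll32 with a placeholder PNG/export.
SAMPLE_NAME = "Detailed Documentation of Withdrawal Delay Issues and Related Transaction Records.pdf.lnk"
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\rundll32.exe", "image.png,Entry")

if __name__ == "__main__":
    for finding in triage_lnk(SAMPLE_NAME, SAMPLE_LNK):
        print("-", finding)
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo as well; the parser skips those blocks by their declared sizes, so the same function works on a file pulled from a mailbox or a ZIP attachment.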
Rather than importing the Windows APIs it needs, this first-stage implant resolves them at runtime from 32-bit hashes of their export names, so neither the import table nor the string table reveals which functions it calls.
The hashing routine is a case-insensitive variant of SDBM, reproduced here in Python:

```python
def sdbm_case_insensitive_32bit(s):
    """Case-insensitive 32-bit SDBM hash of an export name, as used by the Pterois resolver."""
    hash_val = 0
    mod_value = 2**32
    for char in s:
        if 'a' <= char <= 'z':
            char = char.upper()          # fold a-z to A-Z, so 'LoadLibraryA' and 'LOADLIBRARYA' collide on purpose
        hash_val = (hash_val * 65599 + ord(char)) % mod_value   # classic SDBM multiplier, truncated to 32 bits
    return hash_val
```
Because no API name ever appears in the binary, an analyst cannot simply read the resolver's targets; the constants have to be matched by hashing candidate export names and comparing the results.
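The practical counter is to precompute the hash of every export an implant might want and label the constants found in the binary. The following added example (not code from the report) does that with the same SDBM routine: it builds a hash-to-name table, refuses silently mislabelled constants by checking for collisions, and resolves a list of 32-bit values. The candidate export list and the "lifted" constants are constructed for the example, not the names or values Seqrite recovered from Pterois.

```python
from typing import Dict, Iterable, List


def sdbm_hash(name: str) -> int:
    """Case-insensitive 32-bit SDBM, the same routine recovered from the implant."""
    h = 0
    for ch in name:
        if "a" <= ch <= "z":
            ch = ch.upper()
        h = (h * 65599 + ord(ch)) & 0xFFFFFFFF
    return h


# Constructed candidate list: exports a shellcode loader commonly needs. Assumption for the
# example, not the set of names the Pterois resolver actually looks up.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect", "VirtualFree",
    "CreateThread", "WaitForSingleObject", "CreateFileA", "ReadFile", "CloseHandle",
    "GetModuleHandleA", "RtlMoveMemory", "WinHttpOpen", "InternetOpenA",
]


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Map hash -> export name, refusing to proceed if two candidates collide."""
    table: Dict[int, str] = {}
    for n in names:
        h = sdbm_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {n!r} vs {table[h]!r} at {h:#010x}")
        table[h] = n
    return table


def resolve_hashes(constants: Iterable[int], table: Dict[int, str]) -> List[str]:
    """Label constants lifted from the implant; anything not in the table stays as hex."""
    return [table.get(c & 0xFFFFFFFF, f"unknown_{c & 0xFFFFFFFF:#010x}") for c in constants]


if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_EXPORTS)
    # Constructed: pretend these constants were read off the resolver's call sites.
    lifted = [sdbm_hash("VirtualAlloc"), sdbm_hash("CreateThread"), 0x12345678]
    for c, name in zip(lifted, resolve_hashes(lifted, table)):
        print(f"{c:#010x} -> {name}")
```

In practice the candidate list is the full export table of kernel32.dll, ntdll.dll and the networking DLLs dumped from a clean system; the output is then pasted into the disassembler as symbol comments. An "unknown_" result usually means the implant is hashing a DLL name rather than an export, or a different hash seed is in play.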
The subsequent stages rely on DLL sideloading: a legitimate Windows executable is placed next to a malicious DLL that carries the name of one of the executable's dependencies, so the operating system's own loader maps the implant into a trusted process.
The second implant, named “Isurus,” extracts and executes encrypted Cobalt Strike shellcode from a file named “ra.ini.”
Perhaps most notably, the threat actor abuses a legitimate cloud service, using Google Drive as command-and-control infrastructure.
Because the beacon speaks TLS to Google-owned hosts, its traffic blends with ordinary business use of Google Workspace, and network-side allow-lists do not help.
The attackers perform genuine OAuth token exchanges with Google's endpoints before retrieving additional payloads from Drive, so detection has to rest on which process on the endpoint is talking to Google rather than on where the traffic goes.
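One way to turn that observation into a detection, as an added example rather than anything from the report: correlate endpoint network-connection telemetry (Sysmon Event ID 3 style fields are assumed) so that a non-browser process which first contacts Google's OAuth token host and then a Drive/API host within a short window is flagged, with an extra flag when the process is a known loader host such as rundll32.exe. The event records and the browser allow-list are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Real Google hosts involved in a token grant followed by a Drive download.
TOKEN_HOST = "oauth2.googleapis.com"
GOOGLE_API_HOSTS = {TOKEN_HOST, "www.googleapis.com", "drive.google.com"}

# Processes expected to talk to Google APIs on a workstation (assumed allow-list).
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}
# Script/loader hosts that should never be holding an OAuth session.
LOADER_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed sample events in the shape of Sysmon Event ID 3 (network connection).
SAMPLE_EVENTS = [
    {"time": "2025-04-10T09:00:01", "host": "WS-042",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest": TOKEN_HOST},
    {"time": "2025-04-10T09:00:02", "host": "WS-042",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest": "www.googleapis.com"},
    {"time": "2025-04-10T09:14:10", "host": "WS-042",
     "image": r"C:\Windows\System32\rundll32.exe", "dest": TOKEN_HOST},
    {"time": "2025-04-10T09:14:12", "host": "WS-042",
     "image": r"C:\Windows\System32\rundll32.exe", "dest": "www.googleapis.com"},
    {"time": "2025-04-10T09:30:00", "host": "WS-007",
     "image": r"C:\Windows\System32\svchost.exe", "dest": "update.microsoft.com"},
]


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect_drive_c2(events: List[Dict], window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Return one alert per (host, process) whose Google API use looks like beacon behaviour."""
    by_proc = defaultdict(list)
    for e in events:
        if e["dest"] not in GOOGLE_API_HOSTS or _basename(e["image"]) in EXPECTED_CLIENTS:
            continue
        by_proc[(e["host"], e["image"])].append(e)

    alerts = []
    for (host, image), evs in by_proc.items():
        token_times = [datetime.fromisoformat(e["time"]) for e in evs if e["dest"] == TOKEN_HOST]
        api_times = [datetime.fromisoformat(e["time"]) for e in evs if e["dest"] != TOKEN_HOST]
        # OAuth grant followed by a Drive/API call inside the window, from a process that is not a browser.
        chained = any(timedelta(0) <= (a - t) <= window for t in token_times for a in api_times)
        lolbin = _basename(image) in LOADER_HOSTS
        if chained or lolbin:
            alerts.append({"host": host, "image": image, "oauth_then_api": chained, "lolbin": lolbin})
    return alerts


if __name__ == "__main__":
    for alert in detect_drive_c2(SAMPLE_EVENTS):
        print(alert)
```

The allow-list is the part that needs tuning per estate: line-of-business tools that legitimately hold a Google refresh token must be added to EXPECTED_CLIENTS, and a sideloaded implant running inside a signed vendor binary will only be caught by the sequence check, not the loader-host check.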
While attribution remains challenging, Seqrite researchers observed techniques similar to those used by multiple threat actors, including Winnti, Lazarus Group, and APT10.
Based on linguistic analysis, implant sophistication, and targeting patterns, researchers attribute this campaign to threat actors operating from East Asia with medium confidence.
Organizations in the targeted regions should implement defense-in-depth strategies and remain vigilant against socially-engineered attacks disguised as business documents or job applications.