East Asian Group NGC4141 Attacks Custom Web Applications of Russian Organizations

Analysts from the Solar 4RAYS cyber threat research center, part of the Solar Group of Companies, have identified a previously unknown East Asian hacking group that used public tools to attack the web application of an unnamed Russian federal agency. The targeted system ran on a custom-built engine. According to investigators, the attackers successfully penetrated the organization’s infrastructure and executed commands on the server’s operating system.
Discovery and Initial Findings
The investigation revealed that the group attempted to use the internal server names of the compromised agency in follow-up attacks against other government entities. Solar 4RAYS specialists analyzed the incident and ultimately succeeded in cutting off the hackers’ access to the victim’s infrastructure.
Attribution to East Asia rests on several indicators, including web server requests originating from that region and the timing of the attacks, which began around 4:00 a.m. Moscow time (the start of the workday in East Asia, UTC+8/UTC+9). Both indicators are circumstantial on their own: source addresses can be proxied, and working hours only narrow the activity to a time-zone band. For that reason the activity is tracked as a cluster rather than attributed to a known actor: the group has been designated NGC4141, where NGC stands for new generic cluster, Solar 4RAYS's label for malicious activity that has not yet been tied to any known APT group.
Attack Timeline and Methodology
Researchers determined that the intrusion campaign began in December 2024. Over several days, the attackers conducted intensive automated scanning of the targeted web resource, generating thousands of requests per hour in search of vulnerabilities.
A few weeks later, the group shifted to manual vulnerability probing. After identifying weaknesses, they abused undocumented functionality of a publicly exposed API to deploy web shells on the victim's server. The web shells gave them remote command execution on the server's operating system, which they used to deploy additional malware and move further into the organization's infrastructure.
The compromised web application ran on a custom engine, either written from scratch or heavily modified from an existing framework. The absence of public exploits does not make such a platform inherently more secure; it only means the application is not exposed to the mass, automated exploitation that hits popular systems like WordPress or Tilda, so an attacker has to find and exploit its flaws by hand. NGC4141 invested that effort and breached it.
Defense Evasion and Skill Level
The web server was protected by both antivirus software and a Web Application Firewall (WAF). Despite these measures, NGC4141 gained access — demonstrating a high level of technical proficiency. While the WAF and antivirus solutions did not prevent the breach, they slowed the attackers’ progress and triggered alerts that ultimately led to detection.
During the same period, the hackers attempted to use the internal server names obtained from the victim organization in attacks on other government systems, apparently hoping that the same hostnames would resolve or be served in another agency's environment. Solar 4RAYS reads this behavior as a sign of possible information sharing with other threat groups and as evidence of a wider campaign targeting the Russian public sector.
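The three observable traces described above (the burst of scanning requests, the 04:00 Moscow-time start, and requests carrying another agency's internal server names in the Host header) can be checked from ordinary web server logs. The block below is example code added to this page, not Solar 4RAYS tooling or the agency's own detection logic; the log format (combined log with the Host header appended), the per-hour threshold, the IP addresses and the hostnames are assumptions, and the log lines are constructed inside the block.

```python
"""Detection heuristics for the intrusion pattern described on this page:
bursty automated scanning (thousands of requests per hour from one source),
attacker working hours expressed in Moscow time, and requests whose Host
header names a server this site does not serve (the reuse of another agency's
internal server names). Example code added to this page, not Solar 4RAYS
tooling; the log format, thresholds, IPs and hostnames are assumptions and
the log lines are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed format: Apache/nginx "combined" log with the Host header appended
# as a final quoted field (LogFormat ... "%{Host}i").
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"'
)
MSK = timezone(timedelta(hours=3))  # Moscow is UTC+3 all year (no DST).
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e


def scanning_sources(entries, per_hour_threshold=1000):
    """Source IPs that exceed the threshold inside any single UTC clock hour."""
    buckets = Counter()
    for e in entries:
        hour = e["ts"].astimezone(timezone.utc).replace(minute=0, second=0)
        buckets[(e["ip"], hour)] += 1
    return sorted({ip for (ip, _), n in buckets.items() if n > per_hour_threshold})


def activity_by_moscow_hour(entries, ips):
    """Hour-of-day histogram (Moscow time) for the given source IPs; a peak
    starting around 04:00 MSK is the timing indicator the article cites."""
    hist = Counter()
    for e in entries:
        if e["ip"] in ips:
            hist[e["ts"].astimezone(MSK).hour] += 1
    return hist


def foreign_host_requests(entries, known_hosts):
    """Requests whose Host header is not one of this server's own names."""
    known = {h.lower() for h in known_hosts}
    return [e for e in entries if e["host"].lower() not in known]


def build_sample_log():
    """Constructed sample: 1,500 scanner hits in 25 minutes from 04:02 MSK,
    one request from the same source carrying a foreign internal hostname,
    and three benign hits from an internal address during the Moscow day."""
    fmt = '{ip} - - [{ts}] "{m} {p} HTTP/1.1" {st} 512 "-" "{ua}" "{host}"'
    own = "portal.agency.example"  # assumed name of this server's vhost
    start = datetime(2024, 12, 10, 1, 2, 0, tzinfo=timezone.utc)  # 04:02 MSK
    lines = [
        fmt.format(ip="203.0.113.7", ts=(start + timedelta(seconds=i)).strftime(TS_FMT),
                   m="GET", p=f"/probe/{i}", st=404, ua="python-requests/2.31", host=own)
        for i in range(1500)
    ]
    lines.append(fmt.format(ip="203.0.113.7", ts=(start + timedelta(minutes=28)).strftime(TS_FMT),
                            m="GET", p="/", st=400, ua="curl/8.4.0",
                            host="srv-dc01.other-agency.internal"))  # assumed foreign name
    for i in range(3):
        lines.append(fmt.format(ip="10.20.30.40",
                                ts=(start + timedelta(hours=8, minutes=i)).strftime(TS_FMT),
                                m="GET", p="/news", st=200, ua="Mozilla/5.0", host=own))
    return lines


def analyse(lines, known_hosts=("portal.agency.example",)):
    """Run all three heuristics over raw log lines and return the findings."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    scanners = scanning_sources(entries)
    return {
        "parsed": len(entries),
        "scanners": scanners,
        "msk_hours": activity_by_moscow_hour(entries, set(scanners)),
        "foreign_hosts": sorted({e["host"] for e in foreign_host_requests(entries, known_hosts)}),
    }


if __name__ == "__main__":
    for k, v in analyse(build_sample_log()).items():
        print(k, v)
```

The Host-header check is the cheapest of the three and the most specific to this campaign: a server that only ever serves its own names should never see a request for another organisation's internal hostname, so a single hit is worth an alert rather than a threshold. The scanning and timing heuristics need tuning against a baseline, and a source address alone says little about who is behind it.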
Expert Commentary
“In our opinion, attacks on custom web applications to gain access to internal networks represent an underestimated threat for online resource owners,” said Ivan Syukhin, head of the incident investigation group at the Solar 4RAYS research center, Solar Group.
“This case shows that automated protection tools require ongoing monitoring and event analysis. The presence of technical safeguards complicates an attack but does not make it impossible. When developing custom web applications, we recommend assessing potential risks through code audits or full penetration testing to evaluate their resilience against cyberattacks.”
Editorial Summary
The NGC4141 campaign underscores a growing trend: threat actors are shifting attention toward bespoke, internally developed systems, recognizing that defenders often overlook them. Unlike off-the-shelf platforms with mature patch cycles, custom web applications may contain undocumented behaviors and untested vulnerabilities — making them an increasingly attractive target for state-aligned or well-resourced hacking groups.