A Chinese state-sponsored threat group, identified as TAG-112, has been discovered hijacking Tibetan community websites to deliver Cobalt Strike malware, according to a recent investigation by Recorded Future’s Insikt Group.
According to a report from Recorded Future, the investigation revealed that TAG-112 compromised at least two websites belonging to Tibetan organizations: Tibet Post (tibetpost[.]net) and Gyudmed Tantric University (gyudmedtantricuniversity[.]org).
The attackers exploited vulnerabilities in the Joomla content management system (CMS), embedding malicious code that would deceive visitors into downloading malware disguised as a security certificate.
This incident marks a significant escalation in cyber-espionage activities targeting Tibetan communities and organizations.
Cobalt Strike, a legitimate penetration testing tool often misused by cybercriminals, allows attackers to remotely control infected systems, furthering espionage efforts.
Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)
TAG-112’s attack begins when a user visits one of the compromised websites. Embedded within the site is a malicious JavaScript that detects the user’s operating system and browser.
If compatible, the user is redirected to a domain controlled by TAG-112, where they are presented with a fake Google Chrome TLS certificate error.
This spoofed error page tricks users into downloading what appears to be a security certificate. In reality, this download deploys Cobalt Strike, granting TAG-112 remote access to the victim’s system for further espionage and data collection.
The attackers likely gained access to the Tibetan websites via unpatched vulnerabilities in Joomla, a widely used CMS.
Weaknesses in outdated Joomla installations allowed TAG-112 to inject malicious JavaScript into the sites, a tactic that has remained active at least until early October 2024.
TAG-112 shares infrastructure and tactics with TAG-102, also known as Evasive Panda, another Chinese state-sponsored group known for targeting Tibetan entities.
However, TAG-112 operates with less sophistication, relying on publicly available tools like Cobalt Strike instead of developing custom malware.
To defend against this ongoing threat, cybersecurity experts recommend:
This latest campaign underscores the Chinese government’s persistent efforts to surveil and control groups it perceives as threats, such as the Tibetan community.
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!
Google has once again raised the bar for mobile security by introducing two new AI-powered…
Daren Li, 41, a dual citizen of China and St. Kitts and Nevis, and a…
Google Cloud has announced a significant step forward in its commitment to transparency and security…
GitLab has rolled out critical security updates to address multiple vulnerabilities in its Community Edition…
A newly discovered zero-day vulnerability, CVE-2024-43451, has been actively exploited in the wild, targeting Windows systems…
Keeping track of who has access and managing their permissions has gotten a lot more…