Cyber Security News

China-Nexus Actors Hijack Websites to Deliver Cobalt Strike malware

A Chinese state-sponsored threat group, identified as TAG-112, has been discovered hijacking Tibetan community websites to deliver Cobalt Strike malware, according to a recent investigation by Recorded Future’s Insikt Group.

According to a report from Recorded Future, the investigation revealed that TAG-112 compromised at least two websites belonging to Tibetan organizations: Tibet Post (tibetpost[.]net) and Gyudmed Tantric University (gyudmedtantricuniversity[.]org).

The attackers exploited vulnerabilities in the Joomla content management system (CMS), embedding malicious code that would deceive visitors into downloading malware disguised as a security certificate.

This incident marks a significant escalation in cyber-espionage activities targeting Tibetan communities and organizations.

Cobalt Strike, a legitimate penetration testing tool often misused by cybercriminals, allows attackers to remotely control infected systems, furthering espionage efforts.

Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)

Attack Mechanism: Spoofed TLS Error and Malicious JavaScript

TAG-112’s attack begins when a user visits one of the compromised websites. Embedded within the site is a malicious JavaScript that detects the user’s operating system and browser.

If compatible, the user is redirected to a domain controlled by TAG-112, where they are presented with a fake Google Chrome TLS certificate error.

This spoofed error page tricks users into downloading what appears to be a security certificate. In reality, this download deploys Cobalt Strike, granting TAG-112 remote access to the victim’s system for further espionage and data collection.

The attackers likely gained access to the Tibetan websites via unpatched vulnerabilities in Joomla, a widely used CMS.

Weaknesses in outdated Joomla installations allowed TAG-112 to inject malicious JavaScript into the sites, a tactic that has remained active at least until early October 2024.

TAG-112 shares infrastructure and tactics with TAG-102, also known as Evasive Panda, another Chinese state-sponsored group known for targeting Tibetan entities.

However, TAG-112 operates with less sophistication, relying on publicly available tools like Cobalt Strike instead of developing custom malware.

To defend against this ongoing threat, cybersecurity experts recommend:

  • Intrusion Detection: Deploy systems to monitor indicators of compromise related to TAG-112.
  • User Awareness: Educate users about the risks of downloading files from untrusted sources.
  • Cobalt Strike Detection: Employ real-time monitoring to detect communication with known Cobalt Strike command-and-control servers.

This latest campaign underscores the Chinese government’s persistent efforts to surveil and control groups it perceives as threats, such as the Tibetan community.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Google Announces Vanir, A Open-Source Security Patch Validation Tool

Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and automate…

10 hours ago

New Transaction-Relay Jamming Vulnerability Let Attackers Exploits Bitcoin Nodes

A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin nodes,…

11 hours ago

Raspberry Pi 500 & Monitor, Complete Desktop Setup at $190

Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its game…

12 hours ago

Qlik Sense for Windows Vulnerability Allows Remote Code Execution

Qlik has identified critical vulnerabilities in its Qlik Sense Enterprise for Windows software that could…

14 hours ago

QNAP High Severity Vulnerabilities Let Remote attackers to Compromise System

QNAP Systems, Inc. has identified multiple high-severity vulnerabilities in its operating systems, potentially allowing attackers…

16 hours ago

Healthcare Security Strategies for 2025

Imagine this: It's a typical Tuesday morning in a bustling hospital. Doctors make their rounds,…

16 hours ago