Full Report
A China-linked nation-state group called TAG-112 compromised Tibetan media and university websites in a new cyber espionage campaign designed to facilitate the delivery of the Cobalt Strike post-exploitation toolkit for follow-on information collection. "The attackers embedded malicious JavaScript in these sites, which spoofed a TLS certificate error to trick visitors into downloading a
Analysis Summary
# Threat Actor: TAG-112
## Attribution & Identity
* **Attribution:** China-linked nation-state group.
* **Associated Groups:** Described as a possible sub-group of **Evasive Panda** (aliases: Bronze Highland, Daggerfly, StormBamboo, TAG-102) due to tactical overlaps and shared historical targeting of Tibetan entities.
## Activity Summary
TAG-112 was observed conducting a cyber espionage campaign, specifically targeting Tibetan media and university websites in late May 2024. The goal was to facilitate the delivery of the Cobalt Strike post-exploitation toolkit for subsequent information gathering. The group compromised websites such as Tibet Post (tibetpost\[.\]net) and Gyudmed Tantric University (gyudmedtantricuniversity\[.\]org).
## Tactics, Techniques & Procedures
- **Initial Compromise/Access:** Exploitation of a security vulnerability, specifically in the **Joomla** content management system, to upload malicious JavaScript.
- **Deception/Social Engineering:** Implanting malicious JavaScript that spoofed a **TLS certificate error** page on the compromised websites.
- **Execution:** The malicious JavaScript was triggered on page load, checked whether the visitor was running a Windows OS, and communicated with a remote server.
- **Payload Delivery:** Prompting visitors to download a malicious executable disguised as a "security certificate," which subsequently loaded a Cobalt Strike payload.
- **Filtering:** The script attempted to filter out non-Windows operating systems before proceeding with the lure.
## Targeting
* **Sectors:** Media, Universities (Education).
* **Geography:** Tibetan entities; the victims are diaspora-facing sites, so the targeting extends to individuals and organizations associated with the Tibetan community globally rather than to one country.
* **Victims:** Tibet Post (tibetpost\[.\]net) and Gyudmed Tantric University (gyudmedtantricuniversity\[.\]org).
## Tools & Infrastructure
* **Malware Families Used:** **Cobalt Strike** (used as the post-exploitation toolkit).
* **Infrastructure:**
  * C2/Exfiltration Node: update\[.\]maskrisks\[.\]com
## Implications
This campaign demonstrates a persistent, state-sponsored cyber espionage focus by China-linked actors against the Tibetan community. The use of common web vulnerabilities (Joomla) combined with sophisticated social engineering (spoofing TLS errors) to deliver advanced remote access tools like Cobalt Strike indicates a high-priority, long-term intelligence collection objective against specific diaspora communities.
## Mitigations
* Organizations running vulnerable CMS platforms like Joomla should ensure rigorous patch management and vulnerability scanning.
* Implement application allow-listing or endpoint detection and response (EDR) solutions capable of detecting and blocking the execution of files masquerading as security certificates.
* Train users to be extremely cautious when prompted to download security certificates or executables from websites, especially following unexpected browser warnings.
* Monitor for suspicious network beaconing traffic associated with Cobalt Strike beacons connecting to external infrastructure.
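One way to operationalize the second and third mitigations, as an added example that is not code from the report: a download-triage check that flags a Windows executable (PE, `MZ` magic) delivered under a certificate-style name or extension, which is the shape of the "security certificate" lure described above. The filename heuristics and the constructed sample bytes are assumptions, not indicators from the campaign.

```python
"""Triage of downloaded files that claim to be security certificates."""
import re
from pathlib import PurePosixPath

# Extensions a genuine certificate download would carry (assumed list).
CERT_EXTENSIONS = {".crt", ".cer", ".pem", ".der", ".p7b", ".pfx", ".p12"}
# Name fragments a lure might use to look like a certificate (assumed).
CERT_NAME_HINT = re.compile(r"cert|ssl|tls|ca[-_]?root", re.IGNORECASE)


def is_pe(data: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def looks_like_certificate(data: bytes) -> bool:
    """PEM is ASCII '-----BEGIN ...'; DER, PKCS#7 and PKCS#12 open with an
    ASN.1 SEQUENCE tag (0x30). A PE can never match either test."""
    return data.startswith(b"-----BEGIN") or data[:1] == b"\x30"


def triage_download(filename: str, data: bytes) -> str:
    """Verdict for a file a user was prompted to download.

    'masquerade' = executable content under a certificate-style name or
    extension; 'executable' = a PE that does not pretend to be a certificate;
    'certificate' = PEM/DER-shaped content; 'unknown' = anything else.
    """
    name = PurePosixPath(filename)
    # suffixes catches double extensions such as security_certificate.crt.exe
    suffixes = {s.lower() for s in name.suffixes}
    cert_named = bool(suffixes & CERT_EXTENSIONS) or bool(CERT_NAME_HINT.search(name.stem))
    if is_pe(data):
        return "masquerade" if cert_named else "executable"
    if looks_like_certificate(data):
        return "certificate"
    return "unknown"


# Constructed samples (not real files): a minimal PE header, a PEM stub, a DER stub.
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
SAMPLE_DER = b"\x30\x82\x01\x0a\x02\x01\x00"

if __name__ == "__main__":
    for fname, blob in [("security_certificate.crt.exe", SAMPLE_PE),
                        ("cert_update.exe", SAMPLE_PE),
                        ("root.crt", SAMPLE_PEM)]:
        print(fname, "->", triage_download(fname, blob))
```

Wire `triage_download` into a download-folder watcher or an EDR custom rule so that a "masquerade" verdict blocks execution and raises an alert, which directly addresses the lure rather than relying on users noticing the spoofed browser warning.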