Full Report
The Russia-aligned threat actor known as TAG-110 has been observed conducting a spear-phishing campaign targeting Tajikistan using macro-enabled Word templates as an initial payload. The attack chain is a departure from the threat actor's previously documented use of an HTML Application (.HTA) loader dubbed HATVIBE, Recorded Future's Insikt Group said in an analysis. "Given TAG-110's historical
Analysis Summary
# Threat Actor: TAG-110 (also known as UAC-0063)
## Attribution & Identity
Russia-aligned threat actor. Assessed to share overlaps with the Russian nation-state hacking crew APT28. Active since at least 2021.
## Activity Summary
The actor was recently observed conducting a spear-phishing campaign targeting organizations in Tajikistan starting in January 2025. This campaign utilized macro-enabled Word template files (.DOTM) as the initial payload. Historically, TAG-110 has been known for targeting European embassies and other organizations in Central Asia, East Asia, and Europe. Earlier documented activities in May 2023 involved delivering the DownEx (aka STILLARCH) malware against government entities in Kazakhstan and Afghanistan.
## Tactics, Techniques & Procedures
- Spear-phishing using document lures.
- Use of macro-enabled Word template files (.DOTM) for initial access.
- Luring victims with Tajikistan government-themed documents.
- Persistence mechanism achieved by placing malicious global template files into the Microsoft Word startup folder.
- Previously documented use of an HTML Application (.HTA) loader dubbed HATVIBE, distributed via HTA-embedded spear-phishing attachments, to create scheduled tasks.
- Malware strains previously associated include LOGPIE, CHERRYSPY (aka DownExPyer), DownEx, and PyPlunderPlug.
## Targeting
- Sectors: Government, Educational, and Research institutions.
- Geography: Tajikistan (recent focus), Central Asia, East Asia, and Europe (historical focus).
- Victims: Tajikistan government entities.
## Tools & Infrastructure
- Malware families used: HATVIBE (previously), DownEx (aka STILLARCH), LOGPIE, CHERRYSPY (aka DownExPyer), PyPlunderPlug.
- Infrastructure: Not detailed in the provided context, except for the file placement mechanism leveraged via the Word startup folder.
## Implications
The continued targeting of public sector entities in Central Asia suggests ongoing cyber espionage operations aimed at gathering intelligence to influence regional politics or security, especially during sensitive times like elections or geopolitical tensions. The shift in TTPs, moving from HTA-based loaders (HATVIBE) to leveraging global Word template files (.DOTM) for initial access and persistence, indicates adaptation and evolution of their delivery methods.
## Mitigations
- Enhance email filtering and security awareness training focusing on macro-enabled documents and spear-phishing lures themed around government correspondence.
- Monitor for the placement of unexpected global template files (.DOTM) within the Microsoft Word startup folder, as this is the actor's current persistence mechanism.
- Review security postures against previous tactics involving HTA loading and scheduled task creation, as these tactics may be reactivated.