China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike

Published 13/11/2024 04:45 · Modified 13/11/2024 09:28

Essential information

Published
13/11/2024 04:45
Modified
13/11/2024 09:28
Tags
2024-11-13 china-nexus cobalt strike cyber espionage evasive panda joomla vulnerabilities state-sponsored tag-102 tibetan websites tls certificate spoofing
Related entities
19 observables, 1 intrusion set (APT), 11 techniques (MITRE ATT&CK), 1 malware, 1 other

Description

TAG-112, a China-nexus threat group, compromised two Tibetan websites to deliver malware. The attackers injected malicious JavaScript into the sites that displays a spoofed TLS certificate error and prompts visitors to download a supposed security certificate; the downloaded file is in fact a Cobalt Strike payload. The campaign fits a pattern of sustained cyber-espionage against Tibetan entities. TAG-112's infrastructure, which is fronted by Cloudflare to conceal its origin servers, links this operation to other China-sponsored activity, particularly Evasive Panda (TAG-102). The group exploited vulnerabilities in the sites' Joomla content management system to implant the malicious code. The operation reflects the continued focus of Chinese cyber operations on ethnic and religious minority groups and the need for proactive defensive measures by organizations serving those communities.
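The two checks a site owner or responder would most want for the compromise pattern described above are (1) whether the pages a Joomla site serves now carry script tags that were not there before, and (2) whether a file a page offers as a "security certificate" is actually a certificate or a Windows executable. The following is an added example written for this entry, not code from the report or from any tool it references. The sample HTML, the hostnames, the baseline script origins and the byte strings are all constructed for illustration and are not indicators from the campaign.

```python
"""Added example: two defensive checks for an injected-script lure on a Joomla site.

1. find_injected_scripts: diff the <script> elements on a served page against a
   baseline of script origins the site owner knows are legitimate, and flag inline
   scripts whose text resembles a fake TLS-error / "download a certificate" lure.
2. classify_certificate_download: decide whether bytes offered as a "security
   certificate" are PEM, DER, or a PE (Windows executable) by their leading bytes.

All hostnames, HTML and byte samples below are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline: script origins this (hypothetical) Joomla site is known to use.
BASELINE_SCRIPT_HOSTS = {"www.example-tibet.org", "cdn.jsdelivr.net"}

# Phrases typical of a page that imitates a browser TLS warning and pushes a download.
LURE_WORDS = re.compile(r"certificate|NET::ERR_CERT|security\s+warning", re.I)


class _ScriptCollector(HTMLParser):
    """Collect every <script> element as {'src': ..., 'body': ...} in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:  # HTMLParser hands script text to handle_data
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def find_injected_scripts(page_html, page_host, baseline_hosts=BASELINE_SCRIPT_HOSTS):
    """Return (kind, detail) findings for scripts not explained by the baseline.

    External scripts are flagged when their host is neither the page's own host nor
    in the baseline; inline scripts are flagged when they contain lure wording.
    """
    parser = _ScriptCollector()
    parser.feed(page_html)
    findings = []
    for s in parser.scripts:
        if s["src"]:
            # A relative src (e.g. /media/system/js/core.js) resolves to the page host.
            host = urlparse(s["src"]).hostname or page_host
            if host != page_host and host not in baseline_hosts:
                findings.append(("external-script", s["src"]))
        elif LURE_WORDS.search(s["body"]):
            findings.append(("inline-lure", s["body"].strip()[:80]))
    return findings


def classify_certificate_download(data):
    """Classify bytes served as a 'security certificate': 'pem', 'der', 'pe' or 'unknown'."""
    if data.startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag, as every X.509 DER certificate begins
        return "der"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # DOS header; e_lfanew at 0x3C points at the "PE\0\0" signature of a real PE.
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"


# Constructed sample page: two legitimate scripts, one unknown third-party loader,
# and an inline script that paints a fake TLS error and redirects to an .exe download.
SAMPLE_HTML = """<html><head>
<script src="/media/system/js/core.js"></script>
<script src="https://cdn.jsdelivr.net/npm/jquery/dist/jquery.min.js"></script>
<script src="https://update-check.example.net/loader.js"></script>
<script>
  document.body.innerHTML = "<h1>Your connection is not private</h1>NET::ERR_CERT_AUTHORITY_INVALID";
  setTimeout(function () { location.href = "/download/security_certificate.exe"; }, 1500);
</script>
</head><body></body></html>"""

# Constructed minimal PE-shaped buffer: "MZ", e_lfanew = 0x40, "PE\0\0" at 0x40.
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"

if __name__ == "__main__":
    for kind, detail in find_injected_scripts(SAMPLE_HTML, "www.example-tibet.org"):
        print(f"{kind}: {detail}")
    print("download classified as:", classify_certificate_download(SAMPLE_PE))
```

Run against a real site, the HTML would come from fetching each public page (ideally from several network vantage points, since injected code can be served selectively), and the baseline from a clean copy of the Joomla templates and extensions in use. The byte classifier is deliberately strict: a file that a page calls a certificate but that starts with a DOS/PE header is the single most useful triage signal for this lure.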

External references