CyberSecurity news
FlagThis
Ddos@securityonline.info
//
A new cyber-espionage campaign has been uncovered, targeting public sector organizations in Tajikistan. The threat actor behind this campaign is TAG-110, a group linked to Russia and also known as UAC-0063 and APT28 (BlueDelta). Recorded Future’s Insikt Group discovered that TAG-110 is using macro-enabled Microsoft Word templates (.dotm files) to gain access to and exfiltrate intelligence from Tajik government, educational, and research institutions, particularly those involved in military affairs or electoral processes. This campaign reflects Russia’s strategic interest in Central Asia through intelligence-gathering operations.
These malicious Word templates are deployed through phishing lures disguised as official Tajik government documents. The templates are saved in the Microsoft Word STARTUP folder, ensuring automatic execution each time Word is launched. This tactic represents a shift from TAG-110’s previous use of HTA-based payloads like HATVIBE. The two malicious documents identified are themed around radiation safety for Tajikistan’s armed forces and election schedules in Dushanbe.
Upon execution, the embedded VBA macros collect system metadata such as username, computer name, language, and resolution. This data is then sent to a hardcoded command-and-control (C2) server. The macros also establish persistence by copying themselves to the %APPDATA%\Microsoft\Word\STARTUP\ directory. Researchers state that this evolution highlights a tactical shift prioritizing persistence. The use of .dotm files and VBA macros allows TAG-110 to maintain a stealthy presence and collect data from compromised systems, turning them into surveillance nodes.
ImgSrc: securityonline.
References :
These malicious Word templates are deployed through phishing lures disguised as official Tajik government documents. The templates are saved in the Microsoft Word STARTUP folder, ensuring automatic execution each time Word is launched. This tactic represents a shift from TAG-110’s previous use of HTA-based payloads like HATVIBE. The two malicious documents identified are themed around radiation safety for Tajikistan’s armed forces and election schedules in Dushanbe.
Upon execution, the embedded VBA macros collect system metadata such as username, computer name, language, and resolution. This data is then sent to a hardcoded command-and-control (C2) server. The macros also establish persistence by copying themselves to the %APPDATA%\Microsoft\Word\STARTUP\ directory. Researchers state that this evolution highlights a tactical shift prioritizing persistence. The use of .dotm files and VBA macros allows TAG-110 to maintain a stealthy presence and collect data from compromised systems, turning them into surveillance nodes.
ImgSrc: securityonline.
Share:
References :
- securityonline.info: Russian-Aligned TAG-110 Targets Tajikistan Governments with Stealthy Cyber-Espionage
- cyberpress.org: TAG-110 Hackers Use Malicious Word Templates for Targeted Attacks
- gbhackers.com: TAG-110 Hackers Deploy Malicious Word Templates in Targeted Attacks
- securityonline.info: Russian-Aligned TAG-110 Targets Tajikistan Governments with Stealthy Cyber-Espionage
- The Hacker News: The Russia-aligned threat actor known as TAG-110 has been observed conducting a spear-phishing campaign targeting Tajikistan using macro-enabled Word templates as an initial payload.
Classification:
- HashTags: #CyberEspionage #APT #Tajikistan
- Company: Microsoft
- Target: Tajikistan
- Attacker: TAG-110
- Product: Word
- Feature: Phishing
- Malware: HATVIBE
- Type: Espionage
- Severity: Medium