
China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

A Chinese state-sponsored threat group, TAG-112, has compromised two Tibetan websites to deliver Cobalt Strike malware. The attackers embedded malicious JavaScript in the sites, spoofing a TLS certificate error to trick visitors into downloading a disguised security certificate. This campaign highlights ongoing cyber-espionage efforts targeting Tibetan entities. TAG-112's infrastructure, hidden using Cloudflare, links this operation to other China-sponsored activities, particularly TAG-102 (Evasive Panda). The group exploited vulnerabilities in the Joomla content management system to implant the malicious code. This attack demonstrates the continued focus of Chinese cyber operations on ethnic and religious minority groups, emphasizing the need for proactive cybersecurity measures.

OPENCTI LABELS:

cobalt strike, cyber-espionage, state-sponsored, china-nexus, tibetan websites, joomla vulnerabilities, tls certificate spoofing, evasive panda, tag-102


Open in the NetmanageIT OpenCTI public instance using the link below.

Use the public read-only username and password shown on the login page banner.


China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike