Cyber Web Spider Blog – News
China-Based APTs Deploy Fake Dalai Lama Apps to Spy on Tibetan Community

Posted on July 24, 2025 by CWS

Jul 24, 2025Ravie LakshmananCyber Espionage / Malware
The Tibetan group has been focused by a China-nexus cyber espionage group as a part of two campaigns performed final month forward of the Dalai Lama’s ninetieth birthday on July 6, 2025.
The multi-stage assaults have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz.
“The attackers compromised a authentic web site, redirecting customers through a malicious hyperlink and in the end putting in both the Gh0st RAT or PhantomNet (aka SManager) backdoor onto sufferer programs,” safety researchers Sudeep Singh and Roy Tay stated in a Wednesday report.
This isn’t the primary time Chinese language menace actors have resorted to watering gap assaults (aka strategic net compromises), a way the place adversaries break into web sites often visited by a selected group to contaminate their gadgets with malware.

Over the past two years, hacking groups such as EvilBamboo, Evasive Panda, and TAG-112 have all used the technique to target the Tibetan diaspora with the ultimate goal of gathering sensitive information.
Operation GhostChat
The latest set of attacks observed by Zscaler involves the compromise of a web page to replace the link pointing to "tibetfund[.]org/90thbirthday" with a fraudulent version ("thedalailama90.niccenter[.]net").
While the original web page is designed to let visitors send a message to the Dalai Lama, the replica page offers an option to send an encrypted message to the spiritual leader by downloading, from "tbelement.niccenter[.]net", a secure chat application named TElement, which claims to be a Tibetan version of Element.
Hosted on the website is a backdoored build of the open-source encrypted chat software that bundles a malicious DLL; the DLL is side-loaded by the trusted application to launch Gh0st RAT, a remote access trojan widely used by various Chinese hacking groups. The web page also includes JavaScript that collects the visitor's IP address and User-Agent string and exfiltrates them to the threat actor via an HTTP POST request, which lets the operators profile who visited before any implant runs.
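Two checks a site owner or defender can run against the link swap and the visitor-profiling beacon described above, as an added example that is not Zscaler's or The Hacker News' code. The HTML snippet, the baseline link set and the proxy log lines are constructed for illustration; the hostnames are the ones quoted in the article, which prints them defanged with "[.]", whereas live HTML and logs carry plain dots. The function and variable names are this example's own.

```python
"""Watering-hole link-swap and IOC checks for a page like the one described.

Added example; not Zscaler's or The Hacker News' code. HTML, baseline and
proxy log lines are constructed. Hostnames are quoted from the article.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators quoted in the article, kept defanged exactly as published.
IOC_HOSTS_DEFANGED = [
    "thedalailama90.niccenter[.]net",
    "tbelement.niccenter[.]net",
    "hhthedalailama90.niccenter[.]net",
]


def refang(host):
    """Turn 'example[.]com' into 'example.com' so it can match live data."""
    return host.replace("[.]", ".").lower()


IOC_HOSTS = {refang(h) for h in IOC_HOSTS_DEFANGED}


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html, baseline_hrefs):
    """Compare a page's outbound links with a known-good baseline.

    Returns (kind, href) findings:
      ioc_host         - href host matches a published indicator
      unexpected_link  - href absent from the baseline (possible injected link)
      missing_expected - baseline href no longer present (possible removed link)
    A missing_expected plus an ioc_host/unexpected_link pair is the signature
    of the link swap described in the article.
    """
    parser = _LinkCollector()
    parser.feed(html)
    seen = set()
    findings = []
    for href, _text in parser.links:
        seen.add(href)
        host = (urlparse(href).hostname or "").lower()
        if host in IOC_HOSTS:
            findings.append(("ioc_host", href))
        elif href not in baseline_hrefs:
            findings.append(("unexpected_link", href))
    for href in sorted(baseline_hrefs - seen):
        findings.append(("missing_expected", href))
    return findings


def match_proxy_log(lines):
    """Return (timestamp, client_ip, method, host) for requests to IOC hosts.

    Constructed line format: '<ts> <client_ip> <method> <url> <status>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, method, url = parts[:4]
        host = (urlparse(url).hostname or "").lower()
        if host in IOC_HOSTS:
            hits.append((ts, client, method, host))
    return hits


# Constructed sample: a birthday-message page whose original tibetfund.org
# link has been replaced with the lookalike domain.
SAMPLE_HTML = """
<html><body>
<p>Send a birthday message to His Holiness:</p>
<a href="https://thedalailama90.niccenter.net/">Send your message</a>
<a href="https://www.tibetfund.org/about">About Tibet Fund</a>
</body></html>
"""
BASELINE_HREFS = {
    "https://tibetfund.org/90thbirthday",
    "https://www.tibetfund.org/about",
}

# Constructed proxy log lines; the POST models the IP/User-Agent beacon.
PROXY_LOG = [
    "2025-06-20T10:02:11Z 10.0.0.5 GET https://thedalailama90.niccenter.net/ 200",
    "2025-06-20T10:02:12Z 10.0.0.5 POST https://thedalailama90.niccenter.net/ 200",
    "2025-06-20T10:03:40Z 10.0.0.9 GET https://www.example.org/ 200",
    "2025-06-20T10:05:02Z 10.0.0.5 GET https://tbelement.niccenter.net/ 200",
]

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML, BASELINE_HREFS):
        print("link:", *finding)
    for hit in match_proxy_log(PROXY_LOG):
        print("proxy:", *hit)
```

The baseline comparison matters more than the IOC list: the lookalike domains will be rotated, but a link that disappears from a page you control while a new external link appears in its place is the swap itself, whatever host it points at. The proxy check also surfaces the POST from the same client that fetched the page, which is the profiling beacon the article describes.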
Gh0st RAT is a fully featured malware that supports file manipulation, screen capture, clipboard content extraction, webcam video recording, keylogging, audio recording and playback, process manipulation, and a remote shell.
Operation PhantomPrayers
The second campaign, Operation PhantomPrayers, has been found to leverage another domain, "hhthedalailama90.niccenter[.]net," to distribute a phony "90th Birthday Global Check-in" app ("DalaiLamaCheckin.exe," dubbed PhantomPrayers) that, when opened, displays an interactive map and urges victims to "send your blessings" for the Dalai Lama by tapping their location on the map.

The malicious functionality, however, is stealthily triggered in the background: DLL side-loading is again used to launch PhantomNet, a backdoor that connects to a command-and-control (C2) server over TCP to receive additional plugin DLLs for execution on the compromised host.
"PhantomNet can be set to operate only during specific hours or days, but this capability is not enabled in the current sample," the researchers said. "PhantomNet used modular plugin DLLs, AES-encrypted C2 traffic, and configurable timed operations, to stealthily manage compromised systems."
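Both campaigns rely on the same host-side trick, a trusted executable loading a planted DLL from its own directory, followed by the backdoor's TCP connection to C2. The correlation below is an added example, not Zscaler's or the malware's code: it walks constructed image-load and network-connect events in a simplified key="value" form loosely modelled on Sysmon Event ID 7 (ImageLoad) and Event ID 3 (NetworkConnect) and alerts when one process does both. The executable name is the one quoted in the article; the DLL name, user path, process IDs, destination addresses and the small system-DLL baseline are hypothetical.

```python
"""Correlate DLL side-loading with a follow-on TCP connection from the same process.

Added example; not Zscaler's or the malware's code. Event lines are
constructed and loosely modelled on Sysmon EventID 7 and 3. The DLL name,
paths, PIDs and destinations are hypothetical.
"""
import ntpath
import re

# Loading from these directories is normal; loading a same-named DLL from the
# EXE's own directory instead is the side-loading pattern.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Illustrative, not exhaustive: DLL names that belong in System32 and are
# commonly planted next to a signed EXE for side-loading (hypothetical list).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll"}

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Split '<ts> Key="value" ...' into (timestamp, {Key: value})."""
    ts, _, rest = line.partition(" ")
    return ts, dict(_KV.findall(rest))


def is_sideload(ev):
    """True when a process outside the system directories loads, from its own
    directory, a DLL whose name belongs to a system DLL."""
    image = ev.get("Image", "").lower()
    dll = ev.get("ImageLoaded", "").lower()
    if not image or not dll:
        return False
    image_dir = ntpath.dirname(image)
    dll_dir = ntpath.dirname(dll)
    return (
        dll_dir == image_dir
        and not dll_dir.startswith(SYSTEM_DIRS)
        and ntpath.basename(dll) in SYSTEM_DLL_NAMES
    )


def correlate(lines):
    """Return alerts for processes that side-loaded a DLL and then opened TCP.

    The first side-load per process ID is remembered; any later TCP connect
    from that PID produces one alert carrying both events.
    """
    candidates = {}
    alerts = []
    for line in lines:
        ts, ev = parse_event(line)
        eid, pid = ev.get("EventID"), ev.get("ProcessId")
        if eid == "7" and is_sideload(ev):
            candidates.setdefault(pid, (ts, ev["Image"], ev["ImageLoaded"]))
        elif eid == "3" and pid in candidates and ev.get("Protocol", "").lower() == "tcp":
            load_ts, image, dll = candidates[pid]
            alerts.append({
                "pid": pid,
                "image": image,
                "sideloaded_dll": dll,
                "destination": f'{ev.get("DestinationIp")}:{ev.get("DestinationPort")}',
                "load_ts": load_ts,
                "connect_ts": ts,
            })
    return alerts


# Constructed events: the fake check-in app loads a DLL from its own folder and
# then connects out; a browser loading the genuine System32 copy is benign.
EVENTS = [
    r'2025-06-25T09:12:03Z EventID="7" ProcessId="4120" Image="C:\Users\user\Downloads\DalaiLamaCheckin.exe" ImageLoaded="C:\Users\user\Downloads\version.dll"',
    r'2025-06-25T09:12:03Z EventID="7" ProcessId="4120" Image="C:\Users\user\Downloads\DalaiLamaCheckin.exe" ImageLoaded="C:\Windows\System32\kernel32.dll"',
    r'2025-06-25T09:12:05Z EventID="3" ProcessId="4120" Image="C:\Users\user\Downloads\DalaiLamaCheckin.exe" Protocol="tcp" DestinationIp="203.0.113.10" DestinationPort="443"',
    r'2025-06-25T09:13:00Z EventID="7" ProcessId="5000" Image="C:\Program Files\Mozilla Firefox\firefox.exe" ImageLoaded="C:\Windows\System32\version.dll"',
    r'2025-06-25T09:13:02Z EventID="3" ProcessId="5000" Image="C:\Program Files\Mozilla Firefox\firefox.exe" Protocol="tcp" DestinationIp="198.51.100.7" DestinationPort="443"',
]

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

On a real Sysmon feed, Event ID 7 also carries Signed and SignatureStatus fields; requiring the loading Image to be signed and the ImageLoaded DLL to be unsigned cuts most of the remaining false positives, since the whole point of side-loading is to borrow a trusted signature. The TCP correlation is deliberately protocol-agnostic because the C2 traffic is AES-encrypted: the payload cannot be inspected, so the pairing of the load with the connection is the signal.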

Source: The Hacker News
