Threat researchers are warning of twin Chinese-nexus espionage operations, "Operation GhostChat" and "Operation PhantomPrayers", that surfaced in the weeks preceding the Dalai Lama's 90th birthday, exploiting heightened traffic to Tibetan-themed websites to seed Windows hosts with sophisticated backdoors.
By compromising a legitimate greeting page and quietly swapping its link, the attackers funneled visitors to look-alike domains under niccenter[.]net, where doctored installers disguised as Tibetan-language chat tools awaited unsuspecting users.
Once executed, these packages deployed either Ghost RAT or the newer PhantomNet implant, giving operators extensive surveillance reach across files, webcams, microphones, and even system shutdown controls.
Both schemes hinge on multi-stage loaders that abuse DLL sideloading in signed binaries (Element.exe for GhostChat and VLC.exe for PhantomPrayers), piggy-backing on trusted certificates to evade signature checks.
From there, shellcode is injected into the benign ImagingDevices.exe process, which maps a fresh copy of ntdll.dll to overwrite user-mode hooks before reflectively loading the core trojan.
Zscaler analysts noted that both campaigns rely on low-level Nt* and Rtl* calls rather than higher-level Win32 APIs, a choice intended to sidestep many endpoint visibility hooks.
Ghost RAT beacons to 104.234.15[.]90:19999 over a bespoke "KuGou" TCP protocol, encrypting packets with a modified RC4 algorithm that is also used to hide its on-disk configuration.
PhantomNet, in contrast, supports either raw TCP or HTTPS to 45.154.12[.]93:2233, wrapping traffic in AES with a dynamically derived key.
Each implant extends itself via on-demand plugin DLLs (XOR- or AES-encoded until loaded), granting remote shells, keylogging, clipboard theft, and full registry manipulation.
Taken together, the intrusions illustrate how supply-chain-style sideloading and living-off-the-land APIs remain potent tools for espionage crews seeking long-term footholds in diaspora communities.
Infection Mechanism: From Web Lure to Persistent Foothold
The attack flow begins with a strategic web compromise. Victims lured to thedalailama90.niccenter[.]net click "Download" and receive TBElement.zip, whose legitimate Element.exe silently loads a rogue ffmpeg.dll (the Stage-1 loader).
That DLL decrypts embedded shellcode, injects it into ImagingDevices.exe, and writes a Run-key entry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Element) so the loader restarts at every boot.
A similar choreography powers PhantomPrayers: DalaiLamaCheckin.exe drops libvlc.dll plus an encrypted .tmp file into %APPDATA%\Birthday, then drops a "Birthday Reminder.lnk" shortcut in the Startup folder, ensuring VLC.exe sideloads the malicious DLL at logon.
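As an added defender-side example (not code from the Zscaler report or the campaigns it describes), the Python triage helper below scans a constructed autoruns-style export for the persistence pattern shared by both campaigns: a Run value or Startup shortcut whose image is one of the abused signed hosts (Element.exe, VLC.exe) sitting in a user-writable path beside the DLL it sideloads (ffmpeg.dll, libvlc.dll). The sample entries, paths and the USER_WRITABLE heuristic are constructed assumptions, not indicators from the report.

```python
"""Triage helper: flag Run-key / Startup entries that match the sideloading
persistence pattern described for GhostChat and PhantomPrayers."""
import re

# Constructed sample of an autoruns-style export (not real telemetry).
SAMPLE_AUTORUNS = [
    {"location": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "Element",
     "image": r"C:\Users\u\Downloads\TBElement\Element.exe"},
    {"location": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
     "name": "Birthday Reminder.lnk",
     "image": r"C:\Users\u\AppData\Roaming\Birthday\VLC.exe"},
    {"location": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# Constructed directory listings for the folder of each autorun image.
SAMPLE_DIR_LISTING = {
    r"C:\Users\u\Downloads\TBElement": {"Element.exe", "ffmpeg.dll"},
    r"C:\Users\u\AppData\Roaming\Birthday": {"VLC.exe", "libvlc.dll", "stage.tmp"},
    r"C:\Program Files\Microsoft OneDrive": {"OneDrive.exe"},
}

# Signed host binaries and the DLLs the report says were sideloaded through them.
SIDELOAD_PAIRS = {"element.exe": {"ffmpeg.dll"}, "vlc.exe": {"libvlc.dll"}}

# Heuristic (assumption): anything under a user profile is attacker-writable.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.I)


def find_suspicious(autoruns, listings):
    """Return (entry name, image path, sideloaded DLL) for each autorun whose
    image is a known sideload host in a user-writable folder that also
    contains the DLL that host will load in preference to the vendor copy."""
    hits = []
    for entry in autoruns:
        image = entry["image"]
        folder, _, exe = image.rpartition("\\")
        if not USER_WRITABLE.match(image):
            continue  # vendor binary in its normal install location
        companions = listings.get(folder, set())
        for dll in SIDELOAD_PAIRS.get(exe.lower(), ()):
            if dll in companions:
                hits.append((entry["name"], image, dll))
    return hits


if __name__ == "__main__":
    for name, image, dll in find_suspicious(SAMPLE_AUTORUNS, SAMPLE_DIR_LISTING):
        print(f"[!] {name}: {image} sideloads {dll}")
```

On a live host the same logic can be fed from an Autoruns export and a directory walk of each image's folder.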
Multi-stage attack chain for Operation PhantomPrayers (Source – Zscaler)
Stage-2 shellcode is compressed with NRV2D; Stage-3 payloads are full PE executables whose headers are scrubbed (0x0d 0x0a) to foil static scanners.
The snippet below, recovered from libvlc.dll, shows the dual-layer decryption that unlocks PhantomPrayers' reflective loader:
from Crypto.Cipher import ARC4, AES   # PyCryptodome

# Encrypted Stage-2 blob dropped beside libvlc.dll (file name elided in the report)
shell = open('.tmp', 'rb').read()

# Layer 1: RC4 with a hard-coded 16-byte key
rc4 = ARC4.new(b'\x0F\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F')
stage1 = rc4.decrypt(shell)

# Layer 2: AES-128-CBC; the same 16 bytes serve as key and IV
aes = AES.new(b'\x01\x02\x03\x09\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F',
              AES.MODE_CBC,
              b'\x01\x02\x03\x09\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F')
# NUL-pad to the 16-byte block boundary so CBC decryption accepts the buffer
stage1 += b'\x00' * (-len(stage1) % 16)
loader = aes.decrypt(stage1)
Once resident, Ghost RAT's DllSerSt plugin can enumerate users, while DllAudio records ambient sound; PhantomNet mirrors much of this arsenal but can also restrict C2 chatter to preset hours, reducing network noise.
Multi-stage attack chain for Operation GhostChat (Source – Zscaler)
The operation chain in the original Zscaler report graphically summarizes the full chain, underscoring how a single misplaced click translates into covert, persistent surveillance on Windows endpoints.