Russia-Linked Hackers Target Tajikistan Government with Weaponized Word Documents

Posted on May 27, 2025 By CWS

Might 27, 2025Ravie LakshmananMalware / Risk Intelligence
The Russia-aligned menace actor often known as TAG-110 has been noticed conducting a spear-phishing marketing campaign concentrating on Tajikistan utilizing macro-enabled Phrase templates as an preliminary payload.
The assault chain is a departure from the menace actor’s beforehand documented use of an HTML Utility (.HTA) loader dubbed HATVIBE, Recorded Future’s Insikt Group stated in an evaluation.
“Given TAG-110’s historic concentrating on of public sector entities in Central Asia, this marketing campaign is probably going concentrating on authorities, academic, and analysis establishments inside Tajikistan,” the cybersecurity firm famous.
“These cyber espionage operations probably purpose to assemble intelligence for influencing regional politics or safety, notably throughout delicate occasions like elections or geopolitical tensions.”

TAG-110, also called UAC-0063, is the name assigned to a threat activity group that’s known for its targeting of European embassies, as well as other organizations in Central Asia, East Asia, and Europe. It’s believed to be active at least since 2021.
Assessed to share overlaps with the Russian nation-state hacking crew APT28, activities associated with the threat actor were first documented by Romanian cybersecurity company Bitdefender in May 2023 in connection with a campaign that delivered a malware codenamed DownEx (aka STILLARCH) targeting government entities in Kazakhstan and Afghanistan.
However, it was the Computer Emergency Response Team of Ukraine (CERT-UA) that officially assigned the moniker UAC-0063 that same month after it uncovered cyber attacks targeting state bodies in the country using malware strains like LOGPIE, CHERRYSPY (aka DownExPyer), DownEx, and PyPlunderPlug.

The latest campaign aimed at Tajikistan organizations, observed starting January 2025, demonstrates a shift away from HATVIBE, distributed via HTA-embedded spear-phishing attachments, in favor of macro-enabled Word template (.DOTM) files, underscoring an evolution of their tactics.
“Previously, TAG-110 leveraged macro-enabled Word documents to deliver HATVIBE, an HTA-based malware, for initial access,” Recorded Future said. “The newly detected documents do not contain the embedded HTA HATVIBE payload for creating a scheduled task and instead leverage a global template file placed in the Word startup folder for persistence.”

The phishing emails have been found to use Tajikistan government-themed documents as lure material, which aligns with its historical use of trojanized legitimate government documents as a malware delivery vector. However, the cybersecurity company said it could not independently verify the authenticity of these documents.
Present with the files is a VBA macro that’s responsible for placing the document template in the Microsoft Word startup folder for automatic execution and subsequently initiating communications with a command-and-control (C2) server and potentially executing additional VBA code supplied with C2 responses. The exact nature of the second-stage payloads is not known.
“However, based on TAG-110’s historical activity and tool set, it is likely that successful initial access via the macro-enabled templates would result in the deployment of additional malware, such as HATVIBE, CHERRYSPY, LOGPIE, or potentially a new, custom-developed payload designed for espionage operations,” the company said.
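
A defender-side check for the startup-folder persistence described above, as an added example that is not from the original article or from Recorded Future: it lists the Word files in a startup folder and flags OOXML templates that carry a VBA project part (`vbaProject.bin`). The sample files and their names are constructed stand-ins, and the default `%APPDATA%\Microsoft\Word\STARTUP` path is an assumption that holds only where Word's startup location has not been changed.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Default per-user Word startup folder (assumption: the location has not been
# changed in Word's File Locations options).
DEFAULT_STARTUP = Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Word" / "STARTUP"
WORD_EXTS = {".dotm", ".dotx", ".dot", ".docm", ".docx", ".doc"}

def triage_startup(folder):
    """Return {filename: verdict} for Word files found in a startup folder."""
    results = {}
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file() or path.suffix.lower() not in WORD_EXTS:
            continue
        if not zipfile.is_zipfile(path):
            # Legacy OLE .dot/.doc or a damaged file: cannot be checked here.
            results[path.name] = "not-ooxml-review-manually"
            continue
        with zipfile.ZipFile(path) as z:
            has_vba = any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        results[path.name] = "macro-project-present" if has_vba else "no-macro-project"
    return results

def build_constructed_samples(folder):
    """Write constructed stand-in files (not malware, not valid Word files)."""
    folder = Path(folder)
    with zipfile.ZipFile(folder / "Normal_helper.dotm", "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"constructed placeholder")
    with zipfile.ZipFile(folder / "Letterhead.dotx", "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    (folder / "old_form.dot").write_bytes(b"\xd0\xcf\x11\xe0constructed OLE stub")
    (folder / "notes.txt").write_text("ignored: not a Word file")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_samples(tmp)
        return triage_startup(tmp)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:28} {name}")
```

On a real host, pass `DEFAULT_STARTUP` to `triage_startup`; any macro-bearing template there that was not deployed by the organization warrants review, since Word loads startup-folder templates automatically.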
