China-Linked TAG-112 Targets Tibetan Media with Cobalt Strike Espionage Campaign - #Daggerfly
A China-linked nation-state group, TAG-112, has reportedly targeted Tibetan media and university websites in a cyber espionage campaign to deliver the Cobalt Strike post-exploitation toolkit. This group, potentially related to Evasive Panda, used malicious JavaScript to deceive visitors into downloading a disguised security certificate, thereby loading a Cobalt Strike payload. The attack exploited a TLS certificate error and a vulnerability in the Joomla content management system. Despite operational similarities, TAG-112's campaign is distinct from those of TAG-102, another group that targets similar entities but with different techniques and malware. Recorded Future's Insikt Group highlighted the lower sophistication of TAG-112 compared to TAG-102, underscoring the diverse threat landscape faced by Tibetan organizations.