
Russia-related hackers target Tajikistan government with weaponized Word documents


May 27, 2025Ravi LakshmananMalware/Threat Intelligence


Threat actors located in Russia, known as TAG-110, have been observed running a spear-phishing campaign targeting Tajikistan that uses macro-enabled Word templates as the initial payload.

The attack chain is a departure from the threat actor's previous use of an HTML Application (.HTA) loader called HATVIBE.

“In light of the historical targeting of Central Asian public sector entities by TAG-110, the campaign is likely to be targeted at government, educational and research institutions within Tajikistan,” the cybersecurity company said.

“These cyberespionage activities may aim to gather intelligence to influence local politics and security, especially during sensitive events such as elections and geopolitical tensions.”


TAG-110, also known as UAC-0063, is the name assigned to a threat activity group known for targeting European embassies, as well as other organizations in Central Asia, East Asia and Europe. It is believed to have been active since at least 2021.

Activity associated with the threat actor, which is assessed to overlap with the Russian nation-state hacking crew APT28, was first documented in May 2023 by Romanian cybersecurity company Bitdefender in connection with a campaign that delivered malware (STILLARCH) targeting government entities in Kazakhstan and Afghanistan.

However, it was the Computer Emergency Response Team of Ukraine (CERT-UA) that officially assigned the moniker UAC-0063 in the same month, after discovering a cyberattack targeting state entities using malware strains such as LOGPIE, CHERRYSPY (aka DownExPyer), DownEx and PyPlunderPlug.

The latest campaign, which has been observed since January 2025 and targets organizations in Tajikistan, moves away from HATVIBE delivered via HTA-embedded spear-phishing attachments in favor of macro-enabled Word template (.DOTM) files, highlighting an evolution of the group's tactics.

“Previously, TAG-110 leveraged macro-enabled Word documents to deliver the HTA-based malware HATVIBE for initial access,” Recorded Future said. “The newly discovered documents do not include an embedded HTA HATVIBE payload to create scheduled tasks and instead leverage a global template file located in the Word startup folder for persistence.”


The phishing emails are known to use documents themed on the Tajikistan government as lure material. This is consistent with the group's historical use of trojanized legitimate government documents as malware delivery vectors. However, the cybersecurity company said it cannot independently verify the reliability of these documents.

Present in the file is a VBA macro that may place the document template in the Microsoft Word startup folder for automatic execution, then initiate communication with the command-and-control (C2) server and run additional VBA code provided in a C2 response. The exact nature of the second-stage payload is unknown.
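A defensive check for the persistence mechanism described above, as an added example that is not code from the article or from the cited research: it lists templates in a Word startup folder and flags any OOXML package that carries a VBA project. The default path shown is the standard per-user location and is assumed not to have been relocated; the sample files are constructed, harmless stand-ins.

```python
import os
import tempfile
import zipfile

# Default per-user Word startup folder on Windows (assumption: not relocated in Word's settings).
DEFAULT_STARTUP = os.path.expandvars(r"%APPDATA%\Microsoft\Word\STARTUP")
TEMPLATE_EXTS = {".dot", ".dotx", ".dotm"}

def inspect_template(path):
    """Report whether one template carries a VBA project part."""
    finding = {"file": os.path.basename(path), "has_vba": False, "note": ""}
    if not zipfile.is_zipfile(path):
        # Legacy binary .dot files are OLE containers, not ZIP; they need a separate tool.
        finding["note"] = "not an OOXML package: review manually"
        return finding
    with zipfile.ZipFile(path) as pkg:
        parts = [n.lower() for n in pkg.namelist()]
    # Macro-enabled OOXML files store their VBA in a vbaProject.bin part.
    finding["has_vba"] = any(p.endswith("vbaproject.bin") for p in parts)
    if finding["has_vba"]:
        finding["note"] = "global template with macros: loads on every Word start"
    return finding

def scan_startup(folder=DEFAULT_STARTUP):
    """Inspect every template file found in a Word startup folder."""
    return [inspect_template(os.path.join(folder, name))
            for name in sorted(os.listdir(folder))
            if os.path.splitext(name)[1].lower() in TEMPLATE_EXTS]

def build_constructed_samples():
    """Create a temporary folder of constructed (harmless) sample templates."""
    folder = tempfile.mkdtemp(prefix="word_startup_")
    with zipfile.ZipFile(os.path.join(folder, "clean.dotx"), "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
    with zipfile.ZipFile(os.path.join(folder, "report.dotm"), "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    with open(os.path.join(folder, "old.dot"), "wb") as f:
        f.write(b"\xd0\xcf\x11\xe0constructed legacy stub")
    return folder

if __name__ == "__main__":
    for finding in scan_startup(build_constructed_samples()):
        print(finding)
```

On most endpoints this folder is empty, so any macro-bearing template found there is worth triaging against the user's known add-ins.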

“However, based on the historic activity and toolset of TAG-110, successful initial access via macro-enabled templates could potentially deploy HATVIBE, CHERRYSPY, LOGPIE, or potentially new custom-developed payloads designed for spying,” the company said.
