China-based APTs deploy fake Dalai Lama apps to spy on Tibetan communities


July 24, 2025Ravi LakshmananCyber Spy/Malware

The Tibetan community was targeted by a China-nexus cyber espionage group as part of two campaigns run last month ahead of the Dalai Lama’s 90th birthday on July 6, 2025.

The multi-stage attacks have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz.

“The attackers breached a legal website, redirected users via malicious links, and eventually installed a Gh0st RAT or PhantomNet (aka SManager) backdoor on the victim system,” security researchers Sudeep Singh and Roy Tay said in a report Wednesday.

This is not the first time a Chinese threat actor has resorted to a watering hole attack (aka strategic web compromise), a technique in which adversaries compromise websites that a specific group frequently visits in order to infect its members' devices with malware.


Over the past two years, hacking groups such as EvilBamboo, Evasive Panda, and TAG-112 have all relied on this approach to target the Tibetan diaspora, with the ultimate goal of gathering sensitive information.

Operation GhostChat

The latest set of attacks observed by Zscaler involves the compromise of a web page to replace a link pointing to "tibetfund[.]org/90thbirthday" with a fraudulent version ("thedalailama90.niccenter[.]net").

While the original web page is designed to send a message to the Dalai Lama, the replica page adds an option to send an encrypted message to the spiritual leader by downloading, from "tbelement.niccenter[.]net", a secure chat application named TElement, which claims to be a Tibetan version of Element.

Hosted on the website is a backdoored version of the open-source encrypted chat software that contains malicious DLLs, which are sideloaded to launch Gh0st RAT, a remote access trojan widely used by various Chinese hacking groups. The web page also contains JavaScript code designed to collect the visitor's IP address and user-agent information and send the details to the threat actors via an HTTP POST request.
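The link swap described above is something a site owner can monitor for by diffing a page's external links against a reviewed baseline. The following is an added example, not code from the Zscaler report or this article; the function names are hypothetical and the sample HTML and hostnames are constructed `.example` placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (anchor text, href) for every <a href=...> in a page."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None


def external_links(html, site_host):
    """Map anchor text -> set of external hosts it links to."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    result = {}
    for text, href in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        if host and host != site_host:  # skip relative and same-host links
            result.setdefault(text, set()).add(host)
    return result


def link_drift(baseline_html, current_html, site_host):
    """Report external links whose host is absent from the reviewed baseline."""
    before = external_links(baseline_html, site_host)
    known_hosts = set().union(*before.values())
    findings = []
    for text, hosts in external_links(current_html, site_host).items():
        for host in sorted(hosts - known_hosts):
            # Same anchor text, unfamiliar host: the link was repointed.
            kind = "retargeted" if text in before else "new"
            findings.append((kind, text, host))
    return sorted(findings)


# Constructed sample pages; every hostname is a reserved .example placeholder.
BASELINE = '<a href="/about">About</a> <a href="https://fund.example/90thbirthday">Send a message</a>'
TAMPERED = '<a href="/about">About</a> <a href="https://birthday90.lookalike.example/">Send a message</a>'
```

Run on a schedule against the live page, a "retargeted" finding means a familiar anchor now points at a host nobody reviewed, which is the pattern this campaign relied on.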

Phantom Operation

Gh0st RAT is a fully-featured malware that supports file manipulation, screen capture, clipboard content extraction, webcam video recording, keylogging, audio recording and playback, process manipulation, and remote shells.

The second campaign, Operation PhantomPrayers, is known to use another domain, "hhthedalailama90.niccenter[.]net", to distribute a phony "90th Birthday Global Check-in" app ("dalailamacheckin.exe", dubbed PhantomPrayers) that, when opened, displays an interactive map and encourages victims to "send a blessing."


However, the malicious functionality uses DLL side-loading to launch a backdoor that establishes contact with a command-and-control (C2) server over TCP and retrieves additional plug-ins from the C2 server to run on the compromised machine.

“PhantomNet can be configured to work only within a certain time or a few days, but this feature is not enabled in the current sample,” the researchers said. “PhantomNet used modular plug-in DLLs, AES-encrypted C2 traffic, and configurable timing operations to stealthily manage compromised systems.”

