{ "id": "a61e971e-006e-4ff4-baad-eac418dbec86", "created_at": "2026-04-06T00:08:07.600923Z", "updated_at": "2026-04-10T03:36:48.125745Z", "deleted_at": null, "sha1_hash": "1fbc10dde6f8afd41b8e439120d9d29882eda30c", "title": "Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 875894, "plain_text": "Chinese State-Sponsored Activity Group TAG-22 Targets Nepal,\r\nthe Philippines, and Taiwan\r\nBy INSIKT GROUP\r\nArchived: 2026-04-05 14:47:44 UTC\r\nRecorded Future has identified a suspected Chinese state-sponsored group that we track as Threat Activity Group\r\n22 (TAG-22) targeting telecommunications, academia, research and development, and government organizations\r\nin Nepal, the Philippines, Taiwan, and more historically, Hong Kong. In this most recent activity, the group likely\r\nused compromised GlassFish servers and Cobalt Strike in initial access operations before switching to the\r\nbespoke Winnti, ShadowPad, and Spyder backdoors for long-term access using dedicated actor-provisioned\r\ncommand and control infrastructure.\r\nBackground\r\nIn September 2020, Recorded Future clients received a report on activity linked to a user of the shared custom\r\nbackdoors Winnti and ShadowPad. This activity targeted a Hong Kong university and airport. The infrastructure\r\nand malware used in these intrusions directly overlap with previous reporting by ESET and NTT Group on Winnti\r\nGroup activity. There are also numerous infrastructure and malware overlaps with activity recently reported by\r\nAvast, which described an installer backdoored with Cobalt Strike found on the official website of MonPass, a\r\nmajor certification authority (CA) in Mongolia. Both the ShadowPad and Winnti backdoors are shared across\r\nmultiple Chinese activity groups. Winnti in particular has been historically used by both APT41/Barium and\r\nAPT17 and is commonly associated with activity linked to multiple groups of loosely connected private\r\ncontractors operating on behalf of China’s Ministry of State Security (MSS). In this case, Insikt Group tracks the\r\ncluster of activity described in this and our previous report using the temporary name Threat Activity Group 22\r\n(TAG-22), while we note some historical overlap with activity clustered as APT41 and Barium by FireEye and\r\nMicrosoft, respectively.\r\nVictimology and Use of Compromised GlassFish Infrastructure\r\nInsikt Group tracks known infrastructure and domains linked to TAG-22 using a combination of passive DNS data\r\nand adversary C2 detection techniques for ShadowPad, Winnti, and the Spyder Backdoor. In June 2021, we\r\nidentified TAG-22 intrusions targeting the following organizations in Taiwan, Nepal, and the Philippines using\r\nRecorded Future Network Traffic Analysis (NTA) data:\r\nThe Industrial Technology Research Institute (ITRI) in Taiwan\r\nNepal Telecom\r\nDepartment of Information and Communications Technology (The Philippines)\r\nhttps://www.recordedfuture.com/research/chinese-group-tag-22-targets-nepal-philippines-taiwan\r\nPage 1 of 8\n\nIn particular, the targeting of the ITRI is notable due to its role as a technology research and development\r\ninstitution that has set up and incubated multiple Taiwanese technology firms. According to the ITRI’s website,\r\nthe organization is particularly focused on research and development projects related to smart living, quality\r\nhealth, sustainable environment, and technology, many of which map to development priorities under China’s 14th\r\n5-year plan, previously highlighted by Insikt Group as likely areas of future Chinese economic espionage efforts.\r\nIn recent years, Chinese groups have targeted multiple organizations across Taiwan’s semiconductor industry to\r\nobtain source code, software development kits, and chip designs.\r\nWhile we believe these 4 organizations were likely the intended end targets of TAG-22 intrusion activity, we also\r\nidentified several suspected compromised GlassFish Servers communicating with TAG-22 C2 infrastructure. This\r\nis in line with recent NTT reporting, which identified the group exploiting GlassFish Server software version 3.1.2\r\nand below and using the compromised infrastructure to conduct onward intrusion activity, specifically scanning\r\nusing the Acunetix scanner and deploying the Cobalt Strike offensive security tool (OST). Per NTT researchers,\r\nthe group likely used this infrastructure in the early stages of intrusions before transitioning to dedicated\r\ninfrastructure for controlling ShadowPad, Spyder, and Winnti implants. For its dedicated infrastructure, TAG-22\r\nprimarily used domains registered via Namecheap and Choopa (Vultr) virtual private servers (VPS) for hosting.\r\nNepal Telecom Tradecraft Case Study\r\nBy querying the TAG-22 C2 domain vt.livehost[.]live in the Recorded Future Threat Intelligence Platform, we\r\nidentified links to the Shadowpad and Spyder backdoors that combine Recorded Future C2 detections and passive\r\nDNS data.\r\nFigure 1: Malicious Infrastructure Verdict for vt.livehost[.]com (Source: Recorded Future)\r\nThis allows us to pivot and identify the TAG-22 IP address 139.180.141[.]227, which we have detected being used\r\nby the group for both Shadowpad and Spyder command and control.\r\nhttps://www.recordedfuture.com/research/chinese-group-tag-22-targets-nepal-philippines-taiwan\r\nPage 2 of 8\n\nFigure 2: Intelligence Card for TAG-22 C2 139.180.141[.]227 (Source: Recorded Future)\r\nhttps://www.recordedfuture.com/research/chinese-group-tag-22-targets-nepal-philippines-taiwan\r\nPage 3 of 8\n\nFigure 3: Sample exfiltration event from Nepal Telecom to TAG-22 C2 Infrastructure (Source: Recorded Future)\r\nIn addition to identifying additional related malicious infrastructure, using Network Traffic Analysis Events, we\r\nwere also able to pinpoint specific victims of TAG-22 activity. The screenshot above shows an exfiltration event\r\nfrom the Nepal Telecom IP to the Shadowpad and Spyder backdoor C2 139.180.141[.]227, which hosted the\r\ndomain vt.livehost[.]live at the time of exfiltration. While the victim IP address is assigned to Nepal Telecom, for\r\ntelecommunication companies, this is often insufficient for attributing the true victim organization because the\r\nmajority of infrastructure owned by those entities is leased or provided to its customers. In this case, we can use\r\nthe new, proprietary VPN and Geographical Information extension alongside other enrichments to try to pinpoint\r\nthe victim of this activity.\r\nhttps://www.recordedfuture.com/research/chinese-group-tag-22-targets-nepal-philippines-taiwan\r\nPage 4 of 8\n\nFigure 4: VPN and Geographical Information extension for Nepal Telecom IP 202.70.66[.]146 (Source: Recorded\r\nFuture)\r\nBy clicking on the Google Maps view within the VPN and Geographical Information extension for this IP address,\r\nwe can pinpoint a location and confirm that Nepal Telecom is likely the victim of this activity — the location\r\ndirectly points to Nepal Telecom’s head office in Kathmandu.\r\nFigure 5: VPN and Geographical Information extension for Nepal Telecom IP 202.70.66[.]146 (Source: Recorded\r\nFuture)\r\nMalware Analysis\r\nThrough analyzing the identified TAG-22 operational infrastructure, we identified several Cobalt Strike samples\r\nlikely used by the group to gain an initial foothold in the target environment. The group also used a custom Cobalt\r\nhttps://www.recordedfuture.com/research/chinese-group-tag-22-targets-nepal-philippines-taiwan\r\nPage 5 of 8\n\nStrike loader the malware authors appear to have called Fishmaster based on a debugging string present within\r\nseveral samples:\r\n(C:\\Users\\test\\Desktop\\fishmaster\\x64\\Release\\fishmaster.pdb)\r\nThe string “fish_master” was also present across others.\r\nFor initial access, the group typically used double extensions for Fishmaster Portable Executable (PE) files to\r\nmake them appear like Microsoft Office or PDF files:\r\n2af96606c285542cb970d50d4740233d2cddf3e0fe165d1989afa29636ea11db - Advertising Cooperation-DUKOU ICU.pdf.exe\r\nC2df9f77b7c823543a0528a28de3ca7acb2b1d587789abfe40f799282c279f7d - 履歷-王宣韓.docx.exe\r\nIn each case, following execution, the user is shown a decoy document, such as the resume shown below for a\r\nlikely Taiwanese national. In other instances, the group used malicious macros to drop the Fishmaster loader. As\r\nboth sample lure documents are written in traditional Chinese characters and the CV features a Taiwanese\r\nuniversity, and because the group has more widely targeted Taiwan, we believe that Taiwanese organizations were\r\nlikely the targets for these particular lures.\r\nhttps://www.recordedfuture.com/research/chinese-group-tag-22-targets-nepal-philippines-taiwan\r\nPage 6 of 8\n\nFigure 6: Decoy documents used in TAG-22 activity\r\nMany of the Cobalt Strike beacon payloads used by TAG-22 across this campaign were configured using the\r\nBackoff malleable C2 profile, which contains the following high level network traffic characteristics:\r\nhttps://www.recordedfuture.com/research/chinese-group-tag-22-targets-nepal-philippines-taiwan\r\nPage 7 of 8\n\nUser Agent: “Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\"\r\nHTTP POST URI (multiple choices):\r\n/windebug/updcheck.php\r\n/aircanada/dark.php\r\n/aero2/fly.php\r\n/windowsxp/updcheck.php\r\n/hello/flash.php\r\nHTTP GET URI:\r\n/updates\r\nAll of the configurations contain the watermark 305419896, which is associated with a cracked version of Cobalt\r\nStrike.\r\nOutlook\r\nAt this time, Insikt Group continues to track TAG-22 activity as an independent activity cluster that overlaps with\r\nthe wider group defined as Winnti Group by ESET. TAG-22 uses shared custom backdoors likely unique to\r\nChinese state-sponsored groups, including ShadowPad and Winnti, while also employing open-source or offensive\r\nsecurity tools such as Cobalt Strike and Acunetix. TAG-22’s continued use of publicly reported infrastructure is\r\nindicative of a group experiencing a high degree of operational success despite a breadth of public reporting\r\nregarding its operations. Insikt Group has primarily identified TAG-22 operating within Asia. However, apart from\r\nthis campaign, the group has a relatively broad targeting scope both geographically and by industry. This wider\r\ntargeting scope, coupled with the use of the Winnti backdoor, is typical of several suspected MSS contractors,\r\nincluding APT17 and APT41.\r\nFor a full list of indicators of compromise, please refer to Insikt Group’s Github repository.\r\nSource: https://www.recordedfuture.com/research/chinese-group-tag-22-targets-nepal-philippines-taiwan\r\nhttps://www.recordedfuture.com/research/chinese-group-tag-22-targets-nepal-philippines-taiwan\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://www.recordedfuture.com/research/chinese-group-tag-22-targets-nepal-philippines-taiwan" ], "report_names": [ "chinese-group-tag-22-targets-nepal-philippines-taiwan" ], "threat_actors": [ { "id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5", "created_at": "2022-10-25T15:50:23.269339Z", "updated_at": "2026-04-10T02:00:05.402835Z", "deleted_at": null, "main_name": "APT17", "aliases": [ "APT17", "Deputy Dog" ], "source_name": "MITRE:APT17", "tools": [ "BLACKCOFFEE" ], "source_id": "MITRE", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5bbced13-72f7-40dc-8c41-dcce75bf885e", "created_at": "2022-10-25T15:50:23.695735Z", "updated_at": "2026-04-10T02:00:05.335976Z", "deleted_at": null, "main_name": "Winnti Group", "aliases": [ "Winnti Group" ], "source_name": "MITRE:Winnti Group", "tools": [ "PipeMon", "Winnti for Windows", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "49822165-5541-423d-8808-1c0a9448d588", "created_at": "2022-10-25T16:07:23.384093Z", "updated_at": "2026-04-10T02:00:04.575678Z", "deleted_at": null, "main_name": "Barium", "aliases": [ "Brass Typhoon", "Pigfish", "Starchy Taurus" ], "source_name": "ETDA:Barium", "tools": [ "Agent.dhwf", "Agentemis", "Barlaiy", "BleDoor", "Cobalt Strike", "CobaltStrike", "Destroy RAT", "DestroyRAT", "Kaba", "Korplug", "POISONPLUG", "PlugX", "RbDoor", "RedDelta", "RibDoor", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Winnti", "Xamtrav", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "6a0effeb-3ee2-4a67-9a9f-ef5c330b1c3a", "created_at": "2023-09-07T02:02:47.827633Z", "updated_at": "2026-04-10T02:00:04.873323Z", "deleted_at": null, "main_name": "RedHotel", "aliases": [ "Operation FishMedley", "RedHotel", "TAG-22" ], "source_name": "ETDA:RedHotel", "tools": [ "Agentemis", "BIOPASS", "BIOPASS RAT", "BleDoor", "Brute Ratel", "Brute Ratel C4", "Cobalt Strike", "CobaltStrike", "FunnySwitch", "POISONPLUG.SHADOW", "RbDoor", "RibDoor", "RouterGod", "ShadowPad Winnti", "SprySOCKS", "Spyder", "Winnti", "XShellGhost", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "c5f79f58-db78-4cd7-88cf-c029a2199360", "created_at": "2022-10-25T16:07:23.325227Z", "updated_at": "2026-04-10T02:00:04.542909Z", "deleted_at": null, "main_name": "APT 12", "aliases": [ "APT 12", "BeeBus", "Bronze Globe", "CTG-8223", "Calc Team", "Crimson Iron", "DNSCalc", "DynCALC", "G0005", "Group 22", "Hexagon Typhoon", "Numbered Panda" ], "source_name": "ETDA:APT 12", "tools": [ "AUMLIB", "ETUMBOT", "Exploz", "Graftor", "HIGHTIDE", "IHEATE", "IXESHE", "RIPTIDE", "RapidStealer", "Specfix", "THREEBYTE", "bbsinfo", "mswab", "yayih" ], "source_id": "ETDA", "reports": null }, { "id": "d18fe42c-8407-4f96-aee0-a04e6dce219a", "created_at": "2023-01-06T13:46:38.275292Z", "updated_at": "2026-04-10T02:00:02.907303Z", "deleted_at": null, "main_name": "APT12", "aliases": [ "Group 22", "Calc Team", "DNSCalc", "IXESHE", "Hexagon Typhoon", "BeeBus", "DynCalc", "Crimson Iron", "BRONZE GLOBE", "NUMBERED PANDA", "TG-2754" ], "source_name": "MISPGALAXY:APT12", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a7aefdda-98f1-4790-a32d-14cc99de2d60", "created_at": "2023-01-06T13:46:38.281844Z", "updated_at": "2026-04-10T02:00:02.909711Z", "deleted_at": null, "main_name": "APT17", "aliases": [ "BRONZE KEYSTONE", "G0025", "Group 72", "G0001", "HELIUM", "Heart Typhoon", "Group 8", "AURORA PANDA", "Hidden Lynx", "Tailgater Team" ], "source_name": "MISPGALAXY:APT17", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "945a572f-ebe3-4e2f-a288-512fe751cfa8", "created_at": "2022-10-25T16:07:24.413971Z", "updated_at": "2026-04-10T02:00:04.97924Z", "deleted_at": null, "main_name": "Winnti Group", "aliases": [ "G0044", "Leopard Typhoon", "Wicked Panda", "Winnti Group" ], "source_name": "ETDA:Winnti Group", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "FunnySwitch", "RbDoor", "RibDoor", "RouterGod", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def", "created_at": "2025-08-07T02:03:24.626625Z", "updated_at": "2026-04-10T02:00:03.605175Z", "deleted_at": null, "main_name": "BRONZE KEYSTONE", "aliases": [ "APT17 ", "Aurora Panda ", "DeputyDog ", "Group 72 ", "Hidden Lynx ", "TG-8153 ", "Tailgater Team" ], "source_name": "Secureworks:BRONZE KEYSTONE", "tools": [ "9002", "BlackCoffee", "DeputyDog", "Derusbi", "Gh0stHTTPSDropper", "HiKit", "InternalCMD", "PlugX", "PoisonIvy", "ZxShell" ], "source_id": "Secureworks", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434087, "ts_updated_at": 1775792208, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1fbc10dde6f8afd41b8e439120d9d29882eda30c.pdf", "text": "https://archive.orkl.eu/1fbc10dde6f8afd41b8e439120d9d29882eda30c.txt", "img": "https://archive.orkl.eu/1fbc10dde6f8afd41b8e439120d9d29882eda30c.jpg" } }