{
	"id": "c47109da-4389-4fe0-b8fc-7e5003e47bcf",
	"created_at": "2026-04-06T00:21:58.714663Z",
	"updated_at": "2026-04-10T03:35:59.970997Z",
	"deleted_at": null,
	"sha1_hash": "40b30a63e7740f48d3db9a6825bc38db41641d0d",
	"title": "China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54892,
	"plain_text": "China-Nexus TAG-112 Compromises Tibetan Websites to\r\nDistribute Cobalt Strike\r\nBy Insikt Group®\r\nArchived: 2026-04-05 13:17:46 UTC\r\nSummary\r\nIn a recent cyber campaign, the Chinese state-sponsored threat group TAG-112 compromised two Tibetan\r\nwebsites, Tibet Post and Gyudmed Tantric University, to deliver the Cobalt Strike malware. Recorded Future’s\r\nInsikt Group discovered that the attackers embedded malicious JavaScript in these sites, which spoofed a TLS\r\ncertificate error to trick visitors into downloading a disguised security certificate. This malware, often used by\r\nthreat actors for remote access and post-exploitation, highlights a continued cyber-espionage focus on Tibetan\r\nentities. TAG-112’s infrastructure, concealed using Cloudflare, links this campaign to other China-sponsored\r\noperations, particularly TAG-102 (Evasive Panda).\r\nCyberattacks targeting ethnic and religious minority groups in China continue, with new developments pointing to\r\na targeted campaign against Tibetan organizations. In a recent investigation, Recorded Future’s Insikt Group\r\ndiscovered a Chinese state-sponsored threat actor group, designated TAG-112, responsible for compromising\r\nTibetan community websites and delivering Cobalt Strike, a potent cyber-espionage tool.\r\nKey Findings\r\nIn late May 2024, TAG-112 compromised at least two Tibetan community websites: Tibet Post (tibetpost[.]net)\r\nand Gyudmed Tantric University (gyudmedtantricuniversity[.]org). The attackers exploited vulnerabilities in the\r\nJoomla content management system (CMS) used by these sites to implant malicious JavaScript. This JavaScript\r\nprompted visitors to download a fake security certificate, which, when opened, deployed the Cobalt Strike\r\npayload.\r\nTAG-112’s infrastructure shows notable overlap with TAG-102 (Evasive Panda), a more sophisticated Chinese\r\nstate-sponsored group known for targeting Tibetan entities. 
However, Insikt Group has identified TAG-112 as a\r\nseparate entity due to differences in attack maturity and tactics, such as using Cobalt Strike rather than custom\r\nmalware and foregoing JavaScript obfuscation.\r\nMalicious JavaScript and Spoofed TLS Error\r\nThe attack begins with the malicious JavaScript embedded in the compromised websites. When a user visits one\r\nof these sites, the script detects the operating system and browser type, confirming compatibility with Windows. If\r\nhttps://www.recordedfuture.com/research/china-nexus-tag-112-compromises-tibetan-websites\r\nPage 1 of 3\n\ncompatible, the script initiates a connection with TAG-112’s command-and-control (C2) domain,\r\nupdate[.]maskrisks[.]com, which then returns an HTML page spoofing a legitimate TLS certificate error.\r\nThis spoofed error page is crafted to mimic Google Chrome’s TLS certificate warning, deceiving users into\r\nclicking a link to \"download a security certificate.\" Upon clicking, users unknowingly initiate the download of\r\nCobalt Strike, a legitimate tool commonly used by security testers but often exploited by attackers for remote\r\naccess and command execution.\r\nExploiting Website Vulnerabilities\r\nTAG-112 likely gained access to the compromised Tibetan websites through vulnerabilities in Joomla, a popular\r\nCMS. Websites built on Joomla are frequently targeted by attackers if they are not adequately maintained and\r\nupdated. Likely by exploiting these weaknesses, TAG-112 was able to upload the malicious JavaScript file, which\r\nremains active on these sites as of early October 2024.\r\nInfrastructure and Obfuscation Tactics\r\nTAG-112’s infrastructure shows a level of sophistication in concealing its origins. The group used Cloudflare to\r\nshield its servers' IP addresses, complicating efforts to trace the infrastructure back to its origin. Insikt Group\r\nidentified multiple IP addresses linked to TAG-112’s C2 servers, some active as early as March 2024. 
The primary\r\ndomain, maskrisks[.]com, was registered in March 2024 through Namecheap, with subdomains such as\r\nmail[.]maskrisks[.]com and checkupdate[.]maskrisks[.]com added for further operational flexibility.\r\nTAG-112’s Use of Cobalt Strike\r\nCobalt Strike is a commercial penetration testing tool that has become a favorite among threat actors due to its\r\nversatility and powerful capabilities for remote access, lateral movement, and command-and-control. Insikt Group\r\nidentified six distinct Cobalt Strike Beacon samples linked to TAG-112, with their C2 communication directed to\r\nmail[.]maskrisks[.]com. This malware enables TAG-112 to monitor and control compromised systems, gathering\r\nintelligence and potentially leveraging these infected systems for further espionage activities.\r\nConnections to TAG-102 (Evasive Panda)\r\nTAG-112 shares several operational characteristics with TAG-102 (Evasive Panda), another Chinese APT known\r\nfor targeting the Tibetan community. Both groups have used similar methods, including spoofed error pages to\r\ndeliver malicious files. However, TAG-112’s operations are less sophisticated than TAG-102, indicating that it\r\nmay be a subgroup or less experienced branch. For instance, while TAG-102 has deployed customized malware\r\nand used obfuscation techniques, TAG-112 relies on the readily available Cobalt Strike tool without obfuscating\r\nits JavaScript.\r\nDespite the lack of obfuscation, TAG-112’s tactics and overlaps with TAG-102 highlight the Chinese\r\ngovernment’s ongoing interest in Tibetan and other ethnic and religious minority communities. 
Such campaigns\r\nare part of a broader strategy of surveillance and control, targeting groups perceived as threats to the stability and\r\ncontrol of the Chinese Communist Party (CCP).\r\nMitigation Recommendations\r\nTAG-112’s campaign underscores the importance of proactive cybersecurity measures, particularly for\r\norganizations that may be high-value targets for state-sponsored actors. Recorded Future recommends the\r\nfollowing steps:\r\n1. Intrusion Detection and Prevention: Configure intrusion detection (IDS) and intrusion prevention\r\nsystems (IPS) to alert on any indicators of compromise (IoCs) associated with TAG-112. Consider blocking\r\nconnections to known TAG-112 infrastructure after a thorough review.\r\n2. User Training: Educate users to exercise caution when handling files downloaded from untrusted sources.\r\nAdvise users against opening files that download automatically without input, as these could be part of\r\nphishing or drive-by download attacks.\r\n3. Cobalt Strike Detection: Enable real-time monitoring for malicious Cobalt Strike C2 servers using threat\r\nintelligence modules such as Recorded Future’s Intelligence Cloud.\r\n4. Network Monitoring: Regularly monitor network traffic for signs of compromise, particularly for\r\nconnections to known threat infrastructure. Malicious Traffic Analysis (MTA) can help detect unusual\r\nactivity, alerting security teams to potential C2 communications.\r\nOutlook\r\nTAG-112’s operations against Tibetan organizations reflect a longstanding objective within Chinese cyber-espionage campaigns to monitor and control ethnic and religious minorities, especially those seen as potentially\r\ndestabilizing. 
Other groups and regions with similar CCP-designated risk profiles are likely targets of similar\r\nstate-sponsored attacks.\r\nAppendix A — Indicators of Compromise\r\nAppendix B — Mitre ATT\u0026CK Techniques\r\nSource: https://www.recordedfuture.com/research/china-nexus-tag-112-compromises-tibetan-websites",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.recordedfuture.com/research/china-nexus-tag-112-compromises-tibetan-websites"
	],
	"report_names": [
		"china-nexus-tag-112-compromises-tibetan-websites"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0ed62b86-b1a8-4463-a157-1db21e91e7f4",
			"created_at": "2024-11-16T02:00:03.81128Z",
			"updated_at": "2026-04-10T02:00:03.770291Z",
			"deleted_at": null,
			"main_name": "TAG-112",
			"aliases": [],
			"source_name": "MISPGALAXY:TAG-112",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434918,
	"ts_updated_at": 1775792159,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40b30a63e7740f48d3db9a6825bc38db41641d0d.pdf",
		"text": "https://archive.orkl.eu/40b30a63e7740f48d3db9a6825bc38db41641d0d.txt",
		"img": "https://archive.orkl.eu/40b30a63e7740f48d3db9a6825bc38db41641d0d.jpg"
	}
}