{
	"id": "4e10272c-63b0-4eb1-9ed1-8fe2ca3a52e3",
	"created_at": "2026-04-06T00:18:11.364567Z",
	"updated_at": "2026-04-10T13:12:57.254833Z",
	"deleted_at": null,
	"sha1_hash": "7de253d85c9b23e00252be3d1bd35603226f64d1",
	"title": "TAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies | Recorded Future",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50837,
	"plain_text": "TAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies | Recorded Future\r\nBy Insikt Group®\r\nArchived: 2026-04-02 10:43:26 UTC\r\nSummary\r\nRecorded Future’s Insikt Group identified a suspected cyber-espionage campaign by TAG-100 targeting government and private-sector organizations worldwide. TAG-100 exploited internet-facing devices for initial access and relied on open-source tooling such as the Go backdoor Pantegana. The campaign compromised two Asia-Pacific intergovernmental organizations and targeted multiple diplomatic and trade entities.\r\nTAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies\r\nTAG-100 uses open-source remote access capabilities and exploits a range of internet-facing devices to gain initial access. This activity reflects a growing trend of cyber-espionage conducted with open-source tools, which lowers the barrier to entry for less capable threat actors and reduces the need for bespoke capabilities. Two major Asia-Pacific intergovernmental organizations, along with multiple diplomatic, trade, and private-sector entities worldwide, were likely compromised by TAG-100.\r\nKey Findings\r\nTAG-100 has compromised organizations in at least ten countries across Africa, Asia, North America, South America, and Oceania.\r\nThe group used the open-source Go backdoors Pantegana and SparkRAT for post-exploitation activity.\r\nTAG-100 targeted a range of internet-facing products, including Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange, SonicWall, Cisco ASA, Palo Alto Networks GlobalProtect, and Fortinet FortiGate.\r\nFollowing the public release of a proof-of-concept (PoC) exploit for the Palo Alto Networks GlobalProtect firewall vulnerability CVE-2024-3400, TAG-100 conducted reconnaissance and attempted exploitation against dozens of US-based organizations.\r\nImpact and Implications\r\nTAG-100’s exploitation of vulnerable internet-facing devices is particularly concerning because these devices offer limited visibility and logging, which lowers the likelihood that post-exploitation activity is detected and exposes organizations to operational downtime, reputational damage, and regulatory fines.\r\nhttps://www.recordedfuture.com/research/tag-100-uses-open-source-tools-in-suspected-global-espionage-campaign\r\nPage 1 of 2\n\nThe use of open-source tools also allows state-sponsored threat actors to outsource cyber operations to less capable groups, increasing the intensity and frequency of attacks on enterprise networks.\r\nMitigations\r\nOrganizations should:\r\nConfigure intrusion detection and prevention systems to alert on and block suspicious IP addresses and domains.\r\nEnsure security monitoring covers all external-facing services and devices.\r\nPrioritize patching vulnerabilities, especially those known to be exploited in the wild.\r\nImplement network segmentation and multi-factor authentication.\r\nUse the Recorded Future® Threat Intelligence module to detect and block malicious infrastructure such as Pantegana, SparkRAT, and Cobalt Strike command-and-control (C2) servers in real time.\r\nThe Recorded Future® Third-Party Intelligence module monitors real-time outputs to identify suspected intrusion activity involving key vendors and partners.\r\nMalicious Traffic Analysis (MTA) lets Recorded Future clients receive proactive alerts on, and monitor, infrastructure that communicates with known TAG-100 C2 IP addresses.\r\nOutlook\r\nTAG-100’s activity highlights a persistent threat to internet-facing devices, which both financially motivated and state-sponsored threat actors will likely continue to exploit. The US and UK governments are working to improve security, but vulnerable network edges remain a significant risk.\r\nThe full analysis is available as a downloadable PDF report.\r\nSource: https://www.recordedfuture.com/research/tag-100-uses-open-source-tools-in-suspected-global-espionage-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.recordedfuture.com/research/tag-100-uses-open-source-tools-in-suspected-global-espionage-campaign"
	],
	"report_names": [
		"tag-100-uses-open-source-tools-in-suspected-global-espionage-campaign"
	],
	"threat_actors": [
		{
			"id": "64a08f65-4ef8-4ad5-bac1-ce4e0fd2808c",
			"created_at": "2024-08-28T02:02:09.663698Z",
			"updated_at": "2026-04-10T02:00:04.927384Z",
			"deleted_at": null,
			"main_name": "TAG-100",
			"aliases": [
				"Storm-2077"
			],
			"source_name": "ETDA:TAG-100",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"CrossC2",
				"LESLIELOADER",
				"Pantegana",
				"SparkRAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "db5b833a-965e-4f46-b75d-7e829466a5fa",
			"created_at": "2024-12-21T02:00:02.843374Z",
			"updated_at": "2026-04-10T02:00:03.780907Z",
			"deleted_at": null,
			"main_name": "Storm-2077",
			"aliases": [
				"TAG-100",
				"RedNovember"
			],
			"source_name": "MISPGALAXY:Storm-2077",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434691,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7de253d85c9b23e00252be3d1bd35603226f64d1.pdf",
		"text": "https://archive.orkl.eu/7de253d85c9b23e00252be3d1bd35603226f64d1.txt",
		"img": "https://archive.orkl.eu/7de253d85c9b23e00252be3d1bd35603226f64d1.jpg"
	}
}