{
	"id": "b72dfc61-a1c4-4288-9175-b93191b1a69d",
	"created_at": "2026-04-06T00:13:02.362102Z",
	"updated_at": "2026-04-10T03:34:18.910736Z",
	"deleted_at": null,
	"sha1_hash": "7e608859b7651b4e5b220a800fe228ba15fac4e4",
	"title": "Tibetan Uprising Day Malware Attacks - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84627,
	"plain_text": "Tibetan Uprising Day Malware Attacks - The Citizen Lab\r\nArchived: 2026-04-05 16:25:58 UTC\r\nKey Findings\r\nHundreds of members of the Tibetan community are being targeted by email-based malware attacks that\r\nleverage the March 10 Tibetan Uprising anniversary as a theme.\r\nThis report analyzes two March 10 related attacks. One using a new malware family we call “MsAttacker”\r\nthat we have not observed before, and another using the ShadowNet malware family and command and\r\ncontrol infrastructure related to previous campaigns known to have targeted the Tibetan community.\r\nWe include user recommendations for preventing infection and indicators of compromise for researchers to\r\nidentify MsAttacker.\r\nBackground\r\nOn March 10 1959, amidst growing unrest, Tibetans took to the streets of the capital Lhasa to protest the Chinese\r\noccupation of Tibet. Thousands surrounded the Potala Palace, then the home of His Holiness the Dalai Lama\r\n(HHDL), spurred by fears that he was to be arrested by the Chinese authorities. Following this event, escalation of\r\ntensions between Chinese and Tibetan forces led to HHDL escaping Tibet and taking up exile in northern India.\r\nThe anniversary of the March 10 Tibetan Uprising is a major event in the Tibetan diaspora, commemorated with a\r\nday of protest around the world to raise awareness around Tibetan rights issues. It is a period of intensive activism\r\nand mobilization for many Tibetan organizations.\r\nIn previous research, we described how attackers leverage the heightened activity around the event with social\r\nengineering campaigns, seeding targeted malware.  
For example, we have found personalized e-mails that use\r\nreferences to the anniversary to trick recipients into opening malicious attachments.\r\nIn this report we analyze two separate email-based targeted malware attacks that use the March 10 anniversary as\r\na theme.\r\nAttack 1: MsAttacker\r\nOn March 5 2015, an email with the subject line “10th March 2015 campaign for Tibet” was sent to hundreds of\r\nindividuals and organizations from the Tibetan community. The email purported to come from a well-known\r\nTibetan NGO and contained information about a series of events planned to commemorate the 56th anniversary of\r\nthe Tibetan Uprising.\r\nAttached to the email was a malicious Microsoft Word file “10th March.doc” that used the exploit CVE-2012-0158,\r\na vulnerability in the Windows Common Controls ActiveX library (MSCOMCTL.OCX) that is commonly triggered\r\nthrough crafted RTF and Word documents. This vulnerability has been patched since April 10, 2012 but has\r\nremained the most frequently used CVE we have observed in malware attacks against Tibetan groups for the last\r\ntwo years. Its repeated usage suggests that attackers are successfully compromising members of the community\r\nbecause their systems do not have the latest software updates.\r\nhttps://citizenlab.ca/2015/03/tibetan-uprising-day-malware-attacks/\r\nPage 1 of 5\n\nThe exploit was used to deliver a malware family that does not match any available signatures and has not been\r\nobserved by us in previous attacks against the Tibetan community.\r\nThe malware first connects to a command and control server (C2) 122.10.117.152 located in Guangzhou, China.\r\nThe malware then downloads a stage 2 binary: [c2 ip]/download/ms/MiniJs.dll\r\nThis file is copied to c:\\windows\\system32\\teamviewsvc.dll and a service is created to run it on startup.
It then\r\nconnects to 23.27.127.200 to receive further commands.\r\nWe call this family “MsAttacker” after an event name in the stage 2 binary.\r\nWe were also provided with a second MsAttacker sample, sent on March 5 in a highly targeted attack against a\r\nTibet-related NGO. The email contained information about a private event the group was planning that was\r\nunrelated to March 10 activities. The attachment contained the same payload as the first March 10 related attack.\r\nWe found one other example of this malware in the wild. On March 5, an analysis of a file “WTO. non-market\r\nstatus China _1_.doc” was posted to Malwr (a community malware analysis platform). This sample was from the\r\nsame family and also connected to 122.10.117.152.\r\nAttack 2: ShadowNet\r\nIn another attack on March 5, members of a Tibetan human rights organization received an email appearing to\r\ncome from the group’s organizational mailing list. The email message contained information from the secretary of\r\nthe Bureau of His Holiness the Dalai Lama regarding events related to March 10. Attached was a malicious\r\nMicrosoft Word file that had the same filename as the previous attack (10th March.doc) and also used\r\nCVE-2012-0158. However, the malware used in this attack is from the ShadowNet family.\r\nShadowNet malware leverages Windows Management Instrumentation (WMI), a system tool meant for\r\nadministrators. Its intended usage as a tool for collecting system information and automation makes it an ideal\r\nmechanism for gathering and exfiltrating data. The use of legitimate Windows features can make it more difficult\r\nfor administrators to identify activity as malicious.\r\nShadowNet typically uses multi-layered C2 infrastructure that first connects to blog websites and then retrieves\r\nC2 information from encoded strings left on the blog.
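Added example (not code from the Citizen Lab report and not ShadowNet's own code): a minimal Python resolver for the blog-intermediary C2 pattern just described. The implant-side logic walks a list of feed URLs, takes the first reachable feed that carries a marker, decodes the marker and keeps the result only if it looks like a URL, so a blocked or deleted intermediary is simply skipped. The three feed bodies, the [[ ]] marker convention and the base64 encoding are constructed assumptions for this example (the report does not document ShadowNet's actual encoding), and the fetch() function stands in for an HTTP client so the code runs offline.

```python
# Added example, not the report's or ShadowNet's code: resolving a C2 address
# through blog intermediaries (dead drops) with fail-over across several feeds.
# ASSUMPTIONS (not from the report): feed bodies, the [[...]] marker and base64.
import base64
import xml.etree.ElementTree as ET

MARK_OPEN, MARK_CLOSE = '[[', ']]'

# Constructed feed bodies keyed by the three blog URLs the report names.
# Feed 1 is unreachable (None) and feed 2 has no marker, so the resolver must
# fail over to feed 3, which carries the base64-encoded C2 URL from the report.
FEEDS = {
    'hxxp://johnsmith152.typepad.com/blog/rss.xml': None,
    'hxxp://mynewshemm.wordpress.com/feed/': (
        '<rss><channel><item><title>hello</title>'
        '<description>nothing here</description></item></channel></rss>'),
    'hxxp://johnsmith5382.thoughts.com/feed': (
        '<rss><channel><item><title>news</title>'
        '<description>weather update [['
        + base64.b64encode(b'hxxp://www.semamail.info/firex/test.php').decode()
        + ']] regards</description></item></channel></rss>'),
}


def fetch(url):
    # Stand-in for an HTTP GET: returns the constructed body, or None if down.
    return FEEDS.get(url)


def extract_marker(feed_xml):
    # Return the payload between the first [[ and ]] found in any item
    # description, or None if the feed is unparsable or carries no marker.
    try:
        root = ET.fromstring(feed_xml)
    except ET.ParseError:
        return None
    for desc in root.iter('description'):
        text = desc.text or ''
        start = text.find(MARK_OPEN)
        if start == -1:
            continue
        end = text.find(MARK_CLOSE, start + len(MARK_OPEN))
        if end != -1:
            return text[start + len(MARK_OPEN):end]
    return None


def decode_c2(payload):
    # Decode the marker and accept it only if it decodes to a URL-shaped
    # string; anything else is treated as noise or a tampered dead drop.
    try:
        url = base64.b64decode(payload, validate=True).decode('ascii')
    except (ValueError, UnicodeDecodeError):
        return None
    if url.startswith(('http://', 'https://', 'hxxp://')):
        return url
    return None


def resolve_c2(feed_urls):
    # Walk the intermediaries in order; return (feed_used, c2_url) for the
    # first one that yields a valid C2, or (None, None) if all of them fail.
    for url in feed_urls:
        body = fetch(url)
        if body is None:
            continue
        payload = extract_marker(body)
        if payload is None:
            continue
        c2 = decode_c2(payload)
        if c2 is not None:
            return url, c2
    return None, None


if __name__ == '__main__':
    print(resolve_c2(list(FEEDS)))
```

A defender can turn the same logic around: in proxy logs, a host that fetches one of a small set of blog or RSS feeds and shortly afterwards opens a connection to a domain the organization has never resolved before is worth pulling for analysis, since the feed request is the dead-drop lookup and the second connection is the real C2.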
By using blog sites as intermediaries the attackers can\r\nmaintain control of compromised machines even if a C2 is blocked by a network firewall or otherwise goes down.\r\nIf a C2 needs to be updated the attackers can simply point the intermediaries to new servers.\r\nThe sample used in this attack includes a WMI script with links to three blogs\r\n(hxxp://johnsmith152.typepad.com/blog/rss.xml; hxxp://mynewshemm.wordpress.com/feed/;\r\nhxxp://johnsmith5382.thoughts.com/feed). The blogs contain an encoded string that points to the actual C2:\r\nhxxp://www.semamail.info/firex/test.php, which has the IP 122.10.117.5 and is on the same Autonomous\r\nSystem (AS 24544) as the C2 for the MsAttacker sample. Apart from this commonality and the timing of the\r\nattack we do not observe any other linkages between the MsAttacker and ShadowNet attacks.\r\nThe domain (semamail.info) has questionable whois information (a New York street and postal code paired with\r\na Guangdong province and a CN country code):\r\nRegistrant Name: Kasong Dolma\r\nRegistrant Street: New York\r\nRegistrant City: New York\r\nRegistrant State/Province: guangdong\r\nRegistrant Postal Code: 10001\r\nRegistrant Country: CN\r\nRegistrant Phone: +1.9175608889\r\nRegistrant Email: mike.fly@email.com\r\nThis same registration information has been used for a number of other domains including\r\nconamail.info, convmail.info, and fifamp3.info. The domain fifamp3.info resolves to 122.10.117.35.\r\nPassive DNS records show that rukiyeangel.dyndns.pro has also resolved to the same IP; that hostname is related\r\nto C2 infrastructure used in the Lucky Cat and TseringKanyaq campaigns. ShadowNet was also used in both of\r\nthese campaigns.
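The infrastructure pivot described above (shared WHOIS registrant details, then a passive DNS overlap) can be automated. The following Python is an added example, not code from the Citizen Lab report. The WHOIS and passive DNS records it contains are constructed for illustration from the values the report quotes, plus an unrelated decoy domain; the email and phone fields of the other three .info domains are assumed to match semamail.info, as the report states that the registration information is shared. The functions domain_node(), build_graph() and cluster() are this example's own names.

```python
# Added example, not code from the Citizen Lab report: clustering attacker
# infrastructure by pivoting on shared WHOIS registrant values and on passive
# DNS overlaps, the two pivots used in the semamail.info analysis.
# ASSUMPTIONS: the records below are constructed from values quoted in the
# report plus one unrelated decoy; real input comes from a WHOIS/pDNS provider.
from collections import defaultdict, deque

# Constructed WHOIS records: domain -> registrant fields worth pivoting on.
# The report says the .info domains share registration details, so the email
# and phone of semamail.info are assumed for the other three.
WHOIS = {
    'semamail.info': {'email': 'mike.fly@email.com', 'phone': '+1.9175608889'},
    'conamail.info': {'email': 'mike.fly@email.com', 'phone': '+1.9175608889'},
    'convmail.info': {'email': 'mike.fly@email.com', 'phone': '+1.9175608889'},
    'fifamp3.info': {'email': 'mike.fly@email.com', 'phone': '+1.9175608889'},
    # decoy: unrelated domain that must not join the cluster
    'example-news.org': {'email': 'webmaster@example-news.org',
                         'phone': '+1.2025550100'},
}

# Constructed passive DNS observations as (hostname, ip) pairs.
PDNS = [
    ('www.semamail.info', '122.10.117.5'),
    ('fifamp3.info', '122.10.117.35'),
    ('rukiyeangel.dyndns.pro', '122.10.117.35'),
    ('example-news.org', '203.0.113.10'),
]


def domain_node(host, whois):
    # Fold a hostname onto the WHOIS domain it belongs to when we hold a record
    # for it; otherwise keep the full hostname. Keeping hostnames avoids the
    # mistake of merging every *.dyndns.pro tenant into one cluster.
    parent = '.'.join(host.split('.')[-2:])
    return parent if parent in whois else host


def build_graph(whois, pdns):
    # Bipartite graph: domain <-> ('email', v) / ('phone', v) / ('ip', v).
    # Two domains that share any such value become connected through it.
    graph = defaultdict(set)

    def link(domain, node):
        graph[domain].add(node)
        graph[node].add(domain)

    for domain, fields in whois.items():
        for key, value in fields.items():
            link(domain, (key, value))
    for host, ip in pdns:
        link(domain_node(host, whois), ('ip', ip))
    return graph


def cluster(seed, whois, pdns):
    # Breadth-first expansion from the seed domain. Returns the sorted domains
    # in the same component and the pivot values that tie them together.
    graph = build_graph(whois, pdns)
    seen, queue = {seed}, deque([seed])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    domains = sorted(n for n in seen if isinstance(n, str))
    pivots = sorted(n for n in seen if isinstance(n, tuple))
    return domains, pivots


if __name__ == '__main__':
    for part in cluster('semamail.info', WHOIS, PDNS):
        print(part)
```

Seeded with semamail.info, the cluster comes back with the four .info domains plus rukiyeangel.dyndns.pro, tied together by the registrant email and phone and by 122.10.117.35, while the decoy stays out. On real data the same caution applies in reverse: shared hosting IPs, CDN addresses and privacy-proxy registrant emails are pivots that connect everything to everything and should be dropped from the graph before clustering.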
The overlap between C2 infrastructure and malware families suggests some level of coordination\r\nbetween this new attack and the previous campaigns.\r\nConclusion and Recommendations\r\nThese attacks are a reminder that members of the Tibetan community are consistently targeted, and that the threat\r\nseems to increase during important Tibetan events.\r\nThese kinds of attacks can be mitigated through greater user awareness and changes in behaviour. Users in\r\ntargeted communities should always be cautious about unsolicited emails containing links or attachments and\r\nshould carefully examine the email sender addresses in suspicious messages. Both attacks described here rely on\r\nCVE-2012-0158, which Microsoft fixed in April 2012, so keeping Windows and Office fully patched would have\r\nstopped these particular exploits from working at all.\r\nViewing documents through the Gmail preview feature, or uploading them to Google Docs, makes it possible to\r\nlook at the content of attachments without risking infection of a machine. Suspicious files can also be submitted\r\nto VirusTotal (but should not be submitted if the files contain personal information) or shared with technical\r\nexperts within the community.\r\nFor further resources on digital security the Citizen Lab recommends Tibet Action Institute’s Be a Cyber Super\r\nHero project.\r\nWe are continuing to closely analyze these attacks and the MsAttacker malware family.
We will post further\r\ndetails as they become available.\r\nIndicators\r\nMsAttacker Samples\r\nStage 0\r\nMD5: 8346b50c3954b5c25bf13fcd281eb11a\r\nSHA1: d9a74528bb56a841cea1fe5fa3e0c777a8e96402\r\nSHA256: de7058700f06c5310c26944b28203bc82035f9ff74021649db39a24470517fd1\r\nStage 0\r\nMD5: 6fc909a57650daff9a8b9264f38444a7\r\nSHA1: 2a2a1fae6be0468d388aa2c721a0edd93fb37649\r\nSHA256: a264cec4096a04c47013d41dcddab9f99482f8f83d61e13be4bcf4614f79b7a0\r\nStage 1\r\nMD5: 69a0f490de6ae9fdde0ad9cc35305a7d\r\nSHA1: e3532fc890f659fb6afb9115b388e0024565888c\r\nSHA256: 3de8fb09d79166f10f4a10aef1202c2cb45849943f224dc6c61df8d18435e064\r\nStage 2\r\nMD5: 2782c233ddde25040fb1febf9b13611e\r\nSHA1: be50ef6c94f3b630886e1b337e89f4ea9d6e7649\r\nSHA256: 50aebd2a1e3b8917d6c2b5e88c2e2999b2368fca550c548d0836aa57e35c463f\r\nC2s\r\n122.10.117.152\r\n23.27.127.200\r\nMsAttacker Identifiers\r\nStage 1 Strings\r\nhttp://122.10.117.152/download/ms/CryptBase.32.cab\r\nhttp://122.10.117.152/download/ms/CryptBase.64.cab\r\nhttp://122.10.117.152/download/ms/MiniJS.dll\r\nMiniJS.dll\r\ngupdate.exe\r\nrundll32.exe %s install %s\r\n%s;new Downloader('%s', '%s').Fire();\r\nrundll32.exe %s RealService %s\r\nStage 2 Strings\r\nMiniJS.dll\r\nRealService\r\n%s \"rundll32.exe %s RealService %s\" /f\r\nreg delete HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"Start Pages\" /f\r\nTeamView\r\n3111431114311121270018000127001808012700180\r\nGlobal\\MSAttacker %d\r\nShadowNet Samples\r\nStage 0\r\nMD5: 72707089512762fce576e29a0472eb16\r\nSHA1: 4ab039da14acf7d80fbb11034ef9ccc861c5ed24\r\nSHA256: ddfa44ebb181282e815e965a1c531c7e145128aa7306b508a563e10d5f9f03fb\r\nStage 1\r\nMD5: d8ae44cd65f97654f066edbcb501d999\r\nSHA1: 602a762dca46f7639210e60c59f89a6e7a16391b\r\nSHA256: e8f36317e29206d48bd0e6dd6570872122be44f82ca1de01aef373b3cdb2c0e1\r\nC2s\r\nhxxp://www.semamail.info/firex/test.php (122.10.117.5)\r\nAcknowledgements\r\nThanks to Chris Davis, PassiveTotal, and Adam Senft.\r\nSource: https://citizenlab.ca/2015/03/tibetan-uprising-day-malware-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://citizenlab.ca/2015/03/tibetan-uprising-day-malware-attacks/"
	],
	"report_names": [
		"tibetan-uprising-day-malware-attacks"
	],
	"threat_actors": [
		{
			"id": "9792e41f-4165-474b-99fa-e74ec332bd87",
			"created_at": "2023-01-06T13:46:38.986789Z",
			"updated_at": "2026-04-10T02:00:03.172308Z",
			"deleted_at": null,
			"main_name": "Lucky Cat",
			"aliases": [
				"TA413",
				"White Dev 9"
			],
			"source_name": "MISPGALAXY:Lucky Cat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1a651080-cb2f-49bb-87cb-b9c6f6f99ce9",
			"created_at": "2022-10-25T16:07:23.809467Z",
			"updated_at": "2026-04-10T02:00:04.756067Z",
			"deleted_at": null,
			"main_name": "Lucky Cat",
			"aliases": [],
			"source_name": "ETDA:Lucky Cat",
			"tools": [
				"Comfoo",
				"Comfoo RAT",
				"Lucky Cat",
				"LuckyCat",
				"Sojax",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434382,
	"ts_updated_at": 1775792058,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e608859b7651b4e5b220a800fe228ba15fac4e4.pdf",
		"text": "https://archive.orkl.eu/7e608859b7651b4e5b220a800fe228ba15fac4e4.txt",
		"img": "https://archive.orkl.eu/7e608859b7651b4e5b220a800fe228ba15fac4e4.jpg"
	}
}