{
	"id": "94bc3868-b4aa-46e2-b25e-29f4b98013a6",
	"created_at": "2026-04-06T00:13:44.282166Z",
	"updated_at": "2026-04-10T13:11:45.954426Z",
	"deleted_at": null,
	"sha1_hash": "b7823430522ae3449c7b213f3dfa9c6f18f01d9a",
	"title": "China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71914,
	"plain_text": "China-Linked Group TAG-28 Targets India’s “The Times Group”\r\nand UIDAI (Aadhaar) Government Agency With Winnti Malware\r\nBy PUBLISHED ON 21 SEP 2021\r\nArchived: 2026-04-02 10:36:31 UTC\r\nEditor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download\r\nthe report as a PDF.\r\nExecutive Summary\r\nIndia continues to bear the brunt of hostile cyber operations from Chinese state-sponsored groups. Earlier this\r\nyear, Insikt Group documented a RedEcho campaign targeting India’s critical national infrastructure following a\r\nrapid deterioration in bilateral relations after both countries clashed on the China-India border. We also recently\r\nidentified renewed RedFoxtrot operations targeting an Indian state-owned enterprise involved in the nuclear,\r\nspace, and defense sectors.\r\nFollowing this theme of Chinese targeting of Indian entities, we have identified further suspected intrusions\r\ntargeting the Indian media conglomerate Bennett Coleman And Co Ltd (BCCL), commonly known as “The Times\r\nGroup”; the Unique Identification Authority of India (UIDAI); and the Madhya Pradesh Police department. The\r\nUIDAI is the Indian government agency responsible for the national identification database, more commonly\r\ncalled “Aadhaar”, which contains private biometric information for over 1 billion Indian citizens. These intrusions\r\nwere conducted by an activity group we track using a temporary designation, TAG-28.\r\nChinese state-sponsored intrusions targeting news outlets are not a recent phenomenon. In 2013, the New York\r\nTimes, the Washington Post, and Bloomberg News were targeted by a Chinese group in a widespread intelligence-gathering operation following a series of published articles that were perceived as presenting China unfavorably.\r\nSubsequently in 2014, pro-democracy news outlets in Hong Kong were targeted during the Umbrella Movement\r\nprotests. 
TAG-28’s Winnti campaign targeting BCCL is the latest in a long line of targeted intrusions against\r\ninternational media outlets.\r\nKey Judgments\r\nTAG-28 highly likely targeted UIDAI due to its ownership of the Aadhaar database. Bulk personally\r\nidentifiable information (PII) data sets are valuable to state-sponsored threat actors. Likely uses of such\r\ndata include, but are not limited to, identifying high-value targets such as government officials, enabling\r\nsocial engineering attacks, or enriching other data sources.\r\nGiven the reach of The Times Group publications and their consistent reporting on the “India China war”,\r\nTAG-28’s targeting of BCCL is likely motivated by wanting access to journalists and their sources as well\r\nas pre-publication content of potentially damaging articles focusing on China or its leadership.\r\nIt is less likely that TAG-28 would gain access to media entities to interfere with publishing platforms by\r\nchanging or disrupting articles supporting Chinese information operations.\r\nAs of early August 2021, Recorded Future data shows a 261% increase in the number of suspected state-sponsored Chinese cyber operations targeting Indian organizations and companies already in 2021\r\ncompared to 2020. This follows an increase of 120% between 2019 and 2020, demonstrating China’s\r\ngrowing strategic interest in India over the past few years.\r\nEditor’s Note: This post was an excerpt of a full report. To read the entire analysis, click here to download the\r\nreport as a PDF.\r\nSource: https://www.recordedfuture.com/blog/china-linked-tag-28-targets-indias-the-times-group",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.recordedfuture.com/blog/china-linked-tag-28-targets-indias-the-times-group"
	],
	"report_names": [
		"china-linked-tag-28-targets-indias-the-times-group"
	],
	"threat_actors": [
		{
			"id": "0fca7692-4a21-482f-a113-9548b49e8531",
			"created_at": "2022-10-25T16:07:24.117599Z",
			"updated_at": "2026-04-10T02:00:04.870741Z",
			"deleted_at": null,
			"main_name": "RedEcho",
			"aliases": [],
			"source_name": "ETDA:RedEcho",
			"tools": [
				"POISONPLUG.SHADOW",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "acd409e4-7c55-4110-a441-f3ecf6d20354",
			"created_at": "2024-01-23T13:22:35.073924Z",
			"updated_at": "2026-04-10T02:00:03.518289Z",
			"deleted_at": null,
			"main_name": "TAG-28",
			"aliases": [],
			"source_name": "MISPGALAXY:TAG-28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc91d469-ec69-497b-81d7-068b84501e63",
			"created_at": "2023-01-06T13:46:39.192791Z",
			"updated_at": "2026-04-10T02:00:03.242063Z",
			"deleted_at": null,
			"main_name": "RedEcho",
			"aliases": [],
			"source_name": "MISPGALAXY:RedEcho",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6cf5f006-5ed7-4a00-8103-1781bad5a5e1",
			"created_at": "2022-10-25T16:07:24.294829Z",
			"updated_at": "2026-04-10T02:00:04.925591Z",
			"deleted_at": null,
			"main_name": "TAG-28",
			"aliases": [],
			"source_name": "ETDA:TAG-28",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "64af9eaa-e528-42d2-95c6-f55aa0a13df5",
			"created_at": "2025-04-23T02:00:55.201298Z",
			"updated_at": "2026-04-10T02:00:05.33852Z",
			"deleted_at": null,
			"main_name": "RedEcho",
			"aliases": [
				"RedEcho"
			],
			"source_name": "MITRE:RedEcho",
			"tools": [
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bbb1ee4e-bbe9-44de-8f46-8e7fec09f695",
			"created_at": "2022-10-25T16:07:24.120424Z",
			"updated_at": "2026-04-10T02:00:04.871598Z",
			"deleted_at": null,
			"main_name": "RedFoxtrot",
			"aliases": [
				"Moshen Dragon",
				"Nomad Panda",
				"TEMP.Trident"
			],
			"source_name": "ETDA:RedFoxtrot",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Fucobha",
				"GUNTERS",
				"Gen:Trojan.Heur.PT",
				"Icefog",
				"Impacket",
				"Kaba",
				"Korplug",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"XShellGhost",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434424,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b7823430522ae3449c7b213f3dfa9c6f18f01d9a.pdf",
		"text": "https://archive.orkl.eu/b7823430522ae3449c7b213f3dfa9c6f18f01d9a.txt",
		"img": "https://archive.orkl.eu/b7823430522ae3449c7b213f3dfa9c6f18f01d9a.jpg"
	}
}