Cyber Espionage in Central Asia: TAG-110’s Evolving Tactics in Tajikistan


Introduction

Russia-aligned threat actors keep changing their tooling to stay ahead of detection. One such group, tracked as TAG-110 (also referred to as UAC-0063), has recently changed its delivery technique in a targeted phishing campaign against institutions in Tajikistan. This article examines the group's latest activity, walks through the technical details, and looks at what the campaign means for defenders in Central Asia and beyond.

TAG-110’s Latest Campaign: A Tactical Shift

The Russia-aligned group TAG-110 has launched a new cyber espionage operation against organizations in Tajikistan, and the delivery method marks a notable change. Previously known for distributing malware via HTML Application (.HTA) files, in particular through a loader called HATVIBE, the group now uses macro-enabled Microsoft Word templates (.DOTM files) to start its infection chain. The embedded VBA macros are written to run every time Word is launched and to contact command-and-control (C2) servers.

This is a departure from the group's previously documented tradecraft. The attackers now abuse the Microsoft Word startup folder: a template placed there is loaded as a global template (a Word add-in) and its macros run automatically each time Word is opened, with no document lure required after the initial infection. Two properties make this attractive to the attacker. First, persistence no longer depends on a registry Run key or scheduled task, which are among the most commonly monitored persistence locations. Second, the per-user Word STARTUP folder is one of Word's default Trusted Locations, so a template dropped there runs its macros without the macro-security prompt that would normally apply to an untrusted document. Defenders should treat any macro-bearing template appearing in a STARTUP folder as suspicious until proven otherwise.
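The following scanner is an added illustration of the check a responder would run against this technique; it is not code from the original report or from the researchers who tracked TAG-110. It walks the stock Word STARTUP locations (the paths are assumed defaults and may differ per Office build), opens every template as an OOXML zip, and flags those that actually carry a VBA project (a `word/vbaProject.bin` part, or a content-type override declaring one). Legacy binary `.dot` files cannot be inspected this way and are reported for manual review. The two sample templates at the bottom are constructed in a temporary directory so the script runs stand-alone on any platform.

```python
"""Scan Word STARTUP folders for macro-enabled global templates.

Added example (not from the original report): TAG-110 is described as dropping
.DOTM files into Word's startup folder so their VBA runs whenever Word launches.
This scanner lists the templates present there and flags those that carry a VBA
project.  STARTUP paths below are assumed stock Office locations.
"""
import hashlib
import os
import tempfile
import zipfile
from dataclasses import dataclass

# Assumed default Word STARTUP locations; adjust for your Office version/bitness.
DEFAULT_STARTUP_DIRS = [
    os.path.expandvars(r"%APPDATA%\Microsoft\Word\STARTUP"),
    r"C:\Program Files\Microsoft Office\root\Office16\STARTUP",
    r"C:\Program Files (x86)\Microsoft Office\root\Office16\STARTUP",
]

# .dotx cannot hold VBA but is still auto-loaded, so it is listed for completeness.
TEMPLATE_EXTS = (".dotm", ".dot", ".docm", ".dotx")
VBA_PART = "word/vbaProject.bin"
MACRO_CT = "application/vnd.ms-office.vbaProject"


@dataclass
class Finding:
    path: str
    sha256: str
    has_vba: bool
    reason: str


def inspect_template(path):
    """Return a Finding for one file; non-OOXML files are reported as needing review."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    if not zipfile.is_zipfile(path):
        # Legacy OLE2 .dot or a file merely named like a template: cannot be parsed here.
        return Finding(path, digest, False, "not OOXML (legacy/binary) - review manually")
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        has_part = VBA_PART in names
        try:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            ctypes = ""
        declares_vba = MACRO_CT in ctypes
    if has_part or declares_vba:
        return Finding(path, digest, True, "VBA project present in auto-loaded template")
    return Finding(path, digest, False, "no VBA project")


def scan_startup_dirs(dirs=DEFAULT_STARTUP_DIRS):
    """Walk each STARTUP directory and inspect every template-like file, in name order."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            if os.path.isfile(p) and name.lower().endswith(TEMPLATE_EXTS):
                findings.append(inspect_template(p))
    return findings


def build_sample_startup_dir():
    """Constructed test data: one benign .dotm and one that carries a VBA project."""
    d = tempfile.mkdtemp(prefix="word_startup_")
    ct_plain = ('<?xml version="1.0"?>'
                '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                '<Default Extension="xml" ContentType="application/xml"/></Types>')
    ct_macro = ct_plain.replace(
        "</Types>", f'<Override PartName="/{VBA_PART}" ContentType="{MACRO_CT}"/></Types>')
    with zipfile.ZipFile(os.path.join(d, "Normal-addin.dotm"), "w") as zf:
        zf.writestr("[Content_Types].xml", ct_plain)
        zf.writestr("word/document.xml", "<w:document/>")
    with zipfile.ZipFile(os.path.join(d, "Update.dotm"), "w") as zf:
        zf.writestr("[Content_Types].xml", ct_macro)
        zf.writestr("word/document.xml", "<w:document/>")
        # Stand-in bytes for a real (OLE2) VBA project; only its presence matters here.
        zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0placeholder-ole-stream")
    return d


if __name__ == "__main__":
    for f in scan_startup_dirs(DEFAULT_STARTUP_DIRS + [build_sample_startup_dir()]):
        print("SUSPICIOUS" if f.has_vba else "ok        ", f.sha256[:16], f.path, "-", f.reason)
```

On a real host, run it under the user context whose STARTUP folder you want to inspect, since `%APPDATA%` resolves per user; the SHA-256 in each finding is there so a flagged template can be matched against published indicators or submitted for analysis.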

Recorded

TAG-110, assessed to overlap with the Russian state-sponsored APT28 group, first drew attention in May 2023 through Bitdefender's analysis of a malware campaign dubbed DownEx (also known as STILLARCH). Those attacks, aimed at government institutions in Kazakhstan and Afghanistan, showed both the group's technical capability and its geopolitical focus.

The Ukrainian Computer Emergency Response Team (CERT-UA) officially labeled the group UAC-0063 after detecting additional attacks using malware families like LOGPIE, CHERRYSPY, DownEx, and PyPlunderPlug. These attacks often used documents disguised as legitimate government communications to lure victims into opening them.

In the latest Tajikistan campaign, spoofed government documents again serve as the lure, although it has not been established whether they are doctored copies of genuine documents or fabricated outright. The embedded macros open the C2 channel and can execute further VBA code delivered by the operators, so the template acts as a loader rather than carrying the full payload. The specific second-stage payloads have not been recovered; based on TAG-110's past behaviour, they are likely to be custom spyware or tooling built for data collection and exfiltration.

What Undercode Says: 🧠

TAG-110's move from HTA-based loaders to macro-enabled templates is an evolution in tooling, but the more important change is where the code lives. Leveraging Word's startup folder gives the group persistence tied to an application users open every day, in a location that endpoint products monitor far less closely than the registry or scheduled tasks.

The group’s consistent targeting of Central Asian states suggests a broader intelligence strategy by Russian-aligned actors to maintain influence in a region of strategic geopolitical interest. By infiltrating government and research institutions, TAG-110 can access sensitive data that may affect diplomatic decisions, policy formulations, and international alliances.

The campaign also shows how quickly threat actors adapt to countermeasures. With HTA-based delivery increasingly flagged by modern security platforms, TAG-110 has returned to an older but still effective technique, macro abuse, and paired it with a fresh persistence mechanism. This matches a broader pattern in which groups recycle established techniques with new delivery mechanisms to lower detection rates.

From a defensive standpoint, organizations should re-evaluate their Microsoft Office macro configuration, since macros remain a common and powerful attack vector. Blocking macros by default via policy and enforcing application control (allowlisting) are the core preventative measures. Two points are specific to this campaign: macro policy that applies only to documents with the Mark of the Web will not stop a template that is written to disk by an already-running macro, and the Word STARTUP folder is a default Trusted Location, so the Trusted Locations list should be restricted by policy and the STARTUP folders should be monitored for new .DOTM files.

Also worth noting is the overlap with malware families from earlier campaigns. The reuse of CHERRYSPY, LOGPIE, and PyPlunderPlug points to a modular toolset within TAG-110's arsenal, in which the loader stage can be swapped while the second-stage implants are tailored to the target.

Overall, the current campaign against Tajikistan is not merely a local issue—it reflects the global cyber threat landscape where state-sponsored hacking groups are continuously refining their operations for maximum stealth, persistence, and effectiveness.

🕵️‍♂️ Fact Checker Results:

✅ TAG-110 has previously used HTA-based payloads like HATVIBE in spear-phishing campaigns.
✅ Their recent activity aligns with historic targeting patterns across Central Asia.
✅ The shift to macro-enabled Word templates is documented in the reporting cited below.

🔮 Prediction

With political transitions expected in Central Asia over the next year, TAG-110 is likely to intensify its surveillance and intelligence collection. Future campaigns may use more convincing document lures and lean further on living-off-the-land binaries (LOLBins) to evade detection. Security teams in the region should expect the group's TTPs (tactics, techniques, and procedures) to keep changing and plan detection around behaviour rather than specific file types.

References:

Reported By: thehackernews.com