Listen to this Post

A Silent Cyber War: The New Front in Targeting Tibet
As the world prepared to celebrate the Dalai Lama’s 90th birthday on July 6, 2025, a darker operation was unfolding behind the scenes. A Chinese-linked cyber espionage group launched two sophisticated hacking campaigns aimed at infiltrating Tibetan systems and communities. These attacks—named Operation GhostChat and Operation PhantomPrayers by cybersecurity firm Zscaler ThreatLabz—represent a strategic, multilayered offensive blending deception, malware, and psychological manipulation.
This article explores how Chinese threat actors used social engineering, fake websites, and advanced malware to compromise systems under the guise of birthday celebrations, why these attacks matter, and what it reveals about geopolitical cyber tactics.
🚫 the Covert Attacks Targeting the Tibetan Diaspora
In June 2025, a China-backed hacking group orchestrated a cyber espionage campaign timed with the Dalai Lama’s upcoming 90th birthday. The effort centered on two operations: Operation GhostChat and Operation PhantomPrayers, both of which involved the compromise of legitimate online resources trusted by the Tibetan community.
In Operation GhostChat, attackers hijacked a legitimate URL intended for the official 90th birthday event at tibetfund[.]org/90thbirthday. This link was altered to redirect users to a fraudulent domain: thedalailama90.niccenter[.]net. The clone website mimicked the original and promoted a deceptive chat app, TElement, which claimed to be a Tibetan version of the secure messaging platform Element. Instead, it was a trojanized version laced with Gh0st RAT malware—giving attackers access to victim devices.
The malicious software installed through this fake app was capable of:
Keylogging
Screen recording
Webcam access
File extraction
Remote command execution
Additionally, the attackers embedded JavaScript code to capture IP addresses and user-agent details, silently sending them back to a Chinese-controlled server.
Meanwhile, Operation PhantomPrayers unfolded with similar deception tactics. A fake app called DalaiLamaCheckin.exe, advertised as a “Global 90th Birthday Check-In” tool, was distributed through another spoofed domain: hhthedalailama90.niccenter[.]net. Users were invited to “send blessings” by clicking a world map—but doing so triggered malware called PhantomNet.
PhantomNet is a modular, backdoor malware equipped with AES-encrypted communications and the ability to receive and execute additional malicious plugins. It remained dormant unless triggered at specific times, showcasing a highly covert and adaptable framework.
Security researchers at Zscaler emphasized that this was not an isolated incident. In fact, it follows a pattern: over the past two years, Chinese-backed groups like EvilBamboo, Evasive Panda, and TAG-112 have consistently targeted the Tibetan diaspora using similar watering hole strategies. These attacks are designed to harvest sensitive political, personal, and diplomatic information in a prolonged effort to weaken the Tibetan resistance digitally.
🧠 What Undercode Say:
Strategic Watering Hole Attacks: Not Just Random Hacking
What makes these campaigns especially dangerous is the
Malware Customization Reflects High-Level Investment
The creation of custom malware like PhantomNet and the manipulation of open-source platforms like Element indicates significant investment. These aren’t off-the-shelf tools; they are modular, stealthy, and precise. The inclusion of configurable timers and encryption methods like AES shows the Chinese nexus group isn’t just looking to steal data—they want to persist in these systems silently and long-term.
Timing is Tactical: Why the Dalai Lama’s Birthday?
The psychological dimension here is undeniable. Launching these attacks around a spiritual milestone weaponizes the celebratory mood. It exploits emotional openness and communal unity, turning these positive sentiments into vulnerabilities.
This not only compromises devices but also erodes trust in Tibetan institutions, especially when apps claiming to support the Dalai Lama’s celebration are shown to be vectors of spyware.
Bigger Picture: Tibet as a Digital Battlefield
Tibet has long been a flashpoint for Chinese state control. But with increased global scrutiny, physical suppression has given way to covert cyber warfare. These operations reveal a shift in strategy—one focused on long-term infiltration, surveillance, and psychological manipulation of exiled communities and their networks.
The cyber tactics mirror geopolitical goals: suppress dissent, monitor influencers, and destabilize movements from within.
✅ Fact Checker Results:
Chinese-linked cyber groups have previously targeted Tibetan websites using watering hole attacks.
Gh0st RAT and PhantomNet malware are well-documented tools tied to Chinese threat actors.
The spoofed sites and DLL side-loading methods used in these campaigns match known APT behaviors.
🔮 Prediction:
Expect cyber threats to escalate around politically sensitive Tibetan events going forward. The success and stealth of these two campaigns will likely embolden other state-aligned APTs to develop more context-aware, culturally tailored malware. As long as Tibet remains a symbol of resistance, digital attacks from China’s shadowy cyber warriors will persist—becoming ever more personalized and psychologically manipulative.
References:
Reported By: thehackernews.com
Extra Source Hub:
https://www.digitaltrends.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2




