Keypoints
- TAG-112 compromised at least two Tibetan community websites (Tibet Post and Gyudmed Tantric University) to distribute malware.
- Attackers exploited vulnerabilities in Joomla CMS to upload malicious JavaScript to the sites.
- The malicious script spoofed a Google Chrome TLS certificate warning to trick users into downloading a fake security certificate.
- The dropped payload was Cobalt Strike, used for remote access, lateral movement, and command-and-control.
- TAG-112 used infrastructure concealed behind Cloudflare and multiple domains/subdomains (maskrisks[.]com and subdomains).
- Insikt Group observed operational overlap with TAG-102 (Evasive Panda), though TAG-112 appears less sophisticated.
- Recorded Future recommends IDS/IPS tuning, user training, Cobalt Strike detection, and network monitoring as mitigations.
MITRE Techniques
- [T1071] Command and Control – Uses multiple C2 domains to maintain communications with compromised hosts; [‘the script initiates a connection with TAG-112’s command-and-control (C2) domain, update[.]maskrisks[.]com…’]
- [T1190] Exploitation of Public-Facing Application – Exploits Joomla vulnerabilities to gain access and upload malicious JavaScript; [‘exploits vulnerabilities in the Joomla content management system (CMS) used by these sites to implant malicious JavaScript.’]
- [T1203] Exploitation for Client Execution (malicious JavaScript) – Embeds JavaScript in websites to execute on visitor browsers and deliver payloads; [‘The attackers embedded malicious JavaScript in these sites, which spoofed a TLS certificate error to trick visitors into downloading a disguised security certificate.’]
- [T1003] Credential Dumping – Potential post-exploitation activity to harvest credentials from compromised systems; [‘May be used post-exploitation to gather credentials from compromised systems.’]
- [T1219] Remote Access Software – Deploys Cobalt Strike for remote access, control, and post-exploitation actions; [‘This malware…highlights a continued cyber-espionage focus… delivering the Cobalt Strike malware.’]
Indicators of Compromise
- [Domains] C2 and infrastructure – maskrisks[.]com, update[.]maskrisks[.]com (and subdomains mail[.]maskrisks[.]com, checkupdate[.]maskrisks[.]com)
- [Compromised sites] – tibetpost[.]net, gyudmedtantricuniversity[.]org (sites serving malicious JavaScript)
- [Malware samples] Cobalt Strike Beacons – six distinct Beacon samples linked to TAG-112 with C2 directed to mail[.]maskrisks[.]com
- [Platform/Vulnerability] Joomla CMS – used as the exploitation vector to upload malicious JavaScript to the targeted sites
TAG-112 targeted Tibetan community websites by exploiting Joomla vulnerabilities to plant malicious JavaScript that mimicked a browser TLS certificate warning. Visitors seeing the fake error were prompted to download what appeared to be a security certificate, which actually delivered Cobalt Strike—an access tool frequently abused by threat actors for espionage.
Recorded Future’s Insikt Group found TAG-112’s infrastructure concealed behind Cloudflare and linked to multiple maskrisks[.]com subdomains, and identified six Cobalt Strike Beacon samples communicating with those servers. While TAG-112 shares tactics with TAG-102 (Evasive Panda), its operations lacked some of the sophistication seen in TAG-102’s, such as JavaScript obfuscation and custom malware, suggesting a different subgroup or skill level.
Organizations, particularly those serving Tibetan and other at-risk communities, should strengthen CMS patching and monitoring, train users against unexpected downloads, and enable detection for Cobalt Strike C2 activity. Proactive IDS/IPS rules and continuous network traffic analysis can help detect and block similar drive-by download campaigns and C2 communications.
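As an added example (not code from the Recorded Future report), the following Python triage script applies the report's domain indicators to web-proxy log lines and separates the drive-by chain (compromised site referring to a maskrisks[.]com host) from later beacon-style traffic with no referer. The log format, timestamps, client addresses and URL paths are constructed for the demo.

```python
from urllib.parse import urlparse

# Indicators taken from the report, kept in its defanged "[.]" notation.
TAG112_C2_DOMAINS = [
    "maskrisks[.]com", "update[.]maskrisks[.]com",
    "mail[.]maskrisks[.]com", "checkupdate[.]maskrisks[.]com",
]
COMPROMISED_SITES = ["tibetpost[.]net", "gyudmedtantricuniversity[.]org"]


def refang(indicator: str) -> str:
    """Turn the report's 'a[.]b' form back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


def host_in(host: str, indicators: list[str]) -> bool:
    """True if host equals an indicator or is a subdomain of it (catches new subdomains)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in map(refang, indicators))


def analyze_proxy_log(text: str) -> list[tuple[str, str, str]]:
    """Scan lines of the constructed form '<ts> <client> <method> <url> <referer|->'
    and return (severity, client, reason) findings in log order."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of aborting the whole scan
        _ts, client, _method, url, referer = fields
        host = urlparse(url).hostname or ""
        ref_host = (urlparse(referer).hostname or "") if referer != "-" else ""
        if host_in(host, TAG112_C2_DOMAINS):
            if host_in(ref_host, COMPROMISED_SITES):
                findings.append(("high", client, f"drive-by chain: {ref_host} -> {host}"))
            else:
                findings.append(("high", client, f"possible Cobalt Strike C2 traffic to {host}"))
        elif host_in(host, COMPROMISED_SITES):
            findings.append(("info", client, f"visited compromised site {host}"))
    return findings


# Constructed sample log: paths, timestamps and client addresses are invented for the demo.
SAMPLE_LOG = """\
2024-11-01T09:00:01Z 10.0.0.5 GET https://www.tibetpost.net/index.php -
2024-11-01T09:00:02Z 10.0.0.5 GET https://update.maskrisks.com/script.js https://www.tibetpost.net/index.php
2024-11-01T09:05:00Z 10.0.0.5 POST https://mail.maskrisks.com/data -
2024-11-01T09:06:00Z 10.0.0.9 GET https://example.org/news -
malformed line
"""

if __name__ == "__main__":
    for severity, client, reason in analyze_proxy_log(SAMPLE_LOG):
        print(f"[{severity}] {client}: {reason}")
```

A client that shows the info finding followed within seconds by the high drive-by finding is the one to check for the downloaded "certificate" and a running Beacon.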
Read more: https://www.recordedfuture.com/research/china-nexus-tag-112-compromises-tibetan-websites