In June 2025, two coordinated cyberattacks, Operation GhostChat and Operation PhantomPrayers, targeted the Tibetan community leveraging the Dalai Lama’s 90th birthday to distribute Ghost RAT and PhantomNet backdoors via malicious web compromises. These attacks employed sophisticated multi-stage infection chains involving DLL sideloading, shellcode injection, and encrypted payloads, attributed to a China-nexus APT group. #GhostRAT #PhantomNet #ChinaAPT #TibetanCommunity
Key points
- Operation GhostChat replaced a legitimate Tibetan greeting webpage link with a malicious link redirecting users to download a backdoored version of the Element encrypted chat application.
- The multi-stage attack chain used DLL sideloading of a malicious ffmpeg.dll, shellcode injection into ImagingDevices.exe, and dynamic API resolution to evade endpoint security.
- Ghost RAT variant communicated with its C2 server using an encrypted custom TCP protocol and supported extensive remote control capabilities including file management, keylogging, screen capture, and system shutdown.
- Operation PhantomPrayers distributed a fake “prayer check-in” application built with PyQt5 and Folium, which collected user data and displayed fabricated user check-ins on an interactive map to enhance social engineering.
- PhantomPrayers used DLL sideloading with VLC.exe and a complex dual-layer encrypted shellcode loader to deploy a PhantomNet backdoor variant with AES-encrypted C2 communication and modular plugin support.
- Both campaigns established persistence via registry autorun keys or startup folder shortcuts and utilized native Windows APIs and reflective code loading to bypass detection.
- Attribution strongly points to China-nexus state-sponsored threat actors due to malware choices, victim targeting, and TTP similarities with known campaigns.
MITRE Techniques
- [T1106] Native API – Low level Windows native APIs like Nt* and Rtl* were used during code injection and execution to evade detection (‘The threat actors use less common Windows native APIs like Nt* and Rtl*, likely to evade detection by EDR solutions’).
- [T1204.002] User Execution: Malicious File – Victims were tricked into running trojanized software downloaded via socially engineered links (‘The victim is tricked into running the trojanized software to initiate the attack chain’).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Malware established persistence through registry autorun keys and startup shortcuts (‘To achieve persistence, the malware adds a registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and creates a shortcut in the STARTUP directory’).
- [T1574.001] Hijack Execution Flow: DLL Sideloading – DLL sideloading vulnerabilities in legitimate signed executables were exploited to load malicious DLLs (‘DLL sideloading infection chain with ffmpeg.dll and libvlc.dll malicious DLLs sideloaded by Element.exe and VLC.exe’).
- [T1055.002] Process Injection: Portable Executable Injection – Shellcode was injected into legitimate processes such as ImagingDevices.exe to execute payloads stealthily (‘The stage 1 shellcode loader injects stage 2 shellcode into ImagingDevices.exe’).
- [T1036] Masquerading – Malicious software masqueraded as legitimate or useful Tibetan community applications (‘The software downloaded by users masquerades as software useful to the Tibetan community’).
- [T1027.007] Obfuscated Files or Information: Dynamic API Resolution – APIs were dynamically resolved in loaders to hinder analysis (‘APIs are dynamically resolved in the stage 1 and 2 loaders’).
- [T1027.009] Obfuscated Files or Information: Embedded Payloads – Next-stage executables were embedded within loader binaries (‘The stage 1 and 2 loaders embed their next stages within themselves’).
- [T1027.015] Obfuscated Files or Information: Compression – Payload executables were compressed and embedded to evade detection (‘The stage 3 executables are compressed and embedded in the stage 2 shellcode’).
- [T1620] Reflective Code Loading – Decompressed executables were reflectively loaded into memory for execution (‘The stage 2 loaders use reflective code loading’).
- [T1070.001] Indicator Removal: Clear Windows Event Logs – Ghost RAT supports clearing event logs to cover tracks (‘Ghost RAT supports a command to clear the Windows Event Logs’).
- [T1056.001] Input Capture: Keylogging – Ghost RAT supports keylogging functionality (‘Ghost RAT supports keylogging’).
- [T1083] File and Directory Discovery – Ghost RAT enumerates files and directories on victims’ systems (‘Ghost RAT supports file and directory enumeration’).
- [T1057] Process Discovery – Ghost RAT supports discovery of running processes (‘Ghost RAT supports process enumeration’).
- [T1012] Query Registry – Ghost RAT supports querying and modifying registry keys (‘Ghost RAT supports querying and modifying registry keys’).
- [T1518.001] Software Discovery: Security Software Discovery – PhantomNet enumerates antivirus products via WMI (‘PhantomNet enumerates AV products via WMI’).
- [T1082] System Information Discovery – Both backdoors collect OS version and machine details (‘Ghost RAT and PhantomNet can collect system information such as OS version and machine name’).
- [T1033] System Owner/User Discovery – Ghost RAT supports user enumeration (‘Ghost RAT supports user enumeration’).
- [T1123] Audio Capture – Ghost RAT supports audio recording and playback (‘Ghost RAT supports audio capture’).
- [T1115] Clipboard Data – Ghost RAT can collect clipboard information (‘Ghost RAT supports the collection of clipboard data’).
- [T1005] Data from Local System – Ghost RAT can read files from local system storage (‘Ghost RAT can read local files’).
- [T1113] Screen Capture – Ghost RAT supports screen capture functionality (‘Ghost RAT supports screen capture’).
- [T1125] Video Capture – Ghost RAT supports webcam video capture (‘Ghost RAT supports webcam video capture’).
- [T1573.001] Encrypted Channel: Symmetric Cryptography – Encrypted C2 communication using symmetric cryptography was implemented (‘Ghost RAT uses a symmetric cryptography algorithm to encrypt C2 traffic’).
- [T1095] Non-Application Layer Protocol – Custom binary protocol over TCP was used for C2 communications (‘Ghost RAT and PhantomNet use a custom binary protocol for C2 communication over TCP’).
- [T1071.001] Application Layer Protocol: Web Protocols – PhantomNet supports HTTP and HTTPS for C2 communications (‘PhantomNet supports C2 communication over HTTP and HTTPS’).
- [T1529] System Shutdown/Reboot – Ghost RAT has a command to shut down infected systems (‘Ghost RAT supports a command to shutdown the infected machine’).
Indicators of Compromise
- [File Hash] Malicious ZIP archive and executables – TBElement.zip (42d83a46250f…), malicious ffmpeg.dll (f77f01037d9…), and backdoored DalaiLamaCheckin.exe (a139e01de40…).
- [File Name] Malicious binaries and DLLs – TBElement.zip, Element.exe (legitimate but vulnerable), ffmpeg.dll (malicious), VLC.exe (legitimate but vulnerable), libvlc.dll (malicious), Birthday Reminder.lnk (startup shortcut).
- [Domain] Malicious domains used for hosting and distribution – thedalailama90.niccenter[.]net, tbelement.niccenter[.]net, beijingspring.niccenter[.]net, penmuseum.niccenter[.]net.
- [URL] Payload hosting and download URLs – https://tbelement.niccenter[.]net/Download/TBElement.zip, http://hhthedalailama90.niccenter[.]net/DalaiLamaCheckin.exe.
- [IP Address and Port] Command and Control servers – Ghost RAT C2 at 104.234.15[.]90:19999, PhantomNet C2 at 45.154.12[.]93:2233, and check-in API server at 104.234.15[.]90:59999.
- [File Path] Malicious files installed by DalaiLamaCheckin.exe – %appdata%\Birthday\VLC.exe, %appdata%\Birthday\libvlc.dll, %appdata%\Birthday\.tmp, and a startup shortcut at %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Birthday Reminder.lnk.
- [Process] Targeted process for code injection – ImagingDevices.exe used for shellcode injection and execution of Ghost RAT and PhantomNet payloads.
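The DLL sideloading pattern in T1574.001 above (a signed host binary such as Element.exe or VLC.exe loading a malicious ffmpeg.dll or libvlc.dll dropped next to it in a user-writable folder) can be hunted in image-load telemetry. The following is an added detection example, not code from the report or the threat actor; the events are constructed to resemble Sysmon Event ID 7 (Image Loaded) fields, and the signature values, user name and paths are assumptions for illustration.

```python
import re

# DLL names the report says were sideloaded by Element.exe and VLC.exe.
SIDELOADED_DLLS = {"ffmpeg.dll", "libvlc.dll"}

# Directories a standard user can write to. An unsigned copy of one of the
# DLLs above loaded from here is the sideloading shape described in the report.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\"
    r"|\\Windows\\Temp\\|\\ProgramData\\",
    re.IGNORECASE,
)

# Constructed sample events (Sysmon Event ID 7 style), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user1\AppData\Roaming\Birthday\VLC.exe",
     "ImageLoaded": r"C:\Users\user1\AppData\Roaming\Birthday\libvlc.dll",
     "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll",
     "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\user1\Downloads\TBElement\Element.exe",
     "ImageLoaded": r"C:\Users\user1\Downloads\TBElement\ffmpeg.dll",
     "SignatureStatus": "Unavailable"},
    # A per-user install of a real application also lives under AppData, so a
    # path-only rule would false-positive here; the signature check keeps it quiet.
    {"Image": r"C:\Users\user1\AppData\Local\Programs\Element\Element.exe",
     "ImageLoaded": r"C:\Users\user1\AppData\Local\Programs\Element\ffmpeg.dll",
     "SignatureStatus": "Valid"},
]


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def sideload_finding(ev):
    """Return a finding dict when the event matches the sideloading pattern, else None."""
    dll = basename(ev["ImageLoaded"])
    if dll not in SIDELOADED_DLLS:
        return None
    if ev.get("SignatureStatus", "").lower() == "valid":
        return None  # vendor-signed copy of the library: expected behaviour
    if not USER_WRITABLE.search(ev["ImageLoaded"]):
        return None  # unsigned but in a protected location: outside this rule
    return {"host": ev["Image"], "dll": ev["ImageLoaded"],
            "reason": f"unsigned {dll} loaded from a user-writable directory"}


def triage(events):
    """Run the rule over a batch of image-load events and keep only the hits."""
    return [f for f in map(sideload_finding, events) if f]
```

Pair hits with the page's persistence indicators (the Run key value and the Startup folder shortcut) and with a later CreateRemoteThread or process-access event targeting ImagingDevices.exe from the same host process to raise confidence.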