Zscaler ThreatLabz and TibCERT discovered two Chinese state-sponsored campaigns, Operation GhostChat and Operation PhantomPrayers, targeting the Tibetan community during a culturally significant period. These campaigns employed sophisticated multi-stage malware techniques and impersonated legitimate Tibetan platforms, resulting in infections with Ghost RAT and PhantomNet backdoors. #GhostRat #PhantomNet #TA428
Key points
- Both campaigns targeted the Tibetan community with culturally themed lures during the Dalai Lama's birthday period.
- Attackers used phishing websites and malicious links impersonating Tibetan platforms and communication apps.
- Operation GhostChat involved malware delivery through a fake version of the Element encrypted messaging app.
- Operation PhantomPrayers employed a malicious prayer check-in app with multi-stage payloads and modular RAT infrastructure.
- Attribution links both campaigns to China-nexus APT groups based on shared malware techniques and infrastructure.