Russia-Aligned TAG-110 Targets Tajikistan with Macro-Enabled Word Documents

From January to February 2025, TAG-110, a Russia-aligned threat actor linked to APT28, conducted a phishing campaign targeting Tajikistan using macro-enabled Word templates to deploy malware. This campaign marks a tactical shift away from HTA-based payloads towards persistence via Word startup folder templates, aiming to gather intelligence on government and academic institutions in Central Asia.

Key points

  • TAG-110 executed a phishing campaign in early 2025 targeting Tajikistan, employing macro-enabled Word template files (.dotm) instead of previous HTA-based payloads like HATVIBE.
  • The campaign utilized Tajikistan government-themed documents as lures, consistent with TAG-110’s historical espionage targeting of Central Asian public sector entities.
  • Macro-enabled Word templates were placed in the Microsoft Word STARTUP folder for automatic execution, enhancing persistence across system reboots.
  • Attribution to TAG-110 is supported by reused VBA code, shared command-and-control (C2) infrastructure, and the use of what appear to be legitimate government documents as lures.
  • The malicious documents collected system information and communicated with a C2 server located at IP 38.180.206[.]61 using HTTP POST requests with encoded headers.
  • Registry modifications to the AccessVBOM setting (Office’s “trust access to the VBA project object model” control) were used to enable and manipulate VBA macro behavior, facilitating the execution of additional malicious code.
  • TAG-110 continues to align with Russia’s strategic interests in maintaining influence over Central Asia by targeting government ministries, educational institutions, and diplomatic missions.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – TAG-110 used malicious macro-enabled Word documents (.dotm) as spearphishing lures to gain initial access. (‘Macro-enabled Word template files (.dotm) placed in the Microsoft Word STARTUP folder’)
  • [T1204.002] Execution: Malicious File – The macro code executed automatically via the document-open event and AutoExec macros to run payloads. (‘Upon opening the malicious file, the document.open event is triggered…’)
  • [T1137.001] Persistence: Office Template Macros – Persistence was achieved by copying malicious templates to the Word startup folder for automatic execution on Word launch. (‘Copy itself to the Word startup folder… with macros enabled for persistence’)
  • [T1027.013] Defense Evasion: Encrypted/Encoded File – The VBA macros encoded User-Agent headers using Base64 when communicating with the C2 server. (‘User-Agent header set to a Base64-encoded ID’)
  • [T1071.001] Command and Control: Application Layer Protocol (Web Protocols) – Communication with the C2 server was conducted via HTTP POST requests to hxxp://38.180.206[.]61/engine.php. (‘Creates an HTTP request object and makes an HTTP POST to the URL…’)
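As an added detection example (not code from the Recorded Future report), the following Python triages constructed web-proxy log lines for the beacon pattern described above: HTTP POSTs to /engine.php on the reported C2 addresses carrying a bare Base64 token in the User-Agent header. The log format and all sample values are assumptions.

```python
import base64
import re
from typing import Dict, List, Optional

# C2 addresses from the report (de-fanged there as 38.180.206[.]61 etc.)
KNOWN_C2 = {"38.180.206.61", "188.130.234.189"}

# Constructed sample proxy log lines (not from the report). Assumed format:
# <src_ip> <dst_host> <method> <path> "<user-agent>"
SAMPLE_LOGS = [
    '10.0.0.12 38.180.206.61 POST /engine.php "U0lEMTIzNDU2Nzg5MA=="',
    '10.0.0.12 update.example.net GET /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.33 38.180.206.61 POST /engine.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.40 cdn.example.org POST /engine.php "V29ya3N0YXRpb24tMDc="',
]

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
B64_RE = re.compile(r'[A-Za-z0-9+/]+={0,2}')


def decode_bare_base64(value: str) -> Optional[str]:
    """Return decoded text if the whole User-Agent is one well-formed Base64
    token yielding printable ASCII, else None (real browser UAs never pass)."""
    if len(value) < 8 or len(value) % 4 or not B64_RE.fullmatch(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Flag requests matching the reported beacon pattern and record why."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        src, dst, method, path, ua = m.groups()
        reasons = []
        if dst in KNOWN_C2:
            reasons.append("destination is a reported TAG-110 C2 address")
        if method == "POST" and path.endswith("/engine.php"):
            reasons.append("HTTP POST to /engine.php")
        decoded = decode_bare_base64(ua)
        if decoded is not None:
            reasons.append("User-Agent is a bare Base64 token")
        if reasons:
            findings.append({"src": src, "dst": dst, "reasons": reasons, "decoded_ua": decoded})
    return findings
```

A finding with all three reasons is the strongest match; a Base64 User-Agent alone is worth a look but will also catch some legitimate agents that use opaque tokens.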

Indicators of Compromise

  • [IP Address] Command-and-control servers associated with TAG-110 – 38.180.206[.]61, 188.130.234[.]189
  • [SHA256 Hash] Malicious macro-enabled Word templates used in campaign – d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7, 8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7, and 6c81d2af950e958f4872d3ced470d9f70b7d73bc0b92c20a34ce8bf75d551609
  • [File Name] Lure documents used – documents.php

Read more: https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled