A complex cyber espionage campaign on the government of Tajikistan has been underway, and it is believed to be the work of a hacking group with connections to Russia, researchers have found.
TAG-110, aka UAC-0063, is using weaponized Microsoft Word documents to breach government, educational and research organizations in Tajikistan for espionage, according to researchers with Recorded Future’s Insikt Group.
This is a change in strategy for TAG-110, previously it employed a bespoke HTML Application (.< HTA) loader known as HATVIBE for their initial access. The present campaign (monitored as of January 2025) uses macro-enabled Word template (. /Figaro) archive files via spear-phishing emails. These emails include lure documents that appear to be related to Tajikistani government issues, but could not be verified independently.
The malware authors used Word documents with VBA macros to copy a global template file into the Microsoft Word startup folder, researchers said. This will automatically run and continue to establish a foothold on the victimized machine.
Upon execution, the macro contacts a command-and-control (C2) server, which may enable the attackers to run more malicious VBA code provided to the C2 infrastructure.
The precise second-stage payloads are currently unclear, although HATVIBE, CHERRYSPY, LOGPIE or even newly developed bespoke tools for espionage by means of the TAG malware might be delivered, according to experts.
TAG-110, it said, has a history of targeting public sector organizations in Central Asia, as well as European embassies and organizations in East Asia and Europe since at least 2021. The group is said to share characteristics with the Russian state-sponsored hacking group APT28, also known as Fancy Bear.
Insikt Group analysts indicate that the objectives of these cyber espionage campaigns are presumably to collect intelligence in support of shaping regional politics and security, especially during crucial moments like elections or geopolitical tensions. The focus on Tajikistan is consistent with Russia’s overarching strategic goal of preserving dominance over Central Asia.
Hunter Stuart, cybersecurity expert, advises Tajikistani government and associated organisations to proceed with extra care and set up strong security measures to prevent the danger from this continuing danger.
Enterprises must train their employees to be aware of spear-phishing and to disable or restrict macros in Microsoft Office unless they are needed.
