From 8aeb150619d35bba39f66d03c9266959ca0280fd Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Fri, 15 Nov 2024 03:42:18 -0800 Subject: [PATCH] [threat-actors] Add TAG-112 --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index ee382e9..082a628 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -17400,6 +17400,17 @@ }, "uuid": "714f76b2-a8fd-49b0-8605-0eb1c9703140", "value": "UAC-0194" + }, + { + "description": "TAG-112 is a Chinese state-sponsored APT that compromised Tibetan websites, including Tibet Post and Gyudmed Tantric University, to deliver Cobalt Strike malware. The group exploited vulnerabilities in the Joomla CMS to embed malicious JavaScript that spoofed a TLS certificate error, tricking users into downloading a compromised security certificate. TAG-112's infrastructure, concealed using Cloudflare, shows notable overlap with TAG-102, but it employs less sophisticated tactics, relying on Cobalt Strike rather than custom malware. The campaign reflects ongoing cyber-espionage efforts targeting Tibetan entities, likely for information collection and surveillance.", + "meta": { + "country": "CN", + "refs": [ + "https://www.recordedfuture.com/research/china-nexus-tag-112-compromises-tibetan-websites" + ] + }, + "uuid": "9eeb11a0-3fcf-4036-844a-2500c72f8b69", + "value": "TAG-112" } ], "version": 320