[threat-actors] Add TAG-112

This commit is contained in:
Mathieu4141 2024-11-15 03:42:18 -08:00
parent 7ad7d3605a
commit 8aeb150619

View file

@ -17400,6 +17400,17 @@
},
"uuid": "714f76b2-a8fd-49b0-8605-0eb1c9703140",
"value": "UAC-0194"
},
{
"description": "TAG-112 is a Chinese state-sponsored APT that compromised Tibetan websites, including Tibet Post and Gyudmed Tantric University, to deliver Cobalt Strike malware. The group exploited vulnerabilities in the Joomla CMS to embed malicious JavaScript that spoofed a TLS certificate error, tricking users into downloading a compromised security certificate. TAG-112's infrastructure, concealed using Cloudflare, shows notable overlap with TAG-102, but it employs less sophisticated tactics, relying on Cobalt Strike rather than custom malware. The campaign reflects ongoing cyber-espionage efforts targeting Tibetan entities, likely for information collection and surveillance.",
"meta": {
"country": "CN",
"refs": [
"https://www.recordedfuture.com/research/china-nexus-tag-112-compromises-tibetan-websites"
]
},
"uuid": "9eeb11a0-3fcf-4036-844a-2500c72f8b69",
"value": "TAG-112"
}
],
"version": 320