The Russia-aligned threat actor known as TAG-110 has been observed conducting a spear-phishing campaign targeting Tajikistan using macro-enabled Word templates as an initial payload.
The attack chain is a departure from the threat actor's previously documented use of an HTML Application (.HTA) loader dubbed HATVIBE, Recorded Future's Insikt Group said in an analysis.
"Given TAG-110's historical targeting of public sector entities in Central Asia, this campaign is likely targeting government, educational, and research institutions within Tajikistan," the cybersecurity company noted.
"These cyber espionage operations likely aim to gather intelligence for influencing regional politics or security, particularly during sensitive events like elections or geopolitical tensions."
TAG-110, also known as UAC-0063, is the name assigned to a threat activity group that is known for its targeting of European embassies, as well as other organizations in Central Asia, East Asia, and Europe. It is believed to be active since at least 2021.
Assessed to share overlaps with the Russian nation-state hacking group APT28, activities associated with the threat actor were first documented by Romanian cybersecurity company Bitdefender in May 2023 in connection with a campaign that delivered a malware codenamed DownEx (aka STILLARCH) targeting government entities in Kazakhstan and Afghanistan.
However, it was the Computer Emergency Response Team of Ukraine (CERT-UA) that formally assigned the moniker UAC-0063 that same month after it uncovered cyber attacks targeting state bodies in the country using malware strains like LOGPIE, CHERRYSPY (aka DownExPyer), DownEx, and PyPlunderPlug.
The latest campaign aimed at Tajikistan organizations, observed starting January 2025, demonstrates a shift away from HATVIBE, distributed via HTA-embedded spear-phishing attachments, in favor of macro-enabled Word template (.DOTM) files, underscoring an evolution in their tactics.
"Previously, TAG-110 leveraged macro-enabled Word documents to deliver HATVIBE, an HTA-based malware, for initial access," Recorded Future said. "The newly detected documents do not contain the embedded HTA HATVIBE payload for creating a scheduled task and instead leverage a global template file placed in the Word startup folder for persistence."
The phishing emails have been found to use Tajikistan government-themed documents as lure material, which aligns with the group's historical use of trojanized legitimate government documents as a malware delivery vector. However, the cybersecurity company said it could not independently verify the authenticity of these documents.
Present within the files is a VBA macro that is responsible for placing the document template in the Microsoft Word startup folder for automatic execution, and subsequently initiating communications with a command-and-control (C2) server and potentially executing additional VBA code supplied in C2 responses. The exact nature of the second-stage payloads is not known.
"However, based on TAG-110's historical activity and tool set, it is likely that successful initial access via the macro-enabled templates would result in the deployment of additional malware, such as HATVIBE, CHERRYSPY, LOGPIE, or potentially a new, custom-developed payload designed for espionage operations," the company said.
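The persistence mechanism described above, a global template dropped into the Word startup folder, is something defenders can hunt for directly: Word loads every template in that folder at launch, and a macro-enabled OOXML template carries its VBA project as `word/vbaProject.bin` inside the zip container. The following is an added example written for this article, not code from Recorded Future or from the campaign; it assumes the default per-user startup path `%APPDATA%\Microsoft\Word\STARTUP` and builds a constructed fixture directory so it runs offline.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Default per-user Word startup folder; every template here is loaded as a global template.
DEFAULT_WORD_STARTUP = Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Word" / "STARTUP"
TEMPLATE_SUFFIXES = {".dotm", ".dotx", ".dot", ".docm"}


def has_vba_project(path: Path) -> bool:
    """Return True if the OOXML container holds a VBA project part (word/vbaProject.bin)."""
    if not zipfile.is_zipfile(path):
        return False  # legacy binary .dot or not an OOXML file; out of scope here
    with zipfile.ZipFile(path) as zf:
        return any(name.lower() == "word/vbaproject.bin" for name in zf.namelist())


def find_macro_templates(startup_dir: Path) -> list[str]:
    """List template files in a Word STARTUP folder that embed a VBA project, sorted by name."""
    if not startup_dir.is_dir():
        return []
    return sorted(
        p.name for p in startup_dir.iterdir()
        if p.suffix.lower() in TEMPLATE_SUFFIXES and has_vba_project(p)
    )


def build_sample_startup_dir() -> Path:
    """Constructed fixture (not real samples): one macro-bearing .dotm and one clean .dotx."""
    d = Path(tempfile.mkdtemp(prefix="word_startup_"))
    with zipfile.ZipFile(d / "Normal_update.dotm", "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00 constructed placeholder, not real VBA")
    with zipfile.ZipFile(d / "Letterhead.dotx", "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return d


if __name__ == "__main__":
    # Hunt the live startup folder; on a clean workstation this prints nothing.
    for name in find_macro_templates(DEFAULT_WORD_STARTUP):
        print("macro-bearing global template:", name)
```

Any hit warrants a closer look at the VBA project and at Word's outbound network connections around startup, since a legitimate global template rarely needs a C2 channel.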