The Tibetan neighborhood has been focused by a China-nexus cyber espionage group as a part of two campaigns performed final month forward of the Dalai Lama’s ninetieth birthday on July 6, 2025.
The multi-stage assaults have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz.
“The attackers compromised a legit web site, redirecting customers by way of a malicious hyperlink and in the end putting in both the Gh0st RAT or PhantomNet (aka SManager) backdoor onto sufferer methods,” safety researchers Sudeep Singh and Roy Tay mentioned in a Wednesday report.
This isn’t the primary time Chinese language menace actors have resorted to watering gap assaults (aka strategic net compromises), a method the place adversaries break into web sites steadily visited by a selected group to contaminate their gadgets with malware.
Over the previous two years, hacking teams like EvilBamboo, Evasive Panda, and TAG-112 have all resorted to the method to focus on the Tibetan diaspora with the final word purpose of gathering delicate info.
 |
| Operation GhostChat |
The newest set of assaults noticed by Zscaler entails the compromise of an online web page to exchange the hyperlink pointing to “tibetfund[.]org/90thbirthday” with a fraudulent model (“thedalailama90.niccenter[.]web”).
Whereas the unique net web page is designed to ship a message to the Dalai Lama, the duplicate web page provides an choice to ship an encrypted message to the non secular chief by downloading from “tbelement.niccenter[.]web” a safe chat utility named TElement, which claims to be Tibetan model of Ingredient.
Hosted on the web site is a backdoored model of the open-source encrypted chat software program containing a malicious DLL that is sideloaded to launch Gh0st RAT, a distant entry trojan broadly utilized by varied Chinese language hacking teams. The net web page additionally consists of JavaScript code designed to gather the customer’s IP tackle and user-agent info, and exfiltrate the main points to the menace actor by way of an HTTP POST request.
 |
| Operation PhantomPrayers |
Gh0st RAT is a fully-featured malware that helps file manipulation, display seize, clipboard content material extraction, webcam video recording, keylogging, audio recording and playback, course of manipulation, and distant shell.
The second marketing campaign, Operation PhantomPrayers, has been discovered to leverage one other area, “hhthedalailama90.niccenter[.]web,” to distribute a phony “ninetieth Birthday World Verify-in” app (“DalaiLamaCheckin.exe,” dubbed PhantomPrayers) that, when opened, shows an interactive map and urges victims to “ship your blessings” for the Dalai Lama by tapping their location on the map.
Nonetheless, the malicious performance is stealthily triggered within the background, utilizing DLL side-loading strategies to launch PhantomNet, a backdoor that establishes contact with a command-and-control (C2) server over TCP to obtain further plugin DLLs for execution on the compromised machine.
“PhantomNet will be set to function solely throughout particular hours or days, however this functionality isn’t enabled within the present pattern,” the researchers mentioned. “PhantomNet used modular plugin DLLs, AES-encrypted C2 site visitors, and configurable timed operations, to stealthily handle compromised methods.”
