The Russia-aligned threat actor known as TAG-110 has been observed conducting a spear-phishing campaign targeting Tajikistan using macro-enabled Word templates as an initial payload.
The attack chain is a departure from the threat actor’s previously documented use of an HTML Application (.HTA) loader dubbed HATVIBE, Recorded Future’s Insikt Group said in an analysis.
“Given TAG-110’s historical targeting of public sector entities in Central Asia, this campaign is likely targeting government, educational, and research institutions within Tajikistan,” the cybersecurity company noted.
“These cyber espionage operations likely aim to gather intelligence for influencing regional politics or security, particularly during sensitive events like elections or geopolitical tensions.”
TAG-110, also called UAC-0063, is the name assigned to a threat activity group that’s known for its targeting of European embassies, as well as other organizations in Central Asia, East Asia, and Europe. It’s believed to be active at least since 2021.
Assessed to share overlaps with the Russian nation-state hacking crew APT28, activities associated with the threat actor were first documented by Romanian cybersecurity company Bitdefender in May 2023 in connection with a campaign that delivered a malware codenamed DownEx (aka STILLARCH) targeting government entities in Kazakhstan and Afghanistan.
However, it was the Computer Emergency Response Team of Ukraine (CERT-UA) that formally assigned the moniker UAC-0063 that same month after it uncovered cyber attacks targeting state bodies in the country using malware strains like LOGPIE, CHERRYSPY (aka DownExPyer), DownEx, and PyPlunderPlug.
The latest campaign aimed at Tajikistan organizations, observed starting January 2025, demonstrates a shift away from HATVIBE, distributed via HTA-embedded spear-phishing attachments, in favor of macro-enabled Word template (.DOTM) files, underscoring an evolution of their tactics.
“Previously, TAG-110 leveraged macro-enabled Word documents to deliver HATVIBE, an HTA-based malware, for initial access,” Recorded Future said. “The newly detected documents do not contain the embedded HTA HATVIBE payload for creating a scheduled task and instead leverage a global template file placed in the Word startup folder for persistence.”
Source: The Hacker News