Illusory Wishes: China-nexus APT Targets the Tibetan Community

Published 23/07/2025 15:42 · Modified 23/07/2025 16:45

Essential information

Tags
2025-07-23, dll sideloading, ghost rat, multi-stage attack, phantomnet, social engineering, tibetan community, web compromise
Related entities
26 observables, 1 intrusion sets (apt), 17 techniques (mitre), 2 malware, 2 others

Description

Two cyberattack campaigns, Operation GhostChat and Operation PhantomPrayers, targeted the Tibetan community in June 2025, coinciding with the Dalai Lama's 90th birthday. These attacks involved strategic web compromises, DLL sideloading, and multi-stage infection chains to deploy Ghost RAT and PhantomNet backdoors. The attackers used social engineering tactics, impersonating legitimate platforms and leveraging culturally significant events to lure victims. Both campaigns employed sophisticated evasion techniques, including code injection and API hook bypassing. The attacks are attributed to China-nexus APT groups based on victimology, the malware used, and the tactics employed. The campaigns highlight the ongoing cyber threats faced by the Tibetan community and the evolving tactics of state-sponsored threat actors.

External references