Illusory Wishes: China-nexus APT Targets the Tibetan Community

July 23, 2025, 4:45 p.m.

Description

Two cyberattack campaigns, Operation GhostChat and Operation PhantomPrayers, targeted the Tibetan community in June 2025, coinciding with the Dalai Lama's 90th birthday. These attacks involved strategic web compromises, DLL sideloading, and multi-stage infection chains to deploy Ghost RAT and PhantomNet backdoors. The attackers used social engineering tactics, impersonating legitimate platforms and leveraging culturally significant events to lure victims. Both campaigns employed sophisticated evasion techniques, including code injection and API hook bypassing. The attacks are attributed to China-nexus APT groups based on victimology, malware used, and employed tactics. The campaigns highlight the ongoing cyber threats faced by the Tibetan community and the evolving tactics of state-sponsored threat actors.

External References

https://www.zscaler.com/blogs/security-research/illusory-wishes-china-nexus-apt-targets-tibetan-community
https://otx.alienvault.com/pulse/688102de8dd7f5be86b60306
Tags
social engineering
dll sideloading
phantomnet
multi-stage attack
2025-07-23
ghost rat
web compromise
tibetan community

Date

  • Created: July 23, 2025, 3:42 p.m.
  • Published: July 23, 2025, 3:42 p.m.
  • Modified: July 23, 2025, 4:45 p.m.

Indicators

  • f6b42e4d0e810ddbd0c1649abe74497dad7f0e9ada91e8e0e4375255925dd4d2
  • d896953447088e5dc9e4b7b5e9fb82bcb8eb7d4f6f0315b5874b6d4b0484bd69
  • a0b5d6ea1f8be6dbdbf3c5bb469b111bd0228bc8928ed23f3ecc3dc4a2c1f480
  • c9dac9ced16e43648e19a239a0be9a9836b80ca592b9b36b70d0b2bdd85b5157
  • 8809b874da9a23e5558cc386dddf02ea2b9ae64f84c9c26aca23a1c7d2661880
  • 98d30b44560a0dde11927b477b197daf75fb318c40bdeed4f9e27235954f9e71
  • 45fd64a2e3114008f400bb2d9fa775001de652595ffe61c01521eb227a0ba320
  • 1e5c37df2ace720e79e396bbb4816d7f7e226d8bd3ffc3cf8846c4cf49ab1740
  • 0eed1cca80c658d82fd041c2d757ff126616adc9901dc9e4962c38bfa0be025c
  • 037d95510c4aa747332aa5a2e33c58828de4ad0af8a1e659a20393f2448e48d7
  • 0ad4835662b485f3a1d0702f945f1a3cf17e0a5d75579bea165c19afd1f8ea00
  • 9ffb61f1360595fc707053620f3751cb76c83e67835a915ccd3cbff13cf97bed
  • 45.154.12.93
  • 104.234.15.90
  • https://tbelement.niccenter.net/Download/TBElement.zip.
  • http://tibetfund.org/90thbirthday
  • http://tbelement.niccenter.net/Download/TBElement.zip
  • http://hhthedalailama90.niccenter.net/DalaiLamaCheckin.exe
  • http://104.234.15.90:59999/api/checkins.
  • http://104.234.15.90:59999/api/checkins
  • thedalailama90.niccenter.net
  • tbelement.niccenter.net
  • penmuseum.niccenter.net
  • hhthedalailama90.niccenter.net
  • beijingspring.niccenter.net
  • niccenter.net
Download all indicators here!

Attack Patterns

  • PhantomNet
  • Ghost RAT
  • China-nexus APT

Additional Informations

  • NGO
  • Government