Cyber-Espionage Campaigns Target Tibetan Community in India

Two cyberespionage campaigns targeting the Tibetan community based in India appear to be the work of Chinese threat actors, a new Recorded Future report reveals.

Referred to collectively as RedAlpha, the campaigns have run over the past two years and are focused on cyber-espionage. Both follow the same pattern of light reconnaissance followed by selective targeting, and both used a range of malicious tools, including previously unseen malware families.

The newly uncovered campaigns took place in 2017 (involving a custom dropper and the NetHelp infostealer implant) and 2018 (when a custom validator and the njRAT commodity malware were used). The latter campaign is still ongoing.

The second campaign used a scaled-down infrastructure, likely to limit the damage of being discovered. Both campaigns delivered payloads configured with several command and control (C&C) servers, and in both cases the malware included the doc.internetdocss[.]com C&C domain, the overlap that ties the two together.

The security researchers also observed the attackers using a malicious Microsoft Word document that exploited CVE-2017-0199, the Office OLE2Link flaw that lets a document fetch and execute a remote HTA file when it is opened. They connected the attacks to earlier activity through the use of FF-RAT and through infrastructure shared with the NetTraveler, Icefog and DeputyDog APTs, as well as the MILE TEA campaign.
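A CVE-2017-0199 lure is recognisable from the document structure alone: in the Office Open XML form, the relationships part carries an `oleObject` relationship with `TargetMode="External"` pointing at the attacker's URL, and in the RTF form an auto-linked object is marked to update on open. The scanner below is an added example written for this article, not code from Recorded Future or from the report; it constructs its own minimal .docx samples in memory (the placeholder URL uses documentation address space and is not an indicator from the campaign) and flags both variants while leaving ordinary external hyperlinks and locally embedded objects alone.

```python
"""Added example: flag Word documents carrying the external OLE link that CVE-2017-0199
lures rely on. The sample documents are constructed here; nothing is read from disk."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
# RTF form of the same lure: an auto-linked object marked for update when the file opens.
RTF_AUTOLINK_UPDATE = re.compile(rb"\\objautlink[^{}]*\\objupdate")


def external_ole_links(docx_bytes):
    """Return (rels_part, rel_id, target) for every oleObject relationship whose
    target is external. Legitimate embedded objects point at embeddings/*.bin
    with no TargetMode attribute, so they are not reported."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Id"), rel.get("Target")))
    return hits


def scan_document(data):
    """Dispatch on file magic; return a list of findings (empty list = nothing suspicious)."""
    if data[:2] == b"PK":
        return [f"external OLE link in {part} ({rid}) -> {target}"
                for part, rid, target in external_ole_links(data)]
    if data[:5] == b"{\\rtf":
        if RTF_AUTOLINK_UPDATE.search(data):
            return ["RTF auto-updating linked object (\\objautlink ... \\objupdate)"]
        return []
    return []


def build_sample_docx(external_target=None):
    """Constructed minimal .docx. With external_target set, the relationships part
    carries the oleObject link a CVE-2017-0199 lure uses; otherwise the object is
    embedded locally, as a benign document would have it."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        f'<Relationships xmlns="{RELS_NS}">',
        # Ordinary external hyperlinks are normal and must not be flagged.
        f'<Relationship Id="rId1" Type="{HYPERLINK_REL}" '
        'Target="https://www.example.com/" TargetMode="External"/>',
    ]
    if external_target:
        rels.append(f'<Relationship Id="rId2" Type="{OLE_REL}" '
                    f'Target="{external_target}" TargetMode="External"/>')
    else:
        rels.append(f'<Relationship Id="rId2" Type="{OLE_REL}" '
                    'Target="embeddings/oleObject1.bin"/>')
    rels.append("</Relationships>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # 203.0.113.0/24 is documentation address space; the URL is a placeholder, not a real C&C.
    lure = build_sample_docx("http://203.0.113.10/template.hta")
    print(scan_document(lure))
    print(scan_document(build_sample_docx()))
```

The check is deliberately structural rather than signature-based: it does not care what the remote file is called or which server hosts it, only that Word has been told to pull an OLE object from outside the package, which a benign document almost never needs. The RTF regex is a heuristic and should be paired with object-stream inspection in a production pipeline.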

Over the years, the Tibetan and Uyghur communities have been targeted by many threat actors, including Chinese attackers such as the original Winnti group, LuckyCat, and NetTraveler, but also MiniDuke.

As part of the RedAlpha campaigns, the actor used a “careful combination of victim reconnaissance and fingerprinting, followed by selective targeting with multi-stage malware,” Recorded Future reports.

The first campaign started in June 2017 using two stages of largely custom malware for both 32- and 64-bit Windows systems: a straightforward dropper that would fetch a payload and establish persistence, and the NetHelp infostealer to collect system information, compress files and directories, and exfiltrate them. The attackers relied on a dual C&C infrastructure.

The email address used to register one of the C&C domains was also used to register a domain that resolves to a Hong Kong IP address previously associated with a phishing campaign against Tibetans in 2016 and 2017. On that basis, the researchers believe the same actor is behind all three attacks.

A report on that phishing campaign suggested a “low-level contractor” exhibiting “sloppy” tradecraft and using inexpensive infrastructure was behind it. By comparison, the 2017 campaign suggests “an increased level of sophistication for the attacker,” Recorded Future says.
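The attribution chain above is a classic infrastructure pivot: a registrant e-mail links the C&C domain to a second domain, and that domain's resolved IP links it to the earlier phishing campaign. The code below is an added example for this article, not code or data from Recorded Future; it shows the pivot as a union-find over domains, with the two filters a practitioner needs before trusting such a link: registrant addresses belonging to privacy proxies are ignored, and an IP shared by more than a handful of domains is treated as shared hosting rather than evidence. Only the doc.internetdocss[.]com domain comes from the article (written undefanged as data); every e-mail, IP, other domain and campaign label in the records is constructed.

```python
"""Added example: link campaigns by pivoting on shared WHOIS registrant e-mails and
resolved IPs. All records below are constructed for illustration; only the
doc.internetdocss.com domain comes from the article, and the e-mails, IPs and
other domains are placeholders."""
from collections import defaultdict

RECORDS = [
    {"domain": "doc.internetdocss.com", "campaign": "RedAlpha-2017",
     "email": "reg-a@example.com", "ip": "203.0.113.10"},
    {"domain": "doc.internetdocss.com", "campaign": "RedAlpha-2018",
     "email": "reg-a@example.com", "ip": "203.0.113.11"},
    {"domain": "update-hk.example", "campaign": None,
     "email": "reg-a@example.com", "ip": "198.51.100.7"},
    {"domain": "tibet-news.example", "campaign": "Tibet-phish-2016",
     "email": "privacy@whois-proxy.example", "ip": "198.51.100.7"},
    {"domain": "unrelated.example", "campaign": None,
     "email": "privacy@whois-proxy.example", "ip": "192.0.2.50"},
    {"domain": "cdn-tenant-1.example", "campaign": None,
     "email": "someone@example.org", "ip": "192.0.2.50"},
    {"domain": "cdn-tenant-2.example", "campaign": None,
     "email": "other@example.org", "ip": "192.0.2.50"},
]
# Privacy-proxy addresses appear on huge numbers of unrelated domains and prove nothing.
NOISY_EMAILS = frozenset({"privacy@whois-proxy.example"})


def pivot_clusters(records, noisy_emails=frozenset(), max_shared_ip=2):
    """Union-find over domains: two domains join a cluster when they share a
    registrant e-mail (unless it is a known privacy proxy) or an IP that hosts
    at most max_shared_ip domains (shared hosting is not evidence)."""
    by_email, by_ip = defaultdict(set), defaultdict(set)
    for r in records:
        by_email[r["email"]].add(r["domain"])
        by_ip[r["ip"]].add(r["domain"])

    parent = {r["domain"]: r["domain"] for r in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    def union_all(domains):
        first, *rest = sorted(domains)
        for d in rest:
            parent[find(d)] = find(first)

    for email, domains in by_email.items():
        if email not in noisy_emails:
            union_all(domains)
    for ip, domains in by_ip.items():
        if len(domains) <= max_shared_ip:
            union_all(domains)

    clusters = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    return [frozenset(c) for c in clusters.values()]


def linked_campaigns(records, domain, **kwargs):
    """Return the cluster containing `domain` and the campaign labels it ties together."""
    for cluster in pivot_clusters(records, **kwargs):
        if domain in cluster:
            campaigns = {r["campaign"] for r in records
                         if r["domain"] in cluster and r["campaign"]}
            return cluster, campaigns
    return frozenset(), set()


if __name__ == "__main__":
    cluster, campaigns = linked_campaigns(RECORDS, "doc.internetdocss.com",
                                          noisy_emails=NOISY_EMAILS)
    print(sorted(cluster), sorted(campaigns))
```

Run with the privacy-proxy filter, the C&C domain clusters with the Hong Kong-style host and the earlier phishing domain, and the three campaign labels come out linked; run without it, the proxy address drags an unrelated domain into the same cluster, which is exactly the false positive the filter exists to prevent. The same caution applies to the article's own chain: a registrant overlap is a lead, and the report itself stops short of firm attribution.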

The 2018 campaign started in January and continued until at least late April. It dropped the custom first-stage dropper in favour of a validator-style implant that profiled the host, including checking for installed security software. Based on the information gathered from each victim system, the attackers then selectively deployed njRAT onto specific machines.

This shift is part of a trend observed in the APT research community: both criminal and nation-state sponsored groups are increasingly relying on commodity malware and penetration testing tools, which not only allows them to blend in, but also means lower cost of retooling upon discovery.

Analyzing IPs and domains associated with these campaigns, the security researchers also discovered that Tibetans weren’t the only targets and say that the same group might have hit multiple targets since 2015.

The campaigns also appear connected to the FF-RAT malware that has been around since at least 2012, and which has been associated with Chinese APT activity exclusively. In 2015, the FBI said the malware was used to target the U.S. Office of Personnel Management (OPM).

“We assess FF-RAT was likely used by the same threat actors behind RedAlpha, possibly as early as 2016,” Recorded Future says.

“We do not currently possess enough evidence to categorically prove that the RedAlpha campaigns were conducted by a new threat actor. We have outlined some tentative connections, through infrastructure registrations to existing Chinese APTs, but a firm attribution requires further detail on the individuals and organizations behind the malicious activity,” the security firm concludes.

Related: Researchers Link Several State-Sponsored Chinese Spy Groups

Related: China-Linked Hackers Target U.S. Trade Group

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
