A Russia-linked cyberespionage group has made over 60 victims in Asia and Europe, mainly in the government, human rights, and education sectors, Recorded Future reports.
Initially identified in May 2023 and tracked as TAG-110, the threat actor’s activity overlaps that of UAC-0063, which Ukraine’s CERT team has linked to Russian state-sponsored advanced persistent threat (APT) actor APT28 (also known as BlueDelta, Fancy Bear, Forrest Blizzard, Sednit, and Sofacy).
TAG-110 has been active since at least 2021, targeting government, education, and research entities in Central Asia, India, Israel, Mongolia, and Ukraine with malware such as HatVibe, CherrySpy, LogPie, and StillArch.
As part of the ongoing cyberespionage campaign uncovered by Recorded Future, the threat actor was seen deploying HatVibe and CherrySpy against entities in Tajikistan, Kyrgyzstan, Turkmenistan, and Kazakhstan, with additional victims in Armenia, China, India, Greece, Ukraine, Uzbekistan, and Hungary.
Since July 2024, Recorded Future identified 62 unique TAG-110 victims, including Kazakh state-owned oil and gas company subsidiary KMG-Security, a Tajik educational and research institution, and Uzbekistan’s National Center for Human Rights.
The group has been observed relying on malicious email attachments and the exploitation of vulnerable internet-facing services such as Rejetto HTTP File Server (HFS) for initial access, and using HatVibe to load the CherrySpy backdoor.
A custom HTML Application (HTA) loader used since April 2023, HatVibe potentially allows the threat actor to execute any VBScript received from its command-and-control (C&C) server, Recorded Future says.
Also in use since April last year, CherrySpy is a custom Python backdoor that sets a scheduled task for persistence, uses a secure channel for C&C communication, and continuously polls the C&C server for tasks to execute.
TAG-110, Recorded Future notes, has been using the CherrySpy backdoor to monitor victims’ systems and exfiltrate sensitive information.
“TAG-110’s activities align with Russia’s geopolitical objectives, particularly in Central Asia, where Moscow seeks to maintain influence amid strained relations. Intelligence gathered through these campaigns likely aids in bolstering Russia’s military efforts and understanding regional dynamics,” Recorded Future says.
Related: Windows Zero-Day Exploited by Russia Triggered With File Drag-and-Drop, Delete Actions
Related: A New System Will Allow EU to Sanction People Waging Sabotage on Behalf of Russia
Related: Russian-Linked Cybercampaigns put a Bull’s-Eye on France. Their Focus? The Olympics and Elections
Related: German Cybersecurity Chief to be Sacked Over Alleged Russia Ties: Sources