Russia-Linked Hackers Target Tajikistan Government with Weaponized Word Documents

In early 2025, a cyber espionage campaign attributed to the Russia-aligned threat actor TAG-110, also known as UAC-0063, targeted government entities in Tajikistan. The operation used macro-enabled Word template files (.DOTM) rather than the group's earlier HTML Application loaders, a change in both its initial access and its persistence tradecraft.

Background on TAG-110

Active since at least 2021, TAG-110 has a history of targeting public sector organizations across Central Asia, East Asia, and Europe. Ukraine's CERT-UA has linked the group, with medium confidence, to APT28 (also known as Fancy Bear), the Russian state-sponsored unit notorious for espionage operations including the 2016 breach of the Democratic National Committee in the United States. TAG-110's operations focus on intelligence gathering in support of Russian political and security interests in the region.

Evolution of Attack Techniques

Historically, TAG-110 employed HTML Application (.HTA) loaders such as HATVIBE to deliver its payloads. The Tajikistan campaign marks a tactical shift: the group now uses macro-enabled Word template files (.DOTM) as the initial vector. When the embedded VBA macro runs, it copies the template into the user's Word STARTUP folder (by default %APPDATA%\Microsoft\Word\STARTUP). Word treats every template in that folder as a global template and loads it each time the application starts, so the macro executes on every launch without the victim ever reopening the original lure (MITRE ATT&CK T1137.001, Office Template Macros).

Attack Chain and Payload Delivery

The spear-phishing emails associated with this campaign are crafted to appear as official Tajikistan government communications and carry trojanized versions of legitimate documents to enhance credibility. When the victim opens the attachment and allows the macro to run, the VBA code installs the template in the STARTUP folder and beacons to a command-and-control (C2) server, which lets the operators push additional payloads on demand. The secondary payloads used in this campaign have not been identified, but TAG-110's previous operations have deployed malware such as CHERRYSPY, LOGPIE, and DownEx.
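The persistence step described in the two sections above leaves a concrete artifact: a template carrying a VBA project sitting in the Word STARTUP folder. The following hunt script is an added example written for this article; it is not TAG-110's code, nor anything from the report the article summarises. It assumes Word's default per-user STARTUP path (%APPDATA%\Microsoft\Word\STARTUP) and the fact that a macro-enabled OOXML template stores its VBA project in the zip part word/vbaProject.bin. The files created by demo() are constructed placeholders, not real samples.

```python
"""Hunt for macro-bearing global templates in Word's STARTUP folder.

Added example for this article, not code from TAG-110 or from the report it
summarises.  Assumptions: the default per-user STARTUP path
%APPDATA%\\Microsoft\\Word\\STARTUP, and that a macro-enabled OOXML template
carries its VBA project in the zip part word/vbaProject.bin.  Files written
by demo() are constructed placeholders, not real samples.
"""
from __future__ import annotations

import os
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path

# Content type Word writes for a macro-enabled template (.dotm).
MACRO_TEMPLATE_CT = "application/vnd.ms-word.template.macroEnabledTemplate.main+xml"
# Content type of a macro-free template (.dotx); used for the clean sample.
PLAIN_TEMPLATE_CT = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.template.main+xml"
)
# Zip part holding the compiled VBA project in any macro-enabled Word file.
VBA_PART = "word/vbaProject.bin"
# OLE2 magic and the UTF-16LE storage name Word uses for VBA in legacy .dot/.doc.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_MACROS_STORAGE = "Macros".encode("utf-16-le")


@dataclass
class TemplateFinding:
    path: Path
    has_vba: bool                 # file carries a VBA project
    declared_macro_enabled: bool  # [Content_Types].xml says .dotm (OOXML only)

    @property
    def suspicious(self) -> bool:
        # Anything with VBA in STARTUP is loaded as a global template on every
        # Word launch: the persistence mechanism described in the article.
        return self.has_vba


def inspect_template(path: Path) -> TemplateFinding:
    """Report whether a file carries VBA, for OOXML zips and legacy OLE2 files."""
    has_vba = declared = False
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            has_vba = VBA_PART in names
            if "[Content_Types].xml" in names:
                ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                declared = MACRO_TEMPLATE_CT in ct_xml
    else:
        # Heuristic for Word 97-2003 binaries: VBA lives in a storage named
        # "Macros", so that directory-entry name is a strong indicator.
        data = path.read_bytes()
        has_vba = data.startswith(OLE_MAGIC) and OLE_MACROS_STORAGE in data
    return TemplateFinding(path, has_vba, declared)


def word_startup_dir() -> Path:
    """Default per-user STARTUP folder (users can relocate it under
    File > Options > Advanced > File Locations > Startup)."""
    appdata = os.environ.get("APPDATA", str(Path.home() / "AppData" / "Roaming"))
    return Path(appdata) / "Microsoft" / "Word" / "STARTUP"


def scan_startup(folder: Path) -> list[TemplateFinding]:
    """Inspect every regular file in STARTUP, whatever its extension claims."""
    if not folder.is_dir():
        return []
    return [inspect_template(p) for p in sorted(folder.iterdir()) if p.is_file()]


def build_sample(folder: Path, name: str, with_vba: bool) -> Path:
    """Write a minimal constructed OOXML template for demonstration only."""
    folder.mkdir(parents=True, exist_ok=True)
    main_ct = MACRO_TEMPLATE_CT if with_vba else PLAIN_TEMPLATE_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    out = folder / name
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr(VBA_PART, b"placeholder, not a real VBA project")
    return out


def demo() -> dict[str, TemplateFinding]:
    """Scan a constructed STARTUP folder holding one clean template, one
    template with VBA, and a stray non-Office file that must not be flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / "STARTUP"
        build_sample(startup, "Clean.dotm", with_vba=False)
        build_sample(startup, "Template.dotm", with_vba=True)
        (startup / "readme.txt").write_text("not an Office file")
        return {f.path.name: f for f in scan_startup(startup)}


if __name__ == "__main__":
    for f in scan_startup(word_startup_dir()):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.path}  vba={f.has_vba}  dotm_ct={f.declared_macro_enabled}")
```

Run it on a Windows endpoint to list the live STARTUP folder; on most workstations that folder is empty or holds a single vendor add-in, so any unexplained hit is worth pulling for analysis. The scan deliberately ignores file extensions, because Word loads whatever template it finds there and an attacker is free to pick a name that looks benign.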

Implications for Regional Security

The targeting of Tajikistan's government institutions underscores the persistent cyber threats facing Central Asian nations. These espionage activities aim to collect sensitive information that could be used to influence political and security developments in the region. TAG-110's move from HTA loaders to Office templates fits a broader pattern among state-sponsored actors of adapting their tooling as defenders catch up with older techniques: HTA execution through mshta.exe is now commonly blocked or closely monitored, while a template in a user's own STARTUP folder blends in with legitimate Office customization.

Recommendations for Mitigation

To defend against such sophisticated threats, organizations should implement comprehensive cybersecurity measures, including:

– User Education: Conduct regular training on phishing tactics, with emphasis on the "Enable Content" prompt: a document that insists on macros before it will display its contents is the warning sign, whatever letterhead it carries.

– Macro Management: Enforce macro settings through Group Policy rather than leaving them to Trust Center defaults: block macros in Office files that arrive from the Internet (Mark-of-the-Web) and disable VBA macros without notification for users who do not need them. These controls act when the lure is first opened; they do not remove a template that has already been written to the STARTUP folder, so pair them with the monitoring below.

– Startup Folder Monitoring: Alert on new or modified .dot and .dotm files in %APPDATA%\Microsoft\Word\STARTUP (and in the Office installation's own STARTUP folder), and on WINWORD.EXE writing files to those paths. Legitimate global templates are rare on most endpoints and easy to allow-list.

– Email Filtering: Quarantine or strip macro-enabled Office attachments (.docm, .dotm, .xlsm) at the gateway, and flag template file types, which have little reason to arrive by email.

– Endpoint Protection: Use endpoint detection and response (EDR) tooling to detect Office processes spawning scripting hosts or making unexpected outbound connections, and to record file writes under the Office STARTUP paths.

– Regular Updates: Keep Office and the operating system patched. Macro abuse does not require a vulnerability, but the follow-on payloads frequently do.

Conclusion

The recent activities of TAG-110 highlight the evolving landscape of cyber threats in Central Asia. By adopting new techniques and targeting government entities, these state-sponsored actors pose significant challenges to regional security. Proactive cybersecurity strategies and international cooperation are essential to counteract these threats and protect sensitive information from unauthorized access.