New hacker group uses open-source tools to spy on entities in Asia-Pacific region

A newly identified group is targeting “high-profile” government and private sector organizations, mostly in the Asia-Pacific region, in a suspected cyberespionage campaign, researchers say.

The group, tracked as TAG-100, has used open-source remote access tools and exploited various internet-facing devices for initial access.

Researchers at Recorded Future’s Insikt Group, who discovered the group, couldn’t attribute TAG-100 activity to a specific country, but said that its victim profile aligns with historical targeting by Chinese state-sponsored groups. The Record is an editorially independent unit within Recorded Future.

TAG-100’s targets include Asia-Pacific intergovernmental and diplomatic entities, religious organizations in the U.S. and Taiwan, and a political party that has supported an investigation into the treatment of the Uyghur people by the Chinese government.

Since at least February 2024, Insikt Group has identified suspected victims in Cambodia, Djibouti, the Dominican Republic, Fiji, Indonesia, the Netherlands, Taiwan, the U.K, the U.S. and Vietnam.

Victims included industry trade associations as well as political, semiconductor supply-chain, nonprofit and religious organizations across these countries.

According to Recorded Future’s report, TAG-100 has likely compromised organizations in at least 10 countries in Africa, Asia, North America, South America and Oceania.

Following initial access to victims’ devices, the hackers employed the backdoors Pantegana and SparkRAT. Both are written in the open-source Go programming language. 

Pantegana can operate on different operating systems, including Windows, Linux, and macOS. It allows the attackers to gain remote access to infected computers, upload and download files, and gather system information.

Publicly reported use of Pantegana in the wild to date is minimal, researchers said, except for a campaign exploiting a zero-day vulnerability in the Sophos Firewall appliance attributed in 2022 to the suspected Chinese state-sponsored threat activity group DriftingCloud. The group has not been cited publicly by researchers since then.

Researchers found that TAG-100 likely compromised the secretariats of two major Asia-Pacific intergovernmental organizations using the Pantegana backdoor.

Researchers also observed the use of another backdoor, SparkRAT, previously identified by researchers at SentinelOne and Microsoft in 2023. Its memory dump was uploaded to a public malware repository that almost certainly originated from a Djibouti government network likely compromised by TAG-100.

Another feature of TAG-100 is the exploitation of internet-facing products, including those developed by Citrix, Microsoft, Cisco, Palo Alto Networks GlobalProtect, and Fortinet.

“The widespread availability of open-source tools allows state-sponsored threat actors to outsource certain cyber operations to a broader range of less capable proxy groups or private contractors who may not possess or require in-house development skills due to the widespread availability of open-source tools,” researchers said.

It also allows higher-tier groups to refrain from using customized tools during operations in which they are less concerned with being detected or in which heightened attribution obfuscation is desirable, they added.