New hacker group uses open-source tools to spy on entities in Asia-Pacific region

A newly identified group is targeting “high-profile” government and private sector organizations, mostly in the Asia-Pacific region, in a suspected cyberespionage campaign, researchers say.

The group, tracked as TAG-100, has used open-source remote access tools and exploited various internet-facing devices for initial access.

Researchers at Recorded Future’s Insikt Group, who discovered the group, couldn’t attribute TAG-100 activity to a specific country, but said that its victim profile aligns with historical targeting by Chinese state-sponsored groups. The Record is an editorially independent unit within Recorded Future.

TAG-100’s targets include Asia-Pacific intergovernmental and diplomatic entities, religious organizations in the U.S. and Taiwan, and a political party that has supported an investigation into the treatment of the Uyghur people by the Chinese government.

Since at least February 2024, Insikt Group has identified suspected victims in Cambodia, Djibouti, the Dominican Republic, Fiji, Indonesia, the Netherlands, Taiwan, the U.K., the U.S. and Vietnam.

Victims included industry trade associations as well as political, semiconductor supply-chain, nonprofit and religious organizations across these countries.

According to Recorded Future’s report, TAG-100 has likely compromised organizations in at least 10 countries in Africa, Asia, North America, South America and Oceania.

Following initial access to victims’ devices, the hackers employed the backdoors Pantegana and SparkRAT. Both are written in the open-source Go programming language.

Pantegana can operate on different operating systems, including Windows, Linux, and macOS. It allows the attackers to gain remote access to infected computers, upload and download files, and gather system information.

Publicly reported use of Pantegana in the wild to date is minimal, researchers said, except for a campaign exploiting a zero-day vulnerability in the Sophos Firewall appliance attributed in 2022 to the suspected Chinese state-sponsored threat activity group DriftingCloud. The group has not been cited publicly by researchers since then.

Researchers found that TAG-100 likely compromised the secretariats of two major Asia-Pacific intergovernmental organizations using the Pantegana backdoor.

Researchers also observed the use of another backdoor, SparkRAT, previously identified by researchers at SentinelOne and Microsoft in 2023. A memory dump of the malware that almost certainly originated from a Djibouti government network, likely compromised by TAG-100, was uploaded to a public malware repository.

Another feature of TAG-100 is the exploitation of internet-facing products, including those developed by Citrix, Microsoft, Cisco, Palo Alto Networks (GlobalProtect) and Fortinet.

“The widespread availability of open-source tools allows state-sponsored threat actors to outsource certain cyber operations to a broader range of less capable proxy groups or private contractors who may not possess or require in-house development skills due to the widespread availability of open-source tools,” researchers said.

It also allows higher-tier groups to refrain from using customized tools during operations in which they are less concerned with being detected or in which heightened attribution obfuscation is desirable, they added.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
