Illusory Wishes: China-nexus APT Targets the Tibetan Community
Key Takeaways
ThreatLabz observed targeted malware intrusions that employed social engineering tactics, leveraging the Dalai Lama’s 90th birthday through strategic web compromises to lure Tibetan community members and redirect them to attacker-controlled sites.
Operation GhostChat and Operation PhantomPrayers relied on multi-stage infection chains to deploy Ghost RAT and PhantomNet backdoors. These chains included DLL sideloading, shellcode injections, and encrypted payloads to execute their attacks.
The campaigns employed evasion techniques such as code injection, the use of low-level APIs, and overwriting user-mode API hooks to evade endpoint security solutions.
Based on the victimology targeting the Tibetan community, the use of Ghost RAT and PhantomNet, and the deployment of tailored TTPs, we attribute these campaigns with high confidence to a China-nexus APT group.
To read the complete article, see: https://www.zscaler.com/blogs/security-research/illusory-wishes-china-nexus-apt-targets-tibetan-community