Security Articles

China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike

released on 2024-11-13 @ 04:45:31 AM
A Chinese state-sponsored threat group, TAG-112, has compromised two Tibetan websites to deliver Cobalt Strike malware. The attackers embedded malicious JavaScript in the sites, spoofing a TLS certificate error to trick visitors into downloading a disguised security certificate. This campaign highlights ongoing cyber-espionage efforts targeting Tibetan entities. TAG-112's infrastructure, hidden using Cloudflare, links this operation to other China-sponsored activities, particularly TAG-102 (Evasive Panda). The group exploited vulnerabilities in the Joomla content management system to implant the malicious code. This attack demonstrates the continued focus of Chinese cyber operations on ethnic and religious minority groups, emphasizing the need for proactive cybersecurity measures.