The Russia-aligned threat actor known as TAG-110 has been observed conducting a spear-phishing campaign targeting Tajikistan that uses macro-enabled Word templates as the initial payload.
The attack chain is a departure from the group's previously documented use of an HTML Application (.hta) loader dubbed HATVIBE, Recorded Future's Insikt Group said in an analysis.
“Given TAG-110's historical targeting of public sector organizations in Central Asia, this campaign is likely targeted,” the company noted.
“These cyber operations likely aim to gather intelligence to influence regional politics and security, particularly during sensitive events such as elections or geopolitical tensions.”
TAG-110, also tracked as UAC-0063, is the name assigned to a threat activity group known for targeting European embassies as well as other organizations in Central Asia, East Asia and Europe. It is believed to have been active since at least 2021.
Assessed to share overlaps with the Russian nation-state hacking crew APT28, the threat actor's activity was first documented in May 2023 by Romanian cybersecurity company Bitdefender, in connection with a campaign that delivered malware codenamed DownEx (aka STILLARCH) to government entities in Kazakhstan and Afghanistan.
Later that same month, the Computer Emergency Response Team of Ukraine (CERT-UA) disclosed cyber attacks aimed at government agencies in the country using malware such as LOGPIE, CHERRYSPY (aka DownExPyer), DownEx and PyPlunderPlug.
The latest campaign, targeting organizations in Tajikistan and observed since January 2025, shows a shift away from HATVIBE delivered through HTA attachments in favor of macro-enabled Word template (.dotm) files, indicating an evolution in the group's tradecraft.
“Previously, TAG-110 used macro-enabled Word documents to deliver HATVIBE, a malicious HTA-based loader, for initial access,” Recorded Future noted. “The newly identified documents do not contain an embedded HATVIBE HTA payload to create a scheduled task and instead use a global template file placed in the STARTUP folder for persistence.”
The phishing emails have been found to use Tajikistan-themed documents as lure material, consistent with the group's historical use of legitimate government documents as a malware delivery vector. However, the cybersecurity company said it could not independently verify the authenticity of these documents.
Embedded in the files are VBA macros responsible for copying the document template into the Microsoft Word STARTUP folder, where Word loads it as a global template on every launch, and then for initiating contact with a command-and-control (C2) server and potentially executing additional VBA code delivered in C2 responses. Because the STARTUP folder is a trusted location by default, macros in a template placed there run without the Trust Center prompt that an attachment would trigger, and no scheduled task or Run key is needed for persistence. The exact nature of the second-stage payloads is unknown.
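The persistence mechanism described above lends itself to a simple host check. What follows is an added example written for this page, not code from Recorded Future, CERT-UA or the article: it enumerates the default Word STARTUP locations (assumed Office16 install paths; the registry-configured STARTUP-PATH override is not read) and flags any OOXML template whose package carries a vbaProject.bin part or a macro-enabled content type, including the case where macro content sits behind a .dotx name. The sample templates it builds are constructed for the demo and are not TAG-110 artifacts.

```python
"""Detection check for Word STARTUP-folder persistence (added example, not from the report).

A .dotm dropped into Word's STARTUP folder loads as a global template on every
Word launch, so one hunt is to list those folders and flag any OOXML template
whose package carries a VBA project. Sample files built here are constructed.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OOXML content types that mark a Word part as macro-enabled.
DOTM_TYPE = "application/vnd.ms-word.template.macroEnabledTemplate.main+xml"
DOCM_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
MACRO_MAIN_TYPES = {DOTM_TYPE, DOCM_TYPE}
CLEAN_TEMPLATE_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.template.main+xml"
)
VBA_PART_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


@dataclass
class Finding:
    path: str
    has_vba_project: bool     # word/vbaProject.bin is present in the package
    macro_enabled_type: bool  # a part is declared with a macro-enabled content type
    extension_mismatch: bool  # macro content behind a non-macro extension (.dotx/.docx)


def inspect_template(path: str) -> Optional[Finding]:
    """Return a Finding for an OOXML package, or None if the file is not a zip."""
    if not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        has_vba = "word/vbaProject.bin" in names
        macro_type = False
        if "[Content_Types].xml" in names:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for el in root.iter(CT_NS + "Override"):
                ct = el.get("ContentType", "")
                if ct in MACRO_MAIN_TYPES or ct == VBA_PART_TYPE:
                    macro_type = True
    ext = os.path.splitext(path)[1].lower()
    mismatch = (has_vba or macro_type) and ext not in (".dotm", ".docm")
    return Finding(path, has_vba, macro_type, mismatch)


def scan_startup_dir(directory: str) -> List[Finding]:
    """Flag every file in `directory` that carries VBA or a macro-enabled type."""
    findings: List[Finding] = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            f = inspect_template(full)
            if f and (f.has_vba_project or f.macro_enabled_type):
                findings.append(f)
    return findings


def default_startup_dirs() -> List[str]:
    """Default Word STARTUP locations on Windows (assumed Office16 install path).
    Word also honours a STARTUP-PATH value under
    HKCU\\Software\\Microsoft\\Office\\<ver>\\Word\\Options; it is not read here."""
    dirs = []
    if os.environ.get("APPDATA"):
        dirs.append(os.path.join(os.environ["APPDATA"], "Microsoft", "Word", "STARTUP"))
    for env in ("ProgramFiles", "ProgramFiles(x86)"):
        if os.environ.get(env):
            dirs.append(os.path.join(os.environ[env], "Microsoft Office", "root",
                                     "Office16", "STARTUP"))
    return dirs


def build_sample_template(path: str, with_vba: bool) -> None:
    """Write a minimal constructed OOXML template, optionally with a VBA part."""
    main_ct = DOTM_TYPE if with_vba else CLEAN_TEMPLATE_TYPE
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_vba:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_PART_TYPE}"/>'
    types_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>' + overrides + "</Types>"
    )
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # OLE compound-file magic plus filler; a real vbaProject.bin is an OLE file.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)


def demo() -> List[Tuple[str, bool, bool, bool]]:
    """Scan a temp dir holding three constructed templates; return (name, vba, type, mismatch)."""
    d = tempfile.mkdtemp(prefix="word_startup_")
    build_sample_template(os.path.join(d, "Normal.dotm"), with_vba=True)       # macro template
    build_sample_template(os.path.join(d, "clean.dotx"), with_vba=False)       # benign
    build_sample_template(os.path.join(d, "looks_clean.dotx"), with_vba=True)  # VBA behind .dotx
    return [(os.path.basename(f.path), f.has_vba_project, f.macro_enabled_type,
             f.extension_mismatch) for f in scan_startup_dir(d)]


if __name__ == "__main__":
    for row in demo():
        print("constructed sample:", row)
    for startup in default_startup_dirs():
        for finding in scan_startup_dir(startup):
            print("FLAG", finding)
```

Run on a workstation, the script prints the two flagged constructed samples and then anything suspicious in the real STARTUP folders; on a clean machine the latter list is usually empty, which is the baseline you want. A template with an extension/content mismatch may not run in Word, but it is still an anomaly worth pulling for analysis. Pair the file check with process telemetry (WINWORD.EXE making outbound connections shortly after launch) to catch the C2 beacon stage the report describes.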
“However, based on TAG-110's historical activity and toolset, it is likely that successful initial access via macro-enabled templates will lead to the deployment of additional malware such as HATVIBE, CHERRYSPY, LOGPIE, or potentially new custom-designed payloads for espionage operations.”