Russia-Linked TAG-110 Shifts Tactics in New Espionage Campaign Targeting Tajikistan
A Russia-aligned threat actor known as TAG-110, also tracked as UAC-0063, has launched a new cyber-espionage campaign targeting public institutions in Tajikistan, according to a report from Recorded Future’s Insikt Group.

Unlike previous campaigns that relied on HTA-based malware loaders, the group has adopted macro-enabled Microsoft Word templates (.DOTM) to initiate infection — signaling a tactical evolution in their initial access methods.
Change in Initial Access Vector
Historically, TAG-110 delivered its HATVIBE malware through HTML Application (.HTA) files embedded in phishing attachments. In this new campaign, first observed in January 2025, the attackers are distributing macro-enabled Word templates to gain persistent access without relying on HTA payloads.
These malicious documents use Tajikistan government-themed lures, consistent with TAG-110’s past use of trojanized official documents to target victims across government, education, and research sectors in Central Asia.
Macro-Based Infection Chain
The malicious documents contain VBA macros that install a global Word template into the Microsoft Word startup folder, ensuring automatic execution on Word launch. Once in place, the macro establishes a connection with a command-and-control (C2) server, potentially enabling attackers to deliver additional payloads via remote instructions.
While the second-stage malware was not identified in this campaign, researchers speculate it may involve familiar strains such as:
- HATVIBE – the group’s hallmark HTA loader
- CHERRYSPY (a.k.a. DownExPyer)
- LOGPIE
- PyPlunderPlug
- Or new, custom-built espionage tools
Regional Intelligence Objectives
TAG-110 is believed to operate with alignment to Russian state interests, and its campaigns are typically aimed at public sector entities in Central Asia, especially during periods of elevated geopolitical activity, such as elections or diplomatic negotiations.
Past activity has linked the group to malware operations targeting government institutions in Kazakhstan, Afghanistan, and Ukraine, with overlaps observed in APT28 infrastructure and tactics. CERT-UA formally labeled the group UAC-0063 in 2023 following its discovery of several malware strains in campaigns against Ukrainian state organizations.
Strategic Implications
The latest shift to macro-enabled templates reflects TAG-110’s adaptability and commitment to low-detection, persistent access strategies. The move also aligns with broader trends of state-backed actors turning to living-off-the-land techniques and fileless malware execution to avoid triggering endpoint defenses.
Organizations in Central Asia and other high-risk regions are advised to:
- Disable macros by default in Microsoft Office documents
- Implement network monitoring for unusual C2 traffic
- Educate users on phishing detection
- Conduct regular IOC-based threat hunting
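The persistence mechanism described above (a global template dropped into the Word startup folder) leaves a simple, file-based artifact, so one concrete hunting step is to enumerate that folder and check whether any template in it actually carries a VBA project. The following script is an added example written for this article; it is not code from Recorded Future or from the campaign. It assumes the default per-user startup path `%APPDATA%\Microsoft\Word\STARTUP` (Word lets administrators relocate it), and the two template files it scans are constructed in a temporary directory for the demonstration rather than real samples.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Default per-user Word startup folder (assumption: standard Office layout).
# Every template placed here is loaded as a global template when Word starts.
DEFAULT_STARTUP = Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Word" / "STARTUP"

TEMPLATE_EXTS = {".dotm", ".dotx", ".dot"}
# OOXML content type that Word assigns only to macro-enabled templates (.dotm).
MACRO_CONTENT_TYPE = "application/vnd.ms-word.template.macroEnabledTemplate.main+xml"
PLAIN_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.template.main+xml"


def inspect_office_file(data: bytes) -> dict:
    """Return macro indicators for a zip-based (OOXML) Office document."""
    result = {"is_ooxml": False, "has_vba_project": False, "macro_enabled_type": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            result["is_ooxml"] = "[Content_Types].xml" in names
            # The compiled VBA project always lives in this part for Word files.
            result["has_vba_project"] = "word/vbaProject.bin" in names
            if result["is_ooxml"]:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                result["macro_enabled_type"] = MACRO_CONTENT_TYPE in content_types
    except zipfile.BadZipFile:
        # Legacy binary .dot files or non-Office content: not parsed here.
        pass
    return result


def hunt_startup_folder(folder: Path) -> list[dict]:
    """Inspect every file in a Word startup folder and flag macro-carrying templates."""
    findings = []
    for path in sorted(folder.iterdir()):
        if not path.is_file():
            continue
        info = inspect_office_file(path.read_bytes())
        info["path"] = str(path)
        info["template_ext"] = path.suffix.lower() in TEMPLATE_EXTS
        # Anything with a VBA project in the startup folder deserves review,
        # whatever its extension claims.
        info["suspicious"] = info["has_vba_project"] or info["macro_enabled_type"]
        findings.append(info)
    return findings


def build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML template for the demo; not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = MACRO_CONTENT_TYPE if macro else PLAIN_CONTENT_TYPE
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{ct}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a compiled VBA project (constructed).
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
    return buf.getvalue()


def demo() -> list[dict]:
    """Run the hunt against a constructed startup folder with one benign and one macro template."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "corporate-styles.dotx").write_bytes(build_sample(macro=False))
        (folder / "update.dotm").write_bytes(build_sample(macro=True))
        return hunt_startup_folder(folder)


if __name__ == "__main__":
    target = DEFAULT_STARTUP if DEFAULT_STARTUP.is_dir() else None
    results = hunt_startup_folder(target) if target else demo()
    for f in results:
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['path']}")
```

On a real host the script scans the default startup folder; elsewhere it falls back to the constructed samples. A template flagged here is not proof of compromise, since legitimate add-ins also ship as .dotm, but any startup template that was not deployed by IT is worth pulling for analysis alongside the C2 traffic checks the article recommends.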
Recorded Future concludes that TAG-110 remains a sophisticated and evolving cyber espionage actor likely to continue targeting key sectors to gather intelligence and support Russian geopolitical interests.