Threat Intelligence Brief: Russia-Aligned TAG-110 Espionage Campaign Targets Tajik Institutions
A Russia-aligned state-sponsored threat group, TAG-110, has been conducting cyber espionage campaigns against government, research, and educational institutions in Tajikistan, with activity observed between January and February 2025. This campaign aligns with Russian geopolitical interests in maintaining influence across Central Asia.

TAG-110, overlapping with UAC-0063 and linked to APT28 (Fancy Bear), reflects Russia’s broader cyber activities beyond Ukraine, targeting critical sectors across the region.
Key Findings
- TTP Shift: This latest campaign abandoned the previously used HATVIBE (HTA-based loader). Instead, it uses macro-enabled Word templates (.DOTM) as lures for infection, focusing on persistent template injection via the Word startup folder.
- Infection Vector: Lure documents reference legitimate-looking topics (e.g., military radiation safety, election schedules). Once macros are enabled, the document silently installs a global template that communicates with a C2 server and potentially downloads additional payloads.
- Payloads Delivered:
  - CHERRYSPY (DownExPyer)
  - LOGPIE
  - PyPlunderPlug
  - Possibly others in the TAG-110 malware suite
- Persistence Mechanism: Global templates dropped into the Microsoft Word startup folder, ensuring automatic execution on program launch, without traditional malware indicators at initial stages.
Indicators of Compromise
- Creation or modification of .dotm files in Word startup directories
- Unexpected macro executions or outbound connections following Office document usage
- Domains or IPs related to known TAG-110 infrastructure (details in Recorded Future’s IoC release)
Recommendations
- Disable macros by default in all Microsoft Office applications
- Use Group Policy Objects (GPOs) to prevent users from enabling macros without explicit approval
- Monitor file system activity in Word startup folders (%APPDATA%\Microsoft\Word\STARTUP)
- Conduct threat hunting for known TAG-110 malware families
- Increase staff phishing awareness, especially in government and academic sectors
- Apply network segmentation and behavioral monitoring for lateral movement detection
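To act on the startup-folder monitoring recommendation, here is an added hunt script (not from the brief or from Recorded Future): it inventories template files in Word STARTUP folders, hashes them, and flags any that carry a VBA project part, which is the OOXML marker of a macro-enabled .dotm. The %APPDATA% path is the one the brief names; the two sample templates it builds in a temporary folder are constructed for demonstration.

```python
import hashlib
import os
import tempfile
import zipfile
from datetime import datetime, timezone

# Per-user Word STARTUP folder named in the brief (resolved only when APPDATA is set).
STARTUP_DIRS = ([os.path.join(os.environ["APPDATA"], "Microsoft", "Word", "STARTUP")]
                if "APPDATA" in os.environ else [])

def template_has_macros(path):
    """A .dotm is an OOXML zip; its VBA project is stored as word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(path) as z:
            return any(n.lower() == "word/vbaproject.bin" for n in z.namelist())
    except zipfile.BadZipFile:
        return None  # not a valid OOXML container: still worth an analyst's look

def scan_startup_dirs(dirs):
    """Inventory template files in the given folders with hash, mtime and macro flag."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            if not os.path.isfile(p) or not name.lower().endswith((".dotm", ".dotx", ".dot")):
                continue
            with open(p, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            mtime = datetime.fromtimestamp(os.path.getmtime(p), timezone.utc)
            findings.append({"path": p, "sha256": digest, "modified": mtime.isoformat(),
                             "has_macros": template_has_macros(p)})
    return findings

def _write_template(path, with_vba):
    """Constructed sample: minimal OOXML skeleton, optionally with a dummy VBA part."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00constructed-placeholder\x00")

def run_demo():
    """Build two constructed templates in a temp folder, scan it, return findings by name."""
    d = tempfile.mkdtemp(prefix="word-startup-")
    _write_template(os.path.join(d, "update.dotm"), with_vba=True)
    _write_template(os.path.join(d, "clean.dotx"), with_vba=False)
    return {os.path.basename(f["path"]): f for f in scan_startup_dirs([d, d + "-missing"])}
```

On a Windows host, `scan_startup_dirs(STARTUP_DIRS)` inventories the real per-user folder; `run_demo()` exercises the same logic against the constructed samples. Any entry with `has_macros` set that was not deployed by the organisation deserves investigation, and the hash lets it be matched against published IoCs.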
Strategic Implications
TAG-110’s targeting in Tajikistan aligns with Russia’s broader policy of post-Soviet influence. According to Insikt Group, the goal is to maintain geopolitical dominance in Central Asia, gather regional intelligence, and potentially support Russian military operations in Ukraine by monitoring diplomatic and defense-related activities.
As tensions remain high in the region, further activity is expected targeting:
- Election infrastructure
- Military institutions
- Diplomatic and foreign affairs entities