The Tibetan community has been targeted by a China-nexus cyber espionage group as part of two campaigns conducted last month ahead of the Dalai Lama’s 90th birthday on July 6, 2025.
The multi-stage attacks have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz.
“The attackers compromised a legitimate website, redirecting users via a malicious link and ultimately installing either the Gh0st RAT or PhantomNet (aka SManager) backdoor onto victim systems,” security researchers Sudeep Singh and Roy Tay said in a Wednesday report.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
This is not the first time Chinese threat actors have resorted to watering hole attacks (aka strategic web compromises), a technique where adversaries break into websites frequently visited by a specific group to infect their devices with malware.
Over the past two years, hacking groups like EvilBamboo, Evasive Panda, and TAG-112 have all resorted to the approach to target the Tibetan diaspora with the ultimate goal of gathering sensitive information.
Operation GhostChat
The latest set of attacks observed by Zscaler entails the compromise of a web page to replace the link pointing to “tibetfund[.]org/90thbirthday” with a fraudulent version (“thedalailama90.niccenter[.]net”).
While the original web page is designed to send a message to the Dalai Lama, the replica page adds an option to send an encrypted message to the spiritual leader by downloading from “tbelement.niccenter[.]net” a secure chat application named TElement, which claims to be Tibetan version of Element.
Hosted on the website is a backdoored version of the open-source encrypted chat software containing a malicious DLL that’s sideloaded to launch Gh0st RAT, a remote access trojan widely used by various Chinese hacking groups. The web page also includes JavaScript code designed to collect the visitor’s IP address and user-agent information, and exfiltrate the details to the threat actor via an HTTP POST request.
Operation PhantomPrayers
Gh0st RAT is a fully-featured malware that supports file manipulation, screen capture, clipboard content extraction, webcam video recording, keylogging, audio recording and playback, process manipulation, and remote shell.
The second campaign, Operation PhantomPrayers, has been found to leverage another domain, “hhthedalailama90.niccenter[.]net,” to distribute a phony “90th Birthday Global Check-in” app (“DalaiLamaCheckin.exe,” dubbed PhantomPrayers) that, when opened, displays an interactive map and urges victims to “send your blessings” for the Dalai Lama by tapping their location on the map.
However, the malicious functionality is stealthily triggered in the background, using DLL side-loading techniques to launch PhantomNet, a backdoor that establishes contact with a command-and-control (C2) server over TCP to receive additional plugin DLLs for execution on the compromised machine.
“PhantomNet can be set to operate only during specific hours or days, but this capability is not enabled in the current sample,” the researchers said. “PhantomNet used modular plugin DLLs, AES-encrypted C2 traffic, and configurable timed operations, to stealthily manage compromised systems.”
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Storm-2603 Exploits SharePoint Flaws to Deploy Warlock Ransomware on Unpatched Systems