A newly discovered spear-phishing campaign conducted by the Russia-aligned threat actor TAG-110 has been targeting organizations in Tajikistan, utilizing macro-enabled Word templates as the initial payload.
This campaign marks a significant departure from the group’s previously documented tactics, which involved the use of an HTML Application (.HTA) loader known as HATVIBE, as reported by Recorded Future’s Insikt Group.
Recorded Future analysts have noted that “given TAG-110’s historical targeting of public sector entities in Central Asia, this campaign is likely aimed at government, educational, and research institutions within Tajikistan.”
“These operations likely aim to gather intelligence for the purpose of influencing regional politics or security, particularly during sensitive events like elections or geopolitical tensions,” the company stated.
TAG-110, also referred to as UAC-0063, is a threat activity group known for targeting European embassies, as well as organizations in Central Asia, East Asia, and Europe, with activities dating back to at least 2021. The group is believed to have ties to the Russian nation-state hacking crew APT28.
The group’s activities were first documented by Bitdefender in May 2023, in connection with a campaign delivering the DownEx malware, targeting government entities in Kazakhstan and Afghanistan. The Computer Emergency Response Team of Ukraine (CERT-UA) formally assigned the moniker UAC-0063 later that month, after uncovering cyber attacks targeting state bodies in the country using various malware strains.
The latest campaign, observed starting January 2025, demonstrates a shift in tactics: the group now uses macro-enabled Word template (.DOTM) files in place of HATVIBE, which had previously been delivered through HTA-embedded spear-phishing attachments.
“The newly detected documents do not contain the embedded HTA HATVIBE payload for creating a scheduled task and instead leverage a global template file placed in the Word startup folder for persistence,” according to Recorded Future.
The phishing emails use Tajikistan government-themed documents as lure material, consistent with the group’s historical use of trojanized legitimate government documents as a malware delivery vector. However, the authenticity of these documents could not be independently verified by the cybersecurity company.
The files contain a VBA macro that copies the template into the Microsoft Word startup folder, so that Word loads it automatically on every launch, and then initiates communications with a command-and-control (C2) server, potentially executing additional VBA code supplied in the C2 responses. The exact nature of the second-stage payloads is not known.
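The persistence mechanism described in the two paragraphs above (a global template dropped into the Word startup folder, where Word loads it on every launch) is something a defender can audit directly. The following is an added example, not code from the article or from Recorded Future: it scans a directory standing in for the per-user Word startup folder (assumed to be the default %APPDATA%\Microsoft\Word\STARTUP) and flags any template that embeds a VBA project or declares a macro-enabled content type, reading only the OOXML package metadata and never executing anything. The sample templates it builds for the demonstration are constructed placeholders, not real macro documents.

```python
"""Audit a Word STARTUP folder for global templates that carry VBA.

Added defender-side example (not from the article or Recorded Future). Assumes the
default per-user startup path %APPDATA%\\Microsoft\\Word\\STARTUP; any template there
that embeds word/vbaProject.bin is loaded, and its auto-run macros executed, by every
Word session, so such files deserve an analyst's attention.
"""
import os
import tempfile
import zipfile
from pathlib import Path

# File types Word will treat as templates/documents when found in the startup folder
TEMPLATE_SUFFIXES = {".dotm", ".dotx", ".docm", ".docx", ".dot"}
VBA_PART = "word/vbaproject.bin"        # OOXML part that holds compiled VBA
MACRO_CT_MARKER = "macroenabled"        # substring of every macro-enabled content type


def default_startup_folder() -> Path:
    """Default per-user Word startup folder on Windows (only meaningful there)."""
    return Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Word" / "STARTUP"


def inspect_template(path: Path) -> dict:
    """Report what the OOXML package metadata says about macros, without opening it in Word."""
    finding = {"file": path.name, "ooxml": False, "has_vba": False, "macro_ct": False}
    try:
        with zipfile.ZipFile(path) as zf:
            finding["ooxml"] = True
            for name in zf.namelist():
                lowered = name.lower()
                if lowered == VBA_PART:
                    finding["has_vba"] = True
                elif lowered == "[content_types].xml":
                    types_xml = zf.read(name).decode("utf-8", "replace").lower()
                    finding["macro_ct"] = MACRO_CT_MARKER in types_xml
    except zipfile.BadZipFile:
        pass  # legacy binary .dot/.doc or not a document at all: flagged for manual review
    return finding


def scan_startup_folder(folder: Path) -> list:
    """Return findings for every template that has VBA, a macro-enabled type, or is not OOXML."""
    flagged = []
    for entry in sorted(Path(folder).iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in TEMPLATE_SUFFIXES:
            continue
        finding = inspect_template(entry)
        if not finding["ooxml"] or finding["has_vba"] or finding["macro_ct"]:
            flagged.append(finding)
    return flagged


def build_sample_template(path: Path, with_vba: bool) -> Path:
    """Write a CONSTRUCTED minimal OOXML template (placeholder bytes, no real VBA) for testing."""
    main_ct = (
        "application/vnd.ms-word.template.macroEnabledTemplate.main+xml" if with_vba
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.template.main+xml"
    )
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_vba:
        overrides += '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{overrides}</Types>"
    )
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"CONSTRUCTED-PLACEHOLDER-NOT-REAL-VBA")
    return path


def demo_scan() -> list:
    """Build a constructed startup folder with benign and suspicious entries, then scan it."""
    folder = Path(tempfile.mkdtemp(prefix="word_startup_demo_"))
    build_sample_template(folder / "Normal.dotx", with_vba=False)   # benign, no VBA
    build_sample_template(folder / "update.dotm", with_vba=True)    # macro-enabled global template
    (folder / "old.dot").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 12)  # fake legacy OLE header
    (folder / "readme.txt").write_text("not a template; ignored by the scanner")
    return scan_startup_folder(folder)


if __name__ == "__main__":
    target = default_startup_folder()
    results = scan_startup_folder(target) if target.is_dir() else demo_scan()
    for finding in results:
        print(finding)
```

On a real host, run it as the user whose profile is being checked; a macro-enabled template that the organization did not deploy is the indicator to act on. The scanner is deliberately limited to package metadata: a legacy binary .dot file is simply reported as non-OOXML rather than parsed, and a hit should be followed by extracting the VBA with a dedicated tool in an isolated environment.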
However, based on TAG-110’s historical activity and toolset, it is likely that successful initial access via the macro-enabled templates would result in the deployment of additional malware, such as HATVIBE, CHERRYSPY, LOGPIE, or potentially a new, custom-developed payload designed for espionage operations, according to the company.