Recorded Future
Analysis of TAG-112 Compromise of Tibetan Websites
Pages
17
Time to read
12 mins
Publication
Language
English
This technical report details the compromise of two Tibetan community websites by a Chinese state-sponsored threat actor group identified as TAG-112. The report outlines how the group exploited vulnerabilities in Joomla installations to upload malicious JavaScript, which prompted users to download Cobalt Strike malware disguised as a security certificate. The malicious infrastructure utilized Cloudflare to obscure the threat actor's IP address, complicating attribution. The report presents key findings, including the identification of the compromised websites, the method of attack, and the ongoing risks associated with the compromised infrastructure. It also notes the overlap between TAG-112 and another group, TAG-102 (Evasive Panda), both of which target individuals and organizations opposing the Chinese government. The report emphasizes the persistence of the threat, as the compromised websites continue to host malicious content, posing risks to users. Responsible disclosure procedures were followed prior to publication.