Russia-Linked Hackers Target Tajikistan Government with Weaponized Word Documents - The Hacker News

Russia-Linked Hackers Target Tajikistan Government with Weaponized Word Documents Ravie LakshmananMay 27, 2025Malware / Threat Intelligence The Russia-aligned threat actor known as TAG-110 has been observed conducting a spear-phishing campaign targeting Tajikistan using macro-enabled Word templates as an initial payload. The attack chain is a departure from the threat actor's previously documented use of an HTML Application (.HTA) loader dubbed HATVIBE, Recorded Future's Insikt Group said in an analysis. "Given TAG-110's historical targeting of public sector entities in Central Asia, this campaign is likely targeting government, educational, and research institutions within Tajikistan," the cybersecurity company noted. "These cyber espionage operations likely aim to gather intelligence for influencing regional politics or security, particularly during sensitive events like elections or geopolitical tensions." TAG-110, also called UAC-0063, is the name assigned to a threat activity group that's known for its targeting of European embassies, as well as other organizations in Central Asia, East Asia, and Europe. It's believed to be active at least since 2021. Assessed to share overlaps with the Russian nation-state hacking crew APT28, activities associated with the threat actor were first documented by Romanian cybersecurity company Bitdefender in May 2023 in connection with a campaign that delivered a malware codenamed DownEx (aka STILLARCH) targeting government entities in Kazakhstan and Afghanistan. However, it was the Computer Emergency Response Team of Ukraine (CERT-UA) that formally assigned the moniker UAC-0063 that same month after it uncovered cyber attacks targeting state bodies in the country using malware strains like LOGPIE, CHERRYSPY (aka DownExPyer), DownEx, and PyPlunderPlug. The latest campaign aimed at Tajikistan organizations, observed starting January 2025, demonstrates a shift away from HATVIBE, distributed via HTA-embedded spear-phishing attachments, in favor of macro-enabled Word template (.DOTM) files, underscoring an evolution of their tactics. "Previously, TAG-110 leveraged macro-enabled Word documents to deliver HATVIBE, an HTA-based malware, for initial access," Recorded Future said. "The newly detected documents do not contain the embedded HTA HATVIBE payload for creating a scheduled task and instead leverage a global template file placed in the Word startup folder for persistence." The phishing emails have been found to use Tajikistan government-themed documents as lure material, which aligns with its historical use of trojanized legitimate government documents as a malware delivery vector. However, the cybersecurity company said it could not independently verify the authenticity of these documents. Present with the files is a VBA macro that's responsible for placing the document template in the Microsoft Word startup folder for automatic execution and subsequently initiating communications with a command-and-control (C2) server and potentially executing additional VBA code supplied with C2 responses. The exact nature of the second-stage payloads is not known. "However, based on TAG-110’s historical activity and tool set, it is likely that successful initial access via the macro-enabled templates would result in the deployment of additional malware, such as HATVIBE, CHERRYSPY, LOGPIE, or potentially a new, custom-developed payload designed for espionage operations," the company said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cyber espionage, cybersecurity, Malware, Russian hackers, Spear Phishing, Threat Intelligence, Word Macros Trending News CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More Popular Resources Get the 2026 ASV Report to Benchmark Top Validation Tools Fix Security Noise by Focusing Only on Validated Exposures Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Guide - Discover How to Validate AI Risks With Adversarial Testing