
TAG-110 Hackers Deploy Malicious Word Templates in Targeted Attacks


The Russia-aligned threat actor TAG-110, also linked to UAC-0063 and APT28 (BlueDelta) with medium confidence by CERT-UA, has shifted tactics to target government, educational, and research entities in Tajikistan.

According to a report from Recorded Future's Insikt Group, TAG-110 has moved away from the HTA-based payloads such as HATVIBE that it has used since at least 2023, and now relies on macro-enabled Microsoft Word template files (.dotm) for initial access and persistence.

These malicious templates, designed to blend in with legitimate Tajikistan government-themed documents, represent a tactical evolution aimed at bolstering Russia’s influence in Central Asia through intelligence gathering during sensitive regional events like elections or military operations.

New Phishing Tactics Target Tajikistan Institutions

The campaign involves two specific documents identified by their SHA256 hashes: d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7, themed around radiation safety for Tajikistan’s armed forces, and 8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7, related to election schedules in Dushanbe.

First page of d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7

Both ...


Copyright of this story solely belongs to gbhackers.