Russia-Aligned TAG-110 Evolves Spear-Phishing Tactics in Tajikistan

Written by:
Lore Apostol
Cybersecurity & Streaming Writer

An ongoing spear-phishing campaign targeting Tajik government, educational, and research institutions with macro-enabled Word documents has been attributed to TAG-110, a Russia-aligned threat actor with links to UAC-0063 and APT28 (BlueDelta).

The activity ran between January and February 2025 and marks a tactical shift intended to improve persistence and evade existing detections, according to a recent Insikt Group report.

Historically, TAG-110 relied on trojanized copies of legitimate documents carrying HATVIBE, an HTA-based payload. The current campaign instead uses macro-enabled Word template files (.dotm) that are placed in the Microsoft Word STARTUP folder (by default %APPDATA%\Microsoft\Word\STARTUP for the current user).

First page of document lure and corresponding machine translation | Source: Recorded Future

Word loads every template in that folder as a global template at launch, so the malicious macro runs each time Word starts, whatever document the user opens. The foothold therefore survives deletion of the original lure, which complicates clean-up.

The malicious documents were themed around Tajik governmental notifications and electoral schedules and carried VBA macros that perform several key functions.

These include copying the template into the Word STARTUP folder so that it loads as a global template, and collecting system information such as computer name, region, and user credentials.

The macro can also establish command-and-control (C2) communication with 38.180.206[.]61, an IP address previously associated with HATVIBE campaigns, and download and execute additional payloads on instruction from the C2, potentially supporting broader espionage objectives.
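A defender reading the above will want to check their own Word STARTUP folders for the technique. The script below is an added example written for this article, not code from Recorded Future or from the campaign: it inventories template files in a given STARTUP folder, flags any OOXML template that carries a `word/vbaProject.bin` part or declares the VBA content type, flags legacy OLE2 `.dot` files for manual review (they can hold macros but need an OLE parser such as olevba to inspect), and records a SHA-256 for IOC sharing. The default per-user path is the documented Word default; the machine-wide folder under the Office install directory varies by version and must be passed explicitly. The two sample templates it builds are constructed stand-ins, not real lures.

```python
"""Hunt for macro-bearing templates in Word STARTUP folders (added example)."""
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path

# Documented default per-user STARTUP folder. The machine-wide folder under the
# Office install directory differs by version, so pass it to scan_startup() yourself.
DEFAULT_STARTUP = Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Word" / "STARTUP"

TEMPLATE_EXTS = {".dotm", ".dotx", ".dot", ".docm"}
VBA_PART = "word/vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .dot/.doc container


def inspect_template(path: Path) -> dict:
    """Describe one template file and whether it can carry VBA code."""
    info = {"name": path.name, "sha256": None, "has_vba": False,
            "declares_vba": False, "legacy_ole": False, "error": None}
    try:
        data = path.read_bytes()
    except OSError as exc:
        info["error"] = str(exc)
        return info
    info["sha256"] = hashlib.sha256(data).hexdigest()  # for IOC sharing / lookups
    if data.startswith(OLE2_MAGIC):
        # Binary .dot can hold macros too; confirming needs an OLE parser (e.g. olevba).
        info["legacy_ole"] = True
        return info
    try:
        with zipfile.ZipFile(path) as z:
            names = set(z.namelist())
            info["has_vba"] = VBA_PART in names
            if "[Content_Types].xml" in names:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
                info["declares_vba"] = VBA_CONTENT_TYPE in ct
    except zipfile.BadZipFile:
        info["error"] = "neither OOXML zip nor OLE2"
    return info


def scan_startup(folder) -> list:
    """Inspect every template-like file directly inside the given folder."""
    folder = Path(folder)
    if not folder.is_dir():
        return []
    return [inspect_template(p) for p in sorted(folder.iterdir())
            if p.suffix.lower() in TEMPLATE_EXTS]


def needs_review(findings: list) -> list:
    """Anything with a VBA part, a VBA content type, a legacy container, or a read error."""
    return [f for f in findings
            if f["has_vba"] or f["declares_vba"] or f["legacy_ole"] or f["error"]]


def build_samples(folder) -> None:
    """Write two constructed templates: a clean .dotx and a .dotm with a VBA part.
    These are minimal stand-ins for testing the scanner, not real TAG-110 lures."""
    folder = Path(folder)
    base_ct = ('<?xml version="1.0"?>'
               '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
               '<Override PartName="/word/document.xml" ContentType="application/xml"/>'
               '{extra}</Types>')
    with zipfile.ZipFile(folder / "clean.dotx", "w") as z:
        z.writestr("[Content_Types].xml", base_ct.format(extra=""))
        z.writestr("word/document.xml", "<w:document/>")
    with zipfile.ZipFile(folder / "evil.dotm", "w") as z:
        z.writestr("[Content_Types].xml", base_ct.format(
            extra=f'<Override PartName="/{VBA_PART}" ContentType="{VBA_CONTENT_TYPE}"/>'))
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(VBA_PART, OLE2_MAGIC + b"\x00" * 64)  # placeholder stream, no real macro


def demo() -> list:
    """Build the constructed samples in a temp dir and return what needs review."""
    tmp = tempfile.mkdtemp(prefix="word_startup_")
    build_samples(tmp)
    return needs_review(scan_startup(tmp))


if __name__ == "__main__":
    target = DEFAULT_STARTUP if DEFAULT_STARTUP.is_dir() else None
    for finding in (needs_review(scan_startup(target)) if target else demo()):
        print(finding)
```

Run it on a Windows host to list suspicious templates in the current user's STARTUP folder; elsewhere it falls back to the constructed samples. Any `.dotm` that appears in STARTUP without a known deployment reason deserves a look at its VBA with olevba, a hash lookup, and a check of outbound connections from WINWORD.EXE, since the C2 contact described above originates from the Word process itself.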

TAG-110’s operations support Russia’s objective to maintain influence across Central Asia through intelligence collection. The targeting of entities involved in sensitive events, such as elections, is likely to continue, according to Insikt Group. 

The group’s evolving technique—from HTA payloads to persistent .dotm templates—not only demonstrates adaptability but also highlights the broader trend of increasing sophistication among state-aligned APT actors.

