The Tibetan community has been targeted by a China-nexus cyber espionage group as part of two campaigns conducted last month ahead of the Dalai Lama’s 90th birthday on July 6, 2025.
The multi-stage attacks have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz.
“The attackers compromised a legitimate website, redirecting users via a malicious link and ultimately installing either the Gh0st RAT or PhantomNet (aka SManager) backdoor onto victim systems,” security researchers Sudeep Singh and Roy Tay said in a Wednesday report.
This is not the first time Chinese threat actors have resorted to watering hole attacks (aka strategic web compromises), a technique where adversaries break into websites frequently visited by a specific group to infect their devices with malware.
Over the past two years, hacking groups like EvilBamboo, Evasive Panda, and TAG-112 have all resorted to the approach to target the Tibetan diaspora with the ultimate goal of gathering sensitive information.
| Operation GhostChat |
The latest set of attacks observed by Zscaler entails the compromise of a web page to replace the link pointing to “tibetfund[.]org/90thbirthday” with a fraudulent version (“thedalailama90.niccenter[.]net”).
While the original web page is designed to send a message to the Dalai Lama, the replica page adds an option to send an encrypted message to the spiritual leader by downloading from “tbelement.niccenter[.]net” a secure chat application named TElement, which claims to be Tibetan version of Element.
Hosted on the website is a backdoored version of the open-source encrypted chat software containing a malicious DLL that’s sideloaded to launch Gh0st RAT, a remote access trojan widely used by various Chinese hacking groups. The web page also includes JavaScript code designed to collect the visitor’s IP address and user-agent information, and exfiltrate the details to the threat actor via an HTTP POST request.
| Operation PhantomPrayers |
Gh0st RAT is a fully-featured malware that supports file manipulation, screen capture, clipboard content extraction, webcam video recording, keylogging, audio recording and playback, process manipulation, and remote shell.
The second campaign, Operation PhantomPrayers, has been found to leverage another domain, “hhthedalailama90.niccenter[.]net,” to distribute a phony “90th Birthday Global Check-in” app (“DalaiLamaCheckin.exe,” dubbed PhantomPrayers) that, when opened, displays an interactive map and urges victims to “send your blessings” for the Dalai Lama by tapping their location on the map.
However, the malicious functionality is stealthily triggered in the background, using DLL side-loading techniques to launch PhantomNet, a backdoor that establishes contact with a command-and-control (C2) server over TCP to receive additional plugin DLLs for execution on the compromised machine.
“PhantomNet can be set to operate only during specific hours or days, but this capability is not enabled in the current sample,” the researchers said. “PhantomNet used modular plugin DLLs, AES-encrypted C2 traffic, and configurable timed operations, to stealthily manage compromised systems.”
