The Russia-aligned threat actor known as TAG-110 has been observed conducting a spear-phishing campaign targeting Tajikistan using macro-enabled Word templates as an initial payload.
The attack chain is a departure from the threat actor’s previously documented use of an HTML Application (.HTA) loader dubbed HATVIBE, Recorded Future’s Insikt Group said in an analysis.
“Given TAG-110’s historical targeting of public sector entities in Central Asia, this campaign is likely targeting government, educational, and research institutions within Tajikistan,” the cybersecurity company noted.
“These cyber espionage operations likely aim to gather intelligence for influencing regional politics or security, particularly during sensitive events like elections or geopolitical tensions.”
TAG-110, also called UAC-0063, is the name assigned to a threat activity group that’s known for its targeting of European embassies, as well as other organizations in Central Asia, East Asia, and Europe. It’s believed to be active at least since 2021.
Assessed to share overlaps with the Russian nation-state hacking crew APT28, activities associated with the threat actor were first documented by Romanian cybersecurity company Bitdefender in May 2023 in connection with a campaign that delivered a malware codenamed DownEx (aka STILLARCH) targeting government entities in Kazakhstan and Afghanistan.
However, it was the Computer Emergency Response Team of Ukraine (CERT-UA) that formally assigned the moniker UAC-0063 that same month after it uncovered cyber attacks targeting state bodies in the country using malware strains like LOGPIE, CHERRYSPY (aka DownExPyer), DownEx, and PyPlunderPlug.
The latest campaign aimed at Tajikistan organizations, observed starting January 2025, demonstrates a shift away from HATVIBE, distributed via HTA-embedded spear-phishing attachments, in favor of macro-enabled Word template (.DOTM) files, underscoring an evolution of their tactics.
“Previously, TAG-110 leveraged macro-enabled Word documents to deliver HATVIBE, an HTA-based malware, for initial access,” Recorded Future said. “The newly detected documents do not contain the embedded HTA HATVIBE payload for creating a scheduled task and instead leverage a global template file placed in the Word startup folder for persistence.”
The phishing emails have been found to use Tajikistan government-themed documents as lure material, which aligns with its historical use of trojanized legitimate government documents as a malware delivery vector. However, the cybersecurity company said it could not independently verify the authenticity of these documents.
Present with the files is a VBA macro that’s responsible for placing the document template in the Microsoft Word startup folder for automatic execution and subsequently initiating communications with a command-and-control (C2) server and potentially executing additional VBA code supplied with C2 responses. The exact nature of the second-stage payloads is not known.
“However, based on TAG-110’s historical activity and tool set, it is likely that successful initial access via the macro-enabled templates would result in the deployment of additional malware, such as HATVIBE, CHERRYSPY, LOGPIE, or potentially a new, custom-developed payload designed for espionage operations,” the company said.
