Multi-stage attack chain for Operation GhostChat | Image: ThreatLabz
In a coordinated investigation with TibCERT, Zscaler ThreatLabz has uncovered two state-sponsored cyber-espionage campaigns—Operation GhostChat and Operation PhantomPrayers—that targeted the Tibetan community during a time of cultural significance: the lead-up to His Holiness the Dalai Lama’s 90th birthday.
These attacks, attributed with high confidence to a China-nexus APT group, employed sophisticated multi-stage malware deployment techniques, including DLL sideloading, shellcode injections, code injection via low-level Windows APIs, and encrypted command-and-control communication.
Threat actors took advantage of the surge in online activity around the Dalai Lama’s birthday by compromising legitimate websites and inserting malicious links impersonating Tibetan platforms. Victims who thought they were downloading commemorative content or checking in to prayer events were instead infected with Ghost RAT or PhantomNet (SManager) backdoors.
“The original link directed users to a page inviting members of the Tibetan community to send greetings to the Dalai Lama, but the malicious link redirected them to a fraudulent page… designed to closely mimic the original tibetfund.org site,” the report explains.
In Operation GhostChat, attackers created a fake website imitating the Element encrypted messaging app, urging victims to download an app supposedly meant for secure communication within the Tibetan community.
Upon clicking the “Download” button, victims received a ZIP file containing:
- A legitimate Element.exe (digitally signed but vulnerable to DLL sideloading)
- A malicious ffmpeg.dll, which acts as the first-stage shellcode loader
“The ffmpeg.dll file is a stage 1 loader that loads embedded shellcode, injects it into a target process, and executes it. In addition, it creates persistence by adding a Windows registry value,” the report discloses.
The injected shellcode leverages low-level Windows APIs like NtCreateSection, RtlCreateUserProcess, and NtMapViewOfSection to stealthily execute payloads in ImagingDevices.exe, a legitimate system process.
The chain culminates in Ghost RAT, a widely known surveillance tool with C2 instructions for:
- Keylogging (DllKeybo)
- Webcam capture (DllVideo)
- Shell access (DllShell)
- System manipulation (DllSyste)
- Message box popups (DllMsgBox)
- Plugin DLL download and execution from 104.234.15[.]90:19999
“This variant features a custom packet header that uses ‘KuGou’ instead of the usual ‘Gh0st’ and encrypts its traffic using the same RC4-like algorithm used for the configuration encryption,” the report notes.
In parallel, Operation PhantomPrayers deployed a malware-laced “special prayer check-in” app under a fraudulent domain hhthedalailama90.niccenter[.]net. The app, built with PyQt5 and Folium, presented a map visualization and a form prompting victims to enter personal details.
“Upon check-in, an HTTP GET request is sent to 104.234.15[.]90:59999/api/checkins with the custom HTTP header X-API-KEY: m1baby007.”
Beneath this interactive GUI, the malicious payload mirrored GhostChat’s structure:
- Sideloading via vulnerable VLC.exe and malicious libvlc.dll
- Shellcode stored in a .tmp file, encrypted with RC4 and AES
- Stage 2: reflective loader for in-memory execution
- Stage 3: PhantomNet, a modular RAT configured for TCP or HTTPS C2 communication
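Both campaigns deliver the same archive layout: a vendor executable (Element.exe, VLC.exe) bundled with a DLL it will load from its own directory (ffmpeg.dll, libvlc.dll). The triage heuristic below flags that layout in an inbound ZIP so a gateway or analyst can prioritise it. This is an added example for this summary, not code from the report or from Zscaler; the two DLL names in SIDELOAD_DLLS are the ones the report names, and the archives are constructed in memory with stub headers.

```python
"""Archive triage for the sideloading layout described above: a vendor EXE
shipped with a DLL in the same directory, which the EXE will load from its
own folder before any system copy.

Added example, not code from the report. The two DLL names in SIDELOAD_DLLS are
the ones the report names; the archives are CONSTRUCTED in memory.
"""
from __future__ import annotations

import io
import posixpath
import zipfile

# DLL names the report ties to sideloading (ffmpeg.dll beside Element.exe,
# libvlc.dll beside VLC.exe). A production list would be far longer.
SIDELOAD_DLLS = {"ffmpeg.dll", "libvlc.dll"}


def _is_pe(zf: zipfile.ZipFile, member: str) -> bool:
    """True if the member starts with the 'MZ' DOS header of a PE file."""
    with zf.open(member) as fh:
        return fh.read(2) == b"MZ"


def triage_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per directory holding a PE .exe together with PE .dll files."""
    by_dir: dict[str, dict[str, list[str]]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            d, name = posixpath.split(info.filename)
            lname = name.lower()
            # Only real PE files count; a renamed text file is not a sideload candidate.
            if lname.endswith((".exe", ".dll")) and _is_pe(zf, info.filename):
                kind = "exes" if lname.endswith(".exe") else "dlls"
                by_dir.setdefault(d, {"exes": [], "dlls": []})[kind].append(lname)
    findings = []
    for d, files in sorted(by_dir.items()):
        if files["exes"] and files["dlls"]:
            known = sorted(set(files["dlls"]) & SIDELOAD_DLLS)
            findings.append({
                "dir": d,
                "exes": sorted(files["exes"]),
                "dlls": sorted(files["dlls"]),
                "known_sideload": known,
                # A DLL name from the report's list raises the finding to high.
                "severity": "high" if known else "medium",
            })
    return findings


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory archive from {path: content}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# CONSTRUCTED samples: stub PE headers only, no real executables.
STUB_PE = b"MZ" + b"\x00" * 62
GHOSTCHAT_LAYOUT = build_zip({"Element/Element.exe": STUB_PE, "Element/ffmpeg.dll": STUB_PE})
PHANTOM_LAYOUT = build_zip({"VLC.exe": STUB_PE, "libvlc.dll": STUB_PE, "data.tmp": b"\x00" * 8})
UNRELATED_PAIR = build_zip({"tool/run.exe": STUB_PE, "tool/helper.dll": STUB_PE})
BENIGN = build_zip({"docs/readme.txt": b"hello", "docs/notes.dll": b"not a PE"})

if __name__ == "__main__":
    for label, blob in [("ghostchat", GHOSTCHAT_LAYOUT), ("phantomprayers", PHANTOM_LAYOUT),
                        ("unrelated", UNRELATED_PAIR), ("benign", BENIGN)]:
        print(label, triage_archive(blob))
```

The medium-severity tier is deliberately noisy: many legitimate installers ship an EXE with DLLs beside it, so treat the output as a ranking for analyst review rather than a verdict, and follow up by checking whether the EXE is signed and whether the adjacent DLL carries the same publisher's signature.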
“The final payload’s embedded configuration is XOR-encoded and includes the C2 server 45.154.12[.]93 and port 2233 as strings.”
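The network artifacts quoted in this summary (the plugin download and check-in endpoints on 104.234.15[.]90, the PhantomNet C2 at 45.154.12[.]93:2233, the /api/checkins GET with its X-API-KEY value, and the "KuGou" packet marker standing in for "Gh0st") can be turned directly into a detection sweep. The script below is an added example, not code from the report or from Zscaler: the indicator values come from the report text, while the HTTP records, their field layout, and the TCP payloads are constructed samples in an assumed sensor format.

```python
"""Indicator sweep for the network artifacts quoted in this summary.

Added example, not code from the report. Indicator values (IPs, ports, the
check-in path and X-API-KEY value, the "Gh0st"/"KuGou" packet markers) come
from the report text; the HTTP records and TCP payloads below are CONSTRUCTED
samples, and the record layout is an assumed sensor format.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Endpoints named in the report (defanged brackets removed).
C2_ENDPOINTS = {
    ("104.234.15.90", 19999),  # Ghost RAT plugin DLL download
    ("104.234.15.90", 59999),  # PhantomPrayers check-in API
    ("45.154.12.93", 2233),    # PhantomNet C2 from the XOR-encoded config
}
C2_HOSTS = {ip for ip, _ in C2_ENDPOINTS}
CHECKIN_PATH = "/api/checkins"
CHECKIN_HEADER = ("x-api-key", "m1baby007")
# Leading bytes of a Ghost RAT packet: the classic "Gh0st" or this variant's "KuGou".
GHOST_MARKERS = (b"Gh0st", b"KuGou")


@dataclass
class Alert:
    rule: str
    detail: str


def check_http(rec: dict) -> list[Alert]:
    """Match one HTTP record (assumed sensor format) against the indicators."""
    alerts = []
    dst = (rec.get("dst_ip"), rec.get("dst_port"))
    if dst in C2_ENDPOINTS:
        alerts.append(Alert("c2_endpoint", f"{dst[0]}:{dst[1]}"))
    elif dst[0] in C2_HOSTS:
        # Same host on a port the report did not list: still worth a look.
        alerts.append(Alert("c2_host_other_port", f"{dst[0]}:{dst[1]}"))
    if rec.get("method") == "GET" and rec.get("uri", "").startswith(CHECKIN_PATH):
        alerts.append(Alert("checkin_path", rec["uri"]))
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if headers.get(CHECKIN_HEADER[0]) == CHECKIN_HEADER[1]:
        alerts.append(Alert("checkin_api_key", "X-API-KEY value matches the report"))
    return alerts


def check_tcp(dst_ip: str, dst_port: int, payload: bytes) -> list[Alert]:
    """Match a TCP session's leading bytes and destination against the indicators."""
    alerts = []
    for marker in GHOST_MARKERS:
        if payload.startswith(marker):
            alerts.append(Alert("ghost_rat_marker", f"{marker.decode()} -> {dst_ip}:{dst_port}"))
    if (dst_ip, dst_port) in C2_ENDPOINTS:
        alerts.append(Alert("c2_endpoint", f"{dst_ip}:{dst_port}"))
    return alerts


def sweep(http_records, tcp_sessions) -> Counter:
    """Run both checks and return the number of hits per rule name."""
    hits: Counter = Counter()
    for rec in http_records:
        hits.update(a.rule for a in check_http(rec))
    for dst_ip, dst_port, payload in tcp_sessions:
        hits.update(a.rule for a in check_tcp(dst_ip, dst_port, payload))
    return hits


# CONSTRUCTED sample data. Private and TEST-NET addresses stand in for clients
# and benign servers; the C2 values are the ones quoted in the summary.
SAMPLE_HTTP = [
    {"src": "10.0.0.5", "dst_ip": "104.234.15.90", "dst_port": 59999, "method": "GET",
     "uri": "/api/checkins?name=test", "headers": {"X-API-KEY": "m1baby007"}},
    {"src": "10.0.0.7", "dst_ip": "203.0.113.10", "dst_port": 443, "method": "GET",
     "uri": "/", "headers": {}},
    {"src": "10.0.0.9", "dst_ip": "104.234.15.90", "dst_port": 80, "method": "GET",
     "uri": "/favicon.ico", "headers": {}},
]
SAMPLE_TCP = [
    ("45.154.12.93", 2233, b"\x17\x03\x03\x00\x20" + b"\x00" * 32),  # PhantomNet C2 endpoint
    ("198.51.100.20", 19999, b"KuGou" + b"\x00" * 16),              # KuGou marker, unlisted host
    ("203.0.113.10", 443, b"\x16\x03\x01\x00\x00"),                  # benign TLS client hello
]

if __name__ == "__main__":
    for rule, n in sorted(sweep(SAMPLE_HTTP, SAMPLE_TCP).items()):
        print(f"{rule:22s} {n}")
```

The marker check is the durable part: the IPs and ports in a report rotate, while the header value (and the "KuGou" substitution) is baked into the sample, so it will also catch the same family talking to infrastructure the report did not list, as the second constructed TCP session shows.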
PhantomNet supports plugin-based modular spying and was previously linked to TA428, a China-nexus APT group. Notably, the “check-in” map was populated with fake entries, based on fabricated geolocation and IP data—part of the attacker’s elaborate deception strategy.
Zscaler and TibCERT attribute both campaigns to China-aligned state-sponsored actors based on technical overlaps, shared infrastructure, malware variants, and culturally contextual lures.
“Variants of Ghost RAT are widely used by various Chinese-speaking threat actors… While PhantomNet has been attributed by other researchers to TA428, it remains uncertain whether this malware is exclusively associated with that group.”