Multi-stage attack chain for Operation GhostChat | Image: ThreatLabz
In a coordinated investigation with TibCERT, Zscaler ThreatLabz has uncovered two state-sponsored cyber-espionage campaigns, Operation GhostChat and Operation PhantomPrayers, that targeted the Tibetan community during a time of cultural significance: the lead-up to His Holiness the Dalai Lama’s 90th birthday.
These attacks, attributed with high confidence to a China-nexus APT group, employed multi-stage malware deployment techniques, including DLL sideloading, shellcode injection through low-level Windows native APIs, and encrypted command-and-control (C2) communication.
Threat actors took advantage of the surge in online activity around the Dalai Lama’s birthday by compromising legitimate websites and inserting malicious links impersonating Tibetan platforms. Victims who thought they were downloading commemorative content or checking in to prayer events were instead infected with Ghost RAT or PhantomNet (SManager) backdoors.
“The original link directed users to a page inviting members of the Tibetan community to send greetings to the Dalai Lama, but the malicious link redirected them to a fraudulent page… designed to closely mimic the original tibetfund.org site,” the report explains.
In Operation GhostChat, attackers created a fake website imitating the Element encrypted messaging app, urging victims to download an app supposedly meant for secure communication within the Tibetan community.
Upon clicking the “Download” button, victims received a ZIP file containing:
- A legitimate, digitally signed Element.exe, which is vulnerable to DLL sideloading because it loads a DLL by name from its own directory; the valid signature belongs to the host executable, not to the DLL it picks up
- A malicious ffmpeg.dll placed next to it, which acts as the first-stage shellcode loader
“The ffmpeg.dll file is a stage 1 loader that loads embedded shellcode, injects it into a target process, and executes it. In addition, it creates persistence by adding a Windows registry value,” the report states.
Rather than the more commonly monitored VirtualAllocEx/WriteProcessMemory/CreateRemoteThread sequence, the loader uses low-level Windows native APIs such as NtCreateSection, RtlCreateUserProcess, and NtMapViewOfSection to place and execute the shellcode inside ImagingDevices.exe, a legitimate Windows binary, so that the malicious code runs under a trusted process name.
The chain culminates in Ghost RAT, a widely known surveillance tool whose C2 commands in this variant include:
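Detection logic for the chain described above, as an added example that is not part of the ThreatLabz report: it runs over a handful of constructed Sysmon-style events (plain dicts mirroring Event ID 7 ImageLoad, Event ID 13 RegistryEvent and Event ID 1 ProcessCreate fields) and flags an unsigned or out-of-place copy of the expected DLL loaded by a known host binary, a Run-key write by that process, and the host spawning ImagingDevices.exe. The trusted install prefixes and the assumption that the persistence value lives under a Run key are mine; the report only says "a Windows registry value". The VLC/libvlc.dll pair from the PhantomPrayers section is included so the same rule covers both campaigns.

```python
"""Sideload-then-inject chain detection over constructed Sysmon-style events.
Added example, not code from the report; all events below are made up."""
import posixpath

# Host binary -> DLL it loads from its own directory (pairs named in the report).
SIDELOAD_PAIRS = {"element.exe": "ffmpeg.dll", "vlc.exe": "libvlc.dll"}
# Legitimate binary the stage 1 loader executes its shellcode in (from the report).
INJECTION_TARGETS = {"imagingdevices.exe"}
# Where a genuine install of these hosts would normally live (assumption, tune per estate).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# The report says only "a Windows registry value"; a Run key is assumed here.
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


def basename(win_path):
    """Lower-cased file name of a Windows path (works on non-Windows hosts too)."""
    return posixpath.basename(win_path.replace("\\", "/")).lower()


def detect_chain(events):
    """Return (rule, pid, detail) findings for the sideload -> persistence -> inject chain."""
    findings = []
    sideloaded = {}  # pid -> host image name, for correlating later events

    # Pass 1: ImageLoad (EID 7) of the expected DLL by a known host, but unsigned
    # or loaded from somewhere other than a trusted install location.
    for ev in events:
        if ev["EventID"] != 7:
            continue
        host, dll = basename(ev["Image"]), basename(ev["ImageLoaded"])
        if SIDELOAD_PAIRS.get(host) != dll:
            continue
        out_of_place = not ev["ImageLoaded"].lower().startswith(TRUSTED_PREFIXES)
        unsigned = ev.get("Signed", "false").lower() != "true"
        if out_of_place or unsigned:
            sideloaded[ev["ProcessId"]] = host
            findings.append(("dll_sideload", ev["ProcessId"],
                             f"{host} loaded {dll} from {ev['ImageLoaded']} (Signed={ev.get('Signed')})"))

    # Pass 2: what the suspected host process did next (order in the log does not matter).
    for ev in events:
        pid = ev.get("ProcessId")
        if ev["EventID"] == 1:  # ProcessCreate
            child, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            if child in INJECTION_TARGETS and parent in SIDELOAD_PAIRS:
                ppid = ev["ParentProcessId"]
                rule = "sideload_then_inject" if ppid in sideloaded else "suspicious_parent"
                findings.append((rule, pid, f"{parent} (pid {ppid}) spawned {child} (pid {pid})"))
        elif ev["EventID"] == 13 and pid in sideloaded:  # RegistryEvent (value set)
            if RUN_KEY in ev["TargetObject"].lower():
                findings.append(("run_key_persistence", pid,
                                 f"{sideloaded[pid]} wrote {ev['TargetObject']}"))
    return findings


# Constructed sample telemetry: one infected Element chain plus a benign VLC load.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120,
     "Image": "C:\\Users\\tenzin\\Downloads\\Element\\Element.exe",
     "ImageLoaded": "C:\\Users\\tenzin\\Downloads\\Element\\ffmpeg.dll", "Signed": "false"},
    {"EventID": 13, "ProcessId": 4120,
     "Image": "C:\\Users\\tenzin\\Downloads\\Element\\Element.exe",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Element"},
    {"EventID": 1, "ProcessId": 5004, "ParentProcessId": 4120,
     "Image": "C:\\Windows\\System32\\ImagingDevices.exe",
     "ParentImage": "C:\\Users\\tenzin\\Downloads\\Element\\Element.exe"},
    {"EventID": 7, "ProcessId": 3300,
     "Image": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe",
     "ImageLoaded": "C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect_chain(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid}: {detail}")
```

The first pass is deliberately a heuristic: Element and VLC legitimately ship these DLLs, so the signal is the combination of an unexpected load path (a Downloads folder, a ZIP extraction directory) with an unsigned image, and it needs baselining against how the applications are normally deployed in a given environment. The second pass only upgrades the ImagingDevices.exe creation to the high-confidence rule when the parent PID was already flagged, which keeps a stray legitimate launch from firing the chain rule on its own.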
- Keylogging (DllKeybo)
- Webcam capture (DllVideo)
- Shell access (DllShell)
- System manipulation (DllSyste)
- Message box popups (DllMsgBox)
- Plugin DLL download and execution from 104.234.15[.]90:19999
“This variant features a custom packet header that uses ‘KuGou’ instead of the usual ‘Gh0st’ and encrypts its traffic using the same RC4-like algorithm used for the configuration encryption,” the report notes.
In parallel, Operation PhantomPrayers deployed a malware-laced “special prayer check-in” app under the fraudulent domain hhthedalailama90.niccenter[.]net. The app, built with PyQt5 and Folium, presented a map visualization and a form prompting victims to enter personal details.
“Upon check-in, an HTTP GET request is sent to 104.234.15[.]90:59999/api/checkins with the custom HTTP header X-API-KEY: m1baby007.”
Beneath this interactive GUI, the malicious payload mirrored GhostChat’s structure:
- Sideloading via vulnerable VLC.exe and malicious libvlc.dll
- Shellcode stored in a .tmp file, encrypted with RC4 and AES
- Stage 2: reflective loader for in-memory execution
- Stage 3: PhantomNet, a modular RAT configured for TCP or HTTPS C2 communication
“The final payload’s embedded configuration is XOR-encoded and includes the C2 server 45.154.12[.]93 and port 2233 as strings.”
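A triage routine for the kind of XOR-encoded configuration the quote above describes, as an added example that is not from the report or the PhantomNet analysis. The report gives neither the key nor the key length, so this assumes the simplest case, a single-byte key, and recovers it by brute force: every candidate key is tried, and a decode is accepted only if it yields an IPv4 dotted-quad string and is mostly printable. The sample blob is constructed (the plaintext `45.154.12.93`, `2233`, `TCP` as NUL-separated strings XORed with 0x5A), not bytes carved from a real sample; a multi-byte or rolling key would need a different search.

```python
"""Single-byte XOR config recovery for an embedded RAT configuration.
Added example; the blob below is constructed, and single-byte XOR is an assumption."""
import re

# Dotted-quad IPv4 and "strings"-style runs of printable ASCII, over bytes.
IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{3,}")


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (0..255)."""
    return bytes(b ^ key for b in data)


def printable_ratio(buf):
    """Fraction of bytes that are printable ASCII, whitespace or NUL (string separators)."""
    if not buf:
        return 0.0
    ok = sum(1 for b in buf if 32 <= b < 127 or b in (0, 9, 10, 13))
    return ok / len(buf)


def extract_strings(buf):
    """Printable runs of 3+ chars, like the `strings` tool."""
    return PRINTABLE_RUN.findall(buf)


def find_xor_config(blob, min_printable=0.9):
    """Try all 256 single-byte keys; keep decodes that expose an IPv4 string and
    are mostly printable. Returns a list of {key, ips, strings} candidates."""
    hits = []
    for key in range(256):
        dec = xor_bytes(blob, key)
        ips = [m.decode() for m in IPV4.findall(dec)]
        if ips and printable_ratio(dec) >= min_printable:
            hits.append({"key": key, "ips": ips, "strings": extract_strings(dec)})
    return hits


# Constructed sample: b"45.154.12.93\x002233\x00TCP\x00" XORed with 0x5A.
SAMPLE_BLOB = b"notkontkhtciZhhiiZ\x0e\x19\x0aZ"

if __name__ == "__main__":
    for hit in find_xor_config(SAMPLE_BLOB):
        print(f"key=0x{hit['key']:02x} ips={hit['ips']} strings={hit['strings']}")
```

The printable-ratio gate matters more than it looks: without it, a large blob will produce accidental dotted-quad matches under several keys. With the gate, a wrong key scrambles the separators and the digits together, so the IPv4 pattern and the mostly-printable property are rarely both satisfied except for the true key. The port turns up as a separate string (`2233` here), which is why the candidate also carries the full string list rather than only the addresses.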
PhantomNet supports plugin-based modular spying and was previously linked to TA428, a China-nexus APT group. Notably, the “check-in” map was populated with fake entries based on fabricated geolocation and IP data, part of the attacker’s elaborate deception strategy.
Zscaler and TibCERT attribute both campaigns to China-aligned state-sponsored actors based on technical overlaps, shared infrastructure, malware variants, and culturally contextual lures.
“Variants of Ghost RAT are widely used by various Chinese-speaking threat actors… While PhantomNet has been attributed by other researchers to TA428, it remains uncertain whether this malware is exclusively associated with that group.”