
Diamond Model of Intrusion Analysis | Image: Recorded Future
Recorded Future’s Insikt Group has uncovered a new cyber-espionage campaign by Russia-aligned threat actor TAG-110 targeting public sector organizations in Tajikistan. The group, linked to APT28 (BlueDelta), is leveraging macro-enabled Word templates to establish persistent access and exfiltrate intelligence.
Between January and February 2025, TAG-110 deployed phishing lures disguised as official Tajik government documents. These malicious Word templates, saved as .dotm files, initiate a complex infection chain designed for stealth, persistence, and long-term data collection.
“TAG-110’s shift in tooling represents an evolution in its tradecraft, signaling continued adaptation in support of long-term operational goals and alignment with regional strategic interests,” the report notes.
TAG-110, which overlaps with UAC-0063 and has been linked to APT28 with medium confidence, has a long history of targeting Central Asian governments. In this campaign, Recorded Future assesses that the actor is attempting to collect intelligence on Tajikistan’s government, educational, and research institutions—particularly those involved in military affairs or electoral processes.
“TAG-110 continues to focus on Tajikistan’s public sector entities, aligning with Russia’s broader strategic interest in Central Asia through intelligence-gathering operations.”
The campaign uses .dotm (macro-enabled Word template) files, which are saved in the Microsoft Word STARTUP folder. This ensures automatic execution every time Word is launched—an evolution from TAG-110’s previous use of HATVIBE, an HTA-based payload.
Once executed, the embedded VBA macros:
- Collect system metadata (username, computer name, language, resolution, etc.)
- Establish persistence by copying themselves to %APPDATA%\Microsoft\Word\STARTUP\
- Communicate with a hardcoded C2 server (http://38.180.206[.]61/engine.php)
- Download and execute second-stage code based on C2 response logic
“TAG-110’s recent use of macro-enabled Word templates (.dotm)… highlights a tactical evolution prioritizing persistence,” the researchers stated.
While the initial documents are seemingly benign notices—one referencing radiation safety for Tajik armed forces and another outlining election schedules in Dushanbe—the underlying payloads turn the host into a surveillance node.
TAG-110’s macros leverage common persistence tactics like:
- Registry edits to AccessVBOM to enable programmatic manipulation of VBA projects
- Auto-executing payloads via AutoExec macros
- Modular code injection via encoded responses from C2 infrastructure
“Insikt Group expects TAG-110 will sustain regional operations against government ministries, academic and research bodies, and diplomatic missions.”
Recorded Future urges organizations to adopt the following measures:
- Monitor Microsoft Word STARTUP folders for unauthorized .dotm files
- Disable macros by default and enforce group policy restrictions
- Harden registry permissions to block AccessVBOM manipulation
- Integrate real-time threat intelligence feeds into SIEM and SOAR systems to detect TAG-110 IOCs
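The first and third measures can be checked on a Windows host with a short audit script. The following is an added example, not code from the Recorded Future report: it lists every .dotm in each user's Word STARTUP folder (with hash, timestamps and whether the template actually carries a VBA project) and flags the AccessVBOM value for the current user. The policy registry path is an assumption based on the usual Office GPO layout.

```powershell
# Added example: audit Word STARTUP folders for .dotm templates and check
# AccessVBOM. Assumes Windows PowerShell 5.1+ and read access to C:\Users\*.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-HasVbaProject {
    # A .dotm is an OOXML zip; macro code lives in the part word/vbaProject.bin.
    param([string]$Path)
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try { return [bool]($zip.Entries | Where-Object { $_.FullName -eq 'word/vbaProject.bin' }) }
        finally { $zip.Dispose() }
    } catch { return $null }   # not a readable zip: report as unknown
}

function Get-WordStartupTemplates {
    # Per-user STARTUP path named in the report: %APPDATA%\Microsoft\Word\STARTUP
    Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Word\STARTUP' } |
        Where-Object { Test-Path $_ } |
        ForEach-Object {
            Get-ChildItem $_ -Filter '*.dotm' -File -ErrorAction SilentlyContinue | ForEach-Object {
                [PSCustomObject]@{
                    Path     = $_.FullName
                    SHA256   = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
                    Created  = $_.CreationTime
                    Modified = $_.LastWriteTime
                    HasVBA   = Test-HasVbaProject $_.FullName
                }
            }
        }
}

function Get-AccessVBOMStatus {
    # AccessVBOM = 1 means "Trust access to the VBA project object model" is on,
    # which lets a macro rewrite other documents' VBA code. Checks the current
    # user's setting and the (assumed) policy override path; other users'
    # hives are not loaded here.
    $keys = @('HKCU:\Software\Microsoft\Office\*\Word\Security',
              'HKCU:\Software\Policies\Microsoft\Office\*\Word\Security')
    foreach ($k in Get-Item $keys -ErrorAction SilentlyContinue) {
        $v = Get-ItemProperty -Path $k.PSPath -Name AccessVBOM -ErrorAction SilentlyContinue
        if ($v) { [PSCustomObject]@{ Key = $k.Name; AccessVBOM = $v.AccessVBOM } }
    }
}

Get-WordStartupTemplates | Format-Table -AutoSize
Get-AccessVBOMStatus | Where-Object { $_.AccessVBOM -eq 1 } |
    ForEach-Object { Write-Warning "AccessVBOM=1 at $($_.Key)" }
```

Any .dotm in a STARTUP folder that was not deployed by the organization, especially one with HasVBA true and a recent creation time, deserves the same triage the report describes for its lures.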
TAG-110 remains a prominent player in Russia’s cyber-intelligence playbook. Its evolving tactics, regional alignment, and toolset flexibility suggest the group will continue operations across Central Asia, especially during politically sensitive periods such as elections or regional conflicts.
“TAG-110’s persistent targeting… supports Russia’s strategy to maintain influence in Central Asia,” the report concludes.