The Tibetan community was targeted by China-nexus cyber espionage groups in two campaigns run last month ahead of the Dalai Lama's 90th birthday on July 6, 2025.
Zscaler ThreatLabz has codenamed the multi-stage attacks Operation GhostChat and Operation PhantomPrayers.
"The attackers compromised a legitimate website, redirected users via malicious links, and eventually installed a Gh0st RAT or PhantomNet (aka Smanager) backdoor on the victim system," security researchers Sudeep Singh and Roy Tay said in a report Wednesday.
This is not the first time a Chinese threat actor has resorted to a watering hole attack (aka strategic web compromise). It is a technique in which adversaries compromise websites that a particular group frequently visits in order to infect those visitors with malware.
Over the past two years, hacking groups such as EvilBamboo, Evasive Panda and TAG-112 have all relied on this approach to target the Tibetan diaspora, with the ultimate goal of gathering sensitive information.
Figure: Operation GhostChat
The latest set of attacks observed by Zscaler involves compromising a web page and replacing the link pointing to "TibetFund (.) org/90thbirthday" with a malicious replica ("thedalailama90.niccenter (.)net").
The original web page lets visitors send messages to the Dalai Lama; the replica page adds an option to send encrypted messages to the spiritual leader by downloading an application from "tbelement.niccenter(.)net".
Hosted on that site is a backdoored version of an open source encrypted chat application that contains a malicious DLL, sideloaded to launch Gh0st RAT, a remote access trojan widely used by various Chinese hacking groups. The web page also contains JavaScript code designed to collect the visitor's IP address and user agent information and transmit those details to the threat actors via HTTP POST requests.
Figure: Operation PhantomPrayers
Gh0st RAT is a fully-featured malware that supports file manipulation, screen capture, clipboard content extraction, webcam video recording, keylogging, audio recording and playback, process manipulation, and remote shells.
The second campaign, Operation PhantomPrayers, has been found to use another domain, "hhthedalalama90.niccenter(.)net". Their location on the map.
The malicious payload uses DLL sideloading to launch the PhantomNet backdoor, which establishes contact with a command-and-control (C2) server over TCP and retrieves additional plug-ins from the C2 server to run on the compromised machine.
"PhantomNet can be configured to work only within a certain time or on certain days, but this feature is not enabled in the current sample," the researchers said. "PhantomNet used modular plug-in DLLs, AES-encrypted C2 traffic, and configurable timing operations to stealthily manage compromised systems."
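To turn the indicators quoted in this report into a check a defender can run, the following added example (editor's code, not Zscaler's) refangs the domains named above for both campaigns and tags matching proxy-log requests as a watering-hole visit, the JavaScript fingerprint POST, or a download of the backdoored chat software. The log layout and the sample log lines are constructed assumptions, not data from the report.

```python
import re
from typing import Dict, List

# Indicators as the article quotes them (defanged), with the role each plays.
DEFANGED_INDICATORS = [
    "thedalailama90.niccenter (.)net",  # Operation GhostChat replica page
    "tbelement.niccenter(.)net",        # hosts the backdoored chat software
    "hhthedalalama90.niccenter(.)Net",  # Operation PhantomPrayers domain
]

def refang(indicator: str) -> str:
    """Normalise a defanged indicator ('a(.)b', 'a (.) b', 'a[.]b') to a host."""
    return re.sub(r"\s*(?:\(\.\)|\[\.\])\s*", ".", indicator.strip()).lower()

INDICATORS = [refang(i) for i in DEFANGED_INDICATORS]

def host_matches(host: str, indicator: str) -> bool:
    """True for the indicator itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)

def scan_proxy_log(log_text: str) -> List[Dict[str, str]]:
    """One hit per request to a known host, tagged with what the report says it means."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        client, method, host, path = parts[:4]
        for ind in INDICATORS:
            if not host_matches(host, ind):
                continue
            if ind.startswith("tbelement."):
                tag = "backdoored_chat_download"  # trojanised installer fetch
            elif method.upper() == "POST":
                tag = "visitor_fingerprint_post"  # JS exfil of IP / user agent
            else:
                tag = "watering_hole_visit"
            hits.append({"client": client, "host": host, "path": path, "tag": tag})
            break
    return hits

# Constructed sample log (hypothetical layout: client method host path user_agent).
SAMPLE_LOG = """\
10.0.0.5 GET tibetfund.org /90thbirthday Mozilla/5.0
10.0.0.5 GET thedalailama90.niccenter.net /index.html Mozilla/5.0
10.0.0.5 POST thedalailama90.niccenter.net /collect Mozilla/5.0
10.0.0.5 GET tbelement.niccenter.net /setup.exe Mozilla/5.0
10.0.0.9 GET hhthedalalama90.niccenter.net / Mozilla/5.0
"""
```

Run `scan_proxy_log(SAMPLE_LOG)` to see the four flagged requests; the benign tibetfund.org visit produces no hit.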