Russia-Linked Hackers Target Tajikistan Government with Weaponized Word Documents

May 27, 2025Ravie LakshmananMalware / Threat Intelligence

The Russia-aligned threat actor known as TAG-110 has been observed conducting a spear-phishing campaign targeting Tajikistan using macro-enabled Word templates as an initial payload.

The attack chain is a departure from the threat actor’s previously documented use of an HTML Application (.HTA) loader dubbed HATVIBE, Recorded Future’s Insikt Group said in an analysis.

“Given TAG-110’s historical targeting of public sector entities in Central Asia, this campaign is likely targeting government, educational, and research institutions within Tajikistan,” the cybersecurity company noted.

“These cyber espionage operations likely aim to gather intelligence for influencing regional politics or security, particularly during sensitive events like elections or geopolitical tensions.”

TAG-110, also called UAC-0063, is the name assigned to a threat activity group that’s known for its targeting of European embassies, as well as other organizations in Central Asia, East Asia, and Europe. It’s believed to be active at least since 2021.

Assessed to share overlaps with the Russian nation-state hacking crew APT28, activities associated with the threat actor were first documented by Romanian cybersecurity company Bitdefender in May 2023 in connection with a campaign that delivered a malware codenamed DownEx (aka STILLARCH) targeting government entities in Kazakhstan and Afghanistan.

However, it was the Computer Emergency Response Team of Ukraine (CERT-UA) that formally assigned the moniker UAC-0063 that same month after it uncovered cyber attacks targeting state bodies in the country using malware strains like LOGPIE, CHERRYSPY (aka DownExPyer), DownEx, and PyPlunderPlug.

The latest campaign aimed at Tajikistan organizations, observed starting January 2025, demonstrates a shift away from HATVIBE, distributed via HTA-embedded spear-phishing attachments, in favor of macro-enabled Word template (.DOTM) files, underscoring an evolution of their tactics.

“Previously, TAG-110 leveraged macro-enabled Word documents to deliver HATVIBE, an HTA-based malware, for initial access,” Recorded Future said. “The newly detected documents do not contain the embedded HTA HATVIBE payload for creating a scheduled task and instead leverage a global template file placed in the Word startup folder for persistence.”

The phishing emails have been found to use Tajikistan government-themed documents as lure material, which aligns with its historical use of trojanized legitimate government documents as a malware delivery vector. However, the cybersecurity company said it could not independently verify the authenticity of these documents.

Present with the files is a VBA macro that’s responsible for placing the document template in the Microsoft Word startup folder for automatic execution and subsequently initiating communications with a command-and-control (C2) server and potentially executing additional VBA code supplied with C2 responses. The exact nature of the second-stage payloads is not known.

“However, based on TAG-110’s historical activity and tool set, it is likely that successful initial access via the macro-enabled templates would result in the deployment of additional malware, such as HATVIBE, CHERRYSPY, LOGPIE, or potentially a new, custom-developed payload designed for espionage operations,” the company said.

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!