Date: 07/24/2025
Severity: High
Summary
In June 2025, two cyberattack campaigns, Operation GhostChat and Operation PhantomPrayers, targeted the Tibetan community, exploiting the surge in online activity surrounding the Dalai Lama's 90th birthday. Threat actors linked to a China-nexus APT group compromised a legitimate website and used malicious links to redirect its visitors to attacker-controlled pages. Victims were lured into downloading Tibet-themed files that started a multi-stage infection chain ending in either the Ghost RAT backdoor (GhostChat) or the PhantomNet (SManager) backdoor (PhantomPrayers). Both campaigns staged their lures and payloads on deceptive subdomains of niccenter.net that impersonated trusted Tibetan platforms, timed to this culturally significant period when targets were most likely to click.
Indicators of Compromise (IOC) List
URL/Domain |
thedalailama90.niccenter.net
tbelement.niccenter.net
beijingspring.niccenter.net
penmuseum.niccenter.net
tbelement.niccenter.net/Download/TBElement.zip
http://hhthedalailama90.niccenter.net/DalaiLamaCheckin.exe
http://104.234.15.90:59999/api |
IP Address |
45.154.12.93
104.234.15.90 |
Hash (MD5) |
42d83a46250f788eef80ff090d9d6c87
5b63a01a0b3f6e06dd67b42ad4f18266
998dd032b0bb522036706468eca62441
a17092e3f8200996bdcaa4793981db1f
1244b7d19c37baab18348fc2bdb30383
a139e01de40d4a65f4180f565de04135
81896b186e0e66f762e1cb1c2e5b25fc
5ad61fe6a92d59100dc6f928ef780adb
32308236fa0e3795df75a31bc259cf62
26240c8cfbb911009a29e0597aa82e6c
a74c5c49b6f1c27231160387371889d3 |
Hash (SHA-1) |
ff9fddb016ec8062180c77297d478b26d65a7a40
71f09721792d3a4f1ea61d1f3664e5a503c447b2
25cb602e89b5d735776e2e855a93915714f77f01
ca6845e4ac8c0e45afc699557ad415339419bfe0
365888661b41cbe827c630fd5eea05c5ddc2480d
e089daa04cceb8306bc42e34a5da178e89934f45
10a440357e010c9b6105fa4cbb37b7311ad574ea
11be5085f6ddc862cabae37c7dbd6400fb8b1498
40ef100472209e55877b63bf817982e74933b3f8
a03527b2a2f924d3bc41636aa18187df72e9fe03
fb32d8461ddb6ca2f03200d85c09f82fb6c5bde3 |
Hash (SHA-256) |
0ad4835662b485f3a1d0702f945f1a3cf17e0a5d75579bea165c19afd1f8ea00
d896953447088e5dc9e4b7b5e9fb82bcb8eb7d4f6f0315b5874b6d4b0484bd69
037d95510c4aa747332aa5a2e33c58828de4ad0af8a1e659a20393f2448e48d7
98d30b44560a0dde11927b477b197daf75fb318c40bdeed4f9e27235954f9e71
1e5c37df2ace720e79e396bbb4816d7f7e226d8bd3ffc3cf8846c4cf49ab1740
a0b5d6ea1f8be6dbdbf3c5bb469b111bd0228bc8928ed23f3ecc3dc4a2c1f480
9ffb61f1360595fc707053620f3751cb76c83e67835a915ccd3cbff13cf97bed
f6b42e4d0e810ddbd0c1649abe74497dad7f0e9ada91e8e0e4375255925dd4d2
45fd64a2e3114008f400bb2d9fa775001de652595ffe61c01521eb227a0ba320
8809b874da9a23e5558cc386dddf02ea2b9ae64f84c9c26aca23a1c7d2661880
c9dac9ced16e43648e19a239a0be9a9836b80ca592b9b36b70d0b2bdd85b5157 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : |
domainname like "thedalailama90.niccenter.net" or siteurl like "thedalailama90.niccenter.net" or url like "thedalailama90.niccenter.net"
or domainname like "tbelement.niccenter.net" or siteurl like "tbelement.niccenter.net" or url like "tbelement.niccenter.net"
or domainname like "beijingspring.niccenter.net" or siteurl like "beijingspring.niccenter.net" or url like "beijingspring.niccenter.net"
or domainname like "penmuseum.niccenter.net" or siteurl like "penmuseum.niccenter.net" or url like "penmuseum.niccenter.net"
or domainname like "hhthedalailama90.niccenter.net" or siteurl like "hhthedalailama90.niccenter.net" or url like "hhthedalailama90.niccenter.net"
or siteurl like "tbelement.niccenter.net/Download/TBElement.zip" or url like "tbelement.niccenter.net/Download/TBElement.zip"
or siteurl like "http://hhthedalailama90.niccenter.net/DalaiLamaCheckin.exe" or url like "http://hhthedalailama90.niccenter.net/DalaiLamaCheckin.exe"
or siteurl like "http://104.234.15.90:59999/api" or url like "http://104.234.15.90:59999/api" |
Detection Query 2 : | dstipaddress IN ("45.154.12.93","104.234.15.90") or srcipaddress IN ("45.154.12.93","104.234.15.90") |
Detection Query 3 : |
md5hash IN ("998dd032b0bb522036706468eca62441","42d83a46250f788eef80ff090d9d6c87","a139e01de40d4a65f4180f565de04135","5b63a01a0b3f6e06dd67b42ad4f18266","a17092e3f8200996bdcaa4793981db1f","1244b7d19c37baab18348fc2bdb30383","81896b186e0e66f762e1cb1c2e5b25fc","5ad61fe6a92d59100dc6f928ef780adb","32308236fa0e3795df75a31bc259cf62","26240c8cfbb911009a29e0597aa82e6c","a74c5c49b6f1c27231160387371889d3") |
Detection Query 4 : |
sha1hash IN ("ff9fddb016ec8062180c77297d478b26d65a7a40","e089daa04cceb8306bc42e34a5da178e89934f45","71f09721792d3a4f1ea61d1f3664e5a503c447b2","25cb602e89b5d735776e2e855a93915714f77f01","ca6845e4ac8c0e45afc699557ad415339419bfe0","365888661b41cbe827c630fd5eea05c5ddc2480d","10a440357e010c9b6105fa4cbb37b7311ad574ea","11be5085f6ddc862cabae37c7dbd6400fb8b1498","40ef100472209e55877b63bf817982e74933b3f8","a03527b2a2f924d3bc41636aa18187df72e9fe03","fb32d8461ddb6ca2f03200d85c09f82fb6c5bde3") |
Detection Query 5 : |
sha256hash IN ("a0b5d6ea1f8be6dbdbf3c5bb469b111bd0228bc8928ed23f3ecc3dc4a2c1f480","0ad4835662b485f3a1d0702f945f1a3cf17e0a5d75579bea165c19afd1f8ea00","d896953447088e5dc9e4b7b5e9fb82bcb8eb7d4f6f0315b5874b6d4b0484bd69","037d95510c4aa747332aa5a2e33c58828de4ad0af8a1e659a20393f2448e48d7","98d30b44560a0dde11927b477b197daf75fb318c40bdeed4f9e27235954f9e71","1e5c37df2ace720e79e396bbb4816d7f7e226d8bd3ffc3cf8846c4cf49ab1740","9ffb61f1360595fc707053620f3751cb76c83e67835a915ccd3cbff13cf97bed","f6b42e4d0e810ddbd0c1649abe74497dad7f0e9ada91e8e0e4375255925dd4d2","45fd64a2e3114008f400bb2d9fa775001de652595ffe61c01521eb227a0ba320","8809b874da9a23e5558cc386dddf02ea2b9ae64f84c9c26aca23a1c7d2661880","c9dac9ced16e43648e19a239a0be9a9836b80ca592b9b36b70d0b2bdd85b5157") |
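The queries above match each indicator verbatim, so a full-URL indicator such as http://hhthedalailama90.niccenter.net/DalaiLamaCheckin.exe only fires on fields that carry the whole URL, not on a DNS query or proxy host field that holds just the hostname. The following Python sweep is an added example (not Gurucul's or Zscaler's code) that applies the same indicators to constructed sample log lines: it reduces every URL indicator to its hostname so host-only telemetry still matches, classifies hash indicators by digest length the way Queries 3 to 5 split them, and reports which line hit which IOC. The key=value log schema and its field names (url, query, src, dst, md5, sha1, sha256) are assumptions for the example, the sample events are constructed, and only three of the page's hashes are loaded; the rest are added the same way.

```python
"""IOC sweep over sample logs for the GhostChat / PhantomPrayers indicators.

Added example for this page, not Gurucul's or Zscaler's code. Indicator
values come from the IOC list above; the log lines are constructed.
"""
import re
from urllib.parse import urlsplit

IOC_URLS = [
    "thedalailama90.niccenter.net",
    "tbelement.niccenter.net",
    "beijingspring.niccenter.net",
    "penmuseum.niccenter.net",
    "tbelement.niccenter.net/Download/TBElement.zip",
    "http://hhthedalailama90.niccenter.net/DalaiLamaCheckin.exe",
    "http://104.234.15.90:59999/api",
]
IOC_IPS = {"45.154.12.93", "104.234.15.90"}
# Subset of the page's hashes; the remaining ones are added the same way.
IOC_HASHES = {
    "42d83a46250f788eef80ff090d9d6c87",                                  # MD5
    "ff9fddb016ec8062180c77297d478b26d65a7a40",                          # SHA-1
    "0ad4835662b485f3a1d0702f945f1a3cf17e0a5d75579bea165c19afd1f8ea00",  # SHA-256
}
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}

# Assumed log schema for this example, not a Gurucul field convention.
URL_FIELDS = ("url", "query", "domain")
IP_FIELDS = ("src", "dst", "ip")
HASH_FIELDS = ("md5", "sha1", "sha256", "hash")


def host_of(indicator: str) -> str:
    """Reduce a URL or bare domain to its lowercase hostname (no port, no path)."""
    if "://" not in indicator:
        indicator = "http://" + indicator
    return urlsplit(indicator).hostname or ""


def hash_kind(value: str):
    """Classify a hex digest by length (md5/sha1/sha256); None if not a digest."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HASH_KIND.get(len(v))


# Hostnames are derived once so a full-URL indicator still matches a DNS or
# proxy host field that never carries a scheme or path.
IOC_HOSTS = {host_of(u) for u in IOC_URLS}


def parse_line(line: str) -> dict:
    """Parse a constructed 'key=value key=value ...' log line into a dict."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def match_event(fields: dict) -> list:
    """Return (indicator_type, value) pairs for every IOC the event touches."""
    hits = []
    for key, value in fields.items():
        if key in URL_FIELDS:
            host = host_of(value)
            if host in IOC_HOSTS or host in IOC_IPS:
                hits.append(("host", host))
        elif key in IP_FIELDS and value in IOC_IPS:
            hits.append(("ip", value))
        elif key in HASH_FIELDS:
            digest = value.lower()          # hashes are compared case-insensitively
            if digest in IOC_HASHES:
                hits.append((hash_kind(digest), digest))
    return list(dict.fromkeys(hits))        # de-duplicate, keep order


def sweep(lines) -> list:
    """Run match_event over each line; return only the lines that hit."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = match_event(parse_line(line))
        if hits:
            results.append({"line": number, "hits": hits})
    return results


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    "ts=2025-06-30T10:02:11Z type=proxy src=10.0.0.15 dst=45.154.12.93 url=http://hhthedalailama90.niccenter.net/DalaiLamaCheckin.exe",
    "ts=2025-06-30T10:02:14Z type=dns src=10.0.0.22 query=TBELEMENT.niccenter.net",
    "ts=2025-06-30T10:03:40Z type=edr host=WS-22 file=C:\\Users\\u\\Downloads\\TBElement.exe sha256=0AD4835662B485F3A1D0702F945F1A3CF17E0A5D75579BEA165C19AFD1F8EA00",
    "ts=2025-06-30T10:04:02Z type=proxy src=10.0.0.9 dst=93.184.216.34 url=https://www.example.com/",
    "ts=2025-06-30T10:05:19Z type=proxy src=10.0.0.15 dst=104.234.15.90 url=http://104.234.15.90:59999/api",
    "ts=2025-06-30T10:06:55Z type=edr host=WS-15 file=C:\\Users\\u\\Downloads\\GhostChat.exe md5=42d83a46250f788eef80ff090d9d6c87",
]

if __name__ == "__main__":
    for result in sweep(SAMPLE_LOG):
        print(result)
```

Running the block prints one result per matching line; the benign example.com request (line 4) produces nothing, the uppercase DNS query and SHA-256 value still match because hostnames and digests are normalized before lookup, and the C2 URL on line 5 hits both as an IP (dst field) and as a host (URL field).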
Reference:
https://www.zscaler.com/blogs/security-research/illusory-wishes-china-nexus-apt-targets-tibetan-community#indicators-of-compromise--iocs-