Between January and February 2025, TAG-110, a Russia-aligned cyber-espionage group linked to APT28, launched a targeted phishing campaign against Tajikistan using macro-enabled Word template files. This shift in tactics raises alarms for regional stability as the group intensifies intelligence-gathering efforts amid upcoming political and military events in Central Asia.
According to a report published by Insikt Group on 22 May 2025, the phishing campaign began in January 2025 and continued through February, targeting Tajikistani government, academic, and research institutions. The attackers leveraged macro-enabled Word .dotm files disguised as government-themed documents, a method echoing previous TAG-110 playbooks but replacing the usual HTA-based HATVIBE payload with a stealthier alternative.
Weaponized Documents and TTP Evolution
Two macro-enabled .dotm files were identified as initial access vectors:
- Document 1
  - SHA256: d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7
  - Theme: Radiation safety notice to the Tajik armed forces
  - First seen: 27 January 2025
  - C2 host: http://38.180.206[.]61:80/engine.php
- Document 2
  - SHA256: 8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7
  - Theme: Election schedule in Dushanbe
  - First seen: 1 February 2025
  - C2 host: http://38.180.206[.]61:80/engine.php (same as above)
Both documents carry Visual Basic for Applications (VBA) macros that run when the file is opened and copy a malicious template into the user's Microsoft Word STARTUP folder. Word treats every template in that folder as a global template and loads it at each launch, so the implanted macros run every time Word starts, whether or not the original lure is ever reopened.
Central Asia in the Crosshairs: Why Tajikistan?
Russia has consistently sought to maintain influence in Central Asia. Tajikistan, a key strategic partner in the region, has become a focal point of Russia’s hybrid warfare, combining diplomatic, economic, and now cybersecurity tactics to preserve its dominance.
“This campaign by TAG-110 appears strategically timed, aligning with upcoming regional elections and heightened military sensitivity,” said John Hultquist, Chief Analyst at Mandiant (comment from previous APT28 attribution analysis, cited in The Record).
This ongoing intrusion reflects Moscow’s intent to undermine independent political evolution in the region by extracting sensitive information from the Tajikistani government, defense, and research sectors.
Middle East and Africa: Echoes and Exposure
Though the current campaign centers on Tajikistan, similar TTPs have previously emerged across MEA nations where Russian influence intersects with fragile governance or strategic corridors (e.g., Syria, Libya, Sudan).
Governments in Africa and the Middle East should note:
- Macro-based attack vectors remain a preferred choice in regions with low digital hygiene.
- The use of government-themed lures could easily be localized for ministries, election bodies, or military bureaus in MEA.
Dr. Khalid Al-Maadeed, a cybersecurity consultant in Doha, warned:
“This shift to stealthy persistence mechanisms signals a need for Middle Eastern agencies to revisit their endpoint monitoring and macro security policies, particularly with upcoming election seasons.”
Global Comparisons: APT28 and Evolving Russian Tactics
TAG-110, which overlaps with UAC-0063, the cluster that CERT-UA attributes with medium confidence to APT28 (BlueDelta), is not acting in isolation. The group’s overlapping infrastructure and codebase align with broader Russian cyber-espionage objectives, including:
- APT28’s 2024 phishing campaigns against European defense ministries (CERT-EU, December 2024)
- UAC-0063’s 2023 use of CHERRYSPY against Kazakh diplomatic entities (BitDefender report)
By dropping the HTA-based HATVIBE loader in favor of a global Word template, TAG-110 is pursuing quieter persistence. An HTA has to be launched through mshta.exe, a script host that process-chain signatures and EDR rules watch closely, whereas a template in STARTUP runs inside winword.exe itself with no separate process start. It also blunts one-shot sandbox detonation: if the lure only copies the template on first open and the C2 contact happens when Word is next started, a sandbox that opens the document once sees little more than a file write.
Technical Indicators & MITRE Mapping
MITRE ATT&CK Techniques Used
- T1566.001: Phishing – Spearphishing Attachment
- T1059.005: Command and Scripting Interpreter – Visual Basic
- T1137.001: Office Application Startup – Office Template Macros (template planted in the Word STARTUP folder)
- T1071.001: Application Layer Protocol – Web Protocols (HTTP to engine.php on port 80)
- T1027: Obfuscated Files or Information
- T1564.001: Hide Artifacts – Hidden Files and Directories
Indicators of Compromise (IOCs)
| Indicator | Description |
|---|---|
| 38.180.206[.]61:80/engine.php | C2 server (HTTP, port 80) |
| d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7 | SHA256 of the radiation-safety lure (.dotm) |
| 8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7 | SHA256 of the election-schedule lure (.dotm) |
| .dotm in the Word STARTUP folder | Persistence mechanism: loaded as a global template on every Word start |
| VBA macros (run on document open) | Copy the template into the Word STARTUP folder and contact the C2 host |
Actionable Takeaways for Security Teams
- Block macros in Office files from the internet using Group Policy or Intune.
- Audit Microsoft Word STARTUP folders (%APPDATA%\Microsoft\Word\STARTUP and the STARTUP folder under the Office install directory) for unexpected .dotm files.
- Use EDR to detect VBA execution from Document_Open() and AutoOpen in opened documents, and from AutoExec in STARTUP templates, which fires when Word starts even with no document open.
- Update detection signatures for macro template-based persistence.
- Educate users to avoid opening unsolicited or unexpected Word documents.
- Segment government networks, especially in ministries or defense departments.
- Conduct regular phishing simulations and awareness training.
- Apply IOC watchlists across SIEMs and firewalls.
- Harden email gateways to flag .dotm and macro-enabled attachments.
- Stay informed with real-time cybersecurity alerts.
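The STARTUP-folder persistence described in the Weaponized Documents section and the first two takeaways above (blocking Internet macros by policy, auditing STARTUP for rogue templates) can be checked with one script. The PowerShell below is an added example written for this page; it is not code from the Insikt Group report, the article's sources, or any vendor. It assumes a Microsoft 365 / Office 2016-or-later install (registry version key 16.0; change $OfficeVersion for other builds), runs in the profile of the user being audited, and compares only against the two document SHA-256 hashes in the IOC table. The function names (Get-WordMacroPolicy, Get-WordStartupPath, Test-HasVbaProject, Get-WordStartupTemplate) are this example's own.

```powershell
# Added example for this article (not from Insikt Group or the original page).
# Audits one Windows user profile for the two controls recommended above:
#   1. the "Block macros from running in Office files from the Internet" policy, and
#   2. templates in Word's STARTUP folders, hashed against the two document IOCs
#      and flagged when they carry a VBA project (word/vbaProject.bin).
# Assumption: Office 2016/2019/2021/365, whose registry version key is "16.0".
$OfficeVersion = '16.0'

# The two document hashes from the IOC table (lower-case for comparison).
$IocHashes = @(
    'd60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7',
    '8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7'
)

function Get-WordMacroPolicy {
    # GPO/Intune write these values under the per-application Security policy key.
    # blockcontentexecutionfrominternet = 1 blocks macros in Mark-of-the-Web files;
    # VBAWarnings = 4 is "Disable all macros without notification".
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Word\Security"
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $blocked = ($p.blockcontentexecutionfrominternet -eq 1)
    [pscustomobject]@{
        BlockInternetMacros = $blocked
        VBAWarnings         = $p.VBAWarnings
        Verdict             = if ($blocked) { 'OK' } else { 'Policy missing: set it via GPO or Intune' }
    }
}

function Get-WordStartupPath {
    # Word loads every template in these folders as a global template at launch,
    # which is what makes a planted .dotm run on every Word start (T1137.001).
    $paths = @((Join-Path $env:APPDATA 'Microsoft\Word\STARTUP'))
    # The per-user folder can be redirected through STARTUP-PATH; honour it.
    $opt = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Options" -ErrorAction SilentlyContinue
    if ($opt.'STARTUP-PATH') { $paths += $opt.'STARTUP-PATH' }
    # Machine-wide STARTUP folders live under the Office install root.
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($root) {
            $paths += Get-ChildItem -Path (Join-Path $root 'Microsoft Office') -Directory -Recurse `
                -Filter 'STARTUP' -ErrorAction SilentlyContinue | ForEach-Object FullName
        }
    }
    $paths | Sort-Object -Unique
}

Add-Type -AssemblyName System.IO.Compression.FileSystem
function Test-HasVbaProject {
    param([string]$Path)
    # .dotm/.dotx are OOXML zips; compiled macros sit in word/vbaProject.bin.
    # Legacy binary .dot files are not zips and fall through to $false.
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try { return [bool]($zip.Entries | Where-Object FullName -eq 'word/vbaProject.bin') }
        finally { $zip.Dispose() }
    } catch { return $false }
}

function Get-WordStartupTemplate {
    foreach ($dir in Get-WordStartupPath) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force includes hidden files (T1564.001 is in the mapping above).
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -match '^\.dot[mx]?$' } |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
                [pscustomobject]@{
                    Path     = $_.FullName
                    Hidden   = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                    HasVba   = Test-HasVbaProject -Path $_.FullName
                    KnownIoc = ($IocHashes -contains $hash)
                    SHA256   = $hash
                }
            }
    }
}

Get-WordMacroPolicy
Get-WordStartupTemplate | Format-Table -AutoSize
```

Run it in each user's session (the policy key and the user STARTUP folder are per-profile) and pipe Get-WordStartupTemplate to Export-Csv to collect results across a fleet. A KnownIoc hit is a confirmed match against the two lures; any template with HasVba set that you did not deploy yourself deserves a look, and a Hidden one doubly so.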
Conclusion
TAG-110’s latest offensive against Tajikistan reflects a maturing playbook among Russian cyber-espionage groups. The use of stealthy .dotm macros represents both tactical innovation and a reminder that phishing remains a potent threat vector. As geopolitical tensions simmer, governments and institutions across Central Asia and, by extension, the MEA region must reinforce cyber vigilance and operational readiness. Expect continued activity from TAG-110 aligned with Russian geopolitical interests.
Sources
- Recorded Future – TAG-110 Analysis (22 May 2025)
- CERT-UA Attribution of TAG-110 to APT28 (2024)
- BitDefender – Central Asia Campaigns (2023)
- Sekoia – TAG-110 Toolset Overview (2024)
- Microsoft – Macro Policies in Office
- CERT-EU – Russian APT Activity (December 2024)
- Mandiant – Russian APT Trends
- The Record – APT28 Activities
- CyberCory – Central Asia Threats
- SaintyNet – Security Awareness & Services