Illusory Wishes: China-nexus APT Targets the Tibetan Community
Introduction

In June 2025, Zscaler ThreatLabz collaborated with TibCERT to investigate two cyberattack campaigns targeting the Tibetan community. Our analysis linked these attacks, dubbed Operation GhostChat and Operation PhantomPrayers, to a China-nexus APT group, which capitalized on increased online activity around the Dalai Lama's 90th birthday to distribute malware in multi-stage attacks. In this blog post, we outline how the attackers compromised a legitimate website, redirecting users via a malicious link and ultimately installing either the Ghost RAT or PhantomNet (SManager) backdoor onto victim systems.

Zscaler ThreatLabz would like to thank the TibCERT team for their collaboration throughout this investigation.

Key Takeaways

- ThreatLabz observed targeted malware intrusions that employed social engineering tactics, leveraging the Dalai Lama's 90th birthday through strategic web compromises to lure Tibetan community members and redirect them to attacker-controlled sites.
- Operation GhostChat and Operation PhantomPrayers relied on multi-stage infection chains to deploy the Ghost RAT and PhantomNet backdoors, respectively. These chains included DLL sideloading, shellcode injection, and encrypted payloads.
- The campaigns employed evasion techniques such as code injection, the use of low-level APIs, and overwriting user-mode API hooks to evade endpoint security solutions.
- Based on the victimology (the targeting of the Tibetan community), the use of Ghost RAT and PhantomNet, and the deployment of tailored TTPs, we attribute these campaigns with high confidence to a China-nexus APT group.

Overview

Cyberattacks intensified in the weeks leading up to the Dalai Lama's 90th birthday on July 6th, a culturally significant event for the Tibetan community that spurred heightened online activity. During this period, threat actors launched Operation GhostChat and Operation PhantomPrayers, leveraging multiple subdomains under niccenter[.]net to impersonate legitimate platforms. These subdomains were used to lure victims into downloading malicious software with Tibet-related themes, initiating a multi-stage infection chain that ultimately deployed the Ghost RAT or PhantomNet (SManager) backdoors, malware tools commonly linked to China-nexus threat groups.

Operation GhostChat

In June 2025, threat actors carried out a strategic web compromise by replacing the legitimate link, tibetfund.org/90thbirthday, on a compromised webpage with a malicious link. The original link directed users to a page inviting members of the Tibetan community to send greetings to the Dalai Lama, but the malicious link redirected them to a fraudulent page hosted at thedalailama90.niccenter[.]net. This fake page was designed to closely mimic the original tibetfund.org site.

The figure below compares the legitimate webpage and the malicious replica created by the threat actor.

Figure 1: A side-by-side comparison of the legitimate Tibetan webpage and the malicious replica created by the threat actor.

The malicious webpage includes an option to download an encrypted chat application, designed to lure the targeted user into connecting with other members of the Tibetan community under the pretense of secure communication. Clicking on this "chat" option redirects users to tbelement.niccenter[.]net, where they are prompted to download a backdoored version of Element, a popular open-source encrypted chat application.

The figure below shows the webpage created by the threat actor, which impersonates the Element messaging application to lure users.

Figure 2: Webpage crafted by the threat actor to distribute a backdoored version of the Element messaging application.

The webpage also contains JavaScript code designed to collect the visitor's IP address and user-agent information. Using WebRTC, the malicious webpage retrieves the user's IP address and then sends the collected information via an HTTP POST request to save_ip.php, a PHP script hosted on the same server.

The figure below shows the JavaScript code responsible for this action.

Figure 3: The JavaScript code on the webpage used to collect the user's IP address and user-agent information.

When the user clicks the "Download" button on the webpage shown in Figure 2, a ZIP archive is downloaded from the following URL: https://tbelement.niccenter[.]net/Download/TBElement.zip

TBElement.zip contains multiple components related to the legitimate messaging application, Element. However, the legitimate DLL, ffmpeg.dll, has been replaced with a malicious DLL. Since the legitimate, digitally signed file Element.exe is vulnerable to DLL sideloading, it automatically loads the malicious ffmpeg.dll when it runs.

The figure below shows the multiple stages involved in the attack chain.

Figure 4: Multi-stage attack chain for Operation GhostChat.

The technical analysis below describes each stage of the attack chain and how GhostChat orchestrates command-and-control (C2) communication.

Stage 1: Shellcode loader

The ffmpeg.dll file is a stage 1 loader that loads embedded shellcode, injects it into a target process, and executes it. In addition, ffmpeg.dll establishes persistence on the compromised machine by adding a Windows registry value.

The following describes the key functionalities of the ffmpeg.dll file, summarized in Table 1.

API resolution

API names are stored as plain text in the binary, with no hashing algorithms used. To resolve API addresses, the export directory of the loaded module is scanned and compared against the API names. The threat actors use less common Windows native APIs like Nt* and Rtl*, likely to evade detection by EDR solutions that focus on monitoring user-mode APIs for suspicious activity.

Map ntdll from disk

The stage 1 shellcode loader uses a technique to bypass potential user-mode API hooks or memory breakpoints in ntdll.dll. It achieves this by loading a fresh copy of ntdll.dll from disk and mapping it into memory. The process works as follows:

1. Locates the base address of ntdll.dll in the process's memory using K32GetModuleInformation.
2. Maps a fresh copy of ntdll.dll into memory from its default path, C:\Windows\System32\ntdll.dll. This path is hardcoded in the binary.
3. Locates the .text section of the currently loaded ntdll.dll by walking its PE header in memory.
4. Resolves the address of the VirtualProtect API and uses it to change the memory protection of the .text section to PAGE_EXECUTE_READWRITE.
5. Overwrites the .text section of the loaded ntdll.dll with the .text section of the fresh copy mapped from disk.
6. Restores the original memory protection settings of the .text section using VirtualProtect.

This process ensures that any API hooks or modifications added by endpoint security solutions in the user-mode ntdll.dll are overwritten.

Code injection

The stage 1 shellcode loader uses shared memory section-based code injection to inject 32-bit shellcode into a legitimate Windows process, ImagingDevices.exe. The technique relies on low-level APIs to minimize detection by security solutions. The steps are as follows:

1. Creates a memory section in the current process using NtCreateSection with PAGE_EXECUTE_READWRITE protection.
2. Maps the section into the current process using NtMapViewOfSection.
3. Creates the target process (ImagingDevices.exe) using RtlCreateUserProcess.
4. Maps the previously created memory section into the target process using NtMapViewOfSection.
5. Writes shellcode to the shared memory section within the current process using NtWriteVirtualMemory, making the shellcode appear in the target process's memory.
6. Creates a thread in the target process, with its start address pointing to the mapped section containing the shellcode, using RtlCreateUserThread.

This method stealthily injects the shellcode into the target process.

Registry persistence

To achieve persistence, the malware adds a registry value under the following path:

- Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: Element
- Value data: Path to the malicious Element.exe binary

Table 1: Key capabilities of the ffmpeg.dll file.

Stage 2: Reflective loader

The stage 2 shellcode contains an executable compressed with NRV2D, one of the compression algorithms supported by the popular UPX packer. To evade detection, the MZ and PE magic bytes in the executable's PE headers have been replaced with 0xd and 0xa. The shellcode allocates memory with PAGE_EXECUTE_READWRITE permissions via VirtualAlloc, reflectively loads the stage 3 executable into this memory region, and then executes it starting at its entry point.

Stage 3: Ghost RAT

The stage 3 executable is a variant of Ghost RAT. Its embedded configuration is encrypted with a custom algorithm that resembles RC4 but has been modified significantly. This implementation adds extra bitwise operations, and its Key Scheduling Algorithm (KSA) is altered so that the provided key does not affect encryption or decryption. Python code to decrypt the configuration is available in our GitHub repository.

C2 communication

Ghost RAT communicates with its C2 server at 104.234.15[.]90:19999 using a TCP binary protocol. This variant features a custom packet header that uses "KuGou" instead of the usual "Gh0st" and encrypts its traffic using the same RC4-like algorithm used for the configuration encryption.

Malicious functionality is largely implemented in the exported functions of a plugin DLL named config.dll. This DLL is downloaded from the C2 server and stored on disk at C:\Users\Public\Documents\config.dll. To evade static AV scans, the DLL is XOR-encoded with a one-byte key (0x15) and decoded only when it is loaded by the malware.

As the exact DLL could not be retrieved from the C2 server, its functionality was derived by analyzing a KuGou variant DLL (MD5: 7b9a808987d135e381f93084796fd7c1) and comparing it with the Ghost RAT source code.

The table below outlines the C2 commands supported by this variant.

| Command ID | Functionality | Source code class |
|---|---|---|
| 0x0 | Sets a flag to indicate a successful connection to the C2. | CKernelManager |
| 0x1 | Executes the DllFile export in the plugin DLL. Supports file manipulation sub-commands. | CFileManager |
| 0x2 | Executes the DllScreen export in the plugin DLL. Supports screen capture and clipboard manipulation sub-commands. | CScreenManager |
| 0x3 | Executes the DllVideo export in the plugin DLL. Supports webcam video capture sub-commands. | CVideoManager |
| 0x4 | Executes the DllKeybo export in the plugin DLL. Supports keylogging-related sub-commands. | CKeyboardManager |
| 0x5 | Executes the DllAudio export in the plugin DLL. Supports audio recording and playback. | CAudioManager |
| 0x6 | Executes the DllSyste export in the plugin DLL. Supports process and window manipulation sub-commands. | CSystemManager |
| 0x7 | Executes the DllShell export in the plugin DLL. Supports a remote shell via the command prompt. | CShellManager |
| 0x8 | Acquires SeShutdownPrivilege to shut down the victim's system with ExitWindowsEx. | N/A |
| 0x9 | Terminates itself. | N/A |
| 0xD | Sets the HKLM\SYSTEM\CurrentControlSet\Services\Apache\Host value. This value likely serves as a nickname for the threat actor to identify this system. | N/A |
| 0xF | Sets the HKLM\SYSTEM\CurrentControlSet\Services\Apache\ConnectGroup value. This value is likely used by the threat actor to organize infected machines. | N/A |
| 0x13 | Executes the DllMsgBox export in the plugin DLL. Displays a message box with an attacker-specified message and title. | N/A |
| 0x14 | Sends the plugin DLL path hardcoded in the sample (C:\Users\Public\Documents\config.dll) to the C2. Supports plugin DLL management sub-commands. | N/A |
| 0x15 | Executes the DllSerSt export in the plugin DLL. Supports system administration sub-commands, including user account manipulation. | CSysInfo |
| 0x16 | Executes the DllSerMa export in the plugin DLL. Supports Windows service manipulation sub-commands. | CSerManager |
| 0x17 | Executes the DllReg export in the plugin DLL. Supports Windows registry manipulation sub-commands. | CRegistry |

Table 2: List of commands supported by the KuGou variant of Ghost RAT.

Operation PhantomPrayers

In June 2025, a new subdomain, hhthedalailama90.niccenter[.]net, was used by the threat actor to distribute a malicious application masquerading as "special prayer check-in" software. The malicious binary hosted at the URL http://hhthedalailama90.niccenter[.]net/DalaiLamaCheckin.exe is an application built with the PyQt5 framework and the Python data visualization library Folium, and packaged as an executable using PyInstaller.

The binary displays a graphical user interface (GUI) to the targeted user, prompting them to check in by entering their username and email address. In addition, the GUI displays an interactive map showing other users who have checked in, thereby adding legitimacy to the social engineering process.
In the background, malicious activities are carried out.

The figure below shows the graphical user interface (GUI) displayed to the victim upon execution of DalaiLamaCheckin.exe.

Figure 5: Graphical user interface (GUI) displayed upon execution of DalaiLamaCheckin.exe.

The following describes the key capabilities of this binary, summarized in Table 3.

Directory creation

Creates a directory at the path %appdata%\Birthday.

DLL sideloading infection chain

Copies the following components to that directory for the next stage of the infection chain:

- Legitimate, digitally signed VLC.exe, which is vulnerable to DLL sideloading.
- Malicious libvlc.dll, designed to be sideloaded by VLC.exe.
- A .tmp file containing shellcode, which is loaded and executed by libvlc.dll.

Persistence

Establishes persistence by creating a Windows shortcut file, Birthday Reminder.lnk, in the STARTUP directory. The shortcut's target path points to VLC.exe in the %appdata%\Birthday directory, ensuring the malicious application launches automatically at system startup.

PyQt5 check-in dialog and API integration

Displays a GUI created with PyQt5, prompting the target to check in. The dialog prompts the user to enter their username and email address. Upon check-in, an HTTP GET request is sent to 104.234.15[.]90:59999/api/checkins with the custom HTTP header X-API-KEY: m1baby007.

Folium-based data visualization

Uses the Python visualization library Folium to download check-in data from 104.234.15[.]90:59999/api/checkins. The data is parsed to extract usernames and locations, then used to generate a map file named map.html, which is loaded and presented to the victim. This map is designed to convince the user that others worldwide are using the prayer check-in software.

Table 3: The key capabilities of the PhantomPrayers binary.

This information is captured at the server's end in the following JSON format.

```json
{
  "username": "",
  "lat": "",
  "lon": "",
  "location": "",
  "timestamp": "",
  "ip": "",
  "email": ""
}
```

The check-in data downloaded from the server is available in our GitHub repository. It appears that most of these entries were fabricated by the threat actor, as the IP addresses captured for most of the usernames belong to hosting providers instead of ISPs.

Below is the configuration present inside the PyInstaller-decompiled code.

```python
import os        # imports added so the excerpt runs stand-alone
import tempfile

BACKEND_URL = 'http://104.234.15.90:59999/api'
CHECKIN_URL = f'{BACKEND_URL}/checkin'
CHECKINS_URL = f'{BACKEND_URL}/checkins'
API_KEY = 'm1baby007..'
API_HEADERS = {'X-API-KEY': API_KEY}
BIRTHDAY_VENUE_COORDS = [32.232513887581284, 76.32422089040426]
MAP_HTML_FILE = os.path.join(tempfile.gettempdir(), 'map.html')
APP_NAME_IN_APPDATA = 'DalaiLamaBirthdayCheckin'
```

The PhantomPrayers attack chain closely resembles the Operation GhostChat attack, with the notable exception that the stage 2 loader shellcode is encrypted and stored in an external .tmp file instead of being embedded within stage 1. The PhantomPrayers attack chain is shown in the figure below.

Figure 6: Multi-stage attack chain for Operation PhantomPrayers.

Stage 1: Shellcode loader

When VLC.exe is executed, it sideloads the malicious libvlc.dll from the same directory. The stage 1 loader code resides in the libvlc_new exported function, which decrypts and executes the next-stage shellcode stored in the .tmp file within the directory.

The shellcode in the .tmp file is encrypted with two layers:

- Layer 1: RC4 encryption using a hardcoded 16-byte key and initialization vector (IV).
- Layer 2: AES-128 (CBC mode) encryption, with the same 16-byte key and IV.

The decryption code is provided below.

```python
from Crypto.Cipher import ARC4   # PyCryptodome
from Crypto.Cipher import AES

with open(".tmp", "rb") as f:
    encrypted_shellcode = f.read()

# Layer 1: RC4 with the hardcoded 16-byte key
rc4_key = b'\x0F\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
rc4_cipher = ARC4.new(rc4_key)
rc4_decrypted = rc4_cipher.decrypt(encrypted_shellcode)

# Layer 2: AES-128-CBC with the hardcoded key and IV
aes_key = b'\x01\x02\x03\x09\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
aes_iv = b'\x01\x02\x03\x09\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
aes_cipher = AES.new(aes_key, AES.MODE_CBC, aes_iv)
# The original script appended a single null byte; padding up to the AES block
# boundary gives the same result for that sample and also accepts other lengths.
rc4_decrypted = rc4_decrypted + b"\x00" * (-len(rc4_decrypted) % AES.block_size)
decrypted_shellcode = aes_cipher.decrypt(rc4_decrypted)

with open("decrypted_shellcode.bin", "wb") as f:
    f.write(decrypted_shellcode)
```

Stage 2: Reflective loader

This shellcode, similar to the one used in the Operation GhostChat infection chain, is designed solely to decompress an embedded executable, load it into memory, and execute it.

Stage 3: PhantomNet

The final payload is a 32-bit executable and a variant of the PhantomNet backdoor. Its embedded configuration is XOR-encoded with a hardcoded 10-byte key (6B B2 95 27 66 66 74 6B A1 86) and includes the C2 server 45.154.12[.]93 and port 2233 as strings. While this sample uses TCP for C2 communication, it can also be configured for HTTPS communication. C2 traffic is secured using AES encryption with a key derived from a string in the configuration.

PhantomNet can be set to operate only during specific hours or days, but this capability is not enabled in the current sample. The backdoor relies on plugin DLLs delivered from the C2 server to carry out actions on the infected system.

Since this sample's commands and functionality match those reported by ESET researchers in the 2020 Operation SignSight campaign, we will not provide further details on the malware.

Threat Attribution

Based on the victimology and malware used in both campaigns, ThreatLabz attributes Operation GhostChat and Operation PhantomPrayers to China state-sponsored cyber espionage groups. Variants of Ghost RAT are widely used by various Chinese-speaking threat actors, including state-sponsored groups. While PhantomNet has been attributed by other researchers to TA428, a China-nexus APT group, it remains uncertain whether this malware is exclusively associated with that group or is also used by other China-nexus actors.

The diamond model below outlines the key attributes of this campaign.

Figure 7: Diamond model highlighting key attributes of this campaign, which delivers Ghost RAT and PhantomNet and targets the Tibetan community.

Conclusion

Zscaler ThreatLabz's collaboration with TibCERT revealed shared tactics across both operations targeting the Tibetan community, such as strategic web compromises, DLL sideloading, and the deployment of the Ghost RAT and PhantomNet backdoors. Both campaigns used a shellcode loader that employs low-level APIs and native Windows function calls to bypass user-mode detection mechanisms. PhantomNet used modular plugin DLLs, AES-encrypted C2 traffic, and configurable timed operations to stealthily manage compromised systems.

Zscaler ThreatLabz continues to monitor and analyze the TTPs of these advanced persistent threat (APT) groups to develop better detection and mitigation strategies against similar threats.
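Two of the unpacking steps described above can be reproduced with the following Python helpers: restoring the MZ/PE magic bytes that the stage 2 loaders overwrite with 0x0d/0x0a, and decoding the XOR-encoded blobs (config.dll with the one-byte key 0x15, and the PhantomNet configuration with its 10-byte key) to recover the C2 strings. This is an added example, not code from the Zscaler analysis or its GitHub repository; the header stub and configuration blob are constructed fixtures, and the assumption that only the two bytes of "MZ" and "PE" are overwritten (the trailing nulls of "PE\0\0" left intact) is mine.

```python
import re
import struct

# Keys quoted in the analysis above; every blob built further down is a constructed fixture.
PHANTOMNET_CFG_KEY = bytes.fromhex("6bb295276666746ba186")  # 10-byte PhantomNet config key
GHOST_PLUGIN_KEY = b"\x15"                                   # one-byte key for config.dll
BLANK = b"\r\n"                                              # 0x0d 0x0a written over "MZ" / "PE"


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call also builds test fixtures."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """ASCII runs of at least min_len bytes, like the strings tool."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def recover_c2(encoded_config: bytes):
    """Decode a PhantomNet-style config and return the first IPv4 literal and numeric port."""
    strings = printable_strings(xor_decode(encoded_config, PHANTOMNET_CFG_KEY))
    host = next((s for s in strings if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", s)), None)
    port = next((int(s) for s in strings if s.isdigit() and 0 < int(s) < 65536), None)
    return host, port


def e_lfanew(data: bytes) -> int:
    """Offset of the NT headers, read from the DOS header field at 0x3C."""
    if len(data) < 0x40:
        raise ValueError("too short for a DOS header")
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if off + 4 > len(data):
        raise ValueError("e_lfanew points outside the buffer")
    return off


def is_blanked_pe(data: bytes) -> bool:
    """Triage check: both magics replaced by 0x0d 0x0a while the rest of the headers are intact."""
    try:
        off = e_lfanew(data)
    except ValueError:
        return False
    return data[:2] == BLANK and data[off:off + 2] == BLANK and data[off + 2:off + 4] == b"\0\0"


def fix_pe_magic(data: bytes) -> bytes:
    """Restore "MZ" and "PE" so a PE parser accepts the dump; a no-op on an intact header."""
    buf = bytearray(data)
    off = e_lfanew(buf)
    if buf[:2] == BLANK:
        buf[:2] = b"MZ"
    if buf[off:off + 2] == BLANK:
        buf[off:off + 2] = b"PE"
    if buf[:2] != b"MZ" or buf[off:off + 4] != b"PE\0\0":
        raise ValueError("header is neither intact nor blanked the way the stage 2 loader leaves it")
    return bytes(buf)


# Constructed fixtures (not bytes from the samples).
def blanked_stub() -> bytes:
    """68-byte DOS stub with e_lfanew = 0x40 and both magics overwritten, as stage 2 leaves them."""
    hdr = bytearray(0x44)
    hdr[:2] = BLANK
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = BLANK + b"\0\0"
    return bytes(hdr)


# A toy config laid out as null-separated strings, then XOR-encoded with the real 10-byte key.
ENCODED_CONFIG = xor_decode(
    b"\x01\x00" + b"45.154.12.93" + b"\0" * 4 + b"2233" + b"\0" * 4 + b"tcp" + b"\0",
    PHANTOMNET_CFG_KEY,
)
```

Run is_blanked_pe() over memory dumps of ImagingDevices.exe to spot the blanked stage 3 image, then fix_pe_magic() before handing the region to a PE parser.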
Zscaler Coverage

Zscaler's multilayered cloud security platform detects indicators related to the targeted attacks mentioned in this blog at various levels with the following threat names:

- Win64.Trojan.PhantomNet
- Win32.Backdoor.GhostRAT

MITRE ATT&CK Framework

| ID | Tactic | Description |
|---|---|---|
| T1106 | Native API | Low-level APIs are used during code injection and execution in the stage 1 loader. |
| T1204.002 | User Execution: Malicious File | The victim is tricked into running the trojanized software to initiate the attack chain. |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Registry persistence is set up by the stage 1 loader. |
| T1574.001 | Hijack Execution Flow: DLL | DLL sideloading is used to execute the stage 1 loader. |
| T1055.002 | Process Injection: Portable Executable Injection | The stage 1 loader injects stage 2 shellcode into C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe. |
| T1036 | Masquerading | The software downloaded by users masquerades as software useful to the Tibetan community. |
| T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | APIs are dynamically resolved in the stage 1 and 2 loaders. |
| T1027.009 | Obfuscated Files or Information: Embedded Payloads | The stage 1 and 2 loaders embed their next stages within themselves. |
| T1027.015 | Obfuscated Files or Information: Compression | The stage 3 executables are compressed and embedded in the stage 2 shellcode. |
| T1620 | Reflective Code Loading | The stage 2 loaders use reflective code loading to load the stage 3 executables. |
| T1070.001 | Indicator Removal: Clear Windows Event Logs | Ghost RAT supports a command to clear the Windows Event Logs. |
| T1056.001 | Input Capture: Keylogging | Ghost RAT supports keylogging. |
| T1083 | File and Directory Discovery | Ghost RAT supports file and directory enumeration. |
| T1057 | Process Discovery | Ghost RAT supports process enumeration. |
| T1012 | Query Registry | Ghost RAT supports querying and modifying registry keys. |
| T1518.001 | Software Discovery: Security Software Discovery | PhantomNet enumerates AV products via WMI. |
| T1082 | System Information Discovery | Ghost RAT and PhantomNet can collect system information such as OS version and machine name. |
| T1033 | System Owner/User Discovery | Ghost RAT supports user enumeration. |
| T1123 | Audio Capture | Ghost RAT supports audio capture. |
| T1115 | Clipboard Data | Ghost RAT supports the collection of clipboard data. |
| T1005 | Data from Local System | Ghost RAT can read local files. |
| T1113 | Screen Capture | Ghost RAT supports screen capture. |
| T1125 | Video Capture | Ghost RAT supports webcam video capture. |
| T1573.001 | Encrypted Channel: Symmetric Cryptography | Ghost RAT uses a symmetric cryptography algorithm to encrypt C2 traffic. |
| T1095 | Non-Application Layer Protocol | Ghost RAT and PhantomNet use a custom binary protocol for C2 communication over TCP. |
| T1071.001 | Application Layer Protocol: Web Protocols | PhantomNet supports C2 communication over HTTP and HTTPS. |
| T1529 | System Shutdown/Reboot | Ghost RAT supports a command to shut down the infected machine. |

Indicators of Compromise (IOCs)

Network indicators

| Type | Indicator |
|---|---|
| Malicious domain | thedalailama90.niccenter[.]net |
| Malicious domain | tbelement.niccenter[.]net |
| Malicious domain | beijingspring.niccenter[.]net |
| Malicious domain | penmuseum.niccenter[.]net |
| Malicious hosting URL | tbelement.niccenter[.]net/Download/TBElement.zip |
| Ghost RAT C2 server | 104.234.15[.]90:19999 |
| Payload hosting URL | http://hhthedalailama90.niccenter[.]net/DalaiLamaCheckin.exe |
| Check-in server | http://104.234.15[.]90:59999/api |
| PhantomNet C2 server | 45.154.12[.]93:2233 |

Host indicators

- Files installed by DalaiLamaCheckin.exe to execute PhantomNet:
  - %appdata%\Birthday\VLC.exe
  - %appdata%\Birthday\libvlc.dll
  - %appdata%\Birthday\.tmp
  - %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Birthday Reminder.lnk
- Process with injected code to execute Ghost RAT or PhantomNet: ImagingDevices.exe
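The host and network indicators above can be turned into simple telemetry checks. The following Python is an added example (not Zscaler's detection content): it evaluates constructed Sysmon-style event records against the sideloading pairs, the ImagingDevices.exe injection target, the Run key value, the Startup shortcut, the %appdata%\Birthday drop directory and the C2 endpoints reported in this post. The event schema and the trusted install roots used to exclude a genuine VLC or Element install are assumptions.

```python
import re

# Indicators quoted from the write-up above; the event records at the bottom are constructed.
SIDELOAD_PAIRS = {"element.exe": "ffmpeg.dll", "vlc.exe": "libvlc.dll"}
INJECTION_TARGET = "imagingdevices.exe"
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
STARTUP_LNK = "birthday reminder.lnk"
DROPPED_FILES = {"vlc.exe", "libvlc.dll", ".tmp"}
C2_ENDPOINTS = {("104.234.15.90", 19999), ("45.154.12.93", 2233), ("104.234.15.90", 59999)}
C2_DOMAIN_RE = re.compile(r"(^|\.)niccenter\.net$")
TRUSTED_DIRS = (r"c:\program files", r"c:\windows")  # assumed install roots for the real apps


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict):
    """Return (rule, detail) when an event matches one of the reported TTPs, else None."""
    kind = ev["type"]
    if kind == "image_load":
        host, dll, path = _base(ev["process"]), _base(ev["image"]), ev["image"].lower()
        if SIDELOAD_PAIRS.get(host) == dll and not path.startswith(TRUSTED_DIRS):
            return "dll_sideload", f"{host} loaded {dll} from {ev['image']}"
    elif kind == "process_create":
        if _base(ev["image"]) == INJECTION_TARGET and _base(ev["parent"]) in SIDELOAD_PAIRS:
            return "injection_target_spawn", f"{_base(ev['parent'])} spawned {INJECTION_TARGET}"
    elif kind == "remote_thread":
        if _base(ev["target"]) == INJECTION_TARGET:
            return "remote_thread", f"{_base(ev['source'])} created a thread in {INJECTION_TARGET}"
    elif kind == "registry_set":
        if ev["key"].lower() == RUN_KEY and ev["value_name"].lower() == "element":
            return "run_key_persistence", ev["data"]
    elif kind == "file_create":
        path = ev["path"].lower()
        if path.endswith("\\startup\\" + STARTUP_LNK) or ("\\birthday\\" in path and _base(path) in DROPPED_FILES):
            return "startup_persistence", ev["path"]
    elif kind == "network":
        host = ev.get("host", "").lower()
        if (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS or C2_DOMAIN_RE.search(host):
            return "c2_contact", f"{host or ev['dst_ip']}:{ev['dst_port']}"
    return None


def scan(events: list) -> list:
    """Run every event through check_event and keep the hits, in order."""
    return [hit for hit in map(check_event, events) if hit]


# Constructed telemetry: GhostChat-style events followed by PhantomPrayers-style artifacts.
SAMPLE_EVENTS = [
    {"type": "image_load", "process": r"C:\Users\victim\Downloads\TBElement\Element.exe",
     "image": r"C:\Users\victim\Downloads\TBElement\ffmpeg.dll"},
    {"type": "image_load", "process": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "image": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},                      # genuine install
    {"type": "process_create", "parent": r"C:\Users\victim\Downloads\TBElement\Element.exe",
     "image": r"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Element", "data": r"C:\Users\victim\Downloads\TBElement\Element.exe"},
    {"type": "file_create",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Birthday Reminder.lnk"},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Roaming\Birthday\libvlc.dll"},
    {"type": "network", "dst_ip": "45.154.12.93", "dst_port": 2233},
    {"type": "network", "dst_ip": "8.8.8.8", "dst_port": 53, "host": "example.com"},  # benign
]
```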
*** This is a Security Bloggers Network syndicated blog from Security Research | Blog authored by Security Research | Blog. Read the original post at: https://www.zscaler.com/blogs/security-research/illusory-wishes-china-nexus-apt-targets-tibetan-community

