<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width"/><title>China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike</title><meta name="description" content="China-based TAG-112 exploited Tibetan sites to spread Cobalt Strike malware. Recorded Future reveals targeted threats by state-sponsored actors."/><meta name="robots" content="index, follow"/><link rel="icon" href="/favicon.ico"/><meta itemProp="name" content="China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike"/><meta itemProp="description" content="China-based TAG-112 exploited Tibetan sites to spread Cobalt Strike malware. Recorded Future reveals targeted threats by state-sponsored actors."/><meta itemProp="image" content="https://cms.recordedfuture.com/uploads/format_webp/cta_cn_2024_1112_Social_6c644c6f49.jpg" alt="China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike"/><meta property="og:type" content="website"/><meta property="og:title" content="China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike"/><meta property="og:description" content="China-based TAG-112 exploited Tibetan sites to spread Cobalt Strike malware. Recorded Future reveals targeted threats by state-sponsored actors."/><meta property="og:image" content="https://cms.recordedfuture.com/uploads/format_webp/cta_cn_2024_1112_Social_6c644c6f49.jpg"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike"/><meta name="twitter:description" content="China-based TAG-112 exploited Tibetan sites to spread Cobalt Strike malware. Recorded Future reveals targeted threats by state-sponsored actors."/><meta name="twitter:image" content="https://cms.recordedfuture.com/uploads/format_webp/cta_cn_2024_1112_Social_6c644c6f49.jpg"/><meta name="author" content="RecordedFuture"/><link class="sl_norewrite" rel="alternate" hrefLang="x-default" href="https://www.recordedfuture.com/research/china-nexus-tag-112-compromises-tibetan-websites"/><link class="sl_norewrite" rel="alternate" hrefLang="fr-fr" href="https://www.recordedfuture.com/fr/research/china-nexus-tag-112-compromises-tibetan-websites"/><link class="sl_norewrite" rel="alternate" hrefLang="de-de" href="https://www.recordedfuture.com/de/research/china-nexus-tag-112-compromises-tibetan-websites"/><link class="sl_norewrite" rel="alternate" hrefLang="ja-jp" href="https://www.recordedfuture.com/jp/research/china-nexus-tag-112-compromises-tibetan-websites"/><link class="sl_norewrite" rel="alternate" hrefLang="ko-kr" href="https://www.recordedfuture.com/ko/research/china-nexus-tag-112-compromises-tibetan-websites"/><link class="hsl" rel="canonical" href="https://www.recordedfuture.com/research/china-nexus-tag-112-compromises-tibetan-websites"/><meta class="hsl" property="og:url" content="https://www.recordedfuture.com/research/china-nexus-tag-112-compromises-tibetan-websites"/><link rel="preload" as="image" imageSrcSet="https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=256 256w, https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=384 384w, https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=640 640w, https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=750 750w, https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=828 828w, https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=1080 1080w, https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=1200 1200w, https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=1920 1920w, https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=2048 2048w, https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=3840 3840w" imageSizes="(max-width: 768px) 100vw, (max-width: 1200px) 50vw, 33vw" fetchpriority="high"/><link rel="preload" as="image" imageSrcSet="https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=256 256w, https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=384 384w, https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=640 640w, https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=750 750w, https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=828 828w, https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=1080 1080w, https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=1200 1200w, https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=1920 1920w, https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=2048 2048w, https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=3840 3840w" imageSizes="(max-width: 768px) 100vw, (max-width: 1200px) 50vw, 33vw" fetchpriority="high"/><meta name="next-head-count" content="27"/><link rel="preload" href="/fonts/fonts.css" as="style"/><link rel="stylesheet" href="/fonts/fonts.css"/><meta class="sl_norewrite" name="lang-debug-id" content="en"/><meta class="sl_norewrite" name="lang-debug-slug" content="/"/><meta class="sl_norewrite" name="lang-debug-hrefLang" content="en"/><link data-next-font="" rel="preconnect" href="/" crossorigin="anonymous"/><link rel="preload" href="/_next/static/css/253fca5dc580d0ec.css" as="style"/><link rel="stylesheet" href="/_next/static/css/253fca5dc580d0ec.css" data-n-g=""/><link rel="preload" href="/_next/static/css/ed5a9e40e8963ad2.css" as="style"/><link rel="stylesheet" href="/_next/static/css/ed5a9e40e8963ad2.css" data-n-p=""/><noscript data-n-css=""></noscript><script defer="" nomodule="" src="/_next/static/chunks/polyfills-c67a75d1b6f99dc8.js"></script><script src="/_next/static/chunks/webpack-4f5c83ac324d0e69.js" defer=""></script><script src="/_next/static/chunks/framework-467b11a89995b152.js" defer=""></script><script src="/_next/static/chunks/main-75bdb96a41ba80f4.js" defer=""></script><script src="/_next/static/chunks/pages/_app-7dce919248be9c19.js" defer=""></script><script src="/_next/static/chunks/769-f95d08d81b193fa5.js" defer=""></script><script src="/_next/static/chunks/129-82bd73d6c6af04c1.js" defer=""></script><script src="/_next/static/chunks/911-ff01f8a62625f045.js" defer=""></script><script src="/_next/static/chunks/834-5056ffb50646338d.js" defer=""></script><script src="/_next/static/chunks/295-5f8eb86236394fa9.js" defer=""></script><script src="/_next/static/chunks/267-58d62d3f86e6045f.js" defer=""></script><script src="/_next/static/chunks/624-816ec4c0386d2868.js" defer=""></script><script src="/_next/static/chunks/pages/%5B%5B...slug%5D%5D-beba267fd48fa5f6.js" defer=""></script><script src="/_next/static/j2JvDgGLGrnhH6NPDpk9f/_buildManifest.js" defer=""></script><script src="/_next/static/j2JvDgGLGrnhH6NPDpk9f/_ssgManifest.js" defer=""></script></head><body><noscript><iframe height="0" src="https://www.googletagmanager.com/ns.html?id=GTM-539N74N" style="display:none;visibility:hidden" title="Google Tag Manager" width="0" loading="lazy"></iframe></noscript><div id="__next"><div class=""><section class="flex flex-col" style="background-color:#EDEEF0"><noscript><iframe src="https://9890019.fls.doubleclick.net/activityi;src=9890019;type=sitew0;cat=sitew0;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;ord=&#x27;3072361529047.478&#x27;?" width="1" height="1" style="display:none" title="Floodlight Random"></iframe><iframe src="https://9890019.fls.doubleclick.net/activityi;src=9890019;type=sitew0;cat=sitew0;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;ord=1?" width="1" height="1" style="display:none" title="Floodlight"></iframe></noscript><header class="sticky top-0 z-40 bg-grey-athens xl:top-[-50px]"><nav class="bg-opacity-0 transition-all duration-200 relative z-40 bg-grey-athens"><div class="hidden bg-grey-mercury py-4 lg:block"><div class="mx-auto w-full max-w-layout px-5 md:px-8 lg:px-12 xl:px-20 2xl:px-40"><ul class="flex items-center justify-end space-x-8"><li class="flex items-center"><a class="text-xs" rel="noreferrer" aria-label="Blog" href="/blog">Blog</a></li><li class="flex items-center"><a class="text-xs" rel="noreferrer" aria-label="Careers" href="/careers">Careers</a></li><li class="flex items-center"><a class="text-xs" rel="noreferrer" aria-label="Contact Us" href="/contact">Contact Us</a></li><li class="flex items-center"><a class="text-xs" rel="noreferrer" aria-label="Login" href="https://app.recordedfuture.com/live/login/">Login</a></li><li class="sl_norewrite"></li></ul></div></div><div class="z-20 relative"><div class="mx-auto w-full max-w-layout px-5 md:px-8 lg:px-12 xl:px-20 2xl:px-40"><div class="flex items-center justify-between border-b-4 border-black py-5 md:py-7"><div class="relative h-9 w-32 md:h-12 md:w-44 xl:h-10 xl:w-72"><a target="_self" rel="preload" href="/"><img fetchpriority="high" alt="Recorded Future Logo" decoding="async" data-nimg="fill" style="position:absolute;height:100%;width:100%;left:0;top:0;right:0;bottom:0;object-fit:contain;color:transparent" sizes="(max-width: 768px) 100vw, (max-width: 1200px) 50vw, 33vw" srcSet="https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=256 256w, https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=384 384w, https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=640 640w, https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=750 750w, https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=828 828w, https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=1080 1080w, https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=1200 1200w, https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=1920 1920w, https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=2048 2048w, https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=3840 3840w" src="https://cms.recordedfuture.com/uploads/brand_logo_long_black_f2ead5b5c6.svg?w=3840"/></a></div><div class="ml-[10px] flex items-center space-x-0"><ul class="hidden space-x-4 lg:flex xlg:space-x-8"><li class="relative flex items-center"><a class="truncate text-sm" rel="noreferrer" aria-label="Platform" href="https://www.recordedfuture.com/platform/intelligence-cloud">Platform</a></li><li class="relative flex items-center"><a class="truncate text-sm" rel="noreferrer" aria-label="Outcomes" href="/outcomes">Outcomes</a></li><li class="relative flex items-center"><a class="truncate text-sm" rel="noreferrer" aria-label="Products" href="https://www.recordedfuture.com/platform/intelligence-cloud">Products</a></li><li class="relative flex items-center"><a class="truncate text-sm" rel="noreferrer" aria-label="Services" href="https://www.recordedfuture.com/services-support/client-success">Services</a></li><li class="relative flex items-center"><a class="truncate text-sm" rel="noreferrer" aria-label="Research" href="/research">Research</a></li><li class="relative flex items-center"><a class="truncate text-sm" rel="noreferrer" aria-label="Resources" href="/resources">Resources</a></li><li class="relative flex items-center"><a class="truncate text-sm" rel="noreferrer" aria-label="Company" href="/company">Company</a></li></ul><div class="flex space-x-2 lg:flex-row-reverse"><div><div class="hidden lg:block"><div class="react-ripples rounded-md" style="position:relative;display:inline-flex;overflow:hidden"><a class="bg-black border border-black text-white px-[15px] py-[12px] h-14 md:h-[50px] text-sm duration-300 flex items-center justify-center rounded-md transition-colors whitespace-nowrap flex items-center !px-0 border-none" target="_blank" rel="noreferrer" aria-label="Get a demo" href="https://go.recordedfuture.com/demo?utm_campaign=rf-research-top-demo-floating-nav-bar-2024&amp;utm_source=recordedfuture&amp;utm_medium=website&amp;utm_content=rf-research-top-demo-floating-nav-bar-2024&amp;utm_term=rf-research-top-demo-floating-nav-bar-2024"><div class="nav_navcta__VBCcv flex h-full items-center px-5 hover:saturate-[.80]"><div class="rich-text_rich-text__dRpjl relative z-10 text-sm"><p>Get a <strong>demo</strong></p> </div></div></a><s style="position:absolute;border-radius:50%;opacity:0;width:35px;height:35px;transform:translate(-50%, -50%);pointer-events:none"></s></div></div><div class="lg:hidden"><div class="react-ripples rounded-md" style="position:relative;display:inline-flex;overflow:hidden"><a class="bg-black border border-black text-white px-[15px] py-[12px] h-14 md:h-[50px] text-sm duration-300 flex items-center justify-center rounded-md transition-colors whitespace-nowrap flex items-center !p-0 border-none" target="_blank" rel="noreferrer" aria-label="Book a free demo" href="https://go.recordedfuture.com/demo?utm_campaign=rf-research-top-demo-floating-nav-bar-2024&amp;utm_source=recordedfuture&amp;utm_medium=website&amp;utm_content=rf-research-top-demo-floating-nav-bar-2024&amp;utm_term=rf-research-top-demo-floating-nav-bar-2024"><div class="nav_navcta__VBCcv flex h-full items-center px-5 hover:saturate-[.80]"><div class="rich-text_rich-text__dRpjl relative z-10 text-sm"><p>Book a <strong>free</strong> demo</p> </div></div></a><s style="position:absolute;border-radius:50%;opacity:0;width:35px;height:35px;transform:translate(-50%, -50%);pointer-events:none"></s></div></div></div><div class="react-ripples rounded-md" style="position:relative;display:inline-flex;overflow:hidden"><button class="bg-black border border-black text-white w-14 md:w-16 h-14 md:h-[50px] text-sm duration-300 flex items-center justify-center rounded-md transition-colors whitespace-nowrap mx-[.5rem] hidden border-0 bg-transparent lg:block" aria-label="Search" type="button"><span class="text-black text-base icon-search"></span></button><s style="position:absolute;border-radius:50%;opacity:0;width:35px;height:35px;transform:translate(-50%, -50%);pointer-events:none"></s></div><div class="block lg:hidden"><div class="react-ripples rounded-md" style="position:relative;display:inline-flex;overflow:hidden"><button class="bg-black border border-black text-white w-14 md:w-16 h-14 md:h-[50px] text-sm duration-300 flex items-center justify-center rounded-md transition-colors whitespace-nowrap" aria-label="Menu" type="button"><span class="text-white text-base icon-menu"></span></button><s style="position:absolute;border-radius:50%;opacity:0;width:35px;height:35px;transform:translate(-50%, -50%);pointer-events:none"></s></div></div></div></div></div></div></div></nav></header><main class="flex-auto overflow-x-clip"><div class="mx-auto w-full max-w-layout px-5 md:px-8 lg:px-12 xl:px-20 2xl:px-40"><section class="my-10 lg:my-20"><div class="mb-5 border-grey-silver item-center relative z-20 flex w-min space-x-2 whitespace-nowrap rounded-full border border-black px-3 py-1"><span class="text-sm md:text-base icon-recorded-future"></span><span class="text-black md:text-base text-sm font-semibold">Research (Insikt)</span></div><div class="relative flex flex-col space-y-5 pb-12"><h1 class="page-heading-three">China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike</h1><div class="flex space-x-3"><div class="text-sm xl:text-base"><span class="font-medium text-grey-emperor">Posted:聽</span><span class="font-bold">12th November 2024</span></div><div class="text-sm xl:text-base"><span class="font-medium text-grey-emperor">By:聽</span><span class="font-bold">Insikt Group庐</span></div></div></div><div class="relative hidden w-full pb-[84.8%] md:pb-[37.5%] lg:block"><img fetchpriority="high" alt="China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike" decoding="async" data-nimg="fill" class="z-10" style="position:absolute;height:100%;width:100%;left:0;top:0;right:0;bottom:0;object-fit:cover;color:transparent" sizes="(max-width: 768px) 100vw, (max-width: 1200px) 50vw, 33vw" srcSet="https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=256 256w, https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=384 384w, https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=640 640w, https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=750 750w, https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=828 828w, https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=1080 1080w, https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=1200 1200w, https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=1920 1920w, https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=2048 2048w, https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=3840 3840w" src="https://cms.recordedfuture.com/uploads/format_webp/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg?w=3840"/></div></section><div class="-mt-10 flex flex-wrap justify-center lg:-mt-20"><aside class="mt-20 hidden w-4/12"><div class="w-3/4 space-y-5"></div></aside><div class="w-full lg:w-8/12"><section class="my-10 lg:my-20"><div class="relative z-10 text-md font-normal text-black lg:max-w-4xl lg:text-lg"><div class="rich-text_rich-text__dRpjl"><p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p> <h2 id="summary">Summary</h2> <p>In a recent cyber campaign, the Chinese state-sponsored threat group TAG-112 compromised two Tibetan websites, Tibet Post and Gyudmed Tantric University, to deliver the Cobalt Strike malware. Recorded Future鈥檚 Insikt Group discovered that the attackers embedded malicious JavaScript in these sites, which spoofed a TLS certificate error to trick visitors into downloading a disguised security certificate. This malware, often used by threat actors for remote access and post-exploitation, highlights a continued cyber-espionage focus on Tibetan entities. TAG-112鈥檚 infrastructure, concealed using Cloudflare, links this campaign to other China-sponsored operations, particularly TAG-102 (Evasive Panda).</p> <hr> <h2 id="china-based-tag-112-compromises-tibetan-websites-to-distribute-cobalt-strike">China-Based TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike</h2> <p>Cyberattacks targeting ethnic and religious minority groups in China continue, with new developments pointing to a targeted campaign against Tibetan organizations. In a recent investigation, Recorded Future鈥檚 Insikt Group discovered a Chinese state-sponsored threat actor group, designated TAG-112, responsible for compromising Tibetan community websites and delivering Cobalt Strike, a potent cyber-espionage tool.</p> <h2 id="key-findings">Key Findings</h2> <p>In late May 2024, TAG-112 compromised at least two Tibetan community websites: Tibet Post (tibetpost[.]net) and Gyudmed Tantric University (gyudmedtantricuniversity[.]org). The attackers exploited vulnerabilities in the Joomla content management system (CMS) used by these sites to implant malicious JavaScript. This JavaScript prompted visitors to download a fake security certificate, which, when opened, deployed the Cobalt Strike payload.</p> <p>TAG-112鈥檚 infrastructure shows notable overlap with TAG-102 (<a href="https://therecord.media/china-based-hackers-evasive-isps-malware">Evasive Panda</a>), a more sophisticated Chinese state-sponsored group known for targeting Tibetan entities. However, Insikt Group has identified TAG-112 as a separate entity due to differences in attack maturity and tactics, such as using Cobalt Strike rather than custom malware and foregoing JavaScript obfuscation.</p> <h3 id="malicious-javascript-and-spoofed-tls-error">Malicious JavaScript and Spoofed TLS Error</h3> <p>The attack begins with the malicious JavaScript embedded in the compromised websites. When a user visits one of these sites, the script detects the operating system and browser type, confirming compatibility with Windows. If compatible, the script initiates a connection with TAG-112鈥檚 command-and-control (C2) domain, update[.]maskrisks[.]com, which then returns an HTML page spoofing a legitimate TLS certificate error.</p> <p>This spoofed error page is crafted to mimic Google Chrome鈥檚 TLS certificate warning, deceiving users into clicking a link to &quot;download a security certificate.&quot; Upon clicking, users unknowingly initiate the download of <a href="https://www.recordedfuture.com/blog/detect-cobalt-strike-inside-look">Cobalt Strike</a>, a legitimate tool commonly used by security testers but often exploited by attackers for remote access and command execution.</p> <h3 id="exploiting-website-vulnerabilities">Exploiting Website Vulnerabilities</h3> <p>TAG-112 likely gained access to the compromised Tibetan websites through vulnerabilities in Joomla, a popular CMS. Websites built on Joomla are frequently targeted by attackers if they are not adequately maintained and updated. Likely by exploiting these weaknesses, TAG-112 was able to upload the malicious JavaScript file, which remains active on these sites as of early October 2024.</p> <h3 id="infrastructure-and-obfuscation-tactics">Infrastructure and Obfuscation Tactics</h3> <p>TAG-112鈥檚 infrastructure shows a level of sophistication in concealing its origins. The group used Cloudflare to shield its servers&#39; IP addresses, complicating efforts to trace the infrastructure back to its origin. Insikt Group identified multiple IP addresses linked to TAG-112鈥檚 C2 servers, some active as early as March 2024. The primary domain, maskrisks[.]com, was registered in March 2024 through Namecheap, with subdomains such as mail[.]maskrisks[.]com and checkupdate[.]maskrisks[.]com added for further operational flexibility.</p> <h3 id="tag-112s-use-of-cobalt-strike">TAG-112鈥檚 Use of Cobalt Strike</h3> <p>Cobalt Strike is a commercial penetration testing tool that has become a favorite among threat actors due to its versatility and powerful capabilities for remote access, lateral movement, and command-and-control. Insikt Group identified six distinct Cobalt Strike Beacon samples linked to TAG-112, with their C2 communication directed to mail[.]maskrisks[.]com. This malware enables TAG-112 to monitor and control compromised systems, gathering intelligence and potentially leveraging these infected systems for further espionage activities.</p> <h3 id="connections-to-tag-102-evasive-panda">Connections to TAG-102 (Evasive Panda)</h3> <p>TAG-112 shares several operational characteristics with TAG-102 (Evasive Panda), another <a href="https://www.recordedfuture.com/research/chinese-cyberespionage-operations">Chinese APT known for targeting the Tibetan community</a>. Both groups have used similar methods, including spoofed error pages to deliver malicious files. However, TAG-112鈥檚 operations are less sophisticated than TAG-102, indicating that it may be a subgroup or less experienced branch. For instance, while TAG-102 has deployed customized malware and used obfuscation techniques, TAG-112 relies on the readily available Cobalt Strike tool without obfuscating its JavaScript.</p> <p>Despite the lack of obfuscation, TAG-112鈥檚 tactics and overlaps with TAG-102 highlight the Chinese government鈥檚 ongoing interest in Tibetan and other ethnic and religious minority communities. Such campaigns are part of a broader strategy of surveillance and control, targeting groups perceived as threats to the stability and control of the Chinese Communist Party (CCP).</p> <h3 id="mitigation-recommendations">Mitigation Recommendations</h3> <p>TAG-112鈥檚 campaign underscores the importance of proactive cybersecurity measures, particularly for organizations that may be high-value targets for state-sponsored actors. Recorded Future recommends the following steps:</p> <ol> <li><strong>Intrusion Detection and Prevention</strong>: Configure intrusion detection (IDS) and intrusion prevention systems (IPS) to alert on any indicators of compromise (IoCs) associated with TAG-112. Consider blocking connections to known TAG-112 infrastructure after a thorough review.</li> <li><strong>User Training</strong>: Educate users to exercise caution when handling files downloaded from untrusted sources. Advise users against opening files that download automatically without input, as these could be part of phishing or drive-by download attacks.</li> <li><strong>Cobalt Strike Detection</strong>: Enable real-time monitoring for malicious Cobalt Strike C2 servers using threat intelligence modules such as Recorded Future鈥檚 Intelligence Cloud.</li> <li><strong>Network Monitoring</strong>: Regularly monitor network traffic for signs of compromise, particularly for connections to known threat infrastructure. Malicious Traffic Analysis (MTA) can help detect unusual activity, alerting security teams to potential C2 communications.</li> </ol> <h2 id="outlook">Outlook</h2> <p>TAG-112鈥檚 operations against Tibetan organizations reflect a longstanding objective within <a href="https://www.recordedfuture.com/research/charting-chinas-climb-leading-global-cyber-power">Chinese cyber-espionage</a> campaigns to monitor and control ethnic and religious minorities, especially those seen as potentially destabilizing. Other groups and regions with similar CCP-designated risk profiles are likely targets of similar state-sponsored attacks.</p> <p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta-cn-2024-1112.pdf">click here</a> to download the report as a PDF.</p> </div></div></section></div></div><section class="my-8 2xl:my-20"><div class="border-b-2 border-black"></div></section><section class="my-8 2xl:my-20"><p class="page-heading-four relative z-10 mb-10">Related </p><div class="relative z-10"><div class="swiper"><div class="swiper-wrapper"></div></div><div class="md:mt-10 md:space-x-20 lg:mt-8 mt-8 flex w-full items-center justify-center space-x-4"><div class="react-ripples rounded-md" style="position:relative;display:inline-flex;overflow:hidden"><button class="border border-grey-silver w-14 md:w-16 h-14 md:h-[50px] text-sm duration-300 flex items-center justify-center rounded-md transition-colors whitespace-nowrap swiper-button-prev-related-resources z-10" type="button"><span class="text-black text-md icon-arrow-left"></span></button><s style="position:absolute;border-radius:50%;opacity:0;width:35px;height:35px;transform:translate(-50%, -50%);pointer-events:none"></s></div><div class="md:w-96 swiper-scrollbar-related-resources z-10 h-0.5 w-48 rounded-sm bg-grey-emperor bg-opacity-40"></div><div class="react-ripples rounded-md" style="position:relative;display:inline-flex;overflow:hidden"><button class="border border-grey-silver w-14 md:w-16 h-14 md:h-[50px] text-sm duration-300 flex items-center justify-center rounded-md transition-colors whitespace-nowrap swiper-button-next-related-resources z-10" type="button"><span class="text-black text-md icon-arrow-right"></span></button><s style="position:absolute;border-radius:50%;opacity:0;width:35px;height:35px;transform:translate(-50%, -50%);pointer-events:none"></s></div></div></div></section></div></main><footer class="relative"><nav><div class="bg-black py-14 lg:py-20 xl:py-28"><div class="mx-auto w-full max-w-layout px-5 md:px-8 lg:px-12 xl:px-20 2xl:px-40"><div class="grid grid-cols-2 gap-y-10 lg:grid-cols-3 lg:gap-y-8 xl:grid-cols-4"><div class="col-span-2 lg:col-span-1"><img alt="Recorded Future" loading="lazy" width="143" height="40" decoding="async" data-nimg="1" class="mr-auto" style="color:transparent" srcSet="https://cms.recordedfuture.com/uploads/brand_logo_white_ab2a1e056e.svg?w=256 1x, https://cms.recordedfuture.com/uploads/brand_logo_white_ab2a1e056e.svg?w=384 2x" src="https://cms.recordedfuture.com/uploads/brand_logo_white_ab2a1e056e.svg?w=384"/></div><div class="col-span-2 grid grid-cols-2"><div><p class="page-heading-nine mb-10 text-white">About us</p><ul class="flex flex-col space-y-10"><li><a class="text-sm text-white transition-opacity duration-200 hover:opacity-70 lg:text-base" target="_self" rel="noreferrer" aria-label="Intelligence Cloud" href="/">Intelligence Cloud</a></li><li><a class="text-sm text-white transition-opacity duration-200 hover:opacity-70 lg:text-base" target="_self" rel="noreferrer" aria-label="Services &amp; Support" href="/services-support/client-success">Services &amp; Support</a></li><li><a class="text-sm text-white transition-opacity duration-200 hover:opacity-70 lg:text-base" target="_self" rel="noreferrer" aria-label="Research" href="/research">Research</a></li><li><a class="text-sm text-white transition-opacity duration-200 hover:opacity-70 lg:text-base" target="_self" rel="noreferrer" aria-label="Resources" href="/resources">Resources</a></li><li><a class="text-sm text-white transition-opacity duration-200 hover:opacity-70 lg:text-base" target="_self" rel="noreferrer" aria-label="Company" href="/company">Company</a></li></ul></div><div><p class="page-heading-nine mb-10 text-white">Helpful links</p><ul class="flex flex-col space-y-10"><li><a class="text-sm text-white transition-opacity duration-200 hover:opacity-70 lg:text-base" target="_self" rel="noreferrer" aria-label="Careers" href="/">Careers</a></li><li><a class="text-sm text-white transition-opacity duration-200 hover:opacity-70 lg:text-base" target="_self" rel="noreferrer" aria-label="Contact Us" href="/contact">Contact Us</a></li><li><a class="text-sm text-white transition-opacity duration-200 hover:opacity-70 lg:text-base" target="_blank" rel="noreferrer" aria-label="Get a Demo" href="https://go.recordedfuture.com/demo">Get a Demo</a></li><li><a class="text-sm text-white transition-opacity duration-200 hover:opacity-70 lg:text-base" target="_self" rel="noreferrer" aria-label="The Intelligence Graph" href="/platform/intelligence-graph">The Intelligence Graph</a></li></ul></div></div><hr class="col-span-2 block border-white border-opacity-30 lg:col-span-3 xl:hidden"/><div class="col-span-2 flex flex-col space-y-10 lg:col-span-1"><div><p class="page-heading-nine mb-6 text-white">Join us online</p><ul class="flex flex-row space-x-2"><li><div class="react-ripples rounded-md" style="position:relative;display:inline-flex;overflow:hidden"><a class="bg-white w-14 md:w-16 h-14 md:h-[50px] text-sm duration-300 flex items-center justify-center rounded-md transition-colors whitespace-nowrap" target="_blank" rel="noreferrer" aria-label="YouTube" href="https://www.youtube.com/user/RecordedFuture"><span class="text-black text-md icon-youtube"></span></a><s style="position:absolute;border-radius:50%;opacity:0;width:35px;height:35px;transform:translate(-50%, -50%);pointer-events:none"></s></div></li><li><div class="react-ripples rounded-md" style="position:relative;display:inline-flex;overflow:hidden"><a class="bg-white w-14 md:w-16 h-14 md:h-[50px] text-sm duration-300 flex items-center justify-center rounded-md transition-colors whitespace-nowrap" target="_blank" rel="noreferrer" aria-label="Facebook" href="https://www.facebook.com/RecordedFuture"><span class="text-black text-md icon-facebook"></span></a><s style="position:absolute;border-radius:50%;opacity:0;width:35px;height:35px;transform:translate(-50%, -50%);pointer-events:none"></s></div></li><li><div class="react-ripples rounded-md" style="position:relative;display:inline-flex;overflow:hidden"><a class="bg-white w-14 md:w-16 h-14 md:h-[50px] text-sm duration-300 flex items-center justify-center rounded-md transition-colors whitespace-nowrap" target="_blank" rel="noreferrer" aria-label="Twitter" href="https://twitter.com/RecordedFuture"><span class="text-black text-md icon-twitter"></span></a><s style="position:absolute;border-radius:50%;opacity:0;width:35px;height:35px;transform:translate(-50%, -50%);pointer-events:none"></s></div></li><li><div class="react-ripples rounded-md" style="position:relative;display:inline-flex;overflow:hidden"><a class="bg-white w-14 md:w-16 h-14 md:h-[50px] text-sm duration-300 flex items-center justify-center rounded-md transition-colors whitespace-nowrap" target="_blank" rel="noreferrer" aria-label="Instagram" href="https://www.instagram.com/recordedfuture/"><span class="text-black text-md icon-instagram"></span></a><s style="position:absolute;border-radius:50%;opacity:0;width:35px;height:35px;transform:translate(-50%, -50%);pointer-events:none"></s></div></li><li><div class="react-ripples rounded-md" style="position:relative;display:inline-flex;overflow:hidden"><a class="bg-white w-14 md:w-16 h-14 md:h-[50px] text-sm duration-300 flex items-center justify-center rounded-md transition-colors whitespace-nowrap" target="_blank" rel="noreferrer" aria-label="RSS" href="https://www.recordedfuture.com/feed"><span class="text-black text-md icon-rss"></span></a><s style="position:absolute;border-radius:50%;opacity:0;width:35px;height:35px;transform:translate(-50%, -50%);pointer-events:none"></s></div></li></ul></div><div><p class="page-heading-nine mb-5 text-white">Want to learn more?</p><div class="react-ripples rounded-md" style="position:relative;display:inline-flex;overflow:hidden"><a class="bg-white px-[15px] py-[12px] h-14 md:h-[50px] text-sm duration-300 flex items-center justify-center rounded-md transition-colors whitespace-nowrap" target="_self" rel="noreferrer" aria-label="Contact us today**" href="/contact"><div class="rich-text_rich-text__dRpjl"><p>Contact us <strong>today</strong></p> </div></a><s style="position:absolute;border-radius:50%;opacity:0;width:35px;height:35px;transform:translate(-50%, -50%);pointer-events:none"></s></div></div></div></div></div></div><div class="bg-grey-dark py-10 lg:py-3"><div class="mx-auto w-full max-w-layout px-5 md:px-8 lg:px-12 xl:px-20 2xl:px-40"><div class="flex flex-col-reverse items-center justify-between lg:flex-row"><div class="mt-10 w-full text-sm text-grey-medium lg:mt-0 lg:w-auto lg:text-xs"><span>Copyright 漏 2024 Recorded Future, Inc.</span></div><ul class="grid w-full grid-cols-2 gap-y-8 lg:flex lg:w-auto lg:space-x-8 lg:space-y-0"><li class="flex items-center"><a class="text-sm text-grey-medium lg:text-xs" target="_self" rel="noreferrer" aria-label="Security FAQ" href="/faq/security">Security FAQ</a></li><li class="flex items-center"><a class="text-sm text-grey-medium lg:text-xs" target="_self" rel="noreferrer" aria-label="Cookies" href="/privacy-policy/3-0/cookies">Cookies</a></li><li class="flex items-center"><a class="text-sm text-grey-medium lg:text-xs" target="_self" rel="noreferrer" aria-label="Privacy Policy" href="/privacy-policy">Privacy Policy</a></li><li class="flex items-center"><a class="text-sm text-grey-medium lg:text-xs" target="_self" rel="noreferrer" aria-label="Terms &amp; Conditions" href="/terms-of-use">Terms &amp; Conditions</a></li></ul></div></div></div></nav></footer></section></div></div><script id="__NEXT_DATA__" type="application/json">{"props":{"pageProps":{"analyticData":{"data":{"id":1,"attributes":{"cookieSrc":"","cookieDataDomainScript":null,"createdAt":"2022-03-31T15:05:37.875Z","updatedAt":"2023-06-01T18:28:45.225Z","publishedAt":"2022-03-31T15:05:39.373Z","sixsiToken":null,"qualifiedToken":"","facebookPixelCodeToken":null,"googleTagManagerToken":"GTM-539N74N","twitterTrackPid":null,"linkedInPartnerId":null}},"meta":{}},"footer":{"data":{"id":1,"attributes":{"socialMediaColumnTitle":"Join us online","ctaColumnTitle":"Want to learn more?","legalText":"Copyright 漏 2024 Recorded Future, Inc.","createdAt":"2022-03-10T10:38:16.135Z","updatedAt":"2024-09-25T17:36:02.276Z","publishedAt":"2022-03-10T10:42:04.903Z","locale":"en","cta":{"id":1870,"label":"Contact us **today**","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4,"attributes":{"title":"Contact Us","slug":"/contact","createdAt":"2022-03-28T18:14:06.614Z","updatedAt":"2024-11-07T13:43:38.502Z","publishedAt":"2022-03-28T18:15:23.878Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},"columns":[{"id":19,"title":"About us","links":[{"id":1822,"label":"Intelligence Cloud","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}},{"id":1825,"label":"Services \u0026 Support","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":52,"attributes":{"title":"Client Success","slug":"/services-support/client-success","createdAt":"2022-04-05T20:25:33.115Z","updatedAt":"2024-02-02T15:00:56.987Z","publishedAt":"2022-04-05T20:25:35.384Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1831,"label":"Research","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":30,"attributes":{"title":"Research","slug":"/research","createdAt":"2022-04-05T20:10:33.841Z","updatedAt":"2024-11-18T18:23:20.893Z","publishedAt":"2022-04-05T20:10:35.972Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1834,"label":"Resources","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":5,"attributes":{"title":"Resources","slug":"/resources","createdAt":"2022-03-31T15:34:18.514Z","updatedAt":"2024-11-04T14:09:58.009Z","publishedAt":"2022-03-31T15:34:19.628Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1837,"label":"Company","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":136,"attributes":{"title":"Company","slug":"/company","createdAt":"2022-04-08T17:29:33.794Z","updatedAt":"2024-09-17T13:26:11.348Z","publishedAt":"2022-06-24T19:30:37.171Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}}]},{"id":22,"title":"Helpful links","links":[{"id":1843,"label":"Careers","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}},{"id":1840,"label":"Contact Us","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4,"attributes":{"title":"Contact Us","slug":"/contact","createdAt":"2022-03-28T18:14:06.614Z","updatedAt":"2024-11-07T13:43:38.502Z","publishedAt":"2022-03-28T18:15:23.878Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1849,"label":"Get a Demo","target":"_blank","externalUrl":"https://go.recordedfuture.com/demo","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}},{"id":1852,"label":"The Intelligence Graph","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":10,"attributes":{"title":"Intelligence Graph","slug":"/platform/intelligence-graph","createdAt":"2022-04-05T17:07:47.266Z","updatedAt":"2022-07-11T16:53:38.404Z","publishedAt":"2022-04-05T17:07:49.209Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}}]}],"legalLinks":[{"id":1873,"label":"Security FAQ","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":67,"attributes":{"title":"Security FAQ","slug":"/faq/security","createdAt":"2022-04-05T20:32:30.510Z","updatedAt":"2023-12-14T15:38:56.015Z","publishedAt":"2022-04-05T20:32:32.196Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1876,"label":"Cookies","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":66,"attributes":{"title":"Cookies 3.0","slug":"/privacy-policy/3-0/cookies","createdAt":"2022-04-05T20:32:03.425Z","updatedAt":"2022-09-13T21:55:59.491Z","publishedAt":"2022-04-05T20:32:05.450Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1879,"label":"Privacy Policy","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":68,"attributes":{"title":"Privacy","slug":"/privacy-policy","createdAt":"2022-04-05T20:32:45.739Z","updatedAt":"2024-11-22T17:44:41.931Z","publishedAt":"2022-04-05T20:32:47.281Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1882,"label":"Terms \u0026 Conditions","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":69,"attributes":{"title":"Terms","slug":"/terms-of-use","createdAt":"2022-04-05T20:33:05.741Z","updatedAt":"2023-02-09T15:59:16.891Z","publishedAt":"2022-04-05T20:33:07.090Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}}],"logo":{"id":3040,"alt":"Recorded Future Logo","tablet":{"data":null},"mobile":{"data":null},"desktop":{"data":{"id":3,"attributes":{"name":"brand-logo-white.svg","alternativeText":"brand-logo-white.svg","caption":"brand-logo-white.svg","width":221,"height":62,"formats":null,"hash":"brand_logo_white_ab2a1e056e","ext":".svg","mime":"image/svg+xml","size":4.99,"url":"/uploads/brand_logo_white_ab2a1e056e.svg","previewUrl":null,"provider":"local","provider_metadata":null,"createdAt":"2022-03-10T10:37:46.343Z","updatedAt":"2022-03-10T10:37:46.343Z"}}}},"socialMediaLinks":{"id":13,"youtubeLink":{"id":1867,"label":null,"target":"_blank","externalUrl":"https://www.youtube.com/user/RecordedFuture","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}},"twitterLink":{"id":1864,"label":null,"target":"_blank","externalUrl":"https://twitter.com/RecordedFuture","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}},"rssLink":{"id":1861,"label":null,"target":"_blank","externalUrl":"https://www.recordedfuture.com/feed","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}},"instagramLink":{"id":1858,"label":null,"target":"_blank","externalUrl":"https://www.instagram.com/recordedfuture/","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}},"facebookLink":{"id":1855,"label":null,"target":"_blank","externalUrl":"https://www.facebook.com/RecordedFuture","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}}}}},"meta":{}},"header":{"data":{"id":1,"attributes":{"createdAt":"2022-03-10T10:43:52.952Z","updatedAt":"2024-10-24T19:38:05.217Z","publishedAt":"2022-03-10T10:43:55.874Z","locale":"en","cta":{"id":1819,"label":"Get a **demo**","target":"_blank","externalUrl":"https://go.recordedfuture.com/demo?utm_campaign=demo-button-2023-top-nav-bar\u0026utm_source=recordedfuture\u0026utm_medium=website\u0026utm_content=20231003\u0026utm_term=website","labelMobile":"Book a **free** demo","backgroundColor":"#0071CE","textColor":null,"page":{"data":null}},"links":[{"id":63,"label":"Platform","target":"_self","externalUrl":"https://www.recordedfuture.com/platform/intelligence-cloud","columnOneTitle":"Platform","columnTwoTitle":"Featured Integrations","columnThreeTitle":null,"columnFourTitle":null,"viewParentLabel":"Intelligence Cloud Overview","page":{"data":null},"columnTwoLinks":[{"id":2534,"label":"Splunk","target":"_self","externalUrl":"https://www.recordedfuture.com/integrations/splunk","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}},{"id":2537,"label":"Palo Alto Networks","target":"_self","externalUrl":"https://www.recordedfuture.com/integrations/palo-alto","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}},{"id":2540,"label":"Microsoft","target":"_self","externalUrl":"https://www.recordedfuture.com/integrations/microsoft","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}},{"id":2543,"label":"ServiceNow","target":"_self","externalUrl":"https://www.recordedfuture.com/integrations/servicenow","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}}],"columnThreeLinks":[],"columnOneLinks":[{"id":2406,"label":"Intelligence Cloud Platform","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4353,"attributes":{"title":"The Recorded Future Intelligence Cloud ","slug":"/platform/intelligence-cloud","createdAt":"2023-09-25T19:04:52.188Z","updatedAt":"2024-07-26T18:17:13.151Z","publishedAt":"2023-10-03T20:54:39.165Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2409,"label":"Integrations","target":"_self","externalUrl":"https://www.recordedfuture.com/integrations","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}},{"id":2833,"label":"Collective Insights","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":5092,"attributes":{"title":"Collective Insights","slug":"/collective-insights","createdAt":"2024-06-03T18:08:36.261Z","updatedAt":"2024-06-11T16:59:06.465Z","publishedAt":"2024-06-11T12:47:20.504Z","locale":"en","bgColor":null,"useLineSpacer":true,"excludeSitemap":null}}}},{"id":2412,"label":"Browser Extension ","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":135,"attributes":{"title":"Browser Extension","slug":"/platform/browser-extension","createdAt":"2022-04-08T17:25:46.562Z","updatedAt":"2024-06-17T20:24:34.805Z","publishedAt":"2022-04-11T16:04:53.064Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2415,"label":"Mobile App for iOS + Android ","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":816,"attributes":{"title":"Mobile App","slug":"/platform/mobile-app","createdAt":"2022-05-27T13:48:01.047Z","updatedAt":"2023-06-02T13:58:38.304Z","publishedAt":"2022-05-27T14:30:20.277Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}}],"columnFourLinks":[],"cards":[]},{"id":43,"label":"Outcomes","target":"_self","externalUrl":null,"columnOneTitle":"Outcomes","columnTwoTitle":"Industries","columnThreeTitle":null,"columnFourTitle":null,"viewParentLabel":"View Solutions to Reduce Risk","page":{"data":{"id":4622,"attributes":{"title":"Threat Intelligence solves pervasive challenges","slug":"/outcomes","createdAt":"2023-12-11T17:32:38.368Z","updatedAt":"2024-08-16T15:12:45.552Z","publishedAt":"2023-12-12T17:32:36.719Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}},"columnTwoLinks":[{"id":3103,"label":"Public Sector","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":5065,"attributes":{"title":"Public Sector","slug":"/outcomes/public-sector","createdAt":"2024-05-28T18:33:43.903Z","updatedAt":"2024-10-18T17:16:49.432Z","publishedAt":"2024-06-12T19:44:15.716Z","locale":"en","bgColor":null,"useLineSpacer":true,"excludeSitemap":null}}}}],"columnThreeLinks":[],"columnOneLinks":[{"id":2039,"label":"Ransomware Mitigation","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":5408,"attributes":{"title":"Proactively mitigate ransomware attacks","slug":"/outcomes/ransomware","createdAt":"2024-10-04T20:37:46.277Z","updatedAt":"2024-10-09T14:50:00.159Z","publishedAt":"2024-10-09T14:50:00.000Z","locale":"en","bgColor":null,"useLineSpacer":true,"excludeSitemap":null}}}},{"id":2394,"label":"Exposure Management","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4311,"attributes":{"title":"Reduce Exposures Across Your Attack Surface","slug":"/outcomes/exposure-management","createdAt":"2023-09-23T17:02:23.737Z","updatedAt":"2024-08-16T15:15:03.931Z","publishedAt":"2023-10-03T20:30:13.180Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2397,"label":"Automate Security Workflows","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4314,"attributes":{"title":"Reduce threat detection, investigation, and response time","slug":"/outcomes/automation-security-workflows","createdAt":"2023-09-23T23:35:05.277Z","updatedAt":"2024-08-16T15:13:24.629Z","publishedAt":"2023-10-03T20:35:19.428Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2400,"label":"Mitigate Supply Chain Risk","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4308,"attributes":{"title":"Mitigate supply chain risk","slug":"/outcomes/supply-chain","createdAt":"2023-09-22T20:29:59.887Z","updatedAt":"2024-08-16T15:17:12.407Z","publishedAt":"2023-10-03T20:50:20.435Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2403,"label":"Digital Risk Protection","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4305,"attributes":{"title":"Digital risk protection","slug":"/outcomes/digital-risk","createdAt":"2023-09-22T14:46:20.293Z","updatedAt":"2024-08-16T15:14:04.480Z","publishedAt":"2023-10-03T20:52:52.405Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}}],"columnFourLinks":[],"cards":[{"id":3056,"imageAlt":"See Recorded Future鈥檚 Threat Intelligence Solutions in Action","title":"See our Threat Intelligence Solutions in Action","text":"Reduce risk and mitigate cyber attacks, no matter your IT \u0026 security stack, maturity journey, or industry","linkLabel":"Book a **free** demo","linkTarget":"_self","linkExternalUrl":"https://go.recordedfuture.com/demo?utm_campaign=rf-top-menu-solutions-demo-promo\u0026utm_source=recordedfuture\u0026utm_medium=website\u0026utm_content=rf-top-menu-solutions-demo-promo\u0026utm_term=rf-top-menu-solutions-demo-promo","isClickable":true,"customClass":null,"imageDesktop":{"data":{"id":111,"attributes":{"name":"datasheet-security-intelligence-solutions-overview.jpg","alternativeText":"datasheet-security-intelligence-solutions-overview.jpg","caption":"datasheet-security-intelligence-solutions-overview.jpg","width":1920,"height":1080,"formats":{"thumbnail":{"ext":".jpg","url":"/uploads/thumbnail_datasheet_security_intelligence_solutions_overview_5b42c3713d.jpg","hash":"thumbnail_datasheet_security_intelligence_solutions_overview_5b42c3713d","mime":"image/jpeg","name":"thumbnail_datasheet-security-intelligence-solutions-overview.jpg","path":null,"size":11.49,"width":245,"height":138}},"hash":"datasheet_security_intelligence_solutions_overview_5b42c3713d","ext":".jpg","mime":"image/jpeg","size":804.95,"url":"/uploads/datasheet_security_intelligence_solutions_overview_5b42c3713d.jpg","previewUrl":null,"provider":"local","provider_metadata":null,"createdAt":"2022-04-12T15:46:01.323Z","updatedAt":"2024-04-24T19:27:15.316Z"}}},"imageMobile":{"data":null},"imageTablet":{"data":null},"linkPage":{"data":null}}]},{"id":58,"label":"Products","target":"_self","externalUrl":"https://www.recordedfuture.com/platform/intelligence-cloud","columnOneTitle":"Products","columnTwoTitle":null,"columnThreeTitle":"","columnFourTitle":"","viewParentLabel":"Intelligence Cloud Overview","page":{"data":null},"columnTwoLinks":[],"columnThreeLinks":[],"columnOneLinks":[{"id":2418,"label":"Threat Intelligence","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":5411,"attributes":{"title":"Threat Intelligence Product","slug":"/products/threat-intelligence","createdAt":"2024-10-04T20:38:13.861Z","updatedAt":"2024-10-09T14:50:00.129Z","publishedAt":"2024-10-09T14:50:00.000Z","locale":"en","bgColor":null,"useLineSpacer":true,"excludeSitemap":null}}}},{"id":2421,"label":"Brand Intelligence","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4323,"attributes":{"title":"Prevent attacks to your brand","slug":"/products/brand-intelligence","createdAt":"2023-09-24T16:22:45.130Z","updatedAt":"2024-05-16T08:15:20.621Z","publishedAt":"2023-10-03T19:35:49.404Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2424,"label":"SecOps Intelligence","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4338,"attributes":{"title":"Improve SOC efficiency with operational threat intelligence ","slug":"/products/secops-intelligence","createdAt":"2023-09-25T00:39:49.302Z","updatedAt":"2024-05-16T08:15:56.385Z","publishedAt":"2023-10-03T19:39:30.547Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2427,"label":"Vulnerability Intelligence","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4350,"attributes":{"title":"Prioritize and mitigate your vulnerabilities based on risk","slug":"/products/vulnerability-intelligence","createdAt":"2023-09-25T18:15:05.674Z","updatedAt":"2024-05-16T08:16:29.328Z","publishedAt":"2023-10-03T19:42:11.695Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2430,"label":"Third-Party Intelligence","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4347,"attributes":{"title":"Identify and respond to third-party threats","slug":"/products/third-party-intelligence","createdAt":"2023-09-25T17:27:40.827Z","updatedAt":"2024-05-16T08:17:12.809Z","publishedAt":"2023-10-03T19:46:42.352Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2436,"label":"Geopolitical Intelligence","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4329,"attributes":{"title":"Identify and monitor geopolitical risk to ensure business continuity","slug":"/products/geopolitical-intelligence","createdAt":"2023-09-24T22:23:09.093Z","updatedAt":"2024-05-16T08:17:48.052Z","publishedAt":"2023-10-03T19:50:24.225Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2439,"label":"Attack Surface Intelligence","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4326,"attributes":{"title":"Discover and protect your expanding attack surface","slug":"/products/attack-surface-intelligence","createdAt":"2023-09-24T21:51:25.693Z","updatedAt":"2024-05-16T08:18:19.123Z","publishedAt":"2023-10-03T19:54:30.044Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2442,"label":"Identity Intelligence","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4332,"attributes":{"title":"Prevent misuse and protect compromised credentials and identities","slug":"/products/identity-intelligence","createdAt":"2023-09-24T22:58:35.696Z","updatedAt":"2024-05-16T08:18:57.017Z","publishedAt":"2023-10-03T19:59:15.043Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2445,"label":"Payment Fraud Intelligence","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4335,"attributes":{"title":"Anticipate and mitigate the effects of payment fraud","slug":"/products/payment-fraud-intelligence","createdAt":"2023-09-24T23:58:24.848Z","updatedAt":"2024-11-26T16:41:50.684Z","publishedAt":"2023-10-03T20:14:00.579Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}}],"columnFourLinks":[],"cards":[{"id":1411,"imageAlt":"See Recorded Future鈥檚 Intelligence in Action","title":"See Recorded Future鈥檚 Intelligence in Action","text":"Reduce operational risk through timely, precise, and actionable intelligence.","linkLabel":"Book a **free** demo","linkTarget":"_self","linkExternalUrl":"https://go.recordedfuture.com/demo?utm_campaign=rf-top-menu-solutions-demo-promo\u0026utm_source=recordedfuture\u0026utm_medium=website\u0026utm_content=rf-top-menu-solutions-demo-promo\u0026utm_term=rf-top-menu-solutions-demo-promo","isClickable":true,"customClass":null,"imageDesktop":{"data":{"id":17415,"attributes":{"name":"nmap-commands-main.webp","alternativeText":"Top 16 Nmap Commands","caption":null,"width":1600,"height":600,"formats":{"thumbnail":{"name":"thumbnail_nmap-commands-main.webp","hash":"thumbnail_nmap_commands_main_4f9d9f48ac","ext":".webp","mime":"image/webp","path":null,"width":245,"height":92,"size":3.89,"url":"/uploads/thumbnail_nmap_commands_main_4f9d9f48ac.webp"}},"hash":"nmap_commands_main_4f9d9f48ac","ext":".webp","mime":"image/webp","size":242.64,"url":"/uploads/nmap_commands_main_4f9d9f48ac.webp","previewUrl":null,"provider":"local","provider_metadata":null,"createdAt":"2024-04-11T16:11:03.589Z","updatedAt":"2024-04-11T16:11:03.589Z"}}},"imageMobile":{"data":null},"imageTablet":{"data":null},"linkPage":{"data":null}}]},{"id":60,"label":"Services","target":"_self","externalUrl":"https://www.recordedfuture.com/services-support/client-success","columnOneTitle":"Services","columnTwoTitle":null,"columnThreeTitle":null,"columnFourTitle":null,"viewParentLabel":"View Services \u0026 Support Overview","page":{"data":null},"columnTwoLinks":[],"columnThreeLinks":[],"columnOneLinks":[{"id":2382,"label":"Managed Services","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":51,"attributes":{"title":"Managed Services","slug":"/services-support","createdAt":"2022-04-05T20:24:57.132Z","updatedAt":"2022-08-31T15:28:49.660Z","publishedAt":"2022-04-05T20:24:58.831Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2385,"label":"Professional Services","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":53,"attributes":{"title":"Professional Services","slug":"/services-support/professional-services","createdAt":"2022-04-05T20:25:55.827Z","updatedAt":"2024-05-16T09:25:50.247Z","publishedAt":"2022-04-05T20:25:57.775Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2388,"label":"Analyst On Demand","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":54,"attributes":{"title":"Analyst on Demand","slug":"/services-support/analyst-on-demand","createdAt":"2022-04-05T20:26:20.060Z","updatedAt":"2024-05-16T08:12:07.724Z","publishedAt":"2022-07-20T22:57:53.421Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2391,"label":"Success \u0026 Enablement","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":3763,"attributes":{"title":"Success \u0026 Enablement","slug":"/success-enablement","createdAt":"2022-11-04T13:10:26.292Z","updatedAt":"2024-02-06T16:27:25.444Z","publishedAt":"2022-11-04T13:10:55.672Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2460,"label":"Training","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":47,"attributes":{"title":"Training","slug":"/training","createdAt":"2022-04-05T20:22:02.418Z","updatedAt":"2024-06-27T17:26:13.356Z","publishedAt":"2022-04-05T20:22:05.132Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}}],"columnFourLinks":[],"cards":[]},{"id":46,"label":"Research","target":"_self","externalUrl":null,"columnOneTitle":"Research","columnTwoTitle":null,"columnThreeTitle":null,"columnFourTitle":null,"viewParentLabel":"View Research Overview","page":{"data":{"id":30,"attributes":{"title":"Research","slug":"/research","createdAt":"2022-04-05T20:10:33.841Z","updatedAt":"2024-11-18T18:23:20.893Z","publishedAt":"2022-04-05T20:10:35.972Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}},"columnTwoLinks":[],"columnThreeLinks":[],"columnOneLinks":[{"id":1651,"label":"Insikt Group","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":31,"attributes":{"title":"Insikt Group","slug":"/research/insikt-group","createdAt":"2022-04-05T20:11:12.419Z","updatedAt":"2024-07-02T15:23:18.829Z","publishedAt":"2022-04-05T20:11:14.165Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1654,"label":"Intelligence Reports","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":32,"attributes":{"title":"Intelligence Reports","slug":"/research/intelligence-reports","createdAt":"2022-04-05T20:11:37.404Z","updatedAt":"2024-06-10T20:03:31.038Z","publishedAt":"2022-04-05T20:11:40.756Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}}],"columnFourLinks":[],"cards":[]},{"id":52,"label":"Resources","target":"_self","externalUrl":null,"columnOneTitle":"Resource Center","columnTwoTitle":"Additional Topics","columnThreeTitle":"Additional Resources","columnFourTitle":null,"viewParentLabel":"View Resources Overview","page":{"data":{"id":5,"attributes":{"title":"Resources","slug":"/resources","createdAt":"2022-03-31T15:34:18.514Z","updatedAt":"2024-11-04T14:09:58.009Z","publishedAt":"2022-03-31T15:34:19.628Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}},"columnTwoLinks":[{"id":2451,"label":"Reports","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":961,"attributes":{"title":"Reports","slug":"/resources/reports","createdAt":"2022-06-08T19:56:29.442Z","updatedAt":"2024-06-17T12:51:56.838Z","publishedAt":"2022-06-08T19:56:30.881Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2612,"label":"Threat Briefings","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4754,"attributes":{"title":"Threat Briefing","slug":"/events/threat-briefings","createdAt":"2024-02-26T16:20:33.370Z","updatedAt":"2024-05-16T09:30:08.243Z","publishedAt":"2024-02-29T19:06:13.667Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2597,"label":"Threat Intelligence 101","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4721,"attributes":{"title":"Threat Intelligence 101","slug":"/threat-intelligence-101","createdAt":"2024-02-07T15:45:04.134Z","updatedAt":"2024-09-09T13:09:34.192Z","publishedAt":"2024-02-07T15:45:40.844Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1708,"label":"Videos","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":43,"attributes":{"title":"Videos","slug":"/resources/videos","createdAt":"2022-04-05T20:20:04.371Z","updatedAt":"2024-06-17T12:52:36.252Z","publishedAt":"2022-04-05T20:20:05.914Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1711,"label":"Webinars","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":44,"attributes":{"title":"Webinars","slug":"/resources/webinars","createdAt":"2022-04-05T20:20:23.109Z","updatedAt":"2024-08-02T19:26:30.830Z","publishedAt":"2022-04-05T20:20:24.697Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1699,"label":"Whitepapers","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":41,"attributes":{"title":"Whitepapers","slug":"/resources/whitepapers","createdAt":"2022-04-05T20:19:18.555Z","updatedAt":"2024-06-17T12:53:11.011Z","publishedAt":"2022-04-05T20:19:20.073Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}}],"columnThreeLinks":[{"id":2504,"label":"Free Products","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":46,"attributes":{"title":"Free Products","slug":"/free-products","createdAt":"2022-04-05T20:21:42.223Z","updatedAt":"2024-05-31T20:31:42.364Z","publishedAt":"2022-04-05T20:21:43.992Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2507,"label":"Cyber Daily","target":"_blank","externalUrl":"https://go.recordedfuture.com/cyber-daily","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}},{"id":2510,"label":"The Record from Recorded Future News","target":"_blank","externalUrl":"https://therecord.media/","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}},{"id":2513,"label":"Intelligence Fundamentals Certification","target":"_blank","externalUrl":"https://go.recordedfuture.com/unlock-recorded-future-university-free-access","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}},{"id":2516,"label":"Community","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":56,"attributes":{"title":"Community","slug":"/services-support/community","createdAt":"2022-04-05T20:27:35.470Z","updatedAt":"2022-07-11T18:25:59.585Z","publishedAt":"2022-04-05T20:27:38.890Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2654,"label":"Vulnerability Database","target":"_self","externalUrl":"https://www.recordedfuture.com/vulnerability-database","labelMobile":"Vulnerability Database","backgroundColor":null,"textColor":null,"page":{"data":null}},{"id":2710,"label":"Recorded Future University Training","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":47,"attributes":{"title":"Training","slug":"/training","createdAt":"2022-04-05T20:22:02.418Z","updatedAt":"2024-06-27T17:26:13.356Z","publishedAt":"2022-04-05T20:22:05.132Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}}],"columnOneLinks":[{"id":2618,"label":"Blog","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":38,"attributes":{"title":"Blog","slug":"/blog","createdAt":"2022-04-05T20:17:06.753Z","updatedAt":"2024-09-26T13:39:15.699Z","publishedAt":"2022-04-05T20:17:08.252Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":["KO","JP","DE","FR"]}}}},{"id":2621,"label":"Case Studies","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":42,"attributes":{"title":"Case Studies","slug":"/resources/case-studies","createdAt":"2022-04-05T20:19:49.264Z","updatedAt":"2024-06-17T12:51:20.532Z","publishedAt":"2022-04-05T20:19:50.648Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2624,"label":"eBooks","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":40,"attributes":{"title":"eBooks","slug":"/resources/ebooks","createdAt":"2022-04-05T20:19:01.465Z","updatedAt":"2024-04-24T20:49:17.826Z","publishedAt":"2022-04-05T20:19:02.912Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2627,"label":"Events","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":6,"attributes":{"title":"Events","slug":"/events","createdAt":"2022-03-31T15:34:35.106Z","updatedAt":"2024-09-23T13:40:48.866Z","publishedAt":"2022-03-31T15:34:36.218Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":2630,"label":"Podcasts","target":"_blank","externalUrl":"https://therecord.media/podcast","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}}],"columnFourLinks":[],"cards":[{"id":3082,"imageAlt":"See Recorded Future in Action","title":"Join our Weekly Platform Preview","text":"Experience our platform live every week. Minimize risks with timely, actionable threat intelligence that helps you stay ahead of threats.","linkLabel":"**Register Now**","linkTarget":"_blank","linkExternalUrl":"https://go.recordedfuture.com/demo/weekly-platform-preview?utm_campaign=rf-weekly-demo-resources-menu\u0026utm_source=recordedfuture\u0026utm_medium=website\u0026utm_content=rf-weekly-demo-resources-menu\u0026utm_term=rf-weekly-demo-resources-menu","isClickable":true,"customClass":null,"imageDesktop":{"data":{"id":19513,"attributes":{"name":"weekly-demo.png","alternativeText":null,"caption":null,"width":1272,"height":636,"formats":{"thumbnail":{"name":"thumbnail_weekly-demo.png","hash":"thumbnail_weekly_demo_32c6c2d538","ext":".png","mime":"image/png","path":null,"width":245,"height":123,"size":9.39,"sizeInBytes":9390,"url":"/uploads/thumbnail_weekly_demo_32c6c2d538.png"},"medium":{"name":"medium_weekly-demo.png","hash":"medium_weekly_demo_32c6c2d538","ext":".png","mime":"image/png","path":null,"width":750,"height":375,"size":54.36,"sizeInBytes":54363,"url":"/uploads/medium_weekly_demo_32c6c2d538.png"},"large":{"name":"large_weekly-demo.png","hash":"large_weekly_demo_32c6c2d538","ext":".png","mime":"image/png","path":null,"width":1000,"height":500,"size":88.24,"sizeInBytes":88238,"url":"/uploads/large_weekly_demo_32c6c2d538.png"},"small":{"name":"small_weekly-demo.png","hash":"small_weekly_demo_32c6c2d538","ext":".png","mime":"image/png","path":null,"width":500,"height":250,"size":27.83,"sizeInBytes":27829,"url":"/uploads/small_weekly_demo_32c6c2d538.png"}},"hash":"weekly_demo_32c6c2d538","ext":".png","mime":"image/png","size":28.31,"url":"/uploads/weekly_demo_32c6c2d538.png","previewUrl":null,"provider":"local","provider_metadata":null,"createdAt":"2024-09-17T16:04:16.142Z","updatedAt":"2024-09-17T16:04:16.142Z"}}},"imageMobile":{"data":null},"imageTablet":{"data":null},"linkPage":{"data":null}}]},{"id":55,"label":"Company","target":"_self","externalUrl":null,"columnOneTitle":"About Us","columnTwoTitle":"Join Us","columnThreeTitle":"Partner With Us","columnFourTitle":"Why Recorded Future","viewParentLabel":"View Company Overview","page":{"data":{"id":136,"attributes":{"title":"Company","slug":"/company","createdAt":"2022-04-08T17:29:33.794Z","updatedAt":"2024-09-17T13:26:11.348Z","publishedAt":"2022-06-24T19:30:37.171Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}},"columnTwoLinks":[{"id":1720,"label":"Careers","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4971,"attributes":{"title":"Careers","slug":"/careers","createdAt":"2024-04-12T14:53:12.194Z","updatedAt":"2024-10-11T20:28:51.395Z","publishedAt":"2024-10-11T20:00:00.000Z","locale":"en","bgColor":null,"useLineSpacer":true,"excludeSitemap":null}}}},{"id":3167,"label":"Find Your Team","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4986,"attributes":{"title":"Find your team","slug":"/careers/find-your-team","createdAt":"2024-04-18T16:37:58.525Z","updatedAt":"2024-10-11T20:11:32.430Z","publishedAt":"2024-10-11T20:00:00.000Z","locale":"en","bgColor":null,"useLineSpacer":true,"excludeSitemap":null}}}},{"id":3176,"label":"Working at Recorded Future","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4980,"attributes":{"title":"Working at Recorded Future","slug":"/careers/working-at-recorded-future","createdAt":"2024-04-17T17:45:05.375Z","updatedAt":"2024-10-11T20:50:30.828Z","publishedAt":"2024-10-11T20:00:00.000Z","locale":"en","bgColor":null,"useLineSpacer":true,"excludeSitemap":null}}}},{"id":3179,"label":"Learning \u0026 Development","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":5053,"attributes":{"title":"Learning \u0026 Development","slug":"/careers/learning-development","createdAt":"2024-05-23T14:37:38.627Z","updatedAt":"2024-10-11T20:00:00.613Z","publishedAt":"2024-10-11T20:00:00.000Z","locale":"en","bgColor":null,"useLineSpacer":true,"excludeSitemap":null}}}},{"id":3182,"label":"Benefits","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":5050,"attributes":{"title":"Benefits","slug":"/careers/benefits","createdAt":"2024-05-23T14:15:14.480Z","updatedAt":"2024-10-11T20:00:00.460Z","publishedAt":"2024-10-11T20:00:00.000Z","locale":"en","bgColor":null,"useLineSpacer":true,"excludeSitemap":null}}}}],"columnThreeLinks":[{"id":1756,"label":"Partner Login","target":"_blank","externalUrl":"https://recfut.force.com/partnerportal","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}},{"id":1759,"label":"Why Partner With Us","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":61,"attributes":{"title":"Why Partner With Us","slug":"/partner","createdAt":"2022-04-05T20:30:09.400Z","updatedAt":"2022-07-11T18:27:12.896Z","publishedAt":"2022-04-05T20:30:10.915Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1762,"label":"Value Added Reseller","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":62,"attributes":{"title":"Value Added Reseller","slug":"/partner/var","createdAt":"2022-04-05T20:30:42.039Z","updatedAt":"2022-07-11T18:27:35.194Z","publishedAt":"2022-04-05T20:30:43.442Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1765,"label":"Global Tech Alliance","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":63,"attributes":{"title":"Global Tech Alliance","slug":"/partner/tech","createdAt":"2022-04-05T20:30:58.145Z","updatedAt":"2022-07-11T18:27:49.188Z","publishedAt":"2022-04-05T20:30:59.732Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1768,"label":"Managed Security Service Providers","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":64,"attributes":{"title":"Managed Security Service Providers","slug":"/partner/mssp","createdAt":"2022-04-05T20:31:12.333Z","updatedAt":"2022-07-11T18:28:04.136Z","publishedAt":"2022-04-05T20:31:14.083Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1771,"label":"Original Equipment Manufacturer","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":65,"attributes":{"title":"Original Equipment Manufacturer (OEM)","slug":"/partner/oem","createdAt":"2022-04-05T20:31:26.860Z","updatedAt":"2022-07-20T16:09:43.587Z","publishedAt":"2022-04-05T20:31:28.708Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}}],"columnOneLinks":[{"id":1672,"label":"Our Story","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":57,"attributes":{"title":"Our Story","slug":"/our-story","createdAt":"2022-04-05T20:28:16.485Z","updatedAt":"2024-09-13T13:45:31.306Z","publishedAt":"2022-06-24T19:28:09.492Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1675,"label":"Press","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":58,"attributes":{"title":"Press","slug":"/press","createdAt":"2022-04-05T20:28:44.769Z","updatedAt":"2024-09-26T13:51:07.736Z","publishedAt":"2022-04-05T20:28:56.427Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":["ALL"]}}}},{"id":1678,"label":"Contact Us","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4,"attributes":{"title":"Contact Us","slug":"/contact","createdAt":"2022-03-28T18:14:06.614Z","updatedAt":"2024-11-07T13:43:38.502Z","publishedAt":"2022-03-28T18:15:23.878Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1936,"label":"Recorded Future News","target":"_blank","externalUrl":"","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":3889,"attributes":{"title":"Recorded Future News","slug":"/recorded-future-news","createdAt":"2023-01-13T18:21:11.995Z","updatedAt":"2024-05-31T20:35:28.748Z","publishedAt":"2023-01-13T18:23:41.393Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1684,"label":"Intelligence Fund","target":"_blank","externalUrl":"https://theintelligencefund.com/","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}}],"columnFourLinks":[{"id":1897,"label":"Why Recorded Future","target":"_self","externalUrl":"https://www.recordedfuture.com/platform/intelligence-cloud","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}},{"id":1900,"label":"Clients","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":14,"attributes":{"title":"Clients","slug":"/clients","createdAt":"2022-04-05T18:34:06.173Z","updatedAt":"2024-11-26T18:40:09.946Z","publishedAt":"2022-06-24T19:29:41.149Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1903,"label":"Industry Recognition","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":29,"attributes":{"title":"Industry Recognition","slug":"/industry-recognition","createdAt":"2022-04-05T20:10:14.508Z","updatedAt":"2024-05-16T08:07:36.064Z","publishedAt":"2022-04-05T20:10:16.878Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}}],"cards":[]}],"logo":{"id":3536,"alt":"Recorded Future Logo","tablet":{"data":{"id":2317,"attributes":{"name":"Rectangular Logo - Digital (RGB).svg","alternativeText":"Rectangular Logo - Digital (RGB).svg","caption":"Rectangular Logo - Digital (RGB).svg","width":null,"height":null,"formats":null,"hash":"Rectangular_Logo_Digital_RGB_8f7277c757","ext":".svg","mime":"image/svg+xml","size":4.33,"url":"/uploads/Rectangular_Logo_Digital_RGB_8f7277c757.svg","previewUrl":null,"provider":"local","provider_metadata":null,"createdAt":"2022-07-06T18:05:52.573Z","updatedAt":"2022-07-06T18:05:52.573Z"}}},"mobile":{"data":{"id":2317,"attributes":{"name":"Rectangular Logo - Digital (RGB).svg","alternativeText":"Rectangular Logo - Digital (RGB).svg","caption":"Rectangular Logo - Digital (RGB).svg","width":null,"height":null,"formats":null,"hash":"Rectangular_Logo_Digital_RGB_8f7277c757","ext":".svg","mime":"image/svg+xml","size":4.33,"url":"/uploads/Rectangular_Logo_Digital_RGB_8f7277c757.svg","previewUrl":null,"provider":"local","provider_metadata":null,"createdAt":"2022-07-06T18:05:52.573Z","updatedAt":"2022-07-06T18:05:52.573Z"}}},"desktop":{"data":{"id":2,"attributes":{"name":"brand-logo-long-black.svg","alternativeText":"brand-logo-long-black.svg","caption":"brand-logo-long-black.svg","width":355,"height":43,"formats":null,"hash":"brand_logo_long_black_f2ead5b5c6","ext":".svg","mime":"image/svg+xml","size":3.76,"url":"/uploads/brand_logo_long_black_f2ead5b5c6.svg","previewUrl":null,"provider":"local","provider_metadata":null,"createdAt":"2022-03-10T10:37:46.341Z","updatedAt":"2024-11-20T18:41:43.889Z"}}}},"logoLink":{"data":{"id":5299,"attributes":{"title":"Home","slug":"/","createdAt":"2024-07-24T14:06:22.956Z","updatedAt":"2024-11-12T14:00:07.812Z","publishedAt":"2024-08-16T15:18:24.672Z","locale":"en","bgColor":null,"useLineSpacer":true,"excludeSitemap":null}}},"satelliteLinks":[{"id":2707,"label":"Blog","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":38,"attributes":{"title":"Blog","slug":"/blog","createdAt":"2022-04-05T20:17:06.753Z","updatedAt":"2024-09-26T13:39:15.699Z","publishedAt":"2022-04-05T20:17:08.252Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":["KO","JP","DE","FR"]}}}},{"id":1633,"label":"Careers","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4971,"attributes":{"title":"Careers","slug":"/careers","createdAt":"2024-04-12T14:53:12.194Z","updatedAt":"2024-10-11T20:28:51.395Z","publishedAt":"2024-10-11T20:00:00.000Z","locale":"en","bgColor":null,"useLineSpacer":true,"excludeSitemap":null}}}},{"id":1639,"label":"Contact Us","target":"_self","externalUrl":null,"labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":{"id":4,"attributes":{"title":"Contact Us","slug":"/contact","createdAt":"2022-03-28T18:14:06.614Z","updatedAt":"2024-11-07T13:43:38.502Z","publishedAt":"2022-03-28T18:15:23.878Z","locale":"en","bgColor":null,"useLineSpacer":null,"excludeSitemap":null}}}},{"id":1642,"label":"Login","target":"_blank","externalUrl":"https://app.recordedfuture.com/live/login/","labelMobile":null,"backgroundColor":null,"textColor":null,"page":{"data":null}}]}},"meta":{}},"locales":[],"page":{"data":[{"id":5471,"attributes":{"title":"China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike","slug":"/research/china-nexus-tag-112-compromises-tibetan-websites","createdAt":"2024-11-06T16:00:55.381Z","updatedAt":"2024-11-13T03:00:00.077Z","publishedAt":"2024-11-13T03:00:00.000Z","locale":"en","bgColor":null,"useLineSpacer":true,"excludeSitemap":null,"blocks":[],"metaData":{"id":5054,"title":"China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike","description":"China-based TAG-112 exploited Tibetan sites to spread Cobalt Strike malware. Recorded Future reveals targeted threats by state-sponsored actors.","hideFromSearchEngines":false,"alt":"China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike","image":{"data":{"id":19877,"attributes":{"name":"cta-cn-2024-1112-Social.jpg","alternativeText":null,"caption":null,"width":1200,"height":628,"formats":{"large":{"name":"large_cta-cn-2024-1112-Social.jpg","hash":"large_cta_cn_2024_1112_Social_6c644c6f49","ext":".jpg","mime":"image/jpeg","path":null,"width":1000,"height":523,"size":61.11,"sizeInBytes":61105,"url":"/uploads/large_cta_cn_2024_1112_Social_6c644c6f49.jpg"},"thumbnail":{"name":"thumbnail_cta-cn-2024-1112-Social.jpg","hash":"thumbnail_cta_cn_2024_1112_Social_6c644c6f49","ext":".jpg","mime":"image/jpeg","path":null,"width":245,"height":128,"size":6.73,"sizeInBytes":6734,"url":"/uploads/thumbnail_cta_cn_2024_1112_Social_6c644c6f49.jpg"},"medium":{"name":"medium_cta-cn-2024-1112-Social.jpg","hash":"medium_cta_cn_2024_1112_Social_6c644c6f49","ext":".jpg","mime":"image/jpeg","path":null,"width":750,"height":393,"size":39.06,"sizeInBytes":39055,"url":"/uploads/medium_cta_cn_2024_1112_Social_6c644c6f49.jpg"},"small":{"name":"small_cta-cn-2024-1112-Social.jpg","hash":"small_cta_cn_2024_1112_Social_6c644c6f49","ext":".jpg","mime":"image/jpeg","path":null,"width":500,"height":262,"size":18.88,"sizeInBytes":18881,"url":"/uploads/small_cta_cn_2024_1112_Social_6c644c6f49.jpg"}},"hash":"cta_cn_2024_1112_Social_6c644c6f49","ext":".jpg","mime":"image/jpeg","size":86.38,"url":"/uploads/cta_cn_2024_1112_Social_6c644c6f49.jpg","previewUrl":null,"provider":"local","provider_metadata":null,"createdAt":"2024-11-12T13:52:22.366Z","updatedAt":"2024-11-12T13:52:22.366Z","folderPath":"/"}}},"favicon":{"data":null}},"resource":{"data":{"id":7652,"attributes":{"title":"China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike","featured":false,"createdAt":"2024-11-06T16:01:38.486Z","updatedAt":"2024-11-13T04:13:07.049Z","publishedAt":"2024-11-13T03:00:00.000Z","locale":"en","externalUrl":null,"showRelated":true,"showHeader":true,"showFrom":null,"author":{"data":null},"language":{"data":{"id":25,"attributes":{"name":"English","createdAt":"2024-04-24T20:37:35.357Z","updatedAt":"2024-04-24T20:39:40.235Z","publishedAt":"2024-04-24T20:39:40.232Z"}}},"sidebar":[],"related":{"data":[]},"topicTags":{"data":[{"id":3,"attributes":{"name":"Global Issues","createdAt":"2022-03-31T15:32:34.466Z","updatedAt":"2022-03-31T15:32:35.372Z","publishedAt":"2022-03-31T15:32:35.368Z","locale":"en"}}]},"threatTags":{"data":[]},"productTags":{"data":[]},"newsAndResearchResource":{"id":6101,"excerpt":"China-based TAG-112 exploited Tibetan sites to spread Cobalt Strike malware. Recorded Future reveals targeted threats by state-sponsored actors.","author":"Insikt Group庐","date":"2024-11-12","researchPreviewImageAlt":"China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike","publication":null,"type":{"data":{"id":5,"attributes":{"value":"Research (Insikt)","key":"research","createdAt":"2022-03-10T11:27:13.514Z","updatedAt":"2022-08-10T13:43:39.004Z","publishedAt":"2022-03-10T11:27:14.349Z","locale":"en"}}}},"integrationResource":null,"industryTags":{"data":[]},"headerImage":{"id":17708,"alt":"China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike","desktop":{"data":{"id":19871,"attributes":{"name":"cta-cn-2024-1112-Main-Feature.jpg","alternativeText":null,"caption":null,"width":1600,"height":600,"formats":{"thumbnail":{"name":"thumbnail_cta-cn-2024-1112-Main-Feature.jpg","hash":"thumbnail_cta_cn_2024_1112_Main_Feature_18ea548089","ext":".jpg","mime":"image/jpeg","path":null,"width":245,"height":92,"size":2.08,"sizeInBytes":2079,"url":"/uploads/thumbnail_cta_cn_2024_1112_Main_Feature_18ea548089.jpg"},"large":{"name":"large_cta-cn-2024-1112-Main-Feature.jpg","hash":"large_cta_cn_2024_1112_Main_Feature_18ea548089","ext":".jpg","mime":"image/jpeg","path":null,"width":1000,"height":375,"size":29.49,"sizeInBytes":29490,"url":"/uploads/large_cta_cn_2024_1112_Main_Feature_18ea548089.jpg"},"medium":{"name":"medium_cta-cn-2024-1112-Main-Feature.jpg","hash":"medium_cta_cn_2024_1112_Main_Feature_18ea548089","ext":".jpg","mime":"image/jpeg","path":null,"width":750,"height":281,"size":14.82,"sizeInBytes":14824,"url":"/uploads/medium_cta_cn_2024_1112_Main_Feature_18ea548089.jpg"},"small":{"name":"small_cta-cn-2024-1112-Main-Feature.jpg","hash":"small_cta_cn_2024_1112_Main_Feature_18ea548089","ext":".jpg","mime":"image/jpeg","path":null,"width":500,"height":188,"size":6.36,"sizeInBytes":6360,"url":"/uploads/small_cta_cn_2024_1112_Main_Feature_18ea548089.jpg"}},"hash":"cta_cn_2024_1112_Main_Feature_18ea548089","ext":".jpg","mime":"image/jpeg","size":85.09,"url":"/uploads/cta_cn_2024_1112_Main_Feature_18ea548089.jpg","previewUrl":null,"provider":"local","provider_metadata":null,"createdAt":"2024-11-12T13:51:46.214Z","updatedAt":"2024-11-12T13:51:46.214Z","folderPath":"/"}}},"mobile":{"data":null},"tablet":{"data":null}},"eventResource":null,"downloadResource":null,"countryTags":{"data":[{"id":2,"attributes":{"name":"China","createdAt":"2022-03-31T15:17:57.154Z","updatedAt":"2022-03-31T15:17:58.103Z","publishedAt":"2022-03-31T15:17:58.098Z","locale":"en"}}]},"blocks":[{"id":5285,"__component":"resource-blocks.resource-text","text":"\n\n## Summary\n\nIn a recent cyber campaign, the Chinese state-sponsored threat group TAG-112 compromised two Tibetan websites, Tibet Post and Gyudmed Tantric University, to deliver the Cobalt Strike malware. Recorded Future鈥檚 Insikt Group discovered that the attackers embedded malicious JavaScript in these sites, which spoofed a TLS certificate error to trick visitors into downloading a disguised security certificate. This malware, often used by threat actors for remote access and post-exploitation, highlights a continued cyber-espionage focus on Tibetan entities. TAG-112鈥檚 infrastructure, concealed using Cloudflare, links this campaign to other China-sponsored operations, particularly TAG-102 (Evasive Panda).\n\n\u003chr\u003e\n\n## China-Based TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike\n\nCyberattacks targeting ethnic and religious minority groups in China continue, with new developments pointing to a targeted campaign against Tibetan organizations. In a recent investigation, Recorded Future鈥檚 Insikt Group discovered a Chinese state-sponsored threat actor group, designated TAG-112, responsible for compromising Tibetan community websites and delivering Cobalt Strike, a potent cyber-espionage tool.\n\n## Key Findings\n\nIn late May 2024, TAG-112 compromised at least two Tibetan community websites: Tibet Post (tibetpost[.]net) and Gyudmed Tantric University (gyudmedtantricuniversity[.]org). The attackers exploited vulnerabilities in the Joomla content management system (CMS) used by these sites to implant malicious JavaScript. This JavaScript prompted visitors to download a fake security certificate, which, when opened, deployed the Cobalt Strike payload.\n\nTAG-112鈥檚 infrastructure shows notable overlap with TAG-102 ([Evasive Panda](https://therecord.media/china-based-hackers-evasive-isps-malware)), a more sophisticated Chinese state-sponsored group known for targeting Tibetan entities. However, Insikt Group has identified TAG-112 as a separate entity due to differences in attack maturity and tactics, such as using Cobalt Strike rather than custom malware and foregoing JavaScript obfuscation.\n\n### Malicious JavaScript and Spoofed TLS Error\n\nThe attack begins with the malicious JavaScript embedded in the compromised websites. When a user visits one of these sites, the script detects the operating system and browser type, confirming compatibility with Windows. If compatible, the script initiates a connection with TAG-112鈥檚 command-and-control (C2) domain, update[.]maskrisks[.]com, which then returns an HTML page spoofing a legitimate TLS certificate error.\n\nThis spoofed error page is crafted to mimic Google Chrome鈥檚 TLS certificate warning, deceiving users into clicking a link to \"download a security certificate.\" Upon clicking, users unknowingly initiate the download of [Cobalt Strike](https://www.recordedfuture.com/blog/detect-cobalt-strike-inside-look), a legitimate tool commonly used by security testers but often exploited by attackers for remote access and command execution.\n\n### Exploiting Website Vulnerabilities\n\nTAG-112 likely gained access to the compromised Tibetan websites through vulnerabilities in Joomla, a popular CMS. Websites built on Joomla are frequently targeted by attackers if they are not adequately maintained and updated. Likely by exploiting these weaknesses, TAG-112 was able to upload the malicious JavaScript file, which remains active on these sites as of early October 2024.\n\n### Infrastructure and Obfuscation Tactics\n\nTAG-112鈥檚 infrastructure shows a level of sophistication in concealing its origins. The group used Cloudflare to shield its servers' IP addresses, complicating efforts to trace the infrastructure back to its origin. Insikt Group identified multiple IP addresses linked to TAG-112鈥檚 C2 servers, some active as early as March 2024. The primary domain, maskrisks[.]com, was registered in March 2024 through Namecheap, with subdomains such as mail[.]maskrisks[.]com and checkupdate[.]maskrisks[.]com added for further operational flexibility.\n\n### TAG-112鈥檚 Use of Cobalt Strike\n\nCobalt Strike is a commercial penetration testing tool that has become a favorite among threat actors due to its versatility and powerful capabilities for remote access, lateral movement, and command-and-control. Insikt Group identified six distinct Cobalt Strike Beacon samples linked to TAG-112, with their C2 communication directed to mail[.]maskrisks[.]com. This malware enables TAG-112 to monitor and control compromised systems, gathering intelligence and potentially leveraging these infected systems for further espionage activities.\n\n### Connections to TAG-102 (Evasive Panda)\n\nTAG-112 shares several operational characteristics with TAG-102 (Evasive Panda), another [Chinese APT known for targeting the Tibetan community](https://www.recordedfuture.com/research/chinese-cyberespionage-operations). Both groups have used similar methods, including spoofed error pages to deliver malicious files. However, TAG-112鈥檚 operations are less sophisticated than TAG-102, indicating that it may be a subgroup or less experienced branch. For instance, while TAG-102 has deployed customized malware and used obfuscation techniques, TAG-112 relies on the readily available Cobalt Strike tool without obfuscating its JavaScript.\n\nDespite the lack of obfuscation, TAG-112鈥檚 tactics and overlaps with TAG-102 highlight the Chinese government鈥檚 ongoing interest in Tibetan and other ethnic and religious minority communities. Such campaigns are part of a broader strategy of surveillance and control, targeting groups perceived as threats to the stability and control of the Chinese Communist Party (CCP).\n\n### Mitigation Recommendations\n\nTAG-112鈥檚 campaign underscores the importance of proactive cybersecurity measures, particularly for organizations that may be high-value targets for state-sponsored actors. Recorded Future recommends the following steps:\n\n1. **Intrusion Detection and Prevention**: Configure intrusion detection (IDS) and intrusion prevention systems (IPS) to alert on any indicators of compromise (IoCs) associated with TAG-112. Consider blocking connections to known TAG-112 infrastructure after a thorough review.\n2. **User Training**: Educate users to exercise caution when handling files downloaded from untrusted sources. Advise users against opening files that download automatically without input, as these could be part of phishing or drive-by download attacks.\n3. **Cobalt Strike Detection**: Enable real-time monitoring for malicious Cobalt Strike C2 servers using threat intelligence modules such as Recorded Future鈥檚 Intelligence Cloud.\n4. **Network Monitoring**: Regularly monitor network traffic for signs of compromise, particularly for connections to known threat infrastructure. Malicious Traffic Analysis (MTA) can help detect unusual activity, alerting security teams to potential C2 communications.\n\n## Outlook\n\nTAG-112鈥檚 operations against Tibetan organizations reflect a longstanding objective within [Chinese cyber-espionage](https://www.recordedfuture.com/research/charting-chinas-climb-leading-global-cyber-power) campaigns to monitor and control ethnic and religious minorities, especially those seen as potentially destabilizing. Other groups and regions with similar CCP-designated risk profiles are likely targets of similar state-sponsored attacks.\n\n\n\nTo read the entire analysis, [click here](https://go.recordedfuture.com/hubfs/reports/cta-cn-2024-1112.pdf) to download the report as a PDF.","link":null}]}}}}}],"meta":{"pagination":{"page":1,"pageSize":25,"pageCount":1,"total":1}}},"search":{"data":{"id":1,"attributes":{"searchText":"Search for...","searchField":"Begin your search!","popularSearchesText":"Popular Searches","noResultsText":"We could not find any results for your search, so why not start with the articles listed below?","filtersTitleText":"Refine your search","filtersClearText":"Clear all","filtersApplyFiltersText":"Apply Filters","createdAt":"2023-01-11T09:34:38.603Z","updatedAt":"2023-01-11T09:34:39.896Z","publishedAt":"2023-01-11T09:34:39.891Z","image":null,"popularSearches":[{"id":1,"text":"Artificial Intelligence"}]}},"meta":{}},"previewMode":false},"__N_SSG":true},"page":"/[[...slug]]","query":{"slug":["research","china-nexus-tag-112-compromises-tibetan-websites"]},"buildId":"j2JvDgGLGrnhH6NPDpk9f","isFallback":false,"isExperimentalCompile":false,"gsp":true,"scriptLoader":[{"id":"vwoCode","strategy":"lazyOnload","children":"window._vwo_code || (function() {\n var account_id=880669,\n version=2.1,\n settings_tolerance=2000,\n hide_element='body',\n hide_element_style = 'opacity:0 !important;filter:alpha(opacity=0) !important;background:none !important',\n /* DO NOT EDIT BELOW THIS LINE */\n f=false,w=window,d=document,v=d.querySelector('#vwoCode'),cK='_vwo_'+account_id+'_settings',cc={};try{var c=JSON.parse(localStorage.getItem('_vwo_'+account_id+'_config'));cc=c\u0026\u0026typeof c==='object'?c:{}}catch(e){}var stT=cc.stT==='session'?w.sessionStorage:w.localStorage;code={use_existing_jquery:function(){return typeof use_existing_jquery!=='undefined'?use_existing_jquery:undefined},library_tolerance:function(){return typeof library_tolerance!=='undefined'?library_tolerance:undefined},settings_tolerance:function(){return cc.sT||settings_tolerance},hide_element_style:function(){return'{'+(cc.hES||hide_element_style)+'}'},hide_element:function(){if(performance.getEntriesByName('first-contentful-paint')[0]){return''}return typeof cc.hE==='string'?cc.hE:hide_element},getVersion:function(){return version},finish:function(e){if(!f){f=true;var t=d.getElementById('_vis_opt_path_hides');if(t)t.parentNode.removeChild(t);if(e)(new Image).src='https://dev.visualwebsiteoptimizer.com/ee.gif?a='+account_id+e}},finished:function(){return f},addScript:function(e){var t=d.createElement('script');t.type='text/javascript';if(e.src){t.src=e.src}else{t.text=e.text}d.getElementsByTagName('head')[0].appendChild(t)},load:function(e,t){var i=this.getSettings(),n=d.createElement('script'),r=this;t=t||{};if(i){n.textContent=i;d.getElementsByTagName('head')[0].appendChild(n);if(!w.VWO||VWO.caE){stT.removeItem(cK);r.load(e)}}else{var o=new XMLHttpRequest;o.open('GET',e,true);o.withCredentials=!t.dSC;o.responseType=t.responseType||'text';o.onload=function(){if(t.onloadCb){return t.onloadCb(o,e)}if(o.status===200){w._vwo_code.addScript({text:o.responseText})}else{w._vwo_code.finish('\u0026e=loading_failure:'+e)}};o.onerror=function(){if(t.onerrorCb){return t.onerrorCb(e)}w._vwo_code.finish('\u0026e=loading_failure:'+e)};o.send()}},getSettings:function(){try{var e=stT.getItem(cK);if(!e){return}e=JSON.parse(e);if(Date.now()\u003ee.e){stT.removeItem(cK);return}return e.s}catch(e){return}},init:function(){if(d.URL.indexOf('__vwo_disable__')\u003e-1)return;var e=this.settings_tolerance();w._vwo_settings_timer=setTimeout(function(){w._vwo_code.finish();stT.removeItem(cK)},e);var t;if(this.hide_element()!=='body'){t=d.createElement('style');var i=this.hide_element(),n=i?i+this.hide_element_style():'',r=d.getElementsByTagName('head')[0];t.setAttribute('id','_vis_opt_path_hides');v\u0026\u0026t.setAttribute('nonce',v.nonce);t.setAttribute('type','text/css');if(t.styleSheet)t.styleSheet.cssText=n;else t.appendChild(d.createTextNode(n));r.appendChild(t)}else{t=d.getElementsByTagName('head')[0];var n=d.createElement('div');n.style.cssText='z-index: 2147483647 !important;position: fixed !important;left: 0 !important;top: 0 !important;width: 100% !important;height: 100% !important;background: white !important;';n.setAttribute('id','_vis_opt_path_hides');n.classList.add('_vis_hide_layer');t.parentNode.insertBefore(n,t.nextSibling)}var o='https://dev.visualwebsiteoptimizer.com/j.php?a='+account_id+'\u0026u='+encodeURIComponent(d.URL)+'\u0026vn='+version;if(w.location.search.indexOf('_vwo_xhr')!==-1){this.addScript({src:o})}else{this.load(o+'\u0026x=true')}}};w._vwo_code=code;code.init();})();(function(){var i=window;function t(){if(i._vwo_code){var e=t.hidingStyle=document.getElementById('_vis_opt_path_hides')||t.hidingStyle;if(!i._vwo_code.finished()\u0026\u0026!_vwo_code.libExecuted\u0026\u0026(!i.VWO||!VWO.dNR)){if(!document.getElementById('_vis_opt_path_hides')){document.getElementsByTagName('head')[0].appendChild(e)}requestAnimationFrame(t)}}}t()})();"}]}</script></body></html>