A hacker group believed to be tied to Russia, known as TAG-110, has recently launched a new wave of phishing attacks in Tajikistan. They are using Word documents that contain embedded macros to distribute malicious code.
The cybersecurity firm Recorded Future, specifically its Insikt Group, flagged this change in tactics. TAG-110 has historically focused its efforts on Central Asian government entities, so this new campaign is likely to target similar institutions such as government offices, educational institutions, and research centers in Tajikistan.
These cyber operations are thought to be aimed at extracting confidential information that could later be used to sway political decisions or impact regional stability at times of elections or political unrest.
TAG-110, also known as UAC-0063, has a known history of targeting European embassies and various organizations in Central Asia, East Asia, and Europe. The group's activity can be traced back to at least 2021.
Cyber experts suspect a link between TAG-110 and the Russian threat group APT28. In May 2023, cybersecurity company Bitdefender reported that a malware family called DownEx, also known as STILLARCH, was being used against government networks in Kazakhstan and Afghanistan.
That same month, Ukraine’s Computer Emergency Response Team (CERT-UA) officially identified the group as UAC-0063. They found that the group had been targeting Ukrainian government systems using a range of malware tools, including LOGPIE, CHERRYSPY (also called DownExPyer), DownEx, and PyPlunderPlug.
In their most recent campaign, which started in January 2025, the attackers shifted strategies. Rather than attaching malware-laden files like HATVIBE, they now deliver Word templates in the .DOTM format, files that include embedded macros.
Previously, TAG-110 used to send out Word files with macros that directly installed HATVIBE to get into systems. In contrast, their current approach involves placing a specially crafted template in Microsoft Word’s startup folder, ensuring that it is loaded whenever the application is opened.
The phishing emails used to spread these infected files appear to mimic official Tajik government documents, a tactic TAG-110 has used before. However, analysts have yet to determine whether these documents are authentic or fabricated.
The infection process relies heavily on a VBA macro within the Word file. This macro installs a template file in Word’s configuration folder, allowing the malware to persist and execute automatically. It also contacts a remote command-and-control (C2) server, which may issue further commands or provide additional code for the macro to run.
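The persistence mechanism above (a template dropped into Word’s startup folder) is something defenders can audit directly. The script below is an added example, not code from the article or from Recorded Future: a .dotm is an OOXML zip archive, and it embeds VBA only if it contains the part word/vbaProject.bin, so any template in the per-user STARTUP folder that carries that part will run macros on every Word launch. The default STARTUP path and the sample files are assumptions constructed for the example.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Per-user Word STARTUP folder on Windows (assumed default); templates here load on every launch.
DEFAULT_STARTUP = Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Word" / "STARTUP"
VBA_PART = "word/vbaProject.bin"          # present in an OOXML file only when it carries macros
TEMPLATE_SUFFIXES = {".dotm", ".dotx", ".dot"}


def classify_template(path: Path) -> str:
    """Classify one template: 'macro', 'no_macro', or 'not_ooxml' (legacy binary or corrupt)."""
    if not zipfile.is_zipfile(path):
        return "not_ooxml"                # legacy .dot (OLE2) or damaged file: review manually
    with zipfile.ZipFile(path) as zf:
        return "macro" if VBA_PART in zf.namelist() else "no_macro"


def audit_startup(startup_dir=DEFAULT_STARTUP) -> dict:
    """Map each template file found in the STARTUP folder to its classification."""
    startup_dir = Path(startup_dir)
    if not startup_dir.is_dir():
        return {}
    return {p.name: classify_template(p)
            for p in sorted(startup_dir.iterdir())
            if p.suffix.lower() in TEMPLATE_SUFFIXES}


def build_sample_startup() -> Path:
    """Create a constructed STARTUP folder with three sample templates (test data only)."""
    d = Path(tempfile.mkdtemp(prefix="word_startup_"))
    with zipfile.ZipFile(d / "addin.dotm", "w") as zf:        # macro-free OOXML template
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    with zipfile.ZipFile(d / "update.dotm", "w") as zf:       # OOXML template carrying a VBA project
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(VBA_PART, b"constructed placeholder, not real VBA")
    (d / "legacy.dot").write_bytes(b"\xd0\xcf\x11\xe0 constructed stub")  # OLE2 magic, not a zip
    return d


if __name__ == "__main__":
    for name, status in audit_startup().items():
        print(f"{status:10s} {name}")
```

Run it on a workstation to list every template Word will auto-load; a "macro" entry that the user or IT did not deploy is the artefact to pull for analysis.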
While researchers haven’t confirmed what comes next in the infection chain, they suspect it could include familiar tools like HATVIBE, CHERRYSPY, LOGPIE, or possibly something entirely new and customized for espionage activities.