From 8aeb150619d35bba39f66d03c9266959ca0280fd Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Fri, 15 Nov 2024 03:42:18 -0800
Subject: [PATCH] [threat-actors] Add TAG-112

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ee382e99..082a628e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17400,6 +17400,17 @@
       },
       "uuid": "714f76b2-a8fd-49b0-8605-0eb1c9703140",
       "value": "UAC-0194"
+    },
+    {
+      "description": "TAG-112 is a Chinese state-sponsored APT that compromised Tibetan websites, including Tibet Post and Gyudmed Tantric University, to deliver Cobalt Strike malware. The group exploited vulnerabilities in the Joomla CMS to embed malicious JavaScript that spoofed a TLS certificate error, tricking users into downloading a compromised security certificate. TAG-112's infrastructure, concealed using Cloudflare, shows notable overlap with TAG-102, but it employs less sophisticated tactics, relying on Cobalt Strike rather than custom malware. The campaign reflects ongoing cyber-espionage efforts targeting Tibetan entities, likely for information collection and surveillance.",
+      "meta": {
+        "country": "CN",
+        "refs": [
+          "https://www.recordedfuture.com/research/china-nexus-tag-112-compromises-tibetan-websites"
+        ]
+      },
+      "uuid": "9eeb11a0-3fcf-4036-844a-2500c72f8b69",
+      "value": "TAG-112"
     }
   ],
   "version": 320