Russia-Aligned TAG-110 Targets Tajikistan with Macro-Enabled Word Documents www.recordedfuture.com/research/…

From January to February 2025, Insikt Group detected a phishing campaign targeting Tajikistan that Insikt Group attributes to TAG-110, a Russia-aligned threat actor that overlaps with UAC-0063 and has been linked to APT28 (BlueDelta) with medium confidence by CERT-UA. In this campaign, TAG-110 used Tajikistan government-themed documents as lure material, consistent with its historical use of trojanized legitimate government documents, although the authenticity of the current samples could not be independently verified. These documents differ from those used in previous campaigns: they do not embed HATVIBE, the HTA-based payload that TAG-110 has deployed since at least 2023. Instead, TAG-110 has shifted to macro-enabled Word template files (.dotm) as the initial payload. Given TAG-110's historical targeting of public sector entities in Central Asia, this campaign is likely aimed at government, educational, and research institutions within Tajikistan.
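The shift from an embedded HTA payload to macro-enabled template files changes what a triage analyst should look for: a .dotm (or .docm) is an OOXML zip package whose manifest declares a VBA project part. The script below is an added example, not code from the Recorded Future report or from any TAG-110 sample; it inspects a package's [Content_Types].xml and file list rather than trusting the file extension, because the extension is chosen by the sender. The samples it builds are constructed in memory and contain placeholder bytes, not real macro code.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Content type Word assigns to the compiled VBA project part (word/vbaProject.bin).
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# The content type of the main document part identifies the package kind.
MAIN_PART_TYPES = {
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml": "dotm",
    "application/vnd.ms-word.document.macroEnabled.main+xml": "docm",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.template.main+xml": "dotx",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml": "docx",
}
KIND_TO_MAIN_TYPE = {v: k for k, v in MAIN_PART_TYPES.items()}
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def inspect_ooxml(data: bytes) -> dict:
    """Triage an OOXML Word package from its raw bytes; the extension is never consulted."""
    result = {"valid_zip": False, "declared_kind": None, "vba_parts": [], "has_vba_project": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    result["valid_zip"] = True
    names = zf.namelist()
    vba_parts = []
    if "[Content_Types].xml" in names:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        for el in root.iter(CT_NS + "Override"):
            ct, part = el.get("ContentType", ""), el.get("PartName", "")
            if ct in MAIN_PART_TYPES:
                result["declared_kind"] = MAIN_PART_TYPES[ct]
            if ct == VBA_CONTENT_TYPE:
                vba_parts.append(part)
    # Independent second check: the binary part itself, even if the manifest omits it.
    for n in names:
        if n.lower().endswith("vbaproject.bin") and ("/" + n) not in vba_parts:
            vba_parts.append("/" + n)
    result["vba_parts"] = vba_parts
    result["has_vba_project"] = bool(vba_parts)
    return result


def build_sample(kind: str, with_vba: bool) -> bytes:
    """Construct a minimal synthetic package for testing (not a real TAG-110 lure)."""
    overrides = [
        f'<Override PartName="/word/document.xml" ContentType="{KIND_TO_MAIN_TYPE[kind]}"/>'
    ]
    if with_vba:
        overrides.append(
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        + "".join(overrides)
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes standing in for an OLE2 VBA project; constructed, not real.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    for kind, vba in (("dotm", True), ("docx", False)):
        print(kind, inspect_ooxml(build_sample(kind, vba)))
```

Two separate signals are reported on purpose: `declared_kind` comes from the manifest, which is what Word uses to decide how to treat the file, while `vba_parts` also falls back to the file list so a package whose manifest has been edited to hide the VBA part still surfaces. For real samples, feed the bytes of the attachment to `inspect_ooxml` and hand any file with `has_vba_project` set to a macro analysis tool such as olevba for the actual VBA.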

Russia’s Central Asian policy centers on preserving a post-Soviet sphere of influence by embedding itself at the core of the region’s security, economic, and political architecture. TAG-110’s activities continue to bolster this policy through intelligence-gathering operations. Insikt Group anticipates TAG-110 will sustain regional operations against government ministries, academic and research bodies, and diplomatic missions, particularly those involved in upcoming elections, military operations, or other events the Kremlin wishes to influence.
