TAG-110 Hackers Deploy Malicious Word Templates in Targeted Attacks

The Russia-aligned threat actor TAG-110, which overlaps with UAC-0063 and has been linked to APT28 (BlueDelta) with medium confidence by CERT-UA, has shifted tactics to target government, educational, and research entities in Tajikistan.

According to analysis by Recorded Future's Insikt Group, TAG-110 has moved away from the HTA-based HATVIBE loader it has used since at least 2023 and now relies on macro-enabled Microsoft Word template files (.dotm) for both initial access and persistence.

These templates, dressed up to pass as legitimate Tajikistan government documents, mark a tactical evolution in service of Russia's influence in Central Asia: intelligence gathering around sensitive regional events such as elections or military operations.

New Phishing Tactics Target Tajikistan Institutions

The campaign involves two documents identified by their SHA256 hashes: d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7, a radiation-safety document themed for Tajikistan's armed forces, and 8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7, an election-schedule document for Dushanbe.

Figure: First page of d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7

Both files, created in late 2024 and first seen in early 2025, carry VBA macros that establish persistence by copying the document into the Word STARTUP folder (%APPDATA%\Microsoft\Word\STARTUP). Word loads every template in that folder as a global template each time it starts, so the macro code runs on every launch of Word without the lure ever being reopened.

The macros run from the Document_Open() sub-procedure when the lure is opened and from AutoExec() when Word loads the planted global template at startup. They collect system information such as the computer name, username, and monitor resolution and transmit it in HTTP POST requests with Base64-encoded identifiers to a command-and-control (C2) server at 38.180.206[.]61:80/engine.php.

Technical Breakdown of Malicious Payloads

The getInfo() and start() sub-procedures handle the subsequent communication with the C2 server and are the likely path for retrieving and executing additional code, potentially known TAG-110 malware such as CHERRYSPY or LOGPIE.

The shift to .dotm files favours stealth and persistence over the previously used HATVIBE payload. The macro also modifies the registry, setting the Office AccessVBOM value (HKCU\Software\Microsoft\Office\<version>\Word\Security\AccessVBOM, the "Trust access to the VBA project object model" option). With that value enabled, a macro can programmatically read and write VBA code in other documents, which is what lets it plant its own code in the STARTUP template without any user prompt; the registry change itself is a useful detection artifact.

Figure: VBA macro source code

Insikt Group notes that while the authenticity of the lure documents remains unverified, TAG-110's history of repurposing legitimate government materials makes tailored spearphishing against Tajikistan's public sector the most likely delivery method.

This campaign underscores TAG-110’s ongoing alignment with Russia’s geopolitical objectives in Central Asia, focusing on intelligence collection to influence regional politics and security.

Organizations are urged to monitor the Word STARTUP directory for unauthorized template files, keep macros disabled by default, and alert on changes to the Office AccessVBOM registry value, since a macro enabling it is rarely legitimate.
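As an added example (not tooling from the Insikt Group report), the following Python script implements the STARTUP-folder check recommended above and ties it to the persistence mechanism described earlier: it hashes each template in a Word STARTUP directory against the SHA256 values in this article's IoC list and inspects the OOXML package for the word/vbaProject.bin part and the macro-enabled content type, so a macro template renamed to a "clean" .dotx extension is still flagged. The file names, the placeholder vbaProject.bin bytes and the sample folder it builds are constructed for the demonstration.

```python
"""Triage Word templates in a Word STARTUP folder for embedded VBA.

A .dotm is an OOXML (zip) package. A macro-enabled template carries a
word/vbaProject.bin part and declares the macro-enabled content type for its
main document part in [Content_Types].xml, so both can be checked without
opening the file in Word. Added illustration, not code from the report.
"""
import hashlib
import os
import tempfile
import zipfile
from dataclasses import dataclass

# Content types Word writes for the main document part.
MACRO_TEMPLATE_CT = "application/vnd.ms-word.template.macroEnabledTemplate.main+xml"
MACRO_DOCUMENT_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
CLEAN_TEMPLATE_CT = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.template.main+xml"
)
VBA_PART = "word/vbaProject.bin"

# SHA256 values from the article's IoC table.
KNOWN_BAD_SHA256 = {
    "d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7",
    "8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7",
    "6c81d2af950e958f4872d3ced470d9f70b7d73bc0b92c20a34ce8bf75d551609",
}


@dataclass
class Finding:
    path: str
    sha256: str
    is_ooxml: bool
    has_vba_part: bool
    macro_content_type: bool
    known_bad: bool

    @property
    def suspicious(self) -> bool:
        # Anything loading from STARTUP that carries VBA deserves review; the
        # content-type check catches macro files renamed to a clean extension.
        return self.known_bad or self.has_vba_part or self.macro_content_type


def inspect_template(path: str) -> Finding:
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    is_ooxml = has_vba = macro_ct = False
    if zipfile.is_zipfile(path):
        is_ooxml = True
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            has_vba = VBA_PART in names
            if "[Content_Types].xml" in names:
                ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                macro_ct = MACRO_TEMPLATE_CT in ct_xml or MACRO_DOCUMENT_CT in ct_xml
    return Finding(path, digest, is_ooxml, has_vba, macro_ct, digest in KNOWN_BAD_SHA256)


def scan_startup_dir(startup_dir: str) -> list:
    """Inspect every template-like file in a STARTUP folder, sorted by name.

    Word loads templates from this folder as global templates on every start,
    so each file here is a persistence candidate.
    """
    exts = {".dot", ".dotx", ".dotm", ".docm"}
    findings = []
    for name in sorted(os.listdir(startup_dir)):
        full = os.path.join(startup_dir, name)
        if os.path.isfile(full) and os.path.splitext(name)[1].lower() in exts:
            findings.append(inspect_template(full))
    return findings


def default_startup_dir() -> str:
    """%APPDATA%\\Microsoft\\Word\\STARTUP for the current user (Windows only)."""
    return os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Word", "STARTUP")


def _write_ooxml(path: str, main_ct: str, with_vba: bool) -> None:
    # Minimal constructed package: just enough parts for the checks above.
    ct = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    )
    if with_vba:
        ct += ('<Override PartName="/word/vbaProject.bin" '
               'ContentType="application/vnd.ms-office.vbaProject"/>')
    ct += "</Types>"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes standing in for a real OLE vbaProject stream.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0constructed-placeholder")


def build_sample_startup_dir() -> str:
    """Create a constructed STARTUP folder with three sample templates."""
    d = tempfile.mkdtemp(prefix="word_startup_")
    _write_ooxml(os.path.join(d, "letterhead.dotx"), CLEAN_TEMPLATE_CT, with_vba=False)
    _write_ooxml(os.path.join(d, "report.dotm"), MACRO_TEMPLATE_CT, with_vba=True)
    # Macro template renamed to a "clean" extension: still flagged by content.
    _write_ooxml(os.path.join(d, "styles.dotx"), MACRO_TEMPLATE_CT, with_vba=True)
    return d


if __name__ == "__main__":
    target = default_startup_dir()
    if not os.path.isdir(target):
        target = build_sample_startup_dir()
    for f in scan_startup_dir(target):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {os.path.basename(f.path):18} vba={f.has_vba_part} "
              f"macro_ct={f.macro_content_type} known_bad={f.known_bad} {f.sha256[:16]}")
```

On a Windows host the script scans the current user's %APPDATA%\Microsoft\Word\STARTUP; elsewhere it falls back to the constructed sample folder. A hit only means VBA is present, so a legitimate corporate add-in is flagged too; compare results against an inventory of approved templates. Legacy binary .dot files are OLE2 rather than zip and come out with is_ooxml=False, so examine those separately (for example with oletools' olevba).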

Insikt Group anticipates TAG-110 will continue targeting Central Asian entities, particularly around significant events, using evolving tactics and custom malware to maintain its espionage foothold.

Indicators of Compromise (IoC)

IP addresses
38.180.206[.]61
188.130.234[.]189

SHA256 hashes
d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7
6c81d2af950e958f4872d3ced470d9f70b7d73bc0b92c20a34ce8bf75d551609
8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7
