The Russian state-sponsored cyber-espionage group TAG-110 (UAC-0063) is actively targeting organizations in Central Asia, East Asia, and Europe, deploying custom malware such as HATVIBE and CHERRYSPY to gain unauthorized access to victim networks.
Initial access is achieved through phishing emails or by exploiting vulnerabilities in web-facing services such as Rejetto HTTP File Server; the primary targets include human rights groups, private security companies, and educational institutions.
The group’s activities align with Russian geopolitical interests, likely aimed at gathering intelligence to support military operations in Ukraine and monitor regional developments.
TAG-110, a cyber threat actor, has been using HATVIBE, a custom HTML Application (HTA) loader, and CHERRYSPY, a Python backdoor, to target organizations in Central Asia and Eastern Europe since at least April 2023.
The HATVIBE malware is delivered through malicious documents or by exploiting vulnerabilities, and it uses scheduled tasks for persistence.
Encoded VBScript within HATVIBE communicates with C2 servers using HTTP PUT requests, sending information such as usernames and computer names. TAG-110 registers domains through Namecheap and hosts its C2 servers on VPS infrastructure.
CHERRYSPY is a custom Python backdoor used by TAG-110 for espionage. It communicates with a hard-coded C2 server over an encrypted channel that combines asymmetric RSA with symmetric AES.
After a successful key exchange, CHERRYSPY uses the new 32-character USR_KAF as the path in all subsequent HTTP POST requests.
The backdoor then enters a loop, polling the C2 server for tasks, decrypting them, and executing them on worker threads. As with HATVIBE, the C2 servers run on VPS infrastructure with domains registered through Namecheap.
Insikt Group recommends a multi-layered defense against HATVIBE and CHERRYSPY: configure IDS/IPS to alert on indicators associated with these threats using the provided Snort, Suricata, and YARA rules.
Monitor for suspicious activity such as the execution of HTA files and scheduled tasks created by mshta.exe, and patch Rejetto HTTP File Server against CVE-2024-23692.
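The following is an added example, not Insikt Group's rules or either implant's code: two heuristic hunting checks for the behaviours described above (scheduled tasks created by mshta.exe and HTA execution, HATVIBE's HTTP PUT check-ins, and CHERRYSPY's POSTs to a 32-character key path), run over constructed process-creation and proxy-log samples.

```python
# Heuristic detections for the TAG-110 behaviours described above (added example,
# not Insikt Group's rules); all log data below is constructed for illustration.
import re
from urllib.parse import urlsplit

PROCESS_EVENTS = [  # constructed (parent image, image, command line) triples
    (r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn Upd /tr "mshta C:\Users\u\AppData\Roaming\x.hta" /sc minute'),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Users\u\Downloads\invoice.hta"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

# Constructed proxy log lines: "<client> <method> <url>".
PROXY_LOG = """\
10.0.0.5 PUT http://198.51.100.7/
10.0.0.5 POST http://198.51.100.7/a1b2c3d4e5f60718293a4b5c6d7e8f90
10.0.0.6 POST http://intranet.example/api/v1/upload
10.0.0.7 GET http://example.com/index.html
"""

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def flag_process_events(events):
    """Return (rule, cmdline) pairs for mshta.exe persistence and HTA execution."""
    hits = []
    for parent, image, cmdline in events:
        parent, image = _basename(parent), _basename(image)
        if parent == "mshta.exe" and image == "schtasks.exe":
            hits.append(("mshta_creates_scheduled_task", cmdline))
        elif image == "mshta.exe" and ".hta" in cmdline.lower():
            hits.append(("hta_execution", cmdline))
    return hits

# CHERRYSPY POSTs to a path equal to the 32-character session key; an opaque
# 32-char alphanumeric path with no extension is rare in normal web traffic.
KEY_PATH = re.compile(r"^/[0-9A-Za-z]{32}$")

def flag_http_requests(log):
    """Return (rule, client, url) triples; PUT hits are hunting leads to baseline, not alerts."""
    hits = []
    for line in log.splitlines():
        client, method, url = line.split()
        if method == "POST" and KEY_PATH.match(urlsplit(url).path):
            hits.append(("post_to_32char_path", client, url))
        elif method == "PUT":  # HATVIBE checks in over HTTP PUT, uncommon from workstations
            hits.append(("http_put_checkin_candidate", client, url))
    return hits
```

Tune the PUT rule against your own proxy baseline before alerting on it; the other two rules are specific enough to review as alerts.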
Recent TAG-110 campaigns, likely orchestrated by BlueDelta, have targeted post-Soviet Central Asian states and Ukraine, which aligns with BlueDelta's strategic interests in national security, military operations, and geopolitical influence.
Central Asia is a key focus for Moscow, especially as relations with other post-Soviet states have worsened due to the Ukraine invasion. While definitive attribution to BlueDelta remains uncertain, the overlap in activities suggests a strong connection.