Zscaler Blog
Illusory Wishes: China-nexus APT Targets the Tibetan Community
Introduction
In June 2025, Zscaler ThreatLabz collaborated with TibCERT to investigate two cyberattack campaigns targeting the Tibetan community. Our analysis linked these attacks, dubbed Operation GhostChat and Operation PhantomPrayers, to a China-nexus APT group, which capitalized on increased online activity around the Dalai Lama's 90th birthday to distribute malware in multi-stage attacks. In this blog post, we outline how the attackers compromised a legitimate website, redirecting users via a malicious link and ultimately installing either the Ghost RAT or PhantomNet (SManager) backdoor onto victim systems.
Zscaler ThreatLabz would like to thank the TibCERT team for their collaboration throughout this investigation.
Key Takeaways
- ThreatLabz observed targeted malware intrusions that employed social engineering tactics, leveraging the Dalai Lama’s 90th birthday through strategic web compromises to lure Tibetan community members and redirect them to attacker-controlled sites.
- Operation GhostChat and Operation PhantomPrayers relied on multi-stage infection chains to deploy the Ghost RAT and PhantomNet backdoors, respectively. These chains included DLL sideloading, shellcode injection, and encrypted payloads to execute their attacks.
- The campaigns employed evasion techniques like code injection, using low-level APIs, and overwriting user mode API hooks to evade endpoint security solutions.
- Based on the victimology targeting the Tibetan community, the use of Ghost RAT and PhantomNet, and the deployment of tailored TTPs, we attribute these campaigns with high confidence to a China-nexus APT group.
Overview
Cyberattacks intensified in the weeks leading up to the Dalai Lama’s 90th birthday on July 6th, a culturally significant event for the Tibetan community that spurred heightened online activity. During this period, threat actors launched Operation GhostChat and Operation PhantomPrayers, leveraging multiple subdomains under niccenter[.]net to impersonate legitimate platforms. These subdomains were used to lure victims into downloading malicious software with Tibet-related themes, initiating a multi-stage infection chain that ultimately deployed Ghost RAT or PhantomNet (SManager) backdoors (malware tools commonly linked to China-nexus threat groups).
Operation GhostChat
In June 2025, threat actors carried out a strategic web compromise by replacing the legitimate link, tibetfund.org/90thbirthday, on a compromised webpage with a malicious link. The original link directed users to a page inviting members of the Tibetan community to send greetings to the Dalai Lama, but the malicious link redirected them to a fraudulent page hosted at thedalailama90.niccenter[.]net. This fake page was designed to closely mimic the original tibetfund.org site.
The figure below compares the legitimate webpage and the malicious replica created by the threat actor.

Figure 1: A side-by-side comparison of the legitimate Tibetan webpage and the malicious replica created by the threat actor.
The malicious webpage includes an option to download an encrypted chat application, designed to lure the targeted user to connect with other members of the Tibetan community under the pretense of secure communication. Clicking on this “chat” option redirects users to tbelement.niccenter[.]net, where they are prompted to download a backdoored version of Element, a popular open-source encrypted chat application.
The figure below shows the webpage created by the threat actor which impersonates the Element messaging application to lure users.

Figure 2: Webpage crafted by threat actor to distribute a backdoored version of the Element messaging application.
The webpage also contains JavaScript code designed to collect the visitor’s IP address and user-agent information. Using WebRTC, the malicious webpage retrieves the user’s IP address and then sends the information collected via an HTTP POST request to save_ip.php, a PHP script hosted on the same server.
The figure below shows the JavaScript code responsible for this action.

Figure 3: The JavaScript code on the webpage used to collect the user's IP address and user-agent information.
When the user clicks the “Download” button on the webpage shown in Figure 2, a ZIP archive is downloaded from the following URL: https://tbelement.niccenter[.]net/Download/TBElement.zip.
TBElement.zip contains multiple components related to the legitimate messaging application, Element. However, the legitimate DLL, ffmpeg.dll, has been replaced with a malicious DLL. Since the legitimate, digitally signed file Element.exe is vulnerable to DLL sideloading, it automatically loads the malicious ffmpeg.dll when it runs.
The figure below shows the multiple stages involved in the attack chain.

Figure 4: Multi-stage attack chain for Operation GhostChat.
The technical analysis below describes each stage of the attack chain and how GhostChat orchestrates command-and-control (C2) communication.
Stage 1: Shellcode loader
The ffmpeg.dll file is a stage 1 loader that loads embedded shellcode, injects it into a target process, and executes it. In addition, ffmpeg.dll creates persistence on the compromised machine by adding a Windows registry value.
The table below describes the key functionalities of the ffmpeg.dll file.
Capability | Description |
|---|---|
API resolution | API names are stored as plain text in the binary, with no hashing algorithms used. To resolve API addresses, the export directory of the loaded module is scanned and compared against the API names. The threat actors use less common Windows native APIs like Nt* and Rtl*, likely to evade detection by EDR solutions that focus on monitoring user-mode APIs for suspicious activity. |
Map ntdll from disk | The stage 1 shellcode loader uses a technique to bypass potential user-mode API hooks or memory breakpoints in ntdll.dll. It achieves this by loading a fresh copy of ntdll.dll from disk and mapping it into memory. Here’s how the process works: This process ensures that any API hooks or modifications added by endpoint security solutions in the user-mode ntdll.dll are overwritten. |
Code injection | The stage 1 shellcode loader uses shared memory section-based code injection to inject 32-bit shellcode into a legitimate Windows process, ImagingDevices.exe. The technique relies on low-level APIs to minimize detection by security solutions. The steps are as follows: This method stealthily injects the shellcode into the target process. |
Registry persistence | To achieve persistence, the malware adds a registry value under the path: |
Table 1: Key capabilities of the ffmpeg.dll file.
Stage 2: Reflective loader
The stage 2 shellcode contains an executable compressed with NRV2D, which is one of the compression algorithms supported by the popular UPX packer. To evade detection, the executable’s PE headers have their MZ and PE magic bytes replaced with 0xd and 0xa.
The shellcode allocates memory with PAGE_EXECUTE_READWRITE permissions via VirtualAlloc, reflectively loads the stage 3 executable into this memory region, and then executes it starting at its entry point.
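The following Python is an added illustration, not code from the post or from Zscaler ThreatLabz: it shows how an analyst can recognise and repair a PE image whose magic bytes were replaced in the way described above, for example in a decompressed stage 2 buffer. The post only says that the MZ and PE magic bytes were replaced with 0xd and 0xa; the example assumes each two-byte magic ("MZ" and the "PE" of "PE\0\0") was overwritten with 0x0D 0x0A and that e_lfanew and the remaining headers were left intact. The buffer it operates on is constructed here and is not the real sample.

```python
import struct

# Assumption (the post only says the magics were replaced with 0xd and 0xa):
# "MZ" and "PE" are each overwritten with 0x0D 0x0A, everything else intact.
FILLER = b"\x0d\x0a"
E_LFANEW_OFFSET = 0x3C
DOS_HEADER_SIZE = 0x40
COFF_HEADER_SIZE = 20


def build_minimal_pe() -> bytes:
    """Construct a tiny PE-shaped buffer for demonstration (not a runnable
    image): a DOS header whose e_lfanew points at "PE\\0\\0" plus a COFF header."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, DOS_HEADER_SIZE)
    # Machine=i386, 1 section, timestamp, symtab ptr, symcount, opt hdr size, characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def tamper_headers(pe: bytes) -> bytes:
    """Apply the header change described in the post to the constructed buffer."""
    buf = bytearray(pe)
    e_lfanew = struct.unpack_from("<I", buf, E_LFANEW_OFFSET)[0]
    buf[0:2] = FILLER
    buf[e_lfanew:e_lfanew + 2] = FILLER
    return bytes(buf)


def _e_lfanew(buf: bytes):
    """Return e_lfanew if it points to a plausible place inside buf, else None."""
    if len(buf) < DOS_HEADER_SIZE:
        return None
    e_lfanew = struct.unpack_from("<I", buf, E_LFANEW_OFFSET)[0]
    if e_lfanew < DOS_HEADER_SIZE or e_lfanew + 4 + COFF_HEADER_SIZE > len(buf):
        return None
    return e_lfanew


def is_valid_pe(buf: bytes) -> bool:
    e_lfanew = _e_lfanew(buf)
    return (e_lfanew is not None and buf[:2] == b"MZ"
            and buf[e_lfanew:e_lfanew + 4] == b"PE\0\0")


def is_tampered_pe(buf: bytes) -> bool:
    """Heuristic: both magics carry the filler, the two NUL bytes of the PE
    signature survive, and e_lfanew is consistent with the buffer size."""
    e_lfanew = _e_lfanew(buf)
    return (e_lfanew is not None and buf[:2] == FILLER
            and buf[e_lfanew:e_lfanew + 4] == FILLER + b"\0\0")


def fix_pe_headers(buf: bytes) -> bytes:
    """Restore "MZ" and "PE" so standard PE tooling can parse the image again."""
    if not is_tampered_pe(buf):
        raise ValueError("buffer does not look like a PE with replaced magics")
    out = bytearray(buf)
    e_lfanew = struct.unpack_from("<I", out, E_LFANEW_OFFSET)[0]
    out[0:2] = b"MZ"
    out[e_lfanew:e_lfanew + 2] = b"PE"
    return bytes(out)


def find_embedded_pe(blob: bytes):
    """Scan a buffer (e.g. decompressed stage 2 output) for offsets holding a
    valid or a tampered PE header; returns a list of (offset, kind)."""
    hits = []
    for off in range(len(blob) - DOS_HEADER_SIZE + 1):
        window = blob[off:]
        if is_valid_pe(window):
            hits.append((off, "valid"))
        elif is_tampered_pe(window):
            hits.append((off, "tampered"))
    return hits


if __name__ == "__main__":
    # Constructed demo: a tampered image preceded by some shellcode-like padding.
    blob = b"\x90" * 32 + tamper_headers(build_minimal_pe())
    for off, kind in find_embedded_pe(blob):
        print(f"offset {off:#x}: {kind} PE header")
        if kind == "tampered":
            fixed = fix_pe_headers(blob[off:])
            print("restored magics:", fixed[:2], fixed[0x40:0x44])
```

The heuristic deliberately requires the two trailing NUL bytes of the PE signature and a sane e_lfanew, so a stray CR/LF pair in data does not trigger it; a real-world scanner would also validate the COFF and optional header fields before carving.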
Stage 3: Ghost RAT
The stage 3 executable is a variant of Ghost RAT. Its embedded configuration is encrypted with a custom algorithm resembling RC4 but modified significantly. This implementation adds bitwise operations, and its Key Scheduling Algorithm (KSA) is altered so the provided key does not affect encryption or decryption. Python code to decrypt the configuration is available in our GitHub repository.
C2 communication
Ghost RAT communicates with its C2 server at 104.234.15[.]90:19999 using a TCP binary protocol. This variant features a custom packet header that uses "KuGou" instead of the usual "Gh0st" and encrypts its traffic using the same RC4-like algorithm used for the configuration encryption.
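As an added example (not code from the post), the Python below flags TCP payloads that start with a Ghost RAT-style packet header and reports whether the original "Gh0st" magic or this variant's "KuGou" magic is present. It assumes the classic Gh0st framing of a 5-byte magic followed by a 4-byte little-endian total length and a 4-byte little-endian uncompressed length, and that the magic bytes travel in the clear; the post confirms only the magic string itself, and the sample payloads are constructed, not captures from the campaign.

```python
import struct

# Assumed framing (classic Gh0st): magic[5] | total_len[4 LE] | orig_len[4 LE] | body.
# Only the magic strings are taken from the post; the layout is an assumption.
MAGICS = {
    b"Gh0st": "Ghost RAT (original header)",
    b"KuGou": "Ghost RAT (KuGou variant seen in Operation GhostChat)",
}
HEADER_LEN = 13


def build_packet(magic: bytes, body: bytes, orig_len=None) -> bytes:
    """Construct a framed packet; used here only to create sample data."""
    if orig_len is None:
        orig_len = len(body)
    return magic + struct.pack("<II", HEADER_LEN + len(body), orig_len) + body


def parse_header(payload: bytes):
    """Return header fields if payload starts with a known magic, else None."""
    if len(payload) < HEADER_LEN:
        return None
    magic = payload[:5]
    if magic not in MAGICS:
        return None
    total_len, orig_len = struct.unpack_from("<II", payload, 5)
    return {
        "family": MAGICS[magic],
        "magic": magic.decode("ascii"),
        "total_len": total_len,
        "orig_len": orig_len,
        # A declared length that disagrees with what was seen on the wire
        # usually means a partial capture or a non-matching protocol.
        "length_consistent": total_len == len(payload),
    }


def scan_flows(flows):
    """Check the first payload of each flow; return (index, magic) for hits."""
    hits = []
    for i, payload in enumerate(flows):
        hdr = parse_header(payload)
        if hdr is not None:
            hits.append((i, hdr["magic"]))
    return hits


# Constructed sample payloads (not from the campaign).
SAMPLE_FLOWS = [
    build_packet(b"KuGou", b"\x11" * 20),             # KuGou variant beacon
    build_packet(b"Gh0st", b"\x22" * 8),              # classic Gh0st beacon
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",  # benign HTTP
    b"KuGo",                                          # truncated, too short
]

if __name__ == "__main__":
    for i, magic in scan_flows(SAMPLE_FLOWS):
        print(i, magic, parse_header(SAMPLE_FLOWS[i]))
```

In a network sensor this check would be applied to the first data segment of each flow toward the C2 port; because the body is encrypted with the RC4-like routine, only the header is inspectable without the variant's key schedule.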
Malicious functionality is largely implemented in the exported functions of a plugin DLL named config.dll. This DLL is downloaded from the C2 server and stored on disk at C:\Users\Public\Documents\config.dll. To evade static AV scans, the DLL is XOR-encoded with a one-byte key (0x15) and decoded only upon being loaded by the malware.
As the exact DLL couldn’t be retrieved from the C2 server, its functionality was derived by analyzing a KuGou variant DLL (MD5: 7b9a808987d135e381f93084796fd7c1) and comparing it with the Ghost RAT’s source code.
A table outlining the C2 commands supported by this variant is shown below.
Command ID | Functionality | Source code class |
|---|---|---|
0x0 | Sets a flag to indicate a successful connection to the C2. | CKernelManager |
0x1 | Executes the | CFileManager |
0x2 | Executes the | CScreenManager |
0x3 | Executes the | CVideoManager |
0x4 | Executes the | CKeyboardManager |
0x5 | Executes the | CAudioManager |
0x6 | Executes the | CSystemManager |
0x7 | Executes the | CShellManager |
0x8 | Retrieves | N/A |
0x9 | Terminates itself. | N/A |
0xD | Sets the | N/A |
0xF | Sets the | N/A |
0x13 | Executes the | N/A |
0x14 | Sends the plugin DLL path hardcoded in the sample | N/A |
0x15 | Executes | CSysInfo |
0x16 | Executes the | CSerManager |
0x17 | Executes the | CRegistry |
Table 2: List of commands supported by the KuGou variant of Ghost RAT.
Operation PhantomPrayers
In June 2025, a new subdomain, hhthedalailama90.niccenter[.]net was used by the threat actor to distribute a malicious application masquerading as a "special prayer check-in" software.
The malicious binary hosted at the URL http://hhthedalailama90.niccenter[.]net/DalaiLamaCheckin.exe is an application built with the PyQt5 framework and the Python data visualization library, Folium, and packaged as an executable using PyInstaller.
The binary displays a graphical user interface (GUI) to the targeted user, prompting them to check in by entering their username and email address. In addition, the GUI also displays an interactive map showing other users who have checked in, thereby adding legitimacy to the social engineering process. In the background, malicious activities are carried out.
The figure below shows the graphical user interface (GUI) displayed to the victim upon execution of DalaiLamaCheckin.exe.

Figure 5: Graphical user interface (GUI) displayed upon execution of DalaiLamaCheckin.exe.
The table below describes the key capabilities of this binary.
Capability | Description |
|---|---|
Directory creation | Creates a directory in the path: |
DLL sideloading infection chain | Copies the following components to the specified directory for the next stage of the infection chain: |
Persistence | Establishes persistence by creating a Windows shortcut file, Birthday Reminder.lnk, in the STARTUP directory. The shortcut’s target path points to VLC.exe in the |
PyQt5 check-in dialog and API integration | Displays a GUI created with PyQt5, prompting the target to check in. The dialog prompts the user to enter their username and email address. Upon check-in, an HTTP GET request is sent to 104.234.15[.]90:59999/api/checkins with the custom HTTP header X-API-KEY: m1baby007. |
Folium-based data visualization | Utilizes the Python visualization library, Folium, to download check-in data from 104.234.15[.]90:59999/api/checkins. The data is parsed to extract usernames and locations, then used to generate a map file named |
Table 3: The key capabilities of the PhantomPrayers binary.
This information is captured at the server's end in the following JSON format.
```json
{
  "username": "",
  "lat": "",
  "lon": "",
  "location": "",
  "timestamp": "",
  "ip": "",
  "email": ""
}
```

The check-in data downloaded from the server is available in our GitHub repository. It appears that most of these entries were fabricated by the threat actor, as the IP addresses captured for most of the usernames belong to hosting providers instead of ISPs.
Below is the configuration present inside the PyInstaller decompiled code.
```python
import os
import tempfile

BACKEND_URL = 'http://104.234.15.90:59999/api'
CHECKIN_URL = f'{BACKEND_URL}/checkin'
CHECKINS_URL = f'{BACKEND_URL}/checkins'
API_KEY = 'm1baby007..'
API_HEADERS = {'X-API-KEY': API_KEY}
BIRTHDAY_VENUE_COORDS = [32.232513887581284, 76.32422089040426]
MAP_HTML_FILE = os.path.join(tempfile.gettempdir(), 'map.html')
APP_NAME_IN_APPDATA = 'DalaiLamaBirthdayCheckin'
```

The PhantomPrayers attack chain closely resembles the Operation GhostChat attack, with the notable exception that the stage 2 loader shellcode is encrypted and stored in an external file, .tmp, instead of being embedded within stage 1. The PhantomPrayers attack chain is shown in the figure below.

Figure 6: Multi-stage attack chain for Operation PhantomPrayers.
Stage 1: Shellcode loader
When VLC.exe is executed, it sideloads the malicious libvlc.dll from the same directory. The stage 1 loader code resides in the libvlc_new exported function, which decrypts and executes the next-stage shellcode stored in the .tmp file within the directory.
The shellcode in the .tmp file is encrypted with two layers:
- Layer 1: RC4 encryption using a hardcoded 16-byte key and initialization vector (IV).
- Layer 2: AES-128 (CBC mode) encryption, with the same 16-byte key and IV.
The decryption code is provided below.
```python
from Crypto.Cipher import ARC4
from Crypto.Cipher import AES

# Read the encrypted stage 2 shellcode dropped alongside VLC.exe and libvlc.dll.
with open(".tmp", "rb") as f:
    encrypted_shellcode = f.read()

# Layer 1: RC4 with the hardcoded 16-byte key.
rc4_key = b'\x0F\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
rc4_cipher = ARC4.new(rc4_key)
rc4_decrypted = rc4_cipher.decrypt(encrypted_shellcode)

# Layer 2: AES-128 in CBC mode with the hardcoded key and IV.
aes_key = b'\x01\x02\x03\x09\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
aes_iv = b'\x01\x02\x03\x09\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F'
aes_cipher = AES.new(aes_key, AES.MODE_CBC, aes_iv)
# One byte is appended before decryption; AES-CBC requires the input length
# to be a multiple of the 16-byte block size.
rc4_decrypted = rc4_decrypted + b"\x00"
decrypted_shellcode = aes_cipher.decrypt(rc4_decrypted)

with open("decrypted_shellcode.bin", "wb") as f:
    f.write(decrypted_shellcode)
```
Stage 2: Reflective loader
This shellcode, similar to the one used in the Operation GhostChat infection chain, is designed solely to decompress an embedded executable, load it into memory, and execute it.
Stage 3: PhantomNet
The final payload is a 32-bit executable and a variant of the PhantomNet backdoor. The final payload’s embedded configuration is XOR-encoded with a hardcoded 10-byte key (6B B2 95 27 66 66 74 6B A1 86) and includes the C2 server 45.154.12[.]93 and port 2233 as strings. While this sample uses TCP for C2 communication, it can also be configured for HTTPS communication. C2 traffic is secured using AES encryption with a key derived from a string in the configuration.
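The Python below is an added example, not code from the post or from Zscaler ThreatLabz, covering the two XOR-based obfuscations described in this post: the PhantomNet configuration encoded with the 10-byte key quoted above, and the Ghost RAT plugin DLL (config.dll) encoded with the single byte 0x15 described in the GhostChat section. It decodes a repeating-key XOR blob, pulls out NUL-separated strings such as the C2 address and port, and recovers a one-byte key for an encoded PE by checking for "MZ" and "PE\0\0" after each candidate key. Only the two keys come from the post; the sample configuration layout and the PE-shaped header are constructed here, and the real PhantomNet configuration format is not reproduced.

```python
import struct
from itertools import cycle

# Keys as reported in the post.
PHANTOMNET_CONFIG_KEY = bytes.fromhex("6BB295276666746BA186")  # 10-byte repeating key
GHOSTRAT_PLUGIN_KEY = b"\x15"                                 # single byte, config.dll


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; encoding and decoding are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def extract_strings(data: bytes, min_len: int = 4):
    """Return NUL-separated printable ASCII runs of at least min_len bytes."""
    out = []
    for chunk in data.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= c < 0x7F for c in chunk):
            out.append(chunk.decode("ascii"))
    return out


def decode_phantomnet_config(blob: bytes, key: bytes = PHANTOMNET_CONFIG_KEY):
    """Decode an XOR-encoded configuration and list the strings it contains."""
    return extract_strings(xor_repeating(blob, key))


def looks_like_pe(buf: bytes) -> bool:
    """Minimal check: "MZ" at offset 0 and "PE\\0\\0" at e_lfanew."""
    if len(buf) < 0x44 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(buf) - 4 and buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_single_byte_key(blob: bytes):
    """Brute-force the one-byte XOR key of an encoded PE; None if no key fits.
    Only the first 0x200 bytes are decoded per candidate, which is enough for
    the DOS header and PE signature."""
    for k in range(256):
        if looks_like_pe(xor_repeating(blob[:0x200], bytes([k]))):
            return k
    return None


def decode_plugin_dll(blob: bytes, key: bytes = GHOSTRAT_PLUGIN_KEY) -> bytes:
    """Decode the on-disk plugin DLL the way the malware does before loading it."""
    return xor_repeating(blob, key)


# Constructed samples (not the real artifacts). The config layout is an
# assumption: NUL-separated C2 address and port, as the post says both are
# present as strings. The PE-shaped header is just enough for looks_like_pe.
SAMPLE_CONFIG = b"45.154.12.93\x002233\x00" + b"\x00" * 6
ENCODED_CONFIG = xor_repeating(SAMPLE_CONFIG, PHANTOMNET_CONFIG_KEY)

PE_LIKE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\x00" * 20
ENCODED_PLUGIN = xor_repeating(PE_LIKE, GHOSTRAT_PLUGIN_KEY)

if __name__ == "__main__":
    print("config strings:", decode_phantomnet_config(ENCODED_CONFIG))
    key = recover_single_byte_key(ENCODED_PLUGIN)
    print("recovered plugin key:", hex(key) if key is not None else None)
    print("decoded plugin starts with:", decode_plugin_dll(ENCODED_PLUGIN)[:2])
```

The key-recovery routine is useful for the on-disk plugin because a single-byte XOR of a PE leaves the header structure intact: once the candidate key turns the first two bytes into "MZ", the e_lfanew pointer and the PE signature confirm it. For the 10-byte configuration key the same trick does not apply, which is why the post's key must be taken from the sample's decoding routine.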
PhantomNet can be set to operate only during specific hours or days, but this capability is not enabled in the current sample. The backdoor relies on plugin DLLs delivered from the C2 server to carry out actions on the infected system.
Since this sample's commands and functionality match those reported by ESET researchers in the 2020 Operation SignSight campaign, we will not provide further details on the malware.
Threat Attribution
Based on the victimology and malware used in both campaigns, ThreatLabz attributes Operation GhostChat and Operation PhantomPrayers to China state-sponsored cyber espionage groups.
Variants of Ghost RAT are widely used by various Chinese-speaking threat actors, including state-sponsored groups. While PhantomNet has been attributed by other researchers to TA428, a China-nexus APT group, it remains uncertain whether this malware is exclusively associated with that group or is being utilized by other China-nexus actors as well.
The diamond model below outlines the key attributes of this campaign.

Figure 7: Diamond model highlighting key attributes of this campaign that delivers Ghost RAT and PhantomNet and targets the Tibetan community.
Conclusion
Zscaler ThreatLabz’s collaboration with TibCERT revealed shared tactics across both operations targeting the Tibetan community, such as strategic web compromises, DLL sideloading, and the deployment of the Ghost RAT and PhantomNet backdoors. Both campaigns utilized a shellcode loader that employs low-level APIs and native Windows function calls to bypass user-mode detection mechanisms. PhantomNet used modular plugin DLLs, AES-encrypted C2 traffic, and configurable timed operations to stealthily manage compromised systems.
Zscaler ThreatLabz continues to monitor and analyze the TTPs of these advanced persistent threat (APT) groups to develop better detection and mitigation strategies against similar threats.
Zscaler Coverage
Zscaler’s multilayered cloud security platform detects indicators related to the targeted attacks mentioned in this blog at various levels with the following threat names:
MITRE ATT&CK Framework
ID | Tactic | Description |
|---|---|---|
T1106 | Native API | Low-level APIs are used during code injection and execution in the stage 1 loader. |
T1204.002 | User Execution: Malicious File | The victim is tricked into running the trojanized software to initiate the attack chain. |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Registry persistence is set up by the stage 1 loader. |
T1574.001 | Hijack Execution Flow: DLL | DLL sideloading is used to execute the stage 1 loader. |
T1055.002 | Process Injection: Portable Executable Injection | The stage 1 loader injects stage 2 shellcode into C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe. |
T1036 | Masquerading | The software downloaded by users masquerades as software useful to the Tibetan community. |
T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | APIs are dynamically resolved in the stage 1 and 2 loaders. |
T1027.009 | Obfuscated Files or Information: Embedded Payloads | The stage 1 and 2 loaders embed their next stages within themselves. |
T1027.015 | Obfuscated Files or Information: Compression | The stage 3 executables are compressed and embedded in the stage 2 shellcode. |
T1620 | Reflective Code Loading | The stage 2 loaders use reflective code loading to load the stage 3 executables. |
T1070.001 | Indicator Removal: Clear Windows Event Logs | Ghost RAT supports a command to clear the Windows Event Logs. |
T1056.001 | Input Capture: Keylogging | Ghost RAT supports keylogging. |
T1083 | File and Directory Discovery | Ghost RAT supports file and directory enumeration. |
T1057 | Process Discovery | Ghost RAT supports process enumeration. |
T1012 | Query Registry | Ghost RAT supports querying and modifying registry keys. |
T1518.001 | Software Discovery: Security Software Discovery | PhantomNet enumerates AV products via WMI. |
T1082 | System Information Discovery | Ghost RAT and PhantomNet can collect system information such as OS version and machine name. |
T1033 | System Owner/User Discovery | Ghost RAT supports user enumeration. |
T1123 | Audio Capture | Ghost RAT supports audio capture. |
T1115 | Clipboard Data | Ghost RAT supports the collection of clipboard data. |
T1005 | Data from Local System | Ghost RAT can read local files. |
T1113 | Screen Capture | Ghost RAT supports screen capture. |
T1125 | Video Capture | Ghost RAT supports webcam video capture. |
T1573.001 | Encrypted Channel: Symmetric Cryptography | Ghost RAT uses a symmetric cryptography algorithm to encrypt C2 traffic. |
T1095 | Non-Application Layer Protocol | Ghost RAT and PhantomNet use a custom binary protocol for C2 communication over TCP. |
T1071.001 | Application Layer Protocol: Web Protocols | PhantomNet supports C2 communication over HTTP and HTTPS. |
T1529 | System Shutdown/Reboot | Ghost RAT supports a command to shut down the infected machine. |
Indicators of Compromise (IOCs)
File indicators
MD5 hash | SHA1 hash | SHA256 hash | Filename | Description |
|---|---|---|---|---|
42d83a46250f788eef80ff090d9d6c87 | ff9fddb016ec8062180c77297d478b26d65a7a40 | 0ad4835662b485f3a1d0702f945f1a3cf17e0a5d75579bea165c19afd1f8ea00 | TBElement.zip | Malicious ZIP archive |
5b63a01a0b3f6e06dd67b42ad4f18266 | 71f09721792d3a4f1ea61d1f3664e5a503c447b2 | d896953447088e5dc9e4b7b5e9fb82bcb8eb7d4f6f0315b5874b6d4b0484bd69 | Element.exe | Legitimate executable vulnerable to DLL sideloading. |
998dd032b0bb522036706468eca62441 | 25cb602e89b5d735776e2e855a93915714f77f01 | 037d95510c4aa747332aa5a2e33c58828de4ad0af8a1e659a20393f2448e48d7 | ffmpeg.dll | Malicious DLL |
a17092e3f8200996bdcaa4793981db1f | ca6845e4ac8c0e45afc699557ad415339419bfe0 | 98d30b44560a0dde11927b477b197daf75fb318c40bdeed4f9e27235954f9e71 | N/A | Stage 2 shellcode loader |
1244b7d19c37baab18348fc2bdb30383 | 365888661b41cbe827c630fd5eea05c5ddc2480d | 1e5c37df2ace720e79e396bbb4816d7f7e226d8bd3ffc3cf8846c4cf49ab1740 | N/A | Stage 3 executable, Ghost RAT, after fixing PE headers. |
a139e01de40d4a65f4180f565de04135 | e089daa04cceb8306bc42e34a5da178e89934f45 | a0b5d6ea1f8be6dbdbf3c5bb469b111bd0228bc8928ed23f3ecc3dc4a2c1f480 | DalaiLamaCheckin.exe | Malicious prayer check-in software. |
81896b186e0e66f762e1cb1c2e5b25fc | 10a440357e010c9b6105fa4cbb37b7311ad574ea | 9ffb61f1360595fc707053620f3751cb76c83e67835a915ccd3cbff13cf97bed | VLC.exe | Legitimate and digitally signed executable. |
5ad61fe6a92d59100dc6f928ef780adb | 11be5085f6ddc862cabae37c7dbd6400fb8b1498 | f6b42e4d0e810ddbd0c1649abe74497dad7f0e9ada91e8e0e4375255925dd4d2 | libvlc.dll | Malicious DLL |
32308236fa0e3795df75a31bc259cf62 | 40ef100472209e55877b63bf817982e74933b3f8 | 45fd64a2e3114008f400bb2d9fa775001de652595ffe61c01521eb227a0ba320 | .tmp | Encrypted stage 1 shellcode. |
26240c8cfbb911009a29e0597aa82e6c | a03527b2a2f924d3bc41636aa18187df72e9fe03 | 8809b874da9a23e5558cc386dddf02ea2b9ae64f84c9c26aca23a1c7d2661880 | N/A | Stage 2 shellcode loader |
a74c5c49b6f1c27231160387371889d3 | fb32d8461ddb6ca2f03200d85c09f82fb6c5bde3 | c9dac9ced16e43648e19a239a0be9a9836b80ca592b9b36b70d0b2bdd85b5157 | N/A | Stage 3, PhantomNet, after fixing PE headers. |
Network indicators
Type | Indicator |
|---|---|
Malicious domain | thedalailama90.niccenter[.]net |
Malicious domain | tbelement.niccenter[.]net |
Malicious domain | beijingspring.niccenter[.]net |
Malicious domain | penmuseum.niccenter[.]net |
Malicious hosting URL | tbelement.niccenter[.]net/Download/TBElement.zip |
Ghost RAT C2 server | 104.234.15[.]90:19999 |
Payload hosting URL | http://hhthedalailama90.niccenter[.]net/DalaiLamaCheckin.exe |
Check-in server | http://104.234.15[.]90:59999/api |
PhantomNet C2 server | 45.154.12[.]93:2233 |
Host indicators
Type | Indicator |
|---|---|
Files installed by DalaiLamaCheckin.exe to execute PhantomNet | %appdata%\Birthday\VLC.exe; %appdata%\Birthday\libvlc.dll; %appdata%\Birthday\.tmp; %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Birthday Reminder.lnk |
Process with injected code to execute Ghost RAT or PhantomNet | ImagingDevices.exe |