Hackers linked to Russia’s GRU have launched a new cyber-espionage campaign targeting government and scientific institutions in Tajikistan, according to Insikt Group, part of the cyber intelligence company Recorded Future, as reported by The Record.
The attacks took place in January and February 2025. Researchers attribute them to the group TAG-110, which is associated with the Russian hacker group APT28, also known as BlueDelta. According to experts, this group operates under the cover and support of Russian military intelligence.
During the campaign, the hackers sent phishing emails containing infected documents that appeared to be official messages from Tajikistan’s government agencies. Among them were, for example, a purported notification from the country’s armed forces on radiation safety, as well as an election schedule for Dushanbe. Researchers emphasize that they were unable to independently verify the authenticity of these documents.
Experts have noted that TAG-110 has changed its tactics. Instead of the previously employed Hatvibe malware, the group now uses Word documents with macros to infect systems. After gaining access, the hackers are believed to deploy additional espionage tools: Cherryspy, Logpie, or new malware developed specifically for this campaign.
According to Insikt Group, TAG-110 has been actively conducting espionage operations in Central Asia since at least 2021. In the past, the group has also targeted entities in India, Israel, Mongolia, and Ukraine. Analysts believe these activities are part of a broader strategy by Moscow aimed at maintaining its influence in the region amid increasing geopolitical instability.