As Ukraine Remains a Primary Target, TAG-110 Seeks to Expand Russia’s Cyber Influence in Central Asia

The flag of Tajikistan, symbolizing the country’s national identity.

A state-sponsored threat group, tracked as TAG-110, has been conducting espionage against government, educational, and research-related entities in Tajikistan, according to a recent report by Recorded Future’s Insikt Group. The group, which has been active for a few years, has been linked to APT28, a high-profile Russian nation-state group also known as Fancy Bear.

TAG-110’s latest campaign involves sending spear-phishing emails to target institutions, attaching legitimate-looking government documents that are actually poisoned macro-enabled Word documents. These files leverage a global template file placed in the Word startup folder for persistence, establishing command-and-control and ultimately leading to the delivery of malware families such as CHERRYSPY, LOGPIE, and PyPlunderPlug.

The report highlights a sophisticated phishing scheme from a nation-state actor, as well as an illustration of Russia’s far-reaching and international cyber capabilities, despite its substantial focus on targeting Ukraine with destructive cyberattacks. Recorded Future recommends organizations monitor for global template files created or modified in the Microsoft Word startup folder, which may indicate persistent macro abuse, and to disable macros by default in Microsoft Office applications.

TAG-110’s activities are part of a broader strategy to preserve a post-Soviet sphere of influence by embedding itself in other countries’ infrastructures. According to a threat intelligence analyst from Recorded Future’s Insikt Group, Russian threat actor groups never truly stopped targeting entities outside of Ukraine, with numerous groups targeting entities in Europe, the United States, and Central Asia for both disruptive and espionage purposes.

Russia’s Central Asian policy centers on preserving a post-Soviet sphere of influence by embedding itself at the core of the region’s security, economic, and political architecture. TAG-110’s activities support this policy, and researchers anticipate sustained operations against relevant government ministries, academic and research bodies, and diplomatic missions, particularly those involved in upcoming elections, military operations, or other events the Kremlin wishes to influence.

The phishing campaign, which took place between January and February 2025, used government-themed documents as lure material, consistent with TAG-110’s historical use of trojanized legitimate government documents. However, the authenticity of the current samples could not be independently verified.

TAG-110 has been observed deploying an HTML application (HTA) file-based malware payload, known as HATVIBE, since 2023. However, in the latest campaign, the group skipped the malware entirely at the initial step, instead leveraging a global template file placed in the Word startup folder for persistence.

The report includes indicators of compromise and additional technical details that organizations can use to detect and prevent similar attacks. Recorded Future recommends that organizations:

Monitor for global template files created or modified in the Microsoft Word startup folder

Disable macros by default in Microsoft Office applications

Implement Group Policy Objects (GPOs) to prevent users from enabling macros unless explicitly approved

Conduct regular security audits and penetration testing to identify vulnerabilities
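A defensive check for the persistence location the report names, written as an added example for this article (it is not code from the report or from Recorded Future): it lists templates in the Word startup folder, flags any that embed a VBA project, and notes whether each was created or modified within a review window. The DEFAULT_STARTUP path is Word's standard per-user startup folder; the sample folder built by build_sample_folder is constructed data, not real samples.

```python
import os
import tempfile
import time
import zipfile
from collections import namedtuple
from pathlib import Path

# Any template in Word's startup folder loads as a global template on every launch,
# which is the persistence spot the report describes. Default per-user path on Windows:
DEFAULT_STARTUP = Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Word" / "STARTUP"
TEMPLATE_SUFFIXES = {".dotm", ".dotx", ".dot", ".docm"}
# One finding per template: its path, whether it embeds VBA, whether it changed recently
Finding = namedtuple("Finding", "path has_macros modified_recently")

def has_vba_project(path):
    """True if an OOXML template carries word/vbaProject.bin, i.e. macro code."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(n.lower() == "word/vbaproject.bin" for n in zf.namelist())
    except zipfile.BadZipFile:
        # Legacy binary .dot files are not zips; flag them for manual review.
        return path.suffix.lower() == ".dot"

def scan_startup(folder, max_age_days=30, now=None):
    """Report every template in the startup folder with its macro status and recency."""
    now = time.time() if now is None else now
    findings = []
    if not folder.is_dir():
        return findings
    for entry in sorted(folder.iterdir()):
        if entry.suffix.lower() not in TEMPLATE_SUFFIXES:
            continue
        age = now - entry.stat().st_mtime
        findings.append(Finding(str(entry), has_vba_project(entry), age < max_age_days * 86400))
    return findings

def build_sample_folder():
    """Constructed test data (not real samples): one macro template, one clean template."""
    folder = Path(tempfile.mkdtemp())
    with zipfile.ZipFile(folder / "evil.dotm", "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-stub")
    with zipfile.ZipFile(folder / "clean.dotx", "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    (folder / "notes.txt").write_text("not a template, must be ignored")
    return folder

if __name__ == "__main__":
    for f in scan_startup(DEFAULT_STARTUP):
        print("MACRO" if f.has_macros else "clean", "recent=%s" % f.modified_recently, f.path)
```

Run it on a workstation to get a baseline, then re-run periodically; any new macro-bearing template in this folder warrants investigation.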

By understanding the tactics, techniques, and procedures (TTPs) used by TAG-110, organizations can better prepare themselves for future attacks and protect their networks from cyber threats.

In related news, Ukrainian cyber agency CERT-UA has said with medium confidence that TAG-110’s activities overlap with UAC-0063, a cyber espionage group that targets Central Asian nations. This suggests that TAG-110 may be part of a larger network of Russian threat groups operating in the region.

The report highlights the need for organizations to remain vigilant and proactive in their cybersecurity efforts, particularly in the face of nation-state sponsored attacks. By staying informed and adapting to the ever-evolving threat landscape, organizations can better protect themselves and their networks from cyber threats.
