TAG-100

Description

(Recorded Future) Recorded Future’s Insikt Group identified new suspected cyber-espionage activity targeting high-profile government, intergovernmental, and private sector organizations globally. This activity, which we are tracking under the temporary group designator TAG100, has employed open-source remote access capabilities and exploited a wide range of internet-facing appliances for initial access. Using Recorded Future® Network Intelligence data, Insikt Group identified the likely compromise of the secretariats of two major Asia-Pacific intergovernmental organizations by TAG100 using the open-source, multi-platform Go backdoor Pantegana. Other targeted organizations include multiple diplomatic entities and ministries of foreign affairs, as well as industry trade associations and semiconductor supply-chain, non-profit, and religious organizations globally. At this time, Insikt Group is continuing to explore potential attribution for this activity; however, the specific targeting and victimology identified align with a suspected espionage motive.

Names

Name	Name-Giver
TAG-100	Recorded Future
Storm-2077	Microsoft

Country

• China

Sponsor

State-sponsored

Motivation

• Information theft and espionage

First Seen

2024

Observed Sectors

• Embassies
• Financial
• Government
• High-Tech

Observed Countries

• Bolivia
• Cambodia
• Cuba
• Djibouti
• Dominican Republic
• Fiji
• France
• Indonesia
• Italy
• Japan
• Malaysia
• Netherlands
• Taiwan
• UK
• USA
• Vietnam

Tools

• Cobalt Strike
• CrossC2
• LESLIELOADER
• Pantegana
• SparkRAT

Information

• https://go.recordedfuture.com/hubfs/reports/cta-2024-0716.pdf
• https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/

Other Information

Uuid

b01702b6-b1dc-4292-8a10-dfb87acfcd59

Last Card Change

2024-12-26