A China-linked state hacker group has compromised Tibetan media and university websites in a new espionage campaign, researchers have found — part of a series of attacks targeting the Tibetan community in order to collect intelligence for Beijing.

The websites of the digital news outlet Tibet Post and Gyudmed Tantric University were hacked in late May and remain compromised as of the time of writing. Researchers at Recorded Future’s Insikt Group track the group behind the activity as TAG-112. The Record is an editorially independent unit of Recorded Future.

According to a new Insikt Group report, TAG-112 has several overlaps with another Chinese state-sponsored group, Evasive Panda, which has been described as “highly skilled and aggressive.” Evasive Panda is also interested in targeting the Tibetan community and previously compromised the Tibet Post. Both threat actors have also manipulated hacked websites to prompt visitors to download a malicious file disguised as a “security certificate.”

Despite these similarities, Insikt Group analysts believe TAG-112 is a separate hacker group, as it lacks Evasive Panda’s sophistication and hasn’t deployed custom malware. Instead, the group used Cobalt Strike, a legitimate cybersecurity tool designed to help security professionals simulate cyberattacks. The Cobalt Strike Beacon payload has been widely adopted by hackers to carry out real attacks. TAG-112 is likely a subgroup of Evasive Panda, working toward the same or similar intelligence requirements, researchers said.

Both websites compromised by the group were “almost certainly” built with the Joomla content management system (CMS), which “if not maintained and updated… become[s] an easy target for cyber threat actors,” the researchers said. The group likely exploited a vulnerability in the websites to upload the malicious code.
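The report's point that the attackers uploaded malicious code to unpatched Joomla sites and then altered pages to push a fake "security certificate" download is, from the site operator's side, a file-integrity problem: a new script in an upload directory or a changed template is the signal to triage. The following is an added example (not code from Recorded Future, Insikt Group, Joomla or this article) of a minimal web-root integrity check: it baselines SHA-256 hashes of every file under a CMS root, reports files added, modified or removed since the baseline, and flags executable files that appear under user-writable paths. The directory names `images/`, `tmp/` and `cache/`, the suffix list and the sample tree are assumptions constructed for the demonstration.

```python
"""Hypothetical CMS web-root integrity check (added example, not the
project's or the vendor's code). Baselines file hashes, then reports
what changed and which changes look like dropped scripts."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Suffixes a web root should not suddenly gain under upload directories.
# Constructed list for illustration.
SUSPICIOUS_SUFFIXES = {".php", ".phtml", ".js"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each file (POSIX path relative to root) to its SHA-256 digest."""
    baseline: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def diff_against_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with a saved baseline."""
    current = build_baseline(root)
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def flag_suspicious(diff: dict[str, list[str]],
                    writable_prefixes: tuple[str, ...] = ("images/", "tmp/", "cache/")) -> list[str]:
    """Added or modified files with executable suffixes under upload paths
    (assumed writable directory names; adjust to the deployed CMS layout)."""
    return [p for p in diff["added"] + diff["modified"]
            if p.startswith(writable_prefixes) and Path(p).suffix in SUSPICIOUS_SUFFIXES]


def demo() -> dict:
    """Build a constructed CMS-like tree, baseline it, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed sample tree, not real Joomla files
            "index.php": b"<?php // constructed stand-in for the front controller\n",
            "templates/site/index.php": b"<?php // constructed template\n",
            "images/logo.png": b"\x89PNG constructed image bytes",
        }
        for rel, data in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        baseline = build_baseline(root)
        # In practice the baseline is stored off-host, e.g. json.dump(baseline, fh).

        # Simulated post-compromise changes (constructed): a script dropped in
        # the upload directory and a line injected into the site template.
        (root / "images" / "cert.php").write_bytes(b"<?php // constructed dropped file\n")
        with (root / "templates" / "site" / "index.php").open("ab") as f:
            f.write(b"<!-- constructed injected marker -->\n")

        diff = diff_against_baseline(root, baseline)
        return {"diff": diff, "suspicious": flag_suspicious(diff)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the script and it reports `images/cert.php` as added and `templates/site/index.php` as modified, with only the dropped PHP file under the upload path flagged as suspicious; a changed template still shows up in the diff, which is the row an analyst would open next. The baseline must be captured from a known-good deployment and kept off the web host, otherwise an intruder with write access can simply refresh it.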
The Tibetan community in exile, along with other ethnic minority groups in China, has long been a target for various Chinese cyber-espionage groups. Beijing perceives these groups as subversive or separatist elements challenging the Chinese Communist Party. It is highly likely that both TAG-112 and Evasive Panda will continue their targeting of ethnic, religious, and human rights-linked organizations that operate in or have a nexus to China, researchers said.

Earlier in March, Tibetans were targeted with corrupted language translation software in a cyber-espionage campaign linked to Evasive Panda. The attack affected Tibetans living in India, Taiwan, Hong Kong, Australia, and the U.S.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.