In a calculated cyber espionage campaign conducted last month, a China-nexus threat actor targeted the global Tibetan community ahead of the Dalai Lama’s 90th birthday on July 6, 2025. The dual campaigns, identified by Zscaler ThreatLabz as “Operation GhostChat” and “Operation PhantomPrayers,” leveraged the significant cultural event to deceive individuals into compromising their own systems. This activity highlights a continued pattern of digital surveillance aimed at the Tibetan diaspora, exploiting community-focused events to deploy malware and gather intelligence.
The first campaign, Operation GhostChat, involved a sophisticated watering hole attack. The attackers compromised a legitimate web page on tibetfund[.]org and altered a link intended for well-wishers. The malicious link redirected users to a fraudulent replica website, thedalailama90.niccenter[.]net, which prompted them to download a supposed secure chat application named “TElement” to send encrypted messages. This application was a backdoored version of the legitimate Element client, engineered to use DLL sideloading to install Gh0st RAT, a potent remote access trojan. The malicious site also used JavaScript to collect visitor IP addresses and user-agent details.
The second prong of the attack, Operation PhantomPrayers, used a similar lure on a different fraudulent domain, hhthedalailama90.niccenter[.]net. This site distributed a phony “90th Birthday Global Check-in” application. The app, named DalaiLamaCheckin.exe, displayed an interactive map and encouraged victims to “send your blessings” by tapping their location. This deceptive engagement was designed to trick users into running the malicious software. The primary payload in these operations, Gh0st RAT, is a full-featured trojan widely used by Chinese hacking groups, capable of keylogging, screen capture, file manipulation, and activating webcams and microphones.
This methodology is a classic example of a strategic web compromise, or watering hole attack, where adversaries target websites frequently visited by a specific group. Instead of pursuing individuals directly, they poison a trusted digital gathering place, knowing their targets will eventually visit and become infected. This tactic is not new in campaigns against this community; over the past two years, hacking groups like EvilBamboo, Evasive Panda, and TAG-112 have repeatedly used this approach to deploy malware and gather sensitive information from the Tibetan diaspora.
Ultimately, these espionage campaigns underscore a persistent effort to monitor and infiltrate the Tibetan community by exploiting their trust and cultural events. By weaponizing the Dalai Lama’s 90th birthday celebrations, the threat actors created a highly effective lure to ensure their malware reached its intended targets. The ultimate goal remains unchanged: to gather sensitive information, monitor activists, and maintain surveillance over a community that continues to be of high political interest to the Chinese state.