TAG-100 (Cybercriminals) – Threat Actor

January 30, 2025
in Threat Actors

TAG-100

Date of Initial Activity

2024

Location

Unknown

Suspected Attribution

Cybercriminals

Motivation

Financial Gain
Espionage

Software

Servers

Overview

In the realm of cybersecurity, the emergence of threat actor groups presents a significant challenge to organizations worldwide. Among these groups, TAG-100 has surfaced as a formidable player in global cyber-espionage campaigns, targeting high-profile government and private sector organizations across multiple continents. Recent reports from Recorded Future’s Insikt Group have detailed TAG-100’s sophisticated tactics, highlighting its reliance on open-source remote access tools and the exploitation of vulnerable internet-facing appliances to gain unauthorized access to sensitive networks. TAG-100’s operations have not only focused on well-known enterprises but also on intergovernmental organizations in the Asia-Pacific region, revealing a breadth of ambition and capability. The group’s targeting strategy encompasses a wide array of sectors, including diplomatic entities, government ministries, semiconductor supply chains, and religious organizations. This extensive reach underscores the critical need for heightened vigilance among organizations that may be potential targets of espionage activities, particularly those involved in strategic sectors or international cooperation.

Common Targets

  • Information
  • Public Administration
  • Manufacturing
  • Retail Trade
  • Cambodia
  • Djibouti
  • The Dominican Republic
  • Fiji
  • Indonesia
  • Netherlands
  • Taiwan
  • The United Kingdom
  • The United States
  • Vietnam

Attack vectors

Software Vulnerabilities

How they work

At the core of TAG-100’s operations lies the exploitation of vulnerabilities in commonly used internet-facing appliances, such as Citrix NetScaler, Microsoft Exchange, and F5 BIG-IP. These appliances often operate with limited visibility and logging capabilities, making them attractive targets. By deploying proof-of-concept (PoC) exploits, such as those for the Palo Alto Networks GlobalProtect firewall vulnerability (CVE-2024-3400), TAG-100 has been able to compromise numerous organizations with relative ease. Their tactics reveal a meticulous approach: they conduct reconnaissance to identify potential vulnerabilities in these devices before launching their attacks. This preliminary research allows them to maximize the effectiveness of their exploitation efforts, often leading to successful infiltrations.

Once inside a target network, TAG-100 employs a range of tools and techniques to maintain access and exfiltrate sensitive data. The use of open-source Go backdoors such as Pantegana and SparkRAT exemplifies their preference for readily available, customizable solutions that provide persistent access without the need for proprietary software. These backdoors not only allow command execution but also support lateral movement across the network, enabling TAG-100 to escalate privileges and compromise additional systems. Their use of remote services and scripting interpreters underscores their technical capability, as they execute scripts and commands to gather intelligence and further their espionage objectives.

Moreover, TAG-100’s operational model indicates a propensity for defense evasion and obfuscation. By employing techniques such as credential dumping and the deployment of web shells, they improve their ability to remain undetected within compromised environments. Their actions are often masked by legitimate network activity, making it challenging for organizations to identify their presence. This capability is further reinforced by the group’s focus on low-risk operations that prioritize deniability, allowing them to exploit various entry points without raising immediate alarms.

As TAG-100 continues to expand its reach, the implications for organizations worldwide are profound. Their tactics highlight the necessity for heightened cybersecurity measures, especially concerning the security of internet-facing devices. Organizations must prioritize intelligence-led patching and regular audits of their perimeter appliances to mitigate the risks posed by such threat actors. Additionally, improving defense-in-depth strategies that focus on detecting post-exploitation activity is crucial to thwarting TAG-100’s operations. Unless significant steps are taken to bolster the security of vulnerable devices, the cyber-espionage landscape will likely remain rife with threats from groups like TAG-100.

In summary, TAG-100’s technical operations reflect a well-orchestrated strategy that capitalizes on the weaknesses of internet-facing appliances while employing sophisticated tools and techniques to achieve their espionage objectives. The group’s ability to exploit these vulnerabilities and maintain persistent access positions them as a significant threat to organizations across various sectors. As the cyber landscape evolves, so too must the strategies to defend against such adaptable and resourceful threat actors.
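The profile stresses detecting post-exploitation activity, and web shells on compromised servers are one of the behaviours it attributes to TAG-100 (listed under Persistence in the MITRE section). The following Python script is an added example, not code from the original post or from Recorded Future’s report: it parses web server access logs in Combined Log Format and flags requests that trip several web-shell heuristics at once (a server-side script under an upload or static directory, a script path absent from a deployment baseline, a POST with no referer, a non-browser user agent). The log lines, IP addresses, file paths and the `BASELINE_PATHS` set are all constructed for the example and are not indicators from the report.

```python
"""Heuristic triage of web-shell traffic in web server access logs.

Added example (not from the TAG-100 report): a defender-side script that flags
requests likely to be interaction with a web shell. All log lines, addresses,
paths and the baseline below are constructed sample data.
"""
import re

# Combined Log Format:
# ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Server-side script extensions, and directories an application normally only writes
# static or uploaded content into, so a script appearing there is unexpected.
SCRIPT_EXT = (".php", ".asp", ".aspx", ".ashx", ".jsp", ".jspx")
WRITABLE_DIRS = ("/uploads/", "/images/", "/tmp/", "/static/", "/cache/")

# Constructed baseline of legitimate script paths, e.g. enumerated from a clean deployment.
BASELINE_PATHS = {"/index.php", "/login.php", "/api/status.php"}

# Constructed sample traffic: three benign browser requests, two requests from a
# scripted client driving an unknown script in the uploads directory, one junk line.
SAMPLE_LOGS = [
    '203.0.113.10 - - [30/Jan/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.10 - - [30/Jan/2025:10:00:05 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "https://example.test/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.10 - - [30/Jan/2025:10:00:09 +0000] "POST /login.php HTTP/1.1" 302 0 "https://example.test/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '198.51.100.7 - - [30/Jan/2025:10:02:13 +0000] "POST /uploads/cache.php HTTP/1.1" 200 612 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [30/Jan/2025:10:02:15 +0000] "POST /uploads/cache.php HTTP/1.1" 200 37 "-" "python-requests/2.31.0"',
    "garbage line that does not parse",
]


def parse_line(line):
    """Parse one access-log line into a dict of fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicion_reasons(entry, baseline=BASELINE_PATHS):
    """Return the heuristics an entry trips; only requests for server-side scripts are scored."""
    path = entry["path"].split("?", 1)[0].lower()
    reasons = []
    if path.endswith(SCRIPT_EXT):
        if path not in baseline:
            reasons.append("script path not in deployment baseline")
        if path.startswith(WRITABLE_DIRS):
            reasons.append("server-side script under an upload/static directory")
        if entry["method"] == "POST" and entry["referer"] in ("", "-"):
            reasons.append("POST to a script with no referer")
        if not entry["ua"].startswith("Mozilla/"):
            reasons.append("non-browser user agent")
    return reasons


def detect_webshell_activity(lines, min_reasons=2):
    """Group suspicious requests by (client IP, path).

    Returns {(ip, path): (request_count, sorted_reasons)} for requests that trip at
    least min_reasons heuristics; unparseable lines are skipped rather than failing.
    """
    hits = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        if len(reasons) < min_reasons:
            continue
        key = (entry["ip"], entry["path"].split("?", 1)[0].lower())
        count, seen = hits.get(key, (0, set()))
        hits[key] = (count + 1, seen | set(reasons))
    return {k: (c, sorted(r)) for k, (c, r) in hits.items()}


if __name__ == "__main__":
    for (ip, path), (count, reasons) in detect_webshell_activity(SAMPLE_LOGS).items():
        print(f"{ip} -> {path}: {count} request(s); " + "; ".join(reasons))
```

Run directly, the script reports the single client/path pair that trips all four heuristics and stays silent on the browser traffic. The default of two coinciding heuristics is deliberate: any one of them alone (a non-browser user agent, say) is routine in legitimate API or monitoring traffic, so in practice the baseline is generated from a known-good deployment and the directory list is tuned to the application before alerting on the output.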

MITRE Tactics and Techniques

Initial Access (TA0001):
  • Exploitation of Public-Facing Applications (T1190): TAG-100 targets vulnerabilities in internet-facing appliances like Citrix NetScaler, Microsoft Exchange, and Palo Alto Networks GlobalProtect to gain initial access.

Execution (TA0002):
  • Command and Scripting Interpreter (T1059): The group utilizes remote access tools such as the Pantegana backdoor, allowing them to execute commands and scripts on compromised systems.

Persistence (TA0003):
  • Web Shell (T1100): TAG-100 may deploy web shells on compromised servers to maintain access over time.

Privilege Escalation (TA0004):
  • Exploitation of Vulnerabilities (T1068): The group exploits known vulnerabilities to gain higher privileges within the network.

Defense Evasion (TA0005):
  • Obfuscated Files or Information (T1027): By using open-source tools and custom scripts, TAG-100 can obfuscate their activities, making detection more challenging.

Credential Access (TA0006):
  • Credential Dumping (T1003): TAG-100 might attempt to gather credentials from compromised systems to facilitate lateral movement within the network.

Discovery (TA0007):
  • Network Service Scanning (T1046): The group conducts reconnaissance to identify network services and devices, which can lead to further exploitation opportunities.

Lateral Movement (TA0008):
  • Remote Services (T1021): TAG-100 can use legitimate remote access protocols to move laterally across the network after initial compromise.

Collection (TA0009):
  • Data from Information Repositories (T1005): Once inside a target network, TAG-100 collects sensitive data from various repositories, such as databases and file shares.

Exfiltration (TA0010):
  • Exfiltration Over Command and Control Channel (T1041): The group is likely to exfiltrate data over established command and control channels.

References:
  • TAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies
Tags: Asia, Backdoors, Cambodia, Cybersecurity, Djibouti, Dominican Republic, Fiji, Government, Indonesia, Microsoft, Netherlands, Pantegana, SparkRAT, TAG-100, Taiwan, Threat Actors, United Kingdom, United States, Vietnam
© 2025 | CyberMaterial | All rights reserved