Threat researchers are warning of twin Chinese-nexus espionage operations, “Operation Chat” and “Operation PhantomPrayers”, that erupted in the weeks preceding the Dalai Lama’s 90th birthday, exploiting heightened traffic to Tibetan-themed websites to seed Windows hosts with sophisticated backdoors. By compromising a legitimate greeting page and quietly swapping its hyperlink, attackers funneled visitors to look-alike domains under niccenter[.]net, where doctored installers masked as Tibetan-language chat tools awaited unsuspecting users. Once executed, these packages unleashed either Ghost RAT or the newer PhantomNet implant, giving operators extensive surveillance reach across files, webcams, microphones, and even system shutdown controls.

The schemes hinge on multi-stage loaders that abuse DLL sideloading in signed binaries, Element.exe for GhostChat and VLC.exe for PhantomPrayers, thereby piggy-backing on trusted certificates to evade signature checks. Victims lured to thedalailama90.niccenter[.]net press “Download” and receive TBElement.zip, whose legitimate Element.exe silently loads a rogue ffmpeg.dll (the Stage-1 loader). Stage-2 shellcode is compressed with NRV2D; Stage-3 payloads are full PE executables whose headers are scrubbed (0x0d 0x0a) to foil static scanners.

A similar choreography powers PhantomPrayers: DalaiLamaCheckin.exe drops libvlc.dll plus an encrypted .tmp file into %APPDATA%\Birthday, then plants a Birthday Reminder.lnk shortcut in the Startup folder, ensuring VLC.exe sideloads the malicious DLL on logon. From there, shellcode slips into the benign ImagingDevices.exe process, mapping a fresh copy of ntdll.dll to overwrite user-mode hooks before reflectively loading the core trojan.

Zscaler analysts noted that both campaigns rely on low-level Nt* and Rtl* calls rather than higher-level Win32 APIs, a choice meant to sidestep many endpoint visibility hooks. Each implant extends itself via on-demand plugin DLLs, XOR- or AES-encoded until loaded, granting remote shells, keylogging, clipboard theft, and full registry manipulation. Ghost RAT’s DllSerSt plugin can enumerate users, while DllAudio records ambient sound; PhantomNet mirrors much of this arsenal but can also limit C2 chatter to preset hours, reducing network noise.

A diagram in the original Zscaler report summarizes the full chain, underscoring how a single misplaced click translates into covert, persistent surveillance on Windows endpoints. Taken together, the intrusions illustrate how supply-chain-style sideloading and living-off-the-land APIs remain potent tools for espionage crews seeking long-term footholds in diaspora communities.
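To show the sideloading pattern from the defender's side, here is an added example (not code from the article or from Zscaler) that scans constructed Sysmon-style ImageLoad records for the two host/DLL pairs named above being loaded from user-writable directories such as Downloads or %APPDATA%; the pair list, the directory markers, the per-user install exception and the log format are all assumptions.

```python
import re
from pathlib import PureWindowsPath

# Host binary -> DLLs it normally loads from its own directory (the two pairs in the
# article). Assumption: a defender maintains and extends this list for their estate.
SIDELOAD_PAIRS = {
    "element.exe": {"ffmpeg.dll"},
    "vlc.exe": {"libvlc.dll"},
}
# Directory markers a standard user (and so a dropped installer) can write to.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\downloads\\",
                 "\\users\\public\\", "\\programdata\\")
# Root used by legitimate per-user installers; excluded to limit false positives (assumption).
KNOWN_PER_USER_INSTALL = "\\appdata\\local\\programs\\"

def parse_event(line):
    """Parse a constructed key="value" line shaped like a flattened Sysmon Event ID 7 record."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def is_user_writable(path):
    p = path.lower()
    if KNOWN_PER_USER_INSTALL in p:
        return False
    return any(marker in p for marker in USER_WRITABLE)

def check_event(ev):
    """Return a finding string when the load looks like a sideload, else None."""
    host = PureWindowsPath(ev["Image"]).name.lower()
    dll_path = PureWindowsPath(ev["ImageLoaded"])
    if dll_path.name.lower() not in SIDELOAD_PAIRS.get(host, set()):
        return None  # not a host/DLL pair on the watch list
    if not is_user_writable(str(dll_path)):
        return None  # loaded from an install location: expected behaviour
    sig = "signed" if ev.get("Signed", "false").lower() == "true" else "unsigned"
    return f"{host} loaded {sig} {dll_path.name} from {dll_path.parent}"

def scan(lines):
    return [f for f in (check_event(parse_event(l)) for l in lines if l.strip()) if f]

# Constructed sample events: two loads shaped like the article's chains, two benign loads.
SAMPLE_LOG = [
    'EventID="7" Image="C:\\Users\\alice\\Downloads\\TBElement\\Element.exe" '
    'ImageLoaded="C:\\Users\\alice\\Downloads\\TBElement\\ffmpeg.dll" Signed="false"',
    'EventID="7" Image="C:\\Users\\alice\\AppData\\Roaming\\Birthday\\VLC.exe" '
    'ImageLoaded="C:\\Users\\alice\\AppData\\Roaming\\Birthday\\libvlc.dll" Signed="false"',
    'EventID="7" Image="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe" '
    'ImageLoaded="C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll" Signed="true"',
    'EventID="7" Image="C:\\Users\\alice\\AppData\\Local\\Programs\\Element\\Element.exe" '
    'ImageLoaded="C:\\Users\\alice\\AppData\\Local\\Programs\\Element\\ffmpeg.dll" Signed="false"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("ALERT:", finding)
```

Pairing this with a check of Startup-folder .lnk targets that point into the same user-writable directories would also cover the Birthday Reminder.lnk persistence step.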
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 24 Jul 2025 11:25:13 +0000