Summary

Insikt Group has identified an ongoing cyber-espionage campaign conducted by TAG-110, a Russia-aligned threat group targeting organizations in Central Asia, East Asia, and Europe. Using the custom malware tools HATVIBE and CHERRYSPY, TAG-110 primarily attacks government entities, human rights groups, and educational institutions. The campaign’s tactics align with the historical activities of UAC-0063, attributed to the Russian APT group BlueDelta (APT28). HATVIBE functions as a loader that deploys CHERRYSPY, a Python backdoor used for data exfiltration and espionage. Initial access is often achieved through phishing emails or by exploiting vulnerable web-facing services such as Rejetto HTTP File Server.

TAG-110’s efforts are likely part of a broader Russian strategy to gather intelligence on geopolitical developments and maintain influence in post-Soviet states. Insikt Group provides actionable insights, including indicators of compromise and Snort and YARA rules, to help organizations detect and defend against this activity.