Tsering Dhundup
DHARAMSHALA, Aug 4: Hackers tied to China carried out two cyber espionage campaigns targeting the Tibetan community in the weeks leading up to His Holiness the Dalai Lama’s 90th birthday on July 6, 2025, according to new findings by U.S.-based security firm Zscaler ThreatLabz and the Tibetan Computer Emergency Readiness Team (TibCERT).
The attacks, dubbed Operation GhostChat and Operation PhantomPrayers, used fake Tibet-related apps and websites to secretly install spyware on victims’ devices, enabling the theft of sensitive information, remote surveillance, and device control.
Investigators say the campaigns leveraged multiple subdomains under niccenter[.]net to mimic trusted platforms. Victims were lured into downloading malicious software themed around Tibetan cultural events, triggering multi-stage infection chains that deployed Gh0st RAT or PhantomNet (SManager), spyware tools commonly linked to Chinese state-backed groups.
In Operation GhostChat, attackers compromised a legitimate Tibetan charity website, replacing a link about the Dalai Lama’s 90th birthday with one leading to a lookalike fake site. This bogus site offered a so-called “Tibetan version” of a secure messaging app, which actually installed Gh0st RAT. The malware was capable of logging keystrokes, taking screenshots, activating webcams, recording audio, and stealing files.
Operation PhantomPrayers involved a fake “Global Birthday Check-in” app that displayed an interactive map for sending blessings to the Dalai Lama. While appearing harmless, the app secretly deployed PhantomNet spyware, allowing attackers to download additional malicious tools and exfiltrate stolen data.
Security researchers say this is the latest in a series of “watering hole” attacks (strategic compromises of websites popular with a target community) deployed against the Tibetan diaspora. Similar methods have previously been used by Chinese-linked groups such as EvilBamboo, Evasive Panda, and TAG-112.
“Based on the victimology and malware used in both campaigns, ThreatLabz attributes Operation GhostChat and Operation PhantomPrayers to Chinese state-sponsored cyber espionage groups,” the report stated.
Cybersecurity experts warn that such operations are likely to continue, particularly around major Tibetan cultural or political events, when online engagement is at its peak.


