ExileRAT shares C2 with LuckyCat, targets Tibet
Cisco Talos recently observed a malware campaign delivering malicious Microsoft PowerPoint document using a mailing list run by the Central Tibetan Administration (CTA), an organization officially representing the Tibetan government-in-exile. The document used in the attack was a PPSX file, a file format used to deliver a non-editable slideshow derived from a Microsoft PowerPoint document. In our case, we received an email message from the CTA mailing list containing an attachment, “Tibet-was-never-a-part-of-China.ppsx,” meant to attack subscribers of this Tibetan news mailing list. Given the nature of this malware and the targets involved, it is likely designed for espionage purposes rather than financial gain. Unfortunately, this just part of a continuing trend of nation-state actors working to spy on civilian populations for political reasons.