1 malware family

TAG-28

Also known asTAG-28

TAG-28 is a temporary designation for a China-linked, suspected state-sponsored activity cluster. The provided content attributes suspected intrusions against Indian organizations to TAG-28, including Bennett Coleman and Co. Ltd. (BCCL, "The Times Group"), the Unique Identification Authority of India (UIDAI), and the Madhya Pradesh Police department. The cluster is specifically described as using Winnti malware in a campaign targeting BCCL. Based on the content, TAG-28’s activity is assessed as primarily intelligence-driven: targeting UIDAI likely for access to the Aadhaar national identification database and associated bulk personally identifiable and biometric data, and targeting The Times Group likely to gain access to journalists, their sources, and potentially sensitive pre-publication reporting related to China or its leadership. The content states it is less likely that TAG-28 sought access to media entities in order to manipulate or disrupt publishing platforms. The reporting places TAG-28 within a broader pattern of suspected Chinese state-sponsored cyber operations targeting India. No additional aliases or sub-groups beyond the temporary designation TAG-28 are provided in the content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

media
government
law_enforcement

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

Winnti"China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware"1Mar 18, 2026

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

recorded future blogNews

Sep 21, 2021

China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware

Suspected China-linked, state-sponsored intrusion activity targeting Indian media and government entities (The Times Group/BCCL, UIDAI/Aadhaar, and Madhya Pradesh Police), assessed as intelligence collection—particularly access to journalists/sources and potential bulk PII/biometrics from Aadhaar—using Winnti malware.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.