ta413
TA413 is a China-aligned advanced persistent threat group focused on espionage and surveillance, particularly against the Tibetan community and Tibetan diaspora. Reporting in the provided content describes TA413 as aligned with the Chinese state and repeatedly targeting Tibetan organizations, Tibetan exile communities, and civil dissidents; Proofpoint also reported campaigns affecting officials in Europe and the United States in the context of Tibetan-themed phishing. The actor has been associated with ongoing hacking campaigns against Tibetans and Tibetan organizations, including delivery of FriarFox, ScanBox, and Sepulcher malware. In early 2021, TA413 delivered the malicious Firefox extension FriarFox via phishing emails impersonating Tibetan organizations such as the Tibetan Women's Association and the Bureau of His Holiness the Dalai Lama. FriarFox is described as a modified version of the open-source Gmail Notifier extension that enabled access to Gmail accounts and browser data, could forward/delete/send emails, and retrieved the ScanBox reconnaissance framework from C2. Related TA413 activity also used Royal Road RTF exploits to deliver Sepulcher, with lures themed around COVID-19 and Tibetan self-immolation. The content states TA413 has used phishing, watering hole attacks, and modified open-source tools. It also notes use of fake Adobe Flash update pages, Firefox-specific delivery logic, and infrastructure including domains such as you-tube[.]tv, vaccine-icmr[.]org, vaccine-icmr[.]net, indiatrustdalailama[.]com, and nangsihistory[.]vip. TA413 has also been reported exploiting the Follina vulnerability (CVE-2022-30190) in phishing campaigns targeting the Tibetan diaspora and Tibetan community. The provided content further notes historical overlap between TA413 and ScanBox usage, and references TA413 / White Dev 9 (a.k.a. LuckyCat). It also states that keyboard-walk WHOIS values seen in BADBAZAAR infrastructure overlap with historically reported targeting of Tibetan organizations by TA413. Known aliases directly mentioned in the content are White Dev 9 and LuckyCat.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Non-Governmental Organizations
Tradecraft
5 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
1 malware family attributed to this actor across reporting.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Historically reported targeting of Tibetan organisations; referenced here due to overlaps in domain registration patterns and spoofing of Tibetan-themed infrastructure.
Named as one of several China-based threat actors observed using the ScanBox framework.
Exploited the Follina (CVE-2022-30190) MSDT RCE zero-day in phishing/lure-based attacks targeting the Tibetan diaspora.
Actively exploiting the Follina vulnerability in phishing campaigns, with ongoing hacking operations against the Tibetan community and victims including officials in Europe and the United States.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.