TAG-67

TAG-67 is identified in the provided content as a Chinese state-sponsored threat group and is explicitly associated with the aliases Iron Tiger, LuckyMouse, UNC215, and Budworm. The content notes abuse of a benign vfhost.exe file by TAG-67. The supporting reporting in the content describes a Chinese state-sponsored cluster active since at least 2019, targeting at least 17 countries across Asia, Europe, and North America from 2021 to 2023. Targeting is focused primarily on government organizations, particularly in Southeast Asia, with additional activity against academia, aerospace, media, telecommunications, and R&D, including COVID-19 research, consistent with intelligence collection and economic espionage objectives. Reported victim geographies include Afghanistan, Bangladesh, Bhutan, Cambodia, Czechia, Hong Kong, India, Laos, Malaysia, Nepal, Pakistan, Palestine, the Philippines, Thailand, Taiwan, the United States, and Vietnam. The group is described as using a multi-tier infrastructure model with separate reconnaissance/initial-access and long-term C2 clusters, VPS reverse proxies on common HTTP(S) ports, and likely upstream administration via SoftEther VPN. Reported tooling includes Cobalt Strike, Brute Ratel C4, ShadowPad, Winnti including Linux variants, PlugX, and bespoke malware Spyder and FunnySwitch. The content specifically highlights DLL search order hijacking chains, including loading a Cobalt Strike Beacon via a legitimate CyberArk Viewfinity executable, vfhost.exe. Initial access methods mentioned include exploitation of public-facing applications such as Zimbra Collaboration Suite, Microsoft Exchange ProxyShell, and Apache Log4j Log4Shell. The content also references exploitation of Zimbra vulnerabilities CVE-2022-24682, CVE-2022-27924, CVE-2022-27925 chained with CVE-2022-37042, and CVE-2022-30333. Additional tradecraft described includes use of stolen code-signing certificates and compromised third-party infrastructure for command and control.