China-linked hackers deploy fake Dalai Lama apps to spy on Tibetan community


As the Dalai Lama celebrates his 90th birthday, China-linked hackers have carried out two cyberattacks targeting the Tibetan community.

China-linked hackers have targeted the Tibetan community in two campaigns the researchers call “operations”. The attackers set up subdomains under niccenter[.]net and used them to host legitimate-looking sites.

Visitors to those sites were lured into downloading culturally themed apps that secretly carried malware. Running them started multi-stage infection chains that ultimately deployed Gh0st RAT or PhantomNet, spyware families often linked to Chinese state-sponsored hacker groups.
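The only indicator the article names is the niccenter[.]net domain. The following script, an added example written for this page rather than code from Zscaler, TibCERT or Cybernews, shows how a defender would sweep resolver logs for that domain and any subdomain under it. The log format (timestamp, client IP, `query:` name) and the sample lines are constructed, including the subdomain label; adapt `parse_line()` to your own resolver's output.

```python
"""Sweep DNS query logs for niccenter[.]net and its subdomains.

Added illustration for this article; not code from the report it describes.
The log format and every sample line below are constructed.
"""
import re

# Defanged indicator as printed in the article; refang() makes it usable.
WATCHED_INDICATORS = {"niccenter[.]net"}

# Assumed log shape: "<timestamp> <client-ip> query: <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'niccenter[.]net' into a plain domain."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


def matches_domain(qname: str, domain: str) -> bool:
    """True if qname is the domain itself or any subdomain of it.

    Plain suffix matching would also flag 'evilniccenter.net'; requiring
    either exact equality or a '.' boundary avoids that false positive.
    """
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def parse_line(line: str):
    """Return (timestamp, client, qname) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("client"), m.group("qname")


def find_hits(lines, indicators=WATCHED_INDICATORS):
    """Return one dict per log line that queried a watched domain."""
    domains = [refang(i) for i in indicators]
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash the sweep
        ts, client, qname = parsed
        for d in domains:
            if matches_domain(qname, d):
                hits.append({"ts": ts, "client": client,
                             "qname": qname.rstrip("."), "indicator": d})
    return hits


# Constructed sample log: the 'sub.' label is made up, not a real subdomain.
SAMPLE_LOG = [
    "2025-07-05T09:12:01Z 10.0.4.17 query: sub.niccenter.net. A",
    "2025-07-05T09:12:03Z 10.0.4.17 query: www.example.org. A",
    "2025-07-05T09:13:44Z 10.0.4.22 query: NICCENTER.NET. A",
    "2025-07-05T09:14:10Z 10.0.4.31 query: evilniccenter.net. A",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} (matches {hit['indicator']})")
```

Run against the sample, only the first and third lines are reported: the look-alike `evilniccenter.net` is rejected by the label-boundary check, and the case of the queried name does not matter. Add further indicators to `WATCHED_INDICATORS` as they become available.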


“Given the malware types and selected targets, ThreatLabz attributes both operations to Chinese state-sponsored cyber espionage actors,” states a report by the cybersecurity firm Zscaler ThreatLabz and the Tibetan Computer Emergency Readiness Team (TibCERT).

TibCERT is a part of the Tibet Action Institute (TAI), a US-based NGO that appears to receive funding and support – directly or indirectly – from USAID and the US State Department.

Once installed, Gh0st RAT or PhantomNet let the attackers steal victims’ personal data, monitor them remotely, and even take full control of their devices.

[Image: illustration by Cybernews]

The attacks were called “Operation GhostChat” and “Operation PhantomPrayers.”

“GhostChat” started from a compromised, genuine Tibetan charity website. Users who clicked a link about the Dalai Lama’s birthday were redirected to a nearly identical fake copy of the site, which offered a “Tibetan version” of a secure messaging app. Anyone who installed it got Gh0st RAT instead.

[Image: two web pages in Tibetan. Source: Zscaler Blog]

This malware had capabilities including keylogging, screen capture, webcam and microphone access, and file extraction, according to the report.

“PhantomPrayers” used a fake “Global Birthday Check-in” application with an interactive map on which people could send greetings to the Dalai Lama. The heartfelt birthday wishes went nowhere; the only wishes granted were the attackers’ own. The application deployed PhantomNet, which let the hackers exfiltrate sensitive data and install further malware.


The report's authors describe these “operations” as part of a broader trend of “watering hole” attacks, which target websites commonly visited by specific communities. Similar tactics have previously been used by Chinese-linked groups such as EvilBamboo, Evasive Panda, and TAG-112.