Full Report
2025-05-22 • Recorded Future • Insikt Group • py.cherryspy, vbs.hatvibe
Analysis Summary
# Threat Actor: TAG-110
## Attribution & Identity
The threat actor is identified as **TAG-110**, which is further described as **Russia-Aligned**. The summary context names no aliases other than TAG-110 and no associated state actor.
## Activity Summary
The primary reported activity involves targeting Tajikistan using techniques centered around macro-enabled Word documents for initial access.
## Tactics, Techniques & Procedures
- Delivery via **Macro-Enabled Word Documents**.
- Use of custom malware, specifically **cherryspy** (Python-based) and **hatvibe** (VBScript-based).
## Targeting
- Sectors: Not explicitly detailed; the political nature of the targeting suggests government bodies or other entities with political relevance.
- Geography: **Tajikistan** is the explicitly targeted region.
- Victims: Specific organizations are not mentioned in the provided context snippet.
## Tools & Infrastructure
- Malware families used:
  - `cherryspy` (py.cherryspy)
  - `hatvibe` (vbs.hatvibe)
- Infrastructure: Not detailed in the provided context.
## Implications
The activity suggests ongoing, targeted espionage or influence operations conducted by a Russia-aligned entity specifically focusing on Tajikistan.
## Mitigations
- Focus defensive effort on inspecting inbound documents for embedded **macros** and blocking those that contain them.
- Implement strict endpoint controls for executing Python and VBScript files originating from untrusted sources (e.g., email attachments).
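The first mitigation, inspecting inbound documents for macros rather than trusting the file extension, can be implemented at a mail gateway or upload handler by opening the OOXML package and looking for macro storage. The following script is an added example written for this summary; it is not code from the Recorded Future report or from Malpedia, and the two documents it scans are constructed in memory for the demonstration. It relies only on public OOXML packaging rules: a `.docx`/`.docm` is a ZIP container, VBA code lives in a `vbaProject.bin` part, and `[Content_Types].xml` declares that part with the `application/vnd.ms-office.vbaProject` content type.

```python
"""Flag macro-enabled Office (OOXML) documents by content, not by extension.

Added example for this summary's mitigation advice; not code from the
Recorded Future report or Malpedia. Assumes only public OOXML packaging
rules (ZIP container, vbaProject.bin part, [Content_Types].xml overrides).
"""
import io
import re
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_PART_RE = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)


def macro_indicators(data: bytes) -> list[str]:
    """Return the reasons a document should be treated as macro-enabled.

    An empty list means no macro storage was found. Non-ZIP input is also
    reported, because legacy .doc/.xls binaries can carry macros and need
    a different (OLE) parser rather than being passed through unchecked.
    """
    findings: list[str] = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ["not an OOXML zip container: inspect as legacy OLE or reject"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Indicator 1: a vbaProject.bin part anywhere in the package.
        for name in names:
            if MACRO_PART_RE.search(name):
                findings.append(f"macro storage part present: {name}")
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            # Indicator 2: a content-type override declaring a VBA project.
            if VBA_CONTENT_TYPE in ctypes:
                findings.append("content type declares a VBA project")
            # Indicator 3: main part typed as macroEnabled (.docm/.xlsm/.pptm).
            if "macroEnabled" in ctypes:
                findings.append("main part content type is macroEnabled")
    return findings


def should_block(data: bytes) -> bool:
    """Gateway decision: any macro indicator means the document is held."""
    return bool(macro_indicators(data))


def _build_ooxml(macro: bool) -> bytes:
    """Construct a minimal Word package (constructed test input, not a real sample)."""
    if macro:
        main_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_ct = ("application/vnd.openxmlformats-officedocument"
                   ".wordprocessingml.document.main+xml")
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if macro:
        overrides += (f'<Override PartName="/word/vbaProject.bin" '
                      f'ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a real VBA project stream.
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


# Constructed samples: one macro-enabled document, one plain document.
SAMPLE_DOCM = _build_ooxml(macro=True)
SAMPLE_DOCX = _build_ooxml(macro=False)

if __name__ == "__main__":
    for label, blob in (("constructed .docm", SAMPLE_DOCM),
                        ("constructed .docx", SAMPLE_DOCX)):
        verdict = "BLOCK" if should_block(blob) else "allow"
        print(f"{label}: {verdict} {macro_indicators(blob)}")
```

Because the check reads the package contents, a macro-enabled file renamed to `.docx` is still caught by the `vbaProject.bin` part and the VBA content type. Documents that fail the ZIP test are deliberately not allowed through: legacy binary formats need an OLE parser, and anything that is neither format should not reach a user as a "document".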