Full Report
2025-05-22 • Recorded Future • Insikt Group • py.cherryspy, vbs.hatvibe
Analysis Summary
# Threat Actor: TAG-110
## Attribution & Identity
TAG-110 is attributed as Russia-aligned.
## Activity Summary
The actor, identified as TAG-110, was observed targeting Tajikistan using macro-enabled Word templates for initial compromise.
## Tactics, Techniques & Procedures
- Initial access via **macro-enabled Word templates**.
- Use of specific malware families: `py.cherryspy` and `vbs.hatvibe`.
## Targeting
- Sectors: Not explicitly detailed, likely governmental or sensitive entities within the targeted country.
- Geography: **Tajikistan**.
- Victims: Specific organizations are not named in the summarized material.
## Tools & Infrastructure
- Malware families used: `py.cherryspy`, `vbs.hatvibe`.
- Infrastructure: Not specified in the summarized material.
## Implications
TAG-110 is actively engaged in cyber espionage or influence operations targeting Central Asian nations perceived as allied with Russia, using standard but effective social engineering techniques (macro delivery).
## Mitigations
- Disable or restrict the execution of VBA macros from untrusted sources.
- Ensure endpoint detection and response (EDR) tooling can spot script execution that follows a document being opened.
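
One way to express the second mitigation as detection logic, given here as an added example that is not taken from the report: it walks process ancestry in process-creation telemetry and flags script interpreters that descend from Word, including grandchildren launched through an intermediate shell. The event field names, the interpreter list and the sample events are assumptions constructed for illustration.

```python
import json
from ntpath import basename  # parses Windows paths on any OS

# Assumptions: field names, interpreter list and sample events are constructed.
OFFICE = {"winword.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "python.exe", "pythonw.exe"}
MAX_DEPTH = 4  # ancestors to walk; also bounds any parent/child loop

SAMPLE_EVENTS = r"""
{"host":"ws-01","pid":100,"ppid":4,"image":"C:\\Windows\\explorer.exe"}
{"host":"ws-01","pid":200,"ppid":100,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"host":"ws-01","pid":300,"ppid":200,"image":"C:\\Windows\\System32\\cmd.exe"}
{"host":"ws-01","pid":400,"ppid":300,"image":"C:\\Windows\\System32\\mshta.exe"}
{"host":"ws-02","pid":500,"ppid":100,"image":"C:\\Windows\\System32\\wscript.exe"}
{"host":"ws-02","pid":600, truncated line
"""

def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict):
            events.append(ev)
    return events

def word_descendant_scripts(events):
    """Return (host, pid, image, chain) for script hosts with Word as an ancestor."""
    procs, hits = {}, []
    for ev in events:  # assumed to arrive in creation order; PID reuse is ignored
        name = basename(ev["image"]).lower()
        procs[(ev["host"], ev["pid"])] = (name, ev["ppid"])
        chain, ppid = [name], ev["ppid"]
        for _ in range(MAX_DEPTH):
            parent = procs.get((ev["host"], ppid))
            if parent is None:
                break
            chain.append(parent[0])
            if parent[0] in OFFICE:
                break
            ppid = parent[1]
        if name in SCRIPT_HOSTS and chain[-1] in OFFICE:
            hits.append((ev["host"], ev["pid"], name, " <- ".join(chain)))
    return hits

if __name__ == "__main__":
    for hit in word_descendant_scripts(parse_events(SAMPLE_EVENTS)):
        print(hit)
```

The `wscript.exe` event on `ws-02` is not flagged because it has no Word ancestor, which keeps ordinary logon scripts out of the results.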