The Reveal Platform
Intel Name: Illusory wishes: china-nexus apt targets the tibetan community
Date of Scan: July 24, 2025
Impact: High
Summary: In June 2025, two cyberattack campaigns—Operation GhostChat and Operation PhantomPrayers—targeted the Tibetan community, exploiting increased online activity surrounding the Dalai Lama’s 90th birthday. Threat actors linked to a China-nexus APT group compromised a legitimate website to redirect users via malicious links. Victims were tricked into downloading malware with Tibet-related themes, leading to multi-stage infections that deployed either the Ghost RAT or PhantomNet (SManager) backdoors. The campaigns used deceptive subdomains under niccenter.net to impersonate trusted platforms and intensify attacks during this culturally significant time.
