
Targets Tajikistan: New Macro Word Documents Phishing Tactics

Medium
Published: Thu May 22 2025 (05/22/2025, 21:54:10 UTC)
Source: AlienVault OTX General

Description

From January to February 2025, a phishing campaign targeting Tajikistan was detected and attributed to TAG-110, a Russia-aligned threat actor. The campaign used Tajikistan government-themed documents as lures, shifting from previous tactics to macro-enabled Word template files for initial payload delivery. This change in approach demonstrates TAG-110's evolving tactics. The group's persistent targeting of Tajik government, educational, and research institutions aligns with Russia's strategy to maintain influence in Central Asia. The campaign likely aims to gather intelligence for influencing regional politics or security, particularly during sensitive events like elections or geopolitical tensions.

AI-Powered Analysis

Last updated: 06/22/2025, 17:36:37 UTC

Technical Analysis

The identified threat involves a phishing campaign conducted by TAG-110, a Russia-aligned threat actor, targeting Tajikistan from January to February 2025. This campaign marks a tactical evolution for TAG-110, shifting from previously used methods to the deployment of macro-enabled Microsoft Word template files as the initial attack vector. The malicious documents are crafted with themes related to Tajikistan government affairs, designed to lure recipients within government, educational, and research institutions. Once the user enables macros, the embedded code executes, delivering payloads that facilitate espionage activities such as data exfiltration, system compromise, and persistent access. The campaign aligns with Russia's strategic interest in maintaining influence over Central Asia, particularly Tajikistan, by targeting sensitive sectors critical for governance and regional stability. Indicators of compromise include specific file hashes and IP addresses associated with the campaign infrastructure. Although no known exploits in the wild have been reported, the medium severity rating reflects the potential for significant intelligence gathering and disruption. The campaign's timing suggests an intent to capitalize on politically sensitive periods, such as elections or heightened geopolitical tensions, to maximize impact. The technical approach leverages social engineering combined with macro malware, a well-known but effective technique against organizations with insufficient macro security controls or user awareness. The attack techniques correspond to MITRE ATT&CK tactics and techniques including user execution of malicious content (T1204.002), spearphishing attachment (T1566.001), system information discovery (T1137.001), and command and control over application layer protocols (T1071.001).

Potential Impact

For European organizations, the direct impact of this campaign is limited given its primary focus on Tajikistan. However, the tactics employed by TAG-110 demonstrate an evolution in phishing methods that could be adopted against European targets, especially those with geopolitical or strategic ties to Central Asia or Russia. European entities involved in diplomatic relations, international research collaborations, or governmental affairs related to Central Asia may face increased risk of similar espionage attempts. The campaign underscores the persistent threat posed by Russia-aligned actors, who have historically targeted European institutions. The use of macro-enabled documents remains a common vector for initial compromise, and organizations with inadequate macro security policies or user training could be vulnerable. The intelligence gathering focus could lead to exposure of sensitive information, potentially affecting European organizations engaged in regional policy, security cooperation, or economic partnerships with Central Asian states. Additionally, the infrastructure and malware signatures identified could be repurposed or serve as indicators for detecting related campaigns targeting Europe, increasing the risk of lateral or expanded targeting.

Mitigation Recommendations

To mitigate this threat and similar macro-based phishing campaigns, European organizations should implement targeted controls beyond generic advice:

1) Enforce strict Group Policy settings to disable macros by default in Microsoft Office applications, allowing macros only from trusted, digitally signed sources.
2) Deploy advanced email filtering solutions capable of detecting and quarantining macro-enabled documents, especially those masquerading as government or institutional communications.
3) Conduct focused user awareness training emphasizing the risks of enabling macros in unsolicited or unexpected documents, with simulated phishing exercises tailored to mimic such macro-enabled lures.
4) Utilize endpoint detection and response (EDR) tools configured to monitor and alert on suspicious macro execution and related process behaviors.
5) Maintain and regularly update threat intelligence feeds to incorporate indicators such as the provided file hashes and IP addresses, enabling proactive detection and blocking.
6) Establish incident response playbooks specifically addressing macro malware infections, including rapid isolation and forensic analysis.
7) For organizations collaborating with Central Asian partners, implement additional scrutiny on inbound communications referencing regional government themes.
8) Implement network segmentation and restrict outbound traffic to known safe destinations to limit command and control communications.

These measures, combined with continuous monitoring and threat intelligence integration, will enhance resilience against evolving phishing tactics like those employed by TAG-110.
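An added example, not part of the original report or of Recorded Future's research, that applies recommendations 2 and 5 to a quarantine folder of inbound attachments: each file is hashed against the four SHA-256 indicators listed on this page, and any OOXML container carrying a VBA project is flagged, including one disguised under a non-macro extension such as .docx. The function names `triage_attachment` and `triage_directory` are assumed, not from any product.

```python
import hashlib
import zipfile
from pathlib import Path

# SHA-256 indicators taken from this page's IoC list for the TAG-110 campaign.
TAG110_HASHES = {
    "6ac6a0dd78d2e3f58e95fa1a20b3ab22b4b49a1ab816dcfb32fd6864e1969ac3",
    "6c81d2af950e958f4872d3ced470d9f70b7d73bc0b92c20a34ce8bf75d551609",
    "8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7",
    "d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7",
}

# Extensions Word uses for macro-enabled documents (.docm) and templates (.dotm).
MACRO_EXTENSIONS = {".docm", ".dotm"}

def sha256_of(path: Path) -> str:
    # Stream the file so large attachments are not read into memory at once.
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def has_vba_project(path: Path) -> bool:
    """OOXML files are zip containers; a VBA macro project is stored as word/vbaProject.bin."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as archive:
        return any(name.lower().endswith("vbaproject.bin") for name in archive.namelist())

def triage_attachment(path: Path) -> dict:
    """Assumed helper: hash-match first, then look for macros regardless of extension."""
    digest = sha256_of(path)
    macro = has_vba_project(path)
    if digest in TAG110_HASHES:
        verdict = "known-ioc"
    elif macro and path.suffix.lower() in MACRO_EXTENSIONS:
        verdict = "macro-enabled"
    elif macro:
        # A VBA project inside a .docx/.dotx is a disguised macro document: quarantine it.
        verdict = "hidden-macro"
    else:
        verdict = "clean"
    return {"file": path.name, "sha256": digest, "has_macro": macro, "verdict": verdict}

def triage_directory(directory: Path) -> list:
    """Assumed helper: triage every regular file in a quarantine folder."""
    return [triage_attachment(p) for p in sorted(directory.iterdir()) if p.is_file()]
```

Feed the "known-ioc" and "hidden-macro" verdicts to the EDR or SIEM as high-priority alerts; "macro-enabled" files from unexpected senders are candidates for the user-awareness follow-up in recommendation 3.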


Technical Details

Author
AlienVault
Tlp
white
References
https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled
Adversary
TAG-110
Pulse Id
682f9d0236a68becaaf72d79

Indicators of Compromise

Hash

6ac6a0dd78d2e3f58e95fa1a20b3ab22b4b49a1ab816dcfb32fd6864e1969ac3
6c81d2af950e958f4872d3ced470d9f70b7d73bc0b92c20a34ce8bf75d551609
8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7
d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7

Ip

188.130.234.189
38.180.206.61

Threat ID: 683072f20acd01a249272525

Added to database: 5/23/2025, 1:06:58 PM

Last enriched: 6/22/2025, 5:36:37 PM

Last updated: 7/30/2025, 4:09:10 PM
