Chinese Hackers Target Tibetans with Malicious Firefox Extension
Chinese Communist Party-backed hackers have been spying on Tibetan activists via a malicious new Firefox extension, according to Proofpoint.
The security vendor explained that it had seen low-level phishing campaigns against the Tibetan diaspora since March 2020, but that these took another turn in the first two months of 2021 with the use of a customized malicious extension dubbed “FriarFox.”
“We attribute this activity to TA413, who in addition to the FriarFox browser extension, was also observed delivering both Scanbox and Sepulcher malware to Tibetan organizations in early 2021,” it added.
“Proofpoint has previously reported on Sepulcher malware and its links to the Lucky Cat and Exile Rat malware campaigns that targeted Tibetan organizations.”
TA413 itself is believed to be an APT group aligned with the Chinese state.
The malware is delivered via spear-phishing emails spoofing senders such as the Bureau of His Holiness the Dalai Lama in India and the Tibetan Women’s Association. They typically feature a malicious link leading to a fake ‘Adobe Flash Player Update’ which will execute JavaScript to scan the target’s machine.
These scripts will then decide whether to deliver the FriarFox payload, which provides access to the victim’s Gmail account.
It has been designed to search for, archive, read, delete, forward and mark emails as spam, as well as access browser tabs on Firefox, modify privacy settings and access user data for all websites.
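A defender can check for this capability profile by auditing the add-ons in a Firefox profile. The following is an added example, not code from Proofpoint or this article: it assumes the capabilities above map to the WebExtension permissions `tabs`, `privacy` and `<all_urls>`, and that the profile's `extensions.json` lists grants under `userPermissions`; the sample data is constructed.

```python
import json

# Assumed mapping of the capabilities listed above to WebExtension permissions:
# "tabs" (browser tabs), "privacy" (privacy settings), broad host patterns (all websites).
RISKY_PERMS = {"tabs", "privacy"}
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample in the assumed layout of a profile's extensions.json.
SAMPLE = json.dumps({"addons": [
    {"id": "updater@example.invalid", "type": "extension",
     "defaultLocale": {"name": "Sample updater"},
     "userPermissions": {"permissions": ["tabs", "privacy", "storage"],
                         "origins": ["<all_urls>"]}},
    {"id": "notes@example.invalid", "type": "extension",
     "defaultLocale": {"name": "Notes"},
     "userPermissions": {"permissions": ["storage"], "origins": []}},
    {"id": "theme@example.invalid", "type": "theme",
     "defaultLocale": {"name": "Dark"}, "userPermissions": None},
]})

def audit_extensions(raw_json):
    """Return add-ons that hold every risky permission plus a broad host pattern."""
    findings = []
    for addon in json.loads(raw_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries etc. carry no API permissions
        perms = addon.get("userPermissions") or {}
        granted = set(perms.get("permissions") or [])
        origins = set(perms.get("origins") or [])
        # Host patterns may be recorded in either list, so check both.
        broad = (origins | granted) & BROAD_ORIGINS
        if RISKY_PERMS <= granted and broad:
            findings.append({
                "id": addon.get("id"),
                "name": (addon.get("defaultLocale") or {}).get("name"),
                "permissions": sorted(granted & RISKY_PERMS),
                "origins": sorted(broad),
            })
    return findings

if __name__ == "__main__":
    for f in audit_extensions(SAMPLE):
        print(f"REVIEW {f['id']} ({f['name']}): {f['permissions']} on {f['origins']}")
```

Legitimate add-ons can hold the same combination, so a finding is a prompt to verify the add-on's source and install date, not proof of compromise.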
The attackers also try to download ScanBox malware, a “JavaScript-based reconnaissance framework” dating back to 2014 which can track visitors to certain websites, perform keylogging and collect user data for use in future intrusion attempts.
“Unlike many APT groups, the public disclosure of campaigns, tools and infrastructure has not led to significant TA413 operational changes,” Proofpoint concluded. “Accordingly, we anticipate continued use of a similar modus operandi targeting members of the Tibetan diaspora in the future.”