Cybersecurity researchers today unwrapped a new campaign aimed at spying on vulnerable Tibetan communities globally by deploying a malicious Firefox extension on target systems.
“Threat actors aligned with the Chinese Communist Party’s state interests delivered a customized malicious Mozilla Firefox browser extension that facilitated access and control of users’ Gmail accounts,” Proofpoint said in an analysis.
The Sunnyvale-based enterprise security company pinned the phishing operation on a Chinese advanced persistent threat (APT) it tracks as TA413, which has been previously attributed to attacks against the Tibetan diaspora by leveraging COVID-themed lures to deliver the Sepulcher malware with the strategic goal of espionage and civil dissident surveillance.
The researchers said the attacks were detected in January and February 2021, continuing a pattern of activity that has been observed since March 2020.
The infection chain begins with a phishing email impersonating the “Tibetan Women’s Association” using a TA413-linked Gmail account that’s known to masquerade as the Bureau of His Holiness the Dalai Lama in India.
The emails contain a malicious URL, supposedly a link to YouTube, when in fact, it…