Saturday, February 14, 2026

Chinese Hackers Leverage Tibetan Community Lures and Filenames to Deploy Pubload Malware

Recent cybersecurity findings by IBM X-Force reveal a surge in targeted cyberattacks by a China-aligned threat actor known as Hive0154.

The group is exploiting the Tibetan community’s geopolitical concerns, using tailored lure documents and filenames to spread highly sophisticated malware, most notably the Pubload backdoor.

These campaigns coincide with significant events for the Tibetan diaspora, including the Dalai Lama’s 90th birthday and the 9th World Parliamentarians’ Convention on Tibet (WPCT).

Campaign Tactics and Lures

Hive0154’s 2025 campaigns have showcased a marked escalation in both sophistication and cunning.

The group crafts phishing emails and weaponized archives featuring topics specifically designed to entice Tibetan community members and their supporters. Lure themes include:

  • The 9th World Parliamentarians’ Convention on Tibet (WPCT), held in Tokyo, Japan, from June 2 to 4, 2025, drew notable attention from the Tibetan diaspora and international lawmakers. Hive0154’s campaign referenced the convention directly, using filenames such as “(WPCT)-ICT&CTA_Conference/World_Parliamentarians’_Convention_on_Tibet(WPTC)_in_Japan_tokyo).June 2025.exe.”
  • China’s education policy in the Tibet Autonomous Region (TAR): Issues around cultural assimilation and bilingual education are highly sensitive for the Tibetan community. Lures included executable files with names like “Bilingual Education Reform Report.exe” (in Tibetan script).
  • Dalai Lama’s latest book: The campaign also leveraged the March 2025 publication “Voice for the Voiceless,” by the Dalai Lama, with filenames such as “Voice for the Voiceless photos.exe.”

These lures often contain authentic-looking documents and images from Tibetan websites and conferences, packaged alongside malicious executables with similar names, a tactic designed to trick recipients into running malware-laden files.

Technical Details: Infection Chain and Malware Evolution

The infection process begins with a spear-phishing email containing a link to a Google Drive-hosted weaponized archive.

Once downloaded and opened, the archive contains a benign executable that is vulnerable to DLL sideloading and a malicious DLL named Claimloader.

The executable, often renamed to appear legitimate, triggers the infection chain when launched.

[Figure: Pubload infection chain]

Claimloader is a sophisticated malware loader, now updated to use TripleDES encryption for its embedded payload, a feature observed in variants from late April 2025 onward.

It establishes persistence by creating a registry entry under “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run,” ensuring the malware launches at every user login.

Claimloader then decrypts its payload in memory and injects it using native Windows APIs, such as LdrLoadDll() and LdrGetProcedureAddress(), while also employing XOR-encrypted API names to evade detection.

The primary payload, Pubload, is a backdoor capable of downloading and executing further shellcode. One of its first actions is to deploy Pubshell, a lightweight reverse shell that grants attackers immediate access to the infected system.

Pubload’s routines remain essentially unchanged from previous reports, but its integration with Claimloader’s advanced evasion and persistence techniques makes it a formidable threat.

Heightened Security Needed

Hive0154’s campaign demonstrates a clear trend: cyber threat actors are increasingly leveraging geopolitical tensions and community-specific interests to maximize their chances of successful infiltration.

Organizations, particularly those affiliated with the Tibetan community or involved in related advocacy, are advised to remain vigilant. Key recommendations include:

  • Exercise caution when opening emails and downloading files from Google Drive.
  • Train staff to recognize suspicious file extensions and unexpected content in archives.
  • Monitor for unusual persistence techniques, registry changes, and suspicious directories (e.g., under C:\ProgramData).
  • Watch for TLS 1.2 Application Data packets without a prior handshake, a possible sign of a Pubload beacon.
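The last recommendation can be checked over reassembled TCP streams: a flow whose first TLS records are Application Data with no Handshake record ahead of them matches the beacon pattern described above. The following detection logic is an added example, not code from IBM X-Force or the article; the flow keys and byte streams are constructed samples, not real captures.

```python
import struct

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
TLS_RECORD_VERSIONS = {0x0301, 0x0302, 0x0303}  # record-layer versions for TLS 1.0/1.1/1.2
TLS_12 = 0x0303


def parse_tls_records(payload: bytes):
    """Yield (content_type, version, body) for each TLS record in a reassembled stream."""
    off = 0
    while off + 5 <= len(payload):
        ctype, version, length = struct.unpack("!BHH", payload[off:off + 5])
        if ctype not in (0x14, 0x15, 0x16, 0x17) or version not in TLS_RECORD_VERSIONS:
            return  # not a TLS record header: stop parsing this stream
        body = payload[off + 5:off + 5 + length]
        if len(body) < length:
            return  # truncated record at end of capture
        yield ctype, version, body
        off += 5 + length


def flag_handshakeless_appdata(flows):
    """flows: dict mapping a flow key (src, sport, dst, dport) to its client->server bytes.
    Returns the keys of flows where TLS 1.2 Application Data appears before any Handshake record."""
    suspicious = []
    for key, stream in flows.items():
        seen_handshake = False
        for ctype, version, _ in parse_tls_records(stream):
            if ctype == TLS_HANDSHAKE:
                seen_handshake = True
            elif ctype == TLS_APPLICATION_DATA and version == TLS_12 and not seen_handshake:
                suspicious.append(key)
                break
    return suspicious


def record(ctype, version, body):
    """Build a TLS record: 1-byte type, 2-byte version, 2-byte length, then body."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample flows (hypothetical addresses, not indicators from the article)
SAMPLE_FLOWS = {
    # normal: ClientHello (handshake, record version 0x0301) followed by application data
    ("10.0.0.5", 51234, "203.0.113.10", 443): record(0x16, 0x0301, b"\x01" + b"\x00" * 40) + record(0x17, TLS_12, b"A" * 32),
    # beacon-like: TLS 1.2 application data with no handshake at all
    ("10.0.0.5", 51240, "203.0.113.20", 443): record(0x17, TLS_12, b"B" * 64) + record(0x17, TLS_12, b"C" * 16),
}

if __name__ == "__main__":
    for key in flag_handshakeless_appdata(SAMPLE_FLOWS):
        print("suspicious flow:", key)
```

Flows that began before the capture started will also trigger this check, so treat a hit as a lead to pivot on (destination, process, persistence artifacts) rather than a verdict on its own.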

As Hive0154 and similar groups continue to refine their tactics, robust cybersecurity practices and real-time threat intelligence remain essential for defense.

Indicators of compromise

