
In a politically charged cyber-espionage campaign, IBM X-Force has identified the resurgence of the China-aligned threat group Hive0154, targeting individuals and organizations linked to the Tibetan community. The campaign—detected ahead of the Dalai Lama’s 90th birthday—uses phishing lures themed around cultural, political, and educational issues in Tibet to deliver the Pubload backdoor.
“China-aligned threat actor Hive0154 has spread numerous phishing lures in targeted campaigns throughout 2025 to deploy the Pubload backdoor,” IBM X-Force reported.
The campaign weaponizes documents themed around events like the 9th World Parliamentarians’ Convention on Tibet (WPCT) held in Tokyo in June 2025, and sensitive topics such as China’s education policy in the Tibet Autonomous Region (TAR) and the Dalai Lama’s book Voice for the Voiceless.
“Hive0154 devises filenames referencing various geopolitical topics tailored to elicit increased interest from the targeted recipients.”
Malicious executables masquerade as legitimate files—such as .docx documents or .jpg images—packaged into ZIP archives. Once opened, they silently initiate the infection chain via a malicious DLL named Claimloader, which decrypts and injects Pubload into memory.
The lures are cleverly constructed. For instance, one archive contained authentic photos and documents from the WPCT, alongside executables with near-identical filenames, tricking users into launching the malware by mistake.
“The presence of legitimate articles and photos among the weaponized executables… is likely to trick victims into accidentally opening one of the EXE files.”
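The decoy-alongside-executable layout described above lends itself to a simple defender-side triage check on inbound archives. The following is an added example, not code from the X-Force report: it flags ZIP entries that start with a Windows PE header (rather than trusting the extension) and are named like a document or image, carry a double extension, or nearly duplicate the name of a genuine decoy file next to them. The archive and its contents are constructed placeholders.

```python
import io
import zipfile
from difflib import SequenceMatcher

# Extensions the report says the executables masquerade as: documents and images.
DECOY_EXTS = {".docx", ".doc", ".pdf", ".jpg", ".jpeg", ".png"}

def split_ext(name: str):
    """Return (stem, lowercase extension) of the last path component."""
    base = name.rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    return (stem, "." + ext.lower()) if dot else (base, "")

def triage_zip(blob: bytes, similarity: float = 0.85):
    """Flag PE entries (by 'MZ' header, not extension) that mimic documents."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        decoy_stems = {n: split_ext(n)[0] for n in names if split_ext(n)[1] in DECOY_EXTS}
        for name in names:
            with zf.open(name) as fh:
                head = fh.read(2)
            if head != b"MZ":
                continue  # only executables matter for this lure pattern
            stem, ext = split_ext(name)
            if ext in DECOY_EXTS:
                findings.append((name, "PE header behind a document/image extension"))
            elif split_ext(stem)[1] in DECOY_EXTS:
                findings.append((name, f"double extension {split_ext(stem)[1]}{ext}"))
            else:
                # Near-identical name to a genuine decoy, e.g. 'agenda .exe' next to 'agenda.docx'.
                for decoy, dstem in decoy_stems.items():
                    if SequenceMatcher(None, stem, dstem).ratio() >= similarity:
                        findings.append((name, f"named almost like decoy {decoy}"))
                        break
    return findings

def build_sample() -> bytes:
    """Constructed archive mimicking the reported layout; all bytes are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WPCT 2025/agenda.docx", b"PK\x03\x04 placeholder document")
        zf.writestr("WPCT 2025/agenda .exe", b"MZ\x90\x00 placeholder executable")
        zf.writestr("WPCT 2025/photo1.jpg", b"\xff\xd8\xff placeholder image")
        zf.writestr("WPCT 2025/photo1.jpg.exe", b"MZ\x90\x00 placeholder executable")
    return buf.getvalue()
```

Running `triage_zip(build_sample())` reports the two executables and the reason each was flagged; on a mail gateway the same check would feed a quarantine decision rather than a print.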
Lures also included references to educational reforms and human rights topics—issues that resonate strongly within the Tibetan diaspora. These phishing kits were primarily observed in samples submitted from India, home to the Tibetan government-in-exile.
Hive0154’s campaigns extended beyond Tibet. A separate lure targeting U.S. military interests, specifically the United States Pacific Fleet (USPACFLT), was identified in June 2025. Another lure referenced a strategic mining deal involving the Democratic Republic of Congo (DRC) and U.S. interests—suggesting a global operational scope.
“X-Force uncovered a file likely targeting the U.S. Navy… and one referencing the DRC’s mineral development deal with the U.S.”
Claimloader is a customized loader that uses DLL sideloading, registry-based persistence, and TripleDES encryption. Upon second execution, it decrypts the embedded payload using dynamic API resolution and executes the payload by abusing Windows APIs such as EnumFontsW().
“Claimloader uses XOR-encrypted API names and native APIs… to resolve imports dynamically.”
Once deployed, the Pubload backdoor downloads additional payloads, including Pubshell, which establishes a reverse shell for immediate attacker access.
“Pubload is a simple backdoor capable of downloading encrypted shellcode payloads… Pubshell implements a reverse shell.”
With overlapping activity reported under aliases such as Mustang Panda, Stately Taurus, and Camaro Dragon, Hive0154 continues to be an adaptable, state-aligned APT. Its tactics—deceptively simple yet technically refined—underscore the evolving threat landscape in Asia and beyond.
“X-Force assesses with high confidence that China-aligned groups like Hive0154 will continue to refine their large malware arsenal and target public and private organizations worldwide.”
Organizations working with the Tibetan community, international NGOs, and government agencies are urged to monitor for spear-phishing activity, enforce file-type restrictions, and invest in threat detection capabilities tailored to DLL sideloading and reverse shell backdoors.