China-linked hackers target Tibetans ahead of Dalai Lama's 90th birthday in cyber espionage campaigns

Aug 05, 2025

Dharamshala (Himachal Pradesh) [India], August 5: Individuals associated with China conducted two cyber espionage initiatives aimed at the Tibetan community in the weeks approaching His Holiness the Dalai Lama's 90th birthday on July 6, 2025, as revealed by recent research from the U.S.-based security firm Zscaler ThreatLabz and the Tibetan Computer Emergency Readiness Team (TibCERT), according to a report by Phayul.
The campaigns, named Operation GhostChat and Operation PhantomPrayers, employed counterfeit Tibet-related applications and websites to covertly install spyware on the devices of victims, facilitating the theft of confidential information, enabling remote monitoring, and allowing control over devices.
Researchers have indicated that these campaigns utilised various subdomains under niccenter[.]net to imitate trusted websites. Victims were enticed into downloading harmful software themed around Tibetan cultural activities, which triggered multi-stage infection processes that deployed Gh0st RAT or PhantomNet (SManager), spyware tools frequently associated with groups backed by the Chinese state.
In Operation GhostChat, attackers infiltrated a legitimate Tibetan charity's website, substituting a link about the Dalai Lama's upcoming birthday with one that directed users to a deceptive lookalike site. This fraudulent site presented a so-called "Tibetan version" of a secure messaging application, which disguised the installation of Gh0st RAT. This malware was capable of logging keystrokes, taking screenshots, activating webcams, recording audio, and extracting files, as reported by Phayul.
Operation PhantomPrayers featured a counterfeit "Global Birthday Check-in" application that displayed an interactive map for sending good wishes to the Dalai Lama. Despite its innocent appearance, the app secretly deployed PhantomNet spyware, permitting attackers to download further malicious tools and steal sensitive data.
Security analysts describe this as the most recent in a series of "watering hole" attacks against the Tibetan diaspora, in which attackers strategically compromise websites frequented by a specific target community. Similar tactics have previously been employed by Chinese-affiliated groups such as EvilBamboo, Evasive Panda, and TAG-112, according to the Phayul report.
"Considering the victimology and malware utilised in both operations, ThreatLabz attributes Operation GhostChat and Operation PhantomPrayers to cyber espionage teams supported by the Chinese state," the report affirmed, as referenced by the Phayul report.
Cybersecurity professionals caution that such initiatives are likely to persist, especially around significant Tibetan cultural or political occasions, when online activity is at its highest.
