TA413
TA413 is a China-aligned advanced persistent threat group associated with espionage and surveillance activity, particularly against the Tibetan community and Tibetan diaspora. Reported aliases include White Dev 9 and LuckyCat. The actor has conducted sustained phishing and malware campaigns against Tibetan organizations, Tibetan dissidents, individuals associated with the Tibetan leadership in exile, and the broader Tibetan community. Reporting also describes TA413 exploiting Follina (CVE-2022-30190) in phishing campaigns targeting the Tibetan diaspora, with some campaigns also affecting officials in Europe and the United States.
TA413 has been linked to the delivery and use of several malware families and tools, including ExileRAT, Sepulcher, FriarFox, and ScanBox, and is referenced in BADBAZAAR reporting because of infrastructure overlaps. Proofpoint attributed the 2020 Sepulcher campaigns to TA413: a WHO COVID-19-themed campaign targeting European diplomatic, legislative, policy, and economic organizations, and a later Tibetan-themed campaign targeting Tibetan dissidents. Sepulcher is described as a basic RAT with host reconnaissance, a reverse shell, file read/write capability, scheduled-task persistence, and an encrypted configuration stored in the Windows registry.
In early 2021, TA413 delivered the malicious Firefox extension FriarFox via phishing emails impersonating Tibetan organizations, including the Tibetan Women’s Association and the Bureau of His Holiness the Dalai Lama. FriarFox, a modified version of the open-source Gmail Notifier extension, gave the operators access to the victim’s Gmail account and browser data and could forward, delete, and send email from the compromised account. The campaign used fake Adobe Flash update pages and served the payload selectively to Firefox users, in some cases only when the user was logged into Gmail. FriarFox was also observed retrieving the ScanBox reconnaissance framework.
TA413 tradecraft described in the reporting includes phishing, watering-hole activity, fake update pages, impersonation of legitimate organizations, Royal Road RTF weaponization, exploitation of a Microsoft Equation Editor vulnerability, and use of ScanBox for reconnaissance and keylogging. The BADBAZAAR reporting references TA413 because of overlapping domain registration patterns, including keyboard-walk WHOIS registrant values on BADBAZAAR-linked domains, and spoofing of Tibetan-themed infrastructure consistent with TA413's historically reported targeting of Tibetan organizations. Across the cited reporting, TA413 is consistently described as focused on espionage and civil-dissident surveillance aligned with Chinese state interests.
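The keyboard-walk WHOIS pattern mentioned above is easy to check for mechanically. The script below is an added example, not code from the cited reporting or from Mallory: it scores registrant strings by how many consecutive characters sit on neighbouring QWERTY keys, and flags records such as "qwerty" or "1qaz2wsx" while leaving ordinary names alone. The thresholds, the record field names, and the sample WHOIS records (constructed, on `.invalid` domains) are all assumptions.

```python
# Heuristic for "keyboard-walk" WHOIS registrant values (e.g. "qwerty", "1qaz2wsx"):
# strings whose successive characters sit on neighbouring keys of a QWERTY keyboard.
# Added example; thresholds and the scan_whois() record layout are assumptions.

QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Map each key to its (row, column) on the keyboard grid.
KEY_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}


def keys_adjacent(a, b):
    """True when a and b are different keys at most one row and one column apart.

    Real keyboard rows are staggered by half a key, so this approximation accepts
    the diagonals in both directions rather than modelling the exact offsets."""
    if a == b or a not in KEY_POS or b not in KEY_POS:
        return False
    (ra, ca), (rb, cb) = KEY_POS[a], KEY_POS[b]
    return abs(ra - rb) <= 1 and abs(ca - cb) <= 1


def walk_stats(value):
    """Return (longest_walk, adjacent_ratio) for a registrant field.

    longest_walk is the longest run of consecutive adjacent keys, in characters;
    adjacent_ratio is the share of character pairs that are adjacent keys."""
    s = value.lower()
    if len(s) < 2:
        return len(s), 0.0
    longest = run = 1
    adjacent = 0
    for a, b in zip(s, s[1:]):
        if keys_adjacent(a, b):
            adjacent += 1
            run += 1
            longest = max(longest, run)
        else:
            run = 1
    return longest, adjacent / (len(s) - 1)


def is_keyboard_walk(value, min_walk=5, min_ratio=0.7, min_len=6):
    """Flag a value that contains one long walk, or a value of reasonable length
    that is mostly adjacent-key pairs (catches "1qaz2wsx", whose runs are broken
    by the jump back up to the number row)."""
    longest, ratio = walk_stats(value)
    return longest >= min_walk or (len(value) >= min_len and ratio >= min_ratio)


# Constructed WHOIS records (assumed field names, .invalid domains) standing in for
# registration data pulled from a real WHOIS or RDAP lookup.
SAMPLE_WHOIS = [
    {"domain": "tibet-news-example.invalid", "registrant_name": "qwerty", "registrant_org": "asdfgh"},
    {"domain": "women-assoc-example.invalid", "registrant_name": "Tenzin Dorje", "registrant_org": "Example Association"},
    {"domain": "update-flash-example.invalid", "registrant_name": "1qaz2wsx", "registrant_org": "zxcvbn"},
]


def scan_whois(records, fields=("registrant_name", "registrant_org")):
    """Return [(domain, [(field, value), ...])] for records with keyboard-walk fields."""
    hits = []
    for rec in records:
        flagged = [(f, rec[f]) for f in fields if f in rec and is_keyboard_walk(rec[f])]
        if flagged:
            hits.append((rec["domain"], flagged))
    return hits


if __name__ == "__main__":
    for domain, flagged in scan_whois(SAMPLE_WHOIS):
        print(domain, flagged)
```

A keyboard-walk hit on its own is weak evidence (lazy registrants produce them too); it is useful as a pivot key to cluster registrations alongside the Tibetan-themed spoofing the reporting describes, not as an attribution signal by itself.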
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Non-Governmental Organizations
Where they're from
Attributed origin per open-source reporting.
- CN (China)
Tradecraft
18 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Associated vulnerabilities
1 CVE used by this actor in observed campaigns (Follina, CVE-2022-30190), exploited in the wild.
Observables
11 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
8 sources tracked across advisories, community write-ups, and news. Excerpts:
- Historically reported targeting of Tibetan organizations; referenced here due to overlaps in domain registration patterns and spoofing of Tibetan-themed infrastructure.
- Named as one of several China-based threat actors observed using the ScanBox framework.
- Exploited the Follina (CVE-2022-30190) MSDT RCE zero-day in phishing/lure-based attacks targeting the Tibetan diaspora.
- Actively exploiting the Follina vulnerability in phishing campaigns, with ongoing hacking operations against the Tibetan community and victims including officials in Europe and the United States.
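The Follina activity in the excerpts above is the one technique on this page with a well-defined host-side footprint: an Office process starting msdt.exe through the ms-msdt: protocol handler, a PowerShell subexpression smuggled in the troubleshooter's IT_BrowseForFile parameter, and sdiagnhost.exe then spawning a shell. The triage script below is an added example, not taken from the cited reporting or from Mallory: it reads Sysmon-style process-creation events as JSON lines and returns which of those signals each event shows. The field names, the signal labels, and the four sample events are constructed assumptions.

```python
import json
import re

# Process-creation triage for the Follina (CVE-2022-30190) chain described on this page.
# Added example; the Sysmon-style field names and the sample events are constructed.

# Office hosts that launch msdt.exe when a document triggers the ms-msdt: handler.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Shells that should not normally be children of the diagnostic scripting host.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# "ms-msdt:" in the command line means msdt was started through the URL protocol
# handler rather than from the Control Panel troubleshooter UI.
MSDT_HANDLER = re.compile(r"ms-msdt:", re.IGNORECASE)
# Public exploit chains placed a PowerShell subexpression $( ... ) in the
# troubleshooter's browse parameter, which msdt hands to sdiagnhost.exe to evaluate.
BROWSE_INJECTION = re.compile(r"IT_(?:Re)?BrowseForFile=\S*\$\(", re.IGNORECASE)


def _exe(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the list of Follina-style signals present in one process-creation event."""
    image = _exe(event.get("Image", ""))
    parent = _exe(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []
    if image == "msdt.exe":
        if parent in OFFICE_HOSTS:
            reasons.append("office-spawned-msdt")
        if MSDT_HANDLER.search(cmdline):
            reasons.append("ms-msdt-handler")
        if BROWSE_INJECTION.search(cmdline):
            reasons.append("browse-param-injection")
    if parent == "sdiagnhost.exe" and image in SHELLS:
        reasons.append("sdiagnhost-child-shell")
    return reasons


def detect(lines):
    """Parse JSON-lines process-creation events; return [(ProcessId, reasons)] for hits."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["ProcessId"], reasons))
    return hits


# Constructed events: one Follina-shaped msdt launch from Word, the follow-on shell from
# sdiagnhost, a benign troubleshooter launch from Explorer, and a benign Word child.
SAMPLE_EVENTS = r"""
{"ProcessId": 4412, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\msdt.exe", "CommandLine": "\"C:\\Windows\\System32\\msdt.exe\" ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression('payload-placeholder'))\""}
{"ProcessId": 4470, "ParentImage": "C:\\Windows\\System32\\sdiagnhost.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command payload-placeholder"}
{"ProcessId": 5012, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\msdt.exe", "CommandLine": "\"C:\\Windows\\System32\\msdt.exe\" -id PCWDiagnostic"}
{"ProcessId": 5030, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
"""

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS.splitlines()):
        print(pid, ", ".join(reasons))
```

The parent/child signals (Office to msdt.exe, sdiagnhost.exe to a shell) are worth keeping after the June 2022 fix, since they describe the abuse of the diagnostic tool rather than the one bug; the interim mitigation Microsoft published at the time was to remove the ms-msdt protocol handler registration under HKEY_CLASSES_ROOT\ms-msdt, which is also a quick way to confirm whether a host was exposed.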