Chinese state hackers employ malicious Firefox extension to target exile Tibetans


(, Feb27’21) – Chinese Communist Party-backed hackers have been carrying out low-level phishing campaigns against the Tibetan diaspora since Mar 2020, reported Feb 26, citing security vendor Proofpoint. It has said the campaign was being carried out via a malicious new Firefox extension.

These low-level phishing campaigns took another turn in the first two months of 2021 with the use of a customized malicious extension dubbed “FriarFox”, the report said.

“We attribute this activity to TA413, who in addition to the FriarFox browser extension, was also observed delivering both Scanbox and Sepulcher malware to Tibetan organizations in early 2021,” the vendor was quoted as saying.

“Proofpoint has previously reported on Sepulcher malware and its links to the Lucky Cat and Exile Rat malware campaigns that targeted Tibetan organizations.”

The report said TA413 itself was believed to be an APT group aligned with the Chinese state.

The malware was stated to be delivered via spear-phishing emails spoofing senders such as the Bureau of His Holiness the Dalai Lama in India and the Tibetan Women’s Association. They were stated to typically feature a malicious link leading to a fake ‘Adobe Flash Player Update’ which will execute JavaScript to scan the target’s machine.

These scripts will then decide whether to deliver the FriarFox payload, which provides access to the victim’s Gmail account.

It was stated to be designed to search for, archive, read, delete, forward and mark emails as spam, as well as access browser tabs on Firefox, modify privacy settings and access user data for all websites.

The attackers were also reported to try to download ScanBox malware, a “JavaScript-based reconnaissance framework” dating back to 2014 which can track visitors to certain websites, perform keylogging and collect user data for use in future intrusion attempts.


Please enter your comment!
Please enter your name here