Cyber Threat Actor: TAG-38
| Actor Type | Location | Known Incidents |
Undetermined
|
—
|
0 incidents |
|---|
Profile
TAG-38 is a Chinese state-sponsored threat actor group implicated in cyber espionage operations targeting critical infrastructure sectors. Public reporting links this group to activity against telecommunications providers in Afghanistan, specifically Roshan, one of the country’s largest firms. The group operates alongside other Chinese APT clusters, including RedFoxtrot and Calypso APT, with distinct tooling and infrastructure. TAG-38’s operations align with strategic intelligence-gathering objectives consistent with Chinese state interests, focusing on entities in geopolitically sensitive regions.
The group employs malware families such as Winnti and PlugX for persistent access to victim networks, indicating a reliance on established backdoors favored by Chinese APT groups. Targeting centers on telecommunications infrastructure in Central Asia, with Roshan’s mail servers serving as a confirmed intrusion point. This sectoral focus suggests intent to monitor communications or disrupt services, though exfiltrated data types remain unspecified in available reporting. Attribution to Chinese state sponsorship is explicitly asserted by researchers based on technical indicators and victimology patterns. The Roshan campaign demonstrates TAG-38’s operational coordination with other Chinese threat groups, though specific division of roles within joint operations is not detailed. Telecommunications firms represent high-value targets for intelligence collection, particularly in regions where China has expanding economic and security interests.
