Chinese Hackers Target Tibetans With Malware Masquerade

A China-linked cyber campaign has targeted the Tibetan community using malware-laced files disguised as political documents. Researchers from IBM identified the use of Pubload, a sophisticated backdoor, distributed via spear phishing emails with ZIP/RAR archives. These files exploit Tibetan political themes, such as the Dalai Lama’s latest book and the June 2025 World Parliamentarians’ Convention on Tibet. The malware uses DLL sideloading to evade detection. The attacks are attributed to Hive0154, also known as Mustang Panda, a group with a history of targeting Tibetan entities.