🇨🇳

TAG-28

APT Group · Information theft and espionage · 16 zero-day CVEs · ETDA ✓

Also Known As

No alias recorded

Target Countries 1

India

Sectors Targeted

Details

Origin 🇨🇳 CN
Last Updated 27 Jan 2024

MITRE ATT&CK 147

T1001, T1001.001, T1003, T1003.001, T1003.002, T1003.003, T1005 - Data from Local System, T1006, T1014, T1016, T1016.002, T1021, T1021.001, T1021.002, T1025, T1027 - Obfuscated Files or Information, T1027.013, T1030, T1036 - Masquerading, T1036.005, T1037, T1037.001, T1039, T1040, T1048, T1048.002, T1053.005 - Scheduled Task, T1055 - Process Injection, T1055.002, T1056 - Input Capture, T1056.001, T1056.002 - GUI Input Capture, T1056.003 - Web Portal Capture, T1057, T1059 - Command and Scripting Interpreter, T1059.001 - PowerShell, T1059.003, T1068, T1070, T1070.001, T1070.004, T1070.006, T1071, T1071.001 - Web Protocols, T1071.003, T1074, T1074.001, T1074.002, T1078 - Valid Accounts, T1078.004, T1083, T1090 - Proxy, T1090.001, T1090.002, T1090.003, T1091, T1092, T1098 - Account Manipulation, T1098.002, T1102 - Web Service, T1102.002, T1105 - Ingress Tool Transfer, T1106 - Native API, T1110, T1110.001, T1110.003, T1113, T1114, T1114.002, T1114.003 - Email Forwarding Rule, T1119, T1120, T1132.001 - Standard Encoding, T1133 - External Remote Services, T1134, T1134.001, T1137, T1137.002, T1140 - Deobfuscate/Decode Files or Information, T1176 - Browser Extensions, T1189, T1190, T1199, T1203, T1204, T1204.001 - Malicious Link, T1204.002, T1210, T1211, T1212 - Exploitation for Credential Access, T1213, T1213.002, T1218 - Signed Binary Proxy Execution, T1218.011, T1221, T1498, T1505, T1505.003, T1528, T1542, T1542.003, T1546, T1546.015, T1547 - Boot or Logon Autostart Execution, T1547.001, T1550, T1550.001, T1550.002, T1557, T1557.004, T1559, T1559.002, T1560, T1560.001, T1561, T1561.001, T1562 - Impair Defenses, T1562.004, T1564, T1564.001, T1564.003, T1566 - Phishing, T1566.001 - Spearphishing Attachment, T1566.002 - Spearphishing Link, T1567, T1573, T1573.001, T1583, T1583.001, T1583.003, T1583.006 - Web Services, T1584, T1584.008, T1586, T1586.002, T1588, T1588.002, T1589, T1589.001, T1591, T1593 - Search Open Websites/Domains, T1595, T1595.002, T1596, T1598, T1598.003, T1669