Aleksandar Milenkoski
CamoFei Meets the Taliban
CamoFei (which overlaps with ChamelGang, TAG-112, or Evasive Panda) sets itself apart within the landscape of China-linked APT groups through a dual-track operational model that blends traditional cyber espionage with disruptive activities. The group continues to target high-profile entities of strategic interest to Chinese intelligence, including Tibetan and Taiwanese organizations, while simultaneously engaging in operations that suggest influence or destabilization objectives, often layered with plausible deniability.
As of early 2025, CamoFei remains highly active, expanding its reach across a diverse set of governmental and private-sector targets in Southeast Asia, Europe, and the Middle East while adopting new tactics and techniques. Its recent compromise of Taliban networks in Afghanistan, which coincided with a suspected hack-and-leak influence campaign targeting the Taliban itself, points to a possible evolution toward hybrid operations that merge technical intrusions with geopolitical narratives. While the shift remains unconfirmed, it reflects the broader challenge posed by the increasingly blurred lines between espionage, influence operations, and cybercrime, making attribution and intent analysis more difficult. As multiple of these CamoFei victims exhibit signs of concurrent compromise by other Chinese-nexus groups, the case underscores a broader analytic challenge, namely, that overlapping intrusions within the same victim environments complicate attribution and intent analysis, raising important questions about coordination, operational autonomy, and competition within the broader Chinese threat ecosystem.
Aleksandar Milenkoski is a Senior Threat Researcher at SentinelLabs. With expertise in malware research and focus on targeted attacks, he brings a blend of practical and deep insights to the forefront of cyber threat intelligence. Aleksandar has a PhD in system security and is the author of numerous reports on cyberespionage and high-impact cybercriminal operations, conference talks, and peer-reviewed research papers. From 2011 to 2014, he was a European Commission Marie Skłodowska-Curie Research Fellow.
