Julian-Ferdinand Vögele
CamoFei Meets the Taliban
CamoFei (which overlaps with ChamelGang, TAG-112, or Evasive Panda) sets itself apart within the landscape of China-linked APT groups through a dual-track operational model that blends traditional cyber espionage with disruptive activities. The group continues to target high-profile entities of strategic interest to Chinese intelligence, including Tibetan and Taiwanese organizations, while simultaneously engaging in operations that suggest influence or destabilization objectives, often layered with plausible deniability.
As of early 2025, CamoFei remains highly active, expanding its reach across a diverse set of governmental and private-sector targets in Southeast Asia, Europe, and the Middle East while adopting new tactics and techniques. Its recent compromise of Taliban networks in Afghanistan, which coincided with a suspected hack-and-leak influence campaign targeting the Taliban itself, points to a possible evolution toward hybrid operations that merge technical intrusions with geopolitical narratives. While this shift remains unconfirmed, it reflects the broader challenge posed by the increasingly blurred lines between espionage, influence operations, and cybercrime. Because several of these CamoFei victims show signs of concurrent compromise by other China-nexus groups, the case also underscores a broader analytic problem: overlapping intrusions within the same victim environments complicate attribution and intent analysis, raising important questions about coordination, operational autonomy, and competition within the wider Chinese threat ecosystem.
Julian-Ferdinand is a Senior Threat Researcher at Recorded Future’s Insikt Group, specializing in malware analysis and infrastructure detection. He investigates cybercriminal, state-sponsored, and mercenary spyware operations. He previously worked in offensive security, studied computer science, and is a Virtual Routes fellow.
