Abandoned Sogou Zhuyin Update Server Hijacked to Deliver Malware in the Taoth Espionage Campaign

By user, August 29, 2025, 5 min read

An abandoned update server belonging to the Input Method Editor (IME) software Sogou Zhuyin was used by threat actors as part of an espionage campaign that delivered several malware families, including C6DOOR and GTELAM, mainly to users in East Asia.

“Attackers used sophisticated infection chains such as hijacked software updates and fake cloud storage and login pages to distribute malware and collect sensitive information.”

The campaign, identified in June 2025, is tracked by cybersecurity company Trend Micro under the codename Taoth. Its targets are primarily dissidents, journalists, researchers, and technology and business leaders in China, Taiwan, Hong Kong, Japan, and Korea, as well as overseas Taiwanese communities. Taiwan accounts for 49% of all targets, followed by Cambodia (11%) and the US (7%).

The attacker is said to have taken control of the lapsed domain name (“Sogouzhuyin[.]com”) in October 2024 and begun spreading malicious payloads through it a month later. The domain belonged to Sogou Zhuyin, a legitimate IME that stopped receiving updates in June 2019. Hundreds of victims are estimated to have been affected.

“The attacker took over an abandoned update server and registered it, then used the domain to host malicious updates since October 2024,” the researchers said. “Through this channel, multiple malware families are deployed, including Gtelam, C6Door, Desfy, and Toshis.”


The deployed malware families serve a variety of purposes, including remote access trojan (RAT), information-stealing, and backdoor functionality. To avoid detection, the threat actors leveraged third-party cloud services to hide network activity across the attack chain: legitimate cloud storage services such as Google Drive are used as data exfiltration points, so that malicious traffic blends in with ordinary network activity.

The attack chain begins when an unsuspecting user downloads the official Sogou Zhuyin installer from the internet. For example, the Traditional Chinese Wikipedia entry for Sogou Zhuyin was changed in March 2025 to point to a download on the malicious domain downloads[.]sogouzhuyin[.]com.

The installer itself is completely harmless. The malicious activity starts only when the automatic update process is triggered a few hours after installation: the updater binary “Zhuyinup.exe” retrieves the update configuration file from the URL “…[.]com/v1/upgrade/version” on the hijacked domain.
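To show the defensive side of this update-channel takeover, here is an added example that is not from the article or from Trend Micro: a small Python scanner that runs over constructed proxy-log lines and flags any request made by the Sogou Zhuyin updater, or any request to the abandoned update domain, since an end-of-support product can no longer receive a legitimate update from that channel. The log format, the inventory structure, and the sample lines are assumptions; only the domain, the updater name, and the config path come from the article.

```python
import re
from dataclasses import dataclass

# Constructed proxy-log sample (not real telemetry). Assumed field order:
# time client process host path
SAMPLE_PROXY_LOG = """\
2025-03-12T09:14:02Z 10.0.0.17 Zhuyinup.exe sogouzhuyin.com /v1/upgrade/version
2025-03-12T09:14:05Z 10.0.0.17 Zhuyinup.exe downloads.sogouzhuyin.com /update/pkg.zip
2025-03-12T09:15:11Z 10.0.0.23 chrome.exe zh.wikipedia.org /wiki/Sogou_Zhuyin
2025-03-12T09:16:40Z 10.0.0.42 explorer.exe downloads.sogouzhuyin.com /setup.exe
2025-03-12T09:18:03Z 10.0.0.42 firefox.exe drive.google.com /upload
"""
# Hypothetical end-of-support inventory: products whose update domain the vendor
# no longer controls. Only the Sogou Zhuyin entry is drawn from the article.
EOL_UPDATE_CHANNELS = {
    "Sogou Zhuyin": {
        "updater": "zhuyinup.exe",
        "domain": "sogouzhuyin.com",
        "config_path": "/v1/upgrade/version",
    },
}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

@dataclass(frozen=True)
class Alert:
    time: str
    client: str
    software: str
    reason: str

def _in_domain(host, domain):
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def scan_proxy_log(text):
    """Flag every request made by an EOL updater, and every request to an EOL
    product's update domain: once the vendor has abandoned the channel, none of
    this traffic can be a legitimate update, whoever owns the domain today."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        time, client, proc, host, path = m.groups()
        for name, rule in EOL_UPDATE_CHANNELS.items():
            if proc.lower() == rule["updater"]:
                tag = " (update-config fetch)" if path == rule["config_path"] else ""
                alerts.append(Alert(time, client, name, f"EOL updater {proc} contacted {host}{path}{tag}"))
            elif _in_domain(host, rule["domain"]):
                alerts.append(Alert(time, client, name, f"{proc} contacted abandoned update domain {host}{path}"))
    return alerts
```

Run against the sample, the scanner flags the two updater requests and the installer download from the hijacked domain, and leaves the Wikipedia and Google Drive lines alone.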

The tampered update process delivers Desfy, Gtelam, C6Door, and Toshis, with the ultimate goal of profiling high-value targets and collecting data from them:

  • Toshis (first discovered December 2024), a loader designed to fetch the next-stage payload (Cobalt Strike or the Merlin agent) from an external server. It is a variant of Xiangoop, attributed to Tropic Trooper, which has previously been used to deliver Cobalt Strike or a backdoor called EntryShell.
  • Desfy (first detected in May 2025), spyware that collects file names from two locations, the Desktop and Program Files.
  • GTELAM (first detected in May 2025), spyware that collects files based on their extensions and uses Google Drive for exfiltration.
  • C6DOOR, a backdoor that collects system information, executes arbitrary commands, performs file operations, uploads and downloads files, captures screenshots, lists running processes, enumerates directories, and injects shellcode into target processes, using the HTTP and WebSocket protocols for command and control.

Further analysis of C6DOOR reveals Simplified Chinese characters embedded within the sample, suggesting that the threat actors behind the artifacts may be proficient in Chinese.


“The attackers were still in the reconnaissance phase and were primarily looking for high-value targets,” Trend Micro said. “As a result, in most of the victim systems, no further post-exposure activity was observed. When analyzed, the attacker inspected the victim’s environment and used Visual Studio Code to establish the tunnel.”

Interestingly, there is evidence that Toshis has also been distributed through phishing websites, possibly in connection with a spear-phishing campaign targeting East Asia, as well as Norway and the US. The observed phishing attacks employ two broad approaches:

  • fake login pages, using free-coupon lures or lures tied to PDF readers, that redirect victims into granting OAuth consent to attacker-controlled apps; or
  • fake cloud storage pages mimicking Tencent Cloud StrayLink that download malicious ZIP archives containing Toshis.

These phishing emails carry booby-trapped URLs and decoy documents that trick recipients into interacting with malicious content, ultimately triggering a multi-stage attack sequence that drops Toshis via DLL side-loading.

Trend Micro said Taoth shares infrastructure and tooling with previously documented threat activity reported by ITOCHU, painting the picture of a persistent threat actor focused on reconnaissance, espionage, and email abuse.

To counter these threats, organizations are advised to routinely audit their environments for end-of-support software and to quickly remove or replace such applications. Users are advised to check the permissions requested by a cloud application before granting it access.

“In the Sogou Zhuyin operation, the threat actors maintained a low profile and conducted reconnaissance to identify valuable targets among the victims,” the company said. “On the other hand, during the ongoing spear phishing operation, the attackers distributed malicious emails to the targets for further exploitation.”
