
Taiwan’s semiconductor industry has become the target of spear-phishing campaigns carried out by three Chinese state-sponsored threat actors.
“Targets of these campaigns ranged from organizations involved in the manufacturing, design, and testing of semiconductors and integrated circuits, wider equipment and services supply chain entities within this sector, as well as financial investment analysts specializing in the Taiwanese semiconductor market,” Proofpoint said.
According to the enterprise security company, the activity took place between March and June 2025 and is attributed to three China-aligned activity clusters that it tracks as UNK_FISTBUMP, UNK_DROPPITCH, and UNK_SPARKYCARP.
UNK_FISTBUMP is said to have targeted semiconductor design, packaging, manufacturing, and supply chain organizations in an employment-themed phishing campaign that delivered Voldemort, a custom C-based backdoor that has been used in more than 70 attacks globally.
The attack chain involves the threat actors posing as graduate students in emails sent to recruiting and HR personnel, seeking job opportunities at the targeted companies.

The messages, which may be sent from compromised accounts, include resumes (LNK files posing as PDFs) that, when opened, trigger a multi-stage sequence ending in the deployment of Cobalt Strike or Voldemort. A decoy document is displayed to the victim at the same time to avoid raising suspicion.
Proofpoint attributes the use of Voldemort to a threat actor it tracks as TA415, which overlaps with the prolific Chinese nation-state group known as APT41 and Brass Typhoon. That said, the Voldemort activity linked to UNK_FISTBUMP is assessed as distinct from TA415 owing to differences in the loader used to drop Cobalt Strike and its reliance on a hard-coded IP address for command-and-control (C2).
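The lure works because Windows Explorer hides the .lnk extension by default, so a file named Resume.pdf.lnk is displayed as Resume.pdf. A mail gateway or triage script should therefore judge an attachment by its header rather than its name. The following is an added example, not Proofpoint’s code or a sample from the campaign: it parses the fixed ShellLinkHeader (size 0x4C followed by the ShellLink CLSID) and flags shortcuts whose displayed name ends in a document extension. The archive, its file names and the header bytes are constructed for the example.

```python
"""Triage e-mail attachments for Windows shortcut (.lnk) files posing as PDFs.

Added example (not from Proofpoint's report). The verdict is based on the
file header, because the displayed name is what the attacker controls.
"""
import io
import struct
import zipfile

LNK_HEADER_SIZE = 0x4C
# ShellLinkHeader.LinkCLSID = {00021401-0000-0000-C000-000000000046}, on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LNK_FLAG_HAS_ARGUMENTS = 0x00000020  # LinkFlags bit: a command line follows the target
PDF_MAGIC = b"%PDF-"
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def is_lnk(data: bytes) -> bool:
    """True if data starts with a valid ShellLinkHeader (MS-SHLLINK section 2.1)."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    (header_size,) = struct.unpack_from("<I", data, 0)
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def lnk_has_arguments(data: bytes) -> bool:
    """A shortcut to a real document rarely carries command-line arguments."""
    (flags,) = struct.unpack_from("<I", data, 0x14)
    return bool(flags & LNK_FLAG_HAS_ARGUMENTS)


def displayed_name(filename: str) -> str:
    """What the victim sees in Explorer: a trailing .lnk is hidden by default."""
    return filename[:-4] if filename.lower().endswith(".lnk") else filename


def classify(filename: str, data: bytes) -> str:
    """Verdict for one attachment, judged by header first and displayed name second."""
    shown = displayed_name(filename).lower()
    if is_lnk(data):
        return "lnk_masquerading_as_document" if shown.endswith(DOC_EXTENSIONS) else "lnk"
    if shown.endswith(".pdf"):
        return "pdf" if data.startswith(PDF_MAGIC) else "pdf_extension_without_pdf_header"
    return "other"


def scan_zip(zip_bytes: bytes) -> dict:
    """Classify every member of a ZIP attachment; returns {member_name: verdict}."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdicts[info.filename] = classify(info.filename, zf.read(info))
    return verdicts


def make_lnk_header(flags: int) -> bytes:
    """Constructed 76-byte ShellLinkHeader (header only, enough for triage)."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    return header.ljust(LNK_HEADER_SIZE, b"\x00")


def build_sample_zip() -> bytes:
    """Constructed 'resume' archive: a decoy PDF, a renamed executable, and an LNK posing as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Resume_2025.pdf.lnk", make_lnk_header(LNK_FLAG_HAS_ARGUMENTS))
        zf.writestr("Cover_Letter.pdf", b"%PDF-1.7\n%constructed decoy\n")
        zf.writestr("Portfolio.pdf", b"MZ\x90\x00 not really a pdf")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_zip(build_sample_zip()).items():
        print(f"{name:24} -> {verdict}")
```

The check deliberately does not trust the extension: a shortcut named Resume_2025.pdf.lnk is reported as an LNK masquerading as a document, and a file named Portfolio.pdf whose content is not a PDF is reported separately, since the same gateway rule should catch both tricks.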
UNK_DROPPITCH, meanwhile, has been observed impersonating individuals from several major investment firms, particularly those focused on investment analysis within the Taiwanese semiconductor industry. Phishing emails sent in April and May 2025 embedded links to PDF documents that download a ZIP file containing a malicious DLL payload, which is launched via DLL side-loading.

The rogue DLL is a backdoor codenamed HealthKick that can run commands, capture the results of their execution, and exfiltrate them to a C2 server. Another attack detected in late May 2025 used the same DLL side-loading approach to spawn a TCP reverse shell that connects to an actor-controlled VPS server at 45.141.139[.]222 over TCP port 465.
The reverse shell serves as a conduit for the attackers to perform reconnaissance and discovery and, if the target is deemed of interest, drop Intel Endpoint Management Assistant (EMA) for remote control via a [.]info C2 domain.
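A raw TCP reverse shell on port 465 stands out because that port is normally SMTP over implicit TLS (RFC 8314), so the first bytes a legitimate client sends are a TLS handshake record. The following added example (not Proofpoint’s detection logic) runs two checks over constructed connection records: a match against the reported C2 address, and a check that the first client bytes on port 465 look like a TLS ClientHello. The log format, internal hosts and captured payloads are made up for the example; only the C2 address comes from the report.

```python
"""Flag outbound sessions to the reported C2 and cleartext traffic on TCP/465.

Added example. Assumes a connection log with one record per line:
  <timestamp> <src_ip> <dst_ip> <dst_port> <first_client_payload_as_hex>
The format, hosts and payloads below are constructed, not taken from the campaign.
"""
from dataclasses import dataclass, field

# Indicator from the report, stored defanged and refanged only for comparison.
REPORTED_C2 = {"45.141.139[.]222"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a comparable address."""
    return indicator.replace("[.]", ".")


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """TLS record header: ContentType 0x16 (handshake), version 0x03 0x00..0x03."""
    return (
        len(first_bytes) >= 3
        and first_bytes[0] == 0x16
        and first_bytes[1] == 0x03
        and first_bytes[2] <= 0x03
    )


@dataclass
class Finding:
    src: str
    dst: str
    port: int
    reasons: list = field(default_factory=list)


def parse_record(line: str):
    """Return (src, dst, port, payload) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, src, dst, port, payload_hex = parts
    try:
        return src, dst, int(port), bytes.fromhex(payload_hex)
    except ValueError:
        return None


def triage(lines) -> list:
    """Apply both checks to every record and return the sessions worth a look."""
    c2_ips = {refang(ioc) for ioc in REPORTED_C2}
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        src, dst, port, payload = rec
        reasons = []
        if dst in c2_ips:
            reasons.append("destination is reported C2 address")
        # 465/tcp is SMTP over implicit TLS: a legitimate client's first bytes
        # are a TLS handshake record; a reverse shell's are shell output.
        if port == 465 and not looks_like_tls_client_hello(payload):
            reasons.append("non-TLS first bytes on 465/tcp")
        if reasons:
            findings.append(Finding(src, dst, port, reasons))
    return findings


# Constructed sample: two normal SMTPS sessions, one HTTPS session, one reverse shell,
# and one malformed line that the parser must skip.
SAMPLE_LOG = [
    "2025-05-27T09:12:03Z 10.20.4.17 198.51.100.25 465 16030100c5010000c10303",
    "2025-05-27T09:13:44Z 10.20.4.17 45.141.139.222 465 "
    + b"Microsoft Windows [Version 10.0.19045]\r\n".hex(),
    "2025-05-27T09:14:10Z 10.20.4.31 203.0.113.9 443 16030300a1010000",
    "2025-05-27T09:15:00Z 10.20.4.31 203.0.113.77 465 1603010200010001fc0303",
    "malformed record that should be skipped",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.port}  {'; '.join(f.reasons)}")
```

The protocol check matters more than the address match: the IP will rotate, but a shell speaking cleartext on a port that should only ever carry TLS will look the same on the next server.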
“This UNK_DROPPITCH targeting reflects intelligence collection priorities that span not only design and manufacturing entities but also less obvious areas of the semiconductor ecosystem,” Proofpoint said.
Further analysis of the threat actor’s infrastructure revealed that two of the servers are configured as SoftEther VPN servers, an open-source VPN solution widely used by Chinese hacking groups. Additional links to China come from the reuse of a TLS certificate on the C2 server that has previously been associated with malware families such as MoonBounce and SideWalk (also known as ScrambleCross).

That said, it is unclear whether the reuse stems from a custom malware family shared by multiple China-aligned threat actors, such as SideWalk, or from shared infrastructure provisioning across these groups.
The third cluster, UNK_SPARKYCARP, is characterized by a credential phishing attack singling out an unnamed Taiwanese semiconductor company using a custom adversary-in-the-middle (AitM) kit. The campaign was discovered in March 2025.
“The phishing email spoofed an account login security warning and contained a link to an actor-controlled credential phishing domain [.]com, and a tracking beacon URL for aceSportal[.]com,” Proofpoint added, noting that the threat actor had previously targeted the same company in November 2024.
The company also observed UNK_COLTCENTURY, also known as TAG-100 and Storm-2077, sending benign emails to legal personnel at Taiwanese semiconductor organizations to build trust and ultimately deliver a remote access trojan known as SparkRAT.
“This activity likely reflects China’s strategic priority to achieve semiconductor self-sufficiency and reduce reliance on international supply chains and technologies, particularly in light of US and Taiwanese export controls,” the company said.
“These emerging threat actors continue to demonstrate long-standing targeting patterns consistent with China’s national interests, exhibiting TTPs and custom capabilities historically associated with China-deployed cyber-espionage activity.”
Salt Typhoon Targets US National Guard
The development comes as NBC News reported that Salt Typhoon (aka Earth Estries, GhostEmperor, and UNC2286) breached at least one US state’s National Guard network, signaling an expansion of the Chinese state-sponsored hacking group’s targeting. The intrusion is said to have lasted more than nine months, between March and December 2024.
A June 11, 2025 report from the US Department of Defense (DoD) said the intrusion “likely provided Beijing with data that could facilitate the hacking of Army National Guard units in other states, and possibly state-level cybersecurity partners.”

“Salt Typhoon extensively compromised a US state’s Army National Guard network and, among other things, collected its network configuration and its data traffic with counterpart networks in every other US state and at least four US territories.”
The threat actor also exfiltrated configuration files associated with other US government and critical infrastructure entities, including two state government agencies, between January and March 2024. That same year, Salt Typhoon leveraged its access to the state’s Army National Guard network to collect administrator credentials, network traffic diagrams, a map of geographic locations throughout the state, and the PII of its members.
These network configuration files could enable further computer network exploitation of other networks, including data capture, manipulation of administrator accounts, and lateral movement between networks, the report said.
Initial access is known to have been gained by exploiting known security vulnerabilities in Cisco appliances (CVE-2018-0171 in the Smart Install feature, and CVE-2023-20198 and CVE-2023-20273 in the IOS XE web UI) and Palo Alto Networks appliances (CVE-2024-3400 in PAN-OS GlobalProtect).
“Salt Typhoon’s access to these state Army National Guard networks included information about the state’s cyber defense posture, personally identifiable information (PII), and the locations of state cybersecurity personnel – data that could be used to inform future cyber targeting efforts.”
SOCRadar CISO Ensar Seker said in a statement that the attack is another reminder that sophisticated persistent threat actors are going after not only federal agencies but also state-level components, which may have a more varied security posture.
“The revelation that Salt Typhoon maintained access to a US National Guard network for almost a year is a serious escalation in the cyber domain,” Seker said. “This is not just an opportunistic intrusion; it reflects deliberate, long-term espionage designed to quietly extract strategic intelligence.”
“The group’s persistent presence suggests they were collecting more than just files. They were likely mapping infrastructure, monitoring communication flows, and identifying vulnerabilities that could be exploited for future use. This activity went undetected in a military environment for a very long time.”