
A Chinese-aligned threat actor codenamed UTA0388 is believed to be involved in a series of spear-phishing campaigns targeting North America, Asia, and Europe aimed at delivering a Go-based implant known as GOVERSHELL.
“The campaign initially observed was tailored to targets, with messages purportedly sent by senior researchers and analysts at organizations that sounded legitimate but were completely fabricated,” Volexity said in a report on Wednesday. “The goal of these spear-phishing campaigns was to socially engineer targets into clicking on a link that directed them to a remotely hosted archive containing a malicious payload.”
Since then, the attackers are said to have used a variety of lures and fictitious identities across multiple languages, including English, Chinese, Japanese, French, and German.
Early campaigns embedded links to phishing content hosted on cloud-based services or attacker-controlled infrastructure, which in some cases led to the deployment of malware. Subsequent waves, however, are described as “highly orchestrated”, with the attackers taking time to build trust with recipients before sending the link, a technique known as trust-building phishing.

Regardless of the approach used, the link leads to a ZIP or RAR archive containing a malicious DLL payload that is launched using DLL sideloading. The payload is an actively developed backdoor called GOVERSHELL. It’s worth noting that this activity overlaps with a cluster tracked by Proofpoint under the name UNK_DropPitch. Volexity characterizes GOVERSHELL as a successor to a C++ malware family called HealthKick.

To date, five different variants of GOVERSHELL have been identified:
- HealthKick (first seen in April 2025), which can run commands using cmd.exe
- TE32 (first seen in June 2025), which can run commands directly via a PowerShell reverse shell
- TE64 (first seen in early July 2025), which uses PowerShell to run native and dynamic commands, retrieve system information and the current system time, and run commands via powershell.exe
- WebSockets (first seen in mid-July 2025), which can execute commands and poll an external server over WebSockets for new instructions; it can run PowerShell commands via powershell.exe and carries an unimplemented “update” subcommand as part of its system command
- Beacon (first seen in September 2025), which can run native and dynamic commands to set and randomize its basic polling interval, or run PowerShell commands via powershell.exe
Legitimate services abused to stage the archive files include Netlify, Sync, and OneDrive, while the email messages were sent from Proton Mail, Microsoft Outlook, and Gmail accounts.
What’s notable about UTA0388’s tradecraft is its use of OpenAI’s ChatGPT to generate content for phishing campaigns in English, Chinese, and Japanese, to facilitate malicious workflows, and to look up information about installing open-source tools such as nuclei and fscan, as the AI company disclosed earlier this week. The ChatGPT account used by the threat actor was subsequently banned.
According to Volexity, the use of large language models (LLMs) to scale the operation is evidenced by the pervasive fabrications in the phishing emails, from the persona used to send each message to the overall lack of consistency in the message content itself.
“The targeting of this campaign is consistent with threat actors interested in geopolitical issues in Asia, with a particular focus on Taiwan,” the company added. “From the emails and files used in this campaign, Volexity assesses with medium confidence that UTA0388 utilized automation (such as LLMs) to generate and send this content to its targets, in some cases with little or no human oversight.”

The disclosure comes as StrikeReady Labs reported that a suspected China-linked cyber espionage operation is targeting the Serbian government’s aviation sector, as well as other European institutions in Hungary, Belgium, Italy, and the Netherlands.
The campaign, identified in late September, sends phishing emails containing links that, when clicked, redirect victims to a fake Cloudflare CAPTCHA verification page and download a ZIP archive. Inside is a Windows Shortcut (LNK) file that runs a PowerShell script which opens a decoy document and covertly launches PlugX via DLL sideloading.
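As an added example, not taken from Volexity’s or StrikeReady’s reporting, the following Python triages a downloaded ZIP archive for the two delivery patterns described in this article: a DLL staged beside an executable for sideloading, and an LNK file placed at the archive root. The sample archive, every file name in it, and the header-only PE/LNK checks are constructed placeholders for illustration, not indicators from either report.

```python
import io
import zipfile
from pathlib import PurePosixPath


def build_sample_archive() -> bytes:
    """Constructed ZIP mimicking the described lure: EXE + DLL pair, decoy, LNK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/Viewer.exe", b"MZ" + b"\x00" * 62)    # fake PE stub (placeholder)
        zf.writestr("report/version.dll", b"MZ" + b"\x00" * 62)   # fake PE stub (placeholder)
        zf.writestr("report/Agenda.pdf", b"%PDF-1.4 decoy")        # benign-looking decoy
        zf.writestr("Invitation.lnk", b"L\x00\x00\x00" + b"\x00" * 16)  # ShellLink header size 0x4C
    return buf.getvalue()


def triage_archive(data: bytes) -> list:
    """Return findings for an EXE+DLL sideloading pair, LNK entries, and mislabelled PE files."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [PurePosixPath(n) for n in zf.namelist() if not n.endswith("/")]
        # Group files by directory: a sideloaded DLL must sit next to the host EXE.
        by_dir = {}
        for p in entries:
            by_dir.setdefault(str(p.parent), []).append(p)
        for d, paths in by_dir.items():
            exes = [p for p in paths if p.suffix.lower() == ".exe"]
            dlls = [p for p in paths if p.suffix.lower() == ".dll"]
            if exes and dlls:
                names = ", ".join(p.name for p in dlls)
                findings.append(f"sideload-pair: {exes[0].name} + {names} in {d}")
        for p in entries:
            if p.suffix.lower() == ".lnk":
                findings.append(f"lnk-at-entry: {p}")
            # Flag PE images hiding behind a non-executable extension.
            with zf.open(str(p)) as f:
                if f.read(2) == b"MZ" and p.suffix.lower() not in (".exe", ".dll"):
                    findings.append(f"pe-with-odd-extension: {p}")
    return findings


if __name__ == "__main__":
    for line in triage_archive(build_sample_archive()):
        print(line)
```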