{
	"id": "23be1e08-4146-41df-b198-a9a10ed99fe4",
	"created_at": "2026-04-06T00:06:56.289059Z",
	"updated_at": "2026-04-10T03:37:00.544587Z",
	"deleted_at": null,
	"sha1_hash": "883c750f13689fb8f7e7bcf7fe4b96705f558290",
	"title": "APT Meets GPT: Targeted Operations with Untamed LLMs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 954729,
	"plain_text": "APT Meets GPT: Targeted Operations with Untamed LLMs\r\nBy Steven Adair\r\nPublished: 2025-10-08 · Archived: 2026-04-05 16:56:07 UTC\r\nStarting in June 2025, Volexity detected a series of spear phishing campaigns targeting several customers and their\r\nusers in North America, Asia, and Europe. The initially observed campaigns were tailored to the targets, and the\r\nmessages purported to be sent by senior researchers and analysts from legitimate-sounding, completely fabricated\r\norganizations. The goal of these spear phishing campaigns was to socially engineer targets into clicking links that\r\nled to a remotely hosted archive containing a malicious payload. Volexity tracks the threat actor behind these\r\ncampaigns under the alias UTA0388 and assesses with a high degree of confidence that this is a China-aligned\r\nthreat actor. This assessment is based both on technical artifacts and the targeting profile of the campaigns.\r\nOver the course of three months, Volexity observed UTA0388 using various themes and fictional identities across\r\ndozens of spear phishing campaigns. As time passed, Volexity observed UTA0388 broaden their targeting and\r\nsend emails in a variety of different languages, including English, Chinese, Japanese, French, and German. In\r\nmost cases, the initial email sent by UTA0388 contained a link to phishing content hosted on a cloud-based\r\nservice that would lead to malware. In a limited set of cases, Volexity observed UTA0388 hosting malware on\r\ntheir own servers. Once the initial and broader campaigns subsided, Volexity further observed multiple instances\r\nof highly tailored spear phishing against organizations where UTA0388 did not send a link to malware, at first.\r\nInstead they engaged the target in conversation, and only after corresponding over the course of several emails\r\nwould a malicious phishing link be sent. 
Volexity refers to this overall technique as “rapport-building phishing”.\r\nIn all observed cases, UTA0388 sent a link leading to a ZIP or RAR archive file. Inside this file would be a\r\nlegitimate executable that was given a filename relevant to the targeted organization or tied to the theme of the\r\nspear phish email. When executed, this legitimate executable would load a malicious payload in an included\r\nDynamic Link Library (DLL) via search order hijacking, which provided operators with the ability to remotely\r\nexecute commands on infected devices. Volexity tracks the deployed payload as GOVERSHELL and has\r\nobserved five distinct variants of this malware family. Volexity assesses with high confidence that GOVERSHELL\r\nis used exclusively by UTA0388 and is still actively being developed at the time of writing.\r\nThis blog post outlines technical details of various UTA0388 campaigns, and the evidence that led Volexity to\r\nassess with a high degree of confidence that UTA0388 employs Large Language Models (LLMs) to assist with\r\ntheir operations. Such an assessment can be difficult to credibly make, as no single data point can provide\r\nconclusive evidence of LLM usage. However, the aggregate evidence across UTA0388’s campaigns, including\r\nnonsensical decisions made, the campaign tempo, and the sheer variety of campaigns supports this assessment.\r\nSince Volexity’s initial research, and just prior to publishing this blog post, OpenAI published a report called\r\nOctober 2025 Disrupting malicious uses of AI: an update. 
That report confirms Volexity’s suppositions that\r\nUTA0388 leveraged OpenAI’s ChatGPT platform for several components of their spear phishing and malware\r\ndevelopment operations.\r\nhttps://www.volexity.com/blog/2025/10/08/apt-meets-gpt-targeted-operations-with-untamed-llms/\r\nPage 1 of 15\n\nVolexity notes that UTA0388 is the same actor that Proofpoint tracks as “UNK_DropPitch”, as described in a blog\r\npost published on July 16, 2025. That report described a malware family called “HealthKick”, which is the earliest\r\nobserved variant of what Volexity calls GOVERSHELL. Volexity also observed overlap in command-and-control\r\n(C2) infrastructure, and at least one sending email address from Proofpoint’s reporting as well.\r\nTechnical Details\r\nSpear Phishing Campaigns\r\nBased on Volexity’s visibility, UTA0388’s primary and sole method for targeting organizations is by conducting\r\nspear phishing campaigns. Between June and August 2025, UTA0388 sent phishing emails containing HTML that\r\nincluded an image to make it appear a document was attached to the email. If the image were clicked, it led to the\r\ndownload of a remotely hosted archive file. Users would then need to open and execute the executable file within\r\nthe archive in order to become infected. An example body from one such email is included below.\r\nIn this example, what appeared to be an attached PDF was included with the email message body. 
However, this was an\r\nimage that was hyperlinked to the following URL:\r\nhttps://aesthetic-donut-1af43s2.netlify[.]app/file/rar\r\nVisiting the URL would result in a 302 redirect to a RAR file at the following URL:\r\nhttps://aesthetic-donut-1af43s2.netlify[.]app/index/file/A_Introduction_Docs_v00546823.rar\r\nVolexity observed several campaigns using different subdomains under the domain netlify.app, and the URL\r\nwould vary between /file/rar and /file/zip. Each of the hostnames that UTA0388 used would support both\r\nendpoints and serve up both RAR and ZIP archives containing the same malicious files. UTA0388 would often\r\nuse the same sending email address, but vary the “friendly name” and identity used in the actual email body. In the\r\nabove example, an immediate series of mismatches is obvious, with the left-hand side of the email containing\r\n“Amelia_Chavez_Y”, while the friendly name displayed “Elliot H Alderson” and the identity in the message body\r\nbeing “James Wilson”. These mismatches were consistently seen throughout the campaigns where phishing links\r\nwere sent in the initial email.\r\nBeginning in August 2025, Volexity observed UTA0388 alter their approach, using rapport-building phishing.\r\nThey would first contact targets with no malicious content, and only later deliver malicious content if the user\r\nreplied. Based on Volexity’s visibility, this approach is increasingly popular amongst a variety of different threat\r\nactors, serving to only risk exposing the threat actor’s infrastructure and malware if a user has positively engaged\r\nin benign conversation first.\r\nPhishing emails sent by UTA0388 that were observed by Volexity have all been sent from webmail providers that\r\ninclude ProtonMail, Outlook, and Gmail. 
Throughout June and July 2025, UTA0388 made use of Netlify to host\r\ntheir malicious RAR and ZIP archives, but they then diversified to use Sync, OneDrive, and their own domains\r\nnot long after.\r\nThe remotely hosted archives are a mixture of RAR and ZIP formats containing at least one benign executable, a\r\nmalicious Dynamic Link Library (DLL), and sometimes other superfluous files. The benign executable is always\r\nnamed to appear as though it were a legitimate document file. An example folder structure is shown below:\r\n\\Directory\r\n│ 2025 Important Documents and Materials.exe\r\n│\r\n└───lib (hidden directory)\r\n te64.dll\r\nIf the user runs the executable file, search order hijacking ensures the malicious DLL (\\lib\\te64.dll) placed\r\nalongside it is loaded. This would result in the end user’s system being compromised with a variant of UTA0388’s\r\nGOVERSHELL backdoor. This attack path is summarized in the image below.\r\nGOVERSHELL\r\nAt the time of writing, Volexity has identified five distinct variants of the GOVERSHELL malware family.\r\nThroughout various campaigns Volexity observed active changes in the malware, with significant differences in\r\nhow the malware communicated and functioned. All variants observed by Volexity make use of a scheduled task\r\nfor persistence and provide the operator the ability to execute arbitrary commands on the target’s device. 
With the\r\nexception of the first variant, all GOVERSHELL implants were DLL files that were loaded via search order\r\nhijacking from the legitimate 32- or 64-bit version of an open-source project called Tablacus\r\nExplorer.\r\nEach variant of GOVERSHELL sets up persistence via a scheduled task on its first execution and includes a\r\ncommand-line flag in that persistence execution, which is required to execute the logic that includes C2\r\ncommunication. If the flag is not present, the malware assumes it has been run for the first time, sets up\r\npersistence, and then exits. This has a potential side effect of evading sandbox dynamic detections, as the actual\r\nC2 traffic will not occur upon initial execution.\r\nA high-level overview of some of the most notable differences in the GOVERSHELL variants is provided in the\r\ntable below:\r\nVariant | First Observed | C2 Comms | Command Execution | Language\r\n1. Early (aka HealthKick) | April 2025 | Fake TLS (Double header) to Port 465, XOR Encoded | CMD Reverse Shell | C++\r\n2. TE32 | June 2025 | Fake TLS to Port 443, AES | PowerShell Reverse Shell | Golang\r\n3. TE64 | Early July 2025 | HTTPS POST, Poll C2 for Commands, JSON Format | PowerShell + Predefined Commands | Golang\r\n4. WebSocket | Mid July 2025 | WebSockets, AES, Command Task Queue Model | PowerShell + Partially Implemented Commands | Golang\r\n5. Beacon | September 2025 | HTTPS GET, B64 encoded, Jitter, Sleep | PowerShell + Predefined commands | Golang\r\nThe subsections that follow include more detail for each of the observed variants.\r\nGOVERSHELL Variant 1 (Early)\r\nCapabilities\r\nCan execute commands directly on the Windows command prompt (cmd.exe /c \u003ccommand\u003e).\r\nPersistence\r\nIt checks for the presence of the -run command-line argument; if this is not present, it will set up persistence\r\nand exit. The malware is first copied to the following persistence location:\r\nC:\\ProgramData\\{RANDOM_DIR_8_CHAR}.\r\nA scheduled task named SystemHealthMonitor is created and set to run every five minutes via the\r\nfollowing command:\r\nschtasks.exe /Create /TN \"%hs\" /TR \"\\\"%s\\\" -run\" /SC MINUTE /MO 5 /F\r\nThis sample uses a legitimate binary named adobe_licensing_wf_helper.exe to perform search order\r\nhijacking in order to load malicious code via the file libcef.dll.\r\nC2 Communication\r\nThis GOVERSHELL variant attempts to blend in with legitimate network traffic by wrapping its C2\r\ncommunication with a TLSv1.2 header. However, likely by mistake, this is done twice. The traffic is\r\nformatted as follows:\r\n(17 03 03 [LEN WORD] (17 03 03 [LEN WORD] (Encoded payload)))\r\nThere is no authentication with the C2 server for this variant. The payload, however, is encoded using a\r\ncustom encoding function with the key mysecretkey.\r\nGOVERSHELL Variant 2 (TE32)\r\nCapabilities\r\nCan execute commands directly via a PowerShell reverse shell.\r\nPersistence\r\nIt checks for the presence of the cuVn command-line argument. If this is not present, it will set up\r\npersistence and exit. 
The malware is first copied to the following persistence location:\r\nC:\\ProgramData\\{RANDOM_DIR_8_CHAR}.\r\nPersistence is then achieved through a scheduled task named MyGoTask, which is created through\r\nthe Windows COM interface. The scheduled task is set to run the malware with the cuVn command-line\r\nargument every 15 minutes.\r\nThis sample is loaded via search order hijacking through the 32-bit version of Tablacus Explorer via a file\r\nnamed te32.dll located in a directory named lib.\r\nC2 Communication\r\nThis variant attempts to blend in with legitimate network traffic by wrapping its C2 communications with a\r\nTLSv1.2 header and encrypts its content with the AES (CFB) cipher. The AES key used is\r\nsupersecretkey16. This sample eliminates the second TLSv1.2 header found in Variant 1.\r\nThe malware’s AES cipher is initialized with a randomly generated 16-byte IV. This value is sent to the C2\r\nin plain text along with an Authentication packet consisting of the byte 0x01 followed by the C2 password\r\nyour_secure_password. This is done such that the C2 can authenticate the malware and set up its own AES\r\ncipher.\r\nGOVERSHELL Variant 3 (TE64)\r\nCapabilities\r\nSupports multiple native and dynamic command execution via PowerShell. The malware expects the\r\nfollowing commands:\r\nbuiltin\r\nData that follows is passed to powershell.exe -NoProfile -Command \u003ccommand\u003e\r\ntime\r\nGet the formatted current time on the victim’s machine\r\nExample: “2006-01-02 15:04:05”\r\nsysinfo\r\nRetrieve the following information about the victim’s machine:\r\nOS\r\nCPU Architecture\r\nNumber of CPU cores\r\nHostname\r\ninterval\r\nSet the malware polling rate in seconds\r\nPersistence\r\nIt checks for the presence of the cuVn command-line argument. If this is not present, it will set up persistence\r\nand exit. 
The malware is first copied to the following persistence location:\r\nC:\\ProgramData\\{RANDOM_DIR_8_CHAR}\r\nPersistence is then achieved through a scheduled task named MyGoTask, which is created through\r\nthe Windows COM interface. The scheduled task is set to run the malware with the cuVn command-line\r\nargument every 15 minutes.\r\nThis sample is loaded via search order hijacking through the 64-bit version of Tablacus Explorer via a file\r\nnamed te64.dll located in a directory named lib.\r\nC2 Communication\r\nThe malware polls the C2 over HTTPS at a regular interval (default is 10 seconds) to obtain the command\r\nto execute. Once the configured interval has elapsed, the malware sends an HTTP GET request to the\r\nfollowing URL:\r\n/fgbwwezskdfbeadgalidegsdfhfhaWhatHappenedTask?fgbwwezskdfbeadgalidegsdfhfhaclient_id=%s\r\nIf the C2 accepts the malware’s command request, it returns JSON data (application/json) which will be\r\nparsed as a te64_payload_Task structure:\r\nstruct te64_payload_Task // sizeof=0x48\r\n{\r\n    string ID;        // The ID of the current task.\r\n    string Command;   // The command to execute.\r\n    string ClientID;  // The victim's IP address.\r\n    time_Time Time;   // The timestamp when the task was sent.\r\n};\r\nThe contents of Command are parsed and run based on what is described in the Capabilities section above.\r\nThe result of the command’s execution is then formatted as JSON data (application/json) from the\r\nfollowing structure:\r\nstruct te64_payload_Result // sizeof=0x58\r\n{\r\n    string TaskID;        // The ID of the current task.\r\n    string ClientID;      // The victim's IP address.\r\n    string Output;        // The command's output.\r\n    string Error;         // The command's error output.\r\n    time_Time Timestamp;  // The timestamp when the task was run.\r\n};\r\nThe resulting JSON data is sent to the C2 with an HTTP POST request to the 
following URL:\r\n/fgbwwezskdfbeadgalidegsdfhfhaWhatCanIdoResult\r\nGOVERSHELL Variant 4 (WebSocket)\r\nCapabilities\r\nSupports two native commands that allow for execution via PowerShell or a further command subsystem\r\nwhich was not fully implemented in the samples Volexity analyzed. The following commands were\r\nsupported:\r\nsystem\r\nSupports the sub-command update, which is unimplemented\r\ncommand\r\nRun a PowerShell command via powershell.exe -NoProfile -Command \u003ccommand\u003e\r\nPersistence\r\nIt checks for the presence of the cuVn command-line argument. If this is not present, it will set up\r\npersistence and exit. The malware is first copied to the following persistence location:\r\nC:\\ProgramData\\{RANDOM_DIR_8_CHAR}.\r\nPersistence is then achieved through a scheduled task named MyGoTask or UPnPHostUpdater, which is\r\ncreated through the Windows COM interface. The scheduled task is set to run the malware with the cuVn\r\ncommand-line argument every 15 minutes.\r\nThis sample is loaded via search order hijacking through the 64-bit version of Tablacus Explorer via a file\r\nnamed te64.dll located in a directory named lib.\r\nC2 Communication\r\nThe malware connects to the C2 over WebSocket and communicates with the C2 using JSON encoded data\r\nthat is encrypted with the AES (GCM) cipher using a dynamically established session key.\r\nWhen connecting to the C2, the malware waits for a message of type key_exch that contains the session\r\nkey in the session field, which is encrypted with AES (GCM) under the malware’s master key. The master key\r\nused varies per sample. 
Further exchanges are then encrypted using the established session key.\r\nThe following is a list of the observed master keys:\r\ntopIBApru76wra8REBrIb1it52H6B9Ap\r\n626bmcGzKuKfRvk4hW4pM3g70Q8XyBsq\r\nnO3esWO4ucaCHLxayeblswO5iTRL37Ab\r\nThe malware registers the victim’s device with the C2. To do so it generates two IDs:\r\nThe AgentID\r\nMD5 of {hostname}-{mac address}-{os name}-{CPU architecture} with format\r\nFFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF.\r\nThe HostID\r\nBase64-encoded BCrypt hash of {HostName}{MAC Addr}{Boot time}\r\nBoth IDs are then sent to the C2, along with the device’s metadata and a Base64-encoded 16-byte nonce.\r\nThis registration message has the following JSON format:\r\n{\"id\": \"\u003cAgentID\u003e\",\"host_id\": \"\u003cHostId\u003e\",\"metadata\": {\"Hostname\": \"…\",\"OS\":\r\n\"…\",\"Arch\": \"…\",\"Username\": \"…\",\"IP\": \"…\",},\"nonce\": \"\u003cBase64 16 Byte nonce\u003e\"}\r\nGOVERSHELL Variant 5 (Beacon)\r\nCapabilities\r\nSupports multiple native and dynamic command execution via PowerShell. 
The malware expects the\r\nfollowing commands:\r\nbuiltin\r\nData that follows is passed to powershell.exe -NoProfile -Command \u003ccommand\u003e\r\ncheckin\r\nTriggers “instant checking”\r\nAffects te64_payload_immediateCheckin\r\nEffect: Next sleep delay is zero (0) seconds\r\njitter\r\nUsage: jitter \u003c0-100\u003e %\r\nSets the jitter percentage\r\nAffects te64_payload_jitterPercent\r\nEffect: Set how much the base sleep delay should be randomized\r\nsleep\r\nUsage: sleep \u003cseconds\u003e\r\nThe value ranges from 0 to 599800\r\nAffects te64_payload_sleepTime\r\nEffect: Set the base sleep delay (the delay between two client C2 requests, jittered for stealth)\r\nAdditional GOVERSHELL Observations\r\nOne GOVERSHELL sample obtained from a mid-June 2025 phishing campaign contains a string referencing a\r\nfolder path from the developer’s device that contains Simplified Chinese characters:\r\nC:\\Users\\Dev\\Desktop\\20250608新码\\lib\\te64\\. The machine translation of these characters is “new code”. Other\r\ndeveloper paths observed in additional GOVERSHELL samples suggest there is more than one system being used\r\nto develop the malware. However, this was the only sample whose path included Simplified Chinese characters.\r\nSimilarly, the WebSocket variant (Variant 4) of GOVERSHELL contains log statements in Chinese characters,\r\nwhile other variants have these statements in English.\r\nThe number of rewrites of the network stack of the GOVERSHELL malware family could be a data point that\r\nsupports the case for LLM usage, a case made later in this blog post. The development of GOVERSHELL does\r\nnot appear to have been iterative, which is the pattern commonly observed in human development. 
Instead, each\r\nvariant implements a new communication method, new capabilities, and rewrites of how basic functionality works\r\n(such as how a command should be executed).\r\nInfrastructure\r\nAs the GOVERSHELL network stack has changed over time, so has the related C2 infrastructure. C2 was\r\ntypically direct-to-IP until mid-July 2025, after which the threat actor switched to using DNS names and domains\r\nUTA0388 had registered. Domains used by UTA0388 for GOVERSHELL are named in the following ways:\r\nReferences to Taiwan, such as moctw[.]info and twmoc[.]info\r\nImpersonations of large organizations or legitimate-sounding services, such as cdn-apple[.]info, azure-app[.]store, doccloude[.]info, sliddeshare[.]online, and windows-app[.]store\r\nUTA0388 domains are consistently registered and hosted behind Cloudflare. The C2 servers for the WebSocket\r\nvariant have a default response showing “Secure C2 Server is running”. A screenshot of Censys Platform’s record\r\nof this is shown below:\r\nA Case for Identification of LLM Usage\r\nBefore discussing UTA0388’s potential LLM usage, it is important to understand how LLMs generate their\r\noutput, and therefore how use of LLMs might be identified. A brief primer on this is provided in the Appendix.\r\nFabrications and Nonsensical Usage\r\nThis section gives examples of fabrications and nonsensical usage that may suggest LLM usage.\r\nEmails\r\nUTA0388 impersonates multiple entities in their phishing emails, but many of these entities are fabrications rather\r\nthan impersonations of real-world personas. An example of this is shown in the following screenshot of the\r\nsignature block from a spear phishing message sent by UTA0388. Neither “Copenhagen Governance Institute” nor\r\n“Dr. 
Michael Andersen” are real entities.\r\nThe phone number includes “3 45 67 89,” a sequential pattern that suggests fabrication. The PGP key identifier\r\nintermingles “1234” and “ABCD” patterns, which is another clue that this was fabricated. Use of predictable\r\npatterns for values like these is an inherent trait of LLM-generated output.\r\nIn several emails, the domains used in the email signatures were fabricated domains that do not exist or otherwise\r\ndo not have MX records or any active DNS resolutions, and therefore would not be able to receive email. One\r\nexample is researchanalytics.co[.]uk. It could be argued this is a human decision to add legitimacy to the\r\nphishing email; however, in Volexity’s experience, the inclusion of a non-existent domain for this is extremely\r\nrare; more commonly, a legitimate and related domain is included. This tactic was used by UTA0388 in some of\r\ntheir most recent phishing emails, with the first email containing no malicious content and only subsequent replies\r\ncontaining the malicious links to archives. It is Volexity’s view that the inclusion of a fabricated domain is\r\nreflective of an LLM’s propensity to fabricate information.\r\nLater, in one of UTA0388’s campaigns, the use of friendly names in other emails became more atypical and included\r\npornographic references, like the following two examples:\r\nporndude2025 \u003cLaurenBlackwell3278@proton.me\u003e\r\npornhublis \u003cLaurenBlackwell3278@proton.me\u003e\r\nThe use of fabricated personas and details is not necessarily proof of LLM usage; threat actors commonly\r\nfabricate details. However, it is usually observed as part of low-effort phishing operations that have similarly low-effort email body content, which was not the case with UTA0388. 
This contributes towards a picture of\r\nnonsensical usage, especially when factoring in details like the friendly names, which seem implausible for a\r\nserious human operator.\r\nEaster Eggs\r\nUTA0388 campaigns were consistent in delivery of archive files containing a benign executable and a malicious\r\nGOVERSHELL payload in the form of a DLL found within a folder named lib. These files generally had names that\r\nwould appear to be a legitimate document file and had themes focused on Asian geopolitical issues. However, in\r\nseveral instances, additional files were included in these archives. The additional files were not used as decoys to\r\ndisplay to users, nor did they serve any purpose in the malware’s operation.\r\nThe first odd file inclusion was a pornographic image that was modified to include brightly colored lines drawn\r\nover the image. The lines spelled out some text over the image: “TES”, “XWX”, and “NO”. Volexity observed\r\nmultiple other instances of pornographic media being included in the archives by UTA0388. In another instance, a\r\nfile named “Meeting-Cooperation introduction video by Jun 30.pdf” was included in the archive within the lib\r\nfolder. This file was actually a 53 MB MPEG-4 file that contained pornographic content. In another case, a hidden\r\nfile had a name that was a long Base64-encoded string that decoded to “I am the sun from Korea, shining at 1000\r\ndegrees to burn you all!”\r\nIn several archives, the threat actor included a waveform audio file (WAV) that is a recording of the reading of the\r\nNīlakaṇṭha Dhāraṇī, a religious recitation that is popular in the Chinese form of Mahayana Buddhism. There were\r\nalso several text files included in the archives, one of which just contained the text “no!can i help me%”. 
And\r\nfinally, in some archives the threat actor included the same benign executable multiple times with different names.\r\nThere is no functional reason for this inclusion, as duplicate instances do not change the execution of the final\r\npayload.\r\nVolexity cannot suggest a clear reason for a human to include the additional files mentioned in this section. Their\r\ninclusion appears to be nonsensical and counterproductive for the success of the campaign, as odd files are more\r\nlikely to raise suspicion among targets. At the same time, these files were not designed to be seen by the recipient\r\nand were often, but not always, in the hidden lib folder. It is possible these files served as either intentional or\r\nunintentional “Easter eggs”.\r\nLack of Coherence\r\nVolexity identified more than 50 unique phishing emails sent by UTA0388. In addition to emails written in\r\nEnglish, Volexity also observed emails written in Chinese (Mandarin), German, French, and Japanese. Each\r\ncontained target-specific text, was of reasonable length, did not follow a consistent template, and appeared to be\r\nin fluent natural-sounding language. Fluent crafting of emails in a wide variety of languages is unusual in a\r\nsingle campaign due to the language skills required by the humans crafting them, and the introduction of errors or\r\nawkward phrasing that can occur when using direct machine translations.\r\nThe fluency of the language in the emails was not reflected in the coherence of their use. For example, Volexity\r\nobserved an email sent to an English-speaking target that was supposedly sent from an American persona, but the\r\nemail had a subject line in Mandarin and a German message body. Another email was sent to a European target\r\npurportedly from a Spanish-speaking author but written in Japanese. 
It is not unheard of for threat actors to send\r\npoorly tailored phishes or emails to the wrong targets by accident; however, this campaign consistently lacked\r\ncoherence in a way that is more suggestive of context-unaware automation.\r\nThis lack of coherence was also reflected in persona use, such as the example below; note the following:\r\nThe email “friendly name” of GeoffreyLewisMD3850\r\nAn email address of ChristopherDelgado5328@proton.me\r\nThe introduction and email signature of Michael Brown\r\nThe use of three personas in a single email does not align with human patterns, where a single persona is typically\r\nused in order to appear legitimate. Humans do make mistakes, and so more than one may be used accidentally\r\nwhen using a template or not creating new email accounts for different targets. However, the use of three different\r\npersonas becomes less likely without some kind of automated input. This was also observed repeatedly, which\r\nsuggests context-unaware automation rather than manual curation. The example email above also provides a fake\r\nphone number (starting with “555” after the area code) and invites the recipient to contact them using that number.\r\nThe domain used in the email, globalsolutionsinc[.]com, is actually registered. However, it is just a parked website\r\nand does not have an MX record or accept email at the A records returned for the domain. In short, there would be\r\nno way to contact “Michael Brown” at the means specified in the email.\r\nIn terms of targeting, the majority of the phishing emails observed by Volexity were sent to addresses that were\r\nidentified as being visible on publicly accessible webpages. 
This is not out of the ordinary; however, in several\r\ninstances the attacker sent phishing emails to addresses that were clearly example data illustrating an email format and not\r\nreal email addresses, e.g., first.last@\u003cdomain\u003e. This could be a human mistake, but a known shortcoming of\r\nLLMs is their inability to understand the context of the data they are processing. Other targeted emails included a\r\nwebmaster address, group contact addresses (such as info@domain), individuals no longer working at the target\r\norganization, and the email address of a podcast, all of which were available online. This pattern suggests\r\nautomation, LLM or otherwise, that is not fully context aware.\r\nOther incoherent details in the phishing emails included the following artifacts:\r\nWrong day/date combinations\r\nAsking to be contacted by phone without providing a number\r\nNon-existent departments at real institutions\r\nWrong names for targets\r\nOverall, the phishing campaigns often lack coherence and contain multiple errors of a nature that lead Volexity to\r\nassess with a high degree of confidence that the threat actor used an LLM to craft the phishing emails in this\r\ncampaign, with little oversight of whether the output was plausible or not.\r\nTechnical Artifacts\r\nIn a later phishing email the threat actor provided a link to an archive that contained the usual benign binary and\r\nGOVERSHELL DLL, as well as a benign Microsoft Word document file. This document contained metadata that\r\nindicated it had been created using python-docx, an open-source Python library. This library is documented online\r\nas being used by multiple LLMs to generate Word documents. 
This is not conclusive evidence of usage of these\r\nplatforms but is another data point that supports the assessment that UTA0388 makes use of LLMs in their\r\noperations.\r\nConclusion\r\nThe evidence presented in this blog post provides insight into a persistent and active threat actor that conducts\r\nphishing campaigns using a single, if ever-changing, malware family. The targeting profile of the campaign is\r\nconsistent with a threat actor interested in Asian geopolitical issues, with a special focus on Taiwan. When\r\ncombined with several technical artifacts that indicate the author of GOVERSHELL uses Simplified Chinese, this\r\nleads Volexity to assess with a high degree of confidence that UTA0388 operates in the interest of the Chinese\r\nstate. The activity does not significantly overlap with any other existing threat actor that Volexity tracks.\r\nMaking the case for LLM usage by a threat actor can be difficult, as no single data point is conclusive enough to\r\ndefinitively prove its use. Volexity has detailed different aspects of UTA0388’s campaign that illustrate an\r\nincoherent and nonsensical pattern of behavior that would align with LLM usage without oversight. This body of\r\nevidence leads Volexity to assess with a high degree of confidence that UTA0388 used LLMs to support its\r\noperations.\r\nThe emails and files used in this campaign lead Volexity to assess with medium confidence that UTA0388 made\r\nuse of automation, LLM or otherwise, that generated and sent this content to targets with little to no human\r\noversight in some cases. It is not clear if this is agentic AI usage, automation, or just a human operator that did not\r\nreview and correct the outputs. 
The frequency of phishing emails sent through July 2025, where the threat actor was observed sending 26 emails in a three-day period to targets across Volexity’s visibility, also supports the assessment.\r\nVolexity does not have sufficient data to say whether UTA0388’s foray into LLM-powered campaigns has been a success, but the volume of tailored phishing output (even if sometimes in the wrong language) will yield a significant number of opportunities to successfully gain access to targets. UTA0388’s activity appears to have slowed down from its peak in July 2025 but remains a consistent threat. The observed continued development of the GOVERSHELL malware family speaks to intended ongoing activity.\r\nTo detect UTA0388-related activity, Volexity recommends the following:\r\nUse the IOCs listed here.\r\nUse the rules provided here.\r\nSource: https://www.volexity.com/blog/2025/10/08/apt-meets-gpt-targeted-operations-with-untamed-llms/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.volexity.com/blog/2025/10/08/apt-meets-gpt-targeted-operations-with-untamed-llms/"
	],
	"report_names": [
		"apt-meets-gpt-targeted-operations-with-untamed-llms"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5af25e74-ab1e-4b3e-a3f8-c39227d79a2d",
			"created_at": "2025-09-27T02:00:03.95423Z",
			"updated_at": "2026-04-10T02:00:03.889451Z",
			"deleted_at": null,
			"main_name": "UNK_DropPitch",
			"aliases": [],
			"source_name": "MISPGALAXY:UNK_DropPitch",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b93df948-f4c4-459c-8877-5b65c29ce8e5",
			"created_at": "2026-01-23T02:00:03.289868Z",
			"updated_at": "2026-04-10T02:00:03.930135Z",
			"deleted_at": null,
			"main_name": "UTA0388",
			"aliases": [],
			"source_name": "MISPGALAXY:UTA0388",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434016,
	"ts_updated_at": 1775792220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/883c750f13689fb8f7e7bcf7fe4b96705f558290.pdf",
		"text": "https://archive.orkl.eu/883c750f13689fb8f7e7bcf7fe4b96705f558290.txt",
		"img": "https://archive.orkl.eu/883c750f13689fb8f7e7bcf7fe4b96705f558290.jpg"
	}
}
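The report above lists concrete, machine-checkable tells of unreviewed LLM output: recipients that are template placeholders (first.last@<domain>) or generic role mailboxes, weekday/date pairs that do not match, requests for a phone call with no number, and a benign .docx whose metadata points to python-docx. The following Python is an added triage example written for this record; it is not Volexity's tooling and not code from the blog post. The placeholder and role-mailbox patterns, the phrase list for phone requests, and the sample message are constructed assumptions; that python-docx leaves its own name in the core properties (creator/lastModifiedBy) is also an assumption, since the page does not say which metadata field was examined.

```python
"""Triage heuristics for the LLM-authored phishing artifacts described in the report.
Added example, not Volexity's tooling. Patterns and all sample data are constructed."""
import io
import re
import zipfile
from datetime import date
from xml.etree import ElementTree as ET

# Addresses that read as template data rather than a real mailbox (constructed
# patterns modelled on the first.last@<domain> example in the report).
PLACEHOLDER_RE = re.compile(
    r"^(first|firstname)[._]?(last|lastname)@|@<[^>]+>$|@(example|domain)\.(com|org|net|tld)$", re.I)
# Generic mailboxes a context-aware operator would not pick as spear-phishing targets.
ROLE_LOCALPARTS = {"info", "contact", "webmaster", "admin", "office", "press", "podcast"}

WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
DATE_RE = re.compile(
    r"\b(" + "|".join(WEEKDAYS) + r")\s*,?\s+(" + "|".join(MONTHS) + r")\s+(\d{1,2}),?\s+(\d{4})\b", re.I)
PHONE_ASK_RE = re.compile(r"\b(call me|phone|telephone|give me a call)\b", re.I)
PHONE_NUMBER_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def classify_recipient(addr):
    """Return the reasons an address looks like scraped or template data."""
    reasons = []
    local, _, _domain = addr.strip().rpartition("@")
    if PLACEHOLDER_RE.search(addr.strip()):
        reasons.append("placeholder address")
    if local.lower() in ROLE_LOCALPARTS:
        reasons.append("role/group mailbox")
    return reasons


def weekday_mismatch(text):
    """Find 'Weekday, Month D, YYYY' mentions whose weekday does not match the date."""
    bad = []
    for m in DATE_RE.finditer(text):
        weekday, month, day, year = m.groups()
        try:
            actual = date(int(year), MONTHS.index(month.lower()) + 1, int(day))
        except ValueError:
            bad.append((m.group(0), "not a valid calendar date"))
            continue
        real = WEEKDAYS[actual.weekday()]
        if real != weekday.lower():
            bad.append((m.group(0), "actually " + real))
    return bad


def phone_request_without_number(text):
    """True when the mail asks for a phone call but contains no phone number."""
    return bool(PHONE_ASK_RE.search(text)) and PHONE_NUMBER_RE.search(text) is None


def docx_generator_fields(docx_bytes):
    """Pull creator/lastModifiedBy (core.xml) and Application (app.xml) from a .docx."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part, tags in (("docProps/core.xml", ("creator", "lastModifiedBy")),
                           ("docProps/app.xml", ("Application",))):
            if part not in z.namelist():
                continue
            for el in ET.fromstring(z.read(part)).iter():
                tag = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace
                if tag in tags and el.text:
                    found[tag] = el.text.strip()
    return found


def looks_python_docx(fields):
    """Assumption: python-docx leaves its own name in the core properties it writes."""
    return any("python-docx" in v.lower() for v in fields.values())


def build_sample_docx(creator):
    """Build a minimal in-memory .docx with the given creator (constructed fixture)."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            f'<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{creator}</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def triage_email(recipient, body, attachment=None):
    """Collect the incoherence indicators present in one message."""
    findings = ["recipient: " + r for r in classify_recipient(recipient)]
    findings += ["date: %r (%s)" % (snippet, why) for snippet, why in weekday_mismatch(body)]
    if phone_request_without_number(body):
        findings.append("asks for a phone call but gives no number")
    if attachment is not None and looks_python_docx(docx_generator_fields(attachment)):
        findings.append("attachment: docx metadata names python-docx")
    return findings


# Constructed sample message, not a real UTA0388 lure.
SAMPLE_BODY = ("Dear colleague, I would value your views ahead of our panel on "
               "Wednesday, July 15, 2025. Please call me at your convenience.")

if __name__ == "__main__":
    for f in triage_email("first.last@<domain>", SAMPLE_BODY, build_sample_docx("python-docx")):
        print(f)
```

None of these checks is evidence on its own, which matches the report's own caveat: a role mailbox or a python-docx document is common in legitimate mail. The value is in the count of independent incoherences per message, so the function returns the list rather than a verdict and leaves the threshold to the analyst.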