{
	"id": "68459b27-0dcb-4a6f-87b7-6e6b374e8260",
	"created_at": "2026-04-06T00:16:22.211743Z",
	"updated_at": "2026-04-10T13:12:09.114475Z",
	"deleted_at": null,
	"sha1_hash": "da9ad35f01ce1e207f4bfff4b3a53190e4fedb8e",
	"title": "Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting  | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3431532,
	"plain_text": "Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan\r\nSemiconductor Industry Targeting | Proofpoint US\r\nBy Mark Kelly and the Proofpoint Threat Research Team, July 16, 2025\r\nPublished: 2025-07-11 · Archived: 2026-04-05 14:58:08 UTC\r\nKey findings\r\nBetween March and June 2025, Proofpoint Threat Research observed three Chinese state-sponsored threat actors\r\nconduct targeted phishing campaigns against the Taiwanese semiconductor industry. In all cases, the motive was most\r\nlikely espionage.\r\nTargets of these campaigns ranged from organizations involved in the manufacturing, design, and testing of\r\nsemiconductors and integrated circuits and wider equipment and services supply chain entities within this sector, to\r\nfinancial investment analysts specializing in the Taiwanese semiconductor market.\r\nThis activity likely reflects China’s strategic priority to achieve semiconductor self-sufficiency and decrease reliance\r\non international supply chains and technologies, particularly in light of US and Taiwanese export controls.\r\nOverview\r\nAnalyst note: Proofpoint uses the UNK_ designator to define clusters of activity that are still developing and have not been\r\nobserved for long enough to receive a numerical TA designation.\r\nChina-aligned threat actors have routinely targeted the semiconductor industry for many years. This activity likely aligns\r\nwith China’s internal strategic economic priorities, which have increasingly emphasized the importance of semiconductor\r\ntechnologies in successive national economic development initiatives, including the Five-Year Plans. A growing focus on\r\nensuring strategic self-reliance for semiconductor technologies, accelerated by external pressures from export controls, has\r\nlikely reinforced the priority of intelligence collection operations directed at this industry. 
This is reflected in China-aligned\r\nespionage activity tracked by the Proofpoint Threat Research team, where we are currently observing an elevated level of\r\ntargeting of the industry by China-aligned groups compared to historical activity.\r\nBetween March and June 2025, Proofpoint identified multiple China-aligned threat actors specifically targeting Taiwanese\r\norganizations within the semiconductor industry. This included a China-aligned threat actor tracked as UNK_FistBump\r\ntargeting semiconductor design, manufacturing, and supply chain organizations in employment-themed phishing campaigns\r\nresulting in the delivery of Cobalt Strike or the custom Voldemort backdoor.  \r\nAdditionally, Proofpoint observed another China-aligned threat actor tracked as UNK_DropPitch targeting individuals in\r\nmultiple major investment firms who specialize in investment analysis specifically within the Taiwanese semiconductor\r\nindustry. This UNK_DropPitch targeting is exemplary of intelligence collection priorities spanning less obvious areas of the\r\nsemiconductor ecosystem beyond just design and manufacturing entities. Finally, we also observed an actor tracked as\r\nUNK_SparkyCarp conducting credential phishing activity against a Taiwanese semiconductor company using a custom\r\nAdversary in the Middle (AiTM) phishing kit.\r\nUNK_FistBump targets semiconductor manufacturing and supply chain with job seeking lures \r\nIn May and June 2025, Proofpoint observed UNK_FistBump conducting multiple spearphishing campaigns targeting\r\nTaiwan-based semiconductor manufacturing, packaging, testing, and supply chain organizations. Posing as a graduate\r\nstudent seeking employment, the actor used compromised Taiwanese university email addresses to send their phishing email\r\nto recruitment and HR personnel. 
Subject lines observed across this activity include the following:\r\n產品工程（材料分析/製程優化）-台灣大學-薛豪 [附履歷] (Machine Translation: Product Engineering (Material\r\nAnalysis/Process Optimization) - National Taiwan University - Xue Hao [with resume])\r\nBumping工程師-台灣大學-材料工程學類-薛豪 (Machine Translation: Bumping Engineer - National Taiwan\r\nUniversity - Material Engineering - Xue Hao)\r\n【重要】麻煩協助確認 (Machine translation: [Important] Please help confirm)\r\nhttps://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting\r\nPage 1 of 12\n\nExample UNK_FistBump job application phishing email (machine translated from Traditional Chinese).\r\nDelivery\r\nUNK_FistBump phishing emails were sent via a likely compromised account and contained either a password-protected\r\narchive attachment or a PDF attachment. The PDF attachments contained URLs leading to an archive file hosted on either a\r\nZendesk instance or the Filemail file sharing service. Earlier UNK_FistBump campaigns delivered a Cobalt Strike Beacon\r\npayload, but the group shifted to delivery of the custom Voldemort backdoor in late May 2025.\r\nUNK_FistBump PDF attachment leading to file sharing site (machine translated from Traditional Chinese).\r\nIn an unusual campaign in late May 2025, UNK_FistBump included two distinct infection chains beginning with the same\r\npassword-protected archive, one of which loaded a Cobalt Strike Beacon payload and the other Voldemort. These\r\ninfection chains were initially triggered by distinct Microsoft Shortcut (LNK) files.\r\nUNK_FistBump RAR archive containing two distinct infection chains.\r\nContents of job application zip containing two distinct infection chains. 
\r\nInfection chain 1: Cobalt Strike payload\r\nExecution of the first LNK file named 崗位匹配度說明.pdf.lnk runs a VBS script Store.vbs stored within the cache\r\nsubfolder. This folder contains the following files:\r\ncache/Store.vbs\r\ncache/javaw.exe\r\ncache/崗位匹配度說明.pdf\r\ncache/rc4.log\r\ncache/jli.dll\r\nThis Store.vbs script copies the files javaw.exe, jli.dll, and rc4.log to the C:\\Users\\Public\\Videos directory and opens a decoy\r\ndocument named 崗位匹配度說明.pdf (machine translation: Explanation of Job Compatibility.pdf). It then executes the\r\nbenign signed executable javaw.exe, which is vulnerable to DLL sideloading. This loads the malicious DLL jli.dll, which in\r\nturn decrypts the RC4-encrypted Cobalt Strike Beacon payload from the rc4.log file using the key qwxsfvdtv and loads it\r\ninto memory. The Cobalt Strike Beacon payload uses a customized GoToMeeting malleable C2 profile and communicates\r\nwith the Evoxt VPS C2 IP address 166.88.61[.]35 over TCP port 443. The jli.dll loader also establishes persistence by\r\nsetting a HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run key value pointing to the path of\r\nthe DLL sideloading executable javaw.exe.\r\nInfection chain 2: Voldemort payload\r\nExecution of the second LNK named 台灣大學-材料工程學類-薛豪.pdf.lnk runs another VBS file also called Store.vbs,\r\nthis time within the _MACOSX subfolder. 
This _MACOSX folder contains the following files:\r\n_MACOSX/Store.vbs\r\n_MACOSX/台灣大學-材料工程學類-薛豪.pdf\r\n_MACOSX/CiscoSparkLauncher.dll\r\n_MACOSX/CiscoCollabHost.exe\r\n_MACOSX/Cisco.xml\r\nSimilar to the Cobalt Strike infection chain, the Store.vbs script copies the malicious executable files to\r\nC:\\Users\\Public\\Videos and opens a different decoy document 台灣大學-材料工程學類-薛豪.pdf (Machine translation:\r\nNational Taiwan University - Materials Engineering - Xue Hao.pdf). It then executes the benign signed executable\r\nCiscoCollabHost.exe, which is vulnerable to DLL sideloading and loads the malicious DLL CiscoSparkLauncher.dll. This\r\nDLL sideloading chain results in the delivery of the custom Voldemort backdoor, which uses Google Sheets for command\r\nand control (C2).\r\nUNK_FistBump resume decoy document.\r\nThe specific Voldemort DLL sideloading infection chain and payload observed closely resemble those used by the China\r\nstate-sponsored threat actor TA415 (APT41, Brass Typhoon), as previously documented by Proofpoint. An earlier Voldemort\r\nvariation used by UNK_FistBump in May 2025 exfiltrated host information in plain text to the Google Sheets C2, while a\r\nlater variation Base64-encoded and RC4-encrypted the values using the executable's filename (CiscoCollabHost.exe) as the\r\nRC4 key, in an identical manner to that previously highlighted in TA415 activity.\r\nExamining UNK_FistBump and TA415 attribution overlaps\r\nVoldemort is a custom malware family publicly reported by Proofpoint and Google that was historically only used by TA415\r\nwithin Proofpoint telemetry. 
Proofpoint Threat Research also previously observed TA415 conducting spearphishing\r\ncampaigns targeting the Taiwanese semiconductor sector using compromised Taiwanese university senders, in a similar\r\nmanner to the highlighted UNK_FistBump activity.\r\nHowever, the observed UNK_FistBump campaigns diverge from activity typically tracked as TA415. For example, the\r\nCobalt Strike infection chain uses a loader not typical of TA415, which usually favors ChaCha20-based loaders rather than\r\nthe more simplistic RC4 loader used by UNK_FistBump. Similarly, the use of a hardcoded IP address for a C2, rather than a\r\nCloudflare Worker or actor-controlled domain behind Cloudflare CDN, is atypical of TA415 activity. Due to these and other\r\ndivergences, coupled with the wider propensity of custom capability sharing across Chinese cyberespionage threat actors,\r\nProofpoint is tracking UNK_FistBump activity as distinct from TA415 at this time.\r\nUNK_DropPitch pitches semiconductor investment analysts\r\nIn April and May 2025, Proofpoint observed another China-aligned threat actor tracked as UNK_DropPitch conducting\r\ntargeted phishing campaigns against multiple large investment banks. This activity focused specifically on individuals\r\nspecializing in financial investment analysis of Taiwanese semiconductor and technology sectors. The phishing emails were\r\nsent from attacker-owned email addresses and purported to come from a fictitious financial investment firm seeking to\r\ncollaborate with the individual.\r\nDelivery\r\nExample UNK_DropPitch investment research collaboration phishing email (machine translated from Traditional Chinese).\r\nIn a campaign observed in late April 2025, a UNK_DropPitch phishing email contained a link to\r\nhxxps://api[.]moctw[.]info/Intro.pdf. 
This resulted in the download of a file named Intro.zip containing both a benign\r\nexecutable vulnerable to DLL sideloading and a malicious DLL libcef.dll, which are designed to load a simple custom\r\nbackdoor Proofpoint tracks as HealthKick.\r\nUNK_DropPitch Intro.zip contents.\r\nUpon execution, both files are copied to a randomly named subfolder under the ProgramData directory and the following\r\nscheduled task named SystemHealthMonitor is created to execute [PDF] Introduction Documents 2 - 250409.exe every five\r\nminutes:\r\nschtasks.exe /Create /TN \"SystemHealthMonitor\" /TR \"\\\"C:\\ProgramData\\zumArSAB\\[PDF] Introduction Documents 2 -\r\nThe HealthKick backdoor then attempts to create a web socket to the actor-controlled IP address 82.118.16[.]72 over TCP\r\nport 465. HealthKick employs a FakeTLS protocol and expects a response from the C2 starting with the magic bytes 0x17\r\n0x03 0x03 (the standard record header for TLSv1.2), followed by the payload size. Because the malware verifies that\r\nincoming packets start with these magic bytes and then later verifies this again, the FakeTLS header needs to be included\r\ntwice for commands to be properly parsed and decoded; it is unclear whether this was an intended feature or a mistake. This double\r\nFakeTLS header is then followed by a payload which is XOR-encoded with the key mysecretkey.\r\nHealthKick TCP socket C2 communication.\r\nHealthKick is a simple backdoor that executes commands and captures their output via a redirected anonymous pipe, which\r\nis then sent back to the C2 using the same FakeTLS and XOR-encoded payload format. 
\r\nA later UNK_DropPitch campaign in late May 2025 linked to the Netlify URL https://brilliant-bubblegum-137cfe[.]netlify[.]app/files/Introduction%20Document.zip\r\nand again delivered a ZIP file containing an executable used to load a malicious DLL named pbvm90.dll. In this case, the\r\nresultant malware is a simple raw TCP reverse shell that communicates with the actor-controlled VPS server\r\n45.141.139[.]222, again over TCP port 465, and persists via an identical scheduled task to the one noted above.\r\nThis reverse shell features minimal exception or error handling, meaning the server’s response to the malware client\r\nconnecting (“Server ready”) is interpreted as a command by the implant. Similarly, the reverse shell sends regular “ping”\r\nmessages to its C2 as a heartbeat. Similar “ping” check-ins were also received back from the C2 and were often concatenated with\r\nthe operator’s commands, resulting in errors. Proofpoint also observed typos in the command responses from the operators,\r\nindicating the commands are likely issued manually rather than in an automated fashion.\r\nUNK_DropPitch reverse shell errors and typos.\r\nProofpoint observed UNK_DropPitch using this reverse shell to conduct initial enumeration and discovery against targets.\r\nSubsequently, if the target is deemed of interest, the group dropped the Remote Monitoring and Management (RMM) tool\r\nIntel Endpoint Management Assistant (EMA), which was configured to communicate with the actor-controlled domain\r\nema.moctw[.]info.\r\nUNK_DropPitch infection chain.\r\nUNK_DropPitch network infrastructure analysis\r\nBoth the 82.118.16[.]72 HealthKick backdoor C2 IP address and the 80.85.156[.]234 Intel EMA C2 server used very similar\r\nreverse DNS names associated with the Russian VPS hosting provider ProfitServer and referenced the Mr. 
Robot character\r\nElliot Alderson:\r\nelliot-alderson-971.pserver[.]space\r\nelliot-alderson-97.pserver[.]space\r\nMultiple similarly named email addresses have also been used by the threat actor. Pivoting on this artifact uncovered\r\nadditional likely actor-controlled servers, several of which were used as C2 servers in subsequent June 2025\r\nUNK_DropPitch campaigns targeting US academic and think tank organizations:\r\n31.192.234[.]97 (elliot-alderson-15.pserver[.]space)\r\n80.85.154[.]48 (elliot-alderson-973.pserver[.]space)\r\n80.85.154[.]101 (elliot-alderson-151.pserver[.]space)\r\n80.85.156[.]237 (elliot-alderson-974.pserver[.]space)\r\n80.85.157[.]116 (elliot-alderson-972.pserver[.]space)\r\n80.85.157[.]145 (elliot-alderson-978.pserver[.]space)\r\n82.118.16[.]72 (elliot-alderson-971.pserver[.]space)\r\n82.118.16[.]106 (elliot-alderson-972.pserver[.]space)\r\nTwo of these servers were concurrently configured as SoftEther VPN servers, an open-source VPN product commonly used\r\nby a range of China-aligned threat actors for both infrastructure administration and tunnelling traffic out of victim networks.\r\nThe hosting IP address for the UNK_DropPitch subdomain mx.moctw[.]info (43.247.132[.]96) was also configured as a\r\nSoftEther VPN server during its time of use.\r\nThe 80.85.154[.]101 IP address identified above concurrently exhibited a TLS certificate with the common name\r\nCN=AS.website (SHA256 fingerprint: 000062e9e212231328b660f759f8878ac47604b9609f71c05ad19d7ef56b17a8) on port\r\nTCP 4444. This certificate has historically been exhibited on C2 infrastructure associated with multiple custom\r\nmalware families used by Chinese state-sponsored threat actors, most frequently the SideWalk (aka ScrambleCross)\r\nbackdoor. The TLS certificate was also noted in Kaspersky reporting on the MoonBounce firmware rootkit and PWC\r\nreporting on TA415 (APT41, Brass Typhoon) activity, both in relation to SideWalk usage. 
At this time, Proofpoint analysts\r\nwere unable to determine conclusively whether the reuse of this TLS certificate is an artifact of a specific custom malware family\r\nshared across multiple China-aligned threat actors, most likely SideWalk, or of shared infrastructure provisioning across\r\nthese groups.\r\nAdditional China-aligned threat actors targeting Taiwanese semiconductor industry\r\nIn addition to the highlighted UNK_FistBump and UNK_DropPitch activity, Proofpoint has also identified multiple\r\nadditional Chinese state-sponsored threat actors specifically targeting organizations within Taiwan’s semiconductor\r\nindustry.\r\nIn March 2025, a China-aligned threat actor Proofpoint tracks as UNK_SparkyCarp conducted a credential phishing\r\ncampaign using a custom adversary-in-the-middle (AITM) framework targeting a Taiwanese semiconductor industry\r\ncompany, which the group also previously targeted in November 2024. The phishing emails masqueraded as account login\r\nsecurity warnings and contained a link to the actor-controlled credential phishing domain accshieldportal[.]com, as well as a\r\ntracking beacon URL for acesportal[.]com.\r\nTypical UNK_SparkyCarp AITM phishing kit landing page.\r\nSimilarly, in October 2024 Proofpoint observed the China-aligned threat actor UNK_ColtCentury (overlaps TAG-100,\r\nStorm-2077) sending benign conversation-starter emails to legal personnel at a Taiwanese semiconductor organization in an\r\nattempt to engage the target. Based on related activity associated with this threat actor, this was likely an attempt to deploy\r\nthe SparkRAT backdoor.  
\r\nConclusion \r\nWithin Proofpoint telemetry in recent years, traditional espionage targets – including governments, aerospace and defense\r\ncompanies, and non-governmental organizations – have continued to be consistently targeted by China-aligned espionage\r\nthreat actors. Despite public reporting on semiconductor targeting from China-aligned threat actors, Proofpoint directly\r\nobserved only sporadic targeting of this sector. Since March 2025, this shifted to sightings of multiple campaigns from\r\ndifferent China-aligned groups specifically targeting this sector, with a particular emphasis on Taiwanese entities. \r\nAs many well-established China-aligned threat actors have shifted tactics, techniques and procedures (TTPs) towards\r\nexploitation of edge devices and other initial access vectors, Proofpoint has observed an influx of new China-aligned\r\nclusters to the phishing threat landscape, as demonstrated by the subset of activity highlighted within this report. These\r\nemerging threat actors continue to exhibit long-standing targeting patterns consistent with Chinese state interests, as well as\r\nTTPs and custom capabilities historically associated with China-aligned cyberespionage operations. 
\r\nIndicators of compromise\r\nUNK_FistBump Network Indicators\r\nIndicator\r\n166.88.61[.]35\r\nhxxps://sheets[.]googleapis[.]com:443/v4/spreadsheets/1z8ykHVYh9DF-b_BFDA9c4Q2ojfrgl-fq1v797Y5576Y\r\nhxxps://sheets[.]googleapis[.]com:443/v4/spreadsheets/14H0Gm6xgc2p3gpIB5saDyzSDqpVMKGBKIdkVGh2y1bo\r\njohn.doe89e@gmail[.]com\r\nhxxps://3008[.]filemail[.]com/api/file/get?filekey=DeHjMusPPgDt5EsWxOcgYCfRh5yI6MIIg7vvwn9yFEzh93Cts5UxrfXMYEPiMWffVCp36UCsVgYSlC47WGdjHZ7m9bAw0QWcgqQZcg\u0026\r\nUNK_FistBump Malware Indicators\r\n1a2530010ecb11f0ce562c0db0380416a10106e924335258ccbba0071a19c852\r\n084b92365a25e6cd5fc43efe522e5678a2f1e307bf69dd9a61eb37f81f304cc6\r\n85e4809e80e20d9a532267b22d7f898009e74ed0dbf7093bfa9a8d2d5403f3f9\r\n338f072cc1e08f1ed094d88aa398472e3f04a8841be2ff70f1c7a2e4476d8ef7\r\n13fad7c6d0accb9e0211a7b26849cf96c333cf6dfa21b40b65a7582b79110e4b\r\nd783c40c0e15b73b62f28d611f7990793b7e5ba2436e203000a22161e0a00d0e\r\n1016ba708fb21385b12183b3430b64df10a8a1af8355b27dd523d99ca878ffbb\r\nbab8618bc6fc3fdfa7870b5fe0f52b570fabf0243d066f410a7e76ebeed0088c\r\n0d992762c69d624a1f14a8a230f8a7d36d190b49e787fd146e9010e943c5ef78\r\nec5fef700d1ed06285af1f2d01fa3db5ea924de3c2da2f0e6b7a534f69d8409c\r\n82ecfe0ada6f7c0cea78bca2e8234241f1a1b8670b5b970df5e2ee255c3a56ef\r\ncd009ea4c682b61963210cee16ed663eee20c91dd56483d456e03726e09c89a7\r\nbbdad59db64c48f0a9eb3e8f2600314b0e3ebd200e72fa96bf5a84dd29d64ac5\r\nfc8f7185a90af4bf44332e85872aa7c190949e3ec70055a38af57690b6604e3c\r\nUNK_DropPitch Network Indicators\r\nIndicator | Type | Description | First Seen\r\namelia_w_chavez@proton[.]me | Email | Malware delivery | April 2025\r\nlisan_0818@outlook[.]com | Email | Malware delivery | May 2025\r\nmoctw[.]info | Domain | Malware delivery | April 2025\r\nhxxps://api[.]moctw[.]info/Intro.pdf | URL | Malware delivery | April 2025\r\nhxxps://api[.]moctw[.]info/Document-2025.4.25.pdf | URL | Malware delivery | April 2025\r\nhxxps://api[.]moctw[.]info/Install.zip | URL | Malware delivery | April 2025\r\nhxxps://brilliant-bubblegum-137cfe[.]netlify[.]app/files/Introduction%20Document.zip | URL | Malware delivery | May 2025\r\nema.moctw[.]info | Domain | C2 | April 2025\r\nwww.twmoc[.]info | Domain | C2 | June 2025\r\n80.85.156[.]234 | IP Address | C2 | April 2025\r\n82.118.16[.]72 | IP Address | C2 | April 2025\r\n45.141.139[.]222 | IP Address | C2 | May 2025\r\n80.85.156[.]237 | IP Address | C2 | June 2025\r\n80.85.154[.]48 | IP Address | C2 | June 2025\r\nUNK_DropPitch Malware Indicators\r\nIndicator | Type | Description | First Seen\r\n7bffd21315e324ef7d6c4401d1bf955817370b65ae57736b20ced2c5c08b9814 | SHA256 | Intro.zip | April 2025\r\n9b2cbcf2e0124d79130c4049f7b502246510ab681a3a84224b78613ef322bc79 | SHA256 | libcef.dll | April 2025\r\n4ee77f1261bb3ad1d9d7114474a8809929f4a0e7f9672b19048e1b6ac7acb15c | SHA256 | libcef.dll | April 2025\r\nd3a71c6b7f4be856e0cd66b7c67ca0c8eef250bc737a648032d9d67c2c37d911 | SHA256 | [PDF] Introduction Document-2025.4.25.lnk | April 2025\r\n366d7de8a941daa6a303dc3e39af60b2ffacaa61d5c1fb84dd1595a636439737 | SHA256 | Introduction Document.zip | May 2025\r\nd51c195b698c411353b10d5b1795cbc06040b663318e220a2d121727c0bb4e43 | SHA256 | [PDF]Taiwan-Cooperation-Introduction-Document-20250521.exe | May 2025\r\nffd69146c5b02305ac74c514cab28d5211a473a6c28d7366732fdc4797425288 | SHA256 | pbvm90.dll | May 2025\r\nUNK_SparkyCarp Network Indicators\r\nIndicator | Type | Description | First Seen\r\naccshieldportal[.]com | Domain | UNK_SparkyCarp credential phishing domain | March 2025\r\nacesportal[.]com | Domain | Tracking pixel domain | March 2025\r\nhxxps://ttot.accshieldportal[.]com/v3/ls/click/?c=b5c64761 | URL | Credential phishing URL | March 2025\r\nhxxps://aqrm.accshieldportal[.]com/v2/account/validate/?vid=35f46f46 | URL | Credential phishing URL | March 2025\r\nhxxps://acesportal[.]com/T/bfzWhb | URL | Tracking pixel URL | March 2025\r\nhxxps://acesportal[.]com/T/KRfzAH | URL | Tracking pixel URL | March 2025\r\nmenglunwuluegg226@proton[.]me | Email | Malware delivery | March 2025\r\nlonelyboymaoxcz231@proton[.]me | Email | Malware delivery | March 2025\r\nET rules\r\n2063450 - ET HUNTING GoogleSheets API V4 Activity (Fetch Single Cell with A1 Notation)\r\n2063451 - ET HUNTING GoogleSheets API V4 Response (Single Cell with UUID)\r\n2063452 - ET HUNTING GoogleSheets API V4 Activity (Possible Exfil)\r\n2063453 - ET MALWARE Voldemort System Info Exfil\r\n2063454 - ET PHISHING Observed DNS Query to UNK_SparkyCarp Domain\r\n2063455 - ET PHISHING Observed DNS Query to UNK_SparkyCarp Domain\r\n2063456 - ET PHISHING Observed UNK_SparkyCarp Domain in TLS SNI\r\n2063457 - ET MALWARE Observed DNS Query to UNK_DropPitch Domain\r\n2063458 - ET MALWARE Observed UNK_DropPitch Domain in TLS SNI\r\n2063459 - ET PHISHING Observed UNK_SparkyCarp Domain in TLS SNI\r\n2063460 - ET MALWARE Observed DNS Query to UNK_DropPitch Domain\r\n2063461 - ET MALWARE Observed UNK_DropPitch Domain in TLS SNI\r\nSource: 
https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting"
	],
	"report_names": [
		"phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting"
	],
	"threat_actors": [
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "64a08f65-4ef8-4ad5-bac1-ce4e0fd2808c",
			"created_at": "2024-08-28T02:02:09.663698Z",
			"updated_at": "2026-04-10T02:00:04.927384Z",
			"deleted_at": null,
			"main_name": "TAG-100",
			"aliases": [
				"Storm-2077"
			],
			"source_name": "ETDA:TAG-100",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"CrossC2",
				"LESLIELOADER",
				"Pantegana",
				"SparkRAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5af25e74-ab1e-4b3e-a3f8-c39227d79a2d",
			"created_at": "2025-09-27T02:00:03.95423Z",
			"updated_at": "2026-04-10T02:00:03.889451Z",
			"deleted_at": null,
			"main_name": "UNK_DropPitch",
			"aliases": [],
			"source_name": "MISPGALAXY:UNK_DropPitch",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9678b3fd-5373-4049-af73-25ab371ced8b",
			"created_at": "2025-09-27T02:00:03.956533Z",
			"updated_at": "2026-04-10T02:00:03.890321Z",
			"deleted_at": null,
			"main_name": "UNK_SparkyCarp",
			"aliases": [],
			"source_name": "MISPGALAXY:UNK_SparkyCarp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "604a4a41-3fa7-4bee-9c1b-4f83c21b9d35",
			"created_at": "2025-09-27T02:00:03.938884Z",
			"updated_at": "2026-04-10T02:00:03.888766Z",
			"deleted_at": null,
			"main_name": "UNK_FistBump",
			"aliases": [],
			"source_name": "MISPGALAXY:UNK_FistBump",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "db5b833a-965e-4f46-b75d-7e829466a5fa",
			"created_at": "2024-12-21T02:00:02.843374Z",
			"updated_at": "2026-04-10T02:00:03.780907Z",
			"deleted_at": null,
			"main_name": "Storm-2077",
			"aliases": [
				"TAG-100",
				"RedNovember"
			],
			"source_name": "MISPGALAXY:Storm-2077",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434582,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da9ad35f01ce1e207f4bfff4b3a53190e4fedb8e.pdf",
		"text": "https://archive.orkl.eu/da9ad35f01ce1e207f4bfff4b3a53190e4fedb8e.txt",
		"img": "https://archive.orkl.eu/da9ad35f01ce1e207f4bfff4b3a53190e4fedb8e.jpg"
	}
}