Espionage campaign targets Eastern Asia using hijacked Sogou Zhuyin update server
Summary
Hide β²
Show βΌ
An espionage campaign, codenamed TAOTH, has been targeting users in Eastern Asia since June 2025. The attackers hijacked an abandoned update server for the Sogou Zhuyin input method editor (IME) software to distribute multiple malware families, including C6DOOR and GTELAM. The campaign primarily targets dissidents, journalists, researchers, and technology/business leaders in China, Taiwan, Hong Kong, Japan, South Korea, and overseas Taiwanese communities. The attackers took control of the lapsed domain name associated with Sogou Zhuyin in October 2024 and used it to disseminate malicious payloads. The malware families deployed serve various purposes, including remote access, information theft, and backdoor functionality. The attack chain begins with users downloading the official installer for Sogou Zhuyin, which triggers a malicious update process. The campaign has impacted several hundred victims, with Taiwan accounting for 49% of all targets. The attackers also leveraged third-party cloud services to conceal their network activities.
Timeline
-
29.08.2025 16:12 π° 1 articles Β· β± 18d ago
TAOTH campaign targets Eastern Asia using hijacked Sogou Zhuyin update server
An espionage campaign, codenamed TAOTH, has been targeting users in Eastern Asia since June 2025. The attackers hijacked an abandoned update server for the Sogou Zhuyin input method editor (IME) software to distribute multiple malware families, including C6DOOR and GTELAM. The campaign primarily targets dissidents, journalists, researchers, and technology/business leaders in China, Taiwan, Hong Kong, Japan, South Korea, and overseas Taiwanese communities. The attackers took control of the lapsed domain name associated with Sogou Zhuyin in October 2024 and used it to disseminate malicious payloads. The malware families deployed serve various purposes, including remote access, information theft, and backdoor functionality. The attack chain begins with users downloading the official installer for Sogou Zhuyin, which triggers a malicious update process.
Show sources
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign β thehackernews.com β 29.08.2025 16:12
Information Snippets
-
The TAOTH campaign targets dissidents, journalists, researchers, and technology/business leaders in Eastern Asia.
First reported: 29.08.2025 16:12π° 1 source, 1 articleShow sources
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign β thehackernews.com β 29.08.2025 16:12
-
The attackers hijacked the Sogou Zhuyin update server in October 2024 to distribute malware.
First reported: 29.08.2025 16:12π° 1 source, 1 articleShow sources
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign β thehackernews.com β 29.08.2025 16:12
-
The malware families deployed include GTELAM, C6DOOR, DESFY, and TOSHIS.
First reported: 29.08.2025 16:12π° 1 source, 1 articleShow sources
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign β thehackernews.com β 29.08.2025 16:12
-
The attack chain involves a malicious update process triggered by the Sogou Zhuyin installer.
First reported: 29.08.2025 16:12π° 1 source, 1 articleShow sources
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign β thehackernews.com β 29.08.2025 16:12
-
The campaign has impacted several hundred victims, with a significant portion in Taiwan.
First reported: 29.08.2025 16:12π° 1 source, 1 articleShow sources
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign β thehackernews.com β 29.08.2025 16:12
-
The attackers used third-party cloud services to conceal their network activities.
First reported: 29.08.2025 16:12π° 1 source, 1 articleShow sources
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign β thehackernews.com β 29.08.2025 16:12
-
The TAOTH campaign shares infrastructure and tooling overlap with previously documented ITOCHU activity.
First reported: 29.08.2025 16:12π° 1 source, 1 articleShow sources
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign β thehackernews.com β 29.08.2025 16:12
Similar Happenings
SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids
A fraudulent ad operation, SlopAds, has been identified, exploiting 224 Android apps to generate 2.3 billion ad bids daily. The apps, collectively downloaded 38 million times across 228 countries, use steganography and hidden WebViews to create fraudulent ad impressions and clicks. The operation was disrupted after Google removed the offending apps from the Play Store. The SlopAds campaign is notable for its sophisticated tactics, including conditional fraud execution and the use of AI-themed services for command and control. The fraudulent behavior is triggered only when apps are downloaded via ad clicks, making detection more challenging. The campaign's infrastructure includes multiple domains and a complex feedback loop designed to evade security researchers. The campaign's highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).
FileFix Attack Using Steganography to Deploy StealC Infostealer
A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future.
Supply Chain Attack Targeting npm Registry Compromises 40 Packages
A supply chain attack targeting the npm registry has compromised over 187 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present.
UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns
The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.
Akira Ransomware Group Exploits SonicWall SSL VPN Flaws
The Akira ransomware group has been actively exploiting SonicWall SSL VPN flaws and misconfigurations to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting SonicWall devices to facilitate ransomware operations. The group leverages a combination of security vulnerabilities, including a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings, to bypass access controls and infiltrate networks. Organizations are advised to rotate passwords, remove unused accounts, enable multi-factor authentication, and restrict access to the Virtual Office Portal to mitigate risks. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of SonicWall SSL VPNs and issued alerts about the increased exploitation of CVE-2024-40766.