Espionage campaign targets Eastern Asia via hijacked Sogou Zhuyin update server
Summary
Hide β²
Show βΌ
An espionage campaign has been targeting users in Eastern Asia by exploiting an abandoned Sogou Zhuyin update server. The attackers, identified as TAOTH, have been distributing multiple malware families, including C6DOOR and GTELAM, to gather sensitive information from high-value targets such as dissidents, journalists, and technology leaders. The campaign began in October 2024 and has primarily affected users in Taiwan, Cambodia, and the U.S. The attackers hijacked the lapsed domain associated with Sogou Zhuyin, a discontinued input method editor (IME) software, to deliver malicious updates. The malware families deployed include RATs, spyware, and backdoors, which enable remote access, information theft, and backdoor functionality. The attackers also used legitimate cloud services to conceal their activities and exfiltrate data. The infection chain starts with users downloading the official Sogou Zhuyin installer, which triggers a malicious update process. The campaign has been ongoing since June 2025, with several hundred victims impacted. The attackers have been conducting reconnaissance to identify valuable targets and have not yet engaged in further post-exploitation activities on most systems.
Timeline
-
29.08.2025 16:12 π° 1 articles
Espionage campaign targets Eastern Asia via hijacked Sogou Zhuyin update server
An espionage campaign has been targeting users in Eastern Asia by exploiting an abandoned Sogou Zhuyin update server. The attackers, identified as TAOTH, have been distributing multiple malware families, including C6DOOR and GTELAM, to gather sensitive information from high-value targets such as dissidents, journalists, and technology leaders. The campaign began in October 2024 and has primarily affected users in Taiwan, Cambodia, and the U.S. The attackers hijacked the lapsed domain associated with Sogou Zhuyin, a discontinued input method editor (IME) software, to deliver malicious updates. The malware families deployed include RATs, spyware, and backdoors, which enable remote access, information theft, and backdoor functionality. The attackers also used legitimate cloud services to conceal their activities and exfiltrate data. The infection chain starts with users downloading the official Sogou Zhuyin installer, which triggers a malicious update process. The campaign has been ongoing since June 2025, with several hundred victims impacted. The attackers have been conducting reconnaissance to identify valuable targets and have not yet engaged in further post-exploitation activities on most systems.
Show sources
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign β thehackernews.com β 29.08.2025 16:12
Information Snippets
-
The TAOTH campaign targets users in Eastern Asia, primarily in Taiwan, Cambodia, and the U.S.
First reported: 29.08.2025 16:12π° 1 source, 1 articleShow sources
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign β thehackernews.com β 29.08.2025 16:12
-
The attackers hijacked the lapsed domain "sogouzhuyin[.]com" associated with Sogou Zhuyin, a discontinued IME software.
First reported: 29.08.2025 16:12π° 1 source, 1 articleShow sources
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign β thehackernews.com β 29.08.2025 16:12
-
The malware families deployed include C6DOOR, GTELAM, DESFY, and TOSHIS.
First reported: 29.08.2025 16:12π° 1 source, 1 articleShow sources
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign β thehackernews.com β 29.08.2025 16:12
-
The infection chain begins with users downloading the official Sogou Zhuyin installer, which triggers a malicious update process.
First reported: 29.08.2025 16:12π° 1 source, 1 articleShow sources
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign β thehackernews.com β 29.08.2025 16:12
-
The attackers used legitimate cloud services to conceal their activities and exfiltrate data.
First reported: 29.08.2025 16:12π° 1 source, 1 articleShow sources
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign β thehackernews.com β 29.08.2025 16:12
-
The campaign has been ongoing since June 2025, with several hundred victims impacted.
First reported: 29.08.2025 16:12π° 1 source, 1 articleShow sources
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign β thehackernews.com β 29.08.2025 16:12
-
The attackers have been conducting reconnaissance to identify valuable targets and have not yet engaged in further post-exploitation activities on most systems.
First reported: 29.08.2025 16:12π° 1 source, 1 articleShow sources
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign β thehackernews.com β 29.08.2025 16:12
Similar Happenings
APT41 Targets U.S. Trade Officials in Cyber Espionage Campaign
The House Select Committee on China has issued a warning about ongoing cyber espionage campaigns by China-linked APT41 targeting U.S. trade officials and related organizations. The attacks involve phishing emails impersonating U.S. officials to steal sensitive information. The campaign coincides with contentious U.S.-China trade negotiations. The threat actors exploit software and cloud services to cover their tracks. The attacks aim to steal valuable data and gain unauthorized access to systems. The committee has noted similar tactics used in previous campaigns, including a January 2025 spear-phishing attempt targeting committee staffers. The FBI is investigating the ongoing cyber espionage campaign. APT41 has been known to conduct financially motivated activities in addition to state-sponsored espionage. The group has targeted various sectors, including logistics, utilities, healthcare, high-tech, and telecommunications. The committee recommends user awareness phishing training, mandatory multifactor authentication, FIDO keys, and appropriate email gateway and endpoint security tools to mitigate such attacks.
Axios Abuse and Salty 2FA Kits in Microsoft 365 Phishing Campaigns
Threat actors are leveraging HTTP client tools like Axios and Microsoft's Direct Send feature to execute advanced phishing campaigns targeting Microsoft 365 environments. These campaigns have demonstrated a 70% success rate, bypassing traditional security defenses and exploiting authentication workflows. The attacks began in July 2025 and have targeted executives and managers in various sectors, including finance, healthcare, and manufacturing. The phishing campaigns use compensation-themed lures to trick recipients into opening malicious PDFs containing QR codes that direct users to fake login pages. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA is being used to steal Microsoft login credentials and bypass multi-factor authentication (MFA). The Salty2FA kit includes advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its effectiveness and evade detection. Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to MarchβApril 2025. The campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. Salty2FA targets industries including finance, energy, telecom, healthcare, government, logistics, IT consulting, education, construction, chemicals, industrial manufacturing, real estate, consulting, metallurgy, and more.
TOR-based Cryptojacking Campaign Targets Misconfigured Docker APIs
A new variant of a TOR-based cryptojacking campaign targets misconfigured Docker APIs to propagate malware. The attack chain involves exploiting exposed Docker instances to deploy XMRig miners and reconnaissance tools. The malware also scans for additional ports and attempts to propagate via Telnet and Chromium remote debugging ports. The campaign may be setting up a complex botnet. The attack leverages Base64-encoded payloads and TOR domains for anonymity. It includes a dropper written in Go that parses user login information and uses Masscan for further propagation. The malware's source code includes an emoji, suggesting it may have been crafted using a large language model (LLM). The attackers mount the host root to the fresh container, allowing them to manipulate the host system and escape the container. The attackers modify the SSH configuration of the host system to elevate privileges and provide backdoor access. The attackers create a cron job that executes every minute to block access to the Docker APIβs port 2375, denying other attackers future access to the exposed instance. The threat actors deploy tools to perform mass scans for other open 2375 ports, which are used for malware propagation through the creation of new containers using the identified exposed APIs. The malware installs curl and tor, launches a Tor daemon, and waits for confirmation of the connection by accessing Amazon's checkip.amazonaws.com service over a SOCKS5 proxy. The malware appends an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem to enable persistent SSH access. The malware writes a base64-encoded cron job on the host, which executes every minute and blocks external access to port 2375 using available firewall utilities. The malware downloads a Zstandard-compressed Go binary over Tor, decompresses it, and runs it as a dropper. The Go binary parses the hostβs utmp file to identify logged-in users. The malware attempts to infect other exposed Docker APIs and removes competitor containers after gaining access. The malware includes inactive logic for exploiting Telnet (port 23) using default router credentials and for interacting with Chromeβs remote debugging interface (port 9222). The malware's behavior suggests it is an initial version of a complex botnet with capabilities for lateral movement, persistence, and potential future expansion for credential theft and browser hijacking. The campaign highlights the importance of securing Docker APIs and segmenting networks to prevent such attacks.
Kazakhstan's KazMunayGas Phishing Test Mistaken for Noisy Bear Campaign
Kazakhstan's state-owned oil and gas company KazMunayGas conducted a phishing test in May 2025, which was initially misinterpreted as a cyber espionage campaign by a new threat group named Noisy Bear. The test involved phishing emails targeting KazMunayGas employees with fake documents related to internal communications and policy updates. The phishing emails were sent from a compromised internal email address and included a ZIP attachment with a Windows shortcut (LNK) downloader, a decoy document, and a README.txt file with instructions. The campaign was designed to mimic official internal communications and included themes such as policy updates, internal certification procedures, and salary adjustments. The phishing test was conducted to train employees on identifying and responding to phishing attempts. However, it was mistakenly reported as a cyber espionage campaign by Seqrite Labs, which attributed the activity to a new threat group tracked as Noisy Bear. The threat actor was believed to be of Russian origin and had been active since at least April 2025. The misinterpretation led to speculation about the involvement of a new threat group and the use of sophisticated malware, including a PowerShell loader dubbed DOWNSHELL and a DLL-based implant. The threat actor used a compromised email address belonging to a KazMunayGas finance department employee to send phishing emails. The phishing emails impersonated mundane company business, including reviewing work schedules, incentive systems, and wages. The phishing emails contained a ZIP file with a decoy document and a shortcut (LNK) file named "Salary Schedule.lnk." The LNK file downloaded a batch script, which retrieved the attackers' PowerShell loader named DownShell. DownShell consists of two scripts: one for anti-analysis by undermining the Windows Antimalware Scan Interface (AMSI), and another for CreateRemoteThread Injection to establish a reverse shell. Noisy Bear used a sanctioned Russian bulletproof hosting provider, Aeza Group, to maintain its infrastructure. The threat activity carries geopolitical implications, targeting Kazakhstan's largest oil and gas company, which is state-owned and a significant economic entity. Seqrite Labs found infrastructure and tooling overlaps across other Central Asian attacks, indicating a broader campaign. The incident highlights the importance of clear communication and coordination between cybersecurity researchers and organizations to avoid misinterpretations and ensure accurate reporting of cyber threats.
TAG-150 Expands Operations with CastleRAT in Python and C
The threat actor TAG-150, known for CastleLoader malware, has developed a new remote access trojan named CastleRAT. CastleRAT is available in both Python and C variants, and it is used to collect system information, execute commands, and download additional payloads. CastleRAT's development began in March 2025, and it is part of a multi-tiered infrastructure used by TAG-150. The malware is distributed through phishing attacks, fraudulent GitHub repositories, and other methods. The Python variant, also known as PyNightshade, and the C variant have different capabilities. The C variant includes keylogging, screenshot capture, file upload/download, and cryptocurrency clipper functionality. CastleRAT uses Steam Community profiles as dead drop resolvers for command-and-control (C2) servers. TAG-150 has been active since at least March 2025, using CastleLoader as an initial access vector for various secondary payloads, including remote access trojans, information stealers, and other loaders. TAG-150's operations have targeted critical infrastructure, including U.S. government agencies, and have been linked to a Play Ransomware attack against a French organization. The group's MaaS operation is likely promoted within closed circles, indicating a sophisticated and connected user base. TAG-150 is likely to develop and release additional malware in the near term and expand its distribution efforts.