
TAOTH Eastern Asia espionage campaign using hijacked Sogou Zhuyin updates

Campaign
Happening score: 42
1 unique source, 1 article

Summary


A TAOTH espionage campaign abused a hijacked Sogou Zhuyin update path and phishing pages to deliver malware and steal sensitive information from Eastern Asia targets. The operation focused on dissidents, journalists, researchers, and technology/business leaders, with activity extending to overseas Taiwanese communities and affecting several hundred victims.

Related Happenings

BadIIS malware deployment on compromised IIS servers in Thailand and Vietnam

Malware Activity
First: 30.01.2026 14:08 Last: 30.01.2026 14:08 Sources 1

About this happening: **BadIIS** is a **malicious native IIS module** used on **compromised IIS servers** to support **SEO fraud** and traffic manipulation. **Cisco Talos** says the activity is tied to...

Kimsuky AI-assisted phishing campaign using deepfake South Korean military IDs

Campaign
First: 17.09.2025 03:00 Last: 17.09.2025 03:00 Sources 1

About this happening: **North Korea-linked Kimsuky** began using **ChatGPT and other AI services** to generate fake identities and make phishing lures more convincing. In the latest **phishing campaign...

China-backed Moolenaar impersonation spear-phishing campaign

Campaign
First: 10.09.2025 19:44 Last: 10.09.2025 19:44 Sources 1

About this happening: The **US House Select Committee on China** warned of an ongoing **spear-phishing espionage campaign** in which suspected Chinese state actors impersonated **Rep. John Moolenaar**...

Sogou Zhuyin hit by network compromise

Incident
First: 29.08.2025 16:12 Last: 29.08.2025 16:12 Sources 1

How related: The attackers are said to have taken control, in October 2024, of the lapsed domain name ("sogouzhuyin[.]com") associated with Sogou Zhuyin, a legitimate IME service that stopped receiving updates in June 2019, and to have begun distributing malicious payloads through it a month later.

About this happening: The **Sogou Zhuyin** update server takeover turned a trusted software channel into a **malicious update** path, enabling malware delivery to unsuspecting users. The compromise beg...

Kimsuky diplomatic spear-phishing campaign using GitHub and cloud storage

Campaign
First: 20.08.2025 12:18 Last: 20.08.2025 12:18 Sources 1

About this happening: A **North Korean** spear-phishing campaign targeted **diplomatic missions** in South Korea, using **GitHub** and cloud storage to deliver **Xeno RAT** and enable remote control of...

Timeline

  1. 29.08.2025 16:12 2 articles · 9mo ago

    TAOTH hijacks Sogou Zhuyin update server to deliver spyware and backdoors across Eastern Asia

    Initial Disclosure

    Trend Micro details a TAOTH espionage operation that hijacked an abandoned Sogou Zhuyin update server and used the software update path, fake login pages, and fake cloud storage pages to deliver C6DOOR, GTELAM, DESFY, and TOSHIS to targets across Eastern Asia, including dissidents, journalists, researchers, and technology/business leaders. The operation also used Google Drive for exfiltration and concealment, and Trend Micro says several hundred victims were impacted.
