China-aligned UTA0388 Targets Multiple Regions with GOVERSHELL Malware

2 unique sources, 2 articles

Summary

A China-aligned threat actor, UTA0388, has conducted spear-phishing campaigns targeting North America, Asia, and Europe to deliver the GOVERSHELL backdoor. These campaigns use tailored lures and fictional identities in multiple languages. The malware, which has evolved through several variants, is designed to execute commands and gather system information. The actor has leveraged legitimate services like Netlify, Sync, and OneDrive to stage archive files and used OpenAI ChatGPT to generate phishing content and assist with malicious workflows. The campaigns have been highly tailored, with the threat actors building trust with recipients over time before sending malicious links. The targeting profile indicates a focus on Asian geopolitical issues, particularly Taiwan. Additionally, a separate campaign targeting European institutions has been observed, involving the use of PlugX malware. New insights reveal that UTA0388 has shifted from simple phishing links to 'rapport-building phishing,' engaging in extended conversations with targets before delivering malicious files. The GOVERSHELL malware has evolved to use encrypted WebSocket and HTTPS communication channels. The campaigns involved archive files containing a legitimate-looking executable and a hidden malicious dynamic link library (DLL). The use of cloud hosting services like Netlify and OneDrive to deliver payloads, along with domain names impersonating major firms such as Microsoft and Apple, has been observed. The rapid campaign tempo, with up to 26 phishing emails sent within three days, indicates a high level of activity.

Timeline

  1. 09.10.2025 20:19 2 articles · 1mo ago

    UTA0388 Conducts Spear-Phishing Campaigns with GOVERSHELL Malware


Similar Happenings

Chinese State-Sponsored Group Exploits Windows Zero-Day in Espionage Campaign Against European Diplomats

A China-linked hacking group, UNC6384 (Mustang Panda), is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomats in Hungary, Belgium, Italy, and the Netherlands, as well as Serbian government agencies. The campaign involves spear-phishing emails with malicious LNK files to deploy the PlugX RAT and gain persistence on compromised systems. The attacks have broadened in scope to include diplomatic entities from Italy and the Netherlands. The zero-day vulnerability allows for remote code execution on targeted Windows systems, enabling the group to monitor diplomatic communications and steal sensitive data. Microsoft has not yet released a patch for this vulnerability, which has been heavily exploited by multiple state-sponsored groups and cybercrime gangs since March 2025. The campaign began with spear-phishing emails themed around diplomatic meetings and conferences. The malicious LNK files exploit ZDI-CAN-25373, a Windows shortcut vulnerability disclosed in March 2025. The LNK file invokes PowerShell with an obfuscated command that decodes a tar archive file named rjnlzlkfe.ta. The tar archive contains three critical files that enable the attack chain through DLL side-loading. The first is a legitimate Canon printer assistant utility with an expired digital signature. The second file, cnmpaui.dll, serves as a lightweight loader designed to decrypt and execute the PlugX payload. PlugX is a RAT that provides comprehensive remote access capabilities, including command execution, keylogging, file upload and download operations, persistence establishment, and extensive system reconnaissance functions.

Oyster Malware Distributed via Fake Microsoft Teams Installers

A new malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The malware provides attackers with remote access to corporate networks, enabling command execution, payload deployment, and file transfers. The campaign targets users searching for 'Teams download,' leading them to a fake site that mimics Microsoft's official download page. The malicious installer, signed with legitimate certificates, drops a DLL into the %APPDATA%\Roaming folder and creates a scheduled task for persistence. Microsoft revoked over 200 certificates used to sign malicious Teams installers in a wave of Rhysida ransomware attacks in October 2025. The threat group Vanilla Tempest, also tracked as VICE SPIDER and Vice Society, is a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion. The Oyster malware, also known as Broomstick and CleanUpLoader, has been linked to multiple campaigns and ransomware operations, such as Rhysida. The campaign was first disclosed by Blackpoint Cyber in September 2025, highlighting how users searching for Teams online were redirected to bogus download pages, where they were offered a malicious MSTeamsSetup.exe instead of the legitimate client. The threat actor used Trusted Signing, SSL.com, DigiCert, and GlobalSign code signing services to sign the malicious installers and other post-compromise tools.

SVG Files Used in Phishing Attacks Impersonating Colombian Judicial System

A malware campaign uses SVG files to deploy Base64-encoded phishing pages impersonating the Colombian judicial system. The SVG files are distributed via email and execute a JavaScript payload to inject a phishing page. The campaign has been active since mid-August 2025, with 523 undetected SVG files identified by VirusTotal. The phishing pages simulate a document download process while downloading a ZIP archive in the background. The ZIP file contains a legitimate executable, a malicious DLL, and two encrypted files. The malicious DLL is sideloaded to install further malware on the system. The campaign highlights the evolving tactics of attackers, who use obfuscation and polymorphism to evade detection. The phishing pages target users by impersonating official government portals, increasing the likelihood of successful attacks. The disclosure coincides with reports of macOS systems being targeted by the Atomic macOS Stealer (AMOS), which steals a wide range of sensitive data. Attackers use cracked software and ClickFix-style tactics to infect macOS devices, exposing businesses to credential stuffing and financial theft.

APT29 Watering Hole Campaign Disrupted by Amazon

Amazon disrupted a watering hole campaign orchestrated by the Russia-linked APT29 group, also known as Midnight Blizzard. The campaign targeted Microsoft 365 accounts and data, using compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft's device code authentication flow. This activity highlights APT29's ongoing efforts to harvest credentials and gather intelligence. The campaign involved compromising legitimate websites and injecting JavaScript to redirect approximately 10% of visitors to actor-controlled domains. These domains mimicked Cloudflare verification pages to deceive users into entering legitimate device codes, granting attackers access to Microsoft accounts and data. The campaign also employed various evasion techniques, including Base64 encoding and cookie-based redirect prevention. Amazon's intervention led to the disruption of the campaign, despite APT29's attempts to migrate to new infrastructure. APT29 has previously targeted European embassies, Hewlett Packard Enterprise, and TeamViewer. The group is known for its sophisticated phishing methods and has been linked to Russia's Foreign Intelligence Service (SVR).

UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages

The ClickFix malware campaign has evolved to include multi-OS support and video tutorials that guide victims through the self-infection process. The campaign, which uses fake Cloudflare CAPTCHA pages and malicious PowerShell scripts, has been observed deploying various payloads, including information stealers and backdoors. The FileFix attack, a variant of the ClickFix family, impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The campaign has evolved over two weeks with different payloads, domains, and lures, indicating an attacker testing and adapting their infrastructure. The FileFix technique, created by red team researcher mr.d0x, uses the address bar in File Explorer to execute malicious commands. The campaign employs steganography to hide a second-stage PowerShell script and encrypted executables inside a JPG image, which is believed to be AI-generated. The StealC malware targets credentials from various applications, cryptocurrency wallets, and cloud services, and can take screenshots of the active desktop. The FileFix attack uses a multilingual phishing site to trick users into executing a malicious command via the File Explorer address bar. The attack leverages Bitbucket to host the malicious components, abusing a legitimate source code hosting platform to bypass detection. The attack involves a multi-stage PowerShell script that downloads an image, decodes it into the next-stage payload, and runs a Go-based loader to launch StealC. The attack uses advanced obfuscation techniques, including junk code and fragmentation, to hinder analysis efforts. The FileFix attack is more likely to be detected by security products because the payload is executed by the victim's web browser. The FileFix attack demonstrates significant investment in tradecraft, with carefully engineered phishing infrastructure, payload delivery, and supporting elements to maximize evasion and impact.

The MetaStealer attack, a variant of the ClickFix family, uses a fake Cloudflare Turnstile lure and an MSI package disguised as a PDF to deploy the MetaStealer infostealer malware. The attack involves a multi-stage infection chain that includes a DLL sideloading technique using a legitimate SentinelOne executable. The MetaStealer attack targets crypto wallets and other sensitive information, using a combination of social engineering and technical evasion techniques to deploy malware. Previously, threat actors tracked as UNC5518 leveraged a social engineering tactic called ClickFix to deploy the CORNFLAKE.V3 backdoor. The campaign used fake CAPTCHA pages to trick users into executing malicious PowerShell scripts, providing initial access to systems. This access was then monetized by other threat groups, including UNC5774 and UNC4108, which deployed additional payloads. The attack began with users interacting with compromised search results or malicious ads, leading them to fake CAPTCHA pages. Users were then tricked into running a malicious PowerShell command, which downloaded and executed the CORNFLAKE.V3 backdoor. This backdoor supported various payload types and could collect system information, which was transmitted via Cloudflare tunnels to evade detection. CORNFLAKE.V3 is an updated version of CORNFLAKE.V2, featuring host persistence and additional payload support. The campaign also involved the deployment of WINDYTWIST.SEA, a backdoor that supports lateral movement within infected networks.