UTA0388 spear-phishing campaign delivering GOVERSHELL
Campaign
Summary
Hide ▲
Show ▼
A China-aligned actor, UTA0388, is running a spear-phishing campaign across North America, Asia, and Europe to deliver the GOVERSHELL implant. The operation matters because it uses tailored espionage lures, malicious archives, and DLL side-loading to push an actively developed backdoor.
Related Happenings
OP-512 Microsoft IIS espionage campaign
Campaign
H score52
First: 05.06.2026 15:33
Last: 05.06.2026 15:33
Sources 1
About this happening:
**OP-512** is an active **espionage campaign** targeting **Microsoft IIS servers** with a **bespoke web shell framework**, increasing the risk of stealthy remote access on exposed...
OP-512 Microsoft IIS espionage campaign
CampaignAbout this happening: **OP-512** is an active **espionage campaign** targeting **Microsoft IIS servers** with a **bespoke web shell framework**, increasing the risk of stealthy remote access on exposed...
TA4922 expanded European phishing-and-malware campaign
Campaign
H score40
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
TA4922 expanded European phishing-and-malware campaign
CampaignAbout this happening: **TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
Atlas RAT and related loaders deployed for remote access and credential theft
Malware Activity
H score33
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...
Atlas RAT and related loaders deployed for remote access and credential theft
Malware ActivityAbout this happening: **TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...
Operation Dragon Weave cyber-espionage campaign
Campaign
H score37
First: 01.06.2026 14:54
Last: 01.06.2026 14:54
Sources 1
About this happening:
The **Operation Dragon Weave** campaign is actively targeting **officials and citizens in the Czech Republic and Taiwan** with **spear-phishing ZIP attachments**. The infection ch...
Operation Dragon Weave cyber-espionage campaign
CampaignAbout this happening: The **Operation Dragon Weave** campaign is actively targeting **officials and citizens in the Czech Republic and Taiwan** with **spear-phishing ZIP attachments**. The infection ch...
Ghostwriter Prometheus-themed phishing campaign targeting Ukraine government organizations
Campaign
H score33
First: 22.05.2026 19:20
Last: 22.05.2026 19:20
Sources 1
About this happening:
A **Ghostwriter** phishing campaign is targeting **Ukraine government organizations** with **Prometheus-themed lures**, increasing the risk of credential theft and follow-on acces...
Ghostwriter Prometheus-themed phishing campaign targeting Ukraine government organizations
CampaignAbout this happening: A **Ghostwriter** phishing campaign is targeting **Ukraine government organizations** with **Prometheus-themed lures**, increasing the risk of credential theft and follow-on acces...
Timeline
-
09.10.2025 20:19 3 articles · 9mo ago
Volexity attributes UTA0388 spear-phishing campaign to GOVERSHELL
Initial DisclosureVolexity attributes a China-aligned actor codenamed UTA0388 to spear-phishing campaigns targeting North America, Asia, and Europe that deliver the Go-based implant GOVERSHELL. The operation uses tailored lures, fabricated researcher and analyst personas, remotely hosted or self-hosted archive links, and DLL side-loading to launch a backdoor Volexity says overlaps Proofpoint's UNK_DropPitch cluster and succeeds the HealthKick malware family. The campaign set includes five identified GOVERSHELL variants first observed between April 2025 and September 2025, and the actor is assessed to have used OpenAI ChatGPT to generate phishing content in English, Chinese, and Japanese and to support malicious workflows.
Show sources
- From HealthKick to GOVERSHELL: The Evolution of UTA0388's Espionage Malware — thehackernews.com — 09.10.2025 20:19
- From HealthKick to GOVERSHELL: The Evolution of UTA0388's Espionage Malware — thehackernews.com — 09.10.2025 20:19
- China-Aligned UTA0388 Uses AI Tools in Global Phishing Campaigns — www.infosecurity-magazine.com — 10.11.2025 18:00