UTA0388 spear-phishing campaign delivering GOVERSHELL
Campaign
Summary
A China-aligned actor, UTA0388, is running a spear-phishing campaign across North America, Asia, and Europe to deliver the GOVERSHELL implant. The operation matters because it uses tailored espionage lures, malicious archives, and DLL side-loading to push an actively developed backdoor.
Related Happenings
Ghostwriter Prometheus-themed phishing campaign targeting Ukraine government organizations
Campaign
First: 22.05.2026 19:20
Last: 22.05.2026 19:20
Sources 1
About this happening:
A **Ghostwriter** phishing campaign is targeting **Ukraine government organizations** with **Prometheus-themed lures**, increasing the risk of credential theft and follow-on acces...
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
Campaign
First: 22.05.2026 14:30
Last: 22.05.2026 14:30
Sources 1
About this happening:
**Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...
Webworm multi-country targeting campaign against government and enterprise victims
Campaign
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...
Webworm expanded European government and South Africa university espionage campaign
Campaign
First: 20.05.2026 14:30
Last: 20.05.2026 14:30
Sources 1
About this happening:
Webworm expanded its **2025 espionage campaign** into **European government organizations** and a **university in South Africa**, widening the cross-region targeting risk. The ope...
Tax-season credential phishing and RMM malware campaign
Campaign
First: 30.03.2026 18:00
Last: 30.03.2026 18:00
Sources 1
About this happening:
A **tax-themed** cyber campaign is using **credential phishing**, **remote monitoring and management (RMM) tools**, and **fraud lures** to target people handling **financial data*...
Timeline
- 09.10.2025 20:19 (3 articles)
Volexity attributes GOVERSHELL spear-phishing campaign to UTA0388
Initial Disclosure: Volexity attributes spear-phishing campaigns targeting North America, Asia, and Europe, which deliver the Go-based implant GOVERSHELL, to a China-aligned actor codenamed UTA0388. The operation uses tailored lures, fabricated researcher and analyst personas, remotely hosted or self-hosted archive links, and DLL side-loading to launch a backdoor that Volexity says overlaps with Proofpoint's UNK_DropPitch cluster and succeeds the HealthKick malware family. The campaign set includes five identified GOVERSHELL variants first observed between April 2025 and September 2025, and the actor is assessed to have used OpenAI ChatGPT to generate phishing content in English, Chinese, and Japanese and to support malicious workflows.
- From HealthKick to GOVERSHELL: The Evolution of UTA0388's Espionage Malware — thehackernews.com — 09.10.2025 20:19
- China-Aligned UTA0388 Uses AI Tools in Global Phishing Campaigns — www.infosecurity-magazine.com — 10.11.2025 18:00