The Chinese National Computer Virus Emergency Response Center, in conjunction with the National Engineering Laboratory for Computer Virus Prevention Technology and the 360 Digital Security Group, has released a detailed technical report accusing Taiwan’s Information, Communications and Electronic Force Command (ICEFCOM) of orchestrating a series of advanced cyberattacks against critical infrastructure, government bodies, and strategic industries within mainland China, Hong Kong, and Macao.
The report further claims that these activities are conducted with direct support from the United States, citing intelligence-sharing, operational cooperation, and the deployment of American cyber capabilities as key enablers for Taiwanese APT (Advanced Persistent Threat) groups.
Technical Overview of Taiwan-Linked Threat Actors
The report, based on multi-year investigations, identifies five core APT groups: APT-C-01 (Poison Vine), APT-C-62 (Viola Tricolor), APT-C-64 (Anonymous 64), APT-C-65 (Neon Pothos), and APT-C-67 (Ursa), all purportedly supported by Taiwan’s Democratic Progressive Party (DPP) government and commanded by ICEFCOM.

Each group reportedly specializes in cyber espionage and attack campaigns targeting government agencies, research institutions, defense companies, and critical sectors such as transport, energy, and maritime operations.
APT-C-01, for example, is described as having close ties to US Cyber Command, conducting phishing-based intrusions primarily around defense, cross-Strait policy, and maritime intelligence.
These operations are said to intensify around sensitive events such as PLA military drills near Taiwan.
Similarly, APT-C-62 has reportedly leveraged both traditional phishing and web-application vulnerability exploits to compromise entities in research and transport, expanding its activity in concert with US military sales and defense forums involving Taiwan.
APT-C-64, meanwhile, is noted for its impact operations targeting digital media, allegedly aiming to disrupt public order and promote “Taiwan independence content” across online and outdoor media platforms in mainland urban centers.
Other groups, such as APT-C-65 and APT-C-67, have focused on stealing sensitive data from aerospace and energy sectors and infiltrating IoT and surveillance systems for intelligence gathering, respectively.
Attack Tactics and Tools
According to the report, the technical analysis documents extensive use of open-source and commercial penetration testing frameworks (such as Cobalt Strike, Metasploit, and Sliver), RATs (Quasar, Gh0st, Poison Ivy), and commonly abused legitimate remote access tools (GotoHTTP, Jump Desktop, Sunflower).
Attack chains typically begin with tailored phishing emails and decoy documents themed around current events, exploiting known vulnerabilities in operating systems and mainstream business applications.
Lateral movement within compromised networks is facilitated using credential-dumping utilities (pwdump8, MirrorDump), while persistence is achieved via scheduled tasks and registry modifications.
Notably, the report claims that, while the T-APT groups display coordination in timing and objectives with DPP political activities, their technical sophistication remains primarily reliant on public tools and known exploits rather than zero-day vulnerabilities or novel malware development.
ICEFCOM, officially the “Ministry of National Defense Information, Communications and Electronics Command,” is alleged to function as Taiwan’s “fourth military branch,” integrating cyber operations across the military, government, and civilian sectors.
The report outlines ICEFCOM’s organizational evolution, cyber warfare doctrine, and its collaboration with the United States on both talent cultivation and joint cyber defense/offense exercises.
The command, headquartered in New Taipei City, is said to have over 6,000 staff, many recruited from top Taiwanese technical universities with incentives for international certification.
The Chinese government’s report asserts that ICEFCOM’s activities constitute a direct threat to national security, accusing the DPP authorities of betraying national interests through collaboration with foreign “anti-China forces,” especially the United States.
Indicators of Compromise (IOC)
| Tool/Sample | Malware Type | MD5 hash | C2 Servers | Description/Notes |
|---|---|---|---|---|
| Bypass | Trojan | 214888402b3cb924e40035d1b4bafc85 | 51...162:9000 | Win stager, uses InstallUtil.exe |
| Stager | Trojan | 864c832949cc0c8c7ef6ed23d4a6eef3 | 180...219:9008 | Cobalt Strike/Metasploit loader |
| QuasarRAT | RAT | cc1cdb893f6b4a00d65bbef2794b0499 | 1...214:9000 | Open-source C# RAT |
| Sliver RAT | RAT | 61c42751f6bb4efafec524be23055fba | 158...174:443 | Cross-platform, obfuscated loader |
| GotoHTTP | Remote Tool | a3736b69a88da7d2472cec131b10c50e | N/A | Legit tool abused for remote access |
| pwdump8 | Tool | 1b5337482c4a05680da61f02eb27dda1 | N/A | Credential dumping utility |
| fscan64 | Tool | 7b29f9754718e9d284115f5f573de257 | N/A | Network/vulnerability scanner |
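As an added example (not part of the original article or the report it summarizes), the following script parses the IOC table above into a lookup set and hashes files on disk to check them against the published MD5 values; the table text is embedded as constructed input so it runs offline, and the C2 column is ignored because the addresses on the page are truncated.

```python
import hashlib
import re
from pathlib import Path

# IOC table as published on the page; only the MD5 column is used for matching.
IOC_TABLE = """\
| Tool/Sample | Malware Type | MD5 hash | C2 Servers | Description/Notes |
|---|---|---|---|---|
| Bypass | Trojan | 214888402b3cb924e40035d1b4bafc85 | 51...162:9000 | Win stager, uses InstallUtil.exe |
| Stager | Trojan | 864c832949cc0c8c7ef6ed23d4a6eef3 | 180...219:9008 | Cobalt Strike/Metasploit loader |
| QuasarRAT | RAT | cc1cdb893f6b4a00d65bbef2794b0499 | 1...214:9000 | Open-source C# RAT |
| Sliver RAT | RAT | 61c42751f6bb4efafec524be23055fba | 158...174:443 | Cross-platform, obfuscated loader |
| GotoHTTP | Remote Tool | a3736b69a88da7d2472cec131b10c50e | N/A | Legit tool abused for remote access |
| pwdump8 | Tool | 1b5337482c4a05680da61f02eb27dda1 | N/A | Credential dumping utility |
| fscan64 | Tool | 7b29f9754718e9d284115f5f573de257 | N/A | Network/vulnerability scanner |
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def parse_ioc_table(text):
    """Turn the markdown table into {md5: {name, type, note}}; header/separator rows are skipped."""
    iocs = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or not MD5_RE.match(cells[2].lower()):
            continue  # header, separator, or a row without a usable hash
        iocs[cells[2].lower()] = {"name": cells[0], "type": cells[1], "note": cells[4]}
    return iocs

def md5_hex(data):
    # MD5 is used here only because that is what the published IOCs provide.
    return hashlib.md5(data).hexdigest()

def scan_blobs(blobs, iocs):
    """blobs: iterable of (label, bytes). Returns [(label, ioc_entry)] for every hash hit."""
    hits = []
    for label, data in blobs:
        entry = iocs.get(md5_hex(data))
        if entry:
            hits.append((label, entry))
    return hits

def scan_directory(root, iocs):
    """Hash every regular file under root and report matches against the IOC set."""
    def blobs():
        for p in Path(root).rglob("*"):
            if p.is_file():
                yield str(p), p.read_bytes()
    return scan_blobs(blobs(), iocs)
```

Run it with `scan_directory("/path/to/triage", parse_ioc_table(IOC_TABLE))`; a hash match on a legitimate tool such as GotoHTTP or fscan64 is a lead to review rather than proof of compromise, since these binaries are also used for administration.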