Proofpoint Threat Research identified a surge in sophisticated phishing campaigns targeting the Taiwanese semiconductor sector, led by three China-aligned, state-sponsored threat actors.
These campaigns, observed at levels above the historical norm, demonstrate a strategic pivot by Chinese espionage groups towards critical Taiwanese semiconductor organizations and their supporting ecosystems, highlighting an increased prioritization by China for semiconductor technology intelligence.
This escalation comes against the backdrop of intensifying US and Taiwanese export controls, directly affecting China’s ambitions for semiconductor self-sufficiency.
Multi-Stage Infection Chains
The campaign activity included attackers tracked as UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp.
UNK_FistBump focused its spearphishing on recruitment and HR teams at Taiwan-based semiconductor manufacturing, packaging, and testing firms, often sending from compromised Taiwanese university accounts.

Attackers delivered password-protected ZIP or PDF documents containing links to externally hosted archives, with payloads shifting from standard Cobalt Strike Beacons to the custom Voldemort backdoor as the campaign evolved.
UNK_FistBump’s attack chains abused DLL sideloading: a legitimately signed executable (such as javaw.exe or CiscoCollabHost.exe) was shipped next to a malicious DLL carrying the name of a library the executable loads by relative path, so the trusted, signed binary loaded the attacker’s code.
The sideloaded DLL then ran Cobalt Strike or Voldemort in memory, giving the attackers a covert command-and-control channel; Voldemort is notable for routing its communications through Google Sheets.
Proofpoint notes overlaps with techniques and tooling from the established TA415 (APT41/Brass Typhoon) group, though differences in loader and infrastructure usage led researchers to treat UNK_FistBump as a distinct entity for now.
Meanwhile, UNK_DropPitch launched targeted phishing attacks on financial analysts within major investment banks tracking the Taiwanese semiconductor market.
These campaigns distributed ZIP files pairing a legitimate executable susceptible to DLL sideloading with a custom malicious DLL, culminating in the deployment of simple backdoors such as HealthKick and raw TCP reverse shells.
Subsequent post-compromise activity included the installation of remote management tools, like Intel Endpoint Management Assistant, for persistent access.

UNK_DropPitch’s infrastructure exhibited further links to Chinese espionage tools, including use of TLS certificates and VPS hosting characteristics associated with APT41’s SideWalk malware family.
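Both clusters above rely on the same initial-execution trick: a signed host executable dropped outside its install path next to a DLL it trusts by name. The following hunting logic, added here as an example and not Proofpoint’s code, scores Sysmon Event ID 7 (Image Loaded) records for that layout. It assumes the records have been reduced to dicts with the Image, ImageLoaded, Signed and SignatureStatus fields; the sample events and the DLL file names in them are constructed (the report does not name the sideloaded DLLs).

```python
"""
Hunting DLL sideloading through signed host binaries such as javaw.exe and
CiscoCollabHost.exe. Added example; assumes Sysmon EID 7 records as dicts.
"""
from pathlib import PureWindowsPath

# Host executables the report names as sideloading targets (lower-case basenames).
# Extend this from your own telemetry.
SIDELOAD_HOSTS = {"javaw.exe", "ciscocollabhost.exe"}

# Directories from which these hosts legitimately load DLLs. Anything else
# (Temp, Downloads, an extracted archive) is where a sideload lands.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def assess_image_load(evt: dict) -> list[str]:
    """Reasons one EID 7 record looks like a sideload; an empty list means benign."""
    image = PureWindowsPath(evt["Image"])
    loaded = PureWindowsPath(evt["ImageLoaded"])
    if image.name.lower() not in SIDELOAD_HOSTS or loaded.suffix.lower() != ".dll":
        return []
    reasons = []
    if not in_trusted_dir(str(loaded)):
        reasons.append("dll loaded from untrusted directory")
    if evt.get("Signed", "false").lower() != "true":
        reasons.append("dll unsigned")
    elif evt.get("SignatureStatus", "").lower() != "valid":
        reasons.append("dll signature not valid")
    # The classic layout: the signed host copied next to the rogue DLL, outside
    # its install path. PureWindowsPath compares case-insensitively.
    if image.parent == loaded.parent and not in_trusted_dir(str(image)):
        reasons.append("signed host relocated alongside dll")
    return reasons


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(event index, reasons) for every event that scored at least one reason."""
    return [(i, r) for i, e in enumerate(events) if (r := assess_image_load(e))]


# Constructed sample events; DLL names are placeholders, not from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Java\jre-11\bin\javaw.exe",          # legitimate Java
     "ImageLoaded": r"C:\Program Files\Java\jre-11\bin\jli.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\hr\AppData\Local\Temp\Resume_2025\javaw.exe",  # host in an extracted ZIP
     "ImageLoaded": r"C:\Users\hr\AppData\Local\Temp\Resume_2025\jli.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\analyst\Downloads\Introduction Document\CiscoCollabHost.exe",
     "ImageLoaded": r"C:\Users\analyst\Downloads\Introduction Document\launcher.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\notepad.exe",                      # not a tracked host
     "ImageLoaded": r"C:\Users\hr\AppData\Local\Temp\evil.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['Image']} -> {'; '.join(reasons)}")
```

Treat the reasons as a score rather than a verdict: a portable JDK unpacked under a user profile will trip the untrusted-directory check, and some vendors ship unsigned helper DLLs, so tune TRUSTED_DIRS and the host list to your estate before alerting on a single reason. Three reasons on one record, as in the two sideload events above, is the pattern worth paging on.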
Credential Harvesting
Proofpoint also reported activity from UNK_SparkyCarp, which in March 2025 executed an adversary-in-the-middle (AiTM) credential phishing campaign, using bespoke frameworks and lure pages to compromise authentication data from targeted Taiwanese semiconductor companies.
This wave reflects a wider trend: as established Chinese threat actors shift their TTPs toward exploiting edge devices, a new generation of China-aligned clusters is intensifying its focus on phishing-based initial access against high-value technology sector targets.
These observed intrusions underscore a notable expansion in Chinese cyberespionage initiatives, specifically calibrated to Taiwan’s semiconductor industry and its value chain.
By expanding targeting to include not only chip manufacturers and design houses, but also downstream supply chain players and financial analysis professionals, Chinese state-sponsored threat groups are broadening their intelligence collection efforts to support long-term strategic priorities.
Indicators of Compromise (IOCs)
Indicator | Type | Description / Associated Actor | Date First Seen |
---|---|---|---|
166.88.61[.]35 | IP Address | Cobalt Strike C2 (UNK_FistBump) | May 2025 |
hxxps://sheets[.]googleapis[.]com/v4/spreadsheets/1z8ykHVYh9DF-b_BFDA9c4Q2ojfrgl-fq1v797Y5576Y | URL | Voldemort Google Sheets C2 (UNK_FistBump) | May 2025 |
john.doe89e@gmail[.]com | Email Address | Malware delivery (UNK_FistBump) | May 2025 |
hxxps://api[.]moctw[.]info/Intro.pdf | URL | Malware delivery (UNK_DropPitch) | April 2025 |
ema.moctw[.]info | Domain | C2 (UNK_DropPitch) | April 2025 |
80.85.156[.]234 | IP Address | C2 (UNK_DropPitch) | April 2025 |
accshieldportal[.]com | Domain | Credential phishing (UNK_SparkyCarp) | March 2025 |
menglunwuluegg226@proton[.]me | Email Address | Malware delivery (UNK_SparkyCarp) | March 2025 |
1a2530010ecb11f0ce562c0db0380416a10106e924335258ccbba0071a19c852 | SHA256 | Zip Archive (UNK_FistBump) | June 2025 |
d51c195b698c411353b10d5b1795cbc06040b663318e220a2d121727c0bb4e43 | SHA256 | Introduction Document.exe (UNK_DropPitch) | May 2025 |
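To turn the table above into something that can be swept across logs, the indicators have to be refanged (`[.]` back to `.`, `hxxps` back to `https`) and matched by type: IPs, hashes and e-mail addresses exactly, domains including subdomains, and URLs as full prefixes. The full-URL rule matters here because the Voldemort C2 sits on sheets.googleapis.com, a host every legitimate Google Sheets client also talks to. The script below is an added example, not Proofpoint’s tooling; the IOCs are the ones published above, and the proxy, DNS, mail and EDR lines are constructed, using RFC 5737 test addresses for internal and unrelated hosts.

```python
"""
Refang the report's IOC table and sweep constructed proxy, DNS, mail and EDR
lines for it. Added example; not Proofpoint's tooling.
"""
import re
from urllib.parse import urlsplit

# The published table, verbatim apart from the e-mail rows carrying their Type cell.
IOC_TABLE = """\
Indicator | Type | Description / Associated Actor | Date First Seen |
---|---|---|---|
166.88.61[.]35 | IP Address | Cobalt Strike C2 (UNK_FistBump) | May 2025 |
hxxps://sheets[.]googleapis[.]com/v4/spreadsheets/1z8ykHVYh9DF-b_BFDA9c4Q2ojfrgl-fq1v797Y5576Y | URL | Voldemort Google Sheets C2 (UNK_FistBump) | May 2025 |
john.doe89e@gmail[.]com | Email Address | Malware delivery (UNK_FistBump) | May 2025 |
hxxps://api[.]moctw[.]info/Intro.pdf | URL | Malware delivery (UNK_DropPitch) | April 2025 |
ema.moctw[.]info | Domain | C2 (UNK_DropPitch) | April 2025 |
80.85.156[.]234 | IP Address | C2 (UNK_DropPitch) | April 2025 |
accshieldportal[.]com | Domain | Credential phishing (UNK_SparkyCarp) | March 2025 |
menglunwuluegg226@proton[.]me | Email Address | Malware delivery (UNK_SparkyCarp) | March 2025 |
1a2530010ecb11f0ce562c0db0380416a10106e924335258ccbba0071a19c852 | SHA256 | Zip Archive (UNK_FistBump) | June 2025 |
d51c195b698c411353b10d5b1795cbc06040b663318e220a2d121727c0bb4e43 | SHA256 | Introduction Document.exe (UNK_DropPitch) | May 2025 |
"""

IOC_TYPES = {"IP Address", "URL", "Domain", "SHA256", "Email Address"}


def refang(s: str) -> str:
    """Undo the defanging used in published IOCs: [.] -> . and hxxp(s) -> http(s)."""
    s = s.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def parse_ioc_table(text: str) -> list[dict]:
    iocs = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[1] not in IOC_TYPES:  # skips header and separator rows
            continue
        iocs.append({"indicator": refang(cells[0]).lower(), "type": cells[1], "context": cells[2]})
    return iocs


URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
HOST_RE = re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def match_line(line: str, iocs: list[dict]) -> list[dict]:
    """Return the IOCs that appear in one log line, matched according to their type."""
    urls = [u.lower().rstrip('",;') for u in URL_RE.findall(line)]
    hosts = {h.lower() for h in HOST_RE.findall(line)}
    hosts |= {urlsplit(u).hostname for u in urls if urlsplit(u).hostname}
    ips = set(IPV4_RE.findall(line))
    hashes = {h.lower() for h in SHA256_RE.findall(line)}
    emails = {e.lower() for e in EMAIL_RE.findall(line)}
    hits = []
    for ioc in iocs:
        ind, kind = ioc["indicator"], ioc["type"]
        if kind == "IP Address" and ind in ips:
            hits.append(ioc)
        elif kind == "SHA256" and ind in hashes:
            hits.append(ioc)
        elif kind == "Email Address" and ind in emails:
            hits.append(ioc)
        elif kind == "Domain" and any(h == ind or h.endswith("." + ind) for h in hosts):
            hits.append(ioc)
        # Full-URL prefix on purpose: matching sheets.googleapis.com alone would
        # flag every legitimate Google Sheets client in the estate.
        elif kind == "URL" and any(u.startswith(ind) for u in urls):
            hits.append(ioc)
    return hits


def sweep(lines: list[str], iocs: list[dict]) -> list[tuple[int, list[str]]]:
    """(line index, [IOC context strings]) for every line with at least one hit."""
    out = []
    for i, line in enumerate(lines):
        hits = match_line(line, iocs)
        if hits:
            out.append((i, [h["context"] for h in hits]))
    return out


# Constructed log lines; 10.20.0.0/16 and 203.0.113.0/24 stand in for internal and unrelated hosts.
SAMPLE_LOGS = [
    "2025-05-12T09:14:02Z proxy src=10.20.4.17 dst=166.88.61.35 dport=443 url=-",
    "2025-05-12T09:15:40Z proxy src=10.20.4.17 dst=203.0.113.7 dport=443 url=https://sheets.googleapis.com/v4/spreadsheets/1z8ykHVYh9DF-b_BFDA9c4Q2ojfrgl-fq1v797Y5576Y/values/Sheet1",
    "2025-05-12T09:16:01Z proxy src=10.20.4.18 dst=203.0.113.7 dport=443 url=https://sheets.googleapis.com/v4/spreadsheets/FinanceTeamSheet/values/A1",
    "2025-04-03T11:02:13Z dns client=10.20.7.3 qname=ema.moctw.info qtype=A",
    "2025-03-21T08:44:09Z mail from=menglunwuluegg226@proton.me to=hr@example.com subject=CV",
    "2025-06-02T14:03:55Z edr host=WS-HR-07 event=file_write sha256=1A2530010ECB11F0CE562C0DB0380416A10106E924335258CCBBA0071A19C852 path=C:\\Users\\hr\\Downloads\\resume.zip",
    "2025-06-02T14:05:10Z dns client=10.20.7.9 qname=www.example.com qtype=A",
]

if __name__ == "__main__":
    for idx, contexts in sweep(SAMPLE_LOGS, parse_ioc_table(IOC_TABLE)):
        print(f"line {idx}: {', '.join(contexts)}")
```

The third proxy line, a legitimate Sheets request, produces no hit; the second, which carries the published spreadsheet ID, does. Hash matching is case-insensitive because EDR products disagree on hex case, and domain matching includes subdomains so that a fresh host under moctw[.]info is still caught.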