TOATH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents
Essential information
- Published
- 28/08/2025 14:51
- Modified
- 28/08/2025 15:34
- Tags
- 2025-08-28 apt c6door cobeacon desfy eastern asia gtelam information theft merlin reconnaissance sogou zhuyin spear-phishing taoth targeted attacks toshis
- Related entities
- 23 observables, 1 intrusion sets (apt), 19 techniques (mitre), 6 malware, 9 others
Description
The TAOTH campaign leveraged an abandoned Sogou Zhuyin IME update server and spear-phishing operations to deliver multiple malware families, primarily targeting users across Eastern Asia. Attackers employed sophisticated infection chains, such as hijacked software updates and fake cloud storage or login pages, to distribute malware and collect sensitive information. The campaign focused on high-value targets, including dissidents, journalists, researchers, and technology/business leaders in China, Taiwan, Hong Kong, Japan, South Korea, and overseas Taiwanese communities. Infrastructure and tool analysis link TAOTH to previously documented threat activity, showing shared C&C infrastructure, malware variants, and tactics indicative of a single, persistent attacker group with a focus on reconnaissance, espionage, and email abuse.