Ethical Hacking News
Chinese hackers have been targeting Taiwan's semiconductor sector with spear-phishing campaigns, using malicious software such as Cobalt Strike and custom backdoors like Voldemort. The attacks, attributed to three Chinese state-sponsored threat actors - UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp - have resulted in the delivery of malware to organizations involved in semiconductor design, manufacturing, and supply chain management.
According to a report published by Proofpoint, a cybersecurity firm, these attacks took place between March and June 2025. The attackers used phishing emails that masqueraded as employment opportunities or account login security warnings, containing links to malicious domains and downloading malware payloads onto unsuspecting victims' computers.
UNK_FistBump, one of the threat actors identified by Proofpoint, was observed targeting semiconductor design and manufacturing organizations with employment-themed phishing campaigns. The campaigns resulted in the delivery of either Cobalt Strike, a commercial post-exploitation framework widely abused in targeted attacks, or Voldemort, a custom backdoor previously used in attacks aimed at over 70 organizations globally.
The attack chain involves the threat actor posing as a graduate student in emails sent to recruitment and human resources personnel, seeking job opportunities at the targeted company. The messages likely came from compromised accounts, including a purported resume that triggered a multi-stage sequence when opened, which led to the deployment of Cobalt Strike or Voldemort. Meanwhile, a decoy document was displayed to the victim to avoid raising suspicion.
UNK_DropPitch, on the other hand, has been observed targeting individuals in multiple major investment firms who focus on investment analysis, particularly within the Taiwanese semiconductor industry. The phishing emails sent in April and May 2025 embedded a link to a PDF document that downloaded a ZIP file containing a malicious DLL payload launched using DLL side-loading.
The rogue DLL is codenamed HealthKick, capable of executing commands, capturing results of those runs, and exfiltrating them to a C2 server. Another attack detected in late May 2025 used the same DLL side-loading approach to spawn a TCP reverse shell that established contact with an actor-controlled VPS server over TCP port 465.
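The two DLL side-loading intrusions described above leave behaviour a defender can look for in endpoint telemetry: a DLL loaded from the same user-writable directory as the executable that loaded it, and an outbound TCP connection to port 465 from a process that is not a mail client. The following is an added detection example written for this article; it is not code from Proofpoint or from the article's sources. The event schema, the sample telemetry, the user-writable path prefixes and the mail-client allowlist are all constructed assumptions; map them to whatever your EDR or Sysmon pipeline actually emits.

```python
"""Heuristic detection for DLL side-loading and suspicious port-465 egress.

Added example (not from the article). Event schema and sample data are
constructed for illustration and are not real telemetry.
"""
from pathlib import PureWindowsPath

# Constructed sample telemetry: two image-load events and two network events.
SAMPLE_EVENTS = [
    {"type": "image_load", "pid": 4120,
     "process": r"C:\Users\alice\Downloads\tool\update_tool.exe",
     "image": r"C:\Users\alice\Downloads\tool\version.dll", "signed": False},
    {"type": "image_load", "pid": 512,
     "process": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rpcss.dll", "signed": True},
    {"type": "network", "pid": 4120,
     "process": r"C:\Users\alice\Downloads\tool\update_tool.exe",
     "proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 465},
    {"type": "network", "pid": 2200,
     "process": r"C:\Program Files\MailVendor\mailclient.exe",
     "proto": "tcp", "dst_ip": "203.0.113.20", "dst_port": 465},
]

# Assumed: directories an unprivileged user can write to on a standard Windows image.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Assumed allowlist of processes expected to speak SMTPS (TCP 465). Tune per estate.
MAIL_CLIENT_NAMES = {"outlook.exe", "thunderbird.exe", "mailclient.exe"}


def is_user_writable(path: str) -> bool:
    """True if the path sits under a directory ordinary users can write to."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def detect_sideload(event: dict):
    """Flag an unsigned DLL loaded from the same user-writable directory as its host EXE.

    This is the shape of classic side-loading: a legitimate executable dropped next to
    a same-named malicious DLL so the loader resolves the DLL from the EXE's directory.
    """
    if event.get("type") != "image_load":
        return None
    proc = PureWindowsPath(event["process"])
    image = PureWindowsPath(event["image"])
    if image.suffix.lower() != ".dll":
        return None
    same_dir = str(proc.parent).lower() == str(image.parent).lower()
    if same_dir and is_user_writable(str(image)) and not event.get("signed", False):
        return {"rule": "dll_sideload_user_writable", "pid": event["pid"],
                "process": event["process"], "image": event["image"]}
    return None


def detect_port465_abuse(event: dict):
    """Flag TCP 465 egress from a process that is not an expected mail client."""
    if event.get("type") != "network" or event.get("proto") != "tcp":
        return None
    if event.get("dst_port") != 465:
        return None
    name = PureWindowsPath(event["process"]).name.lower()
    if name not in MAIL_CLIENT_NAMES:
        return {"rule": "tcp465_non_mail_process", "pid": event["pid"],
                "process": event["process"], "dst_ip": event["dst_ip"]}
    return None


def scan(events: list) -> list:
    """Run both heuristics over a list of events and return the alerts raised."""
    alerts = []
    for ev in events:
        for rule in (detect_sideload, detect_port465_abuse):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


def correlated_pids(alerts: list) -> set:
    """PIDs that tripped more than one rule; a side-load followed by odd egress is higher confidence."""
    seen, multi = {}, set()
    for a in alerts:
        seen.setdefault(a["pid"], set()).add(a["rule"])
        if len(seen[a["pid"]]) > 1:
            multi.add(a["pid"])
    return multi


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("PIDs hitting multiple rules:", correlated_pids(found))
```

On the constructed sample, only the process launched from the Downloads directory trips both rules, while the mail client's port-465 connection and the signed system DLL load are left alone. The `correlated_pids` step is where the value lies: either heuristic alone is noisy, but the same PID side-loading a DLL and then reaching out on a port it has no business using is a strong signal worth an analyst's time.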
The development comes as NBC News reported that Chinese state-sponsored hackers tracked as Salt Typhoon broke into at least one U.S. state's National Guard network, signaling an expansion of the group's targeting. The breach "likely provided Beijing with data that could facilitate the hacking of other states' Army National Guard units, and possibly many of their state-level cybersecurity partners," a June 11, 2025, report from the U.S. Department of Defense (DoD) said. Salt Typhoon extensively compromised the state's Army National Guard network, collecting its network configuration and its data traffic with counterpart networks in every other U.S. state and at least four U.S. territories.
The attack is yet another reminder that advanced persistent threat actors are going after federal agencies and state-level components, whose security posture can vary widely. "The revelation that Salt Typhoon maintained access to a U.S. National Guard network for nearly a year is a serious escalation in the cyber domain. This isn't just an opportunistic intrusion. It reflects deliberate, long-term espionage designed to quietly extract strategic intelligence," said Ensar Seker, CISO at SOCRadar.
Related Information:
https://www.ethicalhackingnews.com/articles/Chinese-Hackers-Target-Taiwans-Semiconductor-Sector-with-Cobalt-Strike-and-Custom-Backdoors-A-Growing-Concern-for-Global-Security-ehn.shtml
https://thehackernews.com/2025/07/chinese-hackers-target-taiwans.html
Published: Thu Jul 17 05:36:06 2025 by llama3.2 3B Q4_K_M