Chinese Hackers Target Taiwan’s Semiconductor Sector with Cobalt Strike, Custom Backdoors
The Taiwanese semiconductor industry has become the target of spear-phishing campaigns undertaken by three Chinese state-sponsored threat actors.
“Targets of these campaigns ranged from organizations involved in the manufacturing, design, and testing of semiconductors and integrated circuits, wider equipment and services supply chain entities within this sector, as well as financial investment analysts specializing in the Taiwanese semiconductor market,” Proofpoint said in a report published Wednesday.
The activity, per the enterprise security firm, took place between March and June 2025 and has been attributed to three China-aligned clusters it tracks as UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp.
UNK_FistBump is said to have targeted semiconductor design, packaging, manufacturing, and supply chain organizations with employment-themed phishing campaigns that delivered either Cobalt Strike or Voldemort, a C-based custom backdoor previously used in attacks against more than 70 organizations globally.
The attack chain involves the threat actor posing as a graduate student in emails sent to recruitment and human resources personnel, seeking job opportunities at the targeted company.

The messages, likely sent from compromised accounts, include a purported resume (an LNK file masquerading as a PDF) that, when opened, triggers a multi-stage sequence leading to the deployment of either Cobalt Strike or Voldemort. A decoy document is displayed to the victim at the same time to avoid raising suspicion.
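The lure described above relies on a shortcut file wearing a document's name. The following is an added example, not code from the Proofpoint report or from any vendor product, of the check a mail gateway or triage script can apply: trust the file header rather than the file name. It assumes attachments are available as (filename, bytes) pairs; the sample attachments are constructed for the example and are not real UNK_FistBump payloads.

```python
"""Added example: flag an e-mail attachment that claims to be a document but
carries a Windows Shell Link (.lnk) header.

Assumptions (not from the article): attachments are handed to us as
(filename, bytes) pairs; the sample bytes below are constructed, not real malware.
"""
from typing import Dict, List

# Every .lnk file starts with HeaderSize 0x0000004C followed by the ShellLink
# CLSID {00021401-0000-0000-C000-000000000046} in its little-endian byte layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")
PDF_MAGIC = b"%PDF-"

DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}
EXEC_EXTENSIONS = {".lnk", ".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd"}


def sniff_type(data: bytes) -> str:
    """Content type implied by the header, independent of the file name."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def split_extensions(name: str) -> List[str]:
    """'Resume.pdf.lnk' -> ['.pdf', '.lnk'] (lowercased, basename dropped)."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def inspect_attachment(name: str, data: bytes) -> List[str]:
    """Return the reasons an attachment looks like a masquerading shortcut.

    An empty list means name and header agree and nothing suspicious was seen.
    """
    findings: List[str] = []
    exts = split_extensions(name)
    final_ext = exts[-1] if exts else ""
    kind = sniff_type(data)

    if kind == "lnk":
        if final_ext != ".lnk":
            findings.append(f"LNK header but extension {final_ext or '(none)'}")
        if any(e in DOC_EXTENSIONS for e in exts):
            # Exactly the pattern in the article: a shortcut named like a resume.
            findings.append("LNK with document-style name")
    elif final_ext == ".lnk":
        findings.append(".lnk extension but no LNK header")

    # Generalisation beyond the article: any executable type hidden behind a
    # document extension (Explorer hides .lnk by default, so 'Resume.pdf.lnk'
    # renders as 'Resume.pdf').
    if len(exts) >= 2 and exts[-1] in EXEC_EXTENSIONS and exts[-2] in DOC_EXTENSIONS:
        findings.append("double extension hiding an executable type: " + "".join(exts))
    return findings


# Constructed samples: a shortcut padded to a plausible header size, a real-looking
# PDF prefix, and a shortcut honestly named .lnk.
SAMPLES: Dict[str, bytes] = {
    "Resume_2025.pdf.lnk": LNK_MAGIC + b"\x00" * 56,
    "Resume_2025.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "shortcut.lnk": LNK_MAGIC + b"\x00" * 56,
}


def scan_samples() -> Dict[str, List[str]]:
    """Run inspect_attachment over the constructed samples."""
    return {name: inspect_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        print(f"{name:22s} {'SUSPICIOUS' if reasons else 'ok':10s} {'; '.join(reasons)}")
```

The decisive signal is the header: a file that begins with the Shell Link CLSID is a shortcut whatever it is called, and a shortcut arriving as a "resume" has no legitimate reason to exist.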
The use of Voldemort has been attributed by Proofpoint to a threat actor called TA415, which overlaps with the prolific Chinese nation-state group referred to as APT41 and Brass Typhoon. That said, the Voldemort activity linked to UNK_FistBump is assessed to be distinct from TA415 due to differences in the loader used to drop Cobalt Strike and the reliance on a hard-coded IP address for command-and-control.
UNK_DropPitch, on the other hand, has been observed striking individuals in multiple major investment firms who focus on investment analysis, particularly within the Taiwanese semiconductor industry. The phishing emails, sent in April and May 2025, embed a link to a PDF document, which, upon opening, downloads a ZIP file containing a malicious DLL payload that’s launched using DLL side-loading.

The rogue DLL is a backdoor codenamed HealthKick that's capable of executing commands, capturing their output, and exfiltrating it to a C2 server. In another attack detected in late May 2025, the same DLL side-loading approach was used to spawn a TCP reverse shell that connects to an actor-controlled VPS at 45.141.139[.]222 over TCP port 465.
The reverse shell gives the attackers a pathway for reconnaissance and discovery and, if the victim is deemed of interest, for dropping the legitimate Intel Endpoint Management Assistant (EMA) for remote control via the C2 domain "ema.moctw[.]info."
“This UNK_DropPitch targeting is exemplary of intelligence collection priorities spanning less obvious areas of the semiconductor ecosystem beyond just design and manufacturing entities,” Proofpoint said.
Further analysis of the threat actor's infrastructure revealed that two of the servers were configured as SoftEther VPN servers, an open-source VPN solution widely used by Chinese hacking groups. An additional connection to China comes from the reuse of a TLS certificate on one of the C2 servers; the same certificate has previously been tied to malware families such as MoonBounce and SideWalk (aka ScrambleCross).

That said, it's currently not known whether the reuse stems from a custom malware family shared across multiple China-aligned threat actors, such as SideWalk, or from shared infrastructure provisioning across these groups.
The third cluster, UNK_SparkyCarp, is characterized by credential phishing attacks that single out an unnamed Taiwanese semiconductor company using a bespoke adversary-in-the-middle (AitM) kit. The campaign was spotted in March 2025.
“The phishing emails masqueraded as account login security warnings and contained a link to the actor-controlled credential phishing domain accshieldportal[.]com, as well as a tracking beacon URL for acesportal[.]com,” Proofpoint said, adding the threat actor had previously targeted the company in November 2024.
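The article quotes its indicators in defanged form (the UNK_DropPitch reverse-shell endpoint and EMA domain above, and the two UNK_SparkyCarp domains here). As an added example, not part of the Proofpoint report, the block below refangs those indicators and sweeps them against connection and DNS logs. The log lines are constructed for the example, and their tab-separated layout loosely following Zeek's conn.log and dns.log is an assumption; adapt the field split to whatever your sensor emits.

```python
"""Added example: refang the indicators quoted in the article and match them
against connection and DNS logs.

Assumptions (not from the article): logs are tab-separated lines in a
Zeek-like layout; the sample log lines below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Indicators exactly as quoted in the article, still defanged.
DEFANGED_IOCS: Dict[str, str] = {
    "45.141.139[.]222:465": "UNK_DropPitch reverse shell (TCP/465)",
    "ema.moctw[.]info": "UNK_DropPitch Intel EMA C2 domain",
    "accshieldportal[.]com": "UNK_SparkyCarp credential phishing domain",
    "acesportal[.]com": "UNK_SparkyCarp tracking beacon domain",
}

IPV4_ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")


def refang(ioc: str) -> str:
    """Undo common defanging: '[.]', '(.)', '{.}' -> '.'; 'hxxp' -> 'http'."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", ioc).replace("hxxp", "http")


def build_matchers(iocs: Dict[str, str]):
    """Split indicators into (ip, port) endpoints, bare IPs and domains."""
    endpoints: Dict[Tuple[str, int], str] = {}
    ips: Dict[str, str] = {}
    domains: Dict[str, str] = {}
    for raw, label in iocs.items():
        clean = refang(raw)
        m = IPV4_ENDPOINT.fullmatch(clean)
        if m:
            ip, port = m.group(1), m.group(2)
            if port:
                endpoints[(ip, int(port))] = label
            ips[ip] = label            # also catch the same host on other ports
        else:
            domains[clean.lower()] = label
    return endpoints, ips, domains


def match_logs(conn_lines: List[str], dns_lines: List[str],
               iocs: Dict[str, str] = DEFANGED_IOCS) -> List[Tuple[str, str, str]]:
    """Return (timestamp, observed, label) for every log line touching an IOC."""
    endpoints, ips, domains = build_matchers(iocs)
    hits: List[Tuple[str, str, str]] = []
    for line in conn_lines:            # ts, src, sport, dst, dport, proto
        ts, _src, _sport, dst, dport, _proto = line.split("\t")
        port = int(dport)
        if (dst, port) in endpoints:
            hits.append((ts, f"{dst}:{port}", endpoints[(dst, port)]))
        elif dst in ips:
            hits.append((ts, f"{dst}:{port}", ips[dst] + " (IP match, other port)"))
    for line in dns_lines:             # ts, src, query
        ts, _src, query = line.split("\t")
        q = query.lower().rstrip(".")
        for dom, label in domains.items():
            if q == dom or q.endswith("." + dom):   # domain or any subdomain
                hits.append((ts, q, label))
    return hits


# Constructed sample logs (not real telemetry).
CONN_LOG = [
    "1717000000.1\t10.0.5.23\t51544\t45.141.139.222\t465\ttcp",
    "1717000001.2\t10.0.5.23\t51550\t52.96.0.10\t443\ttcp",
    "1717000002.3\t10.0.5.40\t51600\t45.141.139.222\t8443\ttcp",
]
DNS_LOG = [
    "1717000003.4\t10.0.5.23\tema.moctw.info",
    "1717000004.5\t10.0.5.31\twww.example.com",
    "1717000005.6\t10.0.5.31\tlogin.accshieldportal.com",
]

if __name__ == "__main__":
    for ts, seen, label in match_logs(CONN_LOG, DNS_LOG):
        print(f"{ts}  {seen:32s}  {label}")
```

Two choices are deliberate: a bare IP indicator still matches when the port differs, because the article's 465 is one observation rather than a property of the server, and a domain indicator matches its subdomains, since beacons commonly use labels such as "login." in front of the registered domain.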
The company said it also observed UNK_ColtCentury, which is also called TAG-100 and Storm-2077, sending benign emails to legal personnel at a Taiwanese semiconductor organization in an effort to build trust and ultimately deliver a remote access trojan known as Spark RAT.
“This activity likely reflects China’s strategic priority to achieve semiconductor self-sufficiency and decrease reliance on international supply chains and technologies, particularly in light of U.S. and Taiwanese export controls,” the company said.
“These emerging threat actors continue to exhibit long-standing targeting patterns consistent with Chinese state interests, as well as TTPs and custom capabilities historically associated with China-aligned cyber espionage operations.”
Salt Typhoon Goes After U.S. National Guard
The development comes as NBC News reported that the Chinese state-sponsored hackers tracked as Salt Typhoon (aka Earth Estries, Ghost Emperor, and UNC2286) broke into at least one U.S. state's National Guard network, signaling an expansion of its targeting. The breach is said to have lasted for at least nine months, between March and December 2024.
The breach “likely provided Beijing with data that could facilitate the hacking of other states’ Army National Guard units, and possibly many of their state-level cybersecurity partners,” a June 11, 2025, report from the U.S. Department of Defense (DoD) said.

“Salt Typhoon extensively compromised a US state’s Army National Guard’s network and, among other things, collected its network configuration and its data traffic with its counterparts’ networks in every other U.S. state and at least four U.S. territories.”
The threat actor also exfiltrated configuration files associated with other U.S. government and critical infrastructure entities, including two state government agencies, between January and March 2024. That same year, Salt Typhoon used its access to a U.S. state's Army National Guard network to harvest administrator credentials, network traffic diagrams, a map of geographic locations throughout the state, and PII of its service members.
These network configuration files could enable further computer network exploitation of other networks, including data capture, administrator account manipulation, and lateral movement between networks, the report said.
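Why a stolen configuration file is worth so much to an intruder is illustrated by the following added example, which is not drawn from the DoD report or from any vendor tool. It audits a Cisco IOS-style configuration for credentials that can be recovered offline: Cisco's "type 7" password encoding is a reversible XOR against a fixed, publicly documented key, so every `password 7` or `key 7` line in an exfiltrated config is effectively cleartext to the adversary, and cleartext SNMP community strings and MD5-based type 5 secrets are not much better. The configuration text is constructed for the example and does not come from any real device.

```python
"""Added example: audit a Cisco IOS-style configuration for secrets an attacker
holding the file could recover offline.

Assumptions (not from the article): IOS-style syntax; the CONFIG text below is
constructed, not from a real device.
"""
import re
from typing import List, Tuple

# Cisco's type 7 obfuscation key. It is fixed and publicly documented, which is
# exactly why type 7 offers no protection once the config leaves the device.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc: str) -> str:
    """Reverse a type 7 string: 2-digit key offset followed by hex of XORed bytes."""
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii", errors="replace")


def encode_type7(plain: str, seed: int = 8) -> str:
    """Forward direction, used here only to build test vectors."""
    body = bytes(ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


PASSWORD_RE = re.compile(r"\b(?:password|key)\s+(?:(?P<type>\d)\s+)?(?P<val>\S+)")
SECRET_RE = re.compile(r"\bsecret\s+(?P<type>\d)\s+(?P<val>\S+)")
SNMP_RE = re.compile(r"^snmp-server community\s+(?P<community>\S+)")

Finding = Tuple[int, str, str]   # (line number, severity, detail)


def audit_config(config: str) -> List[Finding]:
    """Classify every credential-bearing line by how recoverable it is offline."""
    findings: List[Finding] = []
    for n, line in enumerate(config.splitlines(), start=1):
        line = line.strip()
        if (m := SNMP_RE.match(line)):
            findings.append((n, "HIGH", f"cleartext SNMP community '{m['community']}'"))
            continue
        if (m := SECRET_RE.search(line)):
            if m["type"] == "5":
                findings.append((n, "MEDIUM", "type 5 (MD5) secret, crackable offline"))
            elif m["type"] in ("8", "9"):
                findings.append((n, "INFO", f"type {m['type']} secret (PBKDF2/scrypt), strong"))
            continue
        if (m := PASSWORD_RE.search(line)):
            if m["type"] == "7":
                findings.append((n, "HIGH", f"type 7 reversible, decodes to '{decode_type7(m['val'])}'"))
            elif m["type"] in (None, "0"):
                findings.append((n, "HIGH", f"cleartext password '{m['val']}'"))
    return findings


# Constructed configuration (the type 7 value is Cisco's well-known 'cisco' vector).
CONFIG = """\
hostname edge-rtr-01
enable secret 5 $1$abcd$efghijklmnopqrstuvwxyz01
username admin privilege 15 password 7 0822455D0A16
username backup secret 9 $9$zzzzzzzzzzzzzz$yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
snmp-server community public RO
tacacs-server key 7 0822455D0A16
"""

if __name__ == "__main__":
    for n, sev, detail in audit_config(CONFIG):
        print(f"line {n:2d} [{sev:6s}] {detail}")
```

The defensive consequence follows directly: anything flagged HIGH in a configuration that may have been exfiltrated must be rotated, not merely re-obfuscated, and credentials should be stored as type 8 or 9 secrets (or moved to AAA) so that a future config theft yields hashes worth cracking rather than passwords read off the page.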
Initial access has been found to be facilitated by the exploitation of known security vulnerabilities in Cisco (CVE-2018-0171, CVE-2023-20198, and CVE-2023-20273) and Palo Alto Networks (CVE-2024-3400) appliances.
“Salt Typhoon access to Army National Guard networks in these states could include information on state cyber defense posture as well as the personally identifiable information (PII) and work locations of state cybersecurity personnel – data that could be used to inform future cyber-targeting efforts.”
Ensar Seker, CISO at SOCRadar, said in a statement that the attack is yet another reminder that advanced persistent threat actors are going after federal agencies and their state-level components, which may have a more varied security posture.
“The revelation that Salt Typhoon maintained access to a U.S. National Guard network for nearly a year is a serious escalation in the cyber domain,” Seker said. “This isn’t just an opportunistic intrusion. It reflects deliberate, long-term espionage designed to quietly extract strategic intelligence.”
“The group’s sustained presence suggests they were gathering more than just files; they were likely mapping infrastructure, monitoring communication flows, and identifying exploitable weak points for future use. What’s deeply concerning is that this activity went undetected for so long in a military environment. It raises questions about visibility gaps, segmentation policies, and detection capabilities in hybrid federal-state defense networks.”