Chinese State-Sponsored Hackers Attacking Semiconductor Industry with Weaponized Cobalt Strike

A sophisticated Chinese state-sponsored cyber espionage campaign has emerged targeting Taiwan’s critical semiconductor industry, employing weaponized Cobalt Strike beacons and advanced social engineering tactics.

Between March and June 2025, multiple threat actors launched coordinated attacks against semiconductor manufacturing, design, and supply chain organizations, reflecting China’s strategic imperative to achieve technological self-sufficiency in this vital sector.

The campaign represents a significant escalation in Chinese cyber operations against Taiwan’s semiconductor ecosystem, with attackers leveraging employment-themed phishing emails to deliver malicious payloads.

The timing of these operations coincides with heightened geopolitical tensions and ongoing export controls that have intensified China’s focus on acquiring semiconductor technologies and intelligence through cyber means.

The primary threat actor, designated UNK_FistBump, orchestrated the most technically sophisticated attacks during May and June 2025, specifically targeting Taiwan-based semiconductor manufacturers and their supply chain partners.

These operations utilized compromised Taiwanese university email accounts to enhance credibility and bypass initial security screening mechanisms.

Proofpoint analysts identified that UNK_FistBump employed a dual-payload strategy, delivering both Cobalt Strike Beacon implants and a custom backdoor called Voldemort through carefully crafted spearphishing campaigns.

The attackers posed as graduate students seeking employment opportunities, using subject lines such as “Product Engineering (Material Analysis/Process Optimization) – National Taiwan University” to lure human resources personnel and recruitment staff.

The malware’s infection mechanism demonstrates remarkable technical sophistication, beginning with password-protected RAR archives containing malicious LNK files.

Upon execution, the LNK file 崗位匹配度說明.pdf.lnk triggers a VBS script named Store.vbs that performs several critical operations.

The script copies four essential files to the C:\Users\Public\Videos directory: javaw.exe, jli.dll, rc4.log, and a decoy PDF document shown to the victim to keep the ruse intact.

Advanced DLL Sideloading and Persistence Mechanisms

The attack chain leverages DLL sideloading techniques against the legitimate javaw.exe executable, which loads the malicious jli.dll library.

Infection chains (Source – Proofpoint)

This DLL serves as a sophisticated loader that decrypts an RC4-encrypted Cobalt Strike Beacon payload stored in the rc4.log file using the hardcoded key qwxsfvdtv.

The decryption step can be summarized as:

RC4_Decrypt(rc4.log, "qwxsfvdtv") → Cobalt Strike Beacon
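As an added triage example (not Proofpoint's tooling), the following script implements RC4 with the hardcoded key named in the report and checks whether a captured rc4.log decrypts to a PE image, which is what a Beacon stage would be; the sample blob is a constructed header stub, not a real beacon, and the file-path handling is an assumption about how an analyst would invoke it.

```python
"""Triage helper for the rc4.log artifact described above (added example)."""
import sys
from pathlib import Path

REPORTED_KEY = b"qwxsfvdtv"  # hardcoded key named in the report


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE check: 'MZ' magic and an e_lfanew pointing at the 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_rc4_log(encrypted: bytes, key: bytes = REPORTED_KEY) -> dict:
    """Decrypt a captured rc4.log blob and report whether a PE image fell out."""
    plain = rc4(key, encrypted)
    return {"is_pe": looks_like_pe(plain), "size": len(plain), "head": plain[:2]}


# Constructed stand-in for a captured rc4.log: a minimal DOS/PE header stub
# (not a real beacon) encrypted with the reported key.
SAMPLE_STUB = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
               + b"PE\x00\x00" + b"\x00" * 20)
SAMPLE_RC4_LOG = rc4(REPORTED_KEY, SAMPLE_STUB)

if __name__ == "__main__":
    # Usage (assumed): python triage.py <path-to-rc4.log>; defaults to the constructed sample.
    blob = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_RC4_LOG
    print(triage_rc4_log(blob))
```

A decrypted blob that passes the PE check is worth handing to a sandbox or a Beacon-config extractor; a blob that does not may simply use a different key or an extra encoding layer.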

The malware establishes persistence through registry modification, creating an entry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that ensures the malicious javaw.exe executable launches during system startup.

UNK_DropPitch infection chain (Source – Proofpoint)

The Cobalt Strike Beacon subsequently establishes command and control communications with the server 166.88.61[.]35 over TCP port 443, utilizing a customized GoToMeeting malleable C2 profile to blend network traffic with legitimate collaboration software communications.

This campaign underscores the evolving threat landscape facing Taiwan’s semiconductor industry, where state-sponsored actors are increasingly deploying sophisticated multi-stage malware delivery systems to compromise critical infrastructure and intellectual property.
