Chinese State-Sponsored Hackers Target Semiconductor Industry with Weaponized Cobalt Strike
Proofpoint Threat Research has identified a sophisticated multi-pronged cyberespionage campaign targeting Taiwan’s semiconductor industry between March and June 2025.
Three distinct Chinese state-sponsored threat actors, designated as UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp, conducted coordinated phishing operations against organizations spanning semiconductor manufacturing, design, testing, supply chain entities, and financial investment analysts specializing in the Taiwanese semiconductor market.
The campaign’s primary motivation appears to be intelligence collection supporting China’s strategic priority to achieve semiconductor self-sufficiency and reduce dependence on international supply chains.
This activity coincides with increasing external pressures from US and Taiwanese export controls, reinforcing the critical importance of semiconductor technologies in China’s national economic development initiatives.
UNK_FistBump emerged as the most technically sophisticated actor, conducting employment-themed phishing campaigns targeting semiconductor manufacturing, packaging, testing, and supply chain organizations throughout May and June 2025.
Posing as graduate students from National Taiwan University seeking employment opportunities, the threat actors compromised legitimate university email accounts to enhance their credibility when contacting recruitment and HR personnel.
The group’s infection methodology involved password-protected archive attachments or PDF documents containing URLs leading to files hosted on Zendesk instances or Filemail sharing services.
In an unusual tactical evolution, UNK_FistBump initially deployed Cobalt Strike Beacon payloads before transitioning to the custom Voldemort backdoor in late May 2025.
Most remarkably, one campaign featured dual infection chains within the same archive, simultaneously delivering both Cobalt Strike and Voldemort payloads through distinct Microsoft Shortcut files.
Chinese Espionage Operations
The technical analysis reveals sophisticated DLL sideloading techniques employed by UNK_FistBump, leveraging legitimate signed executables vulnerable to sideloading attacks.
The Cobalt Strike infection chain utilized a VBS script copying malicious files to the C:\Users\Public\Videos directory, executing javaw.exe to load the malicious jli.dll, which subsequently decrypted an RC4-encrypted Cobalt Strike Beacon payload using the hardcoded key “qwxsfvdtv”.

The payload communicated with infrastructure at 166.88.61[.]35 over TCP port 443 using a customized GoToMeeting malleable C2 profile.
The Voldemort infection chain demonstrated similar sophistication, employing CiscoCollabHost.exe to sideload CiscoSparkLauncher.dll, ultimately delivering the custom backdoor that utilized Google Sheets for command and control communications.
This specific implementation closely resembles techniques previously attributed to TA415 (APT41, Brass Typhoon), though sufficient differences exist to warrant separate tracking.
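The two sideloading chains described above share a detectable shape: a legitimately signed host binary (javaw.exe, CiscoCollabHost.exe) running from a user-writable directory and loading an unsigned DLL of the expected name (jli.dll, CiscoSparkLauncher.dll) from that same directory. The following is an added example, not code from Proofpoint or the report, that applies that logic to constructed, Sysmon-like process-creation and image-load events; the event field names and the sample paths are assumptions.

```python
# Constructed, Sysmon-like events (not telemetry from the report).
EVENTS = [
    {"type": "process", "image": r"C:\Users\Public\Videos\javaw.exe",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"type": "imageload", "image": r"C:\Users\Public\Videos\javaw.exe",
     "loaded": r"C:\Users\Public\Videos\jli.dll", "signed": False},
    {"type": "imageload",
     "image": r"C:\Users\alice\AppData\Local\Temp\CiscoCollabHost.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\CiscoSparkLauncher.dll",
     "signed": False},
    # Benign: the real JRE loading its own signed jli.dll from Program Files.
    {"type": "imageload", "image": r"C:\Program Files\Java\bin\javaw.exe",
     "loaded": r"C:\Program Files\Java\bin\jli.dll", "signed": True},
]

# Host binary -> DLL it is abused to sideload, as named in the report.
SIDELOAD_PAIRS = {"javaw.exe": "jli.dll",
                  "ciscocollabhost.exe": "ciscosparklauncher.dll"}
# User-writable locations where a signed vendor binary should not live.
SUSPECT_DIRS = (r"c:\users\public", r"\appdata\local\temp", r"\downloads")

def basename(path): return path.rsplit("\\", 1)[-1].lower()
def dirname(path): return path.rsplit("\\", 1)[0].lower()

def is_suspect_dir(path):
    return any(s in dirname(path) for s in SUSPECT_DIRS)

def flag_process(ev):
    """Known host binary launched from a user-writable path (e.g. by a VBS)."""
    if ev["type"] != "process":
        return None
    host = basename(ev["image"])
    if host in SIDELOAD_PAIRS and is_suspect_dir(ev["image"]):
        return f"{host} launched from {dirname(ev['image'])} by {basename(ev['parent'])}"
    return None

def flag_sideload(ev):
    """Host binary loading its unsigned companion DLL from the same suspect dir."""
    if ev["type"] != "imageload":
        return None
    host, dll = basename(ev["image"]), basename(ev["loaded"])
    if SIDELOAD_PAIRS.get(host) != dll:
        return None
    same_dir = dirname(ev["image"]) == dirname(ev["loaded"])
    if same_dir and not ev.get("signed", True) and is_suspect_dir(ev["image"]):
        return f"{host} sideloading unsigned {dll} from {dirname(ev['image'])}"
    return None

def scan(events):
    """Return one reason string per event that matches either rule."""
    hits = [flag_process(e) or flag_sideload(e) for e in events]
    return [h for h in hits if h]
```

Run against the constructed events, the three malicious entries are flagged and the Program Files load is not; on real telemetry, extend SUSPECT_DIRS to the directories your environment treats as user-writable.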
UNK_DropPitch represented a strategic departure from traditional manufacturing-focused targeting, instead concentrating on financial investment analysts at major banks who specialize in Taiwanese semiconductor market analysis.
Operating in April and May 2025, this group masqueraded as a fictitious financial investment firm seeking collaboration opportunities.
Their initial payload delivery involved the HealthKick backdoor, a simple custom tool employing FakeTLS protocol communicating with 82.118.16[.]72 over TCP port 465.
The group’s infrastructure analysis revealed consistent use of Russian VPS hosting provider ProfitServer with reverse DNS names referencing the “Mr. Robot” character Elliot Alderson.
Multiple servers exhibited SoftEther VPN configurations, a common technique among Chinese threat actors for both infrastructure administration and traffic tunneling.
A particularly notable finding was the identification of a TLS certificate (CN=AS.website) historically associated with multiple Chinese state-sponsored operations, including the SideWalk backdoor and MoonBounce firmware rootkit.
Advanced Persistent Threat Landscape
The third actor, UNK_SparkyCarp, conducted credential phishing operations using custom adversary-in-the-middle (AITM) frameworks targeting Taiwanese semiconductor companies.
Their phishing emails masqueraded as account login security warnings, directing victims to the actor-controlled domain accshieldportal[.]com.
This represents a more direct approach compared to the malware-focused campaigns of the other two groups.
The broader implications of this coordinated activity extend beyond individual company targeting.
The simultaneous deployment of multiple threat actors with distinct capabilities suggests a well-orchestrated intelligence collection strategy aligned with China’s national priorities.
The shift from sporadic semiconductor targeting to sustained, multi-vector campaigns indicates an escalation in Chinese cyber espionage activities against this critical sector.
Proofpoint’s analysis reveals that these emerging threat actors continue exhibiting long-standing targeting patterns consistent with Chinese state interests while adapting their tactics, techniques, and procedures to current security landscapes.
The influx of new China-aligned phishing groups represents a concerning evolution in the threat landscape, particularly as established actors increasingly pivot toward edge device exploitation and alternative initial access vectors.
The coordinated nature of these campaigns, targeting different aspects of the semiconductor ecosystem from manufacturing to financial analysis, demonstrates the comprehensive intelligence requirements driving Chinese state-sponsored cyber operations.
This multi-dimensional approach enables intelligence collection across the entire semiconductor value chain, from technical specifications to market dynamics and investment strategies.
Indicators of Compromise
| Indicator Type | Indicator | Description | Associated Actor |
|---|---|---|---|
| IP Address | 166.88.61[.]35 | Cobalt Strike C2 | UNK_FistBump |
| IP Address | 82.118.16[.]72 | HealthKick backdoor C2 | UNK_DropPitch |
| IP Address | 45.141.139[.]222 | Reverse shell C2 | UNK_DropPitch |
| Domain | moctw[.]info | Malware delivery | UNK_DropPitch |
| Domain | accshieldportal[.]com | Credential phishing | UNK_SparkyCarp |
| URL | hxxps://sheets[.]googleapis[.]com:443/v4/spreadsheets/1z8ykHVYh9DF-b_BFDA9c4Q2ojfrgl-fq1v797Y5576Y | Voldemort Google Sheets C2 | UNK_FistBump |
| Email | john.doe89e@gmail[.]com | Malware delivery | UNK_FistBump |
| Email | amelia_w_chavez@proton[.]me | Malware delivery | UNK_DropPitch |
| SHA256 | 82ecfe0ada6f7c0cea78bca2e8234241f1a1b8670b5b970df5e2ee255c3a56ef | CiscoSparkLauncher.dll (Voldemort loader) | UNK_FistBump |
| SHA256 | bbdad59db64c48f0a9eb3e8f2600314b0e3ebd200e72fa96bf5a84dd29d64ac5 | jli.dll (Cobalt Strike loader) | UNK_FistBump |
| SHA256 | 9b2cbcf2e0124d79130c4049f7b502246510ab681a3a84224b78613ef322bc79 | libcef.dll (HealthKick backdoor) | UNK_DropPitch |
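The network indicators above are defanged (`[.]`, `hxxps://`) so they cannot be clicked by accident, which also means they will not match raw logs as written. The following added example, not code from the report, refangs the IP and domain entries and matches them against constructed DNS, firewall and proxy log lines (the log format is an assumption), treating a domain hit as any host equal to the indicator or a subdomain of it.

```python
import re

# Defanged network indicators, copied verbatim from the table above.
IOCS = {
    "166.88.61[.]35": "Cobalt Strike C2 (UNK_FistBump)",
    "82.118.16[.]72": "HealthKick backdoor C2 (UNK_DropPitch)",
    "45.141.139[.]222": "Reverse shell C2 (UNK_DropPitch)",
    "moctw[.]info": "Malware delivery (UNK_DropPitch)",
    "accshieldportal[.]com": "Credential phishing (UNK_SparkyCarp)",
}

def refang(ioc):
    """Turn analyst-safe notation back into the value that appears in logs."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .lower())

IOC_MAP = {refang(k): v for k, v in IOCS.items()}

# Host/IP-looking tokens; '=' and whitespace act as separators, so
# "dst=166.88.61.35" yields the bare address.
TOKEN_RE = re.compile(r"[a-z0-9.-]+")

def match_line(line):
    """Return sorted (indicator, description) pairs found in one log line."""
    hits = set()
    for tok in TOKEN_RE.findall(line.lower()):
        for ioc, desc in IOC_MAP.items():
            # Exact match for IPs/domains, suffix match for subdomains.
            if tok == ioc or tok.endswith("." + ioc):
                hits.add((ioc, desc))
    return sorted(hits)

# Constructed log lines (not from the report); only the first two should hit.
LOGS = [
    "2025-05-12T08:14:03Z dns query=login.accshieldportal.com type=A client=10.1.2.3",
    "2025-05-12T08:15:10Z fw allow src=10.1.2.3 dst=166.88.61.35 dport=443 proto=tcp",
    "2025-05-12T08:16:22Z proxy GET https://www.example.com/ status=200",
]

def scan_logs(lines):
    """Pair each line that contains an indicator with its matches."""
    return [(line, match_line(line)) for line in lines if match_line(line)]
```

The SHA256 values from the table can be added to IOCS unchanged, since a 64-character hex digest is matched by the same tokenizer as an exact token.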