Volexity has uncovered a sophisticated cyber-espionage operation in which a China-aligned threat actor, tracked as UTA0388, weaponized Large Language Models (LLMs) such as ChatGPT to automate spear-phishing, create multilingual lures, and even assist in malware development.
According to Volexity, “Starting in June 2025, Volexity detected a series of spear phishing campaigns targeting several customers and their users in North America, Asia, and Europe.” The attackers impersonated credible researchers and policy analysts from fake institutions, tricking victims into opening archives that contained malware payloads.
Volexity assesses with high confidence that UTA0388 operates in alignment with the Chinese state, based on both technical indicators and targeting behavior centered on Asian geopolitical issues — particularly Taiwan.
What distinguishes UTA0388 from conventional APT groups is its rapport-building phishing technique — a slower, more human-like approach. Instead of sending malicious links immediately, the attackers engaged victims in multiple email exchanges before delivering infected files.

Volexity explains, “Once the initial and broader campaigns subsided, Volexity further observed multiple instances of highly tailored spear phishing… where UTA0388 did not send a link to malware at first. Instead they engaged the target in conversation, and only after corresponding over the course of several emails would a malicious phishing link be sent.”
This patient social-engineering style was amplified by AI-generated content. Emails read fluently in English, Chinese, Japanese, French, and German, a linguistic range well beyond what a single operator or small team would normally manage. Yet beneath the polish lay inconsistencies that revealed the text had been generated rather than written and reviewed.
As the report notes, “The fluency of the language in the emails was not reflected in the coherence of their use… an email sent to an English-speaking target supposedly from an American persona had a subject line in Mandarin and a German message body.”
Every phishing campaign ultimately delivered GOVERSHELL, a malware family exclusive to UTA0388. The backdoor was deployed via DLL search order hijacking (also called sideloading): the archive shipped a legitimate, signed-looking executable alongside a malicious DLL in a hidden "lib" folder, and when the executable resolved that DLL by name, the Windows loader found the attacker's copy before any legitimate one. For defenders, the telltale sign is a known-good binary running from an unusual location with an unexpected DLL beside it.
“Inside the archive would be a legitimate executable that was given a filename relevant to the targeted organization,” Volexity explains. “When executed, this legitimate executable would load a malicious payload in an included Dynamic Link Library (DLL), via search order hijacking.”
Over time, Volexity identified five GOVERSHELL variants, written in either C++ or Go, that evolved rapidly between June and September 2025. The variants used different C2 transports: traffic dressed up to look like TLS, HTTPS POST requests, and encrypted WebSocket channels. The later "Beacon" version added configurable sleep intervals with jitter, so that check-ins no longer occur at a fixed period and simple periodicity-based network detections are harder to trigger; the pattern is still detectable, but only with tolerance for the randomized timing.
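To make the jitter point concrete, the following is an added example, not Volexity's code and not GOVERSHELL's: it constructs check-in timestamps for an implant with a 60 s sleep and 20 % jitter (illustrative values, not taken from the report) plus a bursty "user browsing" series, then runs a naive fixed-period detector and a jitter-tolerant one (median gap and its relative spread) over both.

```python
"""Beacon timing analysis: why sleep+jitter defeats a fixed-period check and
how a tolerant interval detector still catches it.

Added example, not Volexity's code or GOVERSHELL's. All timestamps are
constructed here; the 60 s sleep and 20 % jitter are illustrative assumptions.
"""
import random
import statistics


def simulate_beacon(start, count, sleep_s, jitter_frac, rng):
    """Check-in times for an implant that sleeps `sleep_s` between polls and
    perturbs each sleep uniformly by +/- jitter_frac (constructed data)."""
    times, t = [], float(start)
    for _ in range(count):
        times.append(t)
        t += sleep_s * (1.0 + rng.uniform(-jitter_frac, jitter_frac))
    return times


def intervals(timestamps):
    """Gaps between consecutive events, in seconds."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def is_fixed_period(timestamps, tolerance_s=1.0):
    """Naive detector: fires only if every gap is identical within tolerance.
    A jittered beacon slips past this."""
    gaps = intervals(timestamps)
    return len(gaps) >= 3 and (max(gaps) - min(gaps)) <= tolerance_s


def interval_profile(timestamps, min_events=8):
    """Median gap and its relative spread (MAD / median). A beacon with bounded
    jitter clusters tightly around one period; human traffic is bursty."""
    gaps = intervals(timestamps)
    if len(gaps) < min_events - 1:
        return None
    med = statistics.median(gaps)
    mad = statistics.median(abs(g - med) for g in gaps)
    return med, (mad / med if med > 0 else float("inf"))


def looks_like_beacon(timestamps, max_spread=0.3, min_events=8):
    """Jitter-tolerant detector: regular enough around a single period."""
    prof = interval_profile(timestamps, min_events)
    return prof is not None and prof[1] <= max_spread


# Constructed sample data: a 60 s beacon with 20 % jitter, and bursty browsing
# whose gaps mix seconds-long clicks with long idle periods.
RNG = random.Random(2025)
BEACON = simulate_beacon(0, 24, sleep_s=60, jitter_frac=0.20, rng=RNG)
_BROWSING_GAPS = [2, 3, 1, 2, 900, 4, 2, 1, 1800, 3, 2, 5, 600, 1, 2]
BROWSING = [0.0]
for _g in _BROWSING_GAPS:
    BROWSING.append(BROWSING[-1] + _g)

if __name__ == "__main__":
    for name, series in (("beacon", BEACON), ("browsing", BROWSING)):
        med, spread = interval_profile(series)
        print(f"{name:9s} median gap {med:7.1f}s  spread {spread:.2f}  "
              f"fixed-period? {is_fixed_period(series)}  "
              f"beacon? {looks_like_beacon(series)}")
```

The spread threshold (0.3) is a tuning knob: a uniform ±20 % jitter yields a population MAD/median near 0.1, while exponential-like human inter-arrival times sit near 0.7, so there is a usable gap between the two. Real deployments also have to group events per source/destination pair before profiling.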
One intriguing clue tying the malware to Chinese origins was found in developer artifacts. “One GOVERSHELL sample contained a folder path from the developer’s device that included Simplified Chinese characters: C:\Users\Dev\Desktop\20250608新码\lib\te64 — translated as ‘new code.’”
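Developer paths like the one above are typically left in a binary's debug directory (the CodeView "RSDS" record carries a NUL-terminated PDB path) or in other embedded strings, and they can appear either as UTF-8 or as UTF-16LE, which a plain `strings` run misses or garbles. The following is an added example, not Volexity's tooling: it scans a byte blob for Windows paths in both encodings and reports any non-ASCII characters with a script hint. The sample blob is constructed here around the path quoted in the report; the RSDS framing and the second path are filler, not artifacts from a real sample.

```python
"""Pull Windows developer paths out of a binary blob in both UTF-8 and
UTF-16LE, and flag non-ASCII path components (e.g. CJK folder names).

Added example, not Volexity's code. SAMPLE_BLOB is constructed: it wraps the
path quoted in the report in a simplified RSDS-style record plus filler.
"""
import re
import unicodedata

# Drive letter, colon, backslash, then bytes that are legal in a path; stops at
# NUL, control bytes or characters Windows forbids in file names.
_UTF8_PATH = re.compile(rb'[A-Za-z]:\\[^\x00-\x1f"<>|*?]{1,260}')
# Same prefix encoded as UTF-16LE: each ASCII code unit is followed by 0x00.
_UTF16_PREFIX = re.compile(rb'[A-Za-z]\x00:\x00\\\x00')
_FORBIDDEN_UNITS = {0x22, 0x3C, 0x3E, 0x7C, 0x2A, 0x3F}  # " < > | * ?


def _scan_utf16le(blob):
    """Yield decoded UTF-16LE paths, reading code units until a terminator."""
    for m in _UTF16_PREFIX.finditer(blob):
        start = end = m.start()
        while end + 1 < len(blob):
            unit = blob[end] | (blob[end + 1] << 8)
            if unit < 0x20 or unit in _FORBIDDEN_UNITS:
                break
            end += 2
        yield blob[start:end].decode("utf-16-le", errors="replace")


def _script_hint(ch):
    """First word of the Unicode name, e.g. 'CJK', 'CYRILLIC', 'LATIN'."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def _record(path, encoding):
    non_ascii = sorted({ch for ch in path if ord(ch) > 0x7F})
    return {
        "path": path,
        "encoding": encoding,
        "non_ascii": "".join(non_ascii),
        "scripts": sorted({_script_hint(ch) for ch in non_ascii}),
    }


def extract_paths(blob):
    """Return one record per Windows path found, in either encoding."""
    found = [_record(m.group().decode("utf-8", errors="replace"), "utf-8")
             for m in _UTF8_PATH.finditer(blob)]
    found.extend(_record(text, "utf-16-le") for text in _scan_utf16le(blob))
    return found


# Path quoted in the report; everything else in the blob is constructed filler.
PATH_FROM_REPORT = r"C:\Users\Dev\Desktop\20250608新码\lib\te64"
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 28
    # Simplified CodeView record: 'RSDS', 16-byte GUID, 4-byte age, UTF-8 path
    + b"RSDS" + bytes(range(16)) + b"\x01\x00\x00\x00"
    + PATH_FROM_REPORT.encode("utf-8") + b"\x00"
    + b"\x00" * 8
    # A second, ASCII-only path stored as UTF-16LE (constructed)
    + r"D:\build\agent\work\release\out.pdb".encode("utf-16-le") + b"\x00\x00"
    + b"not a path: http://example.invalid/lib " + b"\x00" * 4
)

if __name__ == "__main__":
    for rec in extract_paths(SAMPLE_BLOB):
        flag = f"  non-ASCII {rec['non_ascii']!r} {rec['scripts']}" if rec["non_ascii"] else ""
        print(f"[{rec['encoding']:9s}] {rec['path']}{flag}")
```

On a real file, run `extract_paths(open(path, "rb").read())`; the script hint is a triage aid for spotting operator-locale artifacts, not proof of origin on its own, which is also how the report treats this clue (one indicator among several).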
Perhaps the most alarming revelation in Volexity’s report is the confirmed use of ChatGPT by UTA0388 for both phishing and malware development. The analysis highlights that “OpenAI’s October 2025 report confirmed Volexity’s suppositions that UTA0388 leveraged OpenAI’s ChatGPT platform for several components of their spear phishing and malware development operations.”
Volexity writes, “The inclusion of fabricated domains, nonsensical personas, and errors such as wrong day/date combinations or incorrect department names lead us to assess with a high degree of confidence that UTA0388 used an LLM to craft the phishing emails in this campaign, with little oversight of whether the output was plausible.”
In one case, phishing archives even contained bizarre “Easter eggs” — pornographic images with random overlaid text like “TES” and “NO,” religious audio recordings, and meaningless text files. These chaotic inclusions, Volexity notes, “appear to be nonsensical and counterproductive for the success of the campaign,” further suggesting automated, unreviewed content generation.
UTA0388’s infrastructure evolved alongside its malware. Early operations used Netlify and Sync to host payloads, before migrating to self-registered domains such as cdn-apple[.]info, azure-app[.]store, and twmoc[.]info — often themed around Taiwan and global tech companies.
Interestingly, the GOVERSHELL codebase displayed signs of non-iterative rewrites, suggesting it may have been regenerated by an LLM rather than traditionally updated by humans. “Each variant implements a new communication method, new capabilities, and rewrites how basic functionality works,” Volexity observed, noting that this was inconsistent with normal software development cycles.
While it remains unclear how effective UTA0388’s AI-driven phishing was, the volume and speed of their campaigns — 26 emails in just three days — demonstrate the threat that automated social engineering poses to global organizations.
Volexity warns that the continued development of GOVERSHELL and its AI-enhanced delivery mechanisms represent a persistent and evolving espionage risk, stating, “UTA0388’s activity appears to have slowed down from its peak in July 2025 but remains a consistent threat.”