Typical UNK_SparkyCarp AITM phishing kit landing page | Image: Proofpoint
A new report from Proofpoint Threat Research sheds light on a coordinated espionage campaign by multiple China-aligned threat actors targeting Taiwan's semiconductor industry. Between March and June 2025, researchers observed a sharp escalation in spearphishing attacks, malware deployment, and intelligence collection efforts, indicative of China's strategic push toward semiconductor self-sufficiency amid tightening export controls.
According to the report, attackers cast a wide net, targeting not only chip manufacturers but also design and testing firms, supply chain entities, and financial analysts focused on semiconductor investments.
"This activity likely reflects China's strategic priority to achieve semiconductor self-sufficiency and decrease reliance on international supply chains and technologies," the report states.
One of the most active actors, UNK_FistBump, employed phishing emails disguised as job applications. These were sent from compromised Taiwanese university accounts to HR personnel at semiconductor firms.
Each phishing email contained a password-protected archive that, when extracted, launched dual infection chains: one delivering Cobalt Strike, the other a custom malware called Voldemort.
"In an unusual campaign in late May 2025, UNK_FistBump included two distinct infection chains… one of which loaded a Cobalt Strike Beacon payload, and the second loading Voldemort," the report explains.
The Voldemort backdoor, linked previously to TA415 (aka APT41), leverages DLL sideloading via legitimate software like CiscoCollabHost.exe and uses Google Sheets as a command-and-control (C2) channel, a stealthy method to evade detection.
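A defender-side illustration of the two Voldemort tells described above (a legitimate binary abused for DLL sideloading, and Google Sheets used as C2), written as an added example rather than code from Proofpoint or this article. The install-path prefixes, browser allowlist, Google API hostnames and the sample telemetry are assumptions constructed for the example.

```python
import os
# Executables the Proofpoint report names as abused DLL-sideloading hosts.
SIDELOAD_HOSTS = {"ciscocollabhost.exe"}
# Install prefixes where the legitimate binary is expected to live (assumption).
TRUSTED_PREFIXES = ("c:/program files/", "c:/program files (x86)/")
# Browser allowlist and Google Sheets hostnames are assumptions for this example.
BROWSER_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHEETS_ENDPOINTS = {"sheets.googleapis.com", "docs.google.com"}

def _norm(path):
    return path.replace("\\", "/").lower()

def flag_sideload(ev):
    """Image-load event: a known host binary running outside its install path or
    loading an unsigned DLL is the classic sideloading tell."""
    if ev.get("event") != "image_load":
        return None
    image = _norm(ev["image"])
    if os.path.basename(image) not in SIDELOAD_HOSTS:
        return None
    if not image.startswith(TRUSTED_PREFIXES) or not ev.get("signed", False):
        return f"possible DLL sideload: {image} loaded {_norm(ev['loaded'])}"
    return None

def flag_sheets_c2(ev):
    """Network event: a non-browser process reaching Google Sheets endpoints
    matches the Voldemort C2 pattern the report describes."""
    if ev.get("event") != "network":
        return None
    proc = os.path.basename(_norm(ev["image"]))
    if ev["dest_host"].lower() in SHEETS_ENDPOINTS and proc not in BROWSER_ALLOWLIST:
        return f"non-browser process {proc} contacted {ev['dest_host']}"
    return None

def scan(events):
    """Run both checks over event dicts; return the list of alert strings."""
    return [hit for ev in events for check in (flag_sideload, flag_sheets_c2)
            if (hit := check(ev))]

# Constructed sample telemetry (not from the report); the DLL name is a placeholder.
SAMPLE_EVENTS = [
    {"event": "image_load", "image": r"C:\Users\hr\Downloads\resume\CiscoCollabHost.exe",
     "loaded": r"C:\Users\hr\Downloads\resume\PLACEHOLDER_SIDELOADED.dll", "signed": False},
    {"event": "image_load", "image": r"C:\Program Files\Cisco\CiscoCollabHost.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"event": "network", "image": r"C:\Users\hr\Downloads\resume\CiscoCollabHost.exe",
     "dest_host": "sheets.googleapis.com"},
    {"event": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "docs.google.com"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts: the binary launched from a Downloads folder loading an unsigned DLL, and that same process contacting a Sheets endpoint, while the properly installed copy and the browser stay quiet.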
A second group, UNK_DropPitch, turned its attention to analysts within investment firms tracking Taiwan's semiconductor sector. Masquerading as a fictitious finance firm, attackers lured targets into downloading a ZIP file containing a vulnerable executable and the HealthKick backdoor.
"HealthKick is a simple backdoor that executes commands and captures their output via a redirected anonymous pipe, which is then sent back to the C2," the report reveals.
In another campaign, the same actor deployed a raw TCP reverse shell with minimal error handling, leading to operator typos being directly executed by the malware.
Two additional actors also emerged:
- UNK_SparkyCarp used a custom adversary-in-the-middle (AiTM) phishing kit targeting login credentials.
- UNK_ColtCentury (linked to TAG-100 and Storm-2077) engaged in benign-seeming email conversations with legal staff, believed to be a precursor to SparkRAT deployment.
"In March 2025, a China-aligned threat actor Proofpoint tracks as UNK_SparkyCarp conducted a credential phishing campaign using a custom adversary-in-the-middle (AITM) framework."
These campaigns demonstrate a blend of tactical creativity, malware reuse, and overlapping infrastructure, consistent with previous Chinese state-sponsored espionage efforts, yet diversified in execution.