Trend Micro researchers have detailed a sophisticated cyber-espionage operation, dubbed TAOTH, which leverages hijacked software updates and spear-phishing to deliver multiple malware families across Eastern Asia. The campaign, which began in late 2024, has targeted dissidents, journalists, researchers, and business leaders in China, Taiwan, Hong Kong, Japan, and South Korea.
The campaign first came to light when researchers investigated infections involving C6DOOR and GTELAM. According to Trend Micro, “The software had stopped receiving updates in 2019; in October 2024 attackers took over the lapsed domain name and used it to distribute malicious payloads.”
By seizing control of the abandoned Sogou Zhuyin IME update server, attackers distributed four malware families—TOSHIS, DESFY, GTELAM, and C6DOOR—via what appeared to be legitimate update processes. Victims often downloaded the official installer, but “a few hours after installation, the automatic update process is triggered” and malicious updates were retrieved from the attacker-controlled domain.

In addition to the supply-chain style attack, TAOTH also relied on spear-phishing campaigns. These targeted emails used politically themed decoy documents to lure victims. Trend Micro explains, “The targeted victims are mainly located in Eastern Asia, including China, Hong Kong, Taiwan, Japan, and South Korea. A small portion of victims were identified in the United States and Norway.”
Phishing lures included fake cloud storage pages that prompted downloads of malware-laced archives, and fake login portals designed to trick victims into granting OAuth consent for attacker-controlled applications. Once consent was granted, adversaries could manipulate victims’ Google or Microsoft mailboxes for espionage or lateral phishing.
Trend Micro’s analysis highlighted several distinct malware families:
- TOSHIS: A loader variant of Xiangoop, designed to fetch additional payloads like Cobalt Strike or Merlin agents. It selectively targeted victims with system languages in Chinese (Taiwan/China) and Japanese.
- DESFY: A spyware tool focused on profiling victims by collecting filenames from Desktop and Program Files directories.
- GTELAM: Another spyware variant designed to collect document filenames (PDF, Word, Excel, PowerPoint) and exfiltrate them to Google Drive.
- C6DOOR: A custom Golang backdoor supporting HTTP and WebSocket, capable of executing commands, uploading files, performing port scans, and even injecting shellcode.
As the report notes, “Based on our analysis, there were at least four malware families delivered through the update, including DESFY, GTELAM, C6DOOR and TOSHIS. So far, we have observed the attacker deploying malware such as DESFY and GTELAM to profile victims and identify high-value targets.”
Infrastructure and tooling analysis suggests TAOTH is part of a persistent espionage-focused threat group. Trend Micro observed overlaps with previous activity: “Analysis identified overlapping C&C infrastructure between TAOTH and ITOCHU’s cases… The threat actor employs consistent methods, such as establishing VSCode tunnels and launching supply chain attacks via legitimate applications, including YouDao and Sogou.”
This consistency in infrastructure, malware variants, and TTPs strongly indicates a single, long-running attacker group focused on reconnaissance, espionage, and email abuse.