TAOTH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents

Aug. 28, 2025, 3:34 p.m.

Description

The TAOTH campaign combined an abandoned Sogou Zhuyin IME update server with spear-phishing to deliver several malware families, primarily against users in East Asia. The infection chains included software updates hijacked through the abandoned update server and phishing pages posing as cloud storage or login portals, used both to deliver malware and to collect sensitive information. Targeting concentrated on high-value individuals: dissidents, journalists, researchers, and technology and business leaders in China, Taiwan, Hong Kong, Japan, and South Korea, as well as overseas Taiwanese communities. Analysis of the infrastructure and tooling links TAOTH to previously documented threat activity through shared C&C infrastructure, malware variants, and tactics, consistent with a single persistent group focused on reconnaissance, espionage, and email abuse.

Date

  • Created: Aug. 28, 2025, 2:51 p.m.
  • Published: Aug. 28, 2025, 2:51 p.m.
  • Modified: Aug. 28, 2025, 3:34 p.m.

Indicators

  • fee8211f723b5bfeb74cc45b0eac7fcd275397ea8f538cf5ea138f12586e5b26
  • f8845b4957fdad691e2826aeb770103345e80375a67cc13772c48ca02e1812fc
  • c9e539a64275814e198db6830939f0d6c335574f7016696d3ee1cae42b97f838
  • c36c2657a9a5fa31227631c440450ec42a8c5b274cc4bfd9a500e92ab357b736
  • c88d5256d85024ffd628becc631df5deab6a1daf16d8fab24d2366aaa3fd7fc5
  • a53c96108d171392a29f221614086d8311e25af521c6b4da3e4af019370164cf
  • 99eee95b1d5d16ea7f8d515d2333221a2308eb41640978617c6477928d0a5d75
  • 79ce1bb062f6dcdaf01cc33125f68dc2d030da2390255c4fb39d362a22032da1
  • 90a9be7cf4b7a1786697d5adfff781d9b6ed8db06da33ebef9438dee5a181106
  • 587e1fa9d32f2a7134c158d965a32751b58ce5ad3a07533436472105be46a481
  • 4c172211a462cc6e95d9537ecd917ca7c456512006474b4105c1342f0b138dfe
  • 484c886221136ce94a8ca3ea78980f434f3fcddeaf54beaa873cf285009e337a
  • 3bdac367a7aeab050b8b57c4303110d4db043b939a8f721f3052416c1c3b9fdc
  • 33c137aca85d7026e143c6da3eddb15825bf174dd788e02169b6bac4f7cb9de0
  • 1774066df2121e28a6c71b41bbec1804384d7b3106f3d49b8c3eb6d45d081cf5
  • 0685dbb345160fcbcad33548cb3c747a46f3a11c6a243ab445fd20a71f4b3de7
  • 0abf0972d8a7e87c4749e142009c1bb7e826055c3bc8d742055cf209a11ee540
  • 0384733cfcdd32b008642391da7e439c390e7ce8d16e6d9d3bdcbc720b330b84
  • 38.60.203.134
  • 192.124.176.51
  • 154.90.62.210
  • sogouzhuyin.com
  • auth.onedrive365-jp.com
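
The following is an added example, not code from the original report or from the listing, showing one way to sweep an endpoint and a DNS/proxy log for the indicators listed above: files are matched by SHA-256 against the hash set, and log lines are matched on the listed IPs and on the listed domains including their subdomains. The log lines embedded in the block are constructed for illustration; the hostname `update.sogouzhuyin.com` in them is an assumed subdomain, not an indicator from the listing.

```python
import hashlib
import os
import re
from typing import Iterable, List, Tuple

# Indicators copied from the listing above. File hashes are SHA-256.
IOC_HASHES = {
    "fee8211f723b5bfeb74cc45b0eac7fcd275397ea8f538cf5ea138f12586e5b26",
    "f8845b4957fdad691e2826aeb770103345e80375a67cc13772c48ca02e1812fc",
    "c9e539a64275814e198db6830939f0d6c335574f7016696d3ee1cae42b97f838",
    "c36c2657a9a5fa31227631c440450ec42a8c5b274cc4bfd9a500e92ab357b736",
    "c88d5256d85024ffd628becc631df5deab6a1daf16d8fab24d2366aaa3fd7fc5",
    "a53c96108d171392a29f221614086d8311e25af521c6b4da3e4af019370164cf",
    "99eee95b1d5d16ea7f8d515d2333221a2308eb41640978617c6477928d0a5d75",
    "79ce1bb062f6dcdaf01cc33125f68dc2d030da2390255c4fb39d362a22032da1",
    "90a9be7cf4b7a1786697d5adfff781d9b6ed8db06da33ebef9438dee5a181106",
    "587e1fa9d32f2a7134c158d965a32751b58ce5ad3a07533436472105be46a481",
    "4c172211a462cc6e95d9537ecd917ca7c456512006474b4105c1342f0b138dfe",
    "484c886221136ce94a8ca3ea78980f434f3fcddeaf54beaa873cf285009e337a",
    "3bdac367a7aeab050b8b57c4303110d4db043b939a8f721f3052416c1c3b9fdc",
    "33c137aca85d7026e143c6da3eddb15825bf174dd788e02169b6bac4f7cb9de0",
    "1774066df2121e28a6c71b41bbec1804384d7b3106f3d49b8c3eb6d45d081cf5",
    "0685dbb345160fcbcad33548cb3c747a46f3a11c6a243ab445fd20a71f4b3de7",
    "0abf0972d8a7e87c4749e142009c1bb7e826055c3bc8d742055cf209a11ee540",
    "0384733cfcdd32b008642391da7e439c390e7ce8d16e6d9d3bdcbc720b330b84",
}
IOC_IPS = {"38.60.203.134", "192.124.176.51", "154.90.62.210"}
IOC_DOMAINS = {"sogouzhuyin.com", "auth.onedrive365-jp.com"}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    # Stream the file so large binaries do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_ioc_hash(digest: str) -> bool:
    # Hashes in the listing are lowercase; normalise before comparing.
    return digest.lower() in IOC_HASHES


def scan_dir(root: str) -> List[Tuple[str, str]]:
    """Return (path, sha256) for every file under root whose hash is an IOC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort
            if is_ioc_hash(digest):
                hits.append((path, digest))
    return hits


# Hostnames and dotted-quad IPs as they appear in DNS, proxy or firewall logs.
_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")


def match_log_line(line: str) -> List[str]:
    """Return the listed IPs/domains referenced by one log line, in order found.

    A domain matches on exact name or any subdomain (update.sogouzhuyin.com
    matches sogouzhuyin.com); a lookalike such as notsogouzhuyin.com does not.
    """
    found: List[str] = []
    for tok in _TOKEN.findall(line):
        t = tok.lower().rstrip(".")  # DNS logs often write FQDNs with a trailing dot
        if t in IOC_IPS and t not in found:
            found.append(t)
            continue
        for d in IOC_DOMAINS:
            if (t == d or t.endswith("." + d)) and d not in found:
                found.append(d)
    return found


def scan_log(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    return [(l, m) for l in lines if (m := match_log_line(l))]


# Constructed sample lines (not real telemetry); the hostname under
# sogouzhuyin.com is an assumed subdomain used only for illustration.
SAMPLE_LOG = [
    "2025-08-28T10:00:01 dns host=ws-07 qname=update.sogouzhuyin.com. answer=38.60.203.134",
    "2025-08-28T10:00:05 proxy host=ws-07 GET https://onedrive.live.com/ 200",
    "2025-08-28T10:01:12 proxy host=ws-12 POST https://AUTH.ONEDRIVE365-JP.COM/login 302",
    "2025-08-28T10:02:40 fw host=ws-12 conn dst=192.124.176.51:443 proto=tcp",
    "2025-08-28T10:03:00 dns host=ws-03 qname=notsogouzhuyin.com. answer=203.0.113.9",
]

if __name__ == "__main__":
    for line, matched in scan_log(SAMPLE_LOG):
        print(matched, "<-", line)
    for path, digest in scan_dir("."):
        print("IOC hash hit:", path, digest)
```

A hash hit on a file is strong evidence and the host should be isolated for investigation; a hit on the `sogouzhuyin.com` domain alone is weaker, since any machine still running the end-of-support IME will contact its abandoned update server as part of normal operation, so correlate it with what was actually downloaded. Hashes match only unmodified samples, so an absence of hash hits does not clear a host.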

Attack Patterns

Additional Information

  • Technology
  • Media
  • Government
  • Hong Kong
  • Taiwan
  • China
  • Norway
  • Japan
  • United States of America