Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign
Summary:
The TAOTH campaign, attributed to a persistent threat actor cluster, represents a significant cyber-espionage effort focused on high-value targets in Eastern Asia and among overseas Taiwanese communities. The activity was first identified in June 2025, when investigators discovered that attackers had gained a foothold inside victim environments by compromising the update infrastructure of Sogou Zhuyin, a discontinued input method editor widely used in Taiwan for Chinese character input. After the official update domain for the software was abandoned in 2019, the attackers re-registered it in October 2024 and began using it to distribute malicious updates, which in turn deployed a range of malware families including TOSHIS, DESFY, GTELAM, and C6DOOR. These tools provided varied capabilities, from remote access and command execution to credential harvesting, file theft, network scanning, and data exfiltration.
The infection chain showed careful planning and technical sophistication. In the Sogou Zhuyin operation, users downloaded legitimate installers, which later triggered automatic update requests to attacker-controlled infrastructure. The threat actor injected malicious configuration files that appeared authentic, ultimately leading to stealthy deployment of spyware and backdoors. TOSHIS functioned as a loader, patching legitimate executables to fetch additional payloads such as Cobalt Strike and the Mythic-based Merlin agent, while DESFY and GTELAM were used to harvest sensitive documents and filenames, particularly focusing on Office and PDF files. Meanwhile, C6DOOR, a Golang-based backdoor containing embedded Simplified Chinese characters, provided extensive control features such as system reconnaissance, SSH command execution, file transfers, and shellcode injection. Analysis of the infrastructure and malware code showed significant overlap with previously documented campaigns, including shared command-and-control servers, identical Cobalt Strike watermarks, and malware variants tied to earlier Xiangoop infections. These similarities support the conclusion that the TAOTH activity is part of a broader, persistent espionage campaign run by a single, highly capable threat actor.
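The weakness the Sogou Zhuyin chain exploited is that the update client trusted whatever the update host served, so whoever re-registered the abandoned domain could publish a "configuration file that appeared authentic". As an added example (not Sogou Zhuyin's or Trend Micro's code), this Go sketch pins the publisher's Ed25519 key inside the client, so a manifest served from a hijacked domain fails verification; the manifest fields, the `update.example.invalid` URLs and the installer bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest is a constructed update descriptor; Sig covers all other fields.
type UpdateManifest struct {
	Version string
	URL     string
	SHA256  string // hex digest the client checks the download against before running it
	Sig     string // hex Ed25519 signature over signingBytes()
}

// signingBytes is the canonical, newline-delimited encoding the signature covers.
func (m UpdateManifest) signingBytes() []byte {
	return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256)
}

// SignManifest is the publisher-side step, done offline, never on the update host.
func SignManifest(m UpdateManifest, priv ed25519.PrivateKey) UpdateManifest {
	m.Sig = hex.EncodeToString(ed25519.Sign(priv, m.signingBytes()))
	return m
}

// VerifyManifest is the client-side step. pinnedPub ships inside the installer,
// so whoever later controls the update domain still cannot forge a manifest.
func VerifyManifest(m UpdateManifest, pinnedPub ed25519.PublicKey) error {
	sig, err := hex.DecodeString(m.Sig)
	if err != nil || !ed25519.Verify(pinnedPub, m.signingBytes(), sig) {
		return errors.New("manifest: signature does not match pinned publisher key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo key; a real client compiles pub in
	installer := []byte("constructed installer bytes")
	sum := sha256.Sum256(installer)
	good := SignManifest(UpdateManifest{Version: "1.0.1", URL: "https://update.example.invalid/ime.exe", SHA256: hex.EncodeToString(sum[:])}, priv)
	fmt.Println("genuine:", VerifyManifest(good, pub)) // <nil>
	hijacked := good
	hijacked.URL = "https://update.example.invalid/loader.exe" // re-pointed by a hijacked host
	fmt.Println("tampered:", VerifyManifest(hijacked, pub)) // signature error
}
```

The same check rejects a manifest signed with any key other than the pinned one, which is what makes re-registering the domain insufficient on its own.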
Security Officer Comments:
Alongside this supply chain compromise, researchers also uncovered a related spear-phishing campaign that relied on fake cloud storage download pages and fraudulent login portals. These phishing lures were designed around political or professional themes, such as requests for research papers or collaboration on trending public issues, and often impersonated IT or business contacts. Some fake login sites redirected users to attacker-controlled OAuth applications that requested excessive permissions, enabling access to Gmail or Microsoft accounts and allowing attackers to read, send, or manipulate victim emails. Other lures delivered booby-trapped ZIP files containing corrupted documents and disguised executables that triggered DLL sideloading to install the TOSHIS loader, eventually leading to further malware deployment.
Victimology revealed a consistent focus on sensitive and strategically valuable targets. Most of those affected were based in Taiwan, though individuals in China, Hong Kong, Japan, South Korea, and even overseas Taiwanese communities in countries like the United States and Norway were also compromised. Many of the decoy lures were crafted to appeal directly to dissidents, journalists, academics, and business or technology leaders, indicating that the actor’s objectives were aligned with intelligence collection, surveillance, and long-term espionage operations rather than indiscriminate disruption.
Suggested Corrections:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Regardless of preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
https://www.trendmicro.com/en_us/research/25/h/taoth-campaign.html