Chinese Hackers Target Taiwan’s Semiconductor Sector with Cobalt Strike, Custom Backdoors

The Taiwanese semiconductor industry has been targeted by spear-phishing campaigns carried out by three Chinese state-sponsored threat actors.

“Targets of these campaigns ranged from organizations involved in the manufacturing, design, and testing of semiconductors and integrated circuits, wider equipment and services supply chain entities within this sector, as well as financial investment analysts specializing in the Taiwanese semiconductor market,” Proofpoint said in a report published Wednesday.

The activity took place between March and June 2025 and has been attributed to three China-aligned clusters known as UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp.

UNK_FistBump targeted semiconductor design, packaging, manufacturing, and supply chain organizations in employment-themed phishing campaigns that resulted in the delivery of Cobalt Strike or a C-based custom backdoor dubbed Voldemort. The attack chain involves the threat actor posing as a graduate student in emails seeking job opportunities at the targeted company.

UNK_DropPitch targeted individuals in major investment firms focusing on investment analysis within the Taiwanese semiconductor industry. The phishing emails embedded a link to a PDF document containing a malicious DLL payload launched using DLL side-loading.

The rogue DLL, named HealthKick, is capable of executing commands, capturing results, and exfiltrating them to a C2 server. In another attack, a TCP reverse shell was used to establish contact with an actor-controlled VPS server for reconnaissance and discovery.

UNK_SparkyCarp conducted credential phishing attacks on a Taiwanese semiconductor company using an adversary-in-the-middle kit. The campaign masqueraded as account login security warnings and contained links to actor-controlled credential phishing domains.

Further analysis revealed that two servers were configured as SoftEther VPN servers, and a TLS certificate was reused for C2 servers, suggesting ties to Chinese hacking groups.

These threat actors continue to exhibit targeting patterns consistent with Chinese state interests, using TTPs historically associated with China-aligned cyber espionage operations.

Salt Typhoon Goes After U.S. National Guard

Chinese state-sponsored hackers known as Salt Typhoon breached at least one U.S. state’s National Guard, providing Beijing with data to facilitate further hacking. The breach lasted for nine months and extensively compromised a state’s Army National Guard network.

Salt Typhoon exfiltrated configuration files from U.S. government and critical infrastructure entities, harvested administrator credentials, and leveraged access to gather strategic intelligence.

The initial access was facilitated by exploiting known security vulnerabilities in Cisco and Palo Alto Networks appliances. The sustained presence of Salt Typhoon raises concerns about visibility gaps, segmentation policies, and detection capabilities in defense networks.

This escalation in cyber espionage highlights the persistent threat posed by advanced threat actors targeting federal agencies and state-level components with varying security postures.
