
"Targets of the activity mainly include dissidents, journalists, researchers, and technology/business leaders in China, Taiwan, Hong Kong, Japan, South Korea, and overseas Taiwanese communities. Taiwan accounts for 49% of all targets, followed by Cambodia (11%) and the U.S. (7%). It's said the attackers, in October 2024, took control of the lapsed domain name ("sogouzhuyin[.]com") associated with Sogou Zhuyin, a legitimate IME service that stopped receiving updates in June 2019, to disseminate malicious payloads a month later. It's estimated that several hundred victims were impacted."
"An abandoned update server associated with input method editor (IME) software Sogou Zhuyin was leveraged by threat actors as part of an espionage campaign to deliver several malware families, including C6DOOR and GTELAM, in attacks primarily targeting users across Eastern Asia. "Attackers employed sophisticated infection chains, such as hijacked software updates and fake cloud storage or login pages, to distribute malware and collect sensitive information," Trend Micro researchers Nick Dai and Pierre Lee said in an exhaustive report."
Campaign codenamed TAOTH used a lapsed Sogou Zhuyin update domain registered in October 2024 to host malicious updates and distribute payloads. Multiple malware families were deployed through the compromised channel, including GTELAM, C6DOOR, DESFY, and TOSHIS. Deployed strains provided remote access, information theft, and backdoor capabilities. Attackers used hijacked software updates, fake cloud storage or login pages, and legitimate third‑party cloud services such as Google Drive to conceal network activity and evade detection. Primary targets included dissidents, journalists, researchers, and technology and business leaders across China, Taiwan, Hong Kong, Japan, South Korea, and overseas Taiwanese communities.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]