
Abandoned Sogou Zhuyin update server compromised and repurposed for Taiwan espionage operation

An abandoned update server linked to the Input Method Editor (IME) software Sogou Zhuyin was exploited by threat actors in an espionage campaign that delivered various malware families, including C6DOOR and GTELAM. This campaign, identified in June 2025 and codenamed TAOTH by Trend Micro researchers Nick Dai and Pierre Lee, primarily targeted users in Eastern Asia. The victims included dissidents, journalists, researchers, and technology and business leaders from China, Taiwan, Hong Kong, Japan, South Korea, and overseas Taiwanese communities. Taiwan represented 49% of the targets, followed by Cambodia at 11% and the United States at 7%.

In October 2024, attackers seized control of the lapsed domain name “sogouzhuyin[.]com,” which had been associated with the legitimate IME service that ceased updates in June 2019. They began disseminating malicious payloads a month later, impacting several hundred victims. The attackers utilised sophisticated infection chains, including hijacked software updates and fake cloud storage or login pages, to distribute malware and gather sensitive information. The malware families deployed served various purposes, such as remote access, information theft, and backdoor functionality. To evade detection, the threat actors leveraged third-party cloud services to obscure their network activities throughout the attack chain. 
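The core risk described above is that software which has stopped receiving vendor updates keeps polling an update host whose domain can lapse and be re-registered by someone else. The script below is an added defender-side example (it is not Trend Micro's, Sogou's or the article's code) that turns this into two checks: an inventory test that flags an update host whose current registration date postdates the vendor's last release (or that has no registration at all), and a scan over proxy log lines for endpoints that contacted such a host. The only values taken from the article are the `sogouzhuyin.com` host, the June 2019 end of updates and the October 2024 takeover; every other program, domain, date and log line is constructed for the example, and the registration dates are hard-coded stand-ins for what a real deployment would fetch from RDAP or WHOIS.

```python
"""
Defender-side checks for the "abandoned update domain" risk.
Added example, not code from the article or the vendors it names.
Heuristic: if the domain a program polls for updates was (re)registered
after the vendor shipped its last update, the domain has probably changed
hands and anything it serves as an "update" must not be trusted.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class InstalledSoftware:
    name: str
    update_host: str
    last_vendor_update: date  # when the vendor stopped shipping updates


# Constructed inventory. Only the Sogou Zhuyin host and its June 2019
# end-of-updates come from the article; the other entries are illustrative.
INVENTORY = [
    InstalledSoftware("Sogou Zhuyin IME", "sogouzhuyin.com", date(2019, 6, 30)),
    InstalledSoftware("ExampleEditor", "updates.example-editor.invalid", date(2024, 1, 15)),
    InstalledSoftware("LegacyTool", "legacytool.invalid", date(2017, 3, 1)),
]

# Constructed stand-in for RDAP/WHOIS "registration created" dates, hard-coded
# so the example runs offline. The October 2024 date mirrors the takeover
# month reported in the article; the exact day is assumed.
REGISTRATION_CREATED = {
    "sogouzhuyin.com": date(2024, 10, 1),
    "updates.example-editor.invalid": date(2015, 5, 5),
    # legacytool.invalid has no record: the domain may be free to register
}


def flag_hijack_risk(inventory, registration_created):
    """Return {update_host: reason} for update hosts that should not be trusted."""
    findings = {}
    for sw in inventory:
        created = registration_created.get(sw.update_host)
        if created is None:
            findings[sw.update_host] = "no registration record: domain may be free to register"
        elif created > sw.last_vendor_update:
            findings[sw.update_host] = (
                f"registered {created.isoformat()} after vendor's last update "
                f"{sw.last_vendor_update.isoformat()}: likely re-registered"
            )
    return findings


def match_update_traffic(log_lines, risky_hosts):
    """Scan proxy log lines in the constructed format 'ts src dst_host:port path'
    and return (src, dst_host) pairs that contacted a risky update host or any
    of its sub-domains."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the scan
        _, src, host, _path = parts[:4]
        host = host.split(":")[0].lower()  # drop the port
        for risky in risky_hosts:
            if host == risky or host.endswith("." + risky):
                hits.append((src, host))
    return hits


# Constructed proxy log lines; the 'update.' sub-domain is assumed, not reported.
SAMPLE_LOG = [
    "2024-11-12T09:01:02Z 10.0.0.12 update.sogouzhuyin.com:443 /zhuyin/update.xml",
    "2024-11-12T09:01:05Z 10.0.0.12 updates.example-editor.invalid:443 /latest",
    "2024-11-12T09:02:10Z 10.0.0.20 legacytool.invalid:80 /check",
]

if __name__ == "__main__":
    findings = flag_hijack_risk(INVENTORY, REGISTRATION_CREATED)
    for host, reason in findings.items():
        print(f"[RISK] {host}: {reason}")
    for src, host in match_update_traffic(SAMPLE_LOG, findings):
        print(f"[ALERT] {src} polled untrusted update host {host}")
```

Running the script flags `sogouzhuyin.com` as re-registered and `legacytool.invalid` as unregistered, then reports the two endpoints that contacted them. The inventory check is the useful part operationally: it catches the risk before any traffic is seen, and it generalises to any end-of-life program still configured with an update URL, which is why the example keeps the vendor's last-update date rather than only a blocklist of known-bad hosts.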
