
Malicious TAOTH Operation Capitalizes on Outdated Software for Malware Distribution and Data Theft of Personal Information

Users across East Asia have been hit by the TAOTH campaign, which leverages the neglected Sogou Zhuyin Input Method Editor (IME) to install spyware, loaders, and backdoors on victims' systems.

Malicious TAOTH campaign abuses outdated software for disseminating malware, with the aim of gathering sensitive user data.


In June 2025, a cyber campaign named TAOTH began surfacing in telemetry data across Eastern Asia, marking the start of a sophisticated and stealthy espionage operation. According to Trend Micro researchers, the campaign exploited an abandoned Chinese input method editor (IME), Sogou Zhuyin, to deliver multiple malware families.

The operation's stealthiness is achieved by abusing native Windows update mechanisms and embedding itself in trusted processes. This evasion tactic helps TAOTH bypass most traditional endpoint defenses, making it challenging to detect and neutralise.

Once the malicious updater launches, it often injects shellcode into the entry point of a legitimate executable by patching it. The update configuration returned by the server contains URLs, MD5 hashes, and file sizes, which lets the attacker ensure that only their own crafted binaries are fetched and executed.

The compromised IME re-invokes the update routine on each system start, ensuring the malware's persistence. Infected systems download one of four distinct malware families: TOSHIS, DESFY, GTELAM, or C6DOOR.

In the case of C6DOOR, the Go-based backdoor supports HTTP and WebSocket communication and allows operators to execute shellcode, capture screenshots, and transfer files via SFTP. The final backdoor payload is downloaded and decrypted with a hard-coded AES key.

The campaign's sophistication lies in its use of an abandoned software supply chain and multi-stage infection process. Initial intelligence suggests victims downloaded what appeared to be legitimate updates before their systems were compromised.

Over several months, hundreds of high-value individuals, including journalists, technology executives, and activists across Taiwan, Hong Kong, Japan, and overseas Taiwanese communities, fell victim to these silent intrusions. The organization behind this cyberattack is identified as a cybercriminal group conducting an espionage campaign targeting dissidents, journalists, and executives in China, Taiwan, and other countries.

Trend Micro researchers also traced how the IME's updater, ZhuyinUp.exe, retrieves the malicious update configuration. The loader identifies the API functions it needs by Adler-32 hashes of their names rather than by plaintext imports. The surge in malicious activity dates to November 2024, when the lapsed Sogou Zhuyin domain began serving a malicious installer.
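The API hashing detail above is what an analyst has to undo when reversing such a loader: recompute the hash of every candidate export and look up the constants found in the binary. The following is an added example written for this article, not code from Trend Micro's report or from the malware; it assumes the standard Adler-32 of RFC 1950 over the plain ASCII export name with no terminator (the page does not state the loader's exact input encoding), and the candidate API list is constructed for illustration.

```python
import zlib
from typing import Dict, Iterable, Optional

MOD_ADLER = 65521  # largest prime below 2^16, per RFC 1950


def adler32(data: bytes) -> int:
    """Reference Adler-32: running byte sum `a` and running sum-of-sums `b`,
    both mod 65521, packed as (b << 16) | a. Written out step by step so the
    loop can be matched against a loader's disassembly instead of a library call."""
    a, b = 1, 0
    for byte in data:
        a = (a + byte) % MOD_ADLER
        b = (b + a) % MOD_ADLER
    return (b << 16) | a


def build_hash_table(api_names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> export name for every candidate API.
    Assumption: the loader hashes the plain ASCII name, no NUL terminator."""
    return {adler32(name.encode("ascii")): name for name in api_names}


def resolve_hashes(observed: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map hash constants recovered from a loader back to names; None = not in table."""
    return {h: table.get(h) for h in observed}


def self_check() -> bool:
    """Cross-check the hand-written loop against zlib's Adler-32 on varied inputs."""
    samples = [b"", b"Wikipedia", b"VirtualAlloc", bytes(range(256)) * 3]
    return all(adler32(s) == zlib.adler32(s) for s in samples)


# Constructed candidate list; real analysis would load the export tables of
# kernel32.dll, ntdll.dll and friends and hash every name.
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WriteProcessMemory", "ResumeThread",
]
API_TABLE = build_hash_table(CANDIDATE_APIS)

if __name__ == "__main__":
    # Constructed "observed" constants: two that resolve and one that cannot
    # (0xFFFFFFFF has a > 65520, so it is not a valid Adler-32 value at all).
    observed = [adler32(b"VirtualAlloc"), adler32(b"GetProcAddress"), 0xFFFFFFFF]
    for h, name in resolve_hashes(observed, API_TABLE).items():
        print(f"0x{h:08X} -> {name or 'unresolved'}")
```

If the table resolves none of the constants pulled from a sample, the loader is likely hashing a different byte form (lower-cased, wide-char, or NUL-terminated names), and `build_hash_table` is the one place to change that encoding.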

Post-infection telemetry revealed additional reconnaissance activities, such as directory enumeration, environment fingerprinting, and secure tunnel creation via legitimate cloud services. These activities suggest that the attackers are not only interested in installing malware but also in gathering sensitive information from the infected systems.

As the investigation into TAOTH continues, it serves as a reminder of the importance of securing software supply chains and staying vigilant against sophisticated cyber threats.
