Chinese APT Groups Target Taiwanese Semiconductor Industry in Coordinated Phishing Campaigns Post
Chinese state-sponsored threat actors launched a wave of attacks targeting Taiwan’s vital semiconductor sector


Between March and June 2025, three Chinese state-sponsored threat actors launched a wave of spear-phishing attacks targeting Taiwan’s vital semiconductor sector, according to a report by Proofpoint. These campaigns reflect Beijing's strategic interest in achieving semiconductor self-sufficiency amid growing geopolitical tensions and technology export restrictions.
Who Was Targeted?
The attackers focused on a wide range of entities, including:
- Semiconductor manufacturers and designers
- Integrated circuit testing companies
- Supply chain vendors
- Financial analysts specializing in the Taiwanese semiconductor industry
Threat Actor Clusters and Tactics
1. UNK_FistBump
This group impersonated job-seeking graduate students and targeted HR and recruitment staff with employment-themed phishing emails. The attached file—disguised as a resume—was a malicious .lnk shortcut triggering the deployment of:
- Cobalt Strike (a penetration testing tool often misused by attackers)
- Voldemort: a custom backdoor attributed to the Chinese group TA415 (also known as APT41/Brass Typhoon)
Despite similarities to TA415, Proofpoint believes this activity is separate due to differences in malware delivery and infrastructure.
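As an added defender-side example (not code from this post or from the Proofpoint report), the following Python parses the StringData section of a Windows shortcut and flags the two traits of the resume lure described above: a document-looking filename that actually ends in .lnk, and a shortcut that launches a script host. The sample .lnk it builds is constructed here for the check and is not a real lure; the header layout and flag bits follow the MS-SHLLINK ShellLink format.

```python
import struct

# LinkFlags bits (MS-SHLLINK); StringData fields follow the header in this fixed order.
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))
SHELLLINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SCRIPT_HOSTS = ("powershell", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk, skipping the IDList and LinkInfo blocks."""
    if data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != SHELLLINK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                   # end of the fixed-size header
    if flags & HAS_IDLIST:                       # 2-byte IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                     # LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
            fields[key] = data[pos + 2:pos + 2 + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def triage(filename: str, data: bytes) -> list:
    """Flag the two traits of the resume lure: a disguised name and a script-host launch."""
    findings, stem = [], filename.lower()
    if stem.endswith(".lnk") and stem.count(".") > 1:
        findings.append("double extension hides the .lnk behind a document name")
    text = " ".join(parse_lnk(data).values()).lower()
    hits = [h for h in SCRIPT_HOSTS if h in text]
    if hits:
        findings.append("shortcut launches a script host: " + ", ".join(hits))
    return findings

def _utf16(text: str) -> bytes:
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")

def build_sample_lnk(path: str, args: str) -> bytes:
    """Constructed sample for testing, not a real lure: a Unicode ShellLink with three strings."""
    flags = HAS_NAME | HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIH10s", 0x4C, SHELLLINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, b"\0" * 10)
    return header + _utf16("Resume - J. Doe") + _utf16(path) + _utf16(args)
```

Run `triage("Resume_JDoe.pdf.lnk", build_sample_lnk(".\\v1.0\\powershell.exe", "-File open_resume.ps1"))` to see both findings; a shortcut to a plain document with no arguments returns an empty list.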
2. UNK_DropPitch
Focused on investment analysts in major financial firms, this campaign used malicious PDFs that downloaded ZIP archives containing a DLL payload. The attack chain included:
- DLL side-loading to run a backdoor named HealthKick
- TCP reverse shells for follow-up activity, including reconnaissance
- Deployment of Intel EMA for persistent remote access
Infrastructure linked to DropPitch included SoftEther VPN servers and TLS certificates previously tied to MoonBounce and SideWalk (ScrambleCross) malware—tools commonly associated with Chinese espionage groups.
3. UNK_SparkyCarp
This campaign used credential phishing via an adversary-in-the-middle (AitM) technique. Emails mimicked account security alerts, directing recipients to a fake login portal (accshieldportal[.]com) designed to harvest credentials.
A tracking beacon embedded in the emails (acesportal[.]com) suggests that victim activity was being monitored, possibly for follow-up compromise. This group previously targeted the same company in November 2024.
4. Additional Actor: UNK_ColtCentury (TAG-100 / Storm-2077)
While not directly involved in the main attacks, this group used benign emails to build rapport with legal personnel before attempting to deliver Spark RAT, a remote access trojan.
Strategic Implications
Proofpoint notes that these activities align with China’s broader objective to reduce dependency on foreign semiconductor supply chains. The targeting of non-obvious roles like analysts and legal teams shows a deep, coordinated intelligence strategy beyond traditional industrial espionage.
“These emerging threat actors exhibit long-standing TTPs aligned with Chinese state interests,” the report concludes.