An abandoned update server associated with input method editor (IME) software Sogou Zhuyin was leveraged by threat actors as part of an espionage campaign to deliver several malware families, including C6DOOR and GTELAM, in attacks primarily targeting users across Eastern Asia.
“Attackers employed sophisticated infection chains, such as hijacked software updates and fake cloud storage or login pages, to distribute malware and collect sensitive information,” Trend Micro researchers Nick Dai and Pierre Lee said in an exhaustive report.
The campaign, identified in June 2025, has been codenamed TAOTH by the cybersecurity company. Targets of the activity mainly include dissidents, journalists, researchers, and technology/business leaders in China, Taiwan, Hong Kong, Japan, South Korea, and overseas Taiwanese communities. Taiwan accounts for 49% of all targets, followed by Cambodia (11%) and the U.S. (7%).
According to the report, the attackers registered the lapsed domain name (“sogouzhuyin[.]com”) associated with Sogou Zhuyin, a legitimate IME service that stopped receiving updates in June 2019, in October 2024 and began using it to disseminate malicious payloads the following month. It’s estimated that several hundred victims were impacted.
“The attacker took over the abandoned update server and, after registering it, used the domain to host malicious updates since October 2024,” the researchers said. “Through this channel, multiple malware families have been deployed, including GTELAM, C6DOOR, DESFY, and TOSHIS.”

The deployed malware families serve different purposes, including remote access (RAT), information theft, and backdoor functionality. To evade detection, the threat actors also leveraged legitimate third-party cloud services such as Google Drive across the attack chain, both as a data exfiltration point and to blend the malicious network traffic in with ordinary cloud activity.
The attack chain begins when unsuspecting users download the official installer for Sogou Zhuyin from a link on the Internet, such as the Traditional Chinese Wikipedia entry for Sogou Zhuyin, which was edited in March 2025 to point users to the attacker-controlled host dl[.]sogouzhuyin[.]com.
While the installer is completely innocuous, the malicious activity kicks in when the automatic update process is triggered a couple of hours after installation, causing the updater binary, “ZhuyinUp.exe,” to fetch an update configuration file from an embedded URL: “srv-pc.sogouzhuyin[.]com/v1/upgrade/version.”
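Because the installer itself is clean, the detection opportunity is the network side: any client resolving or proxying to the hijacked domain after the takeover, and in particular the update-config fetch that ZhuyinUp.exe makes to srv-pc.sogouzhuyin[.]com/v1/upgrade/version. The following script is an added example (not code from Trend Micro or from the report) that scans proxy log lines for those indicators; the log layout, the sample lines, and the installer file name are constructed for illustration, and the Google Drive hosts are an assumption about where Drive uploads land.

```python
import re
from collections import defaultdict

# Indicators quoted in the article: the lapsed domain the attackers registered,
# the installer host the Wikipedia entry was edited to point at, and the path
# ZhuyinUp.exe requests for its update configuration.
HIJACKED_DOMAIN = "sogouzhuyin.com"
INSTALLER_HOST = "dl.sogouzhuyin.com"
UPDATE_HOST = "srv-pc.sogouzhuyin.com"
UPDATE_PATH = "/v1/upgrade/version"

# Assumption: hosts a Google Drive upload is likely to hit. Traffic to them is
# benign on its own and is only reported as context for an already-flagged client.
CLOUD_EXFIL_HOSTS = {"drive.google.com", "www.googleapis.com"}

# Assumed proxy log layout (hypothetical, not taken from the report):
# "<timestamp> <client_ip> <host> <method> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<method>\S+)\s+(?P<path>\S+)"
)

# Constructed sample log: one client installs, beacons for an update two hours
# later and then uploads to Drive; a second client only fetched the installer.
SAMPLE_LOG = """\
2025-03-12T09:14:02Z 10.0.5.23 dl.sogouzhuyin.com GET /download/SogouZhuyin_Setup.exe
2025-03-12T09:15:10Z 10.0.5.23 zh.wikipedia.org GET /wiki/Sogou_Zhuyin
2025-03-12T11:30:41Z 10.0.5.23 srv-pc.sogouzhuyin.com GET /v1/upgrade/version
2025-03-12T11:31:05Z 10.0.5.23 drive.google.com POST /upload/drive/v3/files
2025-03-12T12:02:17Z 10.0.7.8 dl.sogouzhuyin.com GET /download/SogouZhuyin_Setup.exe
2025-03-12T12:05:00Z 10.0.9.1 example.com GET /index.html
"""


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def under_hijacked_domain(host):
    """True for sogouzhuyin.com itself and any subdomain of it (case-insensitive)."""
    h = host.lower().rstrip(".")
    return h == HIJACKED_DOMAIN or h.endswith("." + HIJACKED_DOMAIN)


def classify(rec):
    """Return the reasons a record is interesting; empty list means not flagged."""
    if not under_hijacked_domain(rec["host"]):
        return []
    host = rec["host"].lower().rstrip(".")
    reasons = ["contact with hijacked domain " + HIJACKED_DOMAIN]
    if host == INSTALLER_HOST:
        reasons.append("installer download host (Wikipedia redirect target)")
    if host == UPDATE_HOST and rec["path"].lower().startswith(UPDATE_PATH):
        reasons.append("ZhuyinUp.exe update-config fetch")
    return reasons


def scan(lines):
    """Return {client: [(ts, host, path, reasons), ...]} for every client that
    touched the hijacked domain. Cloud uploads from such a client are kept as
    context; clients that only talked to Google Drive are not reported."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_client[rec["client"]].append(rec)

    report = {}
    for client, recs in per_client.items():
        events, touched = [], False
        for rec in recs:
            reasons = classify(rec)
            if reasons:
                touched = True
            elif (rec["host"].lower() in CLOUD_EXFIL_HOSTS
                  and rec["method"].upper() in ("POST", "PUT")):
                reasons = ["upload to cloud storage (context only; benign on its own)"]
            if reasons:
                events.append((rec["ts"], rec["host"], rec["path"], reasons))
        if touched:
            report[client] = events
    return report


def priority(report):
    """Rank clients: an observed update-config fetch means the updater already
    reached the attacker-controlled server, so it outranks an installer-only hit."""
    ranked = []
    for client, events in report.items():
        fetched_update = any("update-config" in r for _, _, _, reasons in events for r in reasons)
        ranked.append(("high" if fetched_update else "medium", client))
    return sorted(ranked)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for level, client in priority(hits):
        print(f"[{level}] {client}")
        for ts, host, path, reasons in hits[client]:
            print(f"    {ts} {host}{path}  <- {'; '.join(reasons)}")
```

Two points worth keeping in mind when adapting this: the hijacked domain was attacker-controlled from October 2024, so installer downloads before that date are not evidence of compromise and the scan should be bounded to the takeover window; and Google Drive traffic is never an indicator by itself, which is why the script only surfaces it for clients that already contacted the hijacked domain.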

It’s this update process that has been tampered with to deliver DESFY, GTELAM, C6DOOR, and TOSHIS, with the ultimate goal of profiling and gathering data from high-value targets –
- TOSHIS (First detected December 2024), a loader designed to fetch next-stage payloads (Cobalt Strike or the Merlin agent for the Mythic framework) from an external server. It’s also a variant of Xiangoop, which has been attributed to Tropic Trooper and has been used to deliver Cobalt Strike or a backdoor called EntryShell in the past.
- DESFY (First detected May 2025), a spyware that collects file names from two locations: Desktop and Program Files
- GTELAM (First detected May 2025), another spyware that collects file names matching a specific set of extensions (PDF, DOC, DOCX, XLS, XLSX, PPT, and PPTX), and exfiltrates the details to Google Drive
- C6DOOR, a bespoke Go-based backdoor that uses HTTP and WebSocket protocols for command-and-control so as to receive instructions to gather system information, run arbitrary commands, perform file operations, upload/download files, capture screenshots, list running processes, enumerate directories, and inject shellcode into a targeted process
Further analysis of C6DOOR has uncovered the presence of embedded Simplified Chinese characters within the sample, suggesting that the threat actor behind the artifact may be proficient in Chinese.

“It appears that the attacker was still in the reconnaissance phase, primarily seeking high-value targets,” Trend Micro said. “As a result, no further post-exploitation activities were observed in the majority of victim systems. In one of the cases we analyzed, the attacker was inspecting the victim’s environment and establishing a tunnel using Visual Studio Code.”

Interestingly, there is evidence that TOSHIS was also distributed to targets using a phishing website, likely in connection with a spear-phishing campaign targeting Eastern Asia and, to a lesser extent, Norway and the U.S. The phishing attacks have also been observed adopting a two-pronged approach –
- Serving fake login pages with lures related to free coupons or PDF readers that redirect and grant OAuth consent to attacker-controlled apps, or
- Serving fake cloud storage pages that mimic Tencent Cloud StreamLink to download malicious ZIP archives containing TOSHIS
These phishing emails include a booby-trapped URL and a decoy document that tricks the recipient into interacting with the malicious content, ultimately activating a multi-stage attack sequence designed to drop TOSHIS using DLL side-loading or obtain unauthorized access and control over their Google or Microsoft mailboxes through an OAuth permission prompt.
Trend Micro said TAOTH overlaps in infrastructure and tooling with threat activity previously documented by ITOCHU, painting the picture of a persistent threat actor with a focus on reconnaissance, espionage, and email abuse.
To combat these threats, organizations are recommended to routinely audit their environments for any end-of-support software and promptly remove or replace such applications. Users are urged to review the permissions requested by cloud applications before granting access.
“In the Sogou Zhuyin operation, the threat actor maintained a low profile, conducting reconnaissance to identify valuable targets among victims,” the company said. “Meanwhile, in the ongoing spear-phishing operations, the attacker distributed malicious emails to the targets for further exploitation.”