A series of spear phishing operations targeting organizations across North America, Asia and Europe has been linked to a China-aligned group known as UTA0388.
The campaigns, initially detected by Volexity from June to August 2025, used tailored messages impersonating senior researchers from fabricated institutions to trick recipients into downloading malware-laden archive files.
New Techniques and Malware Evolution
Volexity identified that UTA0388 shifted from simple phishing links to “rapport-building phishing,” where attackers engaged in extended conversations with targets before delivering malicious files.
The malware distributed through these campaigns (tracked by Volexity as “GOVERSHELL”) was found in five evolving variants, capable of executing remote commands, gathering system data and maintaining persistence on infected systems.
Each attack typically involved an archive file containing a legitimate-looking executable and a hidden malicious dynamic link library (DLL). When opened, the DLL is loaded via search order hijacking, granting the attacker remote access.
The GOVERSHELL malware demonstrated a progression from basic command-line shells to advanced variants using encrypted WebSocket and HTTPS communication channels.
Read more on cyber-threats leveraging artificial intelligence: 2025 to be a Year of Reckoning for AI in Cybersecurity
Signs of AI-Generated Phishing
Volexity’s report, published on Sunday, presents strong evidence that UTA0388 used large language models (LLMs) to craft emails and even aid malware development.
Indicators include fabricated institutions, unrealistic personas and linguistic inconsistencies across multiple languages. Some phishing emails combined English, Mandarin and German in a single message.
Odd file inclusions in malware archives, such as pornographic videos, nonsensical text and Buddhist chants, also point to automated or LLM-generated outputs.
“This campaign consistently lacked coherence in a way that is more suggestive of context-unaware automation,” Volexity explained.
Attribution and Implications
Technical analysis linked GOVERSHELL’s development environment to systems using Simplified Chinese, reinforcing the assessment that UTA0388 operates in China’s interests, particularly in relation to Asian geopolitical issues.
The group’s infrastructure mirrored that of earlier campaigns tracked by Proofpoint under the name “UNK_DropPitch,” which distributed a related malware known as “HealthKick.”
Key indicators from Volexity’s findings for this campaign include:
-
Use of cloud hosting services like Netlify and OneDrive to deliver payloads
-
Domain names impersonating major firms such as Microsoft and Apple
-
Rapid campaign tempo, with up to 26 phishing emails sent within three days
Volexity concludes that while no single artifact proves LLM use, the collective evidence strongly supports it.
“[We do] not have sufficient data to be able to say whether UTA0388’s foray into LLM-powered campaigns has been a success,” the firm explained.
“But the volume of tailored phishing output (even if sometimes in the wrong language) will yield a significant number of opportunities to successfully gain access to targets.”
