3 State-Sponsored Groups Spear-Phish Semiconductor Ecosystem

Chinese state-aligned hackers have ramped up espionage efforts against Taiwan’s semiconductor ecosystem through spear-phishing campaigns.
Between March and June, three distinct threat actors – UNK_FistBump, UNK_DropPitch and UNK_SparkyCarp – targeted chipmakers, packaging and testing firms, equipment suppliers and even financial analysts tracking the semiconductor sector, with espionage as the likely motive, according to a report by Proofpoint.
“Targets of these campaigns ranged from organizations involved in the manufacturing, design, and testing of semiconductors and integrated circuits, wider equipment and services supply chain entities within this sector, as well as financial investment analysts specializing in the Taiwanese semiconductor market,” Proofpoint said.
UNK_FistBump used job-themed lures, posing as graduate students applying for positions. The attackers sent phishing emails from compromised Taiwanese university email accounts to HR and recruiting teams at semiconductor companies. Attached documents led to malware-laced ZIP or PDF files hosted on file-sharing platforms such as Zendesk and Filemail.
The campaigns delivered either the well-known Cobalt Strike Beacon payload or a custom backdoor known as Voldemort. The malware used DLL sideloading techniques and, in some cases, Google Sheets as a command-and-control channel. “In an unusual campaign in late May 2025, UNK_FistBump included two distinct infection chains beginning with the same password-protected archive,” the report said. One led to Cobalt Strike, the other to Voldemort.
While Voldemort was previously associated with TA415 or APT41, Proofpoint analysts said the differing techniques suggest UNK_FistBump is a distinct group. “Due to these and other divergences, coupled with the wider propensity of custom capability sharing across Chinese cyberespionage threat actors, Proofpoint is tracking UNK_FistBump activity as distinct to TA415 at this time.”
UNK_DropPitch, meanwhile, focused on financial investment professionals specializing in Taiwan’s semiconductor and technology sectors. The attackers impersonated fictitious investment firms and sent malicious ZIP files containing vulnerable executables and DLLs, resulting in the delivery of backdoors such as HealthKick or a simple raw TCP reverse shell. The malware communicated with C2 servers over TCP port 465 using FakeTLS and XOR encryption.
“In April and May, Proofpoint observed another China-aligned threat actor tracked as UNK_DropPitch conducting targeted phishing campaigns against multiple large investment banks,” the report said. “The HealthKick backdoor then attempts to create a web socket to the actor-controlled IP address 82.118.16[.]72 over TCP port 465.”
Proofpoint said UNK_SparkyCarp used an adversary-in-the-middle phishing framework to harvest credentials from Taiwanese chip companies. In one campaign, emails disguised as login security alerts directed victims to fake login portals hosted on attacker-controlled domains such as accshieldportal[.]com. The group previously targeted the same sector in 2024 using similar tactics.
“Since March 2025, this shifted to sightings of multiple campaigns from different China-aligned groups specifically targeting this sector, with a particular emphasis on Taiwanese entities,” the researchers said.
Proofpoint attributes this intensified targeting to China’s strategic goal of achieving semiconductor self-sufficiency. “This activity likely reflects China’s strategic priority to achieve semiconductor self-sufficiency and decrease reliance on international supply chains and technologies,” the report said, referencing economic initiatives like China’s Five-Year Plans and pressures from global export controls.
“As many well-established China-aligned threat actors have shifted tactics, techniques and procedures towards exploitation of edge devices and other initial access vectors, Proofpoint has observed an influx of new China-aligned clusters to the phishing threat landscape,” the researchers said.
The report warns that the Taiwanese semiconductor industry now sits squarely in the crosshairs of China’s cyberespionage machine, not only for its technical leadership but also for its role in the global chip supply chain and financial markets.