Chinese Hackers Target Taiwan’s Chip Industry

Taiwan’s semiconductor chip industry has been the focus of a coordinated cyber espionage campaign conducted by three Chinese state-aligned hacking groups, according to a recent threat intelligence report. These attacks, spanning from March to June 2025, targeted various segments of the semiconductor supply chain—including design, manufacturing, testing, and financial analysis functions.

The threat actors, tracked under the identifiers UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp, employed advanced spear-phishing techniques, backdoors, and command-and-control infrastructure. Their goal: gather intelligence and potentially disrupt operations in Taiwan’s globally critical chip sector.

Cobalt Strike, custom malware, and AitM kits used in attacks

UNK_FistBump used employment-themed phishing emails to target HR personnel, delivering malware such as Cobalt Strike and a custom backdoor named “Voldemort.” The messages often appeared to be job applications, with LNK files disguised as resumes. Once opened, victims triggered a multi-stage payload while simultaneously being shown a decoy document.
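One defensive check a mail gateway or SOC triage script can apply to the lure described above is to flag shortcut (LNK) attachments, especially those carrying a document-style double extension such as "resume.pdf.lnk", which Windows Explorer displays as "resume.pdf" because it hides the .lnk suffix. The following Python is an added example written for this article, not code from the report or from any of the tracked groups; the attachment names are constructed samples and the function names are my own.

```python
import os

# Constructed sample attachments for the demonstration (not data from the report).
SAMPLE_ATTACHMENTS = [
    {"filename": "Resume_Chen.pdf.lnk", "size": 2_048},
    {"filename": "CV_final.docx", "size": 45_120},
    {"filename": "portfolio.lnk", "size": 1_500},
    {"filename": "cover_letter.pdf", "size": 88_000},
    {"filename": "job_application.zip", "size": 300_000},
]

# Windows shortcut types that have no legitimate place in a job application.
SHORTCUT_EXTENSIONS = {".lnk", ".url"}

# Document extensions a disguised shortcut may borrow ("resume.pdf.lnk").
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}


def classify_attachment(filename):
    """Return the reasons an attachment name looks like a disguised shortcut.

    An empty list means nothing about the name itself is suspicious.
    """
    reasons = []
    root, ext = os.path.splitext(filename.lower())
    if ext in SHORTCUT_EXTENSIONS:
        reasons.append(f"shortcut file type {ext}")
        # Explorer hides .lnk, so "x.pdf.lnk" renders as "x.pdf" to the user.
        inner_ext = os.path.splitext(root)[1]
        if inner_ext in DOC_EXTENSIONS:
            reasons.append(f"double extension {inner_ext}{ext} mimics a document")
    return reasons


def flag_suspicious_attachments(attachments):
    """Map each suspicious attachment name to its list of reasons.

    Attachments that produce no reasons are omitted, so the result can be
    fed directly into a quarantine or analyst-review queue.
    """
    flagged = {}
    for attachment in attachments:
        reasons = classify_attachment(attachment["filename"])
        if reasons:
            flagged[attachment["filename"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_suspicious_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Running it on the constructed list flags the two shortcut files and leaves the genuine PDF, DOCX and ZIP alone; the ZIP is deliberately not flagged here because archives need their contents unpacked and passed through the same check, which a gateway would do in a separate step.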


UNK_DropPitch focused on investment analysts and decision-makers within the semiconductor domain. Their attacks involved malicious PDF links that delivered DLL-based payloads like “HealthKick,” capable of executing commands and exfiltrating data. In some instances, the attackers established TCP reverse shells to maintain long-term access.

The third cluster, UNK_SparkyCarp, deployed adversary-in-the-middle (AitM) phishing kits to harvest credentials from a targeted Taiwanese chip company. This campaign mimicked security alerts and led users to spoofed login portals. Supporting infrastructure linked the actors to previous operations attributed to China-based cyber units.

Espionage campaign linked to China’s semiconductor self-sufficiency drive

The report suggests these attacks are part of China’s broader goal to achieve semiconductor independence amid increasing export restrictions and geopolitical tensions. Some attack infrastructure was found to use SoftEther VPN servers and shared TLS certificates previously linked to Chinese malware families.

The coordinated nature and technical sophistication of the attacks indicate a strategic, long-term campaign to extract sensitive intellectual property and economic intelligence. Security researchers have emphasized the growing risk posed to high-value industries, especially those at the centre of global technology supply chains.
