On July 16th, Proofpoint reported that China-linked groups have increased phishing attacks on Taiwan’s semiconductor sector, driven by Beijing’s focus on chip independence amid export controls. Between March and June 2025, Proofpoint tracked several campaigns. UNK_FistBump targeted chip companies with job-themed lures, UNK_DropPitch focused on financial analysts covering the sector, and UNK_SparkyCarp used credential phishing through custom adversary-in-the-middle kits. These activities reveal intelligence-gathering efforts that extend beyond technical firms to include financial players connected to the industry.
A Growing Trend
Although UNK_FistBump shares some characteristics with TA415, targeting Taiwan’s semiconductor sector and utilizing Voldemort malware, Proofpoint identified differences in tools and command-and-control methods that suggest separate groups. UNK_FistBump relies on simpler loaders and direct IP connections, unlike TA415’s more complex approaches. Given these differences and the known sharing of malware among Chinese espionage groups, Proofpoint currently treats UNK_FistBump as a distinct cluster.
In 2024 and 2025, other China-linked actors also targeted Taiwan’s semiconductor industry. UNK_SparkyCarp used fake login warnings and a custom adversary-in-the-middle kit to steal credentials from a specific company. UNK_ColtCentury, linked to TAG-100, sent casual emails to legal staff at another firm, likely to set up SparkRAT infections. These efforts follow earlier targeting trends and reflect ongoing interest in accessing different roles within the sector.
Traditional targets, such as government and defense, remain in focus; however, newer groups have emerged, relying more on phishing than on technical exploits. These groups operate in line with Chinese state interests and employ tools and techniques commonly used in earlier Chinese cyberespionage campaigns.
What Did Augur Know and When?
Augur identified infrastructure used in this campaign in August and September 2024; blocking it at that point would have prevented C2 communications and intelligence collection by these APT groups.
Table 1 below shows the infrastructure identified by Augur several months in advance, both for infrastructure owned by Chelyabinsk-Signal and for infrastructure owned by Green Floid LLC (previously known as ITL).

Table 2 shows the uses of the identified infrastructure in these campaigns and the value Augur brings to our clients.

Recommendations
1. Adopt Preemptive Cybersecurity Measures
- Augur automatically identifies spear-phishing campaigns and preemptively blocks malicious email patterns before users are compromised.
- By combining AI-driven monitoring with threat intelligence, Augur could have detected these campaigns early, potentially preventing credential theft and the exfiltration of sensitive intellectual property.
- It works with SIEM, EDR, and email security platforms to enforce automated responses or isolate compromised systems.
- It provides dashboards and reports for both operational teams and executive leadership.
2. Strengthen Email Security & User Awareness
- Enable advanced email filtering: block ZIP/LNK attachments, and scan for resume-themed content and known malicious payload hashes (e.g., those listed in Proofpoint’s indicators).
- Train HR and Recruitment staff on targeted spear-phishing methods, especially fake recruitment or job-lure tactics.
3. Enhance Endpoint & Threat Hunting
- The Threat Hunt team should develop behavioral hunting rules and deploy detection tools to identify activity related to Cobalt Strike, HealthKick, Voldemort, and Spark.
- Monitor detections of PDFs, LNKs, side-loaded DLLs, or Google Sheets / Filemail URLs linked to campaigns.
4. Strengthen Credential Security & Monitoring
- Require multi-factor authentication (MFA) on all corporate accounts, particularly for financial analysts or roles related to semiconductors.
- Monitor for suspicious logins and unusual access patterns, especially following email campaigns.
5. Incident Response Readiness
- Prepare playbooks for phishing-based intrusion, including:
  - Email origin tracing (e.g. spoofed university accounts)
  - Containment of C2 domains/IPs
  - Analysis of suspicious LNK or DLL artifacts by hash (per Proofpoint’s published indicators)
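Recommendations 2 and 3 above, as an added illustration that is not Augur's or Proofpoint's code: a small Python triage routine that runs over constructed email metadata and flags ZIP/LNK attachments paired with job-themed subjects, attachment hashes found on an indicator list, and Google Sheets or Filemail links. The indicator set, the lure keyword list and the sample messages are assumptions; the real hashes would come from Proofpoint's published indicators.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# PLACEHOLDER indicator set (assumed): load the SHA-256 values from
# Proofpoint's published indicators here instead of this dummy entry.
KNOWN_BAD_SHA256 = {"<placeholder-sha256-from-proofpoint-indicators>"}
# File-sharing hosts named in the recommendations (Google Sheets / Filemail).
FILE_SHARE_DOMAINS = ("docs.google.com", "filemail.com")
# Keyword list for job/resume-themed lures (assumed; tune per organisation).
LURE_WORDS = re.compile(r"\b(resume|cv|job|position|application|candidate)\b", re.I)
RISKY_EXT = (".zip", ".lnk")

@dataclass
class Email:
    sender: str
    subject: str
    attachments: list           # list of (filename, sha256) tuples
    urls: list = field(default_factory=list)

def _on_file_share(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in FILE_SHARE_DOMAINS)

def triage(msg: Email, bad_hashes=KNOWN_BAD_SHA256) -> list:
    """Return the sorted list of rule names that fired for one message."""
    hits = set()
    risky = [n for n, _ in msg.attachments if n.lower().endswith(RISKY_EXT)]
    if risky:
        hits.add("risky_attachment")               # ZIP/LNK delivered by mail
        if LURE_WORDS.search(msg.subject):         # paired with a job-themed lure
            hits.add("job_lure_with_risky_attachment")
    if any(s.lower() in bad_hashes for _, s in msg.attachments):
        hits.add("known_bad_hash")                 # attachment matches an indicator
    if any(_on_file_share(u) for u in msg.urls):
        hits.add("file_share_url")                 # Google Sheets / Filemail link
    return sorted(hits)

# Constructed sample messages, not real campaign data.
SAMPLE_MESSAGES = [
    Email("recruiter@example-university.edu",
          "Resume for Senior Process Engineer position",
          [("Resume_Chen.zip", "aa" * 32)],
          ["https://docs.google.com/spreadsheets/d/example"]),
    Email("vendor@example.com", "Q3 wafer delivery schedule",
          [("schedule.pdf", "bb" * 32)]),
]

def triage_all(msgs=SAMPLE_MESSAGES) -> dict:
    """Map each sender to the rules that fired, for a SIEM or ticket feed."""
    return {m.sender: triage(m) for m in msgs}
```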