Cybersecurity Risks Related to Sogou Zhuyin
Overview of the Espionage Campaign
A recently uncovered espionage campaign has highlighted the risk posed by an abandoned update server linked to the input method editor (IME) software Sogou Zhuyin. Threat actors have exploited this neglected domain to distribute several malware families, chiefly targeting users in Eastern Asia. Research by Trend Micro, conducted by analysts Nick Dai and Pierre Lee, details the operational strategies employed by these attackers.
Reconnaissance and Target Selection
Identified in June 2025, this campaign, codenamed TAOTH, predominantly targets dissidents, journalists, researchers, and business leaders in regions like China, Taiwan, Hong Kong, Japan, South Korea, and Taiwanese communities abroad. Alarmingly, Taiwan constitutes nearly half (49%) of all identified targets, with Cambodia and the United States following at 11% and 7%, respectively. The attackers took control of the domain "sogouzhuyin[.]com" in October 2024, which had been inactive since June 2019, enabling them to disseminate malicious updates.
Malware Distribution Techniques
The compromised server has been manipulated to host harmful updates, effectively allowing the attackers to target several hundred victims. This malware deployment includes families such as GTELAM, C6DOOR, DESFY, and TOSHIS. Trend Micro explains that these sophisticated infection methods often utilize hijacked software updates alongside fake cloud storage or login pages. These techniques not only distribute malware but also enable the collection of sensitive user data.
Mechanics of the Attack Chain
The initial phase of the attack chain begins with unsuspecting users downloading what appears to be a legitimate installer for Sogou Zhuyin. The installer is reached through ostensibly trustworthy sources, such as the Traditional Chinese Wikipedia page for the software, whose download link had been quietly altered to point at the malicious domain "dl[.]sogouzhuyin[.]com."
Once installed, the seemingly benign software runs an automatic update check hours later, invoking the updater binary "ZhuyinUp.exe." This binary fetches an update configuration file from a URL embedded in it; because the domain behind that URL is now attacker-controlled, the configuration directs the updater to malicious payloads.
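The defensive check this hijack suggests is to flag update traffic to domains that were re-registered after their vendor went quiet. The Python below is an added example, not code from the Trend Micro report; the log lines, the log format, the URL paths and the exact watchlist dates are constructed (the report gives only the months June 2019 and October 2024).

```python
# Added example: flag software-update traffic whose destination is an update
# domain re-registered after the vendor stopped using it, the pattern behind the
# Sogou Zhuyin hijack. Log lines and watchlist dates are constructed for the demo.
import re
from datetime import date

# Constructed watchlist keyed by registrable domain. Dates follow the report's
# months (vendor quiet since June 2019, re-registered October 2024); days assumed.
WATCHLIST = {
    "sogouzhuyin.com": {
        "vendor_last_active": date(2019, 6, 1),
        "registered": date(2024, 10, 1),
    },
}

# Constructed EDR-style network telemetry: timestamp, endpoint, process, destination, path.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+dst=(?P<dst>\S+)\s+path=(?P<path>\S+)$"
)

def registrable_domain(fqdn):
    """Collapse a hostname to its last two labels (no public-suffix list; adequate for .com)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def abandonment_gap_days(fqdn):
    """Days between the vendor going quiet and the current registration; None if unlisted or not re-registered."""
    entry = WATCHLIST.get(registrable_domain(fqdn))
    if entry is None or entry["registered"] <= entry["vendor_last_active"]:
        return None
    return (entry["registered"] - entry["vendor_last_active"]).days

def find_hijacked_update_traffic(lines, min_gap_days=90):
    """Return (host, process, destination, path) for connections to re-registered update domains."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed telemetry instead of failing the whole batch
        rec = m.groupdict()
        gap = abandonment_gap_days(rec["dst"])
        if gap is not None and gap >= min_gap_days:
            hits.append((rec["host"], rec["proc"], rec["dst"], rec["path"]))
    return hits

SAMPLE_LOGS = [  # constructed; the config and payload paths are placeholders
    "2025-06-03T09:14:02Z host=WS-017 proc=ZhuyinUp.exe dst=dl.sogouzhuyin.com path=/update/config.xml",
    "2025-06-03T09:14:05Z host=WS-017 proc=chrome.exe dst=www.wikipedia.org path=/",
    "2025-06-03T09:20:11Z host=WS-022 proc=ZhuyinUp.exe dst=sogouzhuyin.com path=/update/payload.bin",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in find_hijacked_update_traffic(SAMPLE_LOGS):
        print("suspicious update fetch:", hit)
```

In practice the watchlist would be populated from WHOIS creation dates and the vendor's end-of-support date for each installed application, which is the audit the report recommends.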
Key Malware Families and Their Functions
TOSHIS
First detected in December 2024, TOSHIS functions primarily as a loader responsible for fetching subsequent payloads, such as Cobalt Strike or a Merlin agent, from external servers. This strain is a variant of Xiangoop, previously linked to other cybercriminal activity.
DESFY
Emerging in May 2025, DESFY is a spyware variant designed to collect file names from specific directories, including Desktop and Program Files.
GTELAM
Also first seen in May 2025, GTELAM specializes in gathering file names with certain extensions (like PDF, DOCX, and PPTX) and subsequently exfiltrating this data to Google Drive.
C6DOOR
C6DOOR, a bespoke backdoor written in Go, utilizes HTTP and WebSocket for command and control. Its capabilities include gathering system information, executing arbitrary commands, and managing file operations. Noteworthy is its embedded use of Simplified Chinese characters, hinting at the attackers’ probable language proficiency.
Current Activities and Future Implications
Trend Micro indicates that the attackers are largely in a reconnaissance phase, concentrating on identifying high-value targets, without engaging in extensive post-exploitation activities. There is evidence suggesting that TOSHIS has been circulated through phishing sites, further complicating the cybersecurity landscape in Eastern Asia and beyond.
Phishing Tactics
The campaign employs a two-tiered phishing approach, in which fake websites mimic credible services offering free promotions or cloud storage. These sites lure victims into granting OAuth consent to attacker-controlled apps, giving the attackers unauthorized access to the victims' accounts.
Recommendations for Enhanced Security
To mitigate the risks associated with threats like those posed by TAOTH, organizations should conduct regular audits of their software environments, specifically targeting end-of-support applications. Users are advised to scrutinize the permissions requested by cloud services before granting access.
Trend Micro emphasizes that the TAOTH operation displays a deliberate low-profile tactic focused on reconnaissance and identification of valuable targets, underlining the importance of vigilance in cyber defense strategies.