A sophisticated Chinese state-sponsored cyber espionage campaign has emerged targeting Taiwan\u2019s critical semiconductor industry, employing weaponized Cobalt Strike beacons and advanced social engineering tactics.<\/p>\n
Between March and June 2025, multiple threat actors launched coordinated attacks against semiconductor manufacturing, design, and supply chain organizations, reflecting China\u2019s strategic imperative to achieve technological self-sufficiency in this vital sector.<\/p>\n
The campaign represents a significant escalation in Chinese cyber operations<\/a> against Taiwan\u2019s semiconductor ecosystem, with attackers leveraging employment-themed phishing emails to deliver malicious payloads.<\/p>\n The timing of these operations coincides with heightened geopolitical tensions and ongoing export controls that have intensified China\u2019s focus on acquiring semiconductor<\/a> technologies and intelligence through cyber means.<\/p>\n The primary threat actor, designated UNK_FistBump, orchestrated the most technically sophisticated attacks during May and June 2025, specifically targeting Taiwan-based semiconductor manufacturers and their supply chain partners.<\/p>\n These operations utilized compromised Taiwanese university email accounts to enhance credibility and bypass initial security screening mechanisms.<\/p>\n Proofpoint analysts identified<\/a> that UNK_FistBump employed a dual-payload strategy, delivering both Cobalt Strike Beacon implants and a custom backdoor called Voldemort through carefully crafted spearphishing campaigns.<\/p>\n The attackers posed as graduate students seeking employment opportunities, using subject lines such as \u201cProduct Engineering (Material Analysis\/Process Optimization) \u2013 National Taiwan University\u201d to lure human resources personnel and recruitment staff.<\/p>\n The malware\u2019s infection mechanism demonstrates remarkable technical sophistication, beginning with password-protected RAR archives containing malicious LNK files.<\/p>\n Upon execution, the LNK file The script copies four essential files to the The attack chain leverages DLL sideloading<\/a> techniques against the legitimate This DLL serves as a sophisticated loader that decrypts an RC4-encrypted Cobalt Strike Beacon payload stored in the The decryption process can be represented as:-<\/p>\n The malware establishes persistence<\/a> through registry modification, creating an entry at The Cobalt Strike<\/a> Beacon subsequently establishes command and control communications with the server This campaign underscores the evolving threat landscape facing Taiwan\u2019s semiconductor industry, where state-sponsored actors are increasingly deploying sophisticated multi-stage malware delivery systems to compromise critical infrastructure and intellectual property.<\/p>\n Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams ->\u00a0Try ANY.RUN Now<\/a><\/strong><\/p>\n The post Chinese State-Sponsored Hackers Attacking Semiconductor Industry with Weaponized Cobalt Strike<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n\u5d17\u4f4d\u5339\u914d\u5ea6\u8aaa\u660e.pdf.lnk<\/code> triggers a VBS script named Store.vbs<\/code> that performs several critical operations.<\/p>\nC:UsersPublicVideos<\/code> directory: javaw.exe<\/code>, jli.dll<\/code>, rc4.log<\/code>, and a decoy PDF document to maintain operational security.<\/p>\nAdvanced DLL Sideloading and Persistence Mechanisms<\/strong><\/h2>\n
javaw.exe<\/code> executable, which loads the malicious jli.dll<\/code> library.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjyglNZf8gsHrwHYlI1CKJN-7Y-k1OI_1sDFHjdjIhWVdu5V1EgTQ0jhYXbxJZr_RU2d0fHbWEdVwVI1wcINxZQOlST6p0AoJXYgyUbKzyPEiBvW1_X5MRKrNtgCWhp1QgdQ6y0AgxLN39CFw373P4NVjaSI72R1RP0S1sGqYOfKkXzqBmxEgiR_kfIrVo\/s16000\/Infection%2520chains%2520%28Source%2520-%2520Proofpoint%29.webp?ssl=1\")
rc4.log<\/code> file using the hardcoded key qwxsfvdtv<\/code>.<\/p>\nRC4_Decrypt(rc4.log, \"qwxsfvdtv\") \u2192 Cobalt Strike Beacon<\/code><\/pre>\nHKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun<\/code> that ensures the malicious javaw.exe<\/code> executable launches during system startup.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjfs19VA9toRxDRqWOcd-aSvVCUIPavamIW6akqcxW22D3uWAkB3pC9zcQ8xsCqMSvBtcfbcgF6YnO80KgawIkv8V3BwwEebd9vZvU16iDH5ZXPxIodlBmxiWEv7CwOKYhVyo9xQWMoZRJKGZBud_bSMsT-pjxQeiWimbch73kUuADXY5PeAYEEKF6Ps6M\/s16000\/UNK_DropPitch%2520infection%2520chain%2520%28Source%2520-%2520Proofpoint%29.webp?ssl=1\")
166.88.61[.]35<\/code> over TCP port 443, utilizing a customized GoToMeeting malleable C2 profile to blend network traffic with legitimate collaboration software communications.<\/p>\n