Threat Research

    Labs have uncovered targeted phishing campaigns in Taiwan that exploit local business workflows. The attacks deliver Winos 4.0 (ValleyRat) and additional malicious plugins through weaponized attachments and embedded links. Lures impersonate official communications, including tax audit notices, tax software installers, and cloud e-invoice downloads....
    PlushDaemon is a China-aligned espionage group active since at least 2018, targeting entities in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand....
    APT24, a PRC-nexus linked threat actor, has been running a long-term cyber-espionage campaign that spans three years and leverages BADAUDIO, a highly obfuscated first-stage downloader used to establish persistent access in victim networks....
    In January 2025, Labs identified a series of Winos 4.0 attacks targeting users in Taiwan. By February, it became evident that the threat actor had transitioned to new malware families and broadened their operations....
    A recent intrusion beginning in August 2025 revealed China-nexus threat actors using a technique called log poisoning to deploy a China Chopper web shell on vulnerable web servers. The attackers used AntSword for control and introduced a lesser-known tool, Nezha, to run commands and later deploy Ghost RAT. This marks the first known use of Nezha in web compromises....
    UAT-7237 is a Chinese-speaking APT group active since at least 2022, with strong links to UAT-5918. It recently targeted web infrastructure entities in Taiwan, using heavily customized open-source tools to evade detection and maintain long-term persistence in high-value environments....
    Gunra ransomware’s Linux variant significantly expands the group’s attack surface, reflecting its intention to move beyond its initial targets. This variant includes key features such as the ability to execute up to 100 encryption threads simultaneously and perform partial encryption....
    Between March and June 2025, multiple China-aligned threat actors intensified cyber espionage efforts against Taiwan’s semiconductor industry. Groups such as UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp launched phishing campaigns delivering tools like Cobalt Strike, the Voldemort backdoor, and AiTM phishing kits....
    In early 2025, a threat group launched a targeted malware campaign against users in Taiwan, distributing the Winos 4.0 malware via phishing emails disguised as official messages from Taiwan's National Taxation Bureau. By March 2025, the campaign expanded to include links reused from previous attacks....
    Earth Ammit, a threat actor linked to Chinese-speaking APT groups, conducted two coordinated cyberespionage campaigns—VENOM and TIDRONE—between 2023 and 2024, targeting organizations in Taiwan and South Korea....