TAOTH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents

Key takeaways
- The TAOTH campaign leveraged an abandoned Sogou Zhuyin IME update server and spear-phishing operations to deliver multiple malware families—including TOSHIS, C6DOOR, DESFY, and GTELAM—primarily targeting users across Eastern Asia.
- Attackers employed sophisticated infection chains, such as hijacked software updates and fake cloud storage or login pages, to distribute malware and collect sensitive information.
- The campaign’s victimology and decoy documents reveal a focus on high-value targets, including dissidents, journalists, researchers, and technology/business leaders in China, Taiwan, Hong Kong, Japan, South Korea, and overseas Taiwanese communities.
- Infrastructure and tool analysis link TAOTH to previously documented threat activity, showing shared C&C infrastructure, malware variants, and tactics indicative of a single, persistent attacker group with a focus on reconnaissance, espionage, and email abuse.
- Trend Vision One™ detects and blocks the indicators of compromise (IOCs) outlined in this blog, and provides customers with tailored hunting queries, threat insights, and intelligence updates.
Introduction
In June, we identified and investigated an unusual security incident involving the installation of two malware families, C6DOOR and GTELAM, on a victim’s host. Our investigation determined that the malware was delivered through legitimate input method editor (IME) software, Sogou Zhuyin. As a brief explanation, an IME is a tool that interprets sequences of keystrokes into complex characters for languages not suited to a standard QWERTY keyboard (such as many East Asian languages).
The software had stopped receiving updates in 2019; in October 2024 attackers took over the lapsed domain name and used it to distribute malicious payloads. Telemetry data indicates that at least several hundred victims were affected, with infections leading to additional post-exploitation activities.
Through infrastructure tracking, we observed that the same threat actor is also targeting high-value individuals primarily located in Eastern Asia. In this article, in addition to the attacks abusing Sogou Zhuyin, we will also examine a related spear-phishing campaign targeting Japan, Korea, China, and Taiwan.
Operation 1: Sogou Zhuyin
Sogou Zhuyin is IME software developed by a Chinese technology company named Sogou. Sogou provides two IMEs for different phonetic systems: Sogou Pinyin and Sogou Zhuyin (Zhuyin, also known as Bopomofo, is the main phonetic system for Mandarin Chinese in Taiwan). Sogou Zhuyin was originally released for users in Taiwan but has not been maintained since 2019.
Our analysis shows that the attacker registered the abandoned update server's domain and has used it to host malicious updates since October 2024. Through this channel, multiple malware families have been deployed, including GTELAM, C6DOOR, DESFY, and TOSHIS.
Infection chain
According to an archived version of its Wikipedia page, the Sogou Zhuyin service was terminated and discontinued in June 2019. However, starting in October 2024, the attacker hijacked the abandoned official update domain (sogouzhuyin[.]com) and, by 2025, was distributing the official installer through it. With the update server under attacker control, the Sogou Zhuyin application began delivering malicious updates in November 2024.
Based on our telemetry, the threat actor deployed four distinct malware families in this operation: TOSHIS, DESFY, GTELAM, and C6DOOR. The deployed malware families serve different purposes, including remote access (RAT), information theft, and backdoor functionality. To evade detection, the threat actors also leveraged third-party cloud services to conceal their network activities across the attack chain.
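The technique described above (a product's update domain lapsing after end of support and being re-registered by an attacker) can be surfaced from ordinary proxy logs. The following is an added example written for this article, not code from the Trend Micro report or from Sogou: it cross-references update traffic against an inventory of products with their end-of-support dates and a table of domain registration dates, and flags any update domain that was registered after the product stopped being supported. The log lines, the `PRODUCTS` inventory, the `ExampleEditor.exe` product and the exact registration/end-of-support days are constructed for the example (the write-up only gives "June 2019" and "October 2024"); in practice the registration dates would come from an RDAP/WHOIS feed and the inventory from software asset management.

```python
"""Flag software-update traffic to domains registered after the product's end of support.

Added example modelling the TAOTH Sogou Zhuyin technique from the defender's
side. All inputs below are constructed stand-ins for a proxy log, a software
inventory and a WHOIS/RDAP lookup.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Constructed proxy-log lines: timestamp, client IP, process name, URL.
SAMPLE_LOG = """\
2025-03-02T09:14:11Z 10.0.0.21 SogouZhuyin.exe http://update.sogouzhuyin.com/update/manifest.xml
2025-03-02T09:14:12Z 10.0.0.21 SogouZhuyin.exe http://update.sogouzhuyin.com/update/pkg.zip
2025-03-02T09:20:05Z 10.0.0.33 chrome.exe https://www.example.org/index.html
2025-03-02T09:21:40Z 10.0.0.40 ExampleEditor.exe https://update.example-editor.test/check
"""

# Constructed inventory: process name -> (update domain, end-of-support date).
# Sogou Zhuyin's discontinuation in June 2019 is from the write-up (day is assumed);
# ExampleEditor.exe is a hypothetical, still-supported product (None = supported).
PRODUCTS: dict[str, tuple[str, date | None]] = {
    "SogouZhuyin.exe": ("sogouzhuyin.com", date(2019, 6, 30)),
    "ExampleEditor.exe": ("example-editor.test", None),
}

# Constructed registration data standing in for RDAP/WHOIS results.
# The October 2024 re-registration of sogouzhuyin.com is from the write-up (day is assumed).
REGISTRATION: dict[str, date] = {
    "sogouzhuyin.com": date(2024, 10, 1),
    "example-editor.test": date(2015, 1, 1),
}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<proc>\S+) (?P<url>\S+)$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client: str
    process: str
    host: str
    product: str
    reason: str


def product_for_host(host: str) -> tuple[str, str, date | None] | None:
    """Map a request host to the inventoried product whose update domain it belongs to."""
    for product, (domain, end_of_support) in PRODUCTS.items():
        if host == domain or host.endswith("." + domain):
            return product, domain, end_of_support
    return None


def find_stale_update_channels(
    log_text: str, registrations: dict[str, date] | None = None
) -> list[Finding]:
    """Return one Finding per log line that fetches updates from a domain
    registered after the owning product's end-of-support date."""
    regs = REGISTRATION if registrations is None else registrations
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        host = urlparse(m["url"]).hostname or ""
        hit = product_for_host(host)
        if hit is None:
            continue  # not an update domain we track
        product, domain, end_of_support = hit
        registered = regs.get(domain)
        if end_of_support is None or registered is None:
            continue  # supported product, or no registration data to compare
        if registered > end_of_support:
            findings.append(Finding(
                timestamp=m["ts"], client=m["client"], process=m["proc"],
                host=host, product=product,
                reason=(f"update domain {domain} registered {registered}, "
                        f"after end of support {end_of_support}"),
            ))
    return findings


if __name__ == "__main__":
    for f in find_stale_update_channels(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client} {f.process} -> {f.host}: {f.reason}")
```

The check deliberately keys on the host rather than the process name, so an updater renamed or re-launched by a dropped payload still matches; the process name is carried along only to speed up triage. A registration date that predates end of support (a vendor that simply kept its domain) produces no finding, which is the case to test when tuning this against your own inventory.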
The full infection chain is as follows: