
UTA0388: AI-Powered Targeted Operations Leveraging GOVERSHELL

Red | Attack Report

China-Aligned Threat Actor UTA0388 Leverages AI for Espionage Against Semiconductor and Finance Sectors

Summary

The China-aligned threat actor UTA0388 (also known as UNK_DropPitch) has integrated Large Language Models (LLMs) such as ChatGPT into its cyber espionage campaigns targeting investment firms, semiconductor companies, and manufacturing sectors across North America, Asia, and Europe.

First observed in March 2025, the group’s operations demonstrate how state-linked actors are weaponizing AI-driven automation to enhance phishing, malware refinement, and campaign scalability. UTA0388 uses multilingual spear-phishing techniques in English, Chinese, and Japanese, employing “rapport-building” tactics to establish trust with victims before delivering malicious archives hosted on legitimate cloud platforms like Netlify and OneDrive.

The campaign ultimately deploys GOVERSHELL, a custom backdoor evolved from the HealthKick malware, through DLL search-order hijacking. The malware provides persistent command-and-control (C2) access for reconnaissance and data exfiltration, underscoring the growing sophistication of AI-enhanced cyber operations.


Attack Details

UTA0388’s operations are characterized by AI-assisted phishing and malware development, significantly improving efficiency and realism in its campaigns.

  • Phishing Methodology: Attackers impersonate legitimate organizations using multilingual correspondence and fabricated personas to establish rapport. Once trust is built, victims receive links to malicious archives (.ZIP or .RAR) hosted on legitimate cloud services such as Netlify, OneDrive, and Sync.com.
  • Infection Chain: Each archive contains a benign-looking executable alongside a malicious DLL. The actor abuses the Windows DLL search order (search-order hijacking): when the legitimate application starts, it resolves a library name to the malicious DLL sitting beside it in the extracted folder and loads it, which installs GOVERSHELL.
  • Malware Capabilities: GOVERSHELL enables remote command execution, data collection, and C2 persistence, supporting long-term espionage against financial and semiconductor targets.
  • AI Integration: The group uses LLMs for generating phishing emails, multilingual lures, and refining malware code, making campaigns both faster and harder to detect.

This convergence of AI-driven tooling and state-sponsored espionage represents a significant shift in how advanced persistent threats (APTs) operationalize automation for global intelligence gathering.


Recommendations

  • Enhance Email Security: Deploy advanced anti-phishing controls, including sandboxing, URL rewriting, and real-time link scanning. Conduct user awareness training for sectors frequently targeted by espionage, such as finance and semiconductors.
  • Implement Strict Access Controls: Enforce least privilege principles, multi-factor authentication (MFA), and network segmentation to prevent lateral movement. Regularly review permissions for privileged accounts.
  • Deploy Endpoint Detection and Response (EDR): Utilize EDR solutions to detect DLL side-loading, anomalous shell activity, and unauthorized remote management tools.
  • Harden Infrastructure: Maintain up-to-date patching, enable detailed logging, and monitor for unusual file deletions, event log tampering, or privilege escalations.
  • Monitor Network Activity: Track outbound traffic for encrypted or abnormal connections to cloud-hosted or foreign domains, using behavioral analytics to detect potential data exfiltration or C2 traffic.
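As an added, constructed example (not from the advisory or Hive Pro), the following Python heuristic triages image-load telemetry in the shape of Sysmon Event ID 7 (ImageLoad) for the side-loading pattern described in the infection chain above and in the EDR recommendation: a non-system executable loading a DLL from its own user-writable directory, where the DLL carries a System32 library name or is unsigned. The field names, the sample paths and the abbreviated system-DLL list are assumptions.

```python
import ntpath

# Constructed records shaped like Sysmon Event ID 7 (ImageLoad) fields; every path is made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\intro\viewer.exe",            # benign-looking EXE from archive
     "ImageLoaded": r"C:\Users\alice\Downloads\intro\version.dll",     # planted DLL beside it
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Windows\System32\notepad.exe",                      # normal System32 resolution
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\x\report.exe",       # signed app unpacked to temp
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\x\report_res.dll",
     "Signed": "true", "Signature": "Vendor Inc"},
]

# Install locations treated as trusted; loads resolved there are out of scope for this heuristic.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed, abbreviated set of library names that normally resolve to System32; a real
# deployment would build it by listing the host's System32 directory instead.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll", "profapi.dll"}


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def sideload_reasons(event):
    """Return the heuristic reasons an ImageLoad looks like side-loading (empty = not suspicious)."""
    image, dll = event["Image"], event["ImageLoaded"]
    if is_trusted_path(dll):
        return []
    reasons = []
    if (not is_trusted_path(image)
            and ntpath.dirname(image).lower() == ntpath.dirname(dll).lower()):
        reasons.append("dll loaded from the executable's own untrusted directory")
    if ntpath.basename(dll).lower() in SYSTEM_DLL_NAMES:
        reasons.append("system dll name resolved outside System32")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("dll is unsigned")
    return reasons


def find_sideload_candidates(events, min_reasons=2):
    """Return (image, dll, reasons) for events that trip at least min_reasons heuristics."""
    hits = []
    for event in events:
        reasons = sideload_reasons(event)
        if len(reasons) >= min_reasons:
            hits.append((event["Image"], event["ImageLoaded"], reasons))
    return hits
```

With the default threshold only the archive-dropped `version.dll` is flagged; the signed application unpacked to Temp trips a single heuristic and is surfaced only when `min_reasons=1`, which is where an analyst would tune the trade-off between noise and coverage.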

Indicators of Compromise (IoCs)


MITRE ATT&CK TTPs

  • TA0001 Initial Access: T1566, T1566.001, T1566.002 (Phishing, Spearphishing Link & Attachment)
  • TA0002 Execution: T1059 (Command and Scripting Interpreter), T1203 (Exploitation for Client Execution)
  • TA0003 Persistence: T1053, T1053.005 (Scheduled Task/Job)
  • TA0005 Defense Evasion: T1027 (Obfuscated Files or Information), T1036 (Masquerading), T1574, T1574.001 (DLL Search Order Hijacking)
  • TA0011 Command and Control: T1071, T1071.001, T1071.004 (Application Layer, Web, and DNS Protocols)
  • TA0040 Impact: T1486 (Data Encrypted for Impact)
  • TA0042 Resource Development: T1588, T1588.007 (Obtain Capabilities, Artificial Intelligence)
  • TA0009 Collection: T1598.003 (Data Staged: Phishing for Information)
