Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting

    Date: 07/17/2025

    Severity: Medium

    Summary

    Between March and June 2025, multiple China-aligned threat actors intensified cyber espionage efforts against Taiwan’s semiconductor industry. Groups such as UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp launched phishing campaigns delivering tools like Cobalt Strike, the Voldemort backdoor, and AiTM phishing kits. These attacks align with China’s strategic focus on semiconductor self-reliance, targeting not only manufacturers but also investment analysts and broader supply chain entities.

    Indicators of Compromise (IOC) List  


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 : 

    domainname like "moctw.info" or siteurl like "moctw.info" or url like "moctw.info" or domainname like "https://api.moctw.info/Document-2025.4.25.pdf" or siteurl like "https://api.moctw.info/Document-2025.4.25.pdf" or url like "https://api.moctw.info/Document-2025.4.25.pdf" or domainname like "https://api.moctw.info/Install.zip" or siteurl like "https://api.moctw.info/Install.zip" or url like "https://api.moctw.info/Install.zip" or domainname like "accshieldportal.com" or siteurl like "accshieldportal.com" or url like "accshieldportal.com" or domainname like "ema.moctw.info" or siteurl like "ema.moctw.info" or url like "ema.moctw.info" or domainname like "www.twmoc.info" or siteurl like "www.twmoc.info" or url like "www.twmoc.info" or domainname like "acesportal.com" or siteurl like "acesportal.com" or url like "acesportal.com" or domainname like "https://sheets.googleapis.com:443/v4/spreadsheets/1z8ykHVYh9DF-b_BFDA9c4Q2ojfrgl-fq1v797Y5576Y" or siteurl like "https://sheets.googleapis.com:443/v4/spreadsheets/1z8ykHVYh9DF-b_BFDA9c4Q2ojfrgl-fq1v797Y5576Y" or url like "https://sheets.googleapis.com:443/v4/spreadsheets/1z8ykHVYh9DF-b_BFDA9c4Q2ojfrgl-fq1v797Y5576Y" or domainname like "https://sheets.googleapis.com:443/v4/spreadsheets/14H0Gm6xgc2p3gpIB5saDyzSDqpVMKGBKIdkVGh2y1bo" or siteurl like "https://sheets.googleapis.com:443/v4/spreadsheets/14H0Gm6xgc2p3gpIB5saDyzSDqpVMKGBKIdkVGh2y1bo" or url like "https://sheets.googleapis.com:443/v4/spreadsheets/14H0Gm6xgc2p3gpIB5saDyzSDqpVMKGBKIdkVGh2y1bo" or domainname like "https://3008.filemail.com/api/file/get?filekey=DeHjMusPPgDt5EsWxOcgYCfRh5yI6MIIg7vvwn9yFEzh93Cts5UxrfXMYEPiMWffVCp36UCsVgYSlC47WGdjHZ7m9bAw0QWcgqQZcg&pk_vid=007318ac7ca53d8717482475404ed5a2" or siteurl like "https://3008.filemail.com/api/file/get?filekey=DeHjMusPPgDt5EsWxOcgYCfRh5yI6MIIg7vvwn9yFEzh93Cts5UxrfXMYEPiMWffVCp36UCsVgYSlC47WGdjHZ7m9bAw0QWcgqQZcg&pk_vid=007318ac7ca53d8717482475404ed5a2" or url like "https://3008.filemail.com/api/file/get?filekey=DeHjMusPPgDt5EsWxOcgYCfRh5yI6MIIg7vvwn9yFEzh93Cts5UxrfXMYEPiMWffVCp36UCsVgYSlC47WGdjHZ7m9bAw0QWcgqQZcg&pk_vid=007318ac7ca53d8717482475404ed5a2" or domainname like "https://api.moctw.info/Intro.pdf" or siteurl like "https://api.moctw.info/Intro.pdf" or url like "https://api.moctw.info/Intro.pdf" or domainname like "https://brilliant-bubblegum-137cfe.netlify.app/files/Introduction%20Document.zip" or siteurl like "https://brilliant-bubblegum-137cfe.netlify.app/files/Introduction%20Document.zip" or url like "https://brilliant-bubblegum-137cfe.netlify.app/files/Introduction%20Document.zip" or domainname like "https://ttot.accshieldportal.com/v3/ls/click/?c=b5c64761" or siteurl like "https://ttot.accshieldportal.com/v3/ls/click/?c=b5c64761" or url like "https://ttot.accshieldportal.com/v3/ls/click/?c=b5c64761" or domainname like "https://aqrm.accshieldportal.com/v2/account/validate/?vid=35f46f46" or siteurl like "https://aqrm.accshieldportal.com/v2/account/validate/?vid=35f46f46" or url like "https://aqrm.accshieldportal.com/v2/account/validate/?vid=35f46f46" or domainname like "https://acesportal.com/T/bfzWhb" or siteurl like "https://acesportal.com/T/bfzWhb" or url like "https://acesportal.com/T/bfzWhb" or domainname like "https://acesportal.com/T/KRfzAH" or siteurl like "https://acesportal.com/T/KRfzAH" or url like "https://acesportal.com/T/KRfzAH"

    Detection Query 2 : 

    dstipaddress IN ("166.88.61.35","80.85.156.234","82.118.16.72","45.141.139.222","80.85.156.237","80.85.154.48") or srcipaddress IN ("166.88.61.35","80.85.156.234","82.118.16.72","45.141.139.222","80.85.156.237","80.85.154.48")

    Detection Query 3 : 

    sha256hash IN ("7bffd21315e324ef7d6c4401d1bf955817370b65ae57736b20ced2c5c08b9814","d3a71c6b7f4be856e0cd66b7c67ca0c8eef250bc737a648032d9d67c2c37d911","1016ba708fb21385b12183b3430b64df10a8a1af8355b27dd523d99ca878ffbb","366d7de8a941daa6a303dc3e39af60b2ffacaa61d5c1fb84dd1595a636439737","ffd69146c5b02305ac74c514cab28d5211a473a6c28d7366732fdc4797425288","ec5fef700d1ed06285af1f2d01fa3db5ea924de3c2da2f0e6b7a534f69d8409c","d51c195b698c411353b10d5b1795cbc06040b663318e220a2d121727c0bb4e43","9b2cbcf2e0124d79130c4049f7b502246510ab681a3a84224b78613ef322bc79","1a2530010ecb11f0ce562c0db0380416a10106e924335258ccbba0071a19c852","084b92365a25e6cd5fc43efe522e5678a2f1e307bf69dd9a61eb37f81f304cc6","85e4809e80e20d9a532267b22d7f898009e74ed0dbf7093bfa9a8d2d5403f3f9","338f072cc1e08f1ed094d88aa398472e3f04a8841be2ff70f1c7a2e4476d8ef7","13fad7c6d0accb9e0211a7b26849cf96c333cf6dfa21b40b65a7582b79110e4b","d783c40c0e15b73b62f28d611f7990793b7e5ba2436e203000a22161e0a00d0e","bab8618bc6fc3fdfa7870b5fe0f52b570fabf0243d066f410a7e76ebeed0088c","0d992762c69d624a1f14a8a230f8a7d36d190b49e787fd146e9010e943c5ef78","82ecfe0ada6f7c0cea78bca2e8234241f1a1b8670b5b970df5e2ee255c3a56ef","cd009ea4c682b61963210cee16ed663eee20c91dd56483d456e03726e09c89a7","bbdad59db64c48f0a9eb3e8f2600314b0e3ebd200e72fa96bf5a84dd29d64ac5","fc8f7185a90af4bf44332e85872aa7c190949e3ec70055a38af57690b6604e3c","4ee77f1261bb3ad1d9d7114474a8809929f4a0e7f9672b19048e1b6ac7acb15c")

    Detection Query 4 :

    sender IN ("amelia_w_chavez@proton.me","lisan_0818@outlook.com","john.doe89e@gmail.com","menglunwuluegg226@proton.me","lonelyboymaoxcz231@proton.me") or recipients IN ("amelia_w_chavez@proton.me","lisan_0818@outlook.com","john.doe89e@gmail.com","menglunwuluegg226@proton.me","lonelyboymaoxcz231@proton.me")
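    As an added example, not part of the advisory and not Gurucul's query language, the same indicator types are applied to parsed log events in Python with one matching rule per type: domain IOCs match the host and any of its subdomains, URL IOCs match exactly, IPs and SHA-256 hashes by set membership, and sender addresses exactly (the advisory lists addresses only, so no provider-domain match). Indicator values are taken from this advisory; the events below are constructed samples.

```python
from urllib.parse import urlsplit

# Indicator values from the advisory (a subset); events below are constructed.
DOMAINS = {"moctw.info", "www.twmoc.info", "accshieldportal.com", "acesportal.com"}
URLS = {"https://api.moctw.info/Install.zip", "https://acesportal.com/T/bfzWhb"}
IPS = {"166.88.61.35", "80.85.156.234"}
HASHES = {"7bffd21315e324ef7d6c4401d1bf955817370b65ae57736b20ced2c5c08b9814"}
SENDERS = {"amelia_w_chavez@proton.me", "lisan_0818@outlook.com"}


def host_matches(host, domains):
    """True if host equals an IOC domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def match_event(event):
    """Return the sorted list of indicator types the event hits."""
    hits = set()
    url = event.get("url")
    if url:
        if url in URLS:                                  # exact URL IOC
            hits.add("url")
        if host_matches(urlsplit(url).hostname, DOMAINS):  # domain IOC on URL host
            hits.add("domain")
    if host_matches(event.get("domainname"), DOMAINS):   # domain IOC on DNS field
        hits.add("domain")
    for field in ("srcipaddress", "dstipaddress"):
        if event.get(field) in IPS:
            hits.add(field)
    if (event.get("sha256hash") or "").lower() in HASHES:
        hits.add("sha256hash")
    # Only full addresses are indicators; matching proton.me/outlook.com/gmail.com
    # as sender domains would flag ordinary mail, so no domain-level rule here.
    if (event.get("sender") or "").lower() in SENDERS:
        hits.add("sender")
    return sorted(hits)


def scan(events):
    """Map each event id to its hits, keeping only events with at least one."""
    return {e["id"]: match_event(e) for e in events if match_event(e)}


if __name__ == "__main__":
    sample = [  # constructed log events, not from the advisory
        {"id": 1, "url": "https://ema.moctw.info/login"},
        {"id": 2, "url": "https://api.moctw.info/Install.zip"},
        {"id": 3, "sender": "someone@proton.me", "domainname": "notmoctw.info"},
        {"id": 4, "dstipaddress": "166.88.61.35"},
    ]
    print(scan(sample))
```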

    Reference:

    https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting


    Tags

    Malware, Threat Actor, China, Cyber Espionage, Taiwan, Cobalt Strike, Voldemort, Backdoor, AiTM phishing kits, Phishing, UNK_FistBump, UNK_DropPitch, UNK_SparkyCarp
