TAOTH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents

    Date: 08/29/2025

    Severity: High

    Summary

    The TAOTH campaign exploited an abandoned Sogou Zhuyin IME update server and spear-phishing to deliver malware like TOSHIS, C6DOOR, DESFY, and GTELAM. Targeting users across Eastern Asia—especially Traditional Chinese speakers—it focused on high-value individuals such as dissidents, journalists, and tech leaders. Attackers used hijacked updates and fake login pages for espionage, with infrastructure linking the campaign to a persistent threat group known for reconnaissance and email abuse.

    Indicators of Compromise (IOC) List

    URL/Domain


    IP Address

    45.32.117.177

    64.176.50.181

    154.90.62.210

    38.60.203.134

    192.124.176.51

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 : 

    domainname like "https://nagoyais.com/upload/Sign/tgserver.php" or siteurl like "https://nagoyais.com/upload/Sign/tgserver.php" or url like "https://nagoyais.com/upload/Sign/tgserver.php" or domainname like "srv-pc.sogouzhuyin.com" or siteurl like "srv-pc.sogouzhuyin.com" or url like "srv-pc.sogouzhuyin.com" or domainname like "dl.sogouzhuyin.com" or siteurl like "dl.sogouzhuyin.com" or url like "dl.sogouzhuyin.com" or domainname like "https://nagoyais.com/upload/Sign/birthday1.php" or siteurl like "https://nagoyais.com/upload/Sign/birthday1.php" or url like "https://nagoyais.com/upload/Sign/birthday1.php" or domainname like "https://nagoyais.com/upload/Sign/save_email.php" or siteurl like "https://nagoyais.com/upload/Sign/save_email.php" or url like "https://nagoyais.com/upload/Sign/save_email.php" or domainname like "https://nagoyais.com/upload/Sign/ufolder/qh_notice.php" or siteurl like "https://nagoyais.com/upload/Sign/ufolder/qh_notice.php" or url like "https://nagoyais.com/upload/Sign/ufolder/qh_notice.php" or domainname like "https://nagoyais.com/upload/address.php" or siteurl like "https://nagoyais.com/upload/address.php" or url like "https://nagoyais.com/upload/address.php" or domainname like "https://nagoyais.com/upload/Sign/ufolder/download_notice.php" or siteurl like "https://nagoyais.com/upload/Sign/ufolder/download_notice.php" or url like "https://nagoyais.com/upload/Sign/ufolder/download_notice.php" or domainname like "https://nagoyais.com/upload/Sign/birthday2.php" or siteurl like "https://nagoyais.com/upload/Sign/birthday2.php" or url like "https://nagoyais.com/upload/Sign/birthday2.php" or domainname like "practicalpublishing.s3.dualstack.us-east-1.amazonaws.com" or siteurl like "practicalpublishing.s3.dualstack.us-east-1.amazonaws.com" or url like "practicalpublishing.s3.dualstack.us-east-1.amazonaws.com" or domainname like "https://nagoyais.com/upload/Sign/tgserver1.php" or siteurl like "https://nagoyais.com/upload/Sign/tgserver1.php" or url like "https://nagoyais.com/upload/Sign/tgserver1.php"

    Detection Query 2 :

    domainname like "auth.onedrive365-jp.com" or siteurl like "auth.onedrive365-jp.com" or url like "auth.onedrive365-jp.com" or domainname like "https://nagoyais.com/upload/Sign/ufolder/tgdown_notice.php" or siteurl like "https://nagoyais.com/upload/Sign/ufolder/tgdown_notice.php" or url like "https://nagoyais.com/upload/Sign/ufolder/tgdown_notice.php" or domainname like "https://nagoyais.com/upload/Sign/server3.php" or siteurl like "https://nagoyais.com/upload/Sign/server3.php" or url like "https://nagoyais.com/upload/Sign/server3.php" or domainname like "https://nagoyais.com/upload/Sign/ufolder/yupoki_notice.php" or siteurl like "https://nagoyais.com/upload/Sign/ufolder/yupoki_notice.php" or url like "https://nagoyais.com/upload/Sign/ufolder/yupoki_notice.php" or domainname like "https://nagoyais.com/upload/Sign/server2.php" or siteurl like "https://nagoyais.com/upload/Sign/server2.php" or url like "https://nagoyais.com/upload/Sign/server2.php" or domainname like "https://nagoyais.com/upload/Sign/hotmail/notic.php" or siteurl like "https://nagoyais.com/upload/Sign/hotmail/notic.php" or url like "https://nagoyais.com/upload/Sign/hotmail/notic.php" or domainname like "https://nagoyais.com/upload/Sign/ufolder/signal.php" or siteurl like "https://nagoyais.com/upload/Sign/ufolder/signal.php" or url like "https://nagoyais.com/upload/Sign/ufolder/signal.php" or domainname like "https://nagoyais.com/upload/Sign/ufolder/vc_notice.php" or siteurl like "https://nagoyais.com/upload/Sign/ufolder/vc_notice.php" or url like "https://nagoyais.com/upload/Sign/ufolder/vc_notice.php" or domainname like "https://nagoyais.com/upload/Sign/ufolder/gmail.php" or siteurl like "https://nagoyais.com/upload/Sign/ufolder/gmail.php" or url like "https://nagoyais.com/upload/Sign/ufolder/gmail.php" or domainname like "https://nagoyais.com/upload/Sign/server1.php" or siteurl like "https://nagoyais.com/upload/Sign/server1.php" or url like "https://nagoyais.com/upload/Sign/server1.php" or domainname like "https://nagoyais.com/upload/Sign/hotmail/hotemail.php" or siteurl like "https://nagoyais.com/upload/Sign/hotmail/hotemail.php" or url like "https://nagoyais.com/upload/Sign/hotmail/hotemail.php" or domainname like "www.auth-web.com" or siteurl like "www.auth-web.com" or url like "www.auth-web.com" or domainname like "www.sogouzhuyin.com" or siteurl like "www.sogouzhuyin.com" or url like "www.sogouzhuyin.com" or domainname like "https://nagoyais.com/upload/Sign/notic.php" or siteurl like "https://nagoyais.com/upload/Sign/notic.php" or url like "https://nagoyais.com/upload/Sign/notic.php"

    Detection Query 3 :

    dstipaddress IN ("45.32.117.177","64.176.50.181","154.90.62.210","38.60.203.134","192.124.176.51") or srcipaddress IN ("45.32.117.177","64.176.50.181","154.90.62.210","38.60.203.134","192.124.176.51")

    Detection Query 4 :

    sha256hash IN ("f8845b4957fdad691e2826aeb770103345e80375a67cc13772c48ca02e1812fc","a53c96108d171392a29f221614086d8311e25af521c6b4da3e4af019370164cf","3bdac367a7aeab050b8b57c4303110d4db043b939a8f721f3052416c1c3b9fdc","4c172211a462cc6e95d9537ecd917ca7c456512006474b4105c1342f0b138dfe","0685dbb345160fcbcad33548cb3c747a46f3a11c6a243ab445fd20a71f4b3de7","90a9be7cf4b7a1786697d5adfff781d9b6ed8db06da33ebef9438dee5a181106","79ce1bb062f6dcdaf01cc33125f68dc2d030da2390255c4fb39d362a22032da1","587e1fa9d32f2a7134c158d965a32751b58ce5ad3a07533436472105be46a481","0384733cfcdd32b008642391da7e439c390e7ce8d16e6d9d3bdcbc720b330b84","c9e539a64275814e198db6830939f0d6c335574f7016696d3ee1cae42b97f838","c36c2657a9a5fa31227631c440450ec42a8c5b274cc4bfd9a500e92ab357b736","c88d5256d85024ffd628becc631df5deab6a1daf16d8fab24d2366aaa3fd7fc5","0abf0972d8a7e87c4749e142009c1bb7e826055c3bc8d742055cf209a11ee540","99eee95b1d5d16ea7f8d515d2333221a2308eb41640978617c6477928d0a5d75","484c886221136ce94a8ca3ea78980f434f3fcddeaf54beaa873cf285009e337a","33c137aca85d7026e143c6da3eddb15825bf174dd788e02169b6bac4f7cb9de0","1774066df2121e28a6c71b41bbec1804384d7b3106f3d49b8c3eb6d45d081cf5")
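    The four queries above compare raw domainname, siteurl and url fields against both bare hosts and full URLs with "like", so whether a given log source matches depends on how each field is populated (a host-only field will never contain "https://..."). The Python below is an added example, not Gurucul's query language or code from the Trend Micro report: it normalises each record (case, scheme, host and path) before comparing it with a subset of the page's indicators; the log lines and field names are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicator subset copied from Detection Queries 1-4 above.
IOC_HOSTS = {"www.sogouzhuyin.com", "dl.sogouzhuyin.com", "srv-pc.sogouzhuyin.com",
             "www.auth-web.com", "auth.onedrive365-jp.com"}
IOC_URLS = {"https://nagoyais.com/upload/Sign/tgserver.php",
            "https://nagoyais.com/upload/Sign/save_email.php"}
IOC_IPS = {"45.32.117.177", "64.176.50.181", "154.90.62.210", "38.60.203.134", "192.124.176.51"}
IOC_SHA256 = {"f8845b4957fdad691e2826aeb770103345e80375a67cc13772c48ca02e1812fc"}
# Full-URL indicators are keyed on (host, path); query strings are ignored on purpose.
IOC_URL_KEYS = {(urlsplit(u).hostname, urlsplit(u).path) for u in IOC_URLS}

# Constructed proxy/EDR key=value log lines (not real telemetry).
SAMPLE_LOGS = [
    "ts=2025-08-29T10:00:01Z src_ip=10.0.0.12 dst_ip=45.32.117.177 url=http://dl.sogouzhuyin.com/update/check",
    "ts=2025-08-29T10:00:05Z src_ip=10.0.0.13 dst_ip=93.184.216.34 url=https://example.com/index.html",
    "ts=2025-08-29T10:01:09Z src_ip=10.0.0.14 dst_ip=203.0.113.7 url=HTTPS://NAGOYAIS.COM/upload/Sign/save_email.php?u=1",
    "ts=2025-08-29T10:02:00Z host=WS-01 sha256=F8845B4957FDAD691E2826AEB770103345E80375A67CC13772C48CA02E1812FC",
]

def parse_kv(line):
    """Split a key=value line into a dict (values contain no whitespace)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def match_record(rec):
    """Return the indicator hits for one record, after normalising case, scheme,
    host and path so a bare domain and a full URL are both comparable."""
    hits = []
    url = rec.get("url")
    if url:
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").lower()
        if host in IOC_HOSTS:
            hits.append("host:" + host)
        if (host, parts.path) in IOC_URL_KEYS:
            hits.append("url:" + host + parts.path)
    for key in ("src_ip", "dst_ip"):
        if rec.get(key) in IOC_IPS:
            hits.append("ip:" + rec[key])
    digest = rec.get("sha256", "").lower()
    if digest in IOC_SHA256:
        hits.append("sha256:" + digest[:12])
    return hits

def scan(lines):
    """(timestamp, hits) for every line that matches at least one indicator."""
    recs = [parse_kv(line) for line in lines]
    return [(r.get("ts"), match_record(r)) for r in recs if match_record(r)]
```

    Extending IOC_HOSTS, IOC_URLS, IOC_IPS and IOC_SHA256 with the remaining values from the queries is a copy of the page's lists; the normalisation is what the SIEM queries leave to the log source.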

    Reference:

    https://www.trendmicro.com/en_us/research/25/h/taoth-campaign.html


    Tags: Malware, Threat Actor, TAOTH, TOSHIS, C6DOOR, DESFY, GTELAM, Eastern Asia, Exploit, China
