In a sophisticated and long-running cyber espionage campaign, a Chinese-aligned threat actor has been found to have hijacked an abandoned update server for the Sogou Zhuyin input method editor (IME), using it as a vector to infect users primarily in Taiwan with multiple forms of malware. The operation, which has been active since at least late 2024, highlights a growing trend of attackers leveraging end-of-life software to bypass traditional security measures and conduct covert intelligence gathering.
The Sogou Zhuyin IME, a popular tool for traditional Chinese users, was officially discontinued in 2019. However, cybersecurity researchers discovered that a threat actor had registered the lapsed domain name, sogouzhuyin[.]com, and weaponized it to distribute malicious updates. The attack chain begins when an unsuspecting user downloads the official, and seemingly harmless, Sogou Zhuyin installer from a compromised third-party site, such as a modified Wikipedia page. A few hours after installation, the software’s automatic update process is triggered, fetching a malicious payload from the attacker-controlled server.
This method allowed the attackers to deploy several distinct malware families, including GTELAM, C6DOOR, DESFY, and TOSHIS. These malware strains have different purposes, from providing remote access and backdoor functionality to stealing sensitive information from infected systems. The campaign, which researchers have codenamed TAOTH, appears to be in a reconnaissance phase, with the attackers seeking to identify and profile high-value targets. This indicates a focus on espionage rather than broad-scale financial crime.
According to telemetry data, several hundred victims have been impacted, with a significant concentration in Taiwan. The targeting appears to be focused on dissidents, journalists, researchers, and technology or business leaders. The use of an unmaintained but legitimate software’s update mechanism demonstrates a new level of ingenuity in supply chain attacks, making it difficult for users to detect the compromise. This incident is a stark reminder for both individuals and organizations to exercise extreme caution with unsupported software and to maintain rigorous security practices, including proactive patching and log monitoring.
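The log monitoring the article recommends can be made concrete. The following is an added example, not code from the researchers or the article: it scans constructed proxy log lines for hosts that contact the re-registered update domain named above and reports how many hours after an installer download the first contact occurred. The log format, host names, paths and the watchlist beyond sogouzhuyin.com are assumptions.

```python
import re
from datetime import datetime

# Domains whose registration lapsed and were later re-registered by an attacker.
# sogouzhuyin.com is the one named in the campaign; the defender maintains the
# rest of this watchlist (assumption).
LAPSED_UPDATE_DOMAINS = {"sogouzhuyin.com"}

# Constructed proxy log lines (not real telemetry). Fields are space separated:
# ISO timestamp, client host, destination host, request path.
SAMPLE_PROXY_LOG = """\
2024-12-03T09:12:44 ws-17 dl.example-mirror.test /ZhuyinInstall.exe
2024-12-03T13:40:10 ws-17 sogouzhuyin.com /update/check
2024-12-03T13:40:12 ws-17 sogouzhuyin.com /update/payload.bin
2024-12-03T14:02:51 ws-22 www.example.test /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_proxy_log(text):
    """Yield (timestamp, client, dest_host, path) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower(), m.group(4)

def find_update_beacons(log_text, watchlist=LAPSED_UPDATE_DOMAINS):
    """Return {client: [(iso_timestamp, host, path), ...]} for every request to a
    watch-listed domain or any of its subdomains (update.sogouzhuyin.com also hits)."""
    hits = {}
    for ts, client, host, path in parse_proxy_log(log_text):
        if any(host == bad or host.endswith("." + bad) for bad in watchlist):
            hits.setdefault(client, []).append((ts.isoformat(), host, path))
    return hits

def hours_from_install(log_text, watchlist=LAPSED_UPDATE_DOMAINS):
    """For each flagged client, hours between its first .exe download and its first
    contact with a watch-listed domain (None when no installer download was seen).
    A delay of a few hours matches the update-triggered fetch described above."""
    installs = {}
    for ts, client, host, path in parse_proxy_log(log_text):
        if path.lower().endswith(".exe") and client not in installs:
            installs[client] = ts
    result = {}
    for client, reqs in find_update_beacons(log_text, watchlist).items():
        first = datetime.fromisoformat(reqs[0][0])
        inst = installs.get(client)
        result[client] = None if inst is None else (first - inst).total_seconds() / 3600
    return result
```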