4 Chinese APTs Attack Taiwan's Semiconductor Industry - Dark Reading
Chinese threat actors have turned to cyberattacks as a way to undermine and destabilize Taiwan's most important industrial sector.
Nate Nelson, Contributing Writer
July 17, 2025
New Chinese threat actors have been trying to use phishing as a means of breaching Taiwan's famed semiconductor industry.
Taiwan's semiconductor industry is one of the most geopolitically significant on the planet. Far beyond just earning income, it is a unique and presently irreplaceable supply chain cog to various global technologies. That makes Taiwan's prosperity — and by extension, the Chinese Communist Party's (CCP) aims to take over the island — of critical importance to countries besides itself, most notably the US.
More than ever before, China is now using cyberattacks as a weapon to undermine Taiwan's semiconductors and, by extension, Taiwan's national defense. Proofpoint researchers have identified three as yet unclassified advanced persistent threats (APT) targeting its chip industry in only the past few months, in addition to a fourth spotted late last year.
"Some of them are a little bit more novice, but we do see them develop over time," notes Proofpoint staff threat researcher Mark Kelly. Others, he says, have more specialized, custom capabilities.
Four Previously Undocumented APTs
In May and June, Taiwanese companies involved in semiconductor manufacturing, packaging, testing, and supply chain organizations received an email from a "graduate student." Using a Taiwanese university email address, the student was reaching out to recruitment and human resources (HR) personnel to ask for a job.
The emails contained either a PDF or a password-protected archive. Early on, the files concealed Cobalt Strike, then graduated to carry the Voldemort backdoor. Voldemort is a custom tool characterized by its odd way of using Google Sheets for command and control (C2). Though in the past it has only been used by APT41 (aka TA415, Double Dragon, Brass Typhoon), Proofpoint tracks this latest threat cluster as distinct from APT41, temporarily referring to it as "UNK_FistBump."
While UNK_FistBump was playing the role of grad student, in April and May, a threat actor referred to as "UNK_DropPitch" was masquerading as an imaginary investment firm. These attacks — which dropped a simple, custom backdoor called "HealthKick" — were aimed not at semiconductor companies themselves but at large investment banks.
The motive behind the emails wasn't financial. Instead, they targeted individuals involved in investment analysis for the semiconductor and broader technology sectors. Kelly hypothesizes, "It's possible they're interested in newly emerging information around this market — what particular companies are doing, if they have particularly interesting or new product lines, or new kinds of businesses that may change the landscape of competition within the global semiconductor supply chain."
Before either FistBump or DropPitch, in March, "UNK_SparkyCarp" was sending out emails masked as Microsoft account login security notices. It was the second time they'd targeted Taiwan's semiconductor industry, after a previous run in November 2024.
Additionally, in October 2024, a fourth threat group called "UNK_ColtCentury" was sending cold emails to legal personnel at Taiwanese semiconductor organizations. Proofpoint estimates that those emails would have led to SparkRAT backdoor infections.
Semiconductor Attacks Rev Up
It's generally believed that Chinese APTs have been targeting Taiwan's semiconductor industry for some time now. But actual evidence has been lacking. For years, Kelly had only seen it sporadically, "over the past five years, maybe kind of once or twice a year. Even then, we might see maybe one organization targeted."
In comparison, he says, "the volume has been a lot higher this year, for sure."
Exactly what might have precipitated this shift is unclear, but plenty has been happening in the industry lately that might have sparked extra interest. Earlier this year, the Trump administration was considering tariffs on foreign semiconductors. Meanwhile, Taiwan's government has been taking steps to limit its business ties with China and investigating Chinese tech companies for allegedly illegally poaching employees of Taiwanese companies.
"It's definitely interesting to us to see the increase [in cyberattacks] that we have seen," Kelly says. "But I don't think we have a clear-cut answer as to why now."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.