In a cyber espionage campaign, threat actors re-registered the lapsed update domain of the Sogou Zhuyin Input Method Editor (IME) and used it to distribute several malware families, including C6DOOR and GTELAM. The operation primarily targets users in East Asia, with a strong focus on Taiwan.
Background on Sogou Zhuyin IME
Sogou Zhuyin is a Traditional Chinese input method developed by Sogou Inc. and widely used in Taiwan and other regions for typing Chinese characters. The software stopped receiving updates in June 2019, but installed copies kept their automatic update check, and the domain it polled was left dormant until its registration lapsed.
The Hijacking of the Update Server
In October 2024, the attackers registered the lapsed domain sogouzhuyin[.]com, which Sogou Zhuyin had used for software updates. By November 2024 they were serving malicious payloads through this channel, affecting several hundred users.
Malware Deployment and Functionality
The attackers used the hijacked update server to deploy several malware strains, each with a distinct role:
– TOSHIS (Detected December 2024): A loader designed to fetch next-stage payloads, such as Cobalt Strike or Merlin agents, from external servers. It is a variant of Xiangoop, previously linked to the Tropic Trooper group.
– DESFY (Detected May 2025): Spyware that collects filenames from the Desktop and Program Files directories.
– GTELAM (Detected May 2025): Spyware that targets files with specific extensions (e.g., PDF, DOC, XLS) and exfiltrates their details to Google Drive.
– C6DOOR: A custom Go-based backdoor utilizing HTTP and WebSocket protocols for command-and-control communications, enabling remote access and data exfiltration.
Attack Methodology
The infection chain begins when a user downloads the Sogou Zhuyin installer. The installer itself is benign, but in March 2025 the Traditional Chinese Wikipedia article for Sogou Zhuyin was edited to point its download link at dl[.]sogouzhuyin[.]com, a host on the attacker-controlled domain. Hours after installation, the IME's automatic updater fetches its update configuration from srv-pc.sogouzhuyin[.]com/v1/upgrade/version. Because that host is now under attacker control, the tampered configuration points the updater at the malware described above, which it downloads and runs. The updater trusts whatever the configured host returns, so control of the domain alone was enough to push malicious updates to existing installs.
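The weakness in that chain is not the installer but the update check, which accepts any configuration the configured host returns. The following is an added example, not Sogou's code or anything from Trend Micro's report: a toy model of an updater that trusts the host, beside one that only acts on a manifest signed by a vendor key pinned at install time. The hostname srv-pc.sogouzhuyin.com and the /v1/upgrade/ path come from the article; the manifest layout, the package file names, the version numbers and the signing key are constructed for illustration.

```python
"""Toy model of the update flow described above: an updater that trusts whatever
srv-pc.sogouzhuyin.com/v1/upgrade/version returns, beside one that only acts on a
manifest signed by a vendor key pinned at install time.  Added example, not
Sogou's code; manifest layout, signing key and package paths are constructed."""
import hashlib
import json
from typing import Optional

# --- toy vendor key (ASSUMPTION: demo parameters only) ----------------------
# Two published Mersenne primes give a deterministic textbook-RSA key so the
# example runs offline.  It is NOT a usable key: its factors are public and
# textbook RSA has no padding.  A real updater would ship an Ed25519 or
# RSA-PSS public key from a vetted library; the design point is only that the
# client pins the public half and the private half never leaves the vendor.
_P = (1 << 521) - 1
_Q = (1 << 607) - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
VENDOR_PUBLIC_KEY = (_N, _E)      # baked into the installer


def canonical(manifest: dict) -> bytes:
    """Canonical JSON, so key order or whitespace changes cannot bypass the check."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def _digest_int(manifest: dict) -> int:
    return int.from_bytes(hashlib.sha256(canonical(manifest)).digest(), "big")


def sign_manifest(manifest: dict) -> str:
    """Vendor-side: done at release time, with the private key kept offline."""
    return format(pow(_digest_int(manifest), _D, _N), "x")


def verify_manifest(manifest: dict, signature: str, pubkey=VENDOR_PUBLIC_KEY) -> bool:
    n, e = pubkey
    try:
        return pow(int(signature, 16), e, n) == _digest_int(manifest)
    except ValueError:          # signature is not hex at all
        return False


# --- constructed responses from the update endpoint ---------------------------
INSTALLED_VERSION = "2.3.0"

# Last legitimate manifest, signed before the vendor stopped maintaining the IME.
LEGIT_MANIFEST = {
    "version": "2.3.0",
    "url": "https://srv-pc.sogouzhuyin.com/v1/upgrade/pkg/sogou_zhuyin_2.3.0.exe",
}
LEGIT_SIGNATURE = sign_manifest(LEGIT_MANIFEST)

# What the re-registered domain serves: a higher version, a new package, and the
# old genuine signature replayed in the hope the client does not check it.
HIJACKED_RESPONSE = {
    "manifest": {
        "version": "9.9.9",
        "url": "https://srv-pc.sogouzhuyin.com/v1/upgrade/pkg/update.exe",
    },
    "signature": LEGIT_SIGNATURE,
}


def _version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def weak_update_check(response: dict) -> Optional[str]:
    """Updater that trusts the host: a newer version number is enough to download."""
    m = response["manifest"]
    if _version(m["version"]) > _version(INSTALLED_VERSION):
        return m["url"]
    return None


def signed_update_check(response: dict) -> Optional[str]:
    """Hardened updater: domain control alone is not enough; the manifest must
    verify under the pinned key before the version is even compared."""
    m = response["manifest"]
    sig = response.get("signature")
    if not isinstance(sig, str) or not verify_manifest(m, sig):
        return None
    if _version(m["version"]) > _version(INSTALLED_VERSION):
        return m["url"]
    return None


if __name__ == "__main__":
    print("weak updater downloads  :", weak_update_check(HIJACKED_RESPONSE))
    print("signed updater downloads:", signed_update_check(HIJACKED_RESPONSE))
```

Against the hijacked response the weak updater hands back the attacker's package URL, while the signed updater returns nothing, because the replayed signature does not verify over the new manifest. A signed manifest should also carry the expected hash of the package so the client can check the downloaded bytes; and a vendor that stops maintaining a product should ship a final update that disables the check, so that a lapsed domain cannot become an update server again.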
Target Demographics
The campaign, identified in June 2025 and codenamed TAOTH by Trend Micro researchers, primarily targets dissidents, journalists, researchers, and technology and business leaders in China, Taiwan, Hong Kong, Japan, South Korea, and overseas Taiwanese communities. Taiwan accounts for 49% of the targets, followed by Cambodia (11%) and the United States (7%).
Implications and Recommendations
This incident underscores the risk of abandoned software infrastructure: an updater that keeps polling a lapsed domain will obey whoever re-registers it. Users are advised to:
– Verify Software Sources: Download only from the vendor's own channels, check the installer's code signature, and treat software the vendor no longer maintains as unsupported; remove it rather than leave its updater running.
– Monitor for Unauthorized Changes: Be vigilant about alterations to trusted information sources, such as Wikipedia pages, that redirect download links to unfamiliar domains.
– Hunt for the Indicators: Check DNS and proxy logs for connections to sogouzhuyin[.]com and its subdomains; any host that reached the update endpoint since November 2024 may have pulled a tampered configuration and should be investigated.
Organizations should also inventory the software in their environment whose update infrastructure is no longer maintained, and monitor their software supply chains for domains that lapse or change hands.
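One way to run the indicator hunt recommended above over proxy logs, as an added example that is not part of the original article or Trend Micro's report: it matches the apex domain and its true subdomains (a plain substring match would also flag unrelated look-alike names), and separates update-endpoint contacts made after November 2024, when the article says payload distribution began, from earlier, routine update checks. The log format and every log line are constructed; only the domain names and the November 2024 date come from the article.

```python
"""Hunt proxy logs for traffic to the re-registered domain.  Added example, not
from Trend Micro's report; the log format and every log line are constructed,
only the domain names and the November 2024 date come from the article."""
import re
from collections import defaultdict
from datetime import datetime

HIJACKED_APEX = "sogouzhuyin.com"
UPDATE_HOST = "srv-pc.sogouzhuyin.com"
# The article dates the first malicious payloads to November 2024; earlier
# update checks are the IME's normal (if futile) behaviour, not evidence of
# compromise, so they are reported at lower priority.
ACTIVE_FROM = datetime(2024, 11, 1)

# Constructed proxy log: "<iso-time> <client-ip> <method> <url>".
SAMPLE_LOG = """\
2024-09-03T10:12:44 10.1.1.20 GET http://srv-pc.sogouzhuyin.com/v1/upgrade/version
2025-03-14T09:01:10 10.1.1.31 GET http://dl.sogouzhuyin.com/sogou_zhuyin_setup.exe
2025-03-14T12:44:03 10.1.1.31 GET http://srv-pc.sogouzhuyin.com/v1/upgrade/version
2025-03-15T08:00:00 10.1.1.42 GET https://www.notsogouzhuyin.com/index.html
2025-03-15T08:05:00 10.1.1.42 GET https://example.org/
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+)$")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.IGNORECASE)


def is_hijacked_host(host: str) -> bool:
    """Apex or a real subdomain only; a substring match would also flag
    www.notsogouzhuyin.com and bury analysts in false positives."""
    host = host.lower().rstrip(".")
    return host == HIJACKED_APEX or host.endswith("." + HIJACKED_APEX)


def hunt(log_text: str) -> dict:
    """Map each internal client to its contacts with the hijacked domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h = HOST_RE.match(m["url"])
        if not h or not is_hijacked_host(h.group(1)):
            continue
        ts = datetime.fromisoformat(m["ts"])
        hits[m["src"]].append({
            "time": ts,
            "host": h.group(1).lower(),
            "in_active_window": ts >= ACTIVE_FROM,
        })
    return dict(hits)


def priority_hosts(hits: dict) -> list:
    """Clients that reached the update endpoint while it was under attacker
    control may have pulled a tampered configuration: escalate to incident response."""
    return sorted(
        src for src, events in hits.items()
        if any(e["in_active_window"] and e["host"] == UPDATE_HOST for e in events)
    )


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for src, events in found.items():
        for e in events:
            state = "ACTIVE" if e["in_active_window"] else "pre-takeover"
            print(src, e["time"].isoformat(), e["host"], state)
    print("escalate:", priority_hosts(found))
```

On the sample log, 10.1.1.20 is reported but not escalated (its update check predates the takeover), 10.1.1.42 is never flagged despite the look-alike hostname, and 10.1.1.31, which fetched the installer from dl.sogouzhuyin.com and then hit the update endpoint in March 2025, is the host to investigate. For real data, feed the same functions DNS resolver logs as well, since a host that resolved the domain but was blocked at the proxy still has the vulnerable updater installed.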