2025-09-02

Mostly East Asian-targeted cyberespionage exploits derelict update server

Threat actors have spread multiple malicious payloads by exploiting a neglected Sogou Zhuyin input method editor (IME) update server, in attacks aimed primarily at journalists, technology and business leaders, researchers, and dissidents in Taiwan, China, Japan, Hong Kong, and South Korea, as part of the TAOTH campaign first discovered in June, according to The Hacker News.

Although the TAOTH campaign mainly targeted East Asia, a Trend Micro report found that, after Taiwan, the largest numbers of affected individuals were in Cambodia and the U.S. By hijacking Sogou Zhuyin's abandoned domain, the attackers have been able to host malicious updates since October: downloading the IME's installer led to the deployment of the TOSHIS loader, which retrieves Cobalt Strike, the DESFY and GTELAM spyware, and the C6DOOR backdoor.

"It appears that the attacker was still in the reconnaissance phase, primarily seeking high-value targets. As a result, no further post-exploitation activities were observed in the majority of victim systems," said Trend Micro researchers.

