Chinese-linked hackers have intensified cyber-espionage efforts against Taiwan’s semiconductor industry and financial analysts, conducting coordinated attacks between March and June 2025, with some operations still ongoing. Reuters reports that cybersecurity firm Proofpoint has attributed the activity to at least three previously undocumented China-aligned groups—UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp—while a fourth group, UNK_ColtCentury (also tracked as TAG-100 or Storm-2077), attempted to build trust with its targets before deploying a remote access trojan (RAT) known as Spark.
These attacks are believed to be part of Beijing’s long-term push for semiconductor self-sufficiency, driven by U.S. export restrictions and Taiwan’s dominance in advanced chip manufacturing. The hackers have focused on organizations involved in semiconductor design, manufacturing, testing, and supply chains, as well as investment analysts tracking Taiwan’s semiconductor sector.
Proofpoint estimates that 15 to 20 organizations were targeted, ranging from medium-sized businesses to major global enterprises, along with analysts at at least one U.S.-headquartered international bank. While Taiwan’s major chipmakers, including TSMC, MediaTek, UMC, Nanya, and RealTek, declined or did not respond to comment, Reuters has been unable to confirm which firms were breached or whether any of the attacks succeeded. The group says that in all cases, the motive “was most likely espionage.”
The campaigns relied on varied tactics. UNK_FistBump launched spear-phishing attacks from compromised Taiwanese university email accounts, posing as job seekers and attaching malicious files disguised as PDF resumes. Opening these files triggered the deployment of Cobalt Strike beacons or a custom C-based backdoor known as Voldemort, previously linked to attacks on over 70 organizations worldwide. UNK_DropPitch, on the other hand, focused on financial analysts at major investment firms, masquerading as staff from a fake investment company and delivering malicious PDF links that downloaded ZIP archives carrying DLL-based payloads.
These malicious DLL files, when run using a side-loading trick, installed the HealthKick backdoor or opened a reverse connection to hacker-controlled servers like 45.141.139[.]222. In contrast, UNK_SparkyCarp used a different tactic, sending fake account security emails that led victims to phishing sites such as accshieldportal[.]com, using a custom tool to intercept and steal login credentials. The oldest trick in the book.
TeamT5, a Taiwanese cybersecurity firm, has reported an uptick in email-based threats aimed at Taiwan’s semiconductor industry. According to Reuters, the firm has noted that attackers often exploit weaker defenses in smaller suppliers and related industries to gain a foothold. In June, for example, a China-linked group known as Amoeba launched a phishing campaign against a chemical company critical to the semiconductor supply chain. This strategy of targeting peripheral (secondary) sectors—such as raw materials, logistics, or consulting—underscores a broader effort to compromise the supply chain by exploiting its less-protected edges.
The scope and scale of these campaigns underscore the growing geopolitical tension around Taiwan’s semiconductor dominance. Proofpoint researchers, including threat expert Mark Kelly, have warned that entities not previously on the radar are now being singled out. In late 2023, it was discovered that the Chimera group breached Europe’s NXP—the continent’s largest chipmaker—remaining undetected for over two years and stole sensitive chip design IP. Kelly noted that attackers sometimes sent just one or two highly targeted emails, while other campaigns involved as many as 80 emails to infiltrate entire organizations.
China’s embassy in Washington responded to the reports by reiterating that cyberattacks are a global issue and that China “firmly opposes and combats all forms of cybercrime”. Earlier this year, it was reported that the U.S. Treasury was broken into, and the government discovered Chinese hackers targeting Guam’s critical infrastructure. As such, these operations show clear alignment with Chinese state interests, as the targeting, tools, and tactics bear the hallmarks of China-linked cyber-espionage groups. With the Taiwanese semiconductor industry sitting at the heart of the global chip supply chain—and with ongoing export control measures from the U.S.—the sector remains one of the most valuable intelligence targets in the world.
About the Author
