China-Supported Hackers Ramp Up Attacks on Taiwan’s Chip Manufacturing Sector


State-Sponsored Groups Target Semiconductor Sector with Spear-Phishing Attacks

Attacks on Taiwan Chipmakers: Chinese state-aligned hackers have escalated their espionage tactics against Taiwan's semiconductor ecosystem through concentrated spear-phishing efforts. (Image: Shutterstock)

Chinese state-aligned hackers are intensifying their espionage operations against Taiwan's semiconductor industry, with spear-phishing as their primary method of initial access. Proofpoint reports that between March and June 2025 three distinct threat actors, tracked as UNK_FistBump, UNK_DropPitch and UNK_SparkyCarp, focused their attacks on organizations across the semiconductor supply chain, including chip manufacturers, testing facilities, equipment suppliers and financial analysts who cover the sector.

Proofpoint's report details the techniques these groups used and assesses that the campaigns were most likely espionage-motivated. Targets included organizations involved in the manufacturing, design and testing of semiconductors, as well as financial analysts specializing in Taiwanese markets. UNK_FistBump, for instance, used employment-themed lures, posing as students applying for internships and sending phishing emails from compromised Taiwanese university accounts to HR and recruiting teams at semiconductor companies. The emails carried malicious attachments that led to malware deployment.

The malware observed was the widely used Cobalt Strike Beacon and a custom backdoor known as Voldemort. The attackers relied on DLL sideloading to execute their payloads and, in some cases, used Google Sheets as a command-and-control channel. In one notable case a single password-protected archive spawned parallel infection chains, one leading to Cobalt Strike and the other to Voldemort, which points to deliberate operational planning on UNK_FistBump's part.
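One way a defender could hunt for the chain just described on endpoint telemetry: a signed executable loading an unsigned DLL that sits beside it in a user-writable folder (the sideloading signature), then that same process reaching Google Sheets endpoints. This is an added example and not code from Proofpoint or from the report; the Sysmon-style event records, their field names and the paths are constructed for illustration. The design point it makes is that Google Sheets traffic by itself is normal in most estates, so the alert is on the combination, not on the destination.

```python
"""Correlate DLL side-loading with web-service (Google Sheets) C2.

Added example; event records are constructed and field names are assumed.
"""
from pathlib import PureWindowsPath

# Google Sheets / Docs endpoints used by the Voldemort backdoor for C2.
SHEETS_HOSTS = {"sheets.googleapis.com", "docs.google.com"}

# Directories an ordinary user cannot write to. A side-loaded DLL dropped
# next to its host EXE normally lives elsewhere (Temp, Downloads, an
# extracted archive), which is the key difference from a legitimate install.
PROTECTED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)


def _under(path, root):
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def is_sideload(ev):
    """True for an image-load event where a signed EXE loads an unsigned DLL
    that sits in the same directory, and that directory is user-writable."""
    if ev["type"] != "image_load":
        return False
    exe = PureWindowsPath(ev["image"])
    dll = PureWindowsPath(ev["loaded"])
    same_dir = exe.parent == dll.parent  # PureWindowsPath compares case-insensitively
    return (ev["image_signed"] and not ev["loaded_signed"] and same_dir
            and not any(_under(exe, root) for root in PROTECTED_ROOTS))


def find_sideloads(events):
    """Map pid -> first side-loading image-load event seen for that process."""
    out = {}
    for ev in events:
        if is_sideload(ev) and ev["pid"] not in out:
            out[ev["pid"]] = ev
    return out


def correlate_web_service_c2(events):
    """Processes that side-loaded a DLL *and* then talked to Google Sheets."""
    sideloads = find_sideloads(events)
    findings = []
    for ev in events:
        if (ev["type"] == "network" and ev["pid"] in sideloads
                and ev["dest_host"].lower() in SHEETS_HOSTS):
            hit = sideloads[ev["pid"]]
            findings.append({"pid": ev["pid"], "image": hit["image"],
                             "dll": hit["loaded"], "dest": ev["dest_host"]})
    return findings


# Constructed sample telemetry: a lure extracted to Temp that side-loads an
# unsigned DLL and then polls Sheets, beside a browser doing the same network
# call legitimately.
EVENTS = [
    {"type": "image_load", "pid": 4212,
     "image": r"C:\Users\hr\AppData\Local\Temp\intern_cv\pdfviewer.exe", "image_signed": True,
     "loaded": r"C:\Users\hr\AppData\Local\Temp\intern_cv\libcurl.dll", "loaded_signed": False},
    {"type": "image_load", "pid": 4212,
     "image": r"C:\Users\hr\AppData\Local\Temp\intern_cv\pdfviewer.exe", "image_signed": True,
     "loaded": r"C:\Windows\System32\kernel32.dll", "loaded_signed": True},
    {"type": "network", "pid": 4212, "dest_host": "sheets.googleapis.com", "dest_port": 443},
    {"type": "image_load", "pid": 900,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "image_signed": True,
     "loaded": r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll", "loaded_signed": True},
    {"type": "network", "pid": 900, "dest_host": "sheets.googleapis.com", "dest_port": 443},
]

if __name__ == "__main__":
    for f in correlate_web_service_c2(EVENTS):
        print(f"pid {f['pid']}: {f['image']} side-loaded {f['dll']} then contacted {f['dest']}")
```

Run against real data, the image-load source would be Sysmon Event ID 7 (with signature fields) and the network source Event ID 3 or DNS logs; the rule deliberately ignores the DLL's name, because sideloading abuses whichever library the legitimate executable happens to search for.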

A second group, UNK_DropPitch, focused on financial professionals covering the semiconductor and technology markets. Posing as fictitious investment firms, it sent malicious ZIP files that bundled legitimate executables susceptible to DLL sideloading together with the malicious DLLs they would load. Like its counterparts, the group ran campaigns against leading investment banks, delivering backdoors that enabled follow-on intrusion.

UNK_SparkyCarp took a different approach, using an adversary-in-the-middle phishing kit to harvest credentials from Taiwanese chip companies. Its emails were disguised as login security alerts and linked victims to fraudulent login pages on attacker-controlled domains. Proofpoint attributed similar activity to the same group the previous year, indicating sustained, targeted credential harvesting against the semiconductor sector.
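The three lure styles above (a password-protected or executable-bearing archive, an EXE+DLL sideloading bundle, and a "security alert" that links to a login page on an attacker-controlled host) are all visible at the mail gateway before any payload runs. The triage rules below are an added example, not Proofpoint's code or any vendor's product; the sample messages, hostnames, archive contents and the identity-provider allowlist are constructed for illustration and would be replaced with an organization's real values.

```python
"""Mail-gateway triage rules for the lures described in this article.

Added example; messages, hosts and the allowlist are constructed.
"""
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts where a genuine security alert for this tenant may legitimately send
# users to sign in. Assumption: an organisation substitutes its real IdP hosts.
ALLOWED_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
LOGIN_WORDS = ("login", "log in", "sign in", "verify", "security alert", "password")


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def aitm_login_links(html):
    """Hosts of links whose anchor text promises a login or security action
    but whose destination is not a known identity provider (AitM pattern)."""
    parser = LinkExtractor()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if any(w in text.lower() for w in LOGIN_WORDS) and host not in ALLOWED_LOGIN_HOSTS:
            hits.append(host)
    return hits


def archive_findings(blob):
    """Inspect a ZIP attachment for an EXE+DLL side-loading bundle and for
    encrypted entries (a password-protected archive the gateway cannot scan)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        infos = z.infolist()
        names = [i.filename.lower() for i in infos]
        if any(n.endswith(".exe") for n in names) and any(n.endswith(".dll") for n in names):
            findings.append("exe+dll bundle (DLL side-loading lure)")
        if any(i.flag_bits & 0x1 for i in infos):  # bit 0 = entry is encrypted
            findings.append("password-protected archive")
    return findings


def triage(msg):
    """Return a list of human-readable findings for one message record."""
    findings = [f"login-themed link to unexpected host {h}" for h in aitm_login_links(msg.get("html", ""))]
    for name, blob in msg.get("attachments", []):
        if name.lower().endswith(".zip"):
            findings.extend(f"{name}: {f}" for f in archive_findings(blob))
    return findings


def _make_zip(entries):
    """Build an in-memory ZIP from (name, bytes) pairs (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries:
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample messages; all domains are invented.
SAMPLES = {
    "investment_lure": {
        "from": "research@example-capital-fake.invalid",
        "html": "<p>Please find attached our semiconductor outlook.</p>",
        "attachments": [("outlook_Q3.zip",
                         _make_zip([("outlook_Q3.exe", b"MZ..."), ("libcurl.dll", b"MZ...")]))],
    },
    "login_alert": {
        "from": "no-reply@example-secure-alerts.invalid",
        "html": '<p>Unusual sign-in detected.</p>'
                '<a href="https://login-verify.example-attacker.invalid/o365">Verify your account</a>',
        "attachments": [],
    },
    "benign": {
        "from": "it@corp.example",
        "html": '<a href="https://login.microsoftonline.com/">Sign in</a> to reset your password.',
        "attachments": [("photos.zip", _make_zip([("a.jpg", b"\xff\xd8")]))],
    },
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, "->", triage(msg) or "clean")
```

The archive rule keys on the EXE+DLL pairing rather than on file names, since the legitimate executable changes from campaign to campaign; the link rule keys on the mismatch between what the anchor text promises and where the href actually goes, which is exactly what an AitM page relies on the user not noticing.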

Proofpoint attributes the escalation largely to China's strategic goal of semiconductor self-sufficiency and reduced reliance on foreign supply chains, a goal set out in its Five-Year Plans and sharpened by international export controls. As established Chinese threat actors adapt their methods, new groups are also appearing in the phishing landscape with a particular focus on Taiwan's semiconductor industry.

The Taiwanese semiconductor sector's central role in the global chip supply chain and its technological lead make it a prime target for state-sponsored espionage. Mapped to MITRE ATT&CK, the reported activity spans Initial Access (spear-phishing attachments and links), Credential Access (adversary-in-the-middle credential harvesting), Defense Evasion (DLL sideloading) and Command and Control over a legitimate web service (Google Sheets). Defenders in the sector should treat HR and finance mailboxes as high-exposure entry points, enforce phishing-resistant MFA so that harvested passwords alone do not grant access, and monitor for unsigned DLLs loaded from user-writable paths.
