Date: 2025-07-17

This surge, observed between March and June 2025, highlights a concerted campaign aimed at infiltrating and extracting intelligence from an industry pivotal to global technology supply chains and geopolitical security.

Proofpoint’s latest research identifies at least three distinct state-sponsored groups, UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp, launching sophisticated phishing attacks against a broad spectrum of Taiwanese semiconductor entities.

The targets span manufacturers, designers, testing facilities, supply chain partners, and even financial analysts specialising in semiconductor market investments.

Mark Kelly, staff threat researcher at Proofpoint, explained the breadth of the campaign: “We observed targeting across the entire semiconductor ecosystem, not just production but also financial analysts who influence investment decisions. This indicates a comprehensive intelligence gathering mandate from these threat actors.”

The cyberattacks employed a variety of advanced tactics to deceive victims, including employment-themed lures, fake collaboration proposals, and credential phishing.

Notably, attackers often exploited compromised university accounts and deployed custom Adversary-in-the-Middle (AiTM) frameworks to intercept credentials with high precision.

Kelly added: “The use of compromised academic accounts shows a willingness to leverage trusted sources to gain access. Alongside that, deployment of custom backdoors like Voldemort and HealthKick, combined with legitimate tools for persistence, highlights the adaptability and sophistication of these groups.”

Further technical analysis revealed shared infrastructure patterns that hint at the operational security measures used by these groups. This included reliance on Russian Virtual Private Server (VPS) providers and SoftEther VPN servers, reflecting a complex, multinational approach to obfuscation.

The heightened cyber activity appears aligned with China’s longstanding strategic objective of achieving semiconductor self-sufficiency.

This is particularly pertinent in light of recent US and Taiwanese export controls aimed at restricting China’s access to advanced semiconductor technologies. Proofpoint’s research underscores how economic and political priorities directly influence cyber espionage targeting.

“China’s economic priorities consistently drive the focus of its cyber espionage efforts,” Kelly noted.

“We see a clear pattern of targeting evolving in response to geopolitical shifts and economic policies. The semiconductor industry, with its critical role in global supply chains and national security, is naturally a prime target right now.”

Beyond Taiwan, Proofpoint’s findings also highlight targeting of international financial firms involved in Taiwanese semiconductor investments, signalling that related financial institutions outside Taiwan, particularly in the US, may face similar threats. However, no direct attacks on US-based semiconductor companies have been detected so far.

The campaigns ranged from focused attacks on specific individuals, such as investment analysts, to broad campaigns targeting numerous employees within organisations. This dual approach likely reflects both strategic targeting and opportunistic access attempts.

Beijing has repeatedly denied any involvement in state-sponsored cyberattacks. A spokesperson for the Chinese embassy in Washington told Reuters that China “firmly opposes and combats all forms of cyberattacks and cybercrime.” This mirrors Beijing’s past responses to similar allegations of cyber espionage by state-linked actors.

Meanwhile, the Taiwanese government has previously rejected cyberattack accusations from China, accusing Beijing of spreading disinformation and highlighting that Taiwan itself is subject to frequent, large-scale cyberattacks from China-aligned actors.

Kelly advised caution: “Users should remain vigilant to phishing attempts from unfamiliar sources and promptly report suspicious activity to their security teams. Given the stakes, ongoing awareness and proactive defence are essential.”