An espionage operation codenamed TAOTH has exploited an abandoned update server tied to the Sogou Zhuyin input method editor (IME) to distribute multiple malware families, researchers report. The activity, identified in June 2025, targeted dissidents, journalists, researchers and tech leaders across China, Taiwan, Hong Kong, Japan, South Korea and overseas Taiwanese communities, with Taiwan accounting for nearly half of all targets.
In describing the campaign, Trend Micro researchers Nick Dai and Pierre Lee noted that the attackers deployed sophisticated infection chains, including hijacked software updates and fake cloud-storage or login pages, to deliver malware and harvest sensitive information. TAOTH is the name Trend Micro assigned to the campaign after its exhaustive analysis.
According to investigators, the attackers gained control of the lapsed domain sogouzhuyin[.]com – the domain previously associated with Sogou Zhuyin that stopped updates in 2019 – and began hosting malicious updates as early as October 2024. Trend Micro estimated that several hundred victims were affected across the target regions.
In the TAOTH campaign, the attackers used four malware families to achieve remote access, information theft and backdoor functionality: TOSHIS, a loader designed to fetch next-stage payloads; DESFY, a spyware module that collects file names from Desktop and Program Files; GTELAM, a spyware that enumerates file names with common document extensions and exfiltrates data to Google Drive; and C6DOOR, a Go-based backdoor that uses HTTP and WebSocket for command-and-control.
Security researchers observed embedded Simplified Chinese characters within some C6DOOR samples, suggesting the threat actor behind the artifact has Chinese language proficiency. The attacker’s use of legitimate cloud storage services, including Google Drive, facilitated data exfiltration and helped obscure malicious traffic along the attack chain.
The malware deployment sequence began when users downloaded the official Sogou Zhuyin installer from the Internet. Hours after installation, the updater, ZhuyinUp.exe, retrieved an update configuration file from srv-pc.sogouzhuyin[.]com/v1/upgrade/version, kicking off the multi-stage infection process. The campaign also appears to have included phishing components, including a two-pronged approach with fake login pages and fake cloud-storage pages designed to harvest credentials or prompt OAuth permissions for attacker-controlled apps, potentially giving attackers access to targeted users’ accounts.
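The hijacked update channel described above leaves a simple network footprint: an end-of-support updater still phoning home to a domain its vendor no longer controls. The following is an added detection example, not code from Trend Micro or from the Sogou Zhuyin project. It scans proxy log lines for requests to the lapsed domain and to the update-configuration path named in the report, matching the domain and its subdomains properly rather than by substring. The log line format, the client addresses and the individual requests are all constructed for the example.

```python
"""Flag proxy-log requests that touch the hijacked Sogou Zhuyin update channel.

Detection logic only: it parses log lines and reports matches. It never
contacts any host. The indicators are taken from the public reporting on
the TAOTH campaign; everything else here is constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import urlsplit

# Indicators from the report, written defanged as published. refang() restores
# the dots so the values can be matched against real hostnames.
HIJACKED_DOMAIN = "sogouzhuyin[.]com"
UPDATE_PATH = "/v1/upgrade/version"   # path fetched by the updater (ZhuyinUp.exe)


def refang(indicator: str) -> str:
    """Convert a defanged indicator (sogouzhuyin[.]com, hxxp://...) to a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Assumed proxy-log layout (constructed, not any vendor's real format):
#   <timestamp> <client_ip> <method> <url> <status> <user_agent>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<ua>.*)$"
)


def host_matches(host: str, domain: str) -> bool:
    """True if host equals the domain or is a subdomain of it.

    A plain substring test would also match look-alikes such as
    sogouzhuyin.com.example.net, so the check is anchored at a dot boundary.
    """
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def classify(url: str) -> Optional[str]:
    """Return a finding label for URLs on the hijacked update channel, else None."""
    parts = urlsplit(url)
    if not host_matches(parts.hostname or "", refang(HIJACKED_DOMAIN)):
        return None
    if parts.path == UPDATE_PATH:
        return "update-config-fetch"    # first stage of the chain described in the report
    return "lapsed-domain-contact"      # any other traffic to the abandoned domain


def scan(lines):
    """Parse log lines; return (list of findings, count of unparseable lines)."""
    findings, unparsed = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        label = classify(m["url"])
        if label:
            findings.append({"ts": m["ts"], "client": m["client"], "url": m["url"], "label": label})
    return findings, unparsed


def hosts_to_triage(findings):
    """Group finding labels by client address so each affected machine is reviewed once."""
    by_client = defaultdict(list)
    for f in findings:
        by_client[f["client"]].append(f["label"])
    return dict(by_client)


# Constructed sample log lines (not real traffic). The fourth line is a
# look-alike domain that a naive substring match would wrongly flag.
SAMPLE_LOG = """\
2025-06-02T09:14:03Z 10.0.4.17 GET http://srv-pc.sogouzhuyin.com/v1/upgrade/version 200 -
2025-06-02T09:14:05Z 10.0.4.17 GET http://srv-pc.sogouzhuyin.com/some/other/path 200 -
2025-06-02T09:15:11Z 10.0.4.22 GET https://www.example.com/ 200 Mozilla/5.0
2025-06-02T09:16:40Z 10.0.4.31 GET https://sogouzhuyin.com.example.net/ 200 Mozilla/5.0
this line is not a log entry
"""

if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ts']} {f['client']} {f['label']} {f['url']}")
    print(f"hosts to triage: {hosts_to_triage(found)}; unparseable lines: {bad}")
```

In practice the same check belongs in DNS and proxy alerting as a standing rule: once a vendor lets an update domain lapse, any client still resolving or requesting it is, by definition, running software whose update path can no longer be trusted, whether or not a specific malicious payload has been seen.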
Trend Micro notes that TAOTH shares infrastructure and tooling with previously documented activity attributed to ITOCHU, pointing to a persistent threat actor focused on reconnaissance, espionage and email abuse. One analyzed case indicated the attacker was surveying the victim’s environment and even establishing a tunnel through Visual Studio Code, underscoring the breadth of post-exploitation techniques observed.
In some cases, attackers distributed the toolset via phishing websites linked to spear-phishing campaigns targeting Eastern Asia, with limited reach into Norway and the United States. The phishing content included booby-trapped URLs and decoy documents designed to trigger a multi-stage drop of TOSHIS using DLL side-loading or to gain unauthorized access to the victim’s Google or Microsoft mailboxes via OAuth prompts.
Trend Micro urged organizations to audit end-of-support software and promptly remove or replace such applications, and to review cloud app permissions before granting access. The firm said the Sogou Zhuyin operation demonstrated a low-profile reconnaissance phase aimed at identifying high-value targets before any post-exploitation activity, a pattern that underscores the need for vigilant security hygiene across enterprise environments.