Phish and Chips: China-Aligned Actors Target Taiwan Semiconductor Industry
Between March and June 2025, Proofpoint Threat Research identified three distinct China-aligned threat actors simultaneously targeting Taiwan’s semiconductor industry in espionage-driven campaigns. This activity reflects Beijing’s strategic priority to achieve semiconductor self-sufficiency amid U.S. and Taiwanese export controls, consistent with successive Five-Year Plans. Targeting intensity exceeded historical norms, with multiple previously untracked clusters entering the phishing landscape.
UNK_FistBump, exhibiting similarities to TA415 (APT41/Brass Typhoon), conducted spearphishing campaigns in May–June 2025. The actor impersonated a graduate student seeking employment in order to target HR and recruitment personnel across semiconductor manufacturing, packaging, testing, and supply chain organizations. It leveraged DLL side-loading to deploy Cobalt Strike and the Voldemort backdoor, establishing persistence in compromised networks.

UNK_DropPitch, which shares infrastructure with TA415, operated in April–May 2025, targeting financial analysts covering Taiwan’s semiconductor and technology sectors at major investment banks. The actor sent phishing emails from attacker-controlled accounts, posing as a fictitious investment firm to solicit collaboration from targets. In June 2025, the actor expanded its targeting to U.S. academic and think tank organizations.

UNK_SparkyCarp conducted adversary-in-the-middle (AiTM) credential phishing in March 2025 against a Taiwanese semiconductor company that had previously been targeted in November 2024.

UNK_ColtCentury (overlapping with TAG-100 and Storm-2077) sent benign conversation-starter emails to legal personnel at a Taiwanese semiconductor firm in October 2024, likely as pre-positioning for SparkRAT deployment.
The convergence of multiple China-aligned clusters on a narrowly defined sector indicates coordinated intelligence collection priorities rather than opportunistic activity.
IOCs (53)
Detections (10)
- Malware Email Delivered Through Defenses
- User Clicked Through Safe Links Protection
- Malicious Email Attachment
- Registry Run Key Persistence
- VBScript from Office Applications
- Execution of Internet-Downloaded File
- C2 Beacon Over HTTP/S to Rare Domain
- Anomalous Encrypted C2 Channel
- Unauthorized Remote Access Tool
- Unsanctioned Proxy or VPN Traffic