Between March and June 2025, cybersecurity researchers at Proofpoint documented an alarming escalation in Chinese state-sponsored cyber espionage targeting Taiwan’s critical semiconductor industry.
Three distinct threat actors ran phishing campaigns against manufacturers, chip designers, and financial analysts who specialize in semiconductor technologies, a marked intensification of China's cyber intelligence collection in this strategically vital sector.
The most prominent of these operations involved UNK_FistBump, a Chinese threat actor that conducted elaborate employment-themed phishing campaigns in May and June 2025.
Masquerading as graduate students from prestigious Taiwanese universities, the attackers sent weaponized job applications to recruitment and HR personnel at major semiconductor companies.
The emails carried Traditional Chinese subject lines such as "Product Engineering (Material Analysis/Process Optimization) – National Taiwan University" and delivered the lure as a password-protected archive or as a PDF attachment linking to the malicious payload.
Notably, UNK_FistBump ran two infection chains within a single campaign, one delivering a Cobalt Strike Beacon payload and the other a custom backdoor tracked as Voldemort.
The Cobalt Strike Beacon used a customized GoToMeeting malleable command-and-control profile and communicated with infrastructure at 166.88.61[.]35 over TCP port 443.
The Voldemort backdoor instead used Google Sheets for command and control, a choice that buries C2 traffic inside legitimate HTTPS connections to Google APIs and defeats simple domain-reputation blocking, since the destination host is one most organizations cannot block.
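The two C2 channels described above leave different traces: the Beacon channel is identifiable by its destination IP, while the Voldemort channel is only identifiable by the spreadsheet ID in an otherwise legitimate-looking Google API URL. The following is an added example (not Proofpoint's code and not part of the original report) that scans proxy log lines for both, using the indicators from the table on this page. The log format (pipe-separated `timestamp|src_ip|dst_ip|method|url|user_agent`), the sample lines and the non-browser user-agent heuristic are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Indicators from the UNK_FistBump table on this page.
BEACON_C2_IP = "166.88.61.35"
VOLDEMORT_SHEET_IDS = {
    "1z8ykHVYh9DF-b_BFDA9c4Q2ojfrgl-fq1v797Y5576Y",
    "14H0Gm6xgc2p3gpIB5saDyzSDqpVMKGBKIdkVGh2y1bo",
}

# Matches the Google Sheets v4 API path and captures the spreadsheet ID.
SHEETS_API_RE = re.compile(
    r"sheets\.googleapis\.com(?::443)?/v4/spreadsheets/([A-Za-z0-9_-]+)"
)

# Constructed sample proxy log (hypothetical format, not real traffic):
# timestamp|src_ip|dst_ip|method|url|user_agent
SAMPLE_LOG = """\
2025-05-14T09:12:01Z|10.1.2.33|142.250.72.14|GET|https://docs.google.com/spreadsheets/d/abc123/edit|Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2025-05-14T09:12:05Z|10.1.2.33|142.250.72.46|GET|https://sheets.googleapis.com:443/v4/spreadsheets/1z8ykHVYh9DF-b_BFDA9c4Q2ojfrgl-fq1v797Y5576Y|Mozilla/5.0 (Windows NT 10.0)
2025-05-14T09:13:10Z|10.1.2.33|166.88.61.35|POST|https://166.88.61.35/meeting/join|Mozilla/5.0 (Windows NT 10.0)
2025-05-14T09:14:22Z|10.1.2.57|142.250.72.46|GET|https://sheets.googleapis.com/v4/spreadsheets/UNKNOWN_ID_0000000000000000000000000|python-requests/2.31
2025-05-14T09:15:00Z|10.1.2.57|142.250.72.14|GET|https://www.google.com/|Mozilla/5.0 (Windows NT 10.0)
"""


@dataclass
class Hit:
    line_no: int
    src_ip: str
    reason: str
    value: str


def scan_proxy_log(log_text: str) -> list[Hit]:
    """Return one Hit per log line that matches an indicator or heuristic."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split("|")
        if len(fields) != 6:
            continue  # malformed line; skip rather than crash on real logs
        _ts, src_ip, dst_ip, _method, url, user_agent = fields

        # Indicator 1: Cobalt Strike C2 IP from the table.
        if dst_ip == BEACON_C2_IP:
            hits.append(Hit(line_no, src_ip, "cobalt-strike-c2-ip", dst_ip))
            continue

        match = SHEETS_API_RE.search(url)
        if not match:
            continue
        sheet_id = match.group(1)

        # Indicator 2: known Voldemort spreadsheet IDs from the table.
        if sheet_id in VOLDEMORT_SHEET_IDS:
            hits.append(Hit(line_no, src_ip, "voldemort-sheet-id", sheet_id))
        # Heuristic (assumption, not from the report): direct Sheets API use
        # by a non-browser client is rare on a workstation and worth a look.
        elif not user_agent.startswith("Mozilla/"):
            hits.append(Hit(line_no, src_ip, "sheets-api-non-browser-ua", user_agent))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no} {hit.src_ip}: {hit.reason} -> {hit.value}")
```

The spreadsheet-ID match is the high-confidence signal; the user-agent heuristic is there to surface Voldemort infrastructure that is not yet on an indicator list and should be tuned against the automation that legitimately uses the Sheets API in your environment.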
The loader stage relied on DLL sideloading: legitimate, signed executables such as javaw.exe and CiscoCollabHost.exe were dropped alongside an attacker-controlled DLL, so that the trusted binary loaded the malicious library, which then decrypted and executed the embedded payload.
The Cobalt Strike payload was RC4-encrypted with the key "qwxsfvdtv", and the chain established persistence through a Windows Registry modification.
Concurrently, UNK_DropPitch targeted investment analysts specializing in Taiwanese semiconductor markets, deploying a custom backdoor called HealthKick through fake investment collaboration emails.
HealthKick spoke a FakeTLS protocol that, apparently because of a coding error, required each header to be sent twice, and it encrypted its C2 traffic with XOR under the key "mysecretkey."
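Both payloads above are recoverable with trivial symmetric routines once the key is known: RC4 for the UNK_FistBump Cobalt Strike stub and repeating-key XOR for UNK_DropPitch's HealthKick traffic. The following added example (not from Proofpoint or either malware family) implements both, checks the RC4 routine against a published test vector, and applies it to a constructed stand-in blob with the keys reported on this page. The sample plaintexts and the printable-ratio sanity check are illustrative assumptions; the actual FakeTLS framing is not reproduced here.

```python
import string

# Keys reported on this page.
FISTBUMP_RC4_KEY = b"qwxsfvdtv"      # Cobalt Strike payload (UNK_FistBump)
HEALTHKICK_XOR_KEY = b"mysecretkey"  # C2 traffic (UNK_DropPitch)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; also its own inverse."""
    if not key:
        raise ValueError("XOR key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; a cheap 'did the key work' test.
    A decrypted PE or shellcode stub will score low, so for those check for the
    'MZ' header or known shellcode prologues instead of relying on this."""
    if not data:
        return 0.0
    printable = set(string.printable.encode())
    return sum(b in printable for b in data) / len(data)


def decrypt_fistbump_payload(blob: bytes) -> bytes:
    """Decrypt a captured UNK_FistBump payload blob with the reported RC4 key."""
    return rc4_crypt(FISTBUMP_RC4_KEY, blob)


def decode_healthkick_traffic(blob: bytes) -> bytes:
    """Decode captured HealthKick C2 bytes with the reported XOR key."""
    return xor_crypt(HEALTHKICK_XOR_KEY, blob)


# Published RC4 test vector (key "Key", plaintext "Plaintext").
assert rc4_crypt(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"

# Constructed stand-in samples (not real captured artefacts).
SAMPLE_BEACON_STUB = b"MZ\x90\x00CONSTRUCTED-STUB-NOT-A-REAL-BEACON"
SAMPLE_HEALTHKICK_MSG = b'{"cmd":"whoami","id":"constructed-sample"}'

if __name__ == "__main__":
    encrypted_stub = rc4_crypt(FISTBUMP_RC4_KEY, SAMPLE_BEACON_STUB)
    recovered = decrypt_fistbump_payload(encrypted_stub)
    print("RC4 round trip ok:", recovered == SAMPLE_BEACON_STUB,
          "| starts with MZ:", recovered[:2] == b"MZ")

    wire_bytes = xor_crypt(HEALTHKICK_XOR_KEY, SAMPLE_HEALTHKICK_MSG)
    decoded = decode_healthkick_traffic(wire_bytes)
    print("XOR decoded:", decoded.decode(), "| printable ratio:",
          round(printable_ratio(decoded), 2))
```

When working from a real sample, pull the encrypted blob out of the sideloaded DLL's data section (or carve the HealthKick application data out of the FakeTLS records) and feed it to the matching function; a wrong key shows up immediately as a near-zero printable ratio or a missing `MZ` header.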
The timing and scope of these operations align with China’s strategic priority to achieve semiconductor self-sufficiency amid intensifying U.S. export controls and technology restrictions.
The targeting extended beyond traditional manufacturing entities to include supply chain partners and financial analysts, indicating comprehensive intelligence collection efforts spanning the entire semiconductor ecosystem.
Proofpoint researchers noted that established Chinese threat actors have increasingly shifted toward exploiting edge devices and other non-phishing access vectors, while newer groups such as those documented here continue to rely on conventional phishing.
The emergence of multiple threat actors simultaneously targeting the same sector suggests coordinated state-level prioritization of semiconductor intelligence collection, potentially foreshadowing expanded operations against this critical industry worldwide.
UNK_FistBump Network Indicators

| Indicator | Type | Description | First Seen |
|---|---|---|---|
| 166.88.61[.]35 | IP address | Cobalt Strike C2 | May 2025 |
| hxxps://sheets[.]googleapis[.]com:443/v4/spreadsheets/1z8ykHVYh9DF-b_BFDA9c4Q2ojfrgl-fq1v797Y5576Y | URL | Voldemort Google Sheets C2 | May 2025 |
| hxxps://sheets[.]googleapis[.]com:443/v4/spreadsheets/14H0Gm6xgc2p3gpIB5saDyzSDqpVMKGBKIdkVGh2y1bo | URL | Voldemort Google Sheets C2 | June 2025 |
| john.doe89e@gmail[.]com | Email address | Malware delivery | May 2025 |