【CyCraft Monthly Intelligence】TAOTH Analysis: Dual Espionage Exploiting Sogou Zhuyin Supply Chain and OAuth Authorization

Threat and Impact

TAOTH is a long-running, organized cyber espionage campaign suspected to be conducted by Chinese-speaking attackers. The attackers took over "Sogou Zhuyin IME," a Traditional Chinese input method that ceased operations in 2019, by re-registering its abandoned update domains and standing up their own update servers, and combined this with targeted spear-phishing to deliver multiple malware families. They re-registered the sogouzhuyin.com domain in October 2024, and malicious updates began appearing in November 2024. Telemetry indicates at least hundreds of victims, with activity continuing into 2025.

Analyst Perspective

This espionage exploits no CVE vulnerabilities. Instead, the attackers rely solely on operational weaknesses in software services: abandoned domains, unmaintained update mechanisms, social engineering, DLL side-loading, and OAuth consent abuse. Shared infrastructure, tools, and TTPs (Tactics, Techniques, and Procedures) link this activity to previous campaigns (including a supply-chain abuse case), indicating an organized, persistent threat actor with repeatable methodologies that consistently targets East Asia.

The TAOTH espionage demonstrates how neglected software and cloud authorization flows can be weaponized into high-impact channels against Traditional Chinese users and high-value individuals in East Asia. The media, research, technology, and business sectors now face email takeovers, prolonged reconnaissance, and selective post-compromise intrusions that could escalate into broader organizational breaches.

Incident Description

Through the Sogou Zhuyin channel alone, TAOTH is estimated to have affected hundreds of victims. Malicious updates began in November 2024 and continued into 2025. Before discovery, this activity may have persisted for months, significantly increasing the risk of critical data exfiltration. Primary threats include:

  • Abuse of EOL Software Supply Chain: Because the attackers control Sogou Zhuyin's update domain, the updater fetches malicious "updates" within hours of a user installing the legitimate input method. The attackers deliver multiple malware families, including TOSHIS (Xiangoop variant loader), DESFY (spyware), GTELAM (spyware exfiltrating data to Google Drive), and C6DOOR (Golang backdoor). In some cases, Cobalt Strike and Merlin agents are subsequently deployed. To widen their reach among Traditional Chinese users, the attackers also inserted download URLs pointing at their infrastructure into Traditional Chinese Wikipedia pages.
  • Spearphishing and Account Takeover: Fake cloud storage pages automatically deliver compressed files that perform DLL sideloading attacks through a trusted executable, planting TOSHIS and ultimately deploying Merlin agent malware. Fake login portals redirect victims to legitimate Google/Microsoft OAuth consent screens, tricking them into granting attackers powerful email permissions (e.g., gmail.modify, mail.read, mail.send), allowing continuous email access and abuse without stealing passwords. This phishing process uses an obfuscated intermediary page and sends beacons to a China-based messaging service to target and track victims.
  • Stealthy Data Collection and Target Filtering: DESFY and GTELAM collect filenames (from the Desktop, Program Files, and Office document types) to profile systems and filter high-value targets. GTELAM hides its exfiltration inside normal Google Drive traffic. After a successful compromise the attackers operate cautiously with a focus on reconnaissance; in at least one case they established a Visual Studio Code remote tunnel to maintain persistence.

Analysis of Affected Targets:

  • Geographic Distribution: Primarily targeting East Asia, including Taiwan, China, Hong Kong, Japan, and South Korea, TAOTH also extends to overseas Taiwanese communities and a small number of victims in the United States and Norway. Language checks in their tools primarily target zh-TW, zh-CN, and ja-JP systems.
  • Victim Profile and Sectors: High-value individuals such as dissidents, journalists, researchers, and technology/business leaders (including C-levels). While attacks are individual-focused, their impact extends to media/journalism, research and academia, technology, and broader business sectors.

Scale and Scope of Impact on Organizations and Industries:

  • Strategic Espionage and Surveillance: The targeting of dissidents and other high-value individuals suggests the objective is intelligence gathering for geopolitical purposes. By collecting filenames first and activating backdoors only selectively, the attackers follow a "low and slow" strategy that reduces noise on the system and extends dwell time.
  • Email Ecosystem Abuse and Lateral Movement Phishing: Through OAuth-obtained mail access, attackers can read, send, and modify emails. They can leverage these permissions to phish trusted contacts, escalate privileges, and steal sensitive communications and attachments.
  • Endpoint Trust and Software Supply Chain Sabotage: By hijacking update channels of EOL software, attackers not only erode user trust in automatic updates but also demonstrate how expired vendor domains can be weaponized at scale. This campaign reused cloud platforms (Google Drive, Amazon S3) to blend into legitimate traffic and evade perimeter defenses.
  • Operational, Compliance, and Reputational Risks: Victims are faced with the exfiltration of intellectual property, research data, supplier lists, and confidential communications. For media and civil society organizations, related risks include source exposure and physical safety concerns. For enterprises, other operational risks include executive targeting, phishing attacks against partner ecosystems, and downstream vendor compromise.

Technical Details

TAOTH used the update mechanism of the EOL Sogou Zhuyin IME as its supply-chain channel while running spear-phishing in parallel. The root cause was the expiry of the vendor's domain, which exposed the weak trust model of the updater. Even over TLS, ZhuyinUp.exe fully trusted the update manifest (download URL and MD5) served by the domain the attackers re-registered in October 2024, because it performed neither certificate pinning nor code-signature verification; the MD5 only proves that the download matches what the same server advertised. From November 2024 the attacker-controlled update channel delivered a multi-stage toolset: TOSHIS (Xiangoop variant loader), DESFY and GTELAM (spyware for target profiling), and C6DOOR (a Golang backdoor), followed by the second-stage C2 agents COBEACON (Cobalt Strike) and Merlin.
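The trust model described above, as an added example that is not code from the original report or from Sogou: the weak check accepts any installer whose MD5 matches the MD5 in a manifest fetched from the same server, so whoever holds the domain passes it. The hardened form beside it is an assumed design (pinned vendor public key, Ed25519-signed manifest carrying a SHA-256 and a version counter); the URLs, key handling and payload bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest models the two fields the report says ZhuyinUp.exe trusted: a
// download URL and an MD5, both supplied by whoever answers for the domain.
type Manifest struct {
	URL string `json:"url"`
	MD5 string `json:"md5"`
}

// vulnerableVerify reproduces the weak trust model: the installer is accepted
// whenever its MD5 matches the manifest. The same server supplies both values,
// so a party that re-registers the domain passes this check for any payload.
func vulnerableVerify(m Manifest, installer []byte) bool {
	sum := md5.Sum(installer)
	return hex.EncodeToString(sum[:]) == m.MD5
}

// HardenedManifest / SignedManifest are an assumed hardened design (not Sogou's):
// the manifest carries a SHA-256 of the installer and a version counter, and the
// whole manifest is signed by a vendor key whose public half is pinned in the updater.
type HardenedManifest struct {
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
	Version int    `json:"version"` // must increase, so an old signed manifest cannot be replayed
}

type SignedManifest struct {
	Manifest  []byte `json:"manifest"`  // JSON-encoded HardenedManifest, signed as-is
	Signature []byte `json:"signature"` // ed25519 signature over Manifest
}

var (
	ErrBadSignature = errors.New("manifest not signed by the pinned vendor key")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrHashMismatch = errors.New("installer SHA-256 does not match the signed manifest")
)

func newVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// signManifest is what the vendor's release pipeline would do offline.
func signManifest(priv ed25519.PrivateKey, hm HardenedManifest) (SignedManifest, error) {
	body, err := json.Marshal(hm)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: body, Signature: ed25519.Sign(priv, body)}, nil
}

// hardenedVerify: signature first, then rollback protection, then the installer
// hash. Control of the DNS name alone satisfies none of these.
func hardenedVerify(pinned ed25519.PublicKey, sm SignedManifest, installer []byte, installedVersion int) error {
	if !ed25519.Verify(pinned, sm.Manifest, sm.Signature) {
		return ErrBadSignature
	}
	var hm HardenedManifest
	if err := json.Unmarshal(sm.Manifest, &hm); err != nil {
		return err
	}
	if hm.Version <= installedVersion {
		return ErrRollback
	}
	if sha256Hex(installer) != hm.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// attackerManifest is what a hijacked update server returns: its own payload
// and the matching MD5 (URL and payload are constructed for this example).
func attackerManifest(payload []byte) Manifest {
	sum := md5.Sum(payload)
	return Manifest{URL: "https://srv-pc.example.invalid/dl/update.exe", MD5: hex.EncodeToString(sum[:])}
}

func main() {
	pub, priv := newVendorKey()
	_, attackerPriv := newVendorKey() // the attacker has a key too, just not the vendor's
	payload := []byte("constructed stand-in for a malicious installer")

	fmt.Println("weak updater accepts hijacked manifest:", vulnerableVerify(attackerManifest(payload), payload))
	hm := HardenedManifest{URL: "https://srv-pc.example.invalid/dl/update.exe", SHA256: sha256Hex(payload), Version: 2}
	forged, _ := signManifest(attackerPriv, hm)
	fmt.Println("hardened updater, attacker-signed manifest:", hardenedVerify(pub, forged, payload, 1))
	genuine, _ := signManifest(priv, hm)
	fmt.Println("hardened updater, vendor-signed manifest:", hardenedVerify(pub, genuine, payload, 1))
	fmt.Println("hardened updater, replayed old manifest:", hardenedVerify(pub, genuine, payload, 2))
}
```

The server-supplied MD5 is only a transport checksum; it binds the download to the manifest, not the manifest to the vendor. Pinning the verification key in the client is what removes the domain from the trust chain, and the version counter stops an attacker from replaying a genuinely signed but outdated manifest.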

In the phishing attack, fake cloud storage pages side-loaded TOSHIS, while fraudulent login pages tricked users into granting OAuth permission for persistent email access. The entire operation emphasizes stealthy reconnaissance, target filtering, heavy abuse of cloud services, and selective post-intrusion activities (e.g., establishing a VS Code tunnel).

Reconnaissance

  • Host Analysis Spyware: DESFY collects file names from the Desktop and Program Files, and transmits them to the C2 server via POST requests to assess victim value. GTELAM enumerates Office document file names (.doc/.docx/.xls/.xlsx/.ppt/.pptx), encrypts the list with AES, and uploads it to Google Drive for high-value target filtering.
  • Reconnaissance via Backdoor (C6DOOR): InformationCli (IP/OS/Username/Hostname), GetAllProcessNames, ExecuteSendDirList/ExecuteSendDir, ExecuteCommandScan (Port scanning), ExecScreenshot.
  • Observed Host Reconnaissance Commands: tasklist /svc, quser, ipconfig /all, net time /domain, net user, hostname, curl cip.cc (to query public IP), and inventorying files in %LOCALAPPDATA%\Microsoft and Office paths.
  • Web Beacon during OAuth Phishing: An obfuscated intermediary page sends beacons to sctapi.ftqq.com to log victim interaction behavior.

Resource Development

  • Domain Takeover and Infrastructure Distribution: Attackers re-register and hijack sogouzhuyin.com and srv-pc.sogouzhuyin.com (update endpoint: https://srv-pc.sogouzhuyin.com/v1/upgrade/version). In March 2025, dl.sogouzhuyin.com was added to the Wikipedia Traditional Chinese page to lure users into installing this "official" installer.
  • Phishing Infrastructure: Fake cloud storage/download websites (e.g., a malicious payload hosted on Amazon S3 at practicalpublishing.s3.dualstack.us-east-1.amazonaws.com). OAuth consent-phishing applications and redirect domains: www.auth-web.com and auth.onedrive365-jp.com.
  • C2/Host Infrastructure: Shared IP addresses observed throughout the campaign: 45.32.117.177, 64.176.50.181, 154.90.62.210, 38.60.203.134, 192.124.176.51.

Initial Access

  • Supply Chain/Update Hijack: Hours after a victim installs the unmodified Sogou Zhuyin IME, ZhuyinUp.exe fetches an update manifest from the attacker-controlled domain and executes the downloaded "update program," installing TOSHIS, DESFY, GTELAM, or C6DOOR. The weaknesses abused are: no code-signature verification, an integrity check that relies solely on the server-provided MD5, and no TLS certificate pinning. The attack works because the updater trusts whoever controls the domain.
  • Spear-Phishing Path 1 (Fake Cloud Storage): Automatic download of material.zip, containing a corrupt PDF and an executable named PDFreader.exe (actually the legitimate McOds.exe). The TOSHIS chain is loaded via DLL side-loading (McOds.exe → McVsoCfg.dll), which also implants a Merlin agent.
  • Spear-Phishing Path 2 (Fake Login Page): Victims are redirected from a beacon page to the legitimate Google/Microsoft OAuth consent screen, where they grant the attacker's application high-privilege email access (gmail.modify, mail.read, mail.send, offline_access).

Execution

  • Triggered by Updater: ZhuyinUp.exe obtains the update URL and MD5 from https://srv-pc.sogouzhuyin.com/v1/upgrade/version and executes the downloaded installer, launching TOSHIS/DESFY/GTELAM/C6DOOR.
  • Loader/Multi-Stage Behavior (TOSHIS, Xiangoop variant): The actors patch the entry point of legitimate executables (observed targets include SunloginDesktopAgent.exe, SearchIndexer.exe, and Procmon.exe) so that the binary runs injected shellcode. The shellcode resolves APIs by Adler-32 hash, and the final payload is decrypted with the key qazxswedcvfrtgbn, delivering COBEACON (Cobalt Strike) or a Merlin agent. Execution is language-gated to systems whose locale is zh-TW (0x404), zh-CN (0x804), or ja-JP (0x411).
  • DLL Side-loading Attack Chain: PDFreader.exe (McOds.exe) is executed to side-load McVsoCfg.dll, which fetches a decoy file and malicious shellcode, ultimately implanting a Merlin agent.
  • Backdoor/Agent Code Execution: C6DOOR executes arbitrary OS commands (ExecuteCommandHandler), SSH commands (ExecuteCommandSsh), and injects AES-decrypted shellcode (Executeshellcode).
  • Observed Operator Commands: tasklist.exe /svc, quser.exe, ipconfig.exe /all, net.exe time /domain, net.exe user, curl.exe cip.cc, code.exe tunnel …, and file preparation via tar/del.
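Resolving the API hashes mentioned for TOSHIS, as an added example that is not code from the report or from the malware: the shellcode carries Adler-32 constants instead of API names, so an analyst precomputes the hashes of likely exports and looks the constants up. The report does not say which bytes the shellcode hashes (case, trailing NUL, ANSI vs. wide), so the table below assumes the plain ASCII name and adds two common variants; the candidate list and the sample constant are constructed for the example.

```go
package main

import (
	"fmt"
	"hash/adler32"
	"strings"
)

// HashAPI computes Adler-32 over an API name. The exact input the TOSHIS
// shellcode hashes is not stated in the report; this assumes the plain
// ASCII export name, and BuildTable adds the usual alternatives.
func HashAPI(name string) uint32 {
	return adler32.Checksum([]byte(name))
}

// BuildTable maps each hash variant of every candidate name back to a label.
// Collisions are recorded ("A | B") rather than silently overwritten.
func BuildTable(names []string) map[uint32]string {
	table := map[uint32]string{}
	add := func(h uint32, label string) {
		if prev, ok := table[h]; ok && prev != label {
			table[h] = prev + " | " + label
			return
		}
		table[h] = label
	}
	for _, n := range names {
		add(HashAPI(n), n)
		add(HashAPI(n+"\x00"), n+" (with NUL)")
		add(HashAPI(strings.ToLower(n)), n+" (lower-case)")
	}
	return table
}

// Resolve turns a constant pulled from the shellcode back into an API name.
func Resolve(table map[uint32]string, h uint32) (string, bool) {
	name, ok := table[h]
	return name, ok
}

// candidates: names a loader typically needs. For real triage, feed in the
// full export tables of kernel32.dll and ntdll.dll instead.
var candidates = []string{
	"LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
	"CreateThread", "WriteProcessMemory", "CreateRemoteThread", "NtAllocateVirtualMemory",
}

func main() {
	table := BuildTable(candidates)
	// 0x1f7004d3 is Adler-32("VirtualAlloc"), used here as a constructed
	// stand-in for a constant recovered from the shellcode.
	for _, h := range []uint32{0x1f7004d3, HashAPI("GetProcAddress\x00"), 0xdeadbeef} {
		if name, ok := Resolve(table, h); ok {
			fmt.Printf("0x%08x -> %s\n", h, name)
		} else {
			fmt.Printf("0x%08x -> unresolved\n", h)
		}
	}
}
```

Because Adler-32 of a short string has a small high half (the sum of running sums), constants with a large upper 16 bits are usually not API hashes at all, which is a quick sanity check before trusting a lookup.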

Persistence

  • Service-based Persistence: A persistent Visual Studio Code Tunnel is registered as a Windows service via code.exe tunnel service install.
  • Token/API Persistence: OAuth authorization with offline access lets the attacker keep reaching Gmail/Microsoft mailboxes through the API after the session ends, without ever holding the password.
  • Hijacking Binaries for Re-execution: Patching the entry point of legitimate executables that run at boot or as services also serves to extend persistence.

Privilege Escalation

  • Service Installation: If code.exe tunnel service install is run with sufficient rights, the tunnel is registered as a Windows service and runs with service-level privileges.
  • Process Hijack/Injection: The DLL side-loading attack (McOds.exe → McVsoCfg.dll) and entry-point patching techniques gain the rights of the victim’s process. C6DOOR's Executeshellcode function can inject code into target processes, potentially escalating privileges by compromising a higher-privileged user.

Defense Evasion

  • Trusted Updater Abuse: The legitimate Sogou Zhuyin updater and the hijacked vendor domain are manipulated to blend malicious updates into normal software behavior.
  • Masquerading and Side-loading: McOds.exe masquerades as a PDF reader to load McVsoCfg.dll. Attackers also patch the entry points of well-known binaries (like SearchIndexer.exe) to hide their activities.
  • Cloud Abuse and Encryption: GTELAM uses Google Drive for covert data exfiltration. C6DOOR communicates over HTTP/WebSocket. Phishing pages are obfuscated with obfuscator.io. Data exchange uses AES encryption. TOSHIS uses API hashing.
  • Blending with Legitimate Tools: VS Code Tunnel is utilized and victims are redirected to authentic Google/Microsoft OAuth pages to mimic normal activity.

Discovery

  • Spyware Enumeration: DESFY collects file names from the Desktop and Program Files. GTELAM enumerates Office document file names.
  • C6DOOR Discovery: C6DOOR is capable of system information gathering, process listing, directory listing, PWD, and network port scanning.
  • Operator Commands: Commands such as tasklist, quser, ipconfig /all, net time/user, hostname, echo %localappdata%, and dir on Microsoft and Office paths are operated.
  • Phishing Beacon: The intermediary page sends a beacon to sctapi.ftqq.com to log victim interaction.

Lateral Movement

  • Remote Access Tunnel: VS Code Tunnel provides a persistent, relayed remote connection that operators can use for interactive access and lateral movement.
  • Backdoor Remote Access: C6DOOR supports SSH command execution and SFTP file transfer.
  • C2 Agents: Attackers use COBEACON and Merlin for control and lateral movement.
  • Lateral Phishing via OAuth: With acquired mailbox access (read/send), the attacker can launch lateral phishing attacks against the victim's contacts.

Collection

  • File and Metadata Collection: DESFY and GTELAM collect file names. GTELAM encrypts the list with AES before upload.
  • Collection via Backdoor: C6DOOR has the following functions: ExecScreenshot (screenshot), ExecuteCat (read file content), and ExecuteSendDir/List (collect directory metadata).
  • Mailbox Data Collection: OAuth-granted permissions allow reading and modifying emails in Gmail/Exchange.

Command and Control (C2)

  • Multi-Channel C2: TOSHIS fetches additional payloads from its C2 server. C6DOOR uses HTTP/WebSocket and COBEACON/Merlin beacons to shared infrastructure (e.g., 45.32.117.177).
  • Cloud Drive/Proxy C2: GTELAM leverages Google Drive as a data or C2 exfiltration channel. Phishing activities beacon to sctapi.ftqq.com.
  • Remote Tunnel: VS Code Tunnel (code.exe) provides interactive control via HTTPS.

Exfiltration

  • HTTP Cloud Channel: DESFY sends file name lists to C2 via POST requests. GTELAM uploads AES-encrypted document file name lists to Google Drive.
  • File Transfer via Backdoor: C6DOOR supports file upload via Downloadfileserver and SFTP (ExecuteCommandSftp) and sends directory information (ExecuteSendDir/ExecuteSendDirList).
  • Mail-based Data Exfiltration: With OAuth mailbox access (gmail.modify, mail.read, mail.send), the attacker can access mail content and covertly transfer data via email.

Mitigation

The recommended measures focus on the two main initial access vectors: the hijack of the EOL Sogou Zhuyin software updates and the OAuth authorization phishing.

1. Remove EOS Software

  • Inventory and remove all instances of the Sogou Zhuyin IME from Windows endpoints, replacing it with supported alternatives.
  • On any host where the software remains, block the updater executable and its update traffic:
    • Process: ZhuyinUp.exe
    • Domains/URLs: sogouzhuyin.com, srv-pc.sogouzhuyin.com, https://srv-pc.sogouzhuyin.com/v1/upgrade/version, dl.sogouzhuyin.com

2. Block and Investigate Known Infrastructure

  • Block the following on web proxies, DNS filters, and egress firewalls:
    • Domains: www.auth-web.com, auth.onedrive365-jp.com, sctapi.ftqq.com, practicalpublishing.s3.dualstack.us-east-1.amazonaws.com.
    • IP Addresses: 45.32.117.177, 64.176.50.181, 154.90.62.210, 38.60.203.134, 192.124.176.51.
  • Note: Blocking the Amazon S3 endpoint may impact business operations. If necessary, regulate exceptions with caution.

3. Revoke Malicious OAuth Access

  • Google Workspace
    • Navigate to Security > API Controls > App access control: Block OAuth Client ID 715259374054-mst41mfku1h8l7ga5vbtrv8cm48h9nde.apps.googleusercontent.com and redirect URL https://www.auth-web.com/gm-oauth2-callback.
    • Revoke existing tokens of affected users and force re-authentication. Investigate whether gmail.modify authorization, mailbox rule modification, email forwarding, and suspicious sending activities exist.
  • Microsoft Entra ID
    • Navigate to Enterprise Applications: locate App ID e707daa3-579f-4bae-bb7d-89a73d52ffa1 and disable or remove its service principal. Revoke user consents and refresh tokens, and force sign-out of affected users.
    • Block the redirect URL https://auth.onedrive365-jp.com/getauthtoken on the proxy and add auth.onedrive365-jp.com to the domain/URL block list.
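Triage of consent links, as an added example that is not code from the report: the OAuth phishing path in Initial Access sends victims to a genuine Google or Microsoft authorize URL, so the only phishing-specific parts are the client_id, redirect_uri and scope parameters. The function below parses such a URL (from a proxy log or a reported link), blocks on the client IDs and redirect hosts listed in this mitigation item, and flags mailbox scopes for review otherwise. The sample links are constructed; the authorize endpoints are the standard ones for each provider, and the block lists are this example's own.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Identifiers taken from this report's mitigation section.
var knownBadClientIDs = map[string]string{
	"715259374054-mst41mfku1h8l7ga5vbtrv8cm48h9nde.apps.googleusercontent.com": "TAOTH Google OAuth app",
	"e707daa3-579f-4bae-bb7d-89a73d52ffa1":                                     "TAOTH Microsoft OAuth app",
}

var knownBadRedirectHosts = map[string]bool{
	"www.auth-web.com":        true,
	"auth.onedrive365-jp.com": true,
}

// Scopes that hand an app persistent mailbox control. Google scopes are keyed by
// the part after the last '/', Microsoft scopes by their lower-cased name.
var sensitiveScopes = map[string]bool{
	"gmail.modify": true, "gmail.readonly": true, "mail.read": true,
	"mail.send": true, "mail.readwrite": true, "offline_access": true,
}

type Finding struct {
	Provider        string
	ClientID        string
	RedirectHost    string
	SensitiveScopes []string
	Reasons         []string
	Verdict         string // "block", "review" or "allow"
}

func providerOf(u *url.URL) string {
	host := strings.ToLower(u.Host)
	switch {
	case host == "accounts.google.com" && strings.HasPrefix(u.Path, "/o/oauth2/"):
		return "google"
	case host == "login.microsoftonline.com" && strings.Contains(u.Path, "/oauth2/"):
		return "microsoft"
	}
	return ""
}

func normaliseScope(s string) string {
	s = strings.ToLower(s)
	if i := strings.LastIndex(s, "/"); i >= 0 {
		s = s[i+1:]
	}
	return s
}

// TriageConsentURL inspects an authorize URL and explains why it should be
// blocked, reviewed or allowed.
func TriageConsentURL(raw string) (Finding, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Finding{}, err
	}
	f := Finding{Provider: providerOf(u)}
	if f.Provider == "" {
		return f, fmt.Errorf("not a Google or Microsoft authorize URL: %s", u.Host)
	}
	q := u.Query()
	f.ClientID = q.Get("client_id")
	if ru, err := url.Parse(q.Get("redirect_uri")); err == nil {
		f.RedirectHost = strings.ToLower(ru.Host)
	}
	for _, s := range strings.Fields(q.Get("scope")) {
		if n := normaliseScope(s); sensitiveScopes[n] {
			f.SensitiveScopes = append(f.SensitiveScopes, n)
		}
	}
	if name, ok := knownBadClientIDs[f.ClientID]; ok {
		f.Reasons = append(f.Reasons, "client_id matches "+name)
	}
	if knownBadRedirectHosts[f.RedirectHost] {
		f.Reasons = append(f.Reasons, "redirect_uri points at known TAOTH infrastructure: "+f.RedirectHost)
	}
	if len(f.SensitiveScopes) > 0 {
		f.Reasons = append(f.Reasons, "requests mailbox scopes: "+strings.Join(f.SensitiveScopes, " "))
	}
	if q.Get("access_type") == "offline" { // Google's switch for issuing a refresh token
		f.Reasons = append(f.Reasons, "requests a refresh token (access_type=offline)")
	}
	switch {
	case knownBadRedirectHosts[f.RedirectHost] || knownBadClientIDs[f.ClientID] != "":
		f.Verdict = "block"
	case len(f.SensitiveScopes) > 0:
		f.Verdict = "review"
	default:
		f.Verdict = "allow"
	}
	return f, nil
}

// Constructed sample links; the first two reuse the client IDs and redirect
// hosts listed in the mitigation section, the third is a benign app.
var sampleLinks = []string{
	"https://accounts.google.com/o/oauth2/v2/auth?client_id=715259374054-mst41mfku1h8l7ga5vbtrv8cm48h9nde.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fwww.auth-web.com%2Fgm-oauth2-callback&response_type=code&access_type=offline&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.modify",
	"https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=e707daa3-579f-4bae-bb7d-89a73d52ffa1&response_type=code&redirect_uri=https%3A%2F%2Fauth.onedrive365-jp.com%2Fgetauthtoken&scope=Mail.Read%20Mail.Send%20offline_access%20User.Read",
	"https://accounts.google.com/o/oauth2/v2/auth?client_id=example.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&response_type=code&scope=openid%20email",
}

func main() {
	for _, l := range sampleLinks {
		f, err := TriageConsentURL(l)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-9s %-6s %s\n", f.Provider, f.Verdict, strings.Join(f.Reasons, "; "))
	}
}
```

Note that the "review" verdict deliberately does not depend on the IdP host being suspicious: the consent page is authentic in this campaign, so a domain reputation check on the link itself would pass. The signal is in the parameters, and in the tenant-wide app allowlist that the mitigation steps above set up.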

4. Investigate and Remediate Hosts

  • Isolate hosts that have connected to the blocked infrastructure or executed ZhuyinUp.exe.
  • Track and remediate the malware families and their remnants:
    • Malware Families: TOSHIS, DESFY, GTELAM, C6DOOR
    • Patched Binaries: SunloginDesktopAgent.exe, SearchIndexer.exe, Procmon.exe
    • Fake Cloud Attack Chain: material.zip, PDFreader.exe (McOds.exe), McVsoCfg.dll
  • If VS Code Tunnel persistence exists, remove it:
    • Investigate the installation of the VS Code Tunnel service, residual z.txt files, and recent downloads from code.visualstudio.com.

5. Remove EOS Applications

  • Periodically audit and remove software that no longer receives security updates.
  • If temporary exceptions are needed, block their external network connections and disable auto-updates.

6. Enforce Strong Authentication and Conditional Access

  • Require phishing-resistant MFA for all users.
  • Implement conditional access policies that mandate device compliance and block unapproved client applications.

7. Endpoint Detection and Response (EDR) Analytics Rules

  • Alert on the following behaviors:
    • Entry-point patching of signed binaries.
    • Execution of DLL side-loading patterns when files are extracted from archives or triggered by a fake reader/installer.
    • Use of the VS Code Command Line Interface (CLI) on non-developer hosts, specifically code.exe tunnel user login and code.exe tunnel service install.
    • The known reconnaissance command sequence executed in close succession on one host: tasklist /svc, quser, ipconfig /all, net user, net time /domain, and curl cip.cc.
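The three analytics rules above run over process-creation events, as an added example that is not code from the report or from any EDR product: VS Code tunnel setup on a host outside a developer allowlist, any child spawned by ZhuyinUp.exe, and a burst of distinct TAOTH reconnaissance commands on one host inside a sliding time window. The event schema, the host names and the log lines are constructed for the example; map the fields onto your own Sysmon or EDR telemetry.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// ProcEvent is a minimal process-creation record; the field names are this
// example's own and should be mapped onto your EDR or Sysmon schema.
type ProcEvent struct {
	Time    time.Time `json:"time"`
	Host    string    `json:"host"`
	Image   string    `json:"image"`
	Cmdline string    `json:"cmdline"`
	Parent  string    `json:"parent"`
}

type Alert struct{ Rule, Host, Detail string }

// baseName lower-cases the last component of a Windows or POSIX path.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, "\\/"); i >= 0 {
		p = p[i+1:]
	}
	return strings.ToLower(p)
}

// The reconnaissance commands the report attributes to TAOTH operators.
var reconPatterns = []struct{ bin, args string }{
	{"tasklist.exe", "/svc"}, {"quser.exe", ""}, {"ipconfig.exe", "/all"},
	{"net.exe", " user"}, {"net.exe", "time /domain"}, {"curl.exe", "cip.cc"},
}

func matchRecon(e ProcEvent) (string, bool) {
	bin, cl := baseName(e.Image), strings.ToLower(e.Cmdline)
	for _, p := range reconPatterns {
		if bin == p.bin && strings.Contains(cl, p.args) {
			return strings.TrimSpace(p.bin + " " + p.args), true
		}
	}
	return "", false
}

// Detect applies the three rules. The recon rule fires once per host, when
// `threshold` distinct recon commands have been seen inside `window`.
func Detect(lines []string, devHosts map[string]bool, window time.Duration, threshold int) ([]Alert, error) {
	var alerts []Alert
	type seen struct {
		t   time.Time
		key string
	}
	recon, fired := map[string][]seen{}, map[string]bool{}
	for _, ln := range lines {
		var e ProcEvent
		if err := json.Unmarshal([]byte(ln), &e); err != nil {
			return nil, fmt.Errorf("bad event %q: %w", ln, err)
		}
		bin, cl := baseName(e.Image), strings.ToLower(e.Cmdline)
		if bin == "code.exe" && strings.Contains(cl, "tunnel") && !devHosts[e.Host] &&
			(strings.Contains(cl, "service install") || strings.Contains(cl, "user login")) {
			alerts = append(alerts, Alert{"vscode-tunnel-on-nondev-host", e.Host, e.Cmdline})
		}
		if baseName(e.Parent) == "zhuyinup.exe" {
			alerts = append(alerts, Alert{"eol-updater-spawned-child", e.Host, bin})
		}
		if key, ok := matchRecon(e); ok && !fired[e.Host] {
			recon[e.Host] = append(recon[e.Host], seen{e.Time, key})
			distinct := map[string]bool{}
			for _, s := range recon[e.Host] {
				if e.Time.Sub(s.t) <= window { // only commands still inside the window count
					distinct[s.key] = true
				}
			}
			if len(distinct) >= threshold {
				fired[e.Host] = true
				alerts = append(alerts, Alert{"taoth-recon-sequence", e.Host,
					fmt.Sprintf("%d distinct recon commands within %s, last: %s", len(distinct), window, key)})
			}
		}
	}
	return alerts, nil
}

// SampleEvents are constructed for this example, not telemetry from the report.
var SampleEvents = []string{
	`{"time":"2025-03-10T09:00:00Z","host":"WS-FIN-07","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\SogouUpdate.exe","cmdline":"SogouUpdate.exe /silent","parent":"C:\\Program Files (x86)\\SogouZhuyin\\ZhuyinUp.exe"}`,
	`{"time":"2025-03-10T09:05:10Z","host":"WS-FIN-07","image":"C:\\Windows\\System32\\tasklist.exe","cmdline":"tasklist /svc","parent":"C:\\Windows\\System32\\cmd.exe"}`,
	`{"time":"2025-03-10T09:05:40Z","host":"WS-FIN-07","image":"C:\\Windows\\System32\\quser.exe","cmdline":"quser","parent":"C:\\Windows\\System32\\cmd.exe"}`,
	`{"time":"2025-03-10T09:06:15Z","host":"WS-FIN-07","image":"C:\\Windows\\System32\\ipconfig.exe","cmdline":"ipconfig /all","parent":"C:\\Windows\\System32\\cmd.exe"}`,
	`{"time":"2025-03-10T09:07:02Z","host":"WS-FIN-07","image":"C:\\Windows\\System32\\net.exe","cmdline":"net user","parent":"C:\\Windows\\System32\\cmd.exe"}`,
	`{"time":"2025-03-10T09:07:30Z","host":"WS-FIN-07","image":"C:\\Windows\\System32\\net.exe","cmdline":"net time /domain","parent":"C:\\Windows\\System32\\cmd.exe"}`,
	`{"time":"2025-03-10T09:08:05Z","host":"WS-FIN-07","image":"C:\\Windows\\System32\\curl.exe","cmdline":"curl cip.cc","parent":"C:\\Windows\\System32\\cmd.exe"}`,
	`{"time":"2025-03-10T09:20:00Z","host":"WS-FIN-07","image":"C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\code.exe","cmdline":"code.exe tunnel service install","parent":"C:\\Windows\\System32\\cmd.exe"}`,
	`{"time":"2025-03-10T09:21:00Z","host":"DEV-01","image":"C:\\Program Files\\Microsoft VS Code\\code.exe","cmdline":"code.exe tunnel user login","parent":"C:\\Windows\\explorer.exe"}`,
}

func RunSample() ([]Alert, error) {
	return Detect(SampleEvents, map[string]bool{"DEV-01": true}, 5*time.Minute, 4)
}

func main() {
	alerts, err := RunSample()
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("[%s] %s: %s\n", a.Rule, a.Host, a.Detail)
	}
}
```

On the sample, the updater rule fires on the first event, the recon rule fires on the fourth distinct command (net user, inside five minutes of tasklist /svc) rather than on every later one, and the tunnel rule fires for WS-FIN-07 but stays silent for the allowlisted developer host.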
IoCs (Indicators of Compromise)

File hashes

Name | MD5 | SHA1 | SHA256
--- | --- | --- | ---
Trojan.Win64.TOSHIS.ZTMH | ead5b836ff378d6453605ccea9b32e20 | 3e0ecd26a831586240edf82b1ee6f714c9344a44 | f8845b4957fdad691e2826aeb770103345e80375a67cc13772c48ca02e1812fc
Trojan.Win64.TOSHIS.ZTMH | n/a | n/a | 79ce1bb062f6dcdaf01cc33125f68dc2d030da2390255c4fb39d362a22032da1
Trojan.Win64.TOSHIS.ZTMH | n/a | n/a | 587e1fa9d32f2a7134c158d965a32751b58ce5ad3a07533436472105be46a481
Trojan.Win64.TOSHIS.ZTMH | n/a | n/a | 0384733cfcdd32b008642391da7e439c390e7ce8d16e6d9d3bdcbc720b330b84
TrojanSpy.Win64.DESFY.ZTMH | c4f95a5cff4996667689e75cc3758e07 | 73df17243eca6c33a4de64f135a79ae9ea0181ee | 90a9be7cf4b7a1786697d5adfff781d9b6ed8db06da33ebef9438dee5a181106
TrojanSpy.Win64.DESFY.ZYMH | 082de5f9d39438c2ecc565839ee4b1c2 | aaed8ea87a88d532650e674d25d8160350caf070 | 4c172211a462cc6e95d9537ecd917ca7c456512006474b4105c1342f0b138dfe
TrojanSpy.MSIL.GTELAM.ZTMH | n/a | n/a | c9e539a64275814e198db6830939f0d6c335574f7016696d3ee1cae42b97f838
TrojanSpy.MSIL.GTELAM.ZTMH | 06a4a0b86ac591c93457ec654db08055 | 24a84735410dd6429934a668ba2229eb10eecff7 | 3bdac367a7aeab050b8b57c4303110d4db043b939a8f721f3052416c1c3b9fdc
TrojanSpy.MSIL.GTELAM.ZTMH | e83ac585dfc94f6f515a64d1c51f1af9 | ff8389723f51aea6d23a0256a39c8a1f18c9fc11 | a53c96108d171392a29f221614086d8311e25af521c6b4da3e4af019370164cf
Backdoor.Win64.C6DOOR.ZTMG | n/a | n/a | c36c2657a9a5fa31227631c440450ec42a8c5b274cc4bfd9a500e92ab357b736
TOSHIS Archive | n/a | n/a | c88d5256d85024ffd628becc631df5deab6a1daf16d8fab24d2366aaa3fd7fc5
TOSHIS Archive | n/a | n/a | 0abf0972d8a7e87c4749e142009c1bb7e826055c3bc8d742055cf209a11ee540
TOSHIS Archive | n/a | n/a | 99eee95b1d5d16ea7f8d515d2333221a2308eb41640978617c6477928d0a5d75
TOSHIS Archive | n/a | n/a | 484c886221136ce94a8ca3ea78980f434f3fcddeaf54beaa873cf285009e337a
TOSHIS Archive | n/a | n/a | 33c137aca85d7026e143c6da3eddb15825bf174dd788e02169b6bac4f7cb9de0
Trojan.Win64.TOSHIS.ZCMH | n/a | n/a | 1774066df2121e28a6c71b41bbec1804384d7b3106f3d49b8c3eb6d45d081cf5
Trojan.Win64.TOSHIS.ZCMH | 340dccecefb540667ba0f356c64a19a5 | 4d1181e28492d5808a076ce1fc256a2ecf2244ff | 0685dbb345160fcbcad33548cb3c747a46f3a11c6a243ab445fd20a71f4b3de7

Domains and IP addresses

Domain/IP | Description
--- | ---
www[.]sogouzhuyin[.]com | Compromised phishing site
dl[.]sogouzhuyin[.]com | Compromised phishing site
srv-pc[.]sogouzhuyin[.]com | Compromised update site
45[.]32[.]117[.]177 | TOSHIS staging site
64[.]176[.]50[.]181 | C6DOOR C&C
154[.]90[.]62[.]210 | TOSHIS C&C
38[.]60[.]203[.]134 | TOSHIS C&C
192[.]124[.]176[.]51 | DESFY C&C
practicalpublishing[.]s3[.]dualstack[.]us-east-1[.]amazonaws[.]com | Phishing site
www[.]auth-web[.]com | Google OAuth consent callback
auth[.]onedrive365-jp[.]com | Microsoft OAuth consent callback

URLs

URL | Description
--- | ---
https[:]//nagoyais[.]com/upload/Sign/ufolder/qh_notice[.]php | Compromised site for information theft
https[:]//nagoyais[.]com/upload/Sign/birthday1[.]php | Compromised site for information theft
https[:]//nagoyais[.]com/upload/Sign/notic[.]php | Compromised site for information theft
https[:]//nagoyais[.]com/upload/Sign/save_email[.]php | Compromised site for information theft
https[:]//nagoyais[.]com/upload/Sign/birthday2[.]php | Compromised site for information theft
https[:]//nagoyais[.]com/upload/address[.]php | Compromised site for information theft
https[:]//nagoyais[.]com/upload/Sign/ufolder/vc_notice[.]php | Compromised site for information theft
https[:]//nagoyais[.]com/upload/Sign/server3[.]php | Compromised site for information theft
https[:]//nagoyais[.]com/upload/Sign/ufolder/tgdown_notice[.]php | Compromised site for information theft
https[:]//nagoyais[.]com/upload/Sign/ufolder/yupoki_notice[.]php | Compromised site for information theft
https[:]//nagoyais[.]com/upload/Sign/ufolder/download_notice[.]php | Compromised site for information theft
https[:]//nagoyais[.]com/upload/Sign/ufolder/gmail[.]php | Compromised site for information theft
https[:]//nagoyais[.]com/upload/Sign/server1[.]php | Compromised site for information theft
https[:]//nagoyais[.]com/upload/Sign/server2[.]php | Compromised site for information theft
https[:]//nagoyais[.]com/upload/Sign/tgserver1[.]php | Compromised site for information theft
https[:]//nagoyais[.]com/upload/Sign/tgserver[.]php | Compromised site for information theft
https[:]//nagoyais[.]com/upload/Sign/ufolder/signal[.]php | Compromised site for information theft
https[:]//nagoyais[.]com/upload/Sign/hotmail/notic[.]php | Compromised site for information theft
https[:]//nagoyais[.]com/upload/Sign/hotmail/hotemail[.]php | Compromised site for information theft

About CyCraft

CyCraft (奧義智慧) is a leading AI cybersecurity company in Asia, focused on AI-automated threat exposure management. Its XCockpit AI platform integrates the three defensive dimensions of XASM (Extended Attack Surface Management): early-warning management of external exposure, monitoring and optimization of trust and privilege escalation, and automated endpoint joint defense, providing proactive, preemptive, and real-time defense in depth. Backed by a strong track record in government, finance, and the semiconductor and high-tech industries, and by recognition from Gartner and other institutions, CyCraft continues to build Asia's most advanced AI security operations center to safeguard enterprise digital resilience.
