DOCUMENTING HYBRID WARFARE / — incidents / UPDATED LATEST: 
Sabotage Watch SABOTAGEWATCHHybrid Threat Monitor
Cyber

Increased Attacks on Taiwanese Semiconductor Industry

16 July 2025 · Taiwan
Satellite Imagery © Esri

What happened

In a report published on 16 July 2025, the cybersecurity firm Proofpoint said China-aligned threat actors had intensified cyber-espionage campaigns against Taiwan's semiconductor industry. Between March and June 2025, Proofpoint Threat Research observed at least three distinct China-aligned activity clusters, which it tracks as UNK_FistBump, UNK_DropPitch and UNK_SparkyCarp, conducting targeted phishing campaigns against the sector. The targeting spanned semiconductor manufacturing, design, packaging, testing and supply-chain organizations, as well as financial analysts who specialize in the Taiwanese chip industry at major investment firms.

According to Proofpoint, the spear-phishing operations used varied techniques. UNK_FistBump posed as job applicants, in some cases sending emails from compromised Taiwanese university accounts, and delivered the Cobalt Strike Beacon or a custom backdoor known as Voldemort. UNK_DropPitch masqueraded as a fictitious investment firm and deployed a backdoor Proofpoint calls HealthKick. UNK_SparkyCarp ran credential-phishing activity using a custom adversary-in-the-middle (AiTM) kit. Proofpoint assessed the activity as consistent with intellectual-property theft and intelligence collection, and linked it to China's strategic priority of achieving semiconductor self-sufficiency amid tightening US and Taiwanese export controls. Proofpoint reported no confirmed compromises at the time of publication.

Assessment

The reporting points to a coordinated, persistent espionage interest in Taiwan's chip ecosystem, a sector central to global supply chains and to the technology rivalry between the United States and China. Proofpoint's attribution to China-aligned actors is an analytic assessment based on tradecraft, infrastructure and targeting, rather than formal government attribution, and should be treated as such. The use of multiple separate clusters and tailored lures, including targeting of analysts as well as manufacturers, suggests a broad collection effort spanning both technical intellectual property and market intelligence.

This dossier summarises open-source reporting and is updated as the investigation develops. Read the original report via the source link.