Sogou Zhuyin Update Server Hijacked for Malware Deployment
What happened
Security researchers at Trend Micro disclosed in August 2025 that attackers had hijacked the update mechanism of Sogou Zhuyin, a Chinese-language input method editor (typing app) once popular among users in Taiwan, to deliver malware in an espionage campaign. The software had not been maintained since 2019, and its update domain was left unregistered. According to Trend Micro, the threat actors registered the lapsed domain and used the abandoned update server to push malicious updates beginning in late 2024.
Trend Micro tracks the operation as TAOTH and reports that the poisoned updates, combined with spear-phishing and fake login or cloud-storage pages, delivered several malware families. These included TOSHIS, a loader used to fetch further payloads, the Go-based backdoor C6DOOR, and the data-collection tools GTELAM and DESFY, which profiled victims and exfiltrated file information, in one case routing stolen data through attacker-controlled cloud accounts.
The campaign was identified in June 2025, with the malicious update activity dating back to October and November 2024. Trend Micro assessed that the targeting concentrated on Eastern Asia, with Taiwan accounting for roughly half of observed victims, alongside users in China, Hong Kong, Japan, South Korea, and overseas Taiwanese communities. The victim profile emphasized dissidents, journalists, researchers, and technology and business figures, consistent with an intelligence-collection objective rather than financially motivated crime.
Assessment
Trend Micro attributes the activity to a suspected China-nexus espionage actor, citing Simplified Chinese artifacts in the malware and infrastructure overlap with previously documented threat activity. This is an analytic assessment by security researchers, not an official government finding, and should be treated as such. The case illustrates the supply-chain risk of abandoned software whose lapsed update domains can be reclaimed and weaponized. The focus on dissidents, journalists, and Taiwanese technology figures fits a broader pattern of espionage pressure on Taiwan and Chinese-speaking civil society.
This dossier summarises open-source reporting and is updated as the investigation develops. Read the original report via the source link.