
China-backed UTA0388 launches AI-driven GOVERSHELL cyber espionage attacks

China-Aligned UTA0388 Group Deploys GOVERSHELL Malware Through Sophisticated Multilingual Spear-Phishing Campaigns Using OpenAI’s ChatGPT

  • A China-aligned group identified as UTA0388 conducted spear-phishing attacks targeting North America, Asia, and Europe using a malware implant called GOVERSHELL.
  • These campaigns used fake personas and organizations in multiple languages to trick victims into opening malicious links hosted on cloud services or attacker infrastructure.
  • GOVERSHELL is a backdoor malware deployed through a method called DLL side-loading and has five known variants with different command execution capabilities.
  • The threat actor used OpenAI’s ChatGPT to create phishing content and assist with malicious tasks before their accounts were removed.
  • Separate related attacks targeted European government institutions using similar phishing techniques involving fake CAPTCHA pages and the PlugX malware.

A threat group aligned with China, known as UTA0388, has executed spear-phishing campaigns since April 2025 to deliver a Go-language implant called GOVERSHELL. The attacks targeted regions including North America, Asia, and Europe to gain unauthorized system access. The campaigns aimed to socially engineer targets into clicking links leading to malicious archives containing the backdoor payload.


Volexity reported that the phishing messages pretended to come from senior researchers at fabricated organizations and were crafted in several languages, including English, Chinese, Japanese, French, and German. The messages carried links hosted either on cloud platforms such as Netlify, Sync, and OneDrive or on attacker-owned servers. Recipients who followed the links downloaded ZIP or RAR archives containing a rogue DLL that is loaded through DLL side-loading, a well-known technique in which a legitimate executable shipped in the archive loads the attacker's DLL from its own directory in place of the library it expects.

The malware, GOVERSHELL, has five distinct variants identified so far: HealthKick (April 2025), TE32 (June 2025), TE64 (July 2025), WebSocket (mid-July 2025), and Beacon (September 2025). Each variant implements command execution or polling for instructions differently, mostly by way of PowerShell, the Windows command-line shell. Volexity notes that GOVERSHELL is linked to an earlier malware family called HealthKick and overlaps with activity tracked by Proofpoint as UNK_DropPitch.

A notable aspect of the attacks is the group’s use of OpenAI’s ChatGPT to generate phishing content in multiple languages and to help automate malicious workflows. “The emails and files used in this campaign leads Volexity to assess with medium confidence that UTA0388 made use of automation, LLM or otherwise, that generated and sent this content to targets with little to no human oversight in some cases,” the report stated. The ChatGPT accounts used by the hackers have since been banned.

In a related report by StrikeReady Labs, similar China-linked espionage efforts targeted government departments involved in aviation and other European institutions in Hungary, Belgium, Italy, and the Netherlands. These attacks used phishing emails directing victims to a fake Cloudflare CAPTCHA page, which then led to downloading a ZIP archive containing a Windows shortcut file. This file launched a PowerShell script that opened a decoy document and stealthily installed the PlugX backdoor via DLL side-loading.
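Both delivery chains above share a pattern a defender can screen for at the mail gateway or sandbox stage: an archive that ships a legitimate executable next to a rogue DLL (the side-loading layout), or that carries a Windows shortcut used to launch PowerShell. The following is an added triage example, not code from Volexity, StrikeReady, or the campaign; it inspects a ZIP constructed in memory (RAR is not handled) and the member names and bytes are invented.

```python
"""Archive triage for the delivery pattern described above: ZIP archives that
pair an executable with a DLL in one directory (DLL side-loading layout) or
carry a Windows shortcut (.lnk) launcher. Sample archive is constructed."""
import io
import posixpath
import zipfile
from collections import defaultdict


def triage_archive(zip_bytes: bytes) -> list[str]:
    """Return human-readable findings for suspicious member combinations."""
    findings = []
    by_dir = defaultdict(lambda: {"exe": [], "dll": [], "lnk": []})
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            directory, name = posixpath.split(info.filename)
            ext = posixpath.splitext(name)[1].lower()
            if ext in (".exe", ".dll", ".lnk"):
                by_dir[directory][ext[1:]].append(name)
    for directory, members in by_dir.items():
        where = directory or "<root>"
        # Heuristic 1: an EXE shipped beside a DLL is the classic
        # side-loading layout (the EXE is legitimate, the DLL is rogue).
        if members["exe"] and members["dll"]:
            findings.append(f"possible DLL side-loading in {where}: "
                            f"{members['exe']} alongside {members['dll']}")
        # Heuristic 2: a shortcut inside a downloaded archive is a common
        # launcher for a hidden PowerShell command line.
        for lnk in members["lnk"]:
            findings.append(f"shortcut launcher in {where}: {lnk}")
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the described chain; contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report/Invitation.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Report/viewer.exe", b"MZ legitimate-looking host")
        zf.writestr("Report/helper.dll", b"MZ rogue payload")
        zf.writestr("Open_Document.lnk", b"L\x00\x00\x00 shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage_archive(build_sample_archive()):
        print(line)
```

Both heuristics produce false positives on legitimate software bundles, so treat the output as a triage signal to route an archive for detonation rather than as a verdict.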


The campaigns highlight ongoing cyber espionage efforts focused on geopolitical interests in Asia, particularly Taiwan. The attackers abused cloud platforms and email services such as Proton Mail, Microsoft Outlook, and Gmail to conduct these operations.
