An abandoned update server associated with the Sogou Zhuyin Input Method Editor (IME) software was used by threat actors as part of an espionage campaign that delivered several malware families, including C6DOOR and GTELAM, primarily targeting users in East Asia.
“Attackers used sophisticated infection chains such as hijacked software updates and fake cloud storage and login pages to distribute malware and collect sensitive information.”
The campaign, identified in June 2025, has been codenamed TAOTH by Trend Micro. Its targets primarily include opposition figures, journalists, researchers, and technology and business leaders from Taiwanese communities in China, Taiwan, Hong Kong, Japan, Korea and overseas. Taiwan accounts for 49% of all targets, followed by Cambodia (11%) and the US (7%).
The attacker is said to have taken control of the expired domain (“Sogouzhuyin(.)com”) associated with Sogou Zhuyin, a legitimate IME service that stopped receiving updates in June 2019, in October 2024. Hundreds of victims are estimated to have been affected.
“The attacker took over an abandoned update server and registered it, then used the domain to host malicious updates since October 2024,” the researchers said. “Through this channel, multiple malware families are being deployed, including Gtelam, C6Door, Desfy, and Toshis.”
The deployed malware families serve a variety of purposes, including remote access trojan (RAT), information theft and backdoor functionality. To evade detection, the threat actors leveraged third-party cloud services to hide network activity across the attack chain.
The attackers also use legitimate cloud storage services, such as Google Drive, as data exfiltration points so that malicious traffic blends in with ordinary network activity.
The attack chain begins when unsuspecting users download the official Sogou Zhuyin installer from the internet; for example, the traditional Chinese Wikipedia entry for Sogou Zhuyin was edited in March 2025 to point to the malicious domain dl(.)Sogouzhuyin(.)com.
The installer itself is harmless, but when the automatic update process is triggered a few hours after installation, the malicious activity begins: the updater binary “Zhuyinup.exe” retrieves an update configuration file from a URL embedded in the binary.

The tampered update process delivers Desfy, Gtelam, C6Door and Toshis, with the ultimate goal of profiling high-value targets and collecting data from them:
- Toshis (first detected in December 2024), a loader designed to retrieve the next-stage payload (Cobalt Strike, or a Merlin agent for the Mythic framework) from an external server. It is a variant of Xiangoop, which is attributed to Tropic Trooper and has previously been used to deliver Cobalt Strike or a backdoor called EntryShell.
- Desfy (first detected in May 2025), spyware that collects file names from two locations: the desktop and Program Files.
- Gtelam (first detected in May 2025), another spyware that collects the names of files matching a specific set of extensions (PDF, DOC, DOCX, XLS, XLSX, PPT and PPTX) and exfiltrates the details to Google Drive.
- C6DOOR, a custom Go-based backdoor that uses the WebSocket protocol for command and control. It collects system information, executes arbitrary commands, performs file operations, uploads and downloads files, captures screenshots, lists running processes, enumerates directories, and accepts instructions to inject shellcode into target processes.
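Two of the behaviours described above are easy to hunt for once they are written down: an end-of-support updater (Zhuyinup.exe) still calling its old update domain, and a process holding a WebSocket session to a host nobody has approved (the C6DOOR control channel). The script below is an added example and is not tooling from Trend Micro or the article; the updater name and the sogouzhuyin.com domain come from the report, while the log format, the hostnames and the WebSocket allowlist are constructed assumptions for the example.

```python
"""Audit helper for two TAOTH-style signals in egress logs.

Constructed example, not the report's own tooling. Indicators taken from the
report: the updater binary name Zhuyinup.exe and the domain sogouzhuyin.com.
Assumed for the example: the log format (timestamp host process dest flag)
and the WebSocket allowlist.
"""
from dataclasses import dataclass

# Constructed proxy-style log lines: timestamp, host, process, destination,
# and whether the request was a plain HTTP request or a WebSocket upgrade.
SAMPLE_LOG = """\
2025-06-01T08:02:11Z ws01 Zhuyinup.exe dl.sogouzhuyin.com http
2025-06-01T08:02:12Z ws01 chrome.exe www.google.com http
2025-06-01T08:05:40Z ws01 svchost.exe update.microsoft.com http
2025-06-01T08:07:03Z ws02 updater.exe 203.0.113.10 websocket
2025-06-01T08:09:15Z ws02 teams.exe teams.microsoft.com websocket
"""

# End-of-support updaters and the domains they would contact. Sogou Zhuyin
# stopped receiving updates in June 2019, so any traffic here is suspect.
EOS_UPDATERS = {
    "zhuyinup.exe": {"sogouzhuyin.com"},
}

# Hosts permitted to hold WebSocket sessions (assumption for the example).
WEBSOCKET_ALLOWLIST = {"teams.microsoft.com"}


@dataclass(frozen=True)
class Alert:
    host: str
    process: str
    dest: str
    rule: str


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, host, proc, dest, flag = line.split()
    return {"ts": ts, "host": host, "process": proc, "dest": dest, "flag": flag}


def domain_matches(dest, domains):
    """True if dest equals or is a subdomain of any entry in domains."""
    d = dest.lower()
    return any(d == dom or d.endswith("." + dom) for dom in domains)


def scan(log_text):
    """Return one Alert per rule hit across all lines of log_text."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        proc = rec["process"].lower()
        # Rule 1: an abandoned updater is still contacting its update domain.
        if proc in EOS_UPDATERS and domain_matches(rec["dest"], EOS_UPDATERS[proc]):
            alerts.append(Alert(rec["host"], rec["process"], rec["dest"],
                                "eos-updater-callout"))
        # Rule 2: a WebSocket session to a destination outside the allowlist.
        if rec["flag"] == "websocket" and not domain_matches(rec["dest"],
                                                             WEBSOCKET_ALLOWLIST):
            alerts.append(Alert(rec["host"], rec["process"], rec["dest"],
                                "websocket-unallowlisted"))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.rule}: {a.host} {a.process} -> {a.dest}")
```

Rule 1 is the cheap, high-confidence check: a product that has not shipped an update since 2019 has no legitimate reason to fetch one, so the match on process name plus domain is enough to raise a ticket. Rule 2 is noisier in a real environment and is better treated as a hunting query whose allowlist grows as approved collaboration tools are added.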
Further analysis of C6DOOR reveals simplified Chinese characters embedded within the sample, suggesting that the threat actors behind the artifacts may be proficient in Chinese.
“The attackers were still in the reconnaissance phase and were primarily looking for high-value targets,” Trend Micro said. “As a result, in most of the victim systems, no further post-exposure activity was observed. When analyzed, the attacker inspected the victim’s environment and used Visual Studio Code to establish the tunnel.”

Interestingly, there is evidence that Toshis was also distributed to targets via phishing websites. Possibly in connection with spear-phishing campaigns targeting East Asia, phishing attacks observed in Norway and the US employ two broad approaches:
- Serving fake login pages that use free coupons or PDF-reader-related lures.
- Serving fake cloud storage pages that mimic Tencent Cloud Streamlink to deliver malicious ZIP archives containing Toshis.
These phishing emails include booby-trapped URLs and decoy documents that trick recipients into interacting with malicious content, ultimately activating a multi-stage attack sequence designed to drop Toshis via DLL sideloading.
Trend Micro said TAOTH shares infrastructure and tooling with threat activity previously documented by ITOCHU, pointing to a persistent threat actor focused on reconnaissance, espionage and email abuse.
To combat these threats, organizations are advised to routinely audit their environments for end-of-support software and promptly remove or replace such applications. Users are also advised to check the permissions requested by cloud applications before granting access.
“In the Sogou Zhuyin operation, the threat actors maintained a low profile and conducted reconnaissance to identify valuable targets among the victims,” the company said. “On the other hand, during the ongoing spear phishing operation, the attackers distributed malicious emails to the targets for further exploitation.”