Threat actors have hijacked an abandoned update server tied to the Sogou Zhuyin input method editor (IME) to deliver multiple malware strains to high-value targets across East Asia and beyond.
The operation, dubbed TAOTH, was first spotted in June 2025 and involves an abandoned domain once linked to Sogou Zhuyin, a legitimate IME tool that ceased receiving updates in 2019. The attackers re-registered the domain sogouzhuyin[.]com in October 2024 and began using it the following month to serve malicious payloads through fake software updates.
Victims primarily include dissidents, journalists, researchers, and tech and business leaders in China, Taiwan, Hong Kong, Japan, South Korea, and overseas Taiwanese communities.
According to Trend Micro, the attackers used tampered update mechanisms, phishing websites, and cloud-based infrastructure to deploy malware and exfiltrate sensitive data. Malware families identified in the campaign include the C6DOOR backdoor; GTELAM and DESFY, both designed to scan for sensitive document files and exfiltrate the file names to Google Drive; and the TOSHIS loader, used to download post-exploitation tools such as Cobalt Strike or Merlin agents. TOSHIS, which is linked to the Tropic Trooper APT group, is distributed through spear-phishing emails and malicious cloud storage pages.
The infection chain starts with users unknowingly downloading a legitimate Sogou Zhuyin installer from compromised sources such as Wikipedia, only for the program to later connect to the malicious update server. A few hours after installation, the updater (ZhuyinUp.exe) fetches a manipulated configuration file that triggers a silent download of malware.
Phishing techniques used in the campaign include fake login portals and fraudulent cloud services impersonating Tencent Cloud, luring victims with coupon offers or software downloads. The tactics are designed to either infect devices or hijack user mailboxes by gaining OAuth access.
Trend Micro’s report notes that TAOTH shares infrastructure with past activity linked to the ITOCHU threat group.