UNK_FistBump
UNK_FistBump is a China-aligned threat actor cluster tracked by Proofpoint as distinct from APT41/TA415, although Proofpoint noted overlap in tooling through use of the custom Voldemort backdoor. Between March and June 2025, the actor targeted Taiwan’s semiconductor ecosystem, including semiconductor design, manufacturing, packaging, testing, and supply chain organizations, and specifically targeted HR and recruiting personnel. Proofpoint assessed the activity as espionage-motivated. The actor used employment-themed spearphishing, often posing as graduate students or job applicants and sending emails from compromised Taiwanese university accounts. Campaigns used password-protected archives or PDF attachments linking to archives hosted on Zendesk or Filemail. Malware delivery involved DLL sideloading chains. Proofpoint reported delivery of both Cobalt Strike Beacon and the custom C-based Voldemort backdoor. In late May 2025, UNK_FistBump used two distinct infection chains from the same password-protected archive, one leading to Cobalt Strike and the other to Voldemort. Reported tradecraft includes use of LNK-triggered execution, VBS scripts, javaw.exe-based DLL sideloading, RC4-encrypted payload decryption, persistence via a Run registry key, and use of CiscoCollabHost.exe to sideload CiscoSparkLauncher.dll for Voldemort delivery. Voldemort used Google Sheets / the Google Sheets API for command and control. Proofpoint stated that Voldemort had previously been associated with TA415/APT41, but assessed UNK_FistBump as a separate cluster due to notable TTP differences.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
- Financial Services
Where they target
Geographies tied to known operations.
- 🇹🇼 Taiwan
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
13 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
2 malware families attributed to this actor across reporting.
Observables
17 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
UNK_FistBump is a newly identified Chinese APT targeting Taiwan's semiconductor industry using phishing emails that impersonate graduate students. The group initially delivered Cobalt Strike and later the custom Voldemort backdoor, which uses Google Sheets for C2.
UNK_FistBump is a suspected Chinese espionage group targeting Taiwan's semiconductor industry.
UNK_FistBump is a China-aligned espionage group targeting Taiwan's semiconductor industry with phishing campaigns and custom malware, including a backdoor leveraging Google Sheets for C2.
Targeting Taiwanese semiconductor industry organizations with spear-phishing campaigns delivering Cobalt Strike or Voldemort backdoor.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.