UTA0388
UTA0388 is a China-aligned threat actor tracked by Volexity and linked to the Proofpoint cluster UNK_DropPitch. Reporting attributes to UTA0388 a series of spear-phishing campaigns active from at least June through September 2025 against organizations and individuals in North America, Europe, and Asia. Targeting is described as consistent with Chinese cyberespionage interests, with a particular focus on Asian geopolitical issues including Taiwan; reported targets included Taiwan's semiconductor industry, U.S. academia, U.S. think tanks, and organizations representing Chinese minorities. UTA0388 used tailored, multilingual phishing lures in English, Chinese, Japanese, French, and German, often posing as fabricated senior researchers and analysts. Later campaigns used rapport-building phishing, withholding the malicious link until after an email exchange with the target.

The actor used ChatGPT to generate spear-phishing content and to assist other parts of its workflow, including gathering information on installing tools such as nuclei and fscan; OpenAI reported banning the associated accounts. Volexity assessed with high confidence that UTA0388 used LLMs in support of its phishing, and with medium confidence that some content generation and sending may have been automated with little human oversight.

The campaigns delivered GOVERSHELL, a Go-based backdoor family that Volexity assessed is actively developed and used exclusively by UTA0388. Phishing emails were sent from Proton Mail, Outlook, and Gmail accounts and linked to ZIP or RAR archives staged on legitimate services (Netlify, Sync, OneDrive) or on actor-controlled infrastructure. The archives typically contained a benign executable and a malicious DLL that was loaded through DLL side-loading or DLL search-order hijacking, often using Tablacus Explorer as the benign host executable. Persistence was achieved via scheduled tasks, and the backdoor provided remote command execution, largely through PowerShell.
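The delivery chain described above (a benign executable and a malicious DLL extracted from an archive into a user-writable directory, then a scheduled task for persistence) gives a defender two cheap hunt signals. The following is an added example, not code from Volexity's reporting or from Mallory: it runs those two checks over constructed Sysmon-style events. The file names (TE64.exe, helper.dll), paths and task name are hypothetical placeholders; the page names no specific DLL or task used with GOVERSHELL.

```python
# Added example: hunt for (1) a not-validly-signed DLL loaded by an EXE from the
# EXE's own user-writable directory (DLL side-loading / search-order hijacking)
# and (2) schtasks.exe /create whose action points into a user-writable directory.
# Event shapes follow Sysmon EID 7 (ImageLoaded) and EID 1 (ProcessCreate).
# All hosts, file names and paths below are constructed, not observed IOCs.
import json
import re
from pathlib import PureWindowsPath

# Directory markers treated as user-writable (tune to your environment).
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")
# DLLs loaded from these locations are the normal case, not side-loading.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")


def parent_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def in_user_writable_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def flag_sideload(ev: dict):
    """Sysmon EID 7: flag a DLL without a valid signature that is loaded from the
    loading EXE's own directory, when that directory is user-writable."""
    if ev.get("EventID") != 7:
        return None
    exe, dll = ev["Image"], ev["ImageLoaded"]
    if not dll.lower().endswith(".dll") or parent_dir(dll).startswith(SYSTEM_DLL_DIRS):
        return None
    if parent_dir(exe) != parent_dir(dll) or not in_user_writable_dir(exe):
        return None
    if ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus") == "Valid":
        return None
    return {"rule": "dll_sideload_user_dir", "host": ev["Computer"], "exe": exe, "dll": dll}


def flag_schtask(ev: dict):
    """Sysmon EID 1: flag schtasks.exe /create whose /tr action (quoted or bare)
    points into a user-writable directory."""
    if ev.get("EventID") != 1 or not ev["Image"].lower().endswith("\\schtasks.exe"):
        return None
    cmd = ev["CommandLine"]
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    if "/create" not in cmd.lower() or m is None:
        return None
    action = m.group(1) or m.group(2)
    if not in_user_writable_dir(action):
        return None
    return {"rule": "schtask_user_dir", "host": ev["Computer"], "action": action}


def hunt(events):
    """Run both checks over an event stream; returns the hits in input order."""
    hits = []
    for ev in events:
        for check in (flag_sideload, flag_schtask):
            hit = check(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample telemetry. Events 2, 3 and 5 are benign control cases.
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "WS01", "Image": r"C:\Users\alice\Downloads\report\TE64.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\report\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Computer": "WS01", "Image": r"C:\Users\alice\Downloads\report\TE64.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Computer": "WS01", "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\app.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 30 /tn "Updater" '
                    r'/tr "C:\Users\alice\AppData\Roaming\report\TE64.exe"'},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /query /tn "Updater"'},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Sysmon only populates the Signed and SignatureStatus fields of EID 7 when image-load signature checking is enabled in its configuration, so confirm that before relying on the side-load rule. Environments with many portable applications run from Downloads or AppData will need an allowlist of known-good EXE/DLL pairs; the scheduled-task rule is noisier on hosts where per-user installers legitimately register tasks under AppData.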
Volexity identified five GOVERSHELL variants: HealthKick, TE32, TE64, WebSocket, and Beacon. HealthKick, first observed in April 2025, is described as the earliest GOVERSHELL variant and as overlapping with an earlier C++ malware family that is also referred to as HealthKick. TE32 used a PowerShell reverse shell. TE64 polled its C2 over HTTPS with JSON-formatted messages and ran PowerShell commands for system information gathering and task execution. WebSocket communicated over WebSocket connections with AES-GCM encryption and included an unimplemented update sub-command. Beacon, observed in September 2025, added randomization of the polling interval and executed PowerShell commands. Reporting also noted Simplified Chinese developer artifacts, Chinese-language log statements in at least one variant, and actor infrastructure registered behind Cloudflare, including domains referencing Taiwan or impersonating legitimate services. The aliases and linked designations directly mentioned in the reporting are UTA0388 and UNK_DropPitch.
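The polling C2 of TE64 and the interval randomization added in the Beacon variant are the network-side signal. A fixed poll interval is trivial to spot; jitter blurs it, so instead of looking for identical gaps the check below tests whether the gaps between connections cluster tightly around their median (MAD divided by median), which survives moderate randomization. This is an added example, not code from Volexity's report or from GOVERSHELL itself; the hosts, destinations, timestamps and the +/-20 % jitter shape are constructed, and the page does not state the actual interval or jitter range the malware uses.

```python
# Added example: dispersion-based beaconing check for a (src, dst) connection
# series. Perfectly regular polling gives MAD/median = 0; jittered polling stays
# small; interactive browsing is large. Sample data is constructed, not observed.
from collections import defaultdict
from statistics import median

MIN_POLLS = 10        # need enough samples before judging dispersion
MAX_DISPERSION = 0.3  # MAD / median threshold; tune against your baseline


def interval_dispersion(timestamps):
    """Return (median gap, MAD/median) for a series of connection times."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med <= 0:
        return med, float("inf")
    mad = median(abs(g - med) for g in gaps)
    return med, mad / med


def find_beacons(conn_log):
    """conn_log: iterable of (src, dst, epoch_seconds). Group by (src, dst) and
    flag pairs whose polling cadence is tight despite interval randomization."""
    by_pair = defaultdict(list)
    for src, dst, t in conn_log:
        by_pair[(src, dst)].append(t)
    hits = []
    for (src, dst), ts in by_pair.items():
        if len(ts) < MIN_POLLS:
            continue
        med, disp = interval_dispersion(ts)
        if disp <= MAX_DISPERSION:
            hits.append({"src": src, "dst": dst, "polls": len(ts),
                         "median_s": med, "dispersion": round(disp, 3)})
    return hits


def _series(src, dst, start, gaps):
    """Build a connection series from a start time and a list of gaps."""
    t, out = start, [(src, dst, start)]
    for g in gaps:
        t += g
        out.append((src, dst, t))
    return out


# Constructed: ~60 s polling with +/-20 % jitter, versus a user browsing a site.
SAMPLE_CONNS = (
    _series("10.0.0.5", "c2.example.invalid:443", 1_700_000_000,
            [60, 52, 68, 55, 63, 49, 71, 58, 61, 66, 54, 59, 70, 50, 64])
    + _series("10.0.0.5", "news.example.invalid:443", 1_700_000_000,
              [2, 340, 15, 1200, 3, 8, 600, 45, 1, 2700, 12])
)

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONNS):
        print(hit)
```

Run it over proxy or NetFlow records bucketed per day and per (source, destination). Because the actor staged payloads and parked infrastructure behind legitimate services and Cloudflare, the destination alone will not separate C2 from normal traffic; the cadence of the connections is what stands out, and long-lived sessions (the WebSocket variant) need a separate check on connection duration rather than on inter-arrival gaps.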
Targeting
Who and where, and (when attributed) which country is behind the operation, from open-source reporting and Mallory's analyst review.
Where they target (geographies tied to known operations):
- 🇹🇼 Taiwan
Where they're from (attributed origin per open-source reporting):
- CN
Recent activity
Summaries of tracked reporting (advisories, community write-ups, and news):
- UTA0388 is a Chinese state-sponsored APT group using AI services to enhance spear-phishing operations, targeting high-value sectors.
- Conducting China-nexus, cyberespionage-oriented spear-phishing campaigns that use ChatGPT-generated lure content to deliver archive files (ZIP/RAR) installing the GOVERSHELL backdoor; leveraging common cloud and web services for staging, with PowerShell-based post-compromise activity via the Beacon variant.
- China-aligned espionage activity conducting highly tailored spear-phishing (including rapport-building phishing) to deliver the GOVERSHELL backdoor via archives and DLL side-loading; also noted for using ChatGPT to generate phishing content and assist with malicious workflows.
- Described as a China-aligned activity cluster (UTA0388) leveraging ChatGPT to automate multilingual spear-phishing.