Cybersecurity researchers at Proofpoint have uncovered an escalation in cyber espionage activity targeting Taiwan’s semiconductor industry, with multiple China-aligned threat actors launching coordinated phishing campaigns to gather intelligence across the entire supply chain.
Between March and June 2025, at least three distinct threat groups – tracked by Proofpoint as UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp – engaged in highly targeted attacks against Taiwanese semiconductor firms. These included chip manufacturers, design houses, test facilities, supply chain partners, and financial analysts covering the sector.
Proofpoint’s latest research revealed:
- Phishing campaigns spanned the entire semiconductor ecosystem, from production and logistics to financial analysis
- Threat actors used employment-themed lures, fake business collaborations, and credential phishing techniques. Some campaigns involved compromised university accounts and custom Adversary-in-the-Middle (AiTM) infrastructure
- Custom malware such as Voldemort and HealthKick was deployed alongside legitimate tools used for persistence and remote access
- Shared infrastructure was identified across campaigns, including the use of Russian VPS providers and SoftEther VPN servers
The firm linked the intensified targeting to China’s strategic goal of achieving semiconductor self-sufficiency amid tightening US and Taiwanese export controls. The activity aligns with a long-observed pattern of China-aligned threat actors adapting their intelligence priorities in response to shifting domestic economic goals.
Mark Kelly, Staff Threat Researcher at Proofpoint, noted: “We are continuing to see phishing campaigns targeting Taiwanese semiconductor companies from the threat actors highlighted in the research. Given the ongoing geopolitical significance of semiconductor technologies, we expect these and other China-aligned groups to continue cyberespionage operations against the sector.”
While the campaigns focused primarily on entities within Taiwan, several targeted individuals at international investment firms with expertise in Taiwanese semiconductor markets. Although no attacks on US-based semiconductor companies were observed during the research period, Proofpoint warned that US financial institutions with exposure to Taiwanese semiconductor investments may also be at risk.
The researchers highlighted that the campaigns varied in scope, with some directed at specific individuals and others broadly targeting employees across entire organisations. This suggests an intent to penetrate the organisations themselves rather than to target individual victims.
The findings form part of a broader trend of economic espionage activity by China-aligned actors. Alongside the semiconductor sector, other affected industries include manufacturing, energy, aerospace, defence, and advanced technology. Publicly available sources, including US government indictments, have supported this assessment.
Proofpoint advised organisations operating in or adjacent to the semiconductor supply chain to remain vigilant and train staff to recognise and report phishing attempts, particularly those from untrusted or unusual sources.
You can find the full report here: https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting