Cyber Ninjas Unleashed: TSMC Love Letters Hide a Dark Secret!

“Chinese State-Backed Cyber Espionage is in full swing, and it’s got a sense of humor. Chinese-speaking semiconductor companies are being pranked with a fake TSMC love letter that’s not delivering chocolates or roses, but a Cobalt Strike beacon. A cyber surprise that definitely does not pair well with your morning coffee.”

Hot Take:

When it comes to espionage, forget James Bond. It’s all about cyber spies now, especially the ones with a penchant for semiconductors, Cobalt Strike beacons, and a knack for language. These digital ninjas are targeting Chinese-speaking semiconductor companies with a fake love letter from TSMC (Taiwan Semiconductor Manufacturing Company). But instead of chocolates and roses, the recipients get a nasty Cobalt Strike beacon. Not exactly the kind of surprise you’d like with your morning coffee.

Key Points:

  • The cyber espionage campaign is targeting Chinese-speaking semiconductor companies with TSMC-themed lures that install Cobalt Strike beacons.
  • Firms based in Taiwan, Hong Kong, and Singapore are the main targets, with tactics reminiscent of previous activities linked to Chinese state-backed cyber threat groups.
  • The attack uses a PDF pretending to be from TSMC, a HyperBro loader, and a Cobalt Strike beacon to compromise the device and gain remote access.
  • A second variant of the attack uses a compromised Cobra DocGuard web server and a new Go-based backdoor named ‘ChargeWeapon.’
  • EclecticIQ attributes the campaign to a Chinese-backed nation-state threat actor due to extensive similarities with other Chinese threat group operations.

Need to know more?

Code name: Cobalt Strike

The attackers' modus operandi is as sleek as a Bond movie. They use a PDF disguised as a TSMC document—because who wouldn’t trust a document from the world’s largest semiconductor contract manufacturing firm? The convincing lure enables a stealthier compromise, and when mixed with a HyperBro loader, results in a perfect cocktail of cyber chaos. A Cobalt Strike beacon is then launched, giving the attackers remote access. Just like that, your device is compromised without you even noticing it.

Meet ChargeWeapon: The new kid on the block

Just when you thought it couldn't get worse, enter 'ChargeWeapon.' This Go-based backdoor is the hackers' latest toy. It gathers and transmits host data, uses TCP over HTTP for C2 communications, and employs simple malware evasion methods. Think of it as the annoying younger sibling who keeps snooping around your room.

China: The Puppet Master

Finally, our detectives at EclecticIQ have traced the breadcrumbs back to the doorstep of a familiar foe. The similarities between this campaign and previous activities linked to Chinese state-backed threat groups point to a likely Chinese origin. So, it appears that the dragon has once again unfurled its cyber wings.

Tags: ChargeWeapon Backdoor, Chinese hackers, Cobalt Strike Beacon, Cyber Espionage, HyperBro Loader, Semiconductor Companies, Spear-phishing