A China-aligned threat actor codenamed UTA0388 has been attributed to a series of spear-phishing campaigns targeting North America, Asia, and Europe that are designed to deliver a Go-based implant known as GOVERSHELL.
"The initially observed campaigns were tailored to the targets, and the messages purported to be sent by senior researchers and analysts from legitimate-sounding, completely fabricated organizations," Volexity said in a Wednesday report. "The goal of these spear phishing campaigns was to socially engineer targets into clicking links that led to a remotely hosted archive containing a malicious payload."
Since then, the threat actor behind the attacks is said to have leveraged different lures and fictional identities, spanning several languages, including English, Chinese, Japanese, French, and German.
Early iterations of the campaigns have been found to embed links to phishing content either hosted on a cloud-based service or their own infrastructure, in some cases, which led to the deployment of malware. However, the follow-on waves have been described as "highly tailored," in which the threat actors resort to building trust with recipients over time before sending the link – a technique called rapport-building phishing.
Irrespective of the approach used, the links lead to a ZIP or RAR archive that includes a rogue DLL payload that's launched using DLL side-loading. The payload is an actively developed backdoor called GOVERSHELL. It's worth noting that the activity overlaps with a cluster tracked by Proofpoint under the name UNK_DropPitch, with Volexity characterizing GOVERSHELL as a successor to a C++ malware family referred to as HealthKick.
As many as five distinct variants of GOVERSHELL have been identified to date -
- HealthKick (First observed in April 2025), which is equipped to run commands using cmd.exe
- TE32 (First observed in June 2025), which is equipped to execute commands directly via a PowerShell reverse shell
- TE64 (First observed in early July 2025), which is equipped to run native and dynamic commands using PowerShell to get system information, current system time, run command via powershell.exe, and poll an external server for new instructions
- WebSocket (First observed in mid-July 2025), which is equipped to run a PowerShell command via powershell.exe and an unimplemented "update" sub-command as part of the system command
- Beacon (First observed in September 2025), which is equipped to run native and dynamic commands using PowerShell to set a base polling interval, randomize it, or execute a PowerShell command via powershell.exe
Some of the legitimate services abused to stage the archive files include Netlify, Sync, and OneDrive, whereas the email messages have been identified as sent from Proton Mail, Microsoft Outlook, and Gmail.
A noteworthy aspect of UTA0388's tradecraft is its use of OpenAI ChatGPT to generate content for phishing campaigns in English, Chinese, and Japanese; assist with malicious workflows; and search for information related to installing open-source tools like nuclei and fscan, as revealed by the AI company earlier this week. The ChatGPT accounts used by the threat actor have since been banned.
The use of a large language model (LLM) to augment its operations is evidenced in the fabrications prevalent in the phishing emails, ranging from the personas used to send the message to the general lack of coherence in the message content itself, Volexity said.
"The targeting profile of the campaign is consistent with a threat actor interested in Asian geopolitical issues, with a special focus on Taiwan," the company added. "The emails and files used in this campaign leads Volexity to assess with medium confidence that UTA0388 made use of automation, LLM or otherwise, that generated and sent this content to targets with little to no human oversight in some cases."
The disclosure comes as StrikeReady Labs said a suspected China-linked cyber espionage campaign has targeted a Serbian government department related to aviation, as well as other European institutions in Hungary, Belgium, Italy, and the Netherlands.
The campaign, observed in late September, involves sending phishing emails containing a link that, when clicked, directs the victim to a fake Cloudflare CAPTCHA verification page that leads to the download a ZIP archive, within which there exists a Windows shortcut (LNK) file that executes PowerShell responsible for opening a decoy document and stealthily launching PlugX using DLL side-loading.
