Semiconductor companies in East Asia [1] [2] [3] [4] [5] [6] [7] [9] [10] [11], particularly in Taiwan, Hong Kong [1] [8] [10], and Singapore [1] [8] [10], have been targeted by Chinese hackers engaged in cyber espionage [1]. These attacks involve the use of TSMC-themed lures to infect the companies with Cobalt Strike beacons [1].
The threat actors distribute the HyperBro loader to install the Cobalt Strike beacon [1] [10], which grants them remote access [10]. The loader relies on DLL side-loading through a digitally signed CyberArk binary (vfhost) [1] [10]. In a separate variant of the attack [1] [10], the hackers use a compromised Cobra DocGuard web server to deliver additional malware and load more Cobalt Strike shellcode [1].

EclecticIQ analysts believe that the HyperBro Loader [1], malware downloader [1] [8] [9] [11], and GO backdoor are likely operated and developed by a state-backed threat actor from China [1]. Symantec and ESET have previously reported on China-sponsored APTs using Cobra DocGuard servers for malware delivery [1], further supporting the attribution to Chinese hackers [1].

These cyber espionage activities targeting semiconductor companies in East Asia are believed to be carried out by Chinese state-backed threat groups. The attackers initiate the compromise through spear-phishing emails and distribute the HyperBro loader disguised as a TSMC-themed PDF document. The loader utilizes DLL side-loading and a digitally signed binary to evade antivirus detection [10].
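The side-loading pattern described above (a legitimately signed executable dropped into a user-writable directory that then loads an unsigned DLL sitting beside it) is something a detection engineer can hunt for in image-load telemetry. The following is an added example, not code from EclecticIQ or any of the cited reports: it runs a heuristic over constructed Sysmon-like ImageLoad records. The field names (`Image`, `ImageLoaded`, `ImageSigned`, `LoadedSigned`) are a simplified schema assumed for the example, `vfhost.exe` stands in for the signed CyberArk binary the write-up names, and the DLL file name is a constructed placeholder.

```python
"""Heuristic detector for DLL side-loading by a signed binary.

Added example; the records below are constructed, not real telemetry, and the
field schema is a simplified stand-in for Sysmon Event ID 7 (ImageLoad).
"""
from pathlib import PureWindowsPath

# Locations from which a signed vendor binary is expected to run. A signed EXE
# running from anywhere else that loads an unsigned DLL from its own directory
# matches the side-loading pattern in the campaign write-up.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Constructed sample events (assumed, simplified schema).
SAMPLE_EVENTS = [
    # Benign: vendor binary in Program Files loading its own signed DLL.
    {"Image": r"C:\Program Files\CyberArk\vfhost.exe",
     "ImageLoaded": r"C:\Program Files\CyberArk\vfhost.dll",
     "ImageSigned": "true", "LoadedSigned": "true"},
    # Benign: a system DLL loaded from System32, even though the EXE is in Temp.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\vfhost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "ImageSigned": "true", "LoadedSigned": "true"},
    # Suspicious: signed EXE dropped to Temp loads an unsigned DLL beside it
    # (placeholder DLL name, not an indicator from the report).
    {"Image": r"C:\Users\alice\AppData\Local\Temp\vfhost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\placeholder_sideload.dll",
     "ImageSigned": "true", "LoadedSigned": "false"},
    # Unsigned EXE loading an unsigned DLL: noisy developer activity, not this pattern.
    {"Image": r"C:\Users\bob\tools\dev.exe",
     "ImageLoaded": r"C:\Users\bob\tools\helper.dll",
     "ImageSigned": "false", "LoadedSigned": "false"},
]


def _same_directory(exe: str, dll: str) -> bool:
    """True when the DLL lives in the executable's own directory (case-insensitive)."""
    return str(PureWindowsPath(exe).parent).lower() == str(PureWindowsPath(dll).parent).lower()


def _in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def find_sideload_candidates(events):
    """Return (exe, dll) pairs that match the signed-EXE / unsigned-sibling-DLL pattern.

    All four conditions must hold: the process image is signed, the loaded DLL is
    not, the DLL sits in the same directory as the EXE, and that directory is not
    one of the trusted install locations.
    """
    hits = []
    for ev in events:
        if ev["ImageSigned"] != "true" or ev["LoadedSigned"] == "true":
            continue
        if not _same_directory(ev["Image"], ev["ImageLoaded"]):
            continue
        if _in_trusted_dir(ev["Image"]):
            continue
        hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible DLL side-loading: {exe} loaded unsigned {dll}")
```

The heuristic deliberately requires the unsigned DLL to be a sibling of the signed EXE outside a trusted install path; dropping either condition floods the result with ordinary developer and installer activity. In production the signature fields would come from the endpoint agent's own verification rather than from a log field.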

The compromised Cobra DocGuard server also hosts a GO-based backdoor known as “ChargeWeapon,” which allows remote access and collects and transmits host data to a command-and-control (C2) server [8]. The activities are attributed to a People’s Republic of China (PRC)-backed nation-state threat actor based on victimology and infrastructure similarities with previously reported activity clusters [10].

The campaign is attributed to a China-linked threat actor known as Lucky Mouse [2] [3] [5] [6] [7] [9] [11], which uses a backdoor called HyperBro to deploy an attack simulation and post-exploitation toolkit [2] [3] [4] [5] [7] [11]. Another group called RedHotel [2] [3] [5] [6] [7] [9] [11], which overlaps with a hacking team called Earth Lusca [3], is also involved [3]. Social engineering techniques are used [3] [5] [7] [9] [11], including a TSMC-themed PDF document as a lure [3] [5] [6] [7] [9] [11]. The Cobalt Strike beacon's configuration disguises the C2 server address as a legitimate jQuery CDN to bypass firewall defenses [3] [5] [6] [7] [9] [10] [11].
These cyber espionage activities by Chinese hackers targeting semiconductor companies in East Asia have significant implications. The use of sophisticated techniques, such as spear-phishing emails and disguised loaders, highlights the need for improved cybersecurity measures in the industry. It is crucial for companies to enhance their defenses against state-backed threat actors and invest in advanced threat detection and prevention systems. Additionally, international cooperation and information sharing among intelligence agencies and cybersecurity organizations are essential to combat these threats effectively. The ongoing efforts of the Belgian intelligence agency and the recognition by the US Department of Defense of China’s cyber espionage threat underscore the importance of addressing this issue promptly and comprehensively.
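A beacon that presents its C2 traffic as requests to a jQuery CDN defeats a firewall that only looks at host names, but two properties of that traffic remain visible in proxy logs: the Host header names a CDN while the destination IP is not one the resolver actually returned for that CDN, and the requests recur at a nearly fixed interval. The following is an added example written for this page, not code from any of the cited reports. The proxy log lines, the CDN host name used (`code.jquery.com`), and the "known CDN address" list are all constructed; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 are used so that no real address appears.

```python
"""Flag CDN-disguised beaconing in proxy logs (added example, constructed data).

Log line format assumed for the example:
  <ISO8601 timestamp> <client_ip> <dest_ip> <method> <host_header> <uri> <status> <bytes>
"""
import statistics
from datetime import datetime

# Assumption: host names the heuristic treats as "claims to be a jQuery CDN".
CDN_HOSTS = {"code.jquery.com"}
# Constructed: addresses our own resolver returned for those hosts. A request
# whose Host header names the CDN but goes elsewhere is the disguise pattern.
KNOWN_CDN_IPS = {"198.51.100.10", "198.51.100.11"}
MIN_REQUESTS = 4     # fewer requests than this cannot establish a polling rhythm
MAX_JITTER = 0.20    # stdev/mean of inter-request gaps above which traffic is "not periodic"

# Constructed sample log. 10.1.2.3 polls a non-CDN address every ~60 s while
# claiming code.jquery.com; 10.1.2.9 fetches the real CDN twice, normally.
SAMPLE_LOG = """\
2023-10-05T09:00:00Z 10.1.2.3 203.0.113.7 GET code.jquery.com /jquery-3.3.1.min.js 200 5123
2023-10-05T09:00:12Z 10.1.2.9 198.51.100.10 GET code.jquery.com /jquery-3.6.0.min.js 200 89501
2023-10-05T09:01:00Z 10.1.2.3 203.0.113.7 GET code.jquery.com /jquery-3.3.1.min.js 200 5123
2023-10-05T09:01:30Z 10.1.2.9 203.0.113.50 GET www.example.com /index.html 200 1200
2023-10-05T09:02:01Z 10.1.2.3 203.0.113.7 GET code.jquery.com /jquery-3.3.1.min.js 200 5123
2023-10-05T09:02:59Z 10.1.2.3 203.0.113.7 GET code.jquery.com /jquery-3.3.1.min.js 200 5123
2023-10-05T09:04:00Z 10.1.2.3 203.0.113.7 POST code.jquery.com /jquery-3.3.2.min.js 200 20481
2023-10-05T09:05:40Z 10.1.2.9 198.51.100.10 GET code.jquery.com /jquery-3.6.0.min.js 304 0
"""


def parse_log(text):
    """Parse the assumed log format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dst, method, host, uri, status, size = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client, "dst": dst, "method": method,
            "host": host, "uri": uri, "status": int(status), "bytes": int(size),
        })
    return records


def polling_interval(records):
    """Return the mean gap in seconds if the records are regularly spaced, else None."""
    if len(records) < MIN_REQUESTS:
        return None
    ordered = sorted(records, key=lambda r: r["ts"])
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0 or statistics.pstdev(gaps) / mean > MAX_JITTER:
        return None
    return mean


def find_disguised_beacons(log_text):
    """Group requests by (client, host, destination) and report the two indicators."""
    groups = {}
    for r in parse_log(log_text):
        groups.setdefault((r["client"], r["host"], r["dst"]), []).append(r)
    findings = []
    for (client, host, dst), recs in groups.items():
        if host not in CDN_HOSTS:
            continue
        reasons = []
        if dst not in KNOWN_CDN_IPS:
            reasons.append("Host header names a CDN but destination is not a known CDN address")
        interval = polling_interval(recs)
        if interval is not None:
            reasons.append(f"regular polling every ~{interval:.0f}s with low jitter")
        if reasons:
            findings.append({"client": client, "host": host, "dst": dst, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_disguised_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['dst']} as {f['host']}: " + "; ".join(f["reasons"]))
```

Either indicator on its own produces false positives (CDN anycast addresses change, and some software polls legitimately), which is why the output lists the reasons separately and leaves the decision to the analyst; the host/IP mismatch is the stronger signal because a genuine CDN client resolves the name it puts in the Host header.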