A China-aligned threat actor codenamed UTA0388 is believed to be behind a series of spear-phishing campaigns targeting North America, Asia, and Europe that aim to deliver a Go-based implant known as GOVERSHELL.
“The campaign initially observed was tailored to targets, with messages purportedly sent by senior researchers and analysts at the organization that sounded legitimate and were completely fabricated,” Volexity said in a report on Wednesday. “The goal of these spear-phishing campaigns was to socially engineer targets into clicking on a link that directed them to a remotely hosted archive containing a malicious payload.”
Since then, the attackers are said to have used a variety of lures and fictitious identities across multiple languages, including English, Chinese, Japanese, French, and German.
Early campaigns were found to include embedded links to phishing content hosted on cloud-based services or dedicated infrastructure, which in some cases led to the deployment of malware. Subsequent waves, however, are described as “highly orchestrated”, with the attackers taking time to build trust with recipients before sending the link, a technique known as trust-building phishing.
Regardless of the approach used, the link leads to a ZIP or RAR archive containing a malicious DLL payload that is launched using DLL sideloading. The payload is an actively developed backdoor called GOVERSHELL. Notably, this activity overlaps with a cluster tracked by Proofpoint under the name UNK_DropPitch. Volexity characterizes GOVERSHELL as a successor to a C++ malware family called HealthKick.

To date, five different variants of GOVERSHELL have been identified:
- HealthKick (first seen in April 2025), which can run commands using cmd.exe.
- TE32 (first observed in June 2025), which can execute commands directly via a PowerShell reverse shell.
- TE64 (first seen in early July 2025), which can run native and dynamic commands using PowerShell to retrieve system information and the current system time, run commands via powershell.exe, and poll external servers for new instructions.
- WebSocket (first observed in mid-July 2025), which can run PowerShell commands via powershell.exe and carries an “update” subcommand that is not implemented as part of the system commands.
- Beacon (first seen in September 2025), which can run native and dynamic commands using PowerShell, set basic polling intervals and randomize them, and run PowerShell commands via powershell.exe.
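Because the TE64 and Beacon variants poll external servers at fixed or randomized intervals, one way a defender can surface that behaviour is to look in egress logs for destinations contacted at regular gaps even when jitter is applied. The following Python is an added example, not code from the report or from Volexity; it runs over constructed sample log lines, and the host name, destination addresses and thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log lines ("timestamp host destination"), not real data.
# 203.0.113.10 (a documentation address) is polled about every 60 s with +/-10 % jitter,
# the way an implant with a randomized polling interval would; 198.51.100.7 is ordinary
# irregular browsing.
SAMPLE_LOG = """\
2025-09-10T09:00:00Z WS01 203.0.113.10:443
2025-09-10T09:00:12Z WS01 198.51.100.7:443
2025-09-10T09:01:03Z WS01 203.0.113.10:443
2025-09-10T09:01:58Z WS01 203.0.113.10:443
2025-09-10T09:02:20Z WS01 198.51.100.7:443
2025-09-10T09:03:05Z WS01 203.0.113.10:443
2025-09-10T09:03:59Z WS01 203.0.113.10:443
2025-09-10T09:05:02Z WS01 203.0.113.10:443
2025-09-10T09:05:10Z WS01 198.51.100.7:443
2025-09-10T09:06:01Z WS01 203.0.113.10:443
"""

def parse_log(text):
    """Group connection timestamps by (host, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, host, dest = line.split()
        events[(host, dest)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events

def find_beacons(text, min_events=5, max_jitter=0.25):
    """Return sorted (host, dest, median_gap_seconds) for pairs with regular gaps.

    A pair is flagged when the median absolute deviation of its gaps is at most
    max_jitter * median gap, so randomized polling still stands out.
    """
    hits = []
    for (host, dest), times in parse_log(text).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = statistics.median(gaps)
        mad = statistics.median(abs(g - med) for g in gaps)
        if med > 0 and mad <= max_jitter * med:
            hits.append((host, dest, med))
    return sorted(hits)

if __name__ == "__main__":
    for host, dest, gap in find_beacons(SAMPLE_LOG):
        print(f"{host} -> {dest}: regular polling, median gap {gap:.0f}s")
```

Tune min_events and max_jitter to the log volume in your environment; a low-volume destination with a stable median gap is the signal, not any single connection.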
Legitimate services abused to stage the archive files include Netlify, Sync, and OneDrive, while the email messages were found to have been sent from Proton Mail, Microsoft Outlook, and Gmail accounts.
What’s notable about UTA0388’s tradecraft is its use of OpenAI’s ChatGPT to generate content for English, Chinese, and Japanese phishing campaigns, to facilitate malicious workflows, and to look up information on installing open-source tools like nuclei and fscan, as revealed by the AI company earlier this week. The ChatGPT account used by the threat actor was subsequently banned.
According to Volexity, the use of large language models (LLMs) to enhance operations is evidenced by the pervasive fabrications in the phishing emails, from the personas used to send the messages to the overall lack of consistency in the message content itself.
“The targeting of this campaign is consistent with threat actors interested in geopolitical issues in Asia, with a particular focus on Taiwan,” the company added. “From the emails and files used in this campaign, Volexity assesses with medium confidence that UTA0388 utilized automation (such as LLM) to generate and send this content to its targets, in some cases with little or no human oversight.”
The disclosure comes as StrikeReady Labs reported that a suspected China-linked cyber espionage operation is targeting the aviation sector of the Serbian government, as well as other European institutions in Hungary, Belgium, Italy, and the Netherlands.
The campaign, identified in late September, sends phishing emails containing links that, when clicked, redirect victims to a fake Cloudflare CAPTCHA verification page and download a ZIP archive. Inside is a Windows Shortcut (LNK) file that runs a PowerShell script, which opens a decoy document and covertly launches PlugX via DLL sideloading.