Chinese Hackers Deploy Sophisticated GOVERSHELL Malware

Widespread Cyberattacks Target Geopolitical Interests

A cybercrime group, identified as UTA0388, has launched a series of cyberattacks using a new type of malware called GOVERSHELL. This group, which has ties to China, is targeting a wide range of organizations across North America, Asia, and Europe. The primary method of attack is through spear-phishing campaigns, where they send personalized, malicious emails to trick victims into downloading the malware.

In an initial report, cybersecurity firm Volexity revealed that these attacks began with highly customized emails. The messages were crafted to look like they came from credible sources, like senior researchers or analysts from made-up organizations. The attackers’ goal was to entice recipients into clicking a link that would download a malicious file. This file, a compressed archive, contained the GOVERSHELL malware.

Since these early attacks, the group has adapted its methods, using various deceptive techniques and fictional identities. The emails are written in multiple languages, including English, Chinese, Japanese, French, and German, to appeal to a broader range of targets. While some early campaigns used simple links to a malicious file hosted on a cloud service, the more recent attacks have become much more advanced. The attackers now engage in rapport-building phishing, a technique where they build a relationship and gain a victim’s trust over time before sending the malicious link.

The Evolution of GOVERSHELL Malware

Regardless of the initial approach, the end goal is always the same: to get the victim to download a ZIP or RAR archive. Inside this archive is a malicious DLL file that uses a technique called DLL side-loading to execute the GOVERSHELL backdoor. Volexity and another cybersecurity company, Proofpoint, have connected these attacks to a campaign known as UNK_DropPitch. They believe that GOVERSHELL is a more advanced version of a previous C++-based malware called HealthKick.

To date, cybersecurity experts have identified at least five different versions of GOVERSHELL, showing that the malware is being continuously developed and improved. The first version, HealthKick, appeared in April 2025 and was designed to run commands using the Windows command prompt (cmd.exe). The next version, TE32, was observed in June 2025 and could execute commands directly through a PowerShell reverse shell. A month later, in early July 2025, TE64 emerged. This version was more powerful, capable of running native and dynamic commands using PowerShell to gather system information, get the current system time, and receive instructions from a remote server. In mid-July, the WebSocket variant appeared. It had the ability to run PowerShell commands and included an “update” sub-command that wasn’t yet active. The latest version, Beacon, was found in September 2025. It can run native and dynamic PowerShell commands, set a polling interval to check for new instructions, and even randomize that interval to avoid detection.
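The Beacon variant's randomised polling interval is aimed at defeating simple fixed-period checks, but jittered polling still leaves a statistical footprint: the gaps between a client's requests to its command-and-control host cluster tightly around a mean, whereas human browsing does not. The following added example (written for this article, not code from Volexity, Proofpoint or the malware authors) scores each client-to-host pair in a constructed proxy log by the coefficient of variation of its request gaps; the addresses, hostnames and timestamps are placeholders, not indicators from the report.

```python
"""Detect jittered periodic beaconing in web-proxy logs.

Added illustration, not code from the report: a backdoor that polls its
server every N seconds with random jitter still produces request gaps
with a low coefficient of variation (std / mean). Human browsing is
bursty and scores far higher.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample lines: "<ISO timestamp> <client> <host> <method> <path> <status>".
# 10.0.0.5 polls every ~60 s with jitter; 10.0.0.7 browses; 10.0.0.9 has too few hits.
SAMPLE_LOG = """\
2025-09-10T12:00:00Z 10.0.0.5 update-check.invalid GET /status 200
2025-09-10T12:00:00Z 10.0.0.7 news.example GET / 200
2025-09-10T12:00:03Z 10.0.0.7 news.example GET /css/site.css 200
2025-09-10T12:00:04Z 10.0.0.7 news.example GET /img/logo.png 200
2025-09-10T12:00:55Z 10.0.0.5 update-check.invalid GET /status 200
2025-09-10T12:01:30Z 10.0.0.7 news.example GET /world 200
2025-09-10T12:01:31Z 10.0.0.7 news.example GET /img/a.png 200
2025-09-10T12:01:58Z 10.0.0.5 update-check.invalid GET /status 200
2025-09-10T12:02:56Z 10.0.0.5 update-check.invalid GET /status 200
2025-09-10T12:04:00Z 10.0.0.5 update-check.invalid GET /status 200
2025-09-10T12:04:58Z 10.0.0.5 update-check.invalid GET /status 200
2025-09-10T12:06:02Z 10.0.0.5 update-check.invalid GET /status 200
2025-09-10T12:06:40Z 10.0.0.7 news.example GET /sport 200
2025-09-10T12:06:41Z 10.0.0.7 news.example GET /img/b.png 200
2025-09-10T12:06:42Z 10.0.0.7 news.example GET /img/c.png 200
2025-09-10T12:10:00Z 10.0.0.9 cdn.example GET /lib.js 200
2025-09-10T12:11:00Z 10.0.0.9 cdn.example GET /lib.js 200
2025-09-10T12:25:00Z 10.0.0.7 news.example GET /weather 200
"""


def parse_log(text):
    """Group request timestamps by (client, destination host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, *_ = line.split()
        # Accept a trailing 'Z' on older Python versions of fromisoformat.
        events[(client, host)].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return events


def gap_stats(times):
    """Return (number of gaps, mean gap seconds, coefficient of variation)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    # A zero mean means duplicate timestamps; treat as non-periodic.
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return len(gaps), mean, cv


def find_beacons(text, min_requests=5, max_cv=0.25):
    """Flag (client, host) pairs whose request gaps are suspiciously regular.

    min_requests avoids scoring pairs with too few samples; max_cv is the
    jitter tolerance (0.25 admits roughly +/-25% randomisation).
    """
    hits = []
    for (client, host), times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        _, mean, cv = gap_stats(times)
        if cv <= max_cv:
            hits.append((client, host, round(mean, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for client, host, mean, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {client} -> {host} every ~{mean}s (cv={cv})")
```

The thresholds are the tuning knobs a SOC would adjust per environment: raising `max_cv` catches more aggressive jitter at the cost of false positives from legitimate pollers such as update checkers, which is why results are best reviewed together with the destination's reputation and the process that generated the traffic.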

The attackers have been using legitimate cloud services like Netlify, Sync, and OneDrive to host their malicious files and have been sending emails from popular providers such as Proton Mail, Microsoft Outlook, and Gmail. Because this traffic blends in with ordinary use of trusted services, their attacks are harder to block.

A recent discovery by OpenAI revealed a concerning new detail about UTA0388’s methods: they are using OpenAI’s ChatGPT to create content for their phishing campaigns. The attackers used the AI to generate email content in English, Chinese, and Japanese, and also to research how to install open-source hacking tools. The accounts used by the group have since been shut down. Volexity noted that the use of an AI like ChatGPT explains some of the strange and inconsistent content in the phishing emails, suggesting that some attacks might have been automated with little to no human supervision. The firm believes the attackers are primarily interested in topics related to Asian geopolitical issues, with a specific focus on Taiwan.

Geopolitical Cyber-Espionage on the Rise

This report coincides with another warning from StrikeReady Labs about a separate, suspected Chinese cyber-espionage campaign. This campaign, which was active in late September, targeted a Serbian government department related to aviation, as well as other organizations in Hungary, Belgium, Italy, and the Netherlands. The attackers used a different method: phishing emails with a link that led to a fake Cloudflare CAPTCHA page. After completing the “verification,” the victim would download a ZIP archive containing a Windows shortcut file. This file would then silently run PowerShell commands to open a fake decoy document while also deploying the notorious PlugX malware using DLL side-loading. The increase in these targeted, geopolitical cyber-espionage campaigns highlights a growing threat to global security.
