TAOTH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents

Indicators of Compromise