Spear-phishing campaigns that target North America, Asia, and Europe have been linked to a threat actor with ties to China. The attacks are intended to deliver GOVERSHELL, a Go-based implant. According to reports, the threat actor responsible for the attacks used a variety of lures and made-up identities in a number of languages, including English, Chinese, Japanese, French, and German.
While the email messages have been identified as coming from Proton Mail, Microsoft Outlook, and Gmail, legitimate services such as Netlify, Sync, and OneDrive have been abused to stage the archive files. According to Volexity, the fabrications common to the phishing emails, from the personas used to send the messages to the overall lack of coherence in the message content itself, demonstrate the use of a large language model (LLM) to augment the group's operations. Separately, StrikeReady Labs reports that a Serbian government agency involved in aviation has been the target of a suspected cyberespionage campaign with ties to China.
The campaign, discovered in late September, sends phishing emails with a link that, when clicked, takes the recipient to a phony Cloudflare CAPTCHA verification page. The resulting ZIP file contains a Windows shortcut (LNK) file that uses DLL side-loading to launch PlugX covertly while opening a decoy document. In a blog post on Monday, StrikeReady Labs stated, "The emails and files used in this campaign lead Volexity to assess with medium confidence that UTA0388 made use of automation, LLM or otherwise, that generated and sent this content to targets with little to no human oversight in some cases." The revelation coincides with several European institutions in Hungary, Belgium, Italy, and the Netherlands being the target of a suspected Chinese cyber espionage campaign.
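The archive layout described above (a decoy document, an LNK shortcut, and an executable with a co-located DLL for side-loading) is a pattern a mail gateway or sandbox can triage before detonation. The following Python script is an added example written for this article; it is not code from Volexity, StrikeReady Labs, or the reporting. The sample archive it builds uses constructed placeholder bytes and hypothetical file names, and the scoring weights are an assumption for illustration.

```python
import io
import zipfile

# Genuine Windows shortcut files begin with a 4-byte header size of 0x4C.
LNK_MAGIC = b"L\x00\x00\x00"

# Assumed scoring weights for the triage verdict (not from the article).
WEIGHT_LNK = 2
WEIGHT_SIDELOAD_PAIR = 3
WEIGHT_DECOY_WITH_LNK = 1


def build_sample_archive() -> bytes:
    """Construct a ZIP mimicking the lure layout described in the article.

    All contents are placeholder bytes (constructed for this example), not malware.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invitation.pdf", b"%PDF-1.4 placeholder decoy document")
        zf.writestr("Invitation.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("data/updater.exe", b"MZ placeholder executable")
        zf.writestr("data/version.dll", b"MZ placeholder library")
    return buf.getvalue()


def triage_archive(data: bytes) -> dict:
    """Flag the LNK + DLL side-loading layout inside a ZIP archive.

    Returns the LNK entries found (with whether their header looks genuine),
    directories holding both an EXE and a DLL (side-loading candidates),
    document-looking decoys, and an additive suspicion score.
    """
    findings = {"lnk_files": [], "sideload_pairs": [], "decoys": [], "score": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        by_dir = {}
        for name in zf.namelist():
            directory, _, base = name.rpartition("/")
            by_dir.setdefault(directory, []).append(base)
            lower = base.lower()
            if lower.endswith(".lnk"):
                head = zf.read(name)[:4]
                # Record the LNK either way: a shortcut in a lure archive is
                # suspicious whether or not its header is well-formed.
                findings["lnk_files"].append((name, head == LNK_MAGIC))
                findings["score"] += WEIGHT_LNK
            elif lower.endswith((".pdf", ".doc", ".docx", ".xls", ".xlsx")):
                findings["decoys"].append(name)

        # An EXE sitting next to a DLL in the same directory is the classic
        # DLL side-loading staging layout.
        for directory, bases in by_dir.items():
            exes = [b for b in bases if b.lower().endswith(".exe")]
            dlls = [b for b in bases if b.lower().endswith(".dll")]
            if exes and dlls:
                findings["sideload_pairs"].append((directory, exes, dlls))
                findings["score"] += WEIGHT_SIDELOAD_PAIR

        # A decoy document alongside a shortcut suggests the LNK is meant to
        # open the document while launching something else.
        if findings["decoys"] and findings["lnk_files"]:
            findings["score"] += WEIGHT_DECOY_WITH_LNK
    return findings


if __name__ == "__main__":
    result = triage_archive(build_sample_archive())
    print(result)
```

Run as a script, it prints the findings for the constructed sample; in a gateway pipeline, `triage_archive` would be called on each attachment or downloaded archive and the score compared against a quarantine threshold tuned to the environment.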