Volexity tracked a China-aligned threat actor dubbed UTA0388 conducting widespread, multilingual spear phishing campaigns from June–September 2025 that delivered archives containing benign executables which loaded a malicious GOVERSHELL DLL via search-order hijacking. Analysis of campaign artifacts, development paths (including Simplified Chinese strings), campaign incoherence, and evidence linking to Proofpoint’s UNK_DropPitch supports the assessment that UTA0388 used LLMs (including OpenAI ChatGPT) to assist in phishing content and malware development. #UTA0388 #GOVERSHELL
Keypoints
- UTA0388 ran dozens of targeted spear phishing campaigns across North America, Asia, and Europe between June and September 2025, often impersonating fabricated senior researchers and organizations.
- Phishing emails led to remotely hosted ZIP/RAR archives (hosted on Netlify, Sync, OneDrive, and actor domains) containing a benign executable and a malicious GOVERSHELL DLL loaded via search order hijacking.
- Volexity identified five distinct GOVERSHELL variants (Early/HealthKick, TE32, TE64, WebSocket, Beacon) with differing C2 methods, persistence via scheduled tasks, and remote command execution capabilities.
- UTA0388 adopted “rapport-building phishing” later in the campaign—initial benign conversation followed by malicious links only after engagement—to reduce exposure of infrastructure and malware.
- Technical artifacts (developer paths with Simplified Chinese, Chinese log strings, and python-docx metadata), campaign incoherence, fabrications, and overlap with Proofpoint’s UNK_DropPitch/HealthKick support Volexity’s high-confidence assessment of LLM usage and China-aligned intent.
- Infrastructure evolved from direct-to-IP C2 to DNS/domain-based C2 with domains impersonating services or referencing Taiwan; actor-hosted domains were consistently proxied via Cloudflare.
- Volexity recommends using listed IOCs and detection rules to identify UTA0388 activity and notes GOVERSHELL remains actively developed and deployed by the actor.
MITRE Techniques
- [T1566] Phishing – UTA0388 used tailored spear phishing emails with clickable images linking to archives: “…an image that was hyperlinked to the following URL: https://aesthetic-donut-1af43s2.netlify[.]app/file/rar”
- [T1204] User Execution – Victims were tricked into running a benign-looking executable inside archives which then loaded a malicious DLL via search order hijacking: “…Inside this file would be a legitimate executable … When executed, this legitimate executable would load a malicious payload in an included Dynamic Link Library (DLL) …”
- [T1574] Hijack Execution Flow (search order hijacking) – The malware used search order hijacking to load malicious DLLs placed adjacent to legitimate binaries: “…search order hijacking which provided operators with the ability to remotely execute commands on infected devices.”
- [T1053] Scheduled Task/Job – GOVERSHELL established persistence using scheduled tasks created on first run (e.g., SystemHealthMonitor, MyGoTask): “A scheduled task named SystemHealthMonitor is created … MyGoTask … is created through Windows’s COM interface.”
- [T1105] Ingress Tool Transfer – Archives were hosted on cloud services (Netlify, OneDrive, Sync) and downloaded by targets: “…phishing content hosted on a cloud-based service that would lead to malware … made use of Netlify … then diversified to use Sync, OneDrive, and their own domains.”
- [T1041] Exfiltration Over C2 Channel (C2 communications) – GOVERSHELL variants communicated with C2 over fake TLS, HTTPS, WebSocket, and encoded GET/POST mechanisms to receive commands and send results: “…Fake TLS … HTTPS POST … WebSocket’s, AES … HTTPS GET, B64 encoded, Jitter, Sleep.”
- [T1112] Modify Registry or Scheduled Task for Persistence – Use of scheduled tasks with specific command-line flags for persistence setup and execution logic: “…includes a command-line flag in that persistence execution, which is required to execute the logic that includes C2 communication.”
- [T1604] Compromise Accounts – Email accounts on webmail providers (ProtonMail, Outlook, Gmail) were used to send phishing messages: “Phishing emails sent by UTA0388 … have all been sent from webmail providers that include ProtonMail, Outlook, and Gmail.”
Indicators of Compromise
- [Domain] phishing hosting and C2 – aesthetic-donut-1af43s2.netlify[.]app, moctw[.]info (actor domains registered, Cloudflare-proxied)
- [File name] archive and DLL structure – example archive path: A_Introduction_Docs_v00546823.rar; malicious DLL: libte64.dll (and te32.dll); benign executables named like “2025 Important Documents and Materials.exe”
- [Malware family] malware attribution – GOVERSHELL (five variants: Early/HealthKick, TE32, TE64, WebSocket, Beacon)
- [Email providers] phishing senders – ProtonMail, Outlook, Gmail (used to send spear phishing emails)
- [Domain] impersonation and actor domains – cdn-apple[.]info, azure-app[.]store, doccloude[.]info, sliddeshare[.]online, windows-app[.]store (and Taiwan-referencing: moctw[.]info, twmoc[.]info)
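An added triage example, written for this summary and not taken from Volexity's post or detection rules: it refangs the domain indicators above, matches hosts (including subdomains) in a constructed proxy log, and flags the archive layout the page describes (a lone executable shipped next to a DLL, with the known GOVERSHELL DLL names called out). The log line format and the sample lines are assumptions.

```python
import re

# Indicators quoted on this page, kept defanged as published and refanged for matching.
IOC_DOMAINS = {
    "aesthetic-donut-1af43s2.netlify[.]app", "moctw[.]info", "twmoc[.]info",
    "cdn-apple[.]info", "azure-app[.]store", "doccloude[.]info",
    "sliddeshare[.]online", "windows-app[.]store",
}
IOC_DLLS = {"libte64.dll", "te32.dll"}  # DLL names named on this page


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as moctw[.]info back into moctw.info."""
    return indicator.replace("[.]", ".")


REFANGED = {refang(d) for d in IOC_DOMAINS}


def matches_ioc_domain(host: str) -> bool:
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in REFANGED)


def triage_archive(entries):
    """Return reasons an archive listing looks like the exe + DLL hijack layout."""
    names = [e.rsplit("/", 1)[-1] for e in entries]
    exes = [n for n in names if n.lower().endswith(".exe")]
    dlls = [n for n in names if n.lower().endswith(".dll")]
    reasons = []
    known = sorted(n for n in dlls if n.lower() in IOC_DLLS)
    if known:
        reasons.append(f"known GOVERSHELL DLL name(s): {', '.join(known)}")
    if exes and dlls:
        reasons.append("executable shipped alongside a DLL in the archive")
    return reasons


# Assumed proxy-log shape: "<timestamp> <client> <host> <path>"; lines are constructed.
LOG_LINE = re.compile(r"^\S+ \S+ (?P<host>\S+) \S+$")
SAMPLE_LOG = [
    "2025-07-01T09:12:03Z 10.0.0.15 aesthetic-donut-1af43s2.netlify.app /file/rar",
    "2025-07-01T09:12:09Z 10.0.0.15 www.example.org /index.html",
    "2025-07-01T09:15:41Z 10.0.0.15 moctw.info /",
]


def scan_proxy_log(lines):
    """Return (line, host) pairs whose host hits an IOC domain."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and matches_ioc_domain(m.group("host")):
            hits.append((line.strip(), m.group("host")))
    return hits
```

The "executable alongside a DLL" signal on its own is weak and is meant as a triage hint to pair with the DLL names and domain hits, not as a standalone verdict.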
Read more: https://www.volexity.com/blog/2025/10/08/apt-meets-gpt-targeted-operations-with-untamed-llms/