UNK_DropPitch
UNK_DropPitch is a China-aligned threat actor tracked by Proofpoint, with overlapping activity tracked by Volexity as UTA0388. The actor conducted targeted phishing campaigns in 2025 against financial investment professionals and analysts at major investment firms specializing in Taiwan’s semiconductor and technology sectors, and was also reported as part of broader targeting related to Taiwan’s semiconductor industry. In reported activity, the actor impersonated fictitious investment firms and used phishing emails to deliver malicious ZIP or RAR archives containing vulnerable executables and malicious DLLs for DLL sideloading. Payloads included the custom backdoor HealthKick, described by Volexity as overlapping with or preceding the Go-based GOVERSHELL family, as well as a simple raw TCP reverse shell. Proofpoint reported HealthKick communicating over TCP port 465 using FakeTLS and XOR encoding, and later activity using a raw TCP reverse shell; Proofpoint also observed deployment of Intel Endpoint Management Assistant (EMA) after initial enumeration when targets were of interest. Volexity reported that overlapping UTA0388 activity used tailored and rapport-building phishing, fabricated personas, and lures in multiple languages including English, Chinese, Japanese, French, and German, while abusing legitimate services such as Netlify, Sync, OneDrive, Proton Mail, Outlook, and Gmail. OpenAI reported that accounts associated with UNK_DropPitch/UTA0388 used ChatGPT to generate phishing content in English, Chinese, and Japanese and to assist malicious workflows; those accounts were banned. Reported targeting also included US academia, US think tanks, and organizations representing Chinese minorities. Known alias: UTA0388.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Financial Services
- Software & Services
Where they target
Geographies tied to known operations.
- 🇹🇼 Taiwan
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
17 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
2 malware families attributed to this actor across reporting.
Observables
39 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Actor observed by Proofpoint targeting Taiwan semiconductor entities with phishing emails delivering the HealthKick backdoor, apparently in parallel with GLITTER CARP activity.
UNK_DropPitch is a Chinese threat actor group known for leveraging AI tools to generate phishing content, automate routine attack tasks, and facilitate remote execution and traffic protection.
UNK_DROPPITCH is a Chinese state-sponsored threat actor using AI services to craft spear-phishing emails targeting high-value sectors and organizations.
An activity cluster (per Proofpoint) overlapping with the UTA0388 campaign activity delivering GOVERSHELL/HealthKick via phishing and DLL side-loading.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.