Mallory
Malware · Used by 3 actors

Voldemort

Voldemort is a custom backdoor observed in China-aligned espionage campaigns. Public reporting links its use to TA415, a cluster overlapping with APT41 / Brass Typhoon / Wicked Panda, and also to a distinct China-aligned cluster tracked by Proofpoint as UNK_FistBump. It was delivered in phishing campaigns, including employment-themed lures targeting Taiwan’s semiconductor ecosystem and earlier campaigns against other sectors. In Proofpoint reporting, campaigns initially delivered Cobalt Strike Beacon and later shifted to Voldemort, including activity in August 2024 and a renewed shift to Voldemort in late May 2025.

A defining characteristic of Voldemort is its use of Google Sheets, via the Google Sheets API, for command and control. Proofpoint noted variants that exfiltrated host information to Google Sheets, including one May 2025 variant that sent host data in plaintext and a later variant that Base64-encoded and RC4-encrypted values using CiscoCollabHost.exe as the RC4 key. The malware was delivered through DLL sideloading chains; one documented chain executed CiscoCollabHost.exe to load CiscoSparkLauncher.dll and install the backdoor. Separate reporting also references China-aligned activity abusing the NVDA component nvdaHelperRemote.dll in campaigns associated with Voldemort-related activity.

The malware has been used against semiconductor design, packaging, manufacturing, testing, and supply-chain organizations in Taiwan, as well as HR and recruiting personnel at those firms. Proofpoint assessed the broader campaigns as espionage-motivated and tied to China’s strategic interest in semiconductor intelligence and self-sufficiency. High-confidence associations in that reporting include phishing delivery, DLL sideloading, Google Sheets-based C2, overlap with TA415/APT41-linked tradecraft, and use by UNK_FistBump in campaigns that also deployed Cobalt Strike.
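As an added example (not code from Proofpoint, Mallory, or the malware itself), the following Python decoder shows how an analyst can normalize the host-information values the reporting describes being written to the C2 sheet: the earlier variant wrote plaintext, the later variant wrote values that were Base64-encoded and RC4-encrypted with the string CiscoCollabHost.exe as the key. Two details are assumptions, not statements from the page: that the key is used as its raw ASCII bytes, and that RC4 is applied before Base64 encoding. All sample cell values are constructed here and are not real exfiltrated data.

```python
"""Decode Voldemort-style Google Sheets cell values (added example, not the
malware's or any vendor's code).

Facts taken from the reporting: one variant wrote host data in plaintext; a later
variant wrote values that were Base64-encoded and RC4-encrypted with the string
"CiscoCollabHost.exe" as the RC4 key.
Assumptions made here: the key is used as raw ASCII bytes, and RC4 is applied
first, then Base64 (so decoding is Base64-decode, then RC4).
"""
import base64
import binascii

RC4_KEY = b"CiscoCollabHost.exe"  # key named in public reporting on the later variant


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: one call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _readable(text: str) -> bool:
    """True when every character is printable or whitespace (host info may span lines)."""
    return bool(text) and all(c.isprintable() or c.isspace() for c in text)


def encode_cell(plaintext: str, key: bytes = RC4_KEY) -> str:
    """Build a cell value in the later variant's layout (RC4 then Base64).
    Used here only to construct test data for the decoder."""
    return base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")


def decode_cell(value: str, key: bytes = RC4_KEY) -> tuple[str, str]:
    """Return (variant, decoded_text).

    variant is "rc4-b64" when the value Base64-decodes and RC4-decrypts to readable
    text, "plaintext" when the cell was written unencoded (the earlier variant), or
    "unknown" when neither interpretation yields readable text.
    """
    try:
        raw = base64.b64decode(value, validate=True)
        decoded = rc4(key, raw).decode("utf-8")
        if _readable(decoded):
            return "rc4-b64", decoded
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass  # not a valid Base64/RC4 cell; fall through to the plaintext check
    if _readable(value):
        return "plaintext", value
    return "unknown", value


# Constructed sample rows (cell value, note). Not real exfiltrated data.
SAMPLE_CELLS = [
    ("WS-ANALYST01", "earlier variant: plaintext hostname"),
    (encode_cell("WS-ANALYST01\nCORP\\jdoe"), "later variant: RC4 + Base64 host info"),
]


def decode_all(cells=SAMPLE_CELLS):
    """Decode every sample cell; returns a list of ((variant, text), note)."""
    return [(decode_cell(value), note) for value, note in cells]


if __name__ == "__main__":
    for (variant, text), note in decode_all():
        print(f"{variant:9} {text!r}  <- {note}")
```

Because the decoder tries the encrypted interpretation first, a short plaintext value that happens to be valid Base64 could in principle decrypt to readable junk; in practice the RC4 keystream makes that unlikely, and the variant label lets an analyst spot and review any such row. The same `rc4()` routine applies to any other RC4-keyed artifact named in the reporting once the key is known.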

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

APT41

Following multiple phishing campaigns resulting in the delivery of the Voldemort backdoor in August 2024, Proofpoint observed TA415 shift tactics, techniques and procedures (TTPs) and adopt the use of VS Code Remote Tunnels.

via Proofpoint Threat Insight blog (proofpoint.com)
APT17

Following multiple phishing campaigns resulting in the delivery of the Voldemort backdoor in August 2024, Proofpoint observed TA415 shift tactics, techniques and procedures (TTPs) and adopt the use of VS Code Remote Tunnels.

via Proofpoint Threat Insight blog (proofpoint.com)
UNK_FistBump

...shifted to delivery of the custom Voldemort backdoor in late May 2025... executes ... CiscoCollabHost.exe ... loads ... CiscoSparkLauncher.dll... delivery of the custom Voldemort backdoor, which uses Google Sheets for command and control (C2).

via Proofpoint Threat Insight blog (proofpoint.com)
MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566.001 Spearphishing Attachment (Evidence: 2)

Chinese state-aligned hackers have ramped up espionage efforts against Taiwan's semiconductor ecosystem through spear-phishing campaigns... UNK_FistBump used job-themed lures, posing as graduate students applying for positions. The attackers sent phishing emails from compromised Taiwanese university email accounts to HR and recruiting teams at semiconductor companies. Attached documents led to malware-laced ZIP or PDF files hosted on file-sharing platforms such as Zendesk and Filemail.

T1566.002 Spearphishing Link (Evidence: 2)

Throughout July and August 2025, TA415 conducted spearphishing campaigns targeting United States government, think tank, and academic organizations utilizing U.S.-China economic-themed lures.

Execution

3 techniques
T1059.005 Visual Basic (Evidence: 1)
Tactic: Execution

“...runs a VBS script Store.vbs…” / “Execution… runs another VBS file also called Store.vbs…”

T1204 User Execution (Evidence: 1)
Tactic: Execution

“Execution of the… LNK file… runs a VBS script… [and] opens a decoy document…” / “Upon execution… scheduled task… created…”

T1204.002 Malicious File (Evidence: 1)
Tactic: Execution

“These infection chains were initially triggered by distinct Microsoft Shortcut (LNK) files.” / “... [PDF] Introduction Document-2025.4.25.lnk”

Stealth

1 technique
T1140 Deobfuscate/Decode Files or Information (Evidence: 1)
Tactic: Stealth

“...decrypts the RC4-encrypted Cobalt Strike Beacon payload from the rc4.log file using the key qwxsfvdtv…” / “...Base64-encoded and RC4-encrypted… using… CiscoCollabHost.exe as the RC4 key…” / “...payload which is XOR encoded with the key mysecretkey.”

Command and Control

3 techniques
T1071 Application Layer Protocol (Evidence: 1)

The malware used DLL sideloading techniques and, in some cases, Google Sheets as a command-and-control channel... The malware communicated with C2 servers over TCP port 465 using FakeTLS and XOR encryption.

T1071.001 Web Protocols (Evidence: 2)

The malware used DLL sideloading techniques and, in some cases, Google Sheets as a command-and-control channel.

T1090.002 External Proxy (Evidence: 1)

The malware used DLL sideloading techniques and, in some cases, Google Sheets as a command-and-control channel.

INDICATORS OF COMPROMISE

IOCs tracked for this family

14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
12 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
1 tracked

Other indicator types observed in public reporting.

Type          Value (redacted on the public page)   Latest sighting
domain        ●●●●●●●●●●●●                          11 months ago
hash.sha256   ●●●●●●●●●●●●                          11 months ago
hash.sha256   ●●●●●●●●●●●●                          11 months ago
hash.sha256   ●●●●●●●●●●●●                          11 months ago
hash.sha256   ●●●●●●●●●●●●                          11 months ago
hash.sha256   ●●●●●●●●●●●●                          11 months ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (14)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (3)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (9)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.