Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

FBI Issues Alert on Use of Chinese Tax Software

The Federal Bureau of Investigation has issued an alert to inform organizations in the United States of the risk associated with the use of Chinese tax software.

The Federal Bureau of Investigation has issued an alert to inform organizations in the United States of the risk associated with the use of Chinese tax software.

In late June, security researchers at Trustwave published a report on a piece of malware that was dropped into the environment of an organization doing businesses in China through tax software that is mandatory in the country.

The threat, which Trustwave named GoldenSpy, was delivered to an organization via software from the Golden Tax Department of Aisino Corporation, and it appears to have been in use since 2016. Once installed, it provides SYSTEM-level backdoor access to the network.

Within days after the initial report was published, an uninstaller was delivered to compromised organizations through the update service of the tax software, and all traces of GoldenSpy were erased.

Weeks later, Trustwave published information on another piece of malware deployed through mandatory tax software onto the networks of organizations doing business in China. Referred to as GoldenHelper and dated prior to GoldenSpy, this malware family was dropped by software from Baiwang.

Last week, the FBI issued an alert to warn healthcare, chemical, and finance organizations in the United States of “potential targeting activity by the Chinese government against their business and operational components based in China.”

The alert points out that tax software provided by Chinese banks to at least two Western organizations doing business in the country would install a backdoor supposedly allowing “cyber actors to preposition to conduct remote code execution and exfiltration activities on the victim’s network.”

The FBI notes that all foreign companies in China might be at risk, and that the US healthcare and chemical industries have long been targeted by Chinese cyber spies.

“Pharmaceutical companies form a critical interdependency between the manufacturing components of the chemical sector and the supply chain of the Healthcare and Public Health Sector. Compromise of the pharmaceutical supply chain provides malicious actors opportunities for theft of US intellectual property, while public disclosure can cause cascading effects including loss of public trust in both chemical and healthcare institutions,” the alert reads.

The FBI underlines that the use of software from Baiwang and Aisino, the only tax software service providers authorized to operate the value added tax (VAT) system in China, represents a risk to US organizations, especially in the light of Trustwave’s discoveries.

The alert also contains indicators of compromise (IoC) and recommendations on how organizations can mitigate such intrusions. The FBI plans on publishing a more detailed technical analysis at a later date.

Related: Researchers Find More Malware Delivered via Chinese Tax Software

Related: ‘GoldenSpy’ Malware Hidden In Chinese Tax Software

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.