A malware analysis report published on Monday by the U.S. Department of Defense, the Cybersecurity and Infrastructure Security Agency (CISA), and the FBI officially attributes a piece of malware named Taidoor to threat actors sponsored by the Chinese government.
Taidoor, also tracked by some as Taurus RAT, has been around since at least 2008. In 2012, Trend Micro reported that the malware had been used in targeted attacks aimed at government organizations in Taiwan. Taidoor was used at the time by threat actors to operate a shell on compromised devices, and download and upload files.
In 2013, FireEye published a report on Taidoor being used in cyber espionage campaigns aimed at government agencies, think tanks and companies, particularly ones with an interest in Taiwan.
While there was some evidence at the time suggesting that China was behind the attacks involving Taidoor, the U.S. government has now officially said that the malware, which it describes as a remote access trojan (RAT), is “used by Chinese government cyber actors.”
“FBI has high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation,” the report reads.
The United States Cyber Command has uploaded four Taidoor samples to Google’s VirusTotal service. While two of the samples are currently detected by over 30 of the 59 anti-malware engines on VirusTotal, two of them are only detected by 9 engines.
The report published by the U.S. agencies includes technical details on how the malware works, as well as information that can be used by organizations to identify and block attacks involving Taidoor.
USCYBERCOM started sharing malware samples with the cybersecurity industry in November 2018. A majority of the samples it has shared to date have been linked to North Korean threat actors, and some have been attributed to Russian and Iranian hacking groups. It appears that the Taidoor samples are the first Chinese malware samples shared by the agency.
Related: U.S. Government Details ELECTRICFISH Malware Used by North Korea
Related: U.S. Government Shares Details of FALLCHILL Malware Used by North Korea

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation
- Thousands Access Fake DDoS-for-Hire Websites Set Up by UK Police
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
Latest News
- Microsoft Puts ChatGPT to Work on Automating Cybersecurity
- Video: How to Build Resilience Against Emerging Cyber Threats
- Nigerian BEC Scammer Sentenced to Prison in US
- China’s Nuclear Energy Sector Targeted in Cyberespionage Campaign
- SecurityScorecard Guarantees Accuracy of Its Security Ratings
- ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation
- 14 Million Records Stolen in Data Breach at Latitude Financial Services
- Webinar Today: Understanding Hidden Third-Party Identity Access Risks
