China-Aligned APT UTA0388 Uses ChatGPT to Craft Spear-Phishing Emails and Develop Malware
Volexity reveals that China-aligned threat actor UTA0388 has been using OpenAI's ChatGPT to assist in spear-phishing campaigns and malware development, targeting organizations across North America, Asia, and Europe since June 2025.

Starting in June 2025, Volexity detected a series of spear-phishing campaigns targeting organizations in North America, Asia, and Europe. The threat actor, tracked as UTA0388, used tailored emails purporting to be from senior researchers at fabricated organizations to socially engineer victims into downloading malicious payloads. Over three months, Volexity observed dozens of campaigns with varying themes and fictional sender identities, expanding to emails in English, Chinese, Japanese, French, and German.
The initial emails often contained a link to phishing content hosted on cloud services, leading to a ZIP or RAR archive. Inside was a legitimate executable that, when run, loaded a malicious DLL via search order hijacking, deploying the GOVERSHELL malware. Volexity has identified five distinct variants of GOVERSHELL, which is used exclusively by UTA0388 and remains under active development.
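The delivery pattern described above (an archive containing a legitimate, signed-looking executable plus a DLL that the executable resolves from its own directory before the system directory) is something a mail gateway or sandbox triage script can flag before a user ever runs it. The following is an added example written for this summary, not code from Volexity or from the report: it builds a constructed ZIP in memory that mimics the lure layout and scans it for executables that have a DLL sitting in the same directory. The `SYSTEM_DLL_NAMES` set is an illustrative assumption (DLL names that normally live in the Windows system directory); the archive contents and file names are constructed for the example.

```python
import io
import posixpath
import zipfile
from collections import defaultdict

# Illustrative set of DLL names an executable would normally load from the
# Windows system directory. A copy shipped beside the EXE is the stronger
# search-order-hijacking signal. Assumption for this example, not from the report.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll"}


def find_sideload_candidates(archive_bytes):
    """Return (exe_path, dll_path, high_confidence) for every executable in the
    archive that has a DLL co-located in the same directory.

    high_confidence is True when the DLL's file name collides with a name the
    EXE would otherwise resolve from the system directory."""
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):          # directory entry, nothing to classify
                continue
            directory, base = posixpath.split(name)
            lower = base.lower()
            if lower.endswith(".exe"):
                by_dir[directory]["exe"].append(name)
            elif lower.endswith(".dll"):
                by_dir[directory]["dll"].append(name)

    hits = []
    for entries in by_dir.values():
        for exe in entries["exe"]:
            for dll in entries["dll"]:
                strong = posixpath.basename(dll).lower() in SYSTEM_DLL_NAMES
                hits.append((exe, dll, strong))
    return hits


def build_sample_archive(include_dll=True):
    """Constructed sample archive mimicking the lure layout: a viewer EXE, an
    optional DLL beside it, and a decoy document. Payload bytes are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Research_Brief/Viewer.exe", b"MZ placeholder executable")
        if include_dll:
            zf.writestr("Research_Brief/version.dll", b"MZ placeholder dll")
        zf.writestr("Research_Brief/brief.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("clean/notes.txt", b"no executables here")
    return buf.getvalue()


if __name__ == "__main__":
    for exe, dll, strong in find_sideload_candidates(build_sample_archive()):
        print(f"{exe} + {dll} -> {'HIGH' if strong else 'MEDIUM'}")
```

The check deliberately keys on layout rather than on file hashes: GOVERSHELL has five variants and is still being developed, so a hash-based rule ages quickly, while "EXE and DLL in the same archive directory" survives a rebuild of the payload. A medium-confidence hit (DLL name not in the allowlist) still deserves a detonation or an analyst look, since the hijacked name can be anything the executable imports.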
In a shift starting August 2025, UTA0388 adopted "rapport-building phishing." Instead of sending malware immediately, they engaged targets in conversation over several emails before delivering the malicious link. This technique allowed them to build trust and increase the likelihood of infection.
Volexity assesses with high confidence that UTA0388 employed Large Language Models (LLMs), including OpenAI's ChatGPT, to assist with spear-phishing and malware development. This assessment is based on nonsensical operational decisions in the campaigns, the high tempo of operations, and the variety of themes. OpenAI's October 2025 report confirmed that UTA0388 leveraged ChatGPT for these purposes.
UTA0388 is the same actor Proofpoint tracks as UNK_DropPitch, described in a July 2025 blog post. Proofpoint reported a malware family called HealthKick, which Volexity identifies as the earliest GOVERSHELL variant. Overlap in command-and-control infrastructure and email addresses further links the two reports.
The use of AI by state-aligned threat actors marks a significant evolution in cyber operations. By automating aspects of social engineering and malware development, attackers can scale their campaigns and reduce the time between ideation and execution. This trend underscores the need for defenders to adapt their detection and response strategies to counter AI-assisted threats.
Organizations should enhance email security, implement multi-factor authentication, and educate users about sophisticated spear-phishing techniques. As AI tools become more accessible, the line between human and machine-generated attacks will continue to blur, requiring continuous vigilance and innovation in cybersecurity defenses.