
China Hackers Target US Nonprofit

November 10, 2025

A hacking campaign linked to China successfully infiltrated a U.S. nonprofit organization that is active in shaping U.S. government policy on international matters. This intrusion, which occurred in April 2025, aligns with a broader pattern of Chinese state-sponsored actors showing sustained interest in U.S. entities tied to policy and geopolitical issues. According to a report by Broadcom’s Symantec, the attackers maintained unauthorized access for several weeks, indicating a clear determination to establish persistence and secure long-term access to the victim’s network.

The attack commenced on April 5, 2025, with a mass scan targeting a server using multiple well-known public exploits, including those for Log4j and Atlassian OGNL. The core offensive activity resumed on April 16, beginning with reconnaissance. The attackers used repeated curl commands to test connectivity to external sites and an internal host. Following this, they ran netstat to enumerate network connections before establishing a persistent scheduled task named \Microsoft\Windows\Ras\Outbound. This task was set to run hourly, executing msbuild.exe, most likely to inject code into csc.exe and establish a connection to a command-and-control (C2) server. A custom loader was also deployed at this time, executing an encrypted payload, likely a Remote Access Trojan (RAT), directly into memory.

A critical technique employed by the threat actors was DLL sideloading, leveraging a legitimate signed component of VipreAV, vetysafe.exe, to load a malicious DLL named sbamres.dll. DLL sideloading is a stealthy method that exploits the Windows DLL search order to execute malicious code using a trusted application. This specific tactic of abusing the VipreAV component is strongly linked to other China-associated actors like Space Pirates and subgroups of APT41, such as Kelp. This shared technique reinforces the attribution and suggests the use of tools, such as the Deed RAT (aka Snappy Bee), that are known to be circulated among multiple Chinese hacking groups.
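As an added illustration (not code from the article or from Symantec), the following Python sketches how a defender might turn the behaviours described in the two paragraphs above (the hourly \Microsoft\Windows\Ras\Outbound task running msbuild.exe, msbuild.exe injecting into csc.exe, and vetysafe.exe sideloading sbamres.dll) into detection rules run over Sysmon-style events. The event records are constructed for the example; the field names follow Sysmon naming, and the Program Files path check is an assumption about where a legitimate VIPRE install would live.

```python
"""Detection rules for the TTPs described above, run over constructed
sample events (field names follow Sysmon; records are not real telemetry)."""
import ntpath

# Constructed sample events: three malicious, one benign (legitimate VIPRE load).
EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /sc hourly /tn "\Microsoft\Windows\Ras\Outbound" '
                     r'/tr "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Users\Public\p.proj"'},
    {"event_id": 8, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe",
     "target_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"event_id": 7, "image": r"C:\Users\Public\vetysafe.exe",
     "image_loaded": r"C:\Users\Public\sbamres.dll", "signature_status": "Unavailable"},
    {"event_id": 7, "image": r"C:\Program Files\VIPRE\vetysafe.exe",
     "image_loaded": r"C:\Program Files\VIPRE\sbamres.dll", "signature_status": "Valid"},
]

def base(path):
    return ntpath.basename(path).lower()

def rule_ras_outbound_task(e):
    """Sysmon 1: schtasks creating \\Microsoft\\Windows\\Ras\\Outbound with an msbuild.exe action."""
    if e.get("event_id") != 1 or base(e.get("image", "")) != "schtasks.exe":
        return False
    cl = e.get("command_line", "").lower()
    return "\\microsoft\\windows\\ras\\outbound" in cl and "msbuild.exe" in cl

def rule_msbuild_into_csc(e):
    """Sysmon 8 (CreateRemoteThread): msbuild.exe opening a thread in csc.exe."""
    return (e.get("event_id") == 8 and base(e.get("image", "")) == "msbuild.exe"
            and base(e.get("target_image", "")) == "csc.exe")

def rule_vipre_sideload(e):
    """Sysmon 7: vetysafe.exe loading sbamres.dll that is unsigned or outside Program Files."""
    if e.get("event_id") != 7 or base(e.get("image", "")) != "vetysafe.exe":
        return False
    dll = e.get("image_loaded", "")
    if base(dll) != "sbamres.dll":
        return False
    # Assumption: a legitimate VIPRE install lives under Program Files.
    in_program_files = dll.lower().startswith(("c:\\program files\\", "c:\\program files (x86)\\"))
    return e.get("signature_status") != "Valid" or not in_program_files

RULES = {"ras_outbound_task": rule_ras_outbound_task,
         "msbuild_into_csc": rule_msbuild_into_csc,
         "vipre_sideload": rule_vipre_sideload}

def run_rules(events):
    """Return (rule_name, event_index) pairs for every event a rule matches."""
    return [(name, i) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]
```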

As part of the attackers' efforts to maximize control of the network while remaining undetected, security teams observed activity indicative of DCSync-like attacks and the use of Imjpuexc, a Microsoft file associated with East Asian input methods, to mask their actions. DCSync-like activity involves attempts to remotely harvest password data from domain controllers, which would grant the attackers the credentials needed to spread across a wider range of machines on the network. This focus on domain controllers further illustrates the attackers' intent to secure a persistent and widespread presence, giving them potential access to sensitive organizational data.

All observable malicious activity ceased after April 16, 2025. This intrusion underscores the persistent espionage focus of China-linked groups, whose mission often involves monitoring and gathering intelligence on foreign governments’ attitudes and policies toward China. The attackers’ methodical actions, from initial compromise and testing to establishing long-term persistence and attempting to compromise domain controllers, make it clear their primary objective was to maintain a stealthy foothold for future intelligence-gathering operations.

Reference:

  • China Linked Hackers Target US Nonprofit In Long Term Espionage Campaign