Chinese Hackers Seek to Sway U.S. Government Policy on Global Affairs

A recent attack against a U.S.-based non-profit organization has revealed a renewed and ongoing focus by Chinese state-aligned threat actors on entities involved in influencing U.S. government policy.

The intrusion, which took place over several weeks in April 2025, highlights not only the advanced tactics, techniques, and procedures (TTPs) employed by these groups but also their intent to achieve stealthy, long-term persistence within targeted networks.

Evidence suggests that the attack leveraged a range of methods previously linked to established Chinese groups, including APT41, Kelp (also known as Salt Typhoon), and Space Pirates.

These groups are known for sharing malware and tools, making technical attribution increasingly challenging.

The incident began with a large-scale scan using known exploits, including Atlassian OGNL Injection (CVE-2022-26134), Log4j (CVE-2021-44228), Apache Struts (CVE-2017-9805), and GoAhead RCE (CVE-2017-17562), to identify and compromise vulnerable servers.

Technical Attack Chain: Tool Sharing and Persistence

The attackers initiated connectivity checks to external sites using repeated curl commands before shifting their focus to internal systems. Network enumeration followed, using netstat to map active connections; scheduled tasks were then created to maintain persistence.

They created a scheduled task running as SYSTEM that executes msbuild.exe with an outbound.xml file. This approach, which abuses the legitimate Microsoft .NET Framework build utility, enabled the loading and execution of additional stealthy payloads.
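The persistence pattern just described (a SYSTEM task whose action is msbuild.exe building a project-style XML file) can be hunted for in Task Scheduler exports. The following is an added detection example, not code from the report or from any vendor: it parses the standard Task Scheduler XML format and scores a task on the combination of principal, command and argument. Both task definitions below are constructed samples; the outbound.xml path and the user SID are placeholders, not values from the intrusion.

```python
"""Flag exported Task Scheduler definitions that run as SYSTEM and launch
msbuild.exe on a project file. Added example; the task XML samples are
constructed, not taken from the report."""
import re
import xml.etree.ElementTree as ET

# Identities that mean "runs as LocalSystem" in a task's <Principal>.
SYSTEM_IDENTITIES = {"s-1-5-18", "system", "nt authority\\system"}


def _local_name(tag: str) -> str:
    """Drop the Task Scheduler XML namespace so elements can be matched by name."""
    return tag.rsplit("}", 1)[-1].lower()


def _first_text(root: ET.Element, name: str) -> str:
    """Text of the first element whose local name matches, or '' if absent."""
    for el in root.iter():
        if _local_name(el.tag) == name and el.text:
            return el.text.strip()
    return ""


def analyze_task_xml(xml_text: str) -> dict:
    """Score one task definition and list the reasons behind the score."""
    root = ET.fromstring(xml_text)
    user_id = _first_text(root, "userid").lower()
    command = _first_text(root, "command")
    arguments = _first_text(root, "arguments")

    exe = re.split(r"[\\/]", command.strip('"'))[-1].lower()
    runs_as_system = user_id in SYSTEM_IDENTITIES
    uses_msbuild = exe == "msbuild.exe"
    # MSBuild executes inline tasks from any project-style XML, so a .xml or
    # .*proj argument is treated as a potential payload carrier.
    project = re.search(r"\S+\.(?:xml|\w*proj)\b", arguments, re.I)

    reasons = []
    if runs_as_system:
        reasons.append(f"principal is SYSTEM ({user_id})")
    if uses_msbuild:
        reasons.append("action launches msbuild.exe")
    if uses_msbuild and project:
        reasons.append(f"msbuild target is {project.group(0)}")

    if runs_as_system and uses_msbuild and project:
        severity = "high"
    elif uses_msbuild:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons}


# Constructed sample: the shape of the task described in the report.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe</Command>
      <Arguments>C:\Users\Public\outbound.xml</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: an ordinary user-level maintenance task.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-21-1111111111-2222222222-3333333333-1001</UserId>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Scripts\nightly-backup.cmd</Command>
      <Arguments>/quiet</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, analyze_task_xml(xml_text))
```

In practice the XML comes from `schtasks /query /xml` or from the files under the Windows Tasks directory; the scoring treats SYSTEM plus msbuild.exe plus a project file as high, msbuild.exe alone as worth a look, and anything else as noise.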

A notable aspect was the use of DLL sideloading, specifically the abuse of the legitimate VipreAV component vetysafe.exe to load a malicious DLL named sbamres.dll. This TTP has been documented in campaigns by Kelp, Space Pirates, and the APT41 subgroup Earth Longzhi.
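Sideloading of this kind leaves a recognisable trace in image-load telemetry: a signed vendor executable, running from a user-writable directory, loads an unsigned DLL from the same directory. The following added detection example (not code from the report) scores Sysmon Event ID 7 style records on that heuristic and on the vetysafe.exe / sbamres.dll pair named above. All four events are constructed; the file locations and the "ExampleAV" install directory are placeholders.

```python
"""Score image-load telemetry (Sysmon Event ID 7 style records) for DLL
sideloading, including the vetysafe.exe -> sbamres.dll pair from the report.
Added example; the events below are constructed, not telemetry from the intrusion."""

# Host binary / DLL pairs the report associates with this intrusion.
KNOWN_SIDELOAD_PAIRS = {("vetysafe.exe", "sbamres.dll")}

# Where installed software normally lives. A copy of a signed vendor binary
# running from outside these roots is the classic sideloading setup.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _split(path: str):
    """Return (directory, filename), both lower-case, for a Windows path."""
    norm = path.replace("/", "\\").lower()
    head, _, tail = norm.rpartition("\\")
    return head, tail


def score_image_load(event: dict) -> dict:
    """Severity and reasons for one event with keys image, image_loaded,
    host_signed and dll_signed."""
    host_dir, host_name = _split(event["image"])
    dll_dir, dll_name = _split(event["image_loaded"])
    reasons = []

    known_pair = (host_name, dll_name) in KNOWN_SIDELOAD_PAIRS
    same_dir = host_dir == dll_dir
    untrusted_dir = not (dll_dir + "\\").startswith(TRUSTED_ROOTS)
    unsigned_dll = not event.get("dll_signed", False)
    signed_host = bool(event.get("host_signed", False))

    if known_pair:
        reasons.append(f"{host_name} loading {dll_name} matches a reported sideload pair")
    if signed_host and unsigned_dll and same_dir:
        reasons.append("signed host loaded an unsigned DLL from its own directory")
    if untrusted_dir:
        reasons.append(f"DLL loaded from user-writable location {dll_dir}")

    if known_pair and (untrusted_dir or unsigned_dll):
        severity = "high"
    elif known_pair or (signed_host and unsigned_dll and same_dir and untrusted_dir):
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons,
            "image": event["image"], "image_loaded": event["image_loaded"]}


def scan_image_loads(events):
    """Return scored events that warrant analyst attention, highest severity first."""
    order = {"high": 0, "medium": 1}
    hits = [r for r in (score_image_load(e) for e in events) if r["severity"] != "none"]
    return sorted(hits, key=lambda r: order[r["severity"]])


# Constructed sample events.
SAMPLE_EVENTS = [
    {   # vendor binary copied next to a malicious DLL inside a user profile
        "image": r"C:\Users\alice\ldap_write\Documents\vetysafe.exe",
        "image_loaded": r"C:\Users\alice\ldap_write\Documents\sbamres.dll",
        "host_signed": True, "dll_signed": False,
    },
    {   # same pair from a placeholder install directory, both signed
        "image": r"C:\Program Files\ExampleAV\vetysafe.exe",
        "image_loaded": r"C:\Program Files\ExampleAV\sbamres.dll",
        "host_signed": True, "dll_signed": True,
    },
    {   # generic sideload: signed tool plus unsigned version.dll in Temp
        "image": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
        "image_loaded": r"C:\Users\bob\AppData\Local\Temp\version.dll",
        "host_signed": True, "dll_signed": False,
    },
    {   # ordinary operating-system activity
        "image": r"C:\Windows\System32\svchost.exe",
        "image_loaded": r"C:\Windows\System32\ntdll.dll",
        "host_signed": True, "dll_signed": True,
    },
]

if __name__ == "__main__":
    for hit in scan_image_loads(SAMPLE_EVENTS):
        print(hit["severity"], hit["image"], "->", hit["image_loaded"], hit["reasons"])
```

The known pair is treated as high only when the load also looks wrong (unsigned DLL or a user-writable directory); the same pair loaded from an install directory with a valid signature is surfaced at medium so a genuine product install can be triaged rather than auto-blocked.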

The sharing of this loader further blurs the lines of attribution. The suspected delivery of a remote access tool (RAT) was observed via a custom loader and msbuild.exe, with communications established toward a command-and-control server (hxxp://38.180.83[.]166).

Another tool, Imjpuexc (a legitimate Microsoft utility for East Asian keyboard input), and a likely version of Dcsync were deployed.

The latter impersonates a domain controller to request replication of account credentials, underscoring the attackers' desire for deeper lateral movement and credential harvesting.
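Because a DCSync request is a directory replication call, it is audited on the domain controller as Security event 4662 carrying a DS-Replication-* control-access right; any requester that is not a domain controller (or an approved sync account) is the signal. The following added detection example, not code from the report, applies that rule to constructed 4662 records. The allow-list of DC accounts and every event value are placeholders; the three replication-right GUIDs are the standard Active Directory values.

```python
"""Find DCSync-style replication requests in Windows Security event 4662
records: a control-access audit carrying a DS-Replication-* right, requested
by an account that is not a known domain controller. Added example; the events
are constructed, not logs from the report."""

# Control-access-right GUIDs that authorise directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts that legitimately replicate: DC computer accounts plus any approved
# sync service. Constructed allow-list; maintain it from AD in practice.
EXPECTED_REPLICATORS = {"DC01$", "DC02$"}


def find_dcsync(events, expected=EXPECTED_REPLICATORS):
    """Return one alert per 4662 event that looks like an unexpected replication request."""
    alerts = []
    for ev in events:
        if ev.get("event_id") != 4662:
            continue
        props = ev.get("properties", "").lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if not rights:
            continue
        # 4662 records replication as a Control Access operation (mask 0x100);
        # skip events whose mask says otherwise, keep those with no mask field.
        mask = ev.get("access_mask")
        if mask is not None and int(mask, 16) != 0x100:
            continue
        actor = ev.get("subject_user", "")
        if actor in expected:
            continue
        full_dump = "DS-Replication-Get-Changes-All" in rights
        alerts.append({
            "subject_user": actor,
            "subject_domain": ev.get("subject_domain", ""),
            "object": ev.get("object_name", ""),
            "rights": rights,
            "note": ("Get-Changes-All requested: secrets can be replicated"
                     if full_dump else "partial replication right requested"),
        })
    return alerts


# Constructed sample events in the shape of parsed 4662 / 4624 records.
SAMPLE_EVENTS = [
    {   # a real domain controller replicating: expected
        "event_id": 4662, "subject_user": "DC02$", "subject_domain": "CORP",
        "access_mask": "0x100", "object_name": "DC=corp,DC=example",
        "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # a service account asking for full replication: the DCSync signal
        "event_id": 4662, "subject_user": "svc_backup", "subject_domain": "CORP",
        "access_mask": "0x100", "object_name": "DC=corp,DC=example",
        "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # a 4662 on an unrelated property GUID (placeholder value): ignore
        "event_id": 4662, "subject_user": "alice", "subject_domain": "CORP",
        "access_mask": "0x100", "object_name": "CN=alice,OU=Staff,DC=corp,DC=example",
        "properties": "{00000000-0000-0000-0000-000000000000}",
    },
    {   # a logon event: wrong event id
        "event_id": 4624, "subject_user": "svc_backup", "subject_domain": "CORP",
    },
]

if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_EVENTS):
        print(alert)
```

The allow-list is the part that needs care: every domain controller computer account must be present, and a sync product with delegated replication rights belongs there too, otherwise the rule will page on routine replication.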

Geopolitical Context: Strategic Espionage for Policy Influence

This attack is consistent with China’s broader espionage objectives: monitoring foreign sentiment and influencing policies that affect Chinese interests.

The intrusion drew on tooling shared across multiple high-profile Chinese APTs, namely APT41, Kelp, and Space Pirates, leveraging those shared resources and sophisticated techniques to evade detection and maintain persistence.

The incident underscores China’s continued interest in entities that influence U.S. government policy, particularly those involved in international affairs. By targeting domain controllers and leveraging a toolkit of both custom and shared malware, these actors aim to gain strategic insights and maintain political leverage.

Key indicators of compromise linked to these operations include the hashes for Imjpuexc, msoutbound, sbamres.dll, Dcsync (mmp.exe), vetysafe.exe, and msascui.exe, each mapped to specific stages of the attack and associated with prior campaigns.

The attack also continues a trend of collaborative tool development across Chinese espionage groups, demonstrating an evolving threat landscape and a sustained interest in American policy-shaping organizations.

Indicators of compromise

51ffcff8367b5723d62b3e3108e38fb7cbf36354e0e520e7df7c8a4f52645c4d – Imjpuexc – csidl_profile\documents\imjpuexc.exe

6f7f099d4c964948b0108b4e69c9e81b5fc5ff449f2fa8405950d41556850ed9 – Unknown – csidl_profile\documents\msoutbound

99a0b424bb3a6bbf60e972fd82c514fd971a948f9cedf3b9dc6b033117ecb106 – Same hash also reportedly linked to Space Pirates activity – csidl_profile\ldap_write\documents\sbamres.dll

dae63db9178c5f7fb5f982fbd89683dd82417f1672569fef2bbfef83bec961e2 – Dcsync – csidl_profile\downloads\mmp.exe
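The indicator list above is written as `sha256 – label – path`, with `csidl_profile` standing for the user's profile folder. The following added example (not code from the report) parses those four lines exactly as published, expands the placeholder into a pattern that matches any profile under `\Users`, and checks a file inventory against them: a hash match is high confidence, while the expected path holding a file with a different hash is a medium-confidence hint that a rebuilt sample may be present. The inventory records are constructed.

```python
"""Turn the report's indicator list into a checkable rule set and run a file
inventory of (path, sha256) records against it. Added example; the inventory
records are constructed, the indicator lines are copied from the report."""
import re

# Indicator lines copied verbatim from the report: sha256 – label – path.
IOC_TEXT = r"""
51ffcff8367b5723d62b3e3108e38fb7cbf36354e0e520e7df7c8a4f52645c4d – Imjpuexc – csidl_profile\documents\imjpuexc.exe
6f7f099d4c964948b0108b4e69c9e81b5fc5ff449f2fa8405950d41556850ed9 – Unknown – csidl_profile\documents\msoutbound
99a0b424bb3a6bbf60e972fd82c514fd971a948f9cedf3b9dc6b033117ecb106 – Same hash also reportedly linked to Space Pirates activity – csidl_profile\ldap_write\documents\sbamres.dll
dae63db9178c5f7fb5f982fbd89683dd82417f1672569fef2bbfef83bec961e2 – Dcsync – csidl_profile\downloads\mmp.exe
"""


def csidl_to_regex(path: str):
    """Compile a report path into a regex; csidl_profile becomes any profile under \\Users."""
    pattern = re.escape(path.lower()).replace(
        re.escape("csidl_profile"), r"[a-z]:\\users\\[^\\]+")
    return re.compile(pattern)


def parse_iocs(text: str):
    """Return [{"sha256", "label", "path_re"}] from lines in the report's format."""
    iocs = []
    for line in text.splitlines():
        parts = re.split(r"\s+[–-]\s+", line.strip(), maxsplit=2)
        if len(parts) != 3 or not re.fullmatch(r"[0-9a-f]{64}", parts[0].lower()):
            continue
        sha256, label, path = parts
        iocs.append({"sha256": sha256.lower(), "label": label, "path_re": csidl_to_regex(path)})
    return iocs


def match_inventory(records, iocs):
    """records: iterable of (path, sha256). Hash hit = high, path-only hit = medium."""
    hits = []
    for path, digest in records:
        digest = digest.lower()
        norm = path.replace("/", "\\").lower()
        for ioc in iocs:
            if digest == ioc["sha256"]:
                hits.append({"path": path, "confidence": "high",
                             "label": ioc["label"], "why": "sha256 match"})
            elif ioc["path_re"].fullmatch(norm):
                hits.append({"path": path, "confidence": "medium",
                             "label": ioc["label"], "why": "expected path, different hash"})
    return hits


# Constructed inventory, as an EDR or forensic file listing might export it.
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\Documents\imjpuexc.exe",
     "51ffcff8367b5723d62b3e3108e38fb7cbf36354e0e520e7df7c8a4f52645c4d"),
    (r"C:\Users\alice\ldap_write\Documents\sbamres.dll", "0" * 64),
    (r"C:\Windows\System32\kernel32.dll", "ab" * 32),
]

if __name__ == "__main__":
    for hit in match_inventory(SAMPLE_INVENTORY, parse_iocs(IOC_TEXT)):
        print(hit)
```

The path-only tier exists because the report itself notes that these groups share and rebuild loaders, so a fresh sbamres.dll in the same unusual `ldap_write\documents` location deserves a look even when its hash is new.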




Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
