China-Aligned TA415 Exploits Google Sheets & Calendar for C2

China-aligned TA415 hackers have adopted Google Sheets and Google Calendar as covert command-and-control (C2) channels in a sustained espionage campaign targeting U.S. government, academic, and think tank entities.

By blending malicious operations into trusted cloud services, TA415 aims to evade detection and harvest intelligence on evolving U.S.–China economic policy discussions.

Throughout July and August 2025, TA415 orchestrated a series of spearphishing campaigns aimed at individuals and organizations focused on U.S.–China relations, trade, and economic policy.

Using spoofed email addresses purportedly belonging to the Chair of the Select Committee on Strategic Competition between the United States and the CCP, as well as the U.S.–China Business Council, attackers invited targets to “closed-door briefings” and solicited feedback on draft sanctions legislation.

Emails contained links to password-protected archives hosted on cloud-sharing platforms such as Zoho WorkDrive, Dropbox, and OpenDrive.

Analysis of email headers revealed delivery via the Cloudflare WARP VPN service, underlining the group’s use of anonymization techniques to mask origin.

Figure: TA415 VS Code Remote Tunnel infection chain.

Once a target accessed the archive, a hidden subfolder named MACOS housed a malicious Microsoft Shortcut (LNK) file that executed a batch script, logon.bat, and displayed a corrupt PDF decoy.

The script launched an obfuscated Python loader—tracked as WhirlCoil—which established a persistent foothold by deploying a scheduled task under benign names like GoogleUpdate or MicrosoftHealthcareMonitorNode.

Legitimate Cloud Services for C2

Rather than relying on custom malware, TA415 embraced legitimate cloud applications to reduce network anomalies.

Proofpoint and other security researchers assessed that TA415’s primary objective is to harvest intelligence on U.S. economic policy deliberations, sanctions planning, and legislative trajectories.

The WhirlCoil loader downloads the official VS Code Command Line Interface (CLI) from Microsoft’s servers, extracts it to %LOCALAPPDATA%\Microsoft\VSCode, and authenticates a VS Code Remote Tunnel via GitHub credentials.

This tunnel provides the attacker with shell-level access through the Visual Studio terminal, enabling arbitrary command execution and data exfiltration without traditional beaconing.

For additional redundancy, TA415 stored operational instructions and exfiltrated system information in Google Sheets and Calendar events.

By writing encoded payload markers into spreadsheets and scheduling event entries containing timestamps and base64-encoded host data, the group blended C2 traffic with routine cloud API calls.

Exfiltrated metadata—including Windows version, locale, computer name, and user directories—is POSTed to free request-logging services under filenames combining timestamps with base64-encoded hostnames.

This multi-vector approach helps attackers maintain communication even if one channel is disrupted.

Context and Motivations

This activity coincides with high-stakes negotiations over U.S.–China trade relations and economic cooperation. U.S. indictments label TA415 (also tracked as APT41, Brass Typhoon, and Wicked Panda) as a civilian contractor group operating from Chengdu under the name Chengdu 404 Network Technology.

TA415’s innovative use of Google Sheets, Google Calendar, and VS Code Remote Tunnels demonstrates that attackers will continue iterating on techniques that evade conventional defenses, underscoring the need for continuous threat-focused cloud security measures.

Historical ties to China’s Ministry of State Security and prior deployment of the Voldemort backdoor underscore the group’s espionage mandate.

Shifting from Voldemort to VS Code Remote Tunnels and cloud-native C2 reflects an evolution in Chinese state-aligned threat actor tradecraft, prioritizing stealth and operational resilience.

By targeting think tanks, academic institutions, and government bodies specializing in trade and sanctions, the group seeks timely insights to inform CCP decision-making and strategic competition tactics.

The adoption of widely used productivity services for C2 highlights a growing trend among sophisticated threat actors to exploit legitimate cloud platforms.

Traditional network-based defenses may struggle to distinguish between benign and malicious API calls to Google services, complicating detection and response efforts.

Security teams must augment network monitoring with behavior-based analytics and anomaly detection within cloud environments.

In particular, monitoring of atypical calendar event payloads and suspicious spreadsheet modifications can help surface such covert operations.
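As an added illustration of that monitoring approach (example code written for this page, not tooling from the article or from Proofpoint), the following Python checks calendar event records and upload filenames against the two patterns described above: a bare timestamp as the event title with a base64-encoded body, and "<timestamp>_<base64 hostname>" filenames. The event records and hostname are constructed samples, not real TA415 data.

```python
import base64
import re

# Constructed sample calendar events (not real TA415 data), shaped like the
# summary/description fields of a Google Calendar event export. The second
# entry mimics the pattern described above: a timestamp as the title and
# base64-encoded host data as the body.
SAMPLE_EVENTS = [
    {"summary": "Team sync", "description": "Weekly status, bring notes"},
    {"summary": "1722761200",
     "description": base64.b64encode(
         b"WIN-7Q2K|Windows 10|en-US|C:\\Users\\alice").decode()},
    {"summary": "Budget2025Planning", "description": "Q3 numbers review"},
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
EPOCH_RE = re.compile(r"^\d{9,10}$")            # unix seconds, 2001-2286
EXFIL_NAME_RE = re.compile(r"^(\d{9,10})_([A-Za-z0-9+/]+=*)$")


def decode_if_base64(text):
    """Return decoded bytes if text is clean base64 that yields printable data."""
    text = text.strip()
    if not B64_RE.match(text):
        return None
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:                            # bad padding or alphabet
        return None
    printable = sum(32 <= b < 127 for b in raw)
    # Random-looking bytes are not encoded host metadata; require ~all printable
    return raw if raw and printable / len(raw) > 0.9 else None


def suspicious_events(events):
    """Flag events whose title is a bare epoch or whose body decodes to text."""
    hits = []
    for ev in events:
        reasons, decoded = [], decode_if_base64(ev.get("description", ""))
        if EPOCH_RE.match(ev.get("summary", "")):
            reasons.append("title is a bare unix timestamp")
        if decoded is not None:
            reasons.append("description is base64-encoded text")
        if reasons:
            hits.append({"summary": ev["summary"], "reasons": reasons,
                         "decoded": decoded.decode() if decoded else None})
    return hits


def exfil_style_name(name):
    """Parse '<epoch>_<base64>' names; return (epoch, hostname) or None."""
    m = EXFIL_NAME_RE.match(name)
    host = decode_if_base64(m.group(2)) if m else None
    return (int(m.group(1)), host.decode()) if host else None
```

The printable-ratio check keeps ordinary alphanumeric titles such as "Budget2025Planning" from being flagged as base64, so the same logic can be run over Sheets cell values or audit-log fields with few false positives.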

As geopolitical tensions between Washington and Beijing persist, organizations engaged in U.S.–China economic and policy research remain high-value espionage targets.
