Influence of Chinese Hacker Organizations on U.S. Foreign Policy

Chinese cyber-espionage groups have once again demonstrated their determination and technical prowess in targeting U.S. organizations with ties to international policy-making, highlighting the persistent and evolving threat posed by state-linked cyber actors.

Evidence indicates that the attackers sought to establish a stealthy, persistent presence within their target’s network.

The initial breach was preceded by a mass scan on April 5, 2025, using exploits for older, widely exploited vulnerabilities in internet-facing software: Atlassian Confluence OGNL injection (CVE-2022-26134), Log4j (CVE-2021-44228), Apache Struts (CVE-2017-9805), and GoAhead RCE (CVE-2017-17562). That exploit set is consistent with opportunistic scanning for unpatched edge servers, so the exposure it represents is governed largely by patch latency on public-facing systems.

The latest intrusion, observed in April 2025 against a prominent U.S. non-profit active in policy advocacy, underscores the sophisticated techniques and shared tools among Chinese hacking groups such as Kelp, Space Pirates, and the notorious APT41.

Their activity resumed on April 16 with a surge of suspicious commands testing both internet connectivity and internal network reach, particularly focusing on a system at 192.0.0.88. Multiple protocols and connection methods were used, reflecting both technical adaptability and a determination to access specific internal resources.

Almost immediately after the connectivity tests, the threat actors leveraged tools such as netstat for network reconnaissance and created a recurring scheduled task using the Windows command-line tool schtasks.

This task executed the legitimate MSBuild.exe, which processed an outbound.xml project file. MSBuild's inline-task feature compiles code embedded in a project file with csc.exe and loads it into the build, and here the resulting code was injected into csc.exe and eventually connected to a command-and-control server. Because the only artifacts on disk are a signed Microsoft build tool and an XML project, the chain leaves little for file-based antivirus to match.

The steps taken point to both automation (via scheduled tasks) and a clear intent for persistence, and the task's system-level privileges amplified the potential damage and complexity of the compromise.
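The persistence chain above (schtasks creating a task that runs MSBuild.exe on a loose .xml project, MSBuild spawning csc.exe, and MSBuild itself talking to an external address) maps onto a few process-creation and network-connection fields that most endpoint telemetry already records. The following is an added detection example, not code from the original report or from any tool it names. The event dicts are constructed to resemble a few fields of Sysmon Event ID 1 (process create) and Event ID 3 (network connect); the hostnames, task name, paths and IP addresses are made up.

```python
"""Flag the MSBuild scheduled-task persistence chain in constructed telemetry.

Added example, not from the original report. Event dicts mimic a few Sysmon
fields (Event ID 1: image, parent, cmd, user; Event ID 3: image, dst, dport);
every host, path, task name and address below is made up.
"""
import ipaddress
import re

MSBUILD = re.compile(r"msbuild\.exe", re.I)
CSC_IMAGE = re.compile(r"\\csc\.exe$", re.I)
SCHTASKS_CREATE = re.compile(r"schtasks(?:\.exe)?\b.*?/create\b", re.I)
# /tr "quoted action" or /tr unquoted-action
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)
PROJECT_ARG = re.compile(r'([^\s"]+\.(?:xml|proj|csproj|targets))(?=["\s]|$)', re.I)

# Ranges treated as internal; any other destination counts as outbound.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample telemetry (not real incident data).
EVENTS = [
    {"id": 1, "host": "ws01", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\netstat.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "netstat -ano"},
    {"id": 1, "host": "ws01", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'schtasks /create /sc minute /mo 30 /tn "SysUpdate" /ru SYSTEM '
            r'/tr "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Users\Public\outbound.xml"'},
    {"id": 1, "host": "ws01", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Users\Public\outbound.xml"},
    {"id": 1, "host": "ws01", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmd": r"csc.exe /noconfig /fullpaths @C:\Users\Public\tmp.cmdline"},
    {"id": 3, "host": "ws01", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "dst": "198.51.100.23", "dport": 443},
    # Benign developer build on another host: MSBuild on a .sln, launched from the IDE.
    {"id": 1, "host": "dev02", "user": r"CORP\dev",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmd": r"MSBuild.exe C:\src\app\app.sln /t:Build"},
    {"id": 3, "host": "dev02", "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "dst": "10.20.30.40", "dport": 443},
]


def _is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def detect_msbuild_persistence(events):
    """Return (host, rule, detail) tuples for events matching the chain."""
    findings = []
    for e in events:
        host, image = e["host"], e.get("image", "")
        if e["id"] == 1:
            cmd, parent = e.get("cmd", ""), e.get("parent", "")
            # Rule 1: a scheduled task whose action launches MSBuild on a project file.
            if SCHTASKS_CREATE.search(cmd):
                m = TASK_ACTION.search(cmd)
                action = (m.group(1) if m.group(1) is not None else m.group(2)) if m else ""
                if MSBUILD.search(action):
                    proj = PROJECT_ARG.search(action)
                    findings.append((host, "schtasks_msbuild_action",
                                     proj.group(1) if proj else action))
            # Rule 2: csc.exe spawned by MSBuild, i.e. an inline task being compiled.
            if CSC_IMAGE.search(image) and MSBUILD.search(parent):
                findings.append((host, "msbuild_spawns_csc", cmd))
            # Rule 3: MSBuild handed a bare .xml project rather than a .sln/.csproj.
            if MSBUILD.search(image):
                proj = PROJECT_ARG.search(cmd)
                if proj and proj.group(1).lower().endswith(".xml"):
                    findings.append((host, "msbuild_xml_project", proj.group(1)))
        elif e["id"] == 3 and MSBUILD.search(image) and not _is_internal(e["dst"]):
            findings.append((host, "msbuild_outbound_connection", f'{e["dst"]}:{e["dport"]}'))
    return findings


if __name__ == "__main__":
    for host, rule, detail in detect_msbuild_persistence(EVENTS):
        print(f"{host}: {rule} -> {detail}")
```

Rule 2 on its own is noisy on developer workstations, where MSBuild legitimately compiles with csc.exe all day; it earns its weight only when it co-occurs with rule 1 or rule 3 on the same host, or when the host has no business running a build tool at all. Rule 1 catches the persistence mechanism at creation time, which is the earliest point in the chain described above, and the bare .xml project in rule 3 is the detail that separates an inline-task loader from an ordinary build.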

The toolkit and techniques on display bore hallmarks of several Chinese espionage groups. The attackers weaponized legitimate software components through DLL sideloading: vetysafe.exe (a VipreAV component signed by Sunbelt Software, Inc.) was used to load sbamres.dll, a malicious payload placed where the signed executable would search for it. The technique lets the payload run inside a process whose image is signed by a trusted vendor, so controls that trust the signature on the executable do not, by themselves, catch the unsigned library it loads.

This precise technique had previously been recorded in campaigns attributed to Space Pirates and Earth Longzhi, the latter being a known APT41 subgroup.

Notably, the same approach was seen in incidents linked to Kelp (aka Salt Typhoon or Earth Estries), illustrating the pervasive tool-sharing practices among Chinese APTs.

The presence of Imjpuexc, a legitimate Microsoft utility for East Asian script input, is a circumstantial indicator on its own, but taken together with the tooling overlaps it further supports attribution to actors based in or affiliated with China.

The attackers also deployed a likely version of Dcsync, a tool that uses the Active Directory replication protocol (MS-DRSR) to request password data from a domain controller as though it were a peer domain controller. Any account holding the replication extended rights on the domain can pull credential material this way, including the KRBTGT hash, which enables privilege escalation and network-wide lateral movement.
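Both hallmarks in this passage, the signed-binary sideload of sbamres.dll and the DCSync replication requests, leave telemetry that a defender can check for directly. The following is an added example, not code from the original report or from any tool it names. The event dicts are constructed to resemble a few fields of Sysmon Event ID 7 (image load) and Windows Security Event ID 4662 (operation on a directory object); the "image_signature" field is an assumed enrichment, since Sysmon reports the signer of the loaded module rather than of the loading process. Hosts, paths and account names are made up; vetysafe.exe and sbamres.dll are the file names given in the report.

```python
"""Checks for DLL sideloading by a signed binary and for DCSync-style
replication requests, over constructed events.

Added example, not from the original report. IMAGE_LOADS mimics Sysmon Event
ID 7 fields (image, loaded, loaded_signed, loaded_signature) plus an assumed
"image_signature" enrichment; AUDIT_EVENTS mimics Security Event ID 4662
fields (subject, properties). All hosts, paths and accounts are made up.
"""
import ntpath

# Directories where an application loading a DLL from its own folder is expected.
TRUSTED_DIRS = ("c:\\windows", "c:\\program files", "c:\\program files (x86)")

# Extended rights a DCSync-style request needs on the domain naming context.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


def _under_trusted_dir(path):
    path = path.lower()
    return any(path == d or path.startswith(d + "\\") for d in TRUSTED_DIRS)


def detect_sideload(image_loads):
    """Return (host, exe, dll, exe_signer) for DLLs loaded from the loader's own
    directory, outside trusted locations, that are unsigned or signed by a
    different publisher than the loading executable."""
    findings = []
    for e in image_loads:
        exe, dll = e["image"], e["loaded"]
        if not dll.lower().endswith(".dll"):
            continue
        exe_dir, dll_dir = ntpath.dirname(exe).lower(), ntpath.dirname(dll).lower()
        # Sideloading abuses the application's own search path; system DLLs
        # loaded from System32 and vendor installs under Program Files are normal.
        if exe_dir != dll_dir or _under_trusted_dir(dll_dir):
            continue
        dll_signed = e["loaded_signed"] == "true"
        same_publisher = dll_signed and e["loaded_signature"] == e.get("image_signature")
        if not same_publisher:
            findings.append((e["host"], ntpath.basename(exe), ntpath.basename(dll),
                             e.get("image_signature")))
    return findings


def detect_dcsync(audit_events, dc_accounts):
    """Return (host, subject, rights) for 4662 events that exercise replication
    rights from an account that is not a domain controller machine account."""
    dcs = {a.lower() for a in dc_accounts}
    findings = []
    for e in audit_events:
        if e["event_id"] != 4662:
            continue
        props = e["properties"].lower()
        rights = [name for guid, name in REPL_GUIDS.items() if guid in props]
        if not rights or e["subject"].lower() in dcs:
            continue  # DC-to-DC replication is expected; anything else is not
        findings.append((e["host"], e["subject"], rights))
    return findings


# Constructed sample telemetry (not real incident data).
IMAGE_LOADS = [
    {"host": "ws01", "image": r"C:\ProgramData\Updates\vetysafe.exe",
     "image_signature": "Sunbelt Software, Inc.",
     "loaded": r"C:\ProgramData\Updates\sbamres.dll",
     "loaded_signed": "false", "loaded_signature": ""},
    {"host": "ws01", "image": r"C:\ProgramData\Updates\vetysafe.exe",
     "image_signature": "Sunbelt Software, Inc.",
     "loaded": r"C:\Windows\System32\kernel32.dll",
     "loaded_signed": "true", "loaded_signature": "Microsoft Windows"},
    {"host": "dev02", "image": r"C:\Tools\Vendor\app.exe", "image_signature": "Vendor Inc",
     "loaded": r"C:\Tools\Vendor\helper.dll",
     "loaded_signed": "true", "loaded_signature": "Vendor Inc"},
]
AUDIT_EVENTS = [
    {"host": "dc01", "event_id": 4662, "subject": "svc_backup",
     "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"host": "dc01", "event_id": 4662, "subject": "DC02$",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"host": "dc01", "event_id": 4662, "subject": "jdoe",
     "properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # not a replication right
]
DC_ACCOUNTS = ["DC01$", "DC02$"]

if __name__ == "__main__":
    print("sideload:", detect_sideload(IMAGE_LOADS))
    print("dcsync:", detect_dcsync(AUDIT_EVENTS, DC_ACCOUNTS))
```

Event 4662 only appears when the domain object carries a Directory Service Access audit entry for the replication rights, so confirm that SACL exists before trusting the absence of alerts. Legitimate non-DC replicators (directory synchronisation services and some backup products) need an allowlist beyond the machine accounts used here; treat any new subject exercising these rights as an incident until proven otherwise.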

Historical Context and Geopolitical Implications

APT41 stands out as one of China’s longest-running espionage groups, spanning multiple subgroups known for their relentless targeting of high-value organizations across the Asia-Pacific and the West.

Kelp gained notoriety for extensive incursions into U.S. telecom networks during the 2024 U.S. presidential election cycle, while Space Pirates have been active since at least 2017 and are noted for unconventional attack vectors and a focus on Russian companies.

This campaign echoes a larger trend: Chinese state-linked actors habitually monitor and infiltrate foreign entities involved in shaping policy towards China.

Efforts to establish long-term network access reinforce long-standing goals of espionage, intelligence collection, and strategic influence.

The continued use of standard tools and techniques across multiple well-known groups signals a high level of operational cooperation and resource-sharing. Because the sideloaded payload and the MSBuild execution chain both ride on signed, legitimate binaries, they also give signature- and reputation-based controls little to match, helping these groups maintain an enduring presence in their targets.

As the geopolitical rivalry between the U.S. and China deepens, these intrusions serve as a stark reminder that cyberespionage has become a central instrument for influencing international policy and gathering strategic intelligence.

Through a combination of stealth, technical sophistication, and shared expertise, Chinese threat groups remain formidable adversaries intent on shaping the very discussions that define global diplomacy and security.
