China-Aligned TA415 Hackers Use Google Sheets and Google Calendar for C2 Communications


The Chinese state-sponsored threat actor TA415 has evolved its tactics, techniques, and procedures by leveraging legitimate cloud services like Google Sheets and Google Calendar for command and control communications in recent campaigns targeting U.S. government, think tank, and academic organizations.

Throughout July and August 2025, this sophisticated group conducted spearphishing operations using U.S.-China economic-themed lures, masquerading as prominent figures including the current Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party.

TA415, also known as APT41, Brass Typhoon, and Wicked Panda, represents a significant shift in state-sponsored cyber operations by abandoning traditional malware delivery mechanisms in favor of legitimate development tools.


The group’s latest campaigns have consistently utilized trusted services for command and control infrastructure, demonstrating a deliberate strategy to blend malicious activities with normal network traffic patterns.

This approach significantly complicates detection efforts as security tools must distinguish between legitimate business communications and adversarial command channels.

Proofpoint researchers identified that TA415’s recent operations primarily focused on intelligence collection regarding the trajectory of U.S.-China economic relations, aligning with broader geopolitical tensions and ongoing trade negotiations.

The timing of these campaigns coincides with critical policy discussions surrounding U.S.-Taiwan relations and comprehensive sanctions frameworks targeting China, suggesting targeted intelligence requirements from state-level decision makers.

The threat actor’s infection methodology involves delivering password-protected archives through cloud sharing services including Zoho WorkDrive, Dropbox, and OpenDrive.

These archives contain Microsoft Shortcut files alongside hidden components stored within concealed MACOS subfolders.

The group consistently employs Cloudflare WARP VPN services to obscure sender IP addresses during email transmission, adding an additional layer of operational security to their campaigns.

Advanced Infection Chain Analysis

The TA415 infection mechanism demonstrates sophisticated understanding of legitimate development workflows through its deployment of Visual Studio Code Remote Tunnels.

[Figure: TA415 VS Code Remote Tunnel infection chain (Source – Proofpoint)]

Upon execution, the malicious LNK file triggers a batch script named logon.bat, which subsequently launches the WhirlCoil Python loader through an embedded Python package.

This loader exhibits advanced obfuscation techniques using repeated variable and function names like IIIllIIIIlIlIIlIII to evade static analysis detection methods.
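The lookalike naming described above (identifiers built only from upper-case I and lower-case l) is easy to flag mechanically. The script below is an added example, not code from the article or from Proofpoint: it tokenizes a Python source file and counts identifiers made solely of those two confusable letters, then reports what fraction of all user identifiers fit that pattern. The embedded sample script is constructed for illustration; the real WhirlCoil source is not reproduced here, and the minimum length of 6 is an assumption chosen to avoid flagging short legitimate names.

```python
import io
import keyword
import re
import tokenize
from collections import Counter

# Constructed sample input that mimics the IIIllIIIIlIlIIlIII-style naming
# the article describes. This is NOT the actual WhirlCoil loader.
SAMPLE_SOURCE = '''
import base64
def IIIllIIIIlIlIIlIII(IlIlIlIlIl):
    IIIllIIIIlIlIIlIII = base64.b64decode(IlIlIlIlIl)
    return IIIllIIIIlIlIIlIII
def helper(data):
    return IIIllIIIIlIlIIlIII(data)
'''

# Identifiers composed only of "I" (upper-case i) and "l" (lower-case L).
# The length floor of 6 is an assumption to skip short legitimate names.
LOOKALIKE_NAME = re.compile(r"^[Il]{6,}$")


def _user_identifiers(source: str) -> list:
    """All NAME tokens in the source that are not Python keywords."""
    tokens = tokenize.generate_tokens(io.StringIO(source).readline)
    return [
        tok.string
        for tok in tokens
        if tok.type == tokenize.NAME and not keyword.iskeyword(tok.string)
    ]


def find_lookalike_identifiers(source: str) -> Counter:
    """Map each lookalike identifier to the number of times it occurs."""
    hits = Counter()
    for name in _user_identifiers(source):
        if LOOKALIKE_NAME.match(name):
            hits[name] += 1
    return hits


def obfuscation_score(source: str) -> float:
    """Fraction (0.0 to 1.0) of user identifiers that are lookalike names."""
    names = _user_identifiers(source)
    if not names:
        return 0.0
    flagged = sum(1 for name in names if LOOKALIKE_NAME.match(name))
    return flagged / len(names)


if __name__ == "__main__":
    print("lookalike identifiers:", dict(find_lookalike_identifiers(SAMPLE_SOURCE)))
    print("obfuscation score:", obfuscation_score(SAMPLE_SOURCE))
```

A high score on its own is only a triage signal; minified or generated code can also produce odd names, so the result should be correlated with the delivery path (LNK plus batch launcher) and the downloaded VS Code CLI described in the article.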

The WhirlCoil component downloads the VSCode Command Line Interface from official Microsoft sources, extracts it to %LOCALAPPDATA%\Microsoft\VSCode, and establishes persistence through scheduled tasks named GoogleUpdate, GoogleUpdated, or MicrosoftHealthcareMonitorNode.

The script executes the command code.exe tunnel user login --provider github --name to create GitHub-authenticated remote tunnels, providing persistent access without conventional malware signatures.

System information collection includes Windows version details, locale settings, computer identification, username, and domain information, which is transmitted via POST requests to free request logging services like requestrepo.com.

The exfiltrated data combines with VS Code Remote Tunnel verification codes, enabling threat actors to authenticate remote sessions and execute arbitrary commands through Visual Studio’s integrated terminal interface.
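The chain laid out above (logon.bat launched from the LNK, the VS Code CLI dropped under %LOCALAPPDATA%\Microsoft\VSCode, the GoogleUpdate / GoogleUpdated / MicrosoftHealthcareMonitorNode scheduled tasks, the code.exe tunnel login, and the POST to requestrepo.com) maps directly onto endpoint telemetry. The following is an added example, not code from the article or from Proofpoint: it runs a small rule set over constructed process, scheduled-task and HTTP events and returns findings. The event schema (the "type", "image", "cmdline", "task_name", "method" and "host" keys), the user name "alice" and the tunnel name "WORKSTATION-01" are assumptions made for the sample; the indicators themselves come from the article.

```python
import re
from dataclasses import dataclass

# Indicators from the article's description of the TA415 chain.
SUSPICIOUS_TASK_NAMES = {"GoogleUpdate", "GoogleUpdated", "MicrosoftHealthcareMonitorNode"}
REQUEST_LOGGER_HOSTS = {"requestrepo.com"}
# Drop location for the VS Code CLI: %LOCALAPPDATA%\Microsoft\VSCode
VSCODE_CLI_DROP_DIR = re.compile(r"\\AppData\\Local\\Microsoft\\VSCode\\", re.IGNORECASE)
# "code.exe tunnel ..." on the command line (the CLI tunnel subcommand).
TUNNEL_CMD = re.compile(r"\bcode(?:\.exe)?\b.*\btunnel\b", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    event_index: int
    detail: str


def check_event(idx: int, ev: dict) -> list:
    """Apply every rule to one telemetry event and return the findings."""
    findings = []
    kind = ev.get("type")
    if kind == "schtask_create" and ev.get("task_name") in SUSPICIOUS_TASK_NAMES:
        findings.append(Finding("ta415_task_name", idx, ev["task_name"]))
    elif kind == "process":
        image = ev.get("image", "")
        cmd = ev.get("cmdline", "")
        # cmd.exe running the logon.bat launcher from the archive
        if image.lower().endswith("\\cmd.exe") and "logon.bat" in cmd.lower():
            findings.append(Finding("lnk_launches_logon_bat", idx, cmd))
        if TUNNEL_CMD.search(cmd):
            findings.append(Finding("vscode_tunnel_cli", idx, cmd))
        if VSCODE_CLI_DROP_DIR.search(image):
            findings.append(Finding("vscode_cli_in_localappdata", idx, image))
    elif kind == "http":
        host = ev.get("host", "").lower()
        if ev.get("method") == "POST" and host in REQUEST_LOGGER_HOSTS:
            findings.append(Finding("request_logger_post", idx, host))
    return findings


def triage(events: list) -> list:
    """Run check_event over an event stream and collect all findings."""
    findings = []
    for idx, ev in enumerate(events):
        findings.extend(check_event(idx, ev))
    return findings


# Constructed sample telemetry (assumed schema, assumed user and host names).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\lure\logon.bat"'},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\python\python.exe",
     "cmdline": "python.exe loader.py"},
    {"type": "schtask_create", "task_name": "GoogleUpdate"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Microsoft\VSCode\code.exe",
     "cmdline": "code.exe tunnel user login --provider github --name WORKSTATION-01"},
    {"type": "http", "method": "POST", "host": "requestrepo.com"},
    # Benign noise that must not fire:
    {"type": "schtask_create", "task_name": "OneDrive Standalone Update Task"},
    {"type": "process", "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r"Code.exe --folder C:\proj"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_index}: {f.detail}")
```

The rules are deliberately narrow: a VS Code install under Program Files, or a developer-initiated tunnel from a sanctioned path, does not match, while the CLI living under %LOCALAPPDATA% together with a Google- or Microsoft-sounding scheduled task name and a POST to a request-logging host is the combination the article attributes to this actor.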




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.