A notorious Chinese hacking group has been targeting entities involved in US-China relations, economic policy, and international trade in a fresh phishing campaign, Proofpoint reports.
The attacks, observed in July and August 2025, attempted to establish a Visual Studio Code (VS Code) remote tunnel for persistent remote access to the compromised environments, instead of relying on conventional malware.
Attributed to TA415, a Chinese state-sponsored hacking group also known as APT41, Barium, Brass Typhoon, Bronze Atlas, Wicked Panda, and Winnti, and indicted by the US in 2020, the campaign targeted US government, think tank, and academic organizations.
In early July, the threat actor sent email messages spoofing the US-China Business Council, allegedly inviting the recipients to a closed-door briefing regarding the United States’ affairs with China and Taiwan.
Subsequent emails, Proofpoint says, impersonated John Moolenaar, the Chair of the Select Committee on Strategic Competition between the US and the Chinese Communist Party, requesting feedback on draft legislation regarding sanctions against China. The Wall Street Journal reported on the Moolenaar impersonation earlier this month, but no technical details were available at the time.
The phishing messages contained links to password-protected archives hosted on known cloud services, each containing a shortcut (LNK) file and a hidden subfolder. Launching the LNK file executed a batch script stored in the hidden folder and opened a decoy PDF file hosted on OneDrive.
The script’s execution triggers a multi-stage infection process in which the VS Code Command Line Interface (CLI) is downloaded from Microsoft’s servers, a scheduled task is created for persistence, and a VS Code remote tunnel authenticated via GitHub is established.
The script also collects system information and the contents of various user directories and sends them to the attackers.
In recent attacks, the script also sends the VS Code remote tunnel verification code, which the threat actor then uses to access the victim’s computer remotely and execute arbitrary commands through VS Code’s built-in terminal.
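The chain above leaves two process-creation signals a defender can hunt for: the VS Code CLI started with the `tunnel` subcommand from a user-writable directory, and a scheduled task whose action launches that tunnel. The following is an added detection sketch, not code from Proofpoint or the article; the event format and the command lines in the sample are constructed (the real VS Code CLI does use `code tunnel`, but the exact arguments used in this campaign are not given on the page).

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in a simple key=value form (not real telemetry).
SAMPLE_EVENTS = [
    r'image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c hidden\run.bat"',
    r'image=C:\Users\u\AppData\Local\Temp\code.exe cmdline="code.exe tunnel --accept-server-license-terms --name host-01"',
    r'image=C:\Windows\System32\schtasks.exe cmdline="schtasks.exe /create /tn Updater /tr C:\Users\u\AppData\Local\Temp\code.exe tunnel /sc onlogon"',
    r'image=C:\Program Files\Microsoft VS Code\bin\code.exe cmdline="code.exe --version"',
]

EVENT_RE = re.compile(r'^image=(?P<image>.+?) cmdline="(?P<cmdline>.*)"$')
# Directories an interactive user can write to: a VS Code CLI living here was
# dropped by something other than a normal install (heuristic, assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

def parse_event(line):
    """Parse one key=value event line into a dict, or None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"image": m.group("image"), "cmdline": m.group("cmdline")}

def check_event(ev):
    """Return a finding dict, or None, for a single process-creation event."""
    name = PureWindowsPath(ev["image"]).name.lower()
    path = ev["image"].lower()
    tokens = ev["cmdline"].lower().split()
    # Rule 1: VS Code CLI launched with the tunnel subcommand.
    if name == "code.exe" and "tunnel" in tokens:
        sev = "high" if any(d in path for d in USER_WRITABLE) else "medium"
        return {"rule": "vscode_tunnel_launch", "severity": sev, "image": ev["image"]}
    # Rule 2: scheduled task created whose action references a tunnel.
    if name == "schtasks.exe" and "/create" in tokens and "tunnel" in tokens:
        return {"rule": "vscode_tunnel_persistence", "severity": "high", "image": ev["image"]}
    return None

def scan(lines):
    """Run both rules over an iterable of event lines and collect findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            finding = check_event(ev)
            if finding is not None:
                findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

A legitimately installed VS Code under Program Files that never runs `tunnel` produces no finding, so the rules key on the tunnel behaviour rather than on the binary itself.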
TA415 operates out of Chengdu, China, as a private government contractor under the company name Chengdu 404 Network Technology, and has ties to other private contractors, including i-Soon.
“Many of the targeted entities are consistent with known Chinese intelligence collection priorities. However, the timing of TA415’s pivot toward these targets is particularly noteworthy given the ongoing complex evolution of economic and foreign policy relations between China and the United States,” Proofpoint notes.