
China-affiliated actors are believed to have targeted a U.S. nonprofit organization with the goal of establishing long-term persistence, as part of a broader campaign against U.S. organizations related to or engaged in policy issues.
The organization “actively seeks to influence U.S. government policy on international issues,” according to a report by Broadcom’s Symantec and Carbon Black teams. The attackers were able to gain access to the network for several weeks in April 2025.
The first sign of activity occurred on April 5, 2025, in the form of mass scanning against the organization's servers using a variety of known exploits, including CVE-2022-26134 (Atlassian Confluence), CVE-2021-44228 (Apache Log4j), CVE-2017-9805 (Apache Struts), and CVE-2017-17562 (GoAhead Web Server).

No further activity was recorded until April 16. The attackers ran several curl commands to test internet connectivity, then ran the Windows command-line tool netstat to gather network configuration information. They then set up persistence on the host using a scheduled task.
This task is designed to run a legitimate Microsoft binary “msbuild.exe” to execute an unknown payload, as well as create another scheduled task configured to run every 60 minutes as the highly privileged SYSTEM user.
According to Symantec and Carbon Black, this second task may load and inject unknown code into csc.exe, ultimately establishing communication with a command-and-control (C2) server (38.180.83[.]…). The attackers were then observed running a custom loader to unpack and execute an unspecified payload, likely an in-memory remote access trojan (RAT).
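The persistence pattern described above (a scheduled task whose action is a signed Microsoft build or compiler binary, a companion task repeating every 60 minutes as SYSTEM) is easy to hunt for in exported task definitions. The following is an added example, not code from the Symantec/Carbon Black report: it triages Task Scheduler XML, which is what `schtasks /query /xml` or `Export-ScheduledTask` produce. The two task definitions embedded below are constructed for illustration; the living-off-the-land binary list is an assumption you should extend from your own environment.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Signed Microsoft binaries commonly abused to run or compile attacker code (assumed list).
LOLBINS = {"msbuild.exe", "csc.exe", "installutil.exe", "regsvr32.exe",
           "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Identities that mean "run as LocalSystem".
SYSTEM_IDS = {"s-1-5-18", "system", "nt authority\\system"}


def _iso_minutes(interval):
    """Convert an ISO-8601 duration such as PT60M, PT1H or P1D into minutes; None if unparseable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", interval.strip())
    if not m or not any(m.groups()):
        return None
    days, hours, mins = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins


def triage_task(xml_text):
    """Return a sorted list of findings for one exported task definition."""
    root = ET.fromstring(xml_text)
    findings = set()
    # Actions: flag any Exec whose command is a known living-off-the-land binary.
    for exec_ in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        exe = re.split(r"[\\/]", cmd)[-1].lower()
        if exe in LOLBINS:
            findings.add(f"lolbin:{exe}")
    # Principal: flag tasks running as SYSTEM.
    for uid in root.findall(".//t:Principals/t:Principal/t:UserId", NS):
        if (uid.text or "").strip().lower() in SYSTEM_IDS:
            findings.add("runs_as_system")
    # Triggers: flag short repetition intervals (beaconing-style persistence).
    for interval in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        mins = _iso_minutes(interval.text or "")
        if mins is not None:
            findings.add(f"repeats_every:{mins}min")
    # Settings: hidden tasks do not show in the default Task Scheduler view.
    if root.findtext(".//t:Settings/t:Hidden", default="", namespaces=NS).strip().lower() == "true":
        findings.add("hidden")
    return sorted(findings)


# Constructed sample resembling the task described on this page (not a real export).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT60M</Interval></Repetition>
    <StartBoundary>2025-04-16T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe</Command>
    <Arguments>C:\ProgramData\update.xml</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign sample: a vendor backup job running daily as a service account.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>CORP\svc_backup</UserId></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>"C:\Program Files\Contoso\backup.exe"</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, triage_task(xml_text))
```

Run it over every task exported from a host; a task that scores on all four findings at once (LOLBin action, SYSTEM principal, hourly repetition, hidden) is worth pulling the referenced project file or payload path for immediately.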
The attackers were also observed running a legitimate Vipre AV component ('vetysafe.exe') to sideload a DLL loader ('sbamres.dll'). This component has previously been used to sideload DLLs associated with the Deed RAT (aka Snappybee) in earlier activity by Salt Typhoon (aka Earth Estries) and in attacks by Earth Longzhi, a subcluster of APT41.
“A copy of this malicious DLL has previously been used in attacks associated with China-based attackers known as Space Pirates,” Broadcom said. “A variant of this component with a different file name was also used by the Chinese APT group Kelp (also known as Salt Typhoon) in a separate incident.”
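DLL sideloading of the kind described above (a signed vendor executable dropped into a writable directory next to a malicious DLL it loads by name) leaves a recognizable shape in Sysmon Event ID 7 (ImageLoad) telemetry. The following is an added example, not code from the Broadcom or Symantec reports: it scores ImageLoad records using only the fields Sysmon actually emits for that event (Image, ImageLoaded, Signed, SignatureStatus). The events embedded below are constructed for illustration; the trusted-directory and user-writable-directory lists are assumptions, and the DLL watchlist contains only the name reported on this page.

```python
import ntpath

# Directories where a signed executable is expected to live (assumed; tune per environment).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Locations an ordinary user or a dropper can write to (assumed list).
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
# DLL names known to be sideloaded; sbamres.dll is the name reported on this page.
WATCHLIST_DLLS = {"sbamres.dll"}


def sideload_indicators(ev):
    """Return a sorted list of reasons one Sysmon Event ID 7 record looks like DLL sideloading."""
    image = ev["Image"].lower()
    loaded = ev["ImageLoaded"].lower()
    reasons = set()

    same_dir = ntpath.dirname(image) == ntpath.dirname(loaded)
    loaded_in_trusted = loaded.startswith(TRUSTED_DIRS) and not loaded.startswith(USER_WRITABLE)
    signed_ok = (ev.get("Signed", "false").lower() == "true"
                 and ev.get("SignatureStatus", "") == "Valid")

    # Core sideload shape: DLL loaded from beside the executable, outside vendor/OS dirs, unsigned.
    if same_dir and not loaded_in_trusted and not signed_ok:
        reasons.add("unsigned_dll_beside_exe_outside_trusted_dirs")
    # Legitimate vendor binaries rarely execute from ProgramData, user profiles or Temp.
    if image.startswith(USER_WRITABLE):
        reasons.add("exe_in_user_writable_dir")
    # Known-abused DLL name: always a hunt lead, even when the copy on disk is signed.
    if ntpath.basename(loaded) in WATCHLIST_DLLS:
        reasons.add("watchlisted_dll_name")
    return sorted(reasons)


def hunt(events):
    """Return [(Image, ImageLoaded, reasons)] for every event with at least one indicator."""
    hits = []
    for ev in events:
        reasons = sideload_indicators(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


# Constructed Sysmon Event ID 7 records (field names as Sysmon emits them; values are invented).
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\Vipre\vetysafe.exe",
     "ImageLoaded": r"C:\ProgramData\Vipre\sbamres.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vipre\vetysafe.exe",
     "ImageLoaded": r"C:\Program Files\Vipre\sbamres.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for image, loaded, reasons in hunt(SAMPLE_EVENTS):
        print(f"{image} -> {loaded}: {', '.join(reasons)}")
```

The first record reproduces the shape the report describes and trips all three indicators; the third shows why the watchlist is a lead rather than a verdict, since a signed copy of the same DLL name in Program Files only earns the name match. Sysmon must be configured to log ImageLoad events (they are off by default) for this to have any data to work on.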
Other tools observed on the targeted network included Dcsync and Imjpuexc. It is not clear how successful the attackers were. No additional activity has been recorded since April 16, 2025.
Symantec and Carbon Black said: “It is clear from the activity against this victim that the attackers were looking to establish a persistent and stealthy presence on the network. The attackers were also very interested in targeting domain controllers, which could potentially spread the infection to many machines on the network.”
“Sharing tools between groups is a long-standing trend among Chinese threat actors, making it difficult to determine which specific group is behind a range of activities.”
The disclosure comes after a security researcher who goes by the online name BartBlaze revealed that Salt Typhoon exploited a security flaw in WinRAR (CVE-2025-8088) to begin an attack chain that sideloaded a DLL responsible for executing shellcode on compromised hosts. The final payload is designed to establish a connection with a remote server ('mimosa.gleeze[.]com').
Activities of other Chinese hacking groups
According to a report from ESET, China-aligned groups remain active, attacking organizations across Asia, Europe, Latin America, and the United States in order to serve Beijing's geopolitical priorities. Some notable campaigns include:
In July 2025, a threat actor codenamed Speccom targeted the energy sector in Central Asia via phishing emails delivering BLOODALCHEMY variants and custom backdoors such as kidsRAT and RustVoralix.
In July 2025, a threat actor codenamed DigitalRecyclers targeted organizations in Europe using an unusual persistence technique that abused the Magnifier accessibility tool to obtain SYSTEM privileges.
From June to September 2025, a threat actor codenamed FamousSparrow likely exploited ProxyLogon flaws in Microsoft Exchange Server to deploy SparrowDoor against government agencies in Latin America (Argentina, Ecuador, Guatemala, Honduras, and Panama). From May to September 2025, a Taiwanese company in the defense aviation sector, a U.S. trade organization based in China, the offices of a Greek government agency in China, and an Ecuadorian government agency were also targeted.
A threat actor codenamed SinisterEye (also known as LuoYu and Cascade Panda) hijacked legitimate software update mechanisms via adversary-in-the-middle (AitM) attacks to distribute malware such as WinDealer (for Windows) and SpyDealer (for Android).
In June 2025, a threat actor codenamed PlushDaemon used AitM poisoning to target Japanese and multinational companies in Cambodia with its SlowStepper backdoor.
“PlushDaemon accomplishes AitM positioning by compromising network devices such as routers and deploying a tool named EdgeStepper, which redirects DNS traffic from the target network to a remote DNS server controlled by the attacker,” ESET said.
“This server responds to queries for domains associated with the software update infrastructure using the IP address of the web server that performs update hijacking and ultimately powers PlushDaemon’s flagship backdoor, SlowStepper.”
Chinese hacking group targets misconfigured IIS servers
In recent months, threat hunters have discovered Chinese-speaking attackers targeting misconfigured IIS servers by using exposed machine keys to install a backdoor called TOLLBOOTH (also known as HijackServer) with SEO cloaking and web shell capabilities.

“REF3927 exploits publicly available ASP.NET machine keys to compromise IIS servers and deploy the TOLLBOOTH SEO cloaking module globally,” Elastic Security Labs researchers said in a report released late last month. According to HarfangLab, the operation infected hundreds of servers around the world, with infections concentrated in India and the United States.
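The REF3927 initial access described above works because an ASP.NET machineKey that is copied from public sources lets anyone forge ViewState that the server will accept and deserialize. The following is an added example, not code from Elastic or HarfangLab: it audits the `<machineKey>` element of a web.config against a set of keys assumed to be publicly known, and produces a fresh replacement element with random keys. Everything below is constructed for illustration; in particular, `HYPOTHETICAL_PUBLIC_KEYS` stands in for whatever list of disclosed keys you maintain.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed stand-in for a list of machine keys that have been published somewhere
# (documentation, forum posts, public repositories). Only digests are kept at runtime.
HYPOTHETICAL_PUBLIC_KEYS = [
    "0123456789ABCDEF" * 8,   # hypothetical 128-hex-char validationKey
]


def _digest(hexkey):
    return hashlib.sha256(hexkey.strip().lower().encode()).hexdigest()


KNOWN_PUBLIC_KEY_DIGESTS = {_digest(k) for k in HYPOTHETICAL_PUBLIC_KEYS}


def audit_machine_key(web_config_xml):
    """Return a sorted list of findings for the <machineKey> element in a web.config."""
    root = ET.fromstring(web_config_xml)
    system_web = next(root.iter("system.web"), None)
    mk = None if system_web is None else next(system_web.iter("machineKey"), None)
    if mk is None:
        return []  # keys are auto-generated per machine; nothing static to have leaked
    findings = set()
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            continue
        # Explicit keys are legitimate (required for web farms); the question is whether they are secret.
        findings.add(f"explicit_{attr}")
        if _digest(value) in KNOWN_PUBLIC_KEY_DIGESTS:
            findings.add(f"known_public_{attr}")
    if mk.get("validation", "HMACSHA256").upper() in ("MD5", "SHA1"):
        findings.add("weak_validation_algorithm")
    return sorted(findings)


def new_machine_key(validation="HMACSHA256", decryption="AES"):
    """Generate a replacement machineKey: 64 random bytes for HMACSHA256, 32 random bytes (AES-256)."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": validation,
        "decryption": decryption,
    }


def render_machine_key(attrs):
    """Serialize the dict from new_machine_key() as the XML element to paste into web.config."""
    return "<machineKey {} />".format(" ".join(f'{k}="{v}"' for k, v in attrs.items()))


# Constructed web.config fragments (no real application).
STATIC_WEB_CONFIG = """<configuration><system.web>
  <machineKey validationKey="{}" decryptionKey="{}" validation="HMACSHA256" decryption="AES" />
</system.web></configuration>""".format(HYPOTHETICAL_PUBLIC_KEYS[0], "FEDCBA9876543210" * 4)

AUTOGEN_WEB_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

if __name__ == "__main__":
    print("static config:", audit_machine_key(STATIC_WEB_CONFIG))
    print("autogen config:", audit_machine_key(AUTOGEN_WEB_CONFIG))
    print("replacement:", render_machine_key(new_machine_key()))
```

A `known_public_*` finding means the server should be treated as already exposed: rotate the key on every node of the farm at once, then hunt for web shells and modules that may have been dropped while the key was valid, since rotating the key does nothing about access an attacker has already established.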
The attack is also characterized by attempts to weaponize initial access to drop the Godzilla web shell, run the GotoHTTP remote access tool, use Mimikatz to harvest credentials, and deploy HIDDENDRIVER, a modified version of the open source rootkit Hidden, to hide the presence of the malicious payload on the infected machine.
It's worth pointing out that this cluster is the latest addition to a long list of Chinese threat actors targeting IIS servers, including GhostRedirector, Operation Rewrite, and UAT-8099, and reflects a surge in such activity.
“The malicious operators, who use Chinese as their primary language and appear to be leveraging the breach to support search engine optimization (SEO), have discovered that the deployed module provides a persistent, unauthenticated channel that allows any party to remotely execute commands on the affected servers,” the French cybersecurity firm said.
