EXECUTIVE SUMMARY
The recent compromise of a U.S.-based non-profit organization underscores the sustained interest of China-linked groups in infiltrating institutions that influence U.S. foreign policy. Researchers observed that the attackers maintained access to the organization's network for several weeks, consistent with a goal of long-term persistence and stealthy control. The intrusion abused legitimate software components, such as vetysafe.exe and Imjpuexc, to disguise malicious activity within the environment. These tactics, together with DLL sideloading and scheduled task creation, closely align with methods attributed to Chinese entities including Space Pirates, Kelp, and APT41.
During the technical investigation, the initial compromise was traced back to mass scanning activity targeting vulnerabilities such as Atlassian OGNL injection, Log4j, Apache Struts, and GoAhead RCE. The attackers ran numerous connectivity checks with curl to confirm reachability of specific systems of interest. Persistence was achieved through a scheduled task that executed msbuild.exe against an XML project file every 60 minutes with SYSTEM privileges. Because MSBuild compiles and runs code embedded in a project file, the task functioned as a loader: it established communication with an external command-and-control server and potentially retrieved a remote access tool to maintain covert access. Additional findings revealed DLL sideloading via VipreAV components, a technique previously linked to Chinese operations involving Deed RAT and other shared malware families.
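Both behaviours described above, MSBuild launched by the Task Scheduler with an XML project file and a DLL sideloaded next to a legitimate executable, leave distinct traces in endpoint telemetry. The following Python script is an added example for this page, not code from the original report or from the researchers who investigated the intrusion. It runs two hunt checks over constructed Sysmon-style events (process creation, event 1; image load, event 7). The sample events, the file paths, the DLL name and the Event record type are assumptions made for illustration, not indicators from the intrusion.

```python
"""Added hunt logic for two behaviours in the report: MSBuild launched by the
Task Scheduler with an XML project file, and an unsigned DLL loaded from the
same directory as a legitimate executable (side-loading).
All events below are constructed for this example; the paths and DLL name are
illustrative, not indicators from the intrusion."""
import ntpath
import re
from dataclasses import dataclass

# Processes that host scheduled tasks on Windows (Schedule service inside
# svchost on current builds, taskeng on older ones).
SCHEDULE_HOSTS = {"svchost.exe", "taskeng.exe"}
SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}
# An argument ending in .xml: MSBuild treats any such file as a project and
# will compile and run inline tasks it contains.
PROJECT_ARG = re.compile(r'("[^"]+\.xml"|\S+\.xml)(?=\s|$)', re.IGNORECASE)
OS_DIRS = ("c:\\windows\\",)


@dataclass
class Event:
    """Minimal Sysmon-like record: event_id 1 = process create, 7 = image load."""
    event_id: int
    image: str                  # full path of the process image
    user: str = ""
    parent_image: str = ""
    command_line: str = ""
    loaded_image: str = ""      # event 7: DLL mapped into the process
    loaded_signed: bool = True  # event 7: signature status of that DLL


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def msbuild_task_hits(events):
    """Flag msbuild.exe started by the scheduler or as SYSTEM with a .xml project."""
    hits = []
    for e in events:
        if e.event_id != 1 or _base(e.image) != "msbuild.exe":
            continue
        m = PROJECT_ARG.search(e.command_line)
        if not m:
            continue  # ordinary .csproj/.vbproj builds are out of scope here
        from_scheduler = _base(e.parent_image) in SCHEDULE_HOSTS
        as_system = e.user.lower() in SYSTEM_ACCOUNTS
        if from_scheduler or as_system:
            hits.append({"project": m.group(1).strip('"'),
                         "user": e.user, "parent": _base(e.parent_image)})
    return hits


def sideload_candidates(events):
    """Flag unsigned DLLs resolved from the executable's own directory,
    outside the OS directories, where a vendor binary is the loader."""
    hits = []
    for e in events:
        if e.event_id != 7 or not e.loaded_image:
            continue
        exe_dir = ntpath.dirname(e.image).lower()
        dll_dir = ntpath.dirname(e.loaded_image).lower()
        if exe_dir != dll_dir or exe_dir.startswith(OS_DIRS) or e.loaded_signed:
            continue
        hits.append({"host": _base(e.image), "dll": _base(e.loaded_image),
                     "directory": exe_dir})
    return hits


MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
# Constructed sample telemetry (not real logs from the intrusion).
SAMPLE_EVENTS = [
    # scheduled task: SYSTEM, parent is the Schedule service host, .xml project
    Event(1, MSBUILD, user="NT AUTHORITY\\SYSTEM",
          parent_image=r"C:\Windows\System32\svchost.exe",
          command_line=f'"{MSBUILD}" C:\\ProgramData\\update\\task.xml'),
    # developer build from Visual Studio: .csproj, interactive user, benign
    Event(1, MSBUILD, user="CORP\\developer",
          parent_image=r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
          command_line=f'"{MSBUILD}" C:\\src\\app\\app.csproj /t:Build'),
    # side-load: legitimate AV component loads an unsigned DLL beside itself
    Event(7, r"C:\ProgramData\update\vetysafe.exe", user="NT AUTHORITY\\SYSTEM",
          loaded_image=r"C:\ProgramData\update\helper.dll", loaded_signed=False),
    # normal: vendor app loads its own signed library
    Event(7, r"C:\Program Files\Vendor\app.exe",
          loaded_image=r"C:\Program Files\Vendor\vendorlib.dll", loaded_signed=True),
    # normal: OS binary loads an OS DLL
    Event(7, r"C:\Windows\System32\notepad.exe",
          loaded_image=r"C:\Windows\System32\kernel32.dll", loaded_signed=True),
]


if __name__ == "__main__":
    for hit in msbuild_task_hits(SAMPLE_EVENTS):
        print("MSBuild task loader:", hit)
    for hit in sideload_candidates(SAMPLE_EVENTS):
        print("DLL side-load candidate:", hit)
```

The MSBuild check keys on the combination that a build server never produces: a .xml project rather than a .csproj, started by the Schedule service host or under SYSTEM. The sideload check deliberately ignores the Windows directory so that the remaining hits are application directories where an attacker can drop a DLL beside a signed, trusted executable; in production telemetry the signature status would come from the image-load event's signature fields rather than a boolean.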
This intrusion highlights the continued focus of China-linked actors on intelligence collection within policy-related organizations. Their operations exhibit patience, persistence, and technical proficiency, reflecting a long-term commitment to espionage objectives. The observed use of shared malware and consistent techniques across multiple Chinese groups points to a collective ecosystem rather than isolated operations. This interconnected network of threat actors relies on overlapping toolsets, customized loaders, and deliberate targeting of domain controllers to maximize reach and data access within compromised environments. The campaign further confirms a pattern of Chinese intrusion sets maintaining persistent surveillance capabilities against entities that shape U.S. or global policy, reinforcing the geopolitical motive underpinning their cyber operations.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Reconnaissance | T1595.002 | Active Scanning | Vulnerability Scanning |
| Initial Access | T1190 | Exploit Public-Facing Application | – |
| Execution | T1127.001 | Trusted Developer Utilities Proxy Execution | MSBuild |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Defense Evasion | T1574.002 | Hijack Execution Flow | DLL Side-Loading |
| Discovery | T1049 | System Network Connections Discovery | – |
| Credential Access | T1003.006 | OS Credential Dumping | DCSync |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Defense Evasion | B0025 | Conditional Execution |
| Discovery | B0013 | Analysis Tool Discovery |
| Collection | E1113 | Screen Capture |
| Command and Control | B0030 | C2 Communication |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Exfiltration | E1020 | Automated Exfiltration |
REFERENCES:
The following reports contain further
https://cybersecuritynews.com/chinese-hackers-organization-influence-u-s-government/
https://www.security.com/threat-intelligence/china-apt-us-policy