A China-linked threat actor has been attributed to a cyber attack targeting an U.S. non-profit organization with an aim to establish long-term persistence, as part of broader activity aimed at U.S. entities that are linked to or involved in policy issues.
The organization, according to a report from Broadcom’s Symantec and Carbon Black teams, is “active in attempting to influence U.S. government policy on international issues.” The attackers managed to gain access to the network for several weeks in April 2025.
The first sign of activity occurred on April 5, 2025, when mass scanning efforts were detected against a server by leveraging various well-known exploits, including CVE-2022-26134 (Atlassian), CVE-2021-44228 (Apache Log4j), CVE-2017-9805 (Apache Struts), and CVE-2017-17562 (GoAhead Web Server).
No further actions were recorded until April 16, when the attacks executed several curl commands to test internet connectivity, after which the Windows command-line tool netstat was executed to collect network configuration information. This was followed by setting up persistence on the host by means of a scheduled task.
The task was designed to execute a legitimate Microsoft binary “msbuild.exe” to run an unknown payload, as well as create another scheduled task that’s configured to run every 60 minutes as a high-privileged SYSTEM user.
This new task, Symantec and Carbon Black said, was capable of loading and injecting unknown code into “csc.exe” that ultimately established communications with a command-and-control (C2) server (“38.180.83[.]166”). Subsequently, the attackers were observed executing a custom loader to unpack and run an unspecified payload, likely a remote access trojan (RAT) in memory.
Also observed was the execution of the legitimate Vipre AV component (“vetysafe.exe”) to sideload a DLL loader (“sbamres.dll”). This component is also said to have been used for DLL side-loading in connection with Deed RAT (aka Snappybee) in prior activity attributed to Salt Typhoon (aka Earth Estries), and in attacks attributed to Earth Longzhi, a sub-cluster of APT41.
“A copy of this malicious DLL was previously used in attacks linked to the China-based threat actors known as Space Pirates,” Broadcom said. “A variant of this component, with a different filename, was also used by that Chinese APT group Kelp (aka Salt Typhoon) in a separate incident.”
Some of the other tools observed in the targeted network included Dcsync and Imjpuexc. It’s not clear how successful the attackers were in their efforts. No additional activity was registered after April 16, 2025.
“It is clear from the activity on this victim that the attackers were aiming to establish a persistent and stealthy presence on the network, and they were also very interested in targeting domain controllers, which could potentially allow them to spread to many machines on the network,” Symantec and Carbon Black said.
“The sharing of tools among groups has been a long-standing trend among Chinese threat actors, making it difficult to say which specific group is behind a set of activities.”
The disclosure comes as a security researcher who goes by the online moniker BartBlaze disclosed Salt Typhoon’s exploitation of a security flaw in WinRAR (CVE-2025-8088) to initiate an attack chain that sideloads a DLL responsible for running shellcode on the compromised host. The final payload is designed to establish contact with a remote server (“mimosa.gleeze[.]com”).
Activity from Other Chinese Hacking Groups
According to a report from ESET, China-aligned groups have continued to remain active, striking entities across Asia, Europe, Latin America, and the U.S. to serve Beijing’s geopolitical priorities. Some of the notable campaigns include –
- The targeting of the energy sector in Central Asia by a threat actor codenamed Speccom in July 2025 via phishing emails to deliver a variant of BLOODALCHEMY and custom backdoors such as kidsRAT and RustVoralix.
- The targeting of European organizations by a threat actor codenamed DigitalRecyclers in July 2025, using an unusual persistence technique that involved the use of the Magnifier accessibility tool to gain SYSTEM privileges.
- The targeting of governmental entities in Latin America (Argentina, Ecuador, Guatemala, Honduras, and Panama) between June and September 2025 by a threat actor codenamed FamousSparrow that likely exploited ProxyLogon flaws in Microsoft Exchange Server to deploy SparrowDoor.
- The targeting of a Taiwanese company in the defense aviation sector, a U.S. trade organization based in China, and the China-based offices of a Greek governmental entity, and an Ecuadorian government body between May and September 2025 by a threat actor codenamed SinisterEye (aka LuoYu and Cascade Panda) to deliver malware like WinDealer (for Windows) and SpyDealer (for Android) using adversary-in-the-middle (AitM) attacks to hijack legitimate software update mechanisms.
- The targeting of a Japanese company and a multinational enterprise, both in Cambodia, in June 2025 by a threat actor codenamed PlushDaemon by means of AitM poisoning to deliver SlowStepper.
“PlushDaemon achieves AitM positioning by compromising network devices such as routers, and deploying a tool that we have named EdgeStepper, which redirects DNS traffic from the targeted network to a remote, attacker-controlled DNS server,” ESET said.
“This server responds to queries for domains associated with software update infrastructure with the IP address of the web server that performs the update hijacking and ultimately serves PlushDaemon’s flagship backdoor, SlowStepper.”
Chinese Hacking Groups Target Misconfigured IIS Servers
In recent months, threat hunters have also spotted a Chinese-speaking threat actor targeting misconfigured IIS servers using publicly exposed machine keys to install a backdoor called TOLLBOOTH (aka HijackServer) that comes with SEO cloaking and web shell capabilities.
“REF3927 abuses publicly disclosed ASP.NET machine keys to compromise IIS servers and deploy TOLLBOOTH SEO cloaking modules globally,” Elastic Security Labs researchers said in a report published late last month. Per HarfangLab, the operation has infected hundreds of servers around the world, with infections concentrated in India and the U.S.
The attacks are also characterized by attempts to weaponize the initial access to drop the Godzilla web shell, execute GotoHTTP remote access tool, use Mimikatz to harvest credentials, and deploy HIDDENDRIVER, a modified version of the open source rootkit Hidden, to conceal the presence of malicious payloads on the infected machine.
It’s worth pointing out that the cluster is the latest addition to a long list of Chinese threat actors, such as GhostRedirector, Operation Rewrite, and UAT-8099, that have targeted IIS servers, indicating a surge in such activity.
“While the malicious operators appear to be using Chinese as their main language and leveraging the compromises to support search engine optimization (SEO), we notice that the deployed module offers a persistent and unauthenticated channel which allows any party to remotely execute commands on affected servers,” the French cybersecurity company said.
