China-Linked Espionage Intrusion at U.S. Policy Non-Profit
A China-linked advanced persistent threat (APT) group infiltrated a U.S. non-profit organization focused on influencing U.S. government policy on international issues, maintaining access for several weeks in April 2025. The attackers initiated their campaign with mass scanning on April 5, targeting one of the organization's servers with multiple public exploits, including those for Log4j, Atlassian OGNL, Apache Struts, and GoAhead Web Server. After a brief pause, activity resumed on April 16 with connectivity tests and network reconnaissance, followed by the establishment of persistence through a scheduled task that executed msbuild.exe as SYSTEM every hour. This task likely injected code into csc.exe, which then communicated with a command-and-control server at 38.180.83[.]166. The attackers also used DLL sideloading via the legitimate VipreAV component vetysafe.exe to load a malicious DLL (sbamres.dll), a technique previously associated with other Chinese APT groups.
The intrusion demonstrated a focus on stealth and long-term access, with the use of legitimate binaries and scheduled tasks to evade detection. The attackers' tactics, including the use of Imjpuexc (a Microsoft file for East Asian input) to mask activity and the deployment of a custom loader to execute an encrypted payload (likely a remote access trojan) in memory, align with methods seen in other campaigns attributed to Chinese state-sponsored actors. The operation is part of a broader pattern of Chinese cyber-espionage targeting U.S. organizations involved in policy matters, leveraging both legacy and recent vulnerabilities to gain initial access and maintain persistence within high-value networks.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
ESET details broader 2025 China-aligned campaigns and IIS abuse
By 2025-11-07, reporting also highlighted multiple China-aligned campaigns observed across regions in 2025, including exploitation of misconfigured IIS servers with exposed ASP.NET machine keys. Attackers used this access to deploy the TOLLBOOTH (HijackServer) backdoor, enabling SEO cloaking and web shell functionality.
Researcher reports Salt Typhoon exploiting WinRAR flaw CVE-2025-8088
By 2025-11-07, separate research reported Salt Typhoon exploiting the WinRAR vulnerability CVE-2025-8088 to sideload a DLL that runs shellcode and beacons to mimosa.gleeze[.]com. This was presented as a related development in ongoing China-linked intrusion activity.
Symantec and Carbon Black attribute campaign to China-linked actor
By 2025-11-07, Broadcom's Symantec and Carbon Black teams publicly attributed the espionage campaign against the U.S. non-profit to a China-linked threat actor. Researchers said tooling overlapped with several China-nexus clusters, including Salt Typhoon, Earth Estries, Earth Longzhi, Space Pirates, and Kelp, making precise attribution difficult.
Attackers abuse Vipre component for DLL sideloading
During the April 2025 intrusion, the threat actor used the legitimate Vipre antivirus component vetysafe.exe to sideload a malicious DLL named sbamres.dll. This added another stealth mechanism for maintaining access and executing malicious code in the compromised environment.
Intruders expand access and deploy persistence on victim network
On 2025-04-16, the attackers progressed to host reconnaissance, established scheduled-task persistence, and likely executed an in-memory remote access trojan. They also used living-off-the-land techniques, including msbuild.exe and code injection into csc.exe, to communicate with command-and-control infrastructure.
China-linked attackers begin mass scanning of U.S. non-profit
On 2025-04-05, attackers began broad scanning activity against a U.S. non-profit involved in influencing U.S. government policy on international issues. The intrusion leveraged multiple known vulnerabilities, including Log4j and Atlassian Confluence flaws, as initial access vectors.
Sources
China APT Infiltrates US Policy Nonprofit in Months-Long Espionage Campaign Using DLL Sideloading (securityonline.info)
China-linked hackers target U.S. non-profit in long-term espionage campaign (securityaffairs.com)
From Log4j to IIS, China's Hackers Turn Legacy Bugs into Global Espionage Tools (thehackernews.com)