
Last Updated: April 3, 2025


China-Linked Actors Target U.S. Policy-Oriented Non-Profit Organisations

Type: Campaign
Actors: APT41
Pub. date: November 5, 2025
Initial access: 1-day vulnerability
Impact: Data exfiltration
Observed techniques: Vulnerability exploitation
Targeted technologies: Apache Struts, Confluence Server
References: https://www.security.com/threat-intelligence/china-apt-us-policy
Status: Finalized
Last edited: Nov 13, 2025 2:19 PM

A China-linked espionage campaign targeted a U.S. non-profit organization engaged in influencing government policy, maintaining weeks of access in April 2025. The intrusion leveraged legitimate binaries for DLL sideloading and persistence, consistent with techniques observed in operations by groups such as APT41, Kelp (Salt Typhoon), and Space Pirates.

The attack began with widespread scanning activity on April 5, exploiting known vulnerabilities in Atlassian Confluence (CVE-2022-26134), Log4j (CVE-2021-44228), Apache Struts (CVE-2017-9805), and GoAhead (CVE-2017-17562). Subsequent attacker activity on April 16 involved testing network connectivity via multiple curl commands, internal reconnaissance with netstat, and persistence through a scheduled task invoking msbuild.exe every 60 minutes. The task executed a malicious XML file that loaded code into csc.exe, which connected to a remote C2 server (hxxp://38.180.83[.]166/6CDF0FC26CDF0FC2).

Attackers also executed a custom loader (SHA-256: f52b86b599d7168d3a41182ccd89165e0d1f2562aa7363e0718d502b7e3fcb69), likely to deploy a remote access trojan. DLL sideloading was performed using a legitimate VipreAV component (vetysafe.exe) to load a malicious DLL (sbamres.dll), a tactic tied to prior operations. Additional tools included Imjpuexc.exe for keyboard input manipulation and a likely variant of DCSync to extract domain credentials, suggesting an intent to expand control across the network.
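The persistence chain (scheduled task running msbuild.exe, code compiled into csc.exe, outbound connection to the C2) and the vetysafe.exe/sbamres.dll sideload described in the two paragraphs above translate directly into endpoint detection logic. The following is an added example, not Wiz's code and not code from the referenced report: it runs a handful of rules over constructed telemetry events. The Event schema is an assumption loosely modelled on Sysmon process-creation, network and image-load events; the file paths, task name and benign IP in the sample data are constructed, while the C2 address (refanged from the defanged form on the page), the loader hash and the sideload pair are the indicators given in the summary.

```python
"""Detection rules for the behaviours described in the incident summary,
run over constructed sample events. Not the report's or Wiz's code."""
from dataclasses import dataclass

# Indicators taken from the incident summary.
KNOWN_C2_IPS = {"38.180.83.166"}  # written on the page as 38.180.83[.]166
LOADER_SHA256 = {"f52b86b599d7168d3a41182ccd89165e0d1f2562aa7363e0718d502b7e3fcb69"}
SIDELOAD_PAIRS = {("vetysafe.exe", "sbamres.dll")}  # signed host -> abused DLL


@dataclass
class Event:
    kind: str                 # "process", "network" or "image_load" (assumed schema)
    image: str                # full path of the acting process
    parent_image: str = ""
    command_line: str = ""
    dest_ip: str = ""
    loaded_module: str = ""
    sha256: str = ""


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of both path separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (rule_name, detail) tuples for every event that matches a rule."""
    findings = []
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        cmd = e.command_line.lower()
        if e.kind == "process":
            # Persistence: schtasks creating a task whose action is msbuild.exe.
            if img == "schtasks.exe" and "/create" in cmd and "msbuild" in cmd:
                findings.append(("scheduled_task_msbuild", e.command_line))
            # MSBuild inline tasks are compiled by csc.exe; outside a build host
            # this parent/child pair deserves a look on its own.
            if parent == "msbuild.exe" and img == "csc.exe":
                findings.append(("msbuild_spawned_csc", e.image))
            if e.sha256.lower() in LOADER_SHA256:
                findings.append(("known_loader_hash", e.image))
        elif e.kind == "network":
            if e.dest_ip in KNOWN_C2_IPS:
                findings.append(("known_c2", f"{img} -> {e.dest_ip}"))
            # A compiler has no legitimate reason to open outbound connections.
            if img == "csc.exe":
                findings.append(("compiler_network", f"{img} -> {e.dest_ip}"))
        elif e.kind == "image_load":
            if (img, basename(e.loaded_module)) in SIDELOAD_PAIRS:
                findings.append(("dll_sideload", f"{img} loaded {e.loaded_module}"))
    return findings


# Constructed sample telemetry; paths, task name and the benign IP are made up.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\schtasks.exe",
          command_line=r'schtasks /create /sc minute /mo 60 /tn "Updater" '
                       r'/tr "msbuild.exe C:\constructed\task.xml"'),
    Event("process", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
          parent_image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"),
    Event("network", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
          dest_ip="38.180.83.166"),
    Event("process", r"C:\constructed\loader.exe",
          sha256="f52b86b599d7168d3a41182ccd89165e0d1f2562aa7363e0718d502b7e3fcb69"),
    Event("image_load", r"C:\constructed\vetysafe.exe",
          loaded_module=r"C:\constructed\sbamres.dll"),
    Event("network", r"C:\Program Files\Browser\browser.exe", dest_ip="203.0.113.5"),  # benign
]


def sample_findings():
    """Run the rules over the constructed events."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in sample_findings():
        print(f"[{rule}] {detail}")
```

On a developer or CI machine msbuild.exe spawning csc.exe is routine, so that rule should be scoped to hosts where no build tooling is expected; the stronger signals are the scheduled-task creation, a compiler process making network connections, and the exact sideload pair, which hold regardless of host role.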