
China-Linked Hackers Target U.S. Entities in Long-Term Espionage Campaigns

  • Nov 8, 2025
  • 2 min read

Key Findings


  • China-linked hackers targeted a U.S. non-profit organization in a long-term espionage campaign.

  • The group gained access to the network for several weeks in April 2025 and used various techniques to establish persistence and maintain long-term access.

  • The attackers leveraged DLL sideloading via the vetysafe.exe application, a tactic commonly associated with China-linked APT groups such as Space Pirates, Kelp, and Earth Longzhi (a subgroup of APT41).

  • The group also used Imjpuexc, a legitimate Microsoft executable for East Asian language input, to mask their activity.

  • The hackers were interested in targeting domain controllers, potentially allowing them to spread to many machines on the network.


Background


China-linked actors have a history of targeting U.S. organizations with links to or involvement in policy issues, as part of their espionage efforts. This latest intrusion into a U.S. non-profit organization active in attempting to influence U.S. government policy on international issues is another example of this trend.


Intrusion Details


  • On April 5, 2025, a mass scan hit a server with multiple public exploits, including ones for Log4j, Atlassian OGNL (CVE-2022-26134), Apache Struts (CVE-2017-9805), and GoAhead RCE (CVE-2017-17562).

  • The activity resumed on April 16 with reconnaissance, including repeated curl commands to external sites and to 192.0.0[.]88, suggesting connectivity testing and difficulty reaching that host.

  • The attackers ran netstat to enumerate TCP connections, then created a persistent scheduled task, "\Microsoft\Windows\Ras\Outbound", that ran msbuild.exe as SYSTEM every hour to build outbound.xml, a project file that likely injected code into csc.exe to connect to a command-and-control server.

  • At 02:50, a custom loader was executed, loading an encrypted payload into memory, likely a remote access tool (RAT).

  • The attackers abused VipreAV's vetysafe.exe to sideload sbamres.dll, a DLL sideloading technique linked to China-associated actors including Space Pirates, Kelp, and Earth Longzhi (an APT41 subgroup).

  • Security teams also observed DCSync-like activity and the use of Imjpuexc on the same day.
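The hourly msbuild.exe scheduled task described above is a pattern a defender can hunt for in exported Task Scheduler XML (the files under C:\Windows\System32\Tasks, or the output of schtasks /query /xml). The following is an added example, not code from the original write-up or its sources; the watch-list of proxy-execution binaries beyond msbuild.exe, the one-hour interval threshold and both task definitions are constructed assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_SID = "S-1-5-18"
# Assumed watch-list of build/script hosts commonly abused to proxy execution.
LOLBINS = {"msbuild.exe", "installutil.exe", "regsvcs.exe", "regasm.exe", "mshta.exe"}

def iso_duration_minutes(value):
    """ISO-8601 duration such as PT1H or PT30M -> minutes (days/hours/minutes only)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", value or "")
    return None if not m else sum(int(x or 0) * k for x, k in zip(m.groups(), (1440, 60, 1)))

def analyze_task(task_xml):
    """Return indicators found in one Task Scheduler XML definition ([] if none)."""
    root = ET.fromstring(task_xml)
    findings = []
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exe.findtext("t:Command", "", NS) or "").strip().strip('"')
        args = (exe.findtext("t:Arguments", "", NS) or "").lower()
        binary = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if binary in LOLBINS:
            findings.append("lolbin:" + binary)
        if binary == "msbuild.exe" and ".xml" in args:
            findings.append("msbuild-project-file")  # inline-task projects compile and run C#
    if (root.findtext(".//t:Principal/t:UserId", "", NS) or "").strip().upper() == SYSTEM_SID:
        findings.append("runs-as-system")
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        minutes = iso_duration_minutes(interval.text)
        if minutes is not None and 0 < minutes <= 60:
            findings.append(f"repeats-every-{minutes}m")
    return findings

def is_suspicious(task_xml):
    """LOLBin action combined with SYSTEM context or a beacon-like repeat interval."""
    f = analyze_task(task_xml)
    return any(x.startswith("lolbin:") for x in f) and any(x == "runs-as-system" or x.startswith("repeats-every-") for x in f)
# Constructed definitions: one modelled on the hourly msbuild.exe task above, one benign.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><CalendarTrigger><Repetition><Interval>PT1H</Interval></Repetition>
<StartBoundary>2025-04-16T02:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
</CalendarTrigger></Triggers>
<Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
<Actions Context="Author"><Exec><Command>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe</Command>
<Arguments>C:\ProgramData\outbound.xml</Arguments></Exec></Actions></Task>"""
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary>
<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
<Principals><Principal id="Author"><UserId>CORP\backupsvc</UserId></Principal></Principals>
<Actions Context="Author"><Exec><Command>C:\Tools\backup.exe</Command></Exec></Actions></Task>"""
```

Running analyze_task over every exported task and triaging the is_suspicious hits surfaces this persistence style without relying on the task name, which the attackers chose to blend in with legitimate Microsoft task folders.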


Attacker Objectives


The activity on the victim network suggests that the attackers were aiming to establish a persistent and stealthy presence, with a particular interest in domain controllers. Control of a domain controller could have allowed them to spread to many machines on the network and gain broader access.


China-linked groups have a history of focusing on espionage activities, including monitoring foreign governments' attitudes and policies toward China. This intrusion into a U.S. non-profit organization is likely part of a wider effort to gather intelligence and influence policy-related matters.


Sources


  • https://securityaffairs.com/184351/apt/china-linked-hackers-target-u-s-non-profit-in-long-term-espionage-campaign.html

  • https://www.facebook.com/HackRead/posts/china-linked-hackers-known-as-storm-1849-are-actively-targeting-the-cisco-asa-fi/1385750373550536/

© 2025 by Explain IT Again
