A China-linked group targeted a U.S. non-profit to gain long-term access, part of wider attacks on U.S. entities tied to policy matters.
China-linked hackers breached a U.S. policy-focused nonprofit in April 2025, maintaining weeks of access. They used DLL sideloading via vetysafe.exe, a tactic used by other Chinese APT groups like Space Pirates, Kelp, and Earth Longzhi (APT41 subgroup). The group leveraged Imjpuexc, a Microsoft file for East Asian input, to mask activity.
“China-linked actors continue to show interest in U.S. organizations with links to or involvement in policy issues, including an intrusion earlier this year into a U.S. non-profit organization that is active in attempting to influence U.S. government policy on international issues,” reads the report published by Broadcom’s Symantec. “The threat actors appeared determined to establish persistence and maintain long-term access to the network when they gained access to it for several weeks in April 2025.”
On April 5, 2025, a mass scan targeted a server with multiple public exploits (Log4j, Atlassian OGNL CVE-2022-26134, Apache Struts CVE-2017-9805, GoAhead RCE CVE-2017-17562, etc.). The activity resumed on April 16 with reconnaissance: the attackers used repeated curl commands to external sites and to 192.0.0[.]88, indicating connectivity testing and difficulties reaching that host. They ran netstat to enumerate TCP connections, then created a persistent scheduled task named “MicrosoftWindowsRasOutbound” that ran msbuild.exe every hour as SYSTEM to execute an outbound.xml project file, which likely injected code into csc.exe that connected to the C2 at hxxp://38.180.83[.]166/6CDF0FC26CDF0FC2. At 02:50 a custom loader was executed, loading an encrypted payload into memory, likely a RAT.
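As an added defender-side example (not code from the Symantec report or this article), the following Python hunt parses Task Scheduler XML exports and flags the persistence pattern described above: a task whose action is msbuild.exe fed a project file, running as SYSTEM on a repeating trigger. The two task definitions and the outbound.xml path are constructed samples.

```python
"""Hunt Task Scheduler XML exports for MSBuild proxy-execution persistence."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_SID = "S-1-5-18"
# .NET build/compile binaries that execute code from an attacker-supplied project file.
PROXY_BINARIES = {"msbuild.exe", "csc.exe", "installutil.exe"}
PROJECT_EXTENSIONS = (".xml", ".csproj", ".proj", ".targets")

# Constructed sample exports (shape of `schtasks /query /xml`), not data from the report.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h</Arguments></Exec></Actions>
</Task>"""
# Modelled on the hourly SYSTEM task from the article; the project path is a placeholder.
SUSPECT_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-04-16T00:00:00</StartBoundary>
    <Repetition><Interval>PT1H</Interval></Repetition></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions><Exec><Command>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe</Command>
    <Arguments>C:\ProgramData\outbound.xml</Arguments></Exec></Actions>
</Task>"""
SAMPLE_TASKS = {r"\Microsoft\Windows\Defrag\ScheduledDefrag": BENIGN_TASK,
                r"\MicrosoftWindowsRasOutbound": SUSPECT_TASK}

def find_suspicious_tasks(task_xml_by_name):
    """Return {task_name: [reasons]} for tasks whose action is a build binary
    fed a project file; SYSTEM principal and repetition raise the confidence."""
    findings = {}
    for name, xml_text in task_xml_by_name.items():
        root = ET.fromstring(xml_text)
        reasons = []
        for exec_node in root.findall(".//t:Actions/t:Exec", NS):
            command = exec_node.findtext("t:Command", "", NS).strip().strip('"')
            arguments = exec_node.findtext("t:Arguments", "", NS)
            if PureWindowsPath(command).name.lower() not in PROXY_BINARIES:
                continue
            reasons.append(f"action runs {PureWindowsPath(command).name}")
            if any(tok.lower().endswith(PROJECT_EXTENSIONS) for tok in arguments.split()):
                reasons.append(f"project file supplied as argument: {arguments.strip()}")
        if not reasons:
            continue
        if root.findtext(".//t:Principals/t:Principal/t:UserId", "", NS) == SYSTEM_SID:
            reasons.append("runs as SYSTEM")
        if root.find(".//t:Triggers//t:Repetition/t:Interval", NS) is not None:
            reasons.append("repeating trigger, beacon-style persistence")
        findings[name] = reasons
    return findings
```

On a live host, feed the function the output of `schtasks /query /xml` for each task; the benign defrag task is ignored while the msbuild task is reported with all four reasons.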
The attackers abused VipreAV’s vetysafe.exe to perform DLL sideloading and install sbamres.dll, a technique linked to China‑associated actors such as Space Pirates and Earth Longzhi/APT41 subgroups including Kelp.
“The VipreAV component was signed by ‘Sunbelt Software, Inc.’ DLL sideloading is a technique where the attackers use the DLL search order mechanism in Windows to plant and then invoke a legitimate application that executes a malicious DLL payload,” states the report.
“This component was also used for DLL sideloading before in conjunction with Deed RAT (aka Snappy Bee), a China-linked remote access Trojan, in activity that was attributed to Kelp (aka Salt Typhoon, Earth Estries). Deed RAT is believed to be shared among multiple Chinese groups.”
Security teams observed DCSync‑like activity and Imjpuexc on the same day. The attackers stopped all activity after April 16.
“It is clear from the activity on this victim that the attackers were aiming to establish a persistent and stealthy presence on the network, and they were also very interested in targeting domain controllers, which could potentially allow them to spread to many machines on the network,” continues the report. “China-linked groups have always had a focus on espionage activity, and in monitoring foreign governments’ attitudes and policies toward China.”
Pierluigi Paganini
(SecurityAffairs – hacking, China)
