A sophisticated cyber attack attributed to a China-linked threat actor aimed to establish long-term persistence within a U.S. non-profit organization. This incident, detailed in a report from Broadcom’s Symantec and Carbon Black teams, is believed to be part of a broader campaign targeting U.S. entities involved in policy discussions on international matters, highlighting the growing concern over state-sponsored cyber espionage.
A U.S. non-profit organization actively engaged in influencing international policy was recently the target of a sophisticated cyber attack by a China-linked threat actor. The attackers sought to gain and maintain a persistent presence on the organization’s network, as revealed by a joint report from Broadcom’s Symantec and Carbon Black teams. The breach, which saw the attackers gain access for several weeks in April 2025, underscores the persistent threat of state-sponsored cyber operations targeting organizations involved in geopolitical and policy-related work.
China-Linked Threat Actor Targets U.S. Non-Profit for Long-Term Persistence
The initial signs of malicious activity were detected on April 5, 2025, with extensive server scanning employing well-known exploits such as CVE-2022-26134 (Atlassian), CVE-2021-44228 (Apache Log4j), CVE-2017-9805 (Apache Struts), and CVE-2017-17562 (GoAhead Web Server). While Symantec and Carbon Black indicated no evidence of these specific exploits being successful, it is suspected that the attackers ultimately achieved initial access through brute-force or credential stuffing methods. This approach allows attackers to bypass the need for exploiting publicly known vulnerabilities.
Further actions were observed on April 16, beginning with the execution of several curl commands to test internet connectivity. Subsequently, the Windows command-line tool netstat was used to gather network configuration details. To establish persistence, the attackers created a scheduled task designed to execute a legitimate Microsoft binary, “msbuild.exe,” to run an unknown payload. This was followed by the creation of another scheduled task, configured to run every 60 minutes with high privileges as a SYSTEM user.
This newly established task possessed the capability to load and inject undisclosed code into “csc.exe.” This process ultimately led to the establishment of communication with a command-and-control (C2) server located at “38.180.83[.]166.” The attackers were also observed utilizing a custom loader to unpack and execute an unspecified payload in memory, strongly suggesting the deployment of a remote access trojan (RAT).
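As an added defender-side example (written here, not code from the Symantec/Carbon Black report), the following Python hunts exported scheduled-task definitions for the persistence pattern described above: an action that launches msbuild.exe or csc.exe, an elevated SYSTEM principal, and a repetition interval of 60 minutes or less. The two task XML samples, their names and file paths are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOLBINS = {"msbuild.exe", "csc.exe"}  # the two build binaries named in the report
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}
# Constructed sample task definitions in Task Scheduler XML (the <Content> field of a
# Security Event 4698). Task names, file paths and the build-file argument are invented.
SAMPLE_TASKS = {
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag":
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Triggers><CalendarTrigger><ScheduleByWeek/></CalendarTrigger></Triggers>"
        "<Principals><Principal><UserId>S-1-5-18</UserId><RunLevel>LeastPrivilege</RunLevel></Principal>"
        "</Principals><Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec></Actions></Task>",
    "\\Updater":
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Triggers><TimeTrigger><Repetition><Interval>PT60M</Interval></Repetition></TimeTrigger></Triggers>"
        "<Principals><Principal><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>"
        "</Principals><Actions><Exec><Command>C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"
        "</Command><Arguments>C:\\Users\\Public\\build.xml</Arguments></Exec></Actions></Task>",
}

def interval_minutes(iso):
    """Task Scheduler repetition interval (PT1H, PT60M, PT1H30M) -> minutes, or None if absent."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", iso or "")
    return int(m.group(1) or 0) * 60 + int(m.group(2) or 0) if m and any(m.groups()) else None

def parse_task(xml_text):
    """Extract the action, principal and repetition interval from one task definition."""
    root = ET.fromstring(xml_text)
    text = lambda path: (root.findtext(path, default="", namespaces=NS) or "").strip()
    return {"command": text(".//t:Actions/t:Exec/t:Command"),
            "user": text(".//t:Principals/t:Principal/t:UserId").upper(),
            "run_level": text(".//t:Principals/t:Principal/t:RunLevel"),
            "interval_min": interval_minutes(text(".//t:Triggers//t:Repetition/t:Interval"))}

def suspicious_reasons(task):
    """Flag tasks whose action is a build LOLBin; the remaining checks add triage context."""
    exe = task["command"].rsplit("\\", 1)[-1].lower()
    if exe not in LOLBINS:
        return []
    reasons = [f"action runs {exe}"]
    if task["user"] in SYSTEM_IDS and task["run_level"] == "HighestAvailable":
        reasons.append("runs elevated as SYSTEM")
    if task["interval_min"] is not None and task["interval_min"] <= 60:
        reasons.append(f"repeats every {task['interval_min']} min")
    return reasons

def hunt(tasks):
    """Map task name -> reasons for every task definition that matches the pattern."""
    found = {name: suspicious_reasons(parse_task(xml)) for name, xml in tasks.items()}
    return {name: why for name, why in found.items() if why}
```

On a live host the same functions can be fed the XML that `schtasks /query /xml` or the Task Scheduler event log exports, with the LOLBIN set extended to whatever other build or scripting hosts are unexpected in the environment.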
The attackers also leveraged the legitimate Vipre AV component, “vetysafe.exe,” to perform DLL side-loading with a malicious DLL loader, “sbamres.dll.” This same technique has been previously linked to the threat actor known as Salt Typhoon (also referred to as Earth Estries) in connection with Deed RAT (aka Snappybee), and to Earth Longzhi, a sub-cluster of APT41. Broadcom noted that a copy of this malicious DLL was previously used in attacks associated with China-based threat actors known as Space Pirates, and a variant was also employed by the Chinese APT group Kelp (aka Salt Typhoon) in a separate incident.
Other tools observed within the compromised network included Dcsync and Imjpuexc. The extent of the attackers’ ultimate success remains unclear, as no further activity was recorded after April 16, 2025. Symantec and Carbon Black emphasized that the attackers’ objective was to establish a persistent and stealthy network presence and to target domain controllers, which would have provided a pathway to infect numerous other machines on the network. The report also highlighted the ongoing trend of tool sharing among Chinese threat actors, making definitive attribution challenging.
Broader Activity from Chinese Hacking Groups
The incident with the U.S. non-profit comes amidst a period of heightened activity from various China-aligned hacking groups, according to a report from ESET. These groups have been observed conducting operations across Asia, Europe, Latin America, and the U.S., aligning with Beijing’s geopolitical objectives. Notable campaigns include:
- The targeting of Central Asia’s energy sector by a threat actor codenamed Speccom (aka IndigoZebra or SMAC) in July 2025, utilizing phishing emails to deploy BLOODALCHEMY variants and custom backdoors like kidsRAT and RustVoralix.
- European organizations were targeted in July 2025 by DigitalRecyclers, who employed an unconventional persistence method using the Magnifier accessibility tool to gain SYSTEM privileges.
- Between June and September 2025, governmental entities in Argentina, Ecuador, Guatemala, Honduras, and Panama were targeted by FamousSparrow, likely exploiting ProxyLogon flaws in Microsoft Exchange Server to deploy SparrowDoor.
- A Taiwanese defense aviation company, a U.S. trade organization operating in China, the China-based offices of a Greek governmental entity, and an Ecuadorian government body were targeted between May and September 2025 by SinisterEye (aka LuoYu and Cascade Panda). These attacks used adversary-in-the-middle (AitM) strategies to hijack legitimate software updates and deliver malware such as WinDealer and SpyDealer.
- A Japanese company and a multinational enterprise in Cambodia were compromised in June 2025 by PlushDaemon via AitM poisoning to deliver the SlowStepper backdoor. PlushDaemon achieves AitM positioning by compromising network devices like routers and deploying a tool named EdgeStepper to redirect DNS traffic to attacker-controlled servers.
Chinese Hacking Groups Target Misconfigured IIS Servers
In parallel, threat hunters have recently identified a Chinese-speaking threat actor exploiting misconfigured Internet Information Services (IIS) servers. By leveraging publicly exposed machine keys, the actor, referred to as REF3927, deploys a backdoor named TOLLBOOTH (aka HijackServer), which includes SEO cloaking and web shell functionalities. Elastic Security Labs reported that this operation has infected hundreds of servers globally, with significant concentrations in India and the U.S.
These attacks also involve weaponizing initial access to deploy the Godzilla web shell, execute the GotoHTTP remote access tool, use Mimikatz for credential harvesting, and deploy HIDDENDRIVER, a modified version of the open-source rootkit Hidden, to conceal malicious payloads. Per HarfangLab, the operation has infected hundreds of servers around the world.
The REF3927 cluster represents the latest in a series of Chinese threat actors, including GhostRedirector, Operation Rewrite, and UAT-8099, that have targeted IIS servers, indicating a notable increase in such attacks. While the operators appear to use Chinese as their primary language and leverage compromises for SEO purposes, the deployed module provides a persistent, unauthenticated channel for remote command execution on affected servers, according to the French cybersecurity company.
The ongoing, multifaceted cyber activities attributed to China-linked groups underscore a persistent and evolving threat to organizations involved in policy, critical infrastructure, and international trade. The continuous development and adaptation of attack vectors, coupled with the observed sharing of tools and techniques among different threat clusters, present a significant challenge for cybersecurity professionals and necessitate ongoing vigilance and robust defense strategies.