Chinese state-aligned online attackers are back at it, targeting US trade policy wonks as Washington and Beijing spar over economic ties.
Proofpoint said this week that it had spotted a Chinese state-backed crew TA415 – also known as APT41, Wicked Panda or Brass Typhoon – using carefully crafted phishing emails to compromise US government agencies, think tanks, and academic organisations.
The lures were themed around US-China economic and trade policy, and in some cases spoofed the identity of Republican Congressman John Robert Moolenaar, who chairs the House Select Committee on the Chinese Communist Party.
"On behalf of The US-China Business Council (USCBC), we are pleased to extend an invitation to your organization to participate in a closed-door briefing on US-Taiwan and US-China affairs, to be held on August 11, 2025," one of the legitimate-looking emails, sent from "[email protected]", reads. "Due to the sensitive nature of the discussion, the meeting agenda, logistical details, and list of participants are provided in the attached encrypted file."
Rather than dropping noisy malware, the crew relied on subtler methods: password-protected archives carrying a Python loader dubbed WhirlCoil, and developer tools such as Visual Studio Code Remote Tunnels to establish persistence while blending into legitimate network activity. The attackers also leaned on legitimate cloud services like Google Sheets and Zoho WorkDrive for command-and-control to stay under the radar.
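A defender-side check for the persistence pattern described above, added here as an illustration rather than anything from Proofpoint's report: it scans constructed process and network telemetry for the VS Code CLI being run in tunnel mode, egress to the tunnel service, and a Python script launched from a temp directory. The `code tunnel` invocation, the `tunnels.api.visualstudio.com` host suffix and the temp-path heuristic are assumptions to verify against vendor documentation, not indicators from the article.

```python
import re

# Constructed telemetry in a simple key=value format (not Proofpoint's data). Assumptions to
# verify against Microsoft docs: the CLI creates a tunnel via `code tunnel`, and tunnel traffic
# goes to hosts under tunnels.api.visualstudio.com. The temp-path check is a generic loader
# heuristic, not a documented WhirlCoil artefact.
SAMPLE_EVENTS = [
    r'type=process host=ws01 user=alice image=C:\Users\alice\AppData\Local\Programs\vscode\bin\code.exe cmdline="code.exe --version"',
    r'type=process host=ws01 user=alice image=C:\Users\alice\AppData\Local\Temp\vscode-cli\code.exe cmdline="code.exe tunnel --accept-server-license-terms --name ws01"',
    r'type=network host=ws01 user=alice image=C:\Users\alice\AppData\Local\Temp\vscode-cli\code.exe dest=global.rel.tunnels.api.visualstudio.com:443',
    r'type=network host=ws02 user=bob image="C:\Program Files\Mozilla Firefox\firefox.exe" dest=docs.google.com:443',
    r'type=process host=ws03 user=carol image=C:\Python312\python.exe cmdline="python.exe C:\Users\carol\AppData\Local\Temp\7zO1A2B\briefing.py"',
]

TUNNEL_HOST_SUFFIX = "tunnels.api.visualstudio.com"
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one key=value telemetry line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def flag_event(ev):
    """Return a reason tag if the event trips one of the heuristics, else None."""
    image = ev.get("image", "").lower()
    cmdline = ev.get("cmdline", "").lower()
    if ev.get("type") == "process":
        args = cmdline.split()
        # VS Code CLI invoked as `code tunnel`: a developer tool turned into a remote-access channel.
        if image.endswith(("\\code.exe", "/code")) and len(args) > 1 and args[1] == "tunnel":
            return "vscode_tunnel_cli"
        # Python interpreter running a script out of the user's temp directory, where archive
        # tools unpack attachments before the user opens them.
        if image.endswith("\\python.exe") and "\\appdata\\local\\temp\\" in cmdline:
            return "python_from_temp"
    if ev.get("type") == "network":
        host = ev.get("dest", "").rsplit(":", 1)[0].lower()
        if host == TUNNEL_HOST_SUFFIX or host.endswith("." + TUNNEL_HOST_SUFFIX):
            return "vscode_tunnel_egress"
    return None


def scan(lines):
    """Return (host, user, reason) for every telemetry line that matches a heuristic."""
    events = [parse_event(line) for line in lines]
    return [(e.get("host"), e.get("user"), flag_event(e)) for e in events if flag_event(e)]
```

Run against SAMPLE_EVENTS, `scan` flags the tunnel launch, its egress connection and the temp-directory Python script, while the ordinary `code.exe --version` and browser traffic to Google pass clean; feed it real EDR or Sysmon exports after mapping their fields to the same keys.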
Proofpoint's threat research team said the operation's timing was no accident. The campaigns ran through July and August, overlapping with high-level trade negotiations and debates over China policy in Washington. Proofpoint believes the objective was to gather intelligence on the trajectory of US-China economic relations and possible legislative responses.
According to a US government indictment, TA415 is a Chengdu-based outfit that once went by the corporate-sounding moniker Chengdu 404 Network Technology. Prosecutors say the company moonlighted as a contractor for China's cyber-ops machine, rubbing shoulders with other MSS-linked players like I-Soon.
The findings landed just a week after the House Select Committee issued an advisory warning about an "ongoing" series of campaigns linked to Chinese threat actors. That alert said attackers were impersonating Moolenaar and other officials in phishing messages that delivered data-stealing malware to trade policy stakeholders, law firms and government agencies – precisely the targets Proofpoint has now outed.
The group's renewed push underscores Beijing's appetite for timely intelligence as trade talks heat up – and shows once again that China's cyber operators are willing to get creative when it comes to getting it. ®