China-linked hackers target U.S. non-profit in long-term espionage campaign

A China-linked group targeted a U.S. non-profit to gain long-term access, part of wider attacks on U.S. entities tied to policy matters.

China-linked hackers breached a U.S. policy-focused nonprofit in April 2025, maintaining weeks of access. They used DLL sideloading via vetysafe.exe, a tactic used by other Chinese APT groups like Space Pirates, Kelp, and Earth Longzhi (APT41 subgroup). The group leveraged Imjpuexc, a Microsoft file for East Asian input, to mask activity.

“China-linked actors continue to show interest in U.S. organizations with links to or involvement in policy issues, including an intrusion earlier this year into a U.S. non-profit organization that is active in attempting to influence U.S. government policy on international issues.” reads the report published by Broadcom’s Symantec. “The threat actors appeared determined to establish persistence and maintain long-term access to the network when they gained access to it for several weeks in April 2025.”

On April 5, 2025, a mass scan targeted a server with multiple public exploits (Log4j, Atlassian OGNL CVE-2022-26134, Apache Struts CVE-2017-9805, GoAhead RCE CVE-2017-17562, etc.). The activity resumed on April 16 with reconnaissance: the attackers ran repeated curl commands against external sites and against 192.0.0[.]88, indicating connectivity testing and difficulty reaching that host. They ran netstat to enumerate TCP connections, then created a persistent scheduled task, "\Microsoft\Windows\Ras\Outbound", that ran msbuild.exe every hour as SYSTEM to execute an outbound.xml project file, which likely injected code into csc.exe that connected to the C2 at hxxp://38.180.83[.]166/6CDF0FC26CDF0FC2. At 02:50 a custom loader was executed, loading an encrypted payload into memory, likely a RAT.

The attackers abused VipreAV's vetysafe.exe to perform DLL sideloading and install sbamres.dll, a technique linked to China-associated actors such as Space Pirates, Earth Longzhi (an APT41 subgroup), and Kelp.

“The VipreAV component was signed by ‘Sunbelt Software, Inc.’ DLL sideloading is a technique where the attackers use the DLL search order mechanism in Windows to plant and then invoke a legitimate application that executes a malicious DLL payload.” states the report.

“This component was also used for DLL sideloading before in conjunction with Deed RAT (aka Snappy Bee), a China-linked remote access Trojan, in activity that was attributed to Kelp (aka Salt Typhoon, Earth Estries). Deed RAT is believed to be shared among multiple Chinese groups.”

Security teams observed DCSync‑like activity and Imjpuexc on the same day. The attackers stopped all activity after April 16.
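The three behaviours described above (an hourly scheduled task that launches msbuild.exe as SYSTEM, a signed host binary such as vetysafe.exe loading its companion DLL from an unexpected location, and DCSync-like replication requests from a non-DC account) can each be checked against endpoint and domain-controller telemetry. The following Python script is an added example written for this page, not code from Symantec or from the report; it runs three such rules over a few constructed JSON log lines. The event schema, file paths, host names and account names are invented for illustration; the two replication-right GUIDs are the real DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control access rights, and the DC allowlist is an assumed site-specific value.

```python
"""Triage rules for the persistence, sideloading and DCSync-like activity
described in the report, run over constructed sample events (added example)."""
import json

# Constructed sample log: one JSON event per line, loosely modelled on Security
# log / Sysmon fields. Paths, hosts and accounts are invented, not incident data.
SAMPLE_LOG = r"""
{"event":"task_created","host":"WS01","task_name":"\\Microsoft\\Windows\\Ras\\Outbound","command":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe","arguments":"C:\\ProgramData\\outbound.xml","run_as":"SYSTEM","trigger":"PT1H"}
{"event":"task_created","host":"WS01","task_name":"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","command":"C:\\Windows\\System32\\defrag.exe","arguments":"-c -h -o -$","run_as":"SYSTEM","trigger":"weekly"}
{"event":"image_loaded","host":"WS01","process":"C:\\Users\\Public\\Libraries\\vetysafe.exe","image":"C:\\Users\\Public\\Libraries\\sbamres.dll","image_signed":false}
{"event":"image_loaded","host":"WS02","process":"C:\\Program Files\\VIPRE\\vetysafe.exe","image":"C:\\Program Files\\VIPRE\\sbamres.dll","image_signed":true}
{"event":"object_access","host":"DC01","subject":"CORP\\jdoe","object_type":"domainDNS","properties":"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}
{"event":"object_access","host":"DC01","subject":"CORP\\DC02$","object_type":"domainDNS","properties":"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}
"""

# Control access rights requested by DCSync-style replication
# (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
}
# Machine accounts that legitimately replicate: assumed, site-specific allowlist.
KNOWN_DCS = {"CORP\\DC01$", "CORP\\DC02$"}
# Sideloading host binaries named in the report and the DLL each pulls in by
# search order. Extend with other known host/DLL pairs as needed.
SIDELOAD_HOSTS = {"vetysafe.exe": "sbamres.dll"}
# Directories where a legitimately installed copy of the DLL would live.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def rule_msbuild_task(ev):
    """Scheduled task that runs msbuild.exe as SYSTEM (MSBuild project abuse)."""
    if ev.get("event") != "task_created":
        return None
    if basename(ev.get("command", "")) == "msbuild.exe" and ev.get("run_as", "").upper() == "SYSTEM":
        return f"task {ev['task_name']} runs msbuild.exe as SYSTEM with {ev.get('arguments')}"
    return None


def rule_dll_sideload(ev):
    """Known sideloading host loading its companion DLL from an untrusted
    directory or an unsigned copy of it."""
    if ev.get("event") != "image_loaded":
        return None
    expected = SIDELOAD_HOSTS.get(basename(ev.get("process", "")))
    image = ev.get("image", "")
    if not expected or basename(image) != expected:
        return None
    in_trusted_dir = image.lower().startswith(TRUSTED_DIRS)
    if not in_trusted_dir or not ev.get("image_signed", False):
        return f"{basename(ev['process'])} loaded {image} (signed={ev.get('image_signed')})"
    return None


def rule_dcsync_like(ev):
    """Directory replication rights requested by an account that is not a
    known domain controller."""
    if ev.get("event") != "object_access":
        return None
    # The properties field may hold several GUIDs wrapped in braces.
    guids = set(ev.get("properties", "").lower().replace("{", " ").replace("}", " ").split())
    if not guids & REPLICATION_RIGHTS:
        return None
    subject = ev.get("subject", "")
    if subject in KNOWN_DCS:
        return None
    return f"{subject} requested directory replication rights on {ev['host']}"


RULES = [rule_msbuild_task, rule_dll_sideload, rule_dcsync_like]


def triage(log_text):
    """Return (rule name, host, detail) for every event that matches a rule."""
    alerts = []
    for ev in parse_events(log_text):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((rule.__name__, ev.get("host"), hit))
    return alerts


if __name__ == "__main__":
    for name, host, detail in triage(SAMPLE_LOG):
        print(f"[{name}] {host}: {detail}")
```

Run against the constructed log, the script raises exactly one alert per behaviour and stays silent on the benign defrag task, the properly installed signed DLL, and the replication request from an allowlisted DC account. The DC allowlist is the part to adapt: a stricter deployment would derive it from the domain's actual DC computer accounts rather than a hard-coded set.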

“It is clear from the activity on this victim that the attackers were aiming to establish a persistent and stealthy presence on the network, and they were also very interested in targeting domain controllers, which could potentially allow them to spread to many machines on the network.” continues the report. “China-linked groups have always had a focus on espionage activity, and in monitoring foreign governments’ attitudes and policies toward China.”

Pierluigi Paganini

(SecurityAffairs – hacking, China)