Recent compromise of a non-profit organization reflects continued interest in U.S. policy.
Analysis Summary
# Threat Actor: Unspecified China-linked Actors (Shared TTPs)
## Attribution & Identity
The activity is attributed to China-linked threat actors. The specific TTPs observed have been previously linked to multiple Chinese actor groups, making definitive single attribution difficult.
**Known Aliases and Associated Groups:** Kelp (aka Salt Typhoon), Space Pirates, and APT41 (believed to be the parent group of Earth Longzhi, which used a similar technique).
## Activity Summary
The actors compromised a U.S. non-profit organization that works to influence U.S. government policy on international issues. The intrusion occurred in April 2025 and lasted several weeks. The primary objective appeared to be establishing a stealthy, long-term presence on the network. Initial access followed scanning of an internet-facing server for known vulnerabilities (listed below).
## Tactics, Techniques & Procedures
- **Initial Access:** Mass scanning for well-known, long-patched vulnerabilities, including:
  - Atlassian Confluence OGNL injection (CVE-2022-26134)
  - Apache Log4j "Log4Shell" (CVE-2021-44228)
  - Apache Struts REST plugin deserialization (CVE-2017-9805)
  - GoAhead web server RCE (CVE-2017-17562)
- **Reconnaissance/Discovery:** Execution of `curl` commands to test internet connectivity, followed by pinging internal systems and running `netstat` to enumerate active network connections and listening ports.
- **Persistence:** Creation of a scheduled task (`schtasks /create`) named `\Microsoft\Windows\Ras\Outbound`, placed under a built-in Microsoft task folder to blend in, configured to run every 60 minutes as `SYSTEM`, and using the legitimate .NET build tool `msbuild.exe` to execute an XML project file (`outbound.xml`).
- **Defense Evasion/Execution:**
  - Use of the legitimate `vetysafe.exe` binary to sideload a malicious DLL named `sbamres.dll` (this specific pairing has previously been linked to Space Pirates).
  - Use of a variant of a sideloading component previously linked to the Kelp group.
  - Use of `Imjpuexc` (a legitimate Microsoft IME executable for East Asian language input) in the attack chain.
- **Execution/Infection:** `msbuild.exe` loaded and injected unidentified code into the C# compiler `csc.exe`, which then connected to the C2 server.
- **Defense Evasion:** Execution of a custom loader via a second scheduled task, recorded as `csidl_SYSTEMX86\msascui.exe MicrosoftRuntime`. The loader was placed under the file name of the legitimate Windows Defender UI binary (`MSASCui.exe`) and loaded an encrypted file into memory.
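The scheduled-task persistence described above leaves a recognisable footprint in the task's own XML definition, which `schtasks /query /tn "\Microsoft\Windows\Ras\Outbound" /xml` exports. The following script is an added example (not the report's or the vendor's tooling) that parses such an export and flags the traits the report describes: a `SYSTEM` principal, registration under `\Microsoft\Windows\Ras\`, an `msbuild.exe` action pointed at a project file, and an hourly repetition interval. The two task definitions embedded below are constructed for this example; in particular the on-disk location of `outbound.xml` is an assumption, since the report does not give it.

```python
"""Hunt exported Task Scheduler XML for the persistence traits described in the report.

Added example; not code from the report. Sample XML is constructed. The XML
declaration that schtasks prints (encoding="UTF-16") is omitted here so the
strings parse directly.
"""
import re
import xml.etree.ElementTree as ET
from ntpath import basename

NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}
SCRIPT_HOSTS = {"msbuild.exe"}                      # LOLBINs that execute an attacker-supplied file
PROJECT_EXT = (".xml", ".proj", ".csproj", ".targets")


def _minutes(iso_duration):
    """Convert a Task Scheduler repetition interval (PT60M, PT1H30M) to minutes."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", (iso_duration or "").strip())
    if not m:
        return None
    hours, mins, _secs = (int(x) if x else 0 for x in m.groups())
    return hours * 60 + mins


def analyze_task(xml_text):
    """Return a list of finding tags for one exported task definition."""
    root = ET.fromstring(xml_text)
    ns = {"t": NS}

    def text(path):
        return (root.findtext(path, default="", namespaces=ns) or "").strip()

    uri = text("t:RegistrationInfo/t:URI")
    user = text("t:Principals/t:Principal/t:UserId")
    command = text("t:Actions/t:Exec/t:Command")
    args = text("t:Actions/t:Exec/t:Arguments")
    exe = basename(command).lower()

    findings = []
    if user.upper() in SYSTEM_IDS:
        findings.append("runs_as_SYSTEM")
    if uri.lower().startswith("\\microsoft\\windows\\ras\\"):
        findings.append("registered_under_Microsoft_Windows_Ras")
    if exe in SCRIPT_HOSTS:
        findings.append(f"script_host_action:{exe}")
    if exe == "msbuild.exe" and args.lower().endswith(PROJECT_EXT):
        findings.append("msbuild_runs_project_file")   # inline-task execution vector
    for node in root.iter(f"{{{NS}}}Interval"):      # repetition = beaconing cadence
        mins = _minutes(node.text)
        if mins is not None and mins <= 60:
            findings.append(f"repeats_every_{mins}_min")
    return findings


# Constructed: modelled on the task described in the report (path of outbound.xml assumed).
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Ras\Outbound</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT60M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2025-04-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe</Command>
    <Arguments>C:\Windows\Tasks\outbound.xml</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed: an ordinary per-user backup task, used as the negative case.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\BackupAgent\Nightly</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-21-1111111111-2222222222-3333333333-1001</UserId></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\BackupAgent\backup.exe</Command><Arguments>--nightly</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        print(name, analyze_task(xml))
```

Any single finding is weak on its own (plenty of legitimate tasks run as `SYSTEM`); the pattern worth alerting on is a task under a Microsoft folder whose action is a script host rather than a signed Microsoft binary, combined with a short repetition interval.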
## Targeting
- **Sectors:** Organizations influencing U.S. policy (Non-profit sector specifically compromised).
- **Geography:** U.S.-based institutions.
- **Victims:** A U.S. non-profit organization involved in U.S. policy influence. (Previous related activity targeted a large U.S. organization with a significant presence in China).
## Tools & Infrastructure
- **Malware families used:** Custom loader (SHA256: f52b86b599d7168d3a41182ccd89165e0d1f2562aa7363e0718d502b7e3fcb69), `sbamres.dll` (malicious sideloaded DLL), MSBuild project file `outbound.xml` (contents unknown).
- **Legitimate Tools Abused:** `schtasks`, `msbuild.exe`, `csc.exe`, `vetysafe.exe`, `Imjpuexc`, `netstat`, `curl`.
- **Infrastructure (C2, domains, IPs):**
- C2 Server: hxxp://38.180.83[.]166/6CDF0FC26CDF0FC2
## Implications
The continued targeting of organizations involved in shaping U.S. policy highlights the strategic intelligence priority these groups place on monitoring foreign governments' attitudes toward China. The sharing of TTPs and tools among groups like Kelp, Space Pirates, and APT41 suggests highly organized and evolving Chinese espionage efforts, complicating attribution efforts. The focus on establishing long-term persistence is a significant risk.
## Mitigations
- Implement stringent patch management for internet-facing services, prioritising the vulnerabilities exploited here (Confluence OGNL injection, Log4j, Apache Struts, GoAhead); all four have had fixes available for years.
- Monitor for the execution of legitimate binaries for unusual purposes, such as using `msbuild.exe` outside of standard development contexts or leveraging legitimate East Asian input tools (`Imjpuexc`).
- Implement detection rules for processes attempting to sideload DLLs using legitimate components (e.g., `vetysafe.exe`).
- Audit scheduled task creation (Security event 4698 or the Microsoft-Windows-TaskScheduler/Operational log), especially tasks running as `SYSTEM` under built-in folders such as `\Microsoft\Windows\Ras\`, and compare their actions against the binaries Microsoft itself registers there.
- Monitor outbound network connections from compilers and build tools such as `csc.exe` and `msbuild.exe`; neither has a legitimate reason to contact external infrastructure.
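The detection points in the mitigations above (and the TTPs they correspond to) can be turned into a small correlation rule set over endpoint telemetry. The script below is an added example, not the report's or any vendor's detection content: it evaluates Sysmon-style process-creation (ID 1), network-connection (ID 3) and image-load (ID 7) records for `msbuild.exe` launched by the Task Scheduler host, `csc.exe` spawned under that `msbuild.exe`, compiler processes connecting outside the internal ranges, the reported C2 address, the `vetysafe.exe`/`sbamres.dll` sideload, and `msascui.exe` running from anywhere other than the Windows Defender directory. All events are constructed; the `203.0.113.10` destination is a TEST-NET address, the `C:\Users\Public` and `SysWOW64` locations and the Defender install directory are assumptions, and the internal-range list is a starting point to tune per environment.

```python
"""Correlate Sysmon-style events against the TTPs in the report.

Added example; not the report's or a vendor's detection logic. All event
records below are constructed for the example, not telemetry from the incident.
"""
import ipaddress
from ntpath import basename, dirname

C2_IPS = {"38.180.83.166"}                          # from the report (defanged there)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SIDELOAD_PAIRS = {"vetysafe.exe": "sbamres.dll"}    # legitimate host -> DLL it was used to sideload
TASK_HOSTS = {"svchost.exe", "taskeng.exe"}         # parents of scheduled-task actions
COMPILERS = {"csc.exe", "msbuild.exe"}
DEFENDER_DIR = r"c:\program files\windows defender" # assumed location of the real MSASCui.exe


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(events):
    """Return (rule, detail) hits; events are processed in time order."""
    hits = []
    task_msbuild_pids = set()                       # msbuild instances started by the scheduler
    for e in events:
        img = (e.get("Image") or "").lower()
        exe = basename(img)
        if e["EventID"] == 1:
            parent = basename((e.get("ParentImage") or "").lower())
            if exe == "msbuild.exe" and parent in TASK_HOSTS:
                task_msbuild_pids.add(e["ProcessId"])
                hits.append(("msbuild_from_scheduled_task", e.get("CommandLine", "")))
            elif exe == "csc.exe" and e.get("ParentProcessId") in task_msbuild_pids:
                hits.append(("csc_under_task_launched_msbuild", img))
            elif exe == "msascui.exe" and dirname(img) != DEFENDER_DIR:
                hits.append(("msascui_outside_defender_dir", img))
        elif e["EventID"] == 3:
            dst = e["DestinationIp"]
            if dst in C2_IPS:
                hits.append(("known_c2_ip", f"{exe} -> {dst}"))
            elif exe in COMPILERS and not is_internal(dst):
                hits.append(("compiler_outbound_connection", f"{exe} -> {dst}"))
        elif e["EventID"] == 7:
            dll = (e.get("ImageLoaded") or "").lower()
            if SIDELOAD_PAIRS.get(exe) == basename(dll) and str(e.get("Signed", "true")).lower() != "true":
                hits.append(("dll_sideload", f"{exe} loaded {dll}"))
    return hits


MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed chain modelled on the report: task -> msbuild -> csc -> C2, sideload, fake msascui.
SUSPECT_EVENTS = [
    {"EventID": 1, "Image": MSBUILD, "ProcessId": 4100, "ParentImage": SVCHOST, "ParentProcessId": 900,
     "CommandLine": r"msbuild.exe C:\Windows\Tasks\outbound.xml"},       # outbound.xml path assumed
    {"EventID": 1, "Image": CSC, "ProcessId": 4200, "ParentImage": MSBUILD, "ParentProcessId": 4100},
    {"EventID": 3, "Image": CSC, "ProcessId": 4200, "DestinationIp": "38.180.83.166", "DestinationPort": 80},
    {"EventID": 3, "Image": MSBUILD, "ProcessId": 4100, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 7, "Image": r"C:\Users\Public\vetysafe.exe", "ImageLoaded": r"C:\Users\Public\sbamres.dll",
     "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\msascui.exe", "ProcessId": 4300,
     "ParentImage": SVCHOST, "ParentProcessId": 900},
]

# Constructed negatives: a developer build and the genuine Defender UI.
BENIGN_EVENTS = [
    {"EventID": 1, "Image": MSBUILD, "ProcessId": 5000, "ParentProcessId": 4900,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"EventID": 1, "Image": CSC, "ProcessId": 5100, "ParentImage": MSBUILD, "ParentProcessId": 5000},
    {"EventID": 3, "Image": CSC, "ProcessId": 5100, "DestinationIp": "10.1.2.3", "DestinationPort": 445},
    {"EventID": 1, "Image": r"C:\Program Files\Windows Defender\MSASCui.exe", "ProcessId": 5200,
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 1200},
]

if __name__ == "__main__":
    for rule, detail in evaluate(SUSPECT_EVENTS):
        print(f"[{rule}] {detail}")
    print("benign hits:", evaluate(BENIGN_EVENTS))
```

The process-lineage rule deliberately keys on the scheduler host as parent rather than on `msbuild.exe` spawning `csc.exe`, because the latter is exactly what a normal build does; the benign developer chain above produces no hits for that reason.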