# Full Report
A China-linked espionage campaign targeted a U.S. non-profit organization engaged in influencing government policy, maintaining weeks of access in April 2025. The intrusion leveraged legitimate binaries for DLL sideloading and persistence, consistent with techniques observed i...
# Analysis Summary
# Threat Actor: APT41 (Suspected Association)
## Attribution & Identity
* **Identification:** China-linked espionage group.
* **Known Aliases and Associations:** The techniques observed in this operation are consistent with APT41, Kelp (Salt Typhoon), and Space Pirates.
## Activity Summary
* **Recent Campaign:** Espionage campaign targeting a U.S. non-profit organization engaged in government policy influence.
* **Timeline:** Access maintained for several weeks, starting in April 2025.
* **Initial Access:** Widespread scanning activity beginning April 5, 2025, exploiting known vulnerabilities. Successful initial intrusion involved exploitation of multiple high-profile vulnerabilities.
## Tactics, Techniques & Procedures
* **Initial Access:** Vulnerability exploitation, specifically targeting:
  * Atlassian Confluence (CVE-2022-26134)
  * Log4j (CVE-2021-44228)
  * Apache Struts (CVE-2017-9805)
  * GoAhead (CVE-2017-17562)
* **Execution & Persistence:**
  * Persistence established via a scheduled task invoking `msbuild.exe` every 60 minutes.
  * The task executed a malicious XML file which loaded code into `csc.exe`.
  * Leveraged legitimate binaries for DLL sideloading and persistence.
* **Defense Evasion/Privilege Escalation:** Used a legitimate VipreAV component (`vetysafe.exe`) to load a malicious DLL (`sbamres.dll`) for DLL sideloading.
* **Discovery/Credential Access:**
  * Internal reconnaissance using `netstat`.
  * Testing network connectivity via `curl` commands.
  * Executed `Imjpuexc.exe` for keyboard input manipulation.
  * Likely used a variant of Dcsync to extract domain credentials.
* **Command and Control (C2):** Communicated with a remote C2 server via the infected `csc.exe` process.
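The execution, persistence, sideloading and C2 behaviours listed above translate into a small set of host-level detections. The following is an added example (not part of the report and not the victim's or any vendor's telemetry) that runs rule logic over constructed Windows event records: a Security 4698 scheduled-task creation, Sysmon process-creation (1), network-connection (3) and image-load (7) events. The field names (`task_content`, `parent_image`, `image_loaded`, `signed`) are an assumed, simplified rendering of those events; the loader/DLL pair and the C2 address are the ones the report names, everything else is constructed.

```python
"""Added example (not from the report): rule logic that flags the execution
and persistence chain described above over constructed Windows event records.
Field names are a simplified, assumed rendering of Security event 4698 and
Sysmon events 1, 3 and 7; adapt them to your SIEM's schema."""
import ntpath
import re

# Loader -> DLL pairs reported in the campaign (DLL sideloading via a VipreAV component).
SIDELOAD_PAIRS = {"vetysafe.exe": {"sbamres.dll"}}
COMMAND_RE = re.compile(r"<Command>([^<]+)</Command>")
INTERVAL_RE = re.compile(r"<Interval>PT(\d+)M</Interval>")

# Constructed sample events; the C2 address is the one listed in the report.
SAMPLE_EVENTS = [
    {"source": "Security", "id": 4698, "host": "WS01",
     "task_name": "\\Microsoft\\Windows\\Update\\Sync",
     "task_content": ("<Exec><Command>C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe"
                      "</Command><Arguments>C:\\ProgramData\\update.xml</Arguments></Exec>"
                      "<Repetition><Interval>PT60M</Interval></Repetition>")},
    {"source": "Sysmon", "id": 1, "host": "WS01",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
     "parent_image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe"},
    {"source": "Sysmon", "id": 7, "host": "WS01",
     "image": "C:\\ProgramData\\vipre\\vetysafe.exe",
     "image_loaded": "C:\\ProgramData\\vipre\\sbamres.dll", "signed": "false"},
    {"source": "Sysmon", "id": 1, "host": "DEV01",  # benign developer build, must not alert
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
     "parent_image": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe"},
    {"source": "Sysmon", "id": 3, "host": "WS01",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
     "dest_ip": "38.180.83.166", "dest_port": 80},
]


def basename(path):
    """Case-insensitive file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def rule_msbuild_task(ev):
    """4698: a scheduled task whose command is msbuild.exe, with its repetition interval."""
    if ev["source"] != "Security" or ev["id"] != 4698:
        return None
    content = ev.get("task_content", "")
    cmd = COMMAND_RE.search(content)
    if not cmd or basename(cmd.group(1)) != "msbuild.exe":
        return None
    interval = INTERVAL_RE.search(content)
    minutes = int(interval.group(1)) if interval else None
    return f"scheduled task {ev['task_name']} runs msbuild.exe every {minutes} min"


def rule_csc_parent(ev):
    """Sysmon 1: csc.exe compiled on behalf of msbuild.exe (inline task code)."""
    if ev["source"] != "Sysmon" or ev["id"] != 1:
        return None
    if basename(ev["image"]) == "csc.exe" and basename(ev["parent_image"]) == "msbuild.exe":
        return "csc.exe spawned by msbuild.exe (inline task compilation)"
    return None


def rule_sideload(ev):
    """Sysmon 7: a known sideload target loads the named DLL and the DLL is unsigned."""
    if ev["source"] != "Sysmon" or ev["id"] != 7:
        return None
    loader, dll = basename(ev["image"]), basename(ev["image_loaded"])
    if dll in SIDELOAD_PAIRS.get(loader, set()) and ev.get("signed", "true") == "false":
        return f"{loader} loaded unsigned {dll} from {ntpath.dirname(ev['image_loaded'])}"
    return None


def rule_csc_network(ev):
    """Sysmon 3: the C# compiler has no business making outbound connections."""
    if ev["source"] != "Sysmon" or ev["id"] != 3:
        return None
    if basename(ev["image"]) == "csc.exe":
        return f"csc.exe made outbound connection to {ev['dest_ip']}:{ev['dest_port']}"
    return None


RULES = [rule_msbuild_task, rule_csc_parent, rule_sideload, rule_csc_network]


def scan(events):
    """Apply every rule to every event; return one alert dict per match."""
    alerts = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append({"rule": rule.__name__, "host": ev["host"], "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The four rules correlate on host, so a single workstation that trips the task, the compiler parent chain and the compiler network connection within one hour is a far stronger signal than any rule alone; the benign `devenv.exe` parent shows why the csc.exe rule keys on the parent image rather than on csc.exe itself.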
## Targeting
* **Sectors:** Non-profit organizations focused on influencing government policy.
* **Geography:** United States (Victim locality).
* **Victims:** A U.S. non-profit organization engaged in influencing government policy.
## Tools & Infrastructure
* **Malware Families Used:** Custom loader (`f52b86b599d7168d3a41182ccd89165e0d1f2562aa7363e0718d502b7e3fcb69`), likely leading to a Remote Access Trojan (RAT).
* **Infrastructure (C2):** `hxxp://38.180.83[.]166/6CDF0FC26CDF0FC2`
## Implications
This operation demonstrates a focus on politically sensitive entities within the US policy ecosystem. The reliance on widely known, but unpatched, critical vulnerabilities (Log4j, Struts, Confluence) indicates a broad initial scanning posture, followed by advanced techniques like DLL sideloading and credential dumping (Dcsync) to ensure sustained, low-profile access.
## Mitigations
* Immediately patch all instances of Atlassian Confluence, Apache Struts, and applications utilizing Log4j libraries.
* Implement robust endpoint and network monitoring to detect unusual scheduled task creation and execution chains involving legitimate binaries (`msbuild.exe`, `csc.exe`).
* Monitor for defense evasion techniques such as DLL Sideloading, specifically watching for legitimate application components loading unknown DLLs.
* Restrict the ability to perform credential dumping techniques such as Dcsync, and monitor for abnormal directory service replication activity indicative of credential theft.
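Abnormal replication activity, as referenced in the last mitigation, is visible in Windows Security event 4662 when the domain object carries a SACL auditing the replication extended rights. The following added example (not from the report) checks constructed 4662 records for the two replication rights a DCSync-style request asks for and flags any requester that is neither a domain controller machine account nor an allowlisted sync account. The extended-right GUIDs are the real DS-Replication-Get-Changes and DS-Replication-Get-Changes-All values; the domain, account names, allowlist and event records are constructed.

```python
"""Added example (not from the report): flag DCSync-style replication requests
in Windows Security event 4662 records. Event 4662 is only generated when the
domain object carries a SACL auditing these access rights. Field names follow
the 4662 event data names; the sample records, DC names and allowlist are constructed."""
import re

# Extended-right GUIDs requested by a DCSync-style replication request.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# Accounts legitimately allowed to replicate: domain controller machine accounts
# and a directory-sync service account (constructed names).
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
AUTHORIZED_REPLICATORS = {"svc_dirsync"}

DOMAIN_OBJECT = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"  # domainDNS class GUID
REPL_PROPERTIES = ("{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")

# Constructed sample 4662 records.
SAMPLE_4662 = [
    # Normal DC-to-DC replication.
    {"SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
     "ObjectType": DOMAIN_OBJECT, "Properties": REPL_PROPERTIES},
    # Allowlisted directory-sync service account.
    {"SubjectDomainName": "CORP", "SubjectUserName": "svc_dirsync",
     "ObjectType": DOMAIN_OBJECT, "Properties": REPL_PROPERTIES},
    # A user account requesting replication rights: the DCSync pattern.
    {"SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectType": DOMAIN_OBJECT, "Properties": REPL_PROPERTIES},
    # Same user reading a user object without replication rights: ignore.
    {"SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",  # user class GUID
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def requested_rights(ev):
    """All GUIDs listed in the event's Properties field, lower-cased."""
    return set(GUID_RE.findall(ev.get("Properties", "").lower()))


def is_dcsync_like(ev):
    """True when a replication right is requested by an account that should not replicate."""
    if not (requested_rights(ev) & REPLICATION_RIGHTS):
        return False
    user = ev["SubjectUserName"]
    return user not in DOMAIN_CONTROLLERS and user not in AUTHORIZED_REPLICATORS


def find_dcsync(events):
    """Return DOMAIN\\user strings for every suspicious replication request."""
    return [f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
            for ev in events if is_dcsync_like(ev)]


if __name__ == "__main__":
    for subject in find_dcsync(SAMPLE_4662):
        print("possible DCSync by", subject)
```

Matching on account names alone is a simplification: a production rule should compare the subject SID against the domain controller computer objects rather than trusting a trailing `$`, and should raise on any new account that appears with replication rights even if it was not previously on the allowlist, since granting those rights is itself a common post-compromise step.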