Full Report
A China-linked threat actor has been attributed to a cyber attack targeting a U.S. non-profit organization, with the aim of establishing long-term persistence, as part of broader activity aimed at U.S. entities linked to or involved in policy issues. The organization, according to a report from Broadcom's Symantec and Carbon Black teams, is "active in attempting to influence U.S. government
Analysis Summary
# Threat Actor: China-linked Threat Actor (Attribution Unconfirmed/Shared Tooling)
## Attribution & Identity
* **Attribution:** China-linked threat actor.
* **Known Aliases and Associated Groups (based on shared tooling):** The activity overlaps in tooling and tradecraft with **Salt Typhoon (aka Earth Estries, Kelp)** and **APT41 (specifically its Earth Longzhi sub-cluster)**. One of the tools (a specific malicious DLL) has also been used by **Space Pirates**. The article stresses that tool sharing among these groups makes definitive attribution difficult.
## Activity Summary
* **Recent Campaign:** A cyber attack targeting a U.S. non-profit organization, active in April 2025.
* **Goal:** To establish long-term, stealthy persistence and potentially gain access to domain controllers to spread laterally within the network.
* **Initial Access:** The attackers appear to have used mass scanning to find and exploit several well-known, long-disclosed vulnerabilities; none of these is a zero-day, and the newest dates from 2022:
* CVE-2022-26134 (Atlassian Confluence Server/Data Center, OGNL injection)
* CVE-2021-44228 (Apache Log4j, "Log4Shell")
* CVE-2017-9805 (Apache Struts 2 REST plugin, XStream deserialization)
* CVE-2017-17562 (GoAhead web server, CGI environment-variable injection)
* **Persistence:** Achieved via a scheduled task that runs every 60 minutes as the high-privileged SYSTEM account and executes `msbuild.exe`, which is used to load and run an unknown payload.
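The persistence pattern above (a timer-driven task running as SYSTEM whose action is `msbuild.exe`) is visible in Windows Security event 4698, which embeds the full task definition as XML. The following detection is an added example, not code from the Symantec/Carbon Black report: it parses the embedded TaskContent and flags tasks that combine all three traits. The event records, the task name and the `.xml` project path are constructed for illustration; the XML follows the Task Scheduler schema that 4698 events carry.

```python
"""Flag Security event 4698 (scheduled task created) records whose task runs as
SYSTEM, repeats on a timer and launches msbuild.exe.

Added example; not code from the Symantec/Carbon Black report. Event records,
task names and the .xml project path below are constructed/hypothetical."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}
# Build/compile binaries that will execute an attacker-supplied project file.
LOLBIN_HOSTS = ("msbuild.exe",)


def iso8601_to_minutes(interval: Optional[str]) -> Optional[int]:
    """Convert a Task Scheduler duration such as PT60M, PT1H or P1D to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", interval or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds // 60


def analyse_task(task_xml: str) -> dict:
    """Pull the security-relevant facts out of a task definition."""
    root = ET.fromstring(task_xml)
    user = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    commands = [(c.text or "").strip().strip('"')
                for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    intervals = [iso8601_to_minutes(i.text)
                 for i in root.findall(".//t:Repetition/t:Interval", NS)]
    return {
        "runs_as_system": user.upper() in SYSTEM_IDS,
        "commands": commands,
        "interval_minutes": [i for i in intervals if i is not None],
    }


def is_lolbin_persistence(task_xml: str) -> bool:
    """True when the task runs as SYSTEM, on a repetition timer, via a build LOLBin."""
    info = analyse_task(task_xml)
    lolbin = any(cmd.lower().endswith(LOLBIN_HOSTS) for cmd in info["commands"])
    return info["runs_as_system"] and lolbin and bool(info["interval_minutes"])


def scan_4698(events: list) -> list:
    """Return the names of newly created tasks that match the persistence pattern."""
    return [e["TaskName"] for e in events
            if e.get("EventID") == 4698 and is_lolbin_persistence(e["TaskContent"])]


# Constructed task definitions (hypothetical names and paths).
SUSPECT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT60M</Interval></Repetition>
    <StartBoundary>2025-04-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe</Command>
    <Arguments>C:\ProgramData\update.xml</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>CORP\jdoe</UserId><LogonType>InteractiveToken</LogonType></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Program Files\ExampleApp\updater.exe</Command></Exec></Actions>
</Task>"""

SAMPLE_4698_EVENTS = [  # constructed records, fields as exported from the Security log
    {"EventID": 4698, "SubjectUserName": "svc-backup", "TaskName": r"\Microsoft\Windows\Update\SyncTask",
     "TaskContent": SUSPECT_TASK_XML},
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": r"\ExampleApp Updater",
     "TaskContent": BENIGN_TASK_XML},
]

if __name__ == "__main__":
    for name in scan_4698(SAMPLE_4698_EVENTS):
        print("suspicious scheduled task:", name)
```

The three traits are checked together on purpose: SYSTEM-owned tasks and hourly repetition are both common in legitimate software, and `msbuild.exe` alone is normal on developer machines, but the combination on a non-build host is rare enough to page on. Any command that is not on the `LOLBIN_HOSTS` tuple is ignored, so extend it with the other build and scripting hosts your environment never schedules.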
## Tactics, Techniques & Procedures
* Exploitation of known, legacy vulnerabilities (**Log4j, Atlassian, Apache Struts**) for initial access.
* Execution of `curl` commands to test internet connectivity.
* Information gathering using built-in Windows tools (`netstat`).
* Establishing persistence via **Scheduled Tasks**.
* Living off the Land (LotL): execution of the legitimate Microsoft build tool **`msbuild.exe`** to run unknown code.
* Code Injection: unknown code was observed being loaded into and injected into **`csc.exe`** (the C# compiler).
* DLL Sideloading using a legitimate Vipre AV component (**`vetysafe.exe`**) to load a malicious DLL (**`sbamres.dll`**).
* Lateral Movement Preparation: Observed interest in targeting **domain controllers**.
* Use of post-exploitation tooling, including **Dcsync** (a credential-replication technique against domain controllers) and **Imjpuexc**.
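The `vetysafe.exe` / `sbamres.dll` pairing above is a textbook sideloading setup: a signed, legitimate host binary is staged somewhere writable and loads a same-named malicious DLL from beside itself. Sysmon Event ID 7 (ImageLoaded) records both the host image and the loaded DLL with signature status, which is enough to catch the two forms this takes. The detector below is an added example, not code from the report; the events are constructed, and the `ExampleAV` install directory is a hypothetical stand-in for wherever the product legitimately lives.

```python
"""Spot DLL sideloading in Sysmon Event ID 7 (ImageLoaded) records: a watched
host binary loading its companion DLL either from outside any install root or
without a valid signature from the host's own directory.

Added example; not code from the Symantec/Carbon Black report. Events are
constructed and the "ExampleAV" directory is hypothetical."""
from pathlib import PureWindowsPath
from typing import Optional

# host executable -> DLL names it is known to sideload
# (vetysafe.exe -> sbamres.dll is from the report; extend from your own telemetry)
SIDELOAD_PAIRS = {"vetysafe.exe": {"sbamres.dll"}}
# Directory trees where installed software is expected to run from.
TRUSTED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")


def under_trusted_root(path: PureWindowsPath) -> bool:
    s = str(path).casefold()
    return any(s.startswith(root.casefold() + "\\") for root in TRUSTED_ROOTS)


def detect_sideload(event: dict) -> Optional[str]:
    """Return a reason string if the load looks like sideloading, else None."""
    if event.get("EventID") != 7:
        return None
    host = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    watched = SIDELOAD_PAIRS.get(host.name.casefold(), set())
    if dll.name.casefold() not in watched:
        return None
    signed_ok = (event.get("Signed", "").lower() == "true"
                 and event.get("SignatureStatus") == "Valid")
    if not under_trusted_root(host):
        return f"{host.name} ran from {host.parent} (outside any install root) and loaded {dll.name}"
    if host.parent == dll.parent and not signed_ok:
        return f"{host.name} loaded unsigned/invalid {dll.name} from its own directory {dll.parent}"
    return None


def scan_image_loads(events) -> list:
    hits = []
    for e in events:
        reason = detect_sideload(e)
        if reason:
            hits.append(reason)
    return hits


SAMPLE_EVENTS = [  # constructed Sysmon Event 7 records
    {   # attacker staged the legitimate AV binary next to the malicious DLL
        "EventID": 7, "Image": r"C:\Users\Public\Libraries\vetysafe.exe",
        "ImageLoaded": r"C:\Users\Public\Libraries\sbamres.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # hypothetical legitimate install: signed DLL from the product directory
        "EventID": 7, "Image": r"C:\Program Files\ExampleAV\vetysafe.exe",
        "ImageLoaded": r"C:\Program Files\ExampleAV\sbamres.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # unrelated, signed system DLL load
        "EventID": 7, "Image": r"C:\Windows\explorer.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # DLL swapped inside the real install directory (writable by mistake)
        "EventID": 7, "Image": r"C:\Program Files\ExampleAV\vetysafe.exe",
        "ImageLoaded": r"C:\Program Files\ExampleAV\sbamres.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for hit in scan_image_loads(SAMPLE_EVENTS):
        print("possible sideload:", hit)
```

The first rule (host running outside an install root) fires regardless of the DLL's signature, because the attacker's copy of the host binary is usually still validly signed; the second rule catches the rarer case where the attacker can write into the product's own directory. Both depend on Sysmon's ImageLoaded event being enabled for the watched host names, which the default configuration does not do for every process.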
## Targeting
* **Sectors:** Non-Profit Organizations (specifically those active in influencing U.S. government policy on international issues).
* **Geography:** United States (U.S. entities).
* **Victims:** Unnamed U.S. non-profit organization.
## Tools & Infrastructure
* **Malware Families Used:** Unknown payload likely a Remote Access Trojan (RAT) executed in memory after being unpacked by a custom loader.
* **DLL Used:** Malicious DLL (`sbamres.dll`) associated with Deed RAT/Snappybee activity in prior incidents.
* **Infrastructure (C2):** `38.180.83[.]166` (defanged)
* **Other Associated C2 (from related Salt Typhoon activity):** `mimosa.gleeze[.]com` (defanged)
## Implications
This actor displays a consistent focus on U.S. entities engaged in policy matters, suggesting a state-sponsored intelligence-gathering mission. The attackers prioritized deep, stealthy, long-term persistence using well-established evasion techniques: DLL sideloading behind a signed AV component and execution through a trusted Microsoft binary (`msbuild.exe`). The interest in domain controllers indicates an objective of broad network compromise rather than exfiltration from a single host. The reliance on vulnerabilities disclosed between 2017 and 2022 suggests that internet-facing systems in the target environment remained unpatched years after fixes were available.
## Mitigations
* Prioritize patching all publicly known vulnerabilities, especially those dating back several years (e.g., Log4j, Struts).
* Monitor for the use of legitimate system utilities being run for malicious purposes (e.g., `msbuild.exe` execution outside normal development cycles).
* Implement strong monitoring and alerting around DLL sideloading attempts, particularly those involving trusted components like AV executables (`vetysafe.exe`).
* Implement detection rules for DCSync: on the wire it is a directory replication request, so alert on Security event 4662 records where a non-domain-controller account exercises the DS-Replication-Get-Changes rights. The technique needs only replication rights on the domain object, not a logon to the domain controller, and it yields every account's password hashes.
* Segment networks to limit lateral movement potential, especially restricting access to domain controllers.
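The DCSync mitigation above is easiest to make concrete against the event it produces: Security event 4662 on the domain controller, whose Properties field lists the control-access rights exercised as schema GUIDs. The hunt below is an added example, not code from the Symantec/Carbon Black report. It keeps only replication rights, drops machine accounts (domain controllers replicate with each other under their `$` accounts) and an allowlist of accounts that legitimately replicate; the events and the `msol_dirsync` allowlist entry are constructed and hypothetical. 4662 is only written when "Audit Directory Service Access" is enabled and the domain object carries a SACL for control access, so check that prerequisite before relying on the rule.

```python
"""Hunt for DCSync in Security event 4662: a directory replication right
exercised by an account that is not a domain controller.

Added example; not code from the Symantec/Carbon Black report. Events and the
allowlist entry are constructed/hypothetical."""
import re
from typing import Optional

# Control-access rights a DCSync request must exercise (Active Directory schema GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Non-DC accounts that legitimately replicate (hypothetical directory-sync service; tune per forest).
ALLOWED_REPLICATORS = {"msol_dirsync"}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def replication_rights_in(properties: str) -> set:
    """Names of replication rights referenced in a 4662 Properties field."""
    found = set()
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name:
            found.add(name)
    return found


def dcsync_reason(event: dict) -> Optional[str]:
    """Return a description of the suspicious replication request, else None."""
    if event.get("EventID") != 4662 or event.get("ObjectServer") != "DS":
        return None
    rights = replication_rights_in(event.get("Properties", ""))
    if not rights:
        return None
    user = event["SubjectUserName"]
    if user.endswith("$"):  # machine accounts: DCs replicate among themselves
        return None
    if user.casefold() in ALLOWED_REPLICATORS:
        return None
    return (f"{event.get('SubjectDomainName', '?')}\\{user} exercised "
            f"{', '.join(sorted(rights))} on {event.get('ObjectName', '?')}")


def hunt_dcsync(events) -> list:
    return [r for r in (dcsync_reason(e) for e in events) if r]


SAMPLE_4662_EVENTS = [  # constructed records; Properties mirrors the log's "Control Access\n\t{guid}" layout
    {"EventID": 4662, "ObjectServer": "DS", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectName": "DC=corp,DC=example", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "ObjectServer": "DS", "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
     "ObjectName": "DC=corp,DC=example", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "ObjectServer": "DS", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectName": "CN=jdoe,OU=Users,DC=corp,DC=example", "AccessMask": "0x10",
     "Properties": "Read Property\n\t{bf967950-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4662, "ObjectServer": "DS", "SubjectDomainName": "CORP", "SubjectUserName": "MSOL_dirsync",
     "ObjectName": "DC=corp,DC=example", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for hit in hunt_dcsync(SAMPLE_4662_EVENTS):
        print("possible DCSync:", hit)
```

The `$` filter is a convenience, not a guarantee: an attacker who has taken over a domain controller's machine account, or who grants replication rights to a machine account they control, passes it. A tighter rule compares the requesting account against the actual list of domain controllers rather than the trailing `$`, and treats any change to the domain object's ACL that adds these rights as its own alert.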