APT41 PRC-linked trade-policy espionage campaign
Campaign
Summary
An ongoing PRC-linked phishing campaign is targeting U.S.-China trade policy and diplomacy organizations, creating a live risk of unauthorized access and data theft across government, legal, think-tank, and business circles. The operation impersonates Rep. John Robert Moolenaar to make malicious emails appear trustworthy. A related January 2025 spear-phishing wave also sought Microsoft 365 credentials and covert data exfiltration. Reporting attributes the activity to APT41 and broader CCP state-backed cyber-espionage.
Related Happenings
TA416 European government espionage campaign
Campaign
First: 01.04.2026 15:05
Last: 01.04.2026 15:05
Sources 1
About this happening:
TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...
Latest development: 03.04.2026 20:34
TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.
TP-Link router password-spraying campaign by Chinese state-sponsored groups
Campaign
First: 09.11.2025 20:14
Last: 09.11.2025 20:14
Sources 1
About this happening:
A **multi-actor password-spraying campaign** has used **compromised TP-Link SOHO routers** as infrastructure to target **Microsoft accounts**, extending the risk of account abuse...
UNK_SmudgedSerpent overlaps with TA453 TA455 and TA450 campaign expands across multiple victims
Campaign
First: 05.11.2025 18:00
Last: 05.11.2025 18:00
Sources 1
About this happening:
**UNK_SmudgedSerpent** is a **previously unknown** campaign that targeted **academics** and **foreign policy experts** focused on **Iran** and related policy issues between **June...
UTA0388 spear-phishing campaign delivering GOVERSHELL
Campaign
First: 09.10.2025 20:19
Last: 09.10.2025 20:19
Sources 1
About this happening:
A **China-aligned** actor, **UTA0388**, is running a **spear-phishing campaign** across **North America, Asia, and Europe** to deliver the **GOVERSHELL** implant. The operation ma...
Phantom Taurus as a China-aligned espionage actor targeting government and telecoms
Threat Actor Meta
First: 30.09.2025 19:07
Last: 30.09.2025 19:07
Sources 1
About this happening:
**Phantom Taurus** has been formally classified by **Palo Alto Networks Unit 42** as a **China-aligned espionage actor** targeting **government agencies, embassies, military opera...
Timeline
- 10.09.2025 12:53 · 1 article
Phishing email impersonates Rep. John Robert Moolenaar to target trade-policy organizations
Exploitation Observed: A phishing message impersonating Rep. John Robert Moolenaar targets trade groups, law firms, and U.S. government agencies with a draft sanctions attachment designed to deploy malware, gather sensitive data, and establish entrenched access to the targeted organizations.
Sources:
- China-Linked APT41 Hackers Target U.S. Trade Officials Amid 2025 Negotiations — thehackernews.com — 10.09.2025 12:53
- 10.09.2025 12:53 · 2 articles
House Select Committee on China warns of ongoing PRC-linked cyber espionage campaigns
Initial Disclosure: The House Select Committee on China issues an advisory warning about an ongoing series of highly targeted cyber espionage campaigns linked to the People's Republic of China amid U.S.–China trade talks, saying the activity seeks to compromise organizations and individuals involved in trade policy and diplomacy, including U.S. government agencies, U.S. business organizations, D.C. law firms, think tanks, and at least one foreign government.
Sources:
- China-Linked APT41 Hackers Target U.S. Trade Officials Amid 2025 Negotiations — thehackernews.com — 10.09.2025 12:53
- China-Linked APT41 Hackers Target U.S. Trade Officials Amid 2025 Negotiations — thehackernews.com — 10.09.2025 12:53