APT41 targets U.S. trade officials with phishing campaigns amid negotiations
Summary
APT41, a China-linked threat group, has been conducting targeted phishing campaigns against U.S. trade officials, law firms, think tanks, and academic organizations. The attacks, impersonating U.S. officials and organizations, aim to steal sensitive data related to U.S.-China trade negotiations. The campaigns have been ongoing since at least January 2025, with a surge in activity observed in July and August 2025. The U.S. House Select Committee on China has issued a formal advisory warning about these activities, linking them to a Beijing-led effort to influence policy deliberations. The FBI is investigating these attacks. The phishing emails impersonate U.S. officials, including Rep. John Robert Moolenaar, and organizations such as the U.S.-China Business Council, to trick recipients into opening malicious attachments or links. The attacks exploit software and cloud services to evade detection and exfiltrate data. The goal is to gain an advantage in trade and foreign policy negotiations. The Chinese embassy has denied the allegations, stating that China opposes cyber attacks and cyber crime. APT41 has been linked to various sophisticated campaigns targeting multiple sectors, including logistics, utility companies, healthcare, high-tech, and telecommunications.
Timeline
- 17.09.2025 15:56 · 1 article · 12d ago
APT41 uses Visual Studio Code remote tunnels for persistent access
The phishing campaigns employ Visual Studio Code remote tunnels to establish persistent backdoor access and harvest system information and directory contents. The data and remote tunnel verification code are sent to a free request logging service in the form of a base64-encoded blob within the body of an HTTP POST request. The campaigns use sophisticated techniques, including obfuscated Python loaders and scheduled tasks, to maintain persistence and evade detection.
Sources:
- Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
- 10.09.2025 12:53 · 3 articles · 19d ago
APT41 targets U.S. trade officials with phishing campaigns amid negotiations
The U.S. House Select Committee on China has issued a formal advisory warning about ongoing phishing campaigns targeting U.S. trade officials, law firms, and think tanks. The campaigns, attributed to APT41, impersonate U.S. officials and organizations to trick recipients into opening malicious attachments or links. The attacks exploit software and cloud services to evade detection and exfiltrate data. The goal is to gain an advantage in trade and foreign policy negotiations. The Chinese embassy has denied the allegations. The FBI is investigating these attacks, and the committee has linked the impersonation attacks to a Beijing-led effort to influence policy deliberations. The activity observed throughout July and August 2025 is likely an effort by Chinese state-sponsored threat actors to facilitate intelligence gathering amid ongoing U.S.-China trade talks.
Sources:
- China-Linked APT41 Hackers Target U.S. Trade Officials Amid 2025 Negotiations — thehackernews.com — 10.09.2025 12:53
- Chinese Hackers Allegedly Pose as US Lawmaker — www.darkreading.com — 10.09.2025 19:44
- Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
Information Snippets
- APT41 is a China-linked threat group known for targeting diverse sectors and geographies.
  First reported: 10.09.2025 12:53 · 2 sources, 3 articles
  - China-Linked APT41 Hackers Target U.S. Trade Officials Amid 2025 Negotiations — thehackernews.com — 10.09.2025 12:53
  - Chinese Hackers Allegedly Pose as US Lawmaker — www.darkreading.com — 10.09.2025 19:44
  - Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
- The phishing campaigns impersonate U.S. officials, including Rep. John Robert Moolenaar.
  First reported: 10.09.2025 12:53 · 2 sources, 3 articles
  - China-Linked APT41 Hackers Target U.S. Trade Officials Amid 2025 Negotiations — thehackernews.com — 10.09.2025 12:53
  - Chinese Hackers Allegedly Pose as US Lawmaker — www.darkreading.com — 10.09.2025 19:44
  - Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
- The attacks target U.S. government agencies, business organizations, law firms, think tanks, and at least one foreign government.
  First reported: 10.09.2025 12:53 · 2 sources, 3 articles
  - China-Linked APT41 Hackers Target U.S. Trade Officials Amid 2025 Negotiations — thehackernews.com — 10.09.2025 12:53
  - Chinese Hackers Allegedly Pose as US Lawmaker — www.darkreading.com — 10.09.2025 19:44
  - Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
- The phishing emails contain malicious attachments or links that deploy malware to steal sensitive data.
  First reported: 10.09.2025 12:53 · 2 sources, 3 articles
  - China-Linked APT41 Hackers Target U.S. Trade Officials Amid 2025 Negotiations — thehackernews.com — 10.09.2025 12:53
  - Chinese Hackers Allegedly Pose as US Lawmaker — www.darkreading.com — 10.09.2025 19:44
  - Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
- The attacks exploit software and cloud services to cover traces and evade detection.
  First reported: 10.09.2025 12:53 · 2 sources, 3 articles
  - China-Linked APT41 Hackers Target U.S. Trade Officials Amid 2025 Negotiations — thehackernews.com — 10.09.2025 12:53
  - Chinese Hackers Allegedly Pose as US Lawmaker — www.darkreading.com — 10.09.2025 19:44
  - Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
- The campaigns have been ongoing since at least January 2025, with a recent surge in September 2025.
  First reported: 10.09.2025 12:53 · 2 sources, 3 articles
  - China-Linked APT41 Hackers Target U.S. Trade Officials Amid 2025 Negotiations — thehackernews.com — 10.09.2025 12:53
  - Chinese Hackers Allegedly Pose as US Lawmaker — www.darkreading.com — 10.09.2025 19:44
  - Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
- The U.S. House Select Committee on China has issued a formal advisory warning about these activities.
  First reported: 10.09.2025 12:53 · 2 sources, 3 articles
  - China-Linked APT41 Hackers Target U.S. Trade Officials Amid 2025 Negotiations — thehackernews.com — 10.09.2025 12:53
  - Chinese Hackers Allegedly Pose as US Lawmaker — www.darkreading.com — 10.09.2025 19:44
  - Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
- The Chinese embassy has denied the allegations, stating that China opposes cyber attacks and cyber crime.
  First reported: 10.09.2025 12:53 · 1 source, 1 article
  - China-Linked APT41 Hackers Target U.S. Trade Officials Amid 2025 Negotiations — thehackernews.com — 10.09.2025 12:53
- The FBI is investigating the phishing attacks attributed to APT41.
  First reported: 10.09.2025 19:44 · 1 source, 1 article
  - Chinese Hackers Allegedly Pose as US Lawmaker — www.darkreading.com — 10.09.2025 19:44
- APT41 has been linked to various sophisticated campaigns targeting logistics, utility companies, healthcare, high-tech, and telecommunications sectors.
  First reported: 10.09.2025 19:44 · 1 source, 1 article
  - Chinese Hackers Allegedly Pose as US Lawmaker — www.darkreading.com — 10.09.2025 19:44
- APT41 has used software supply chain compromises, bootkits, and compromised digital certificates in their operations.
  First reported: 10.09.2025 19:44 · 1 source, 1 article
  - Chinese Hackers Allegedly Pose as US Lawmaker — www.darkreading.com — 10.09.2025 19:44
- APT41 has targeted the video game industry for personal gain, contributing to the development of tactics used in their espionage operations.
  First reported: 10.09.2025 19:44 · 1 source, 1 article
  - Chinese Hackers Allegedly Pose as US Lawmaker — www.darkreading.com — 10.09.2025 19:44
- The U.S. House Select Committee on China has linked the impersonation attacks to a Beijing-led effort to influence policy deliberations.
  First reported: 10.09.2025 19:44 · 2 sources, 2 articles
  - Chinese Hackers Allegedly Pose as US Lawmaker — www.darkreading.com — 10.09.2025 19:44
  - Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
- TA415, a China-aligned threat actor, has been attributed to spear-phishing campaigns targeting U.S. government, think tanks, and academic organizations.
  First reported: 17.09.2025 15:56 · 1 source, 1 article
  - Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
- The campaigns masqueraded as the Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party (CCP) and the U.S.-China Business Council.
  First reported: 17.09.2025 15:56 · 1 source, 1 article
  - Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
- The activity observed throughout July and August 2025 is likely an effort by Chinese state-sponsored threat actors to facilitate intelligence gathering amid ongoing U.S.-China trade talks.
  First reported: 17.09.2025 15:56 · 1 source, 1 article
  - Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
- The hacking group shares overlaps with APT41 and Brass Typhoon (formerly Barium).
  First reported: 17.09.2025 15:56 · 1 source, 1 article
  - Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
- The campaign focused on individuals specializing in international trade, economic policy, and U.S.-China relations.
  First reported: 17.09.2025 15:56 · 1 source, 1 article
  - Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
- The emails were sent using the email address 'uschina@zohomail[.]com' and relied on the Cloudflare WARP VPN service to obfuscate the source of the activity.
  First reported: 17.09.2025 15:56 · 1 source, 1 article
  - Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
- The messages contained links to password-protected archives hosted on public cloud sharing services such as Zoho WorkDrive, Dropbox, and OpenDrive.
  First reported: 17.09.2025 15:56 · 1 source, 1 article
  - Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
- The primary function of the LNK file is to execute a batch script that displays a decoy PDF document while running an obfuscated Python loader named WhirlCoil.
  First reported: 17.09.2025 15:56 · 1 source, 1 article
  - Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
- The Python loader establishes a Visual Studio Code remote tunnel for persistent backdoor access and harvests system information and directory contents.
  First reported: 17.09.2025 15:56 · 1 source, 1 article
  - Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
- The data and remote tunnel verification code are sent to a free request logging service in the form of a base64-encoded blob within the body of an HTTP POST request.
  First reported: 17.09.2025 15:56 · 1 source, 1 article
  - Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts — thehackernews.com — 17.09.2025 15:56
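Detection sketch for the two behaviours the snippets above describe (the loader starting a VS Code remote tunnel, and the base64-encoded POST body sent to a request logging service). This is an added example, not code from the cited reporting; the log records, hostnames and field names are constructed placeholders, and only the `code tunnel` CLI form is a known real artifact.

```python
"""Flag VS Code tunnel launches and base64-only POST bodies in constructed log records."""
import base64
import binascii
import re
from typing import Dict, Iterable, List, Set

# Constructed process-creation records, loosely modelled on EDR telemetry fields.
PROCESS_EVENTS: List[Dict[str, str]] = [
    {"parent": "python.exe", "cmdline": "code tunnel"},  # tunnel started by a script interpreter
    {"parent": "explorer.exe", "cmdline": '"Code.exe" --reuse-window notes.md'},  # ordinary editor use
]

# Constructed web-proxy records; 'body' is the request body as the proxy logged it.
HTTP_EVENTS: List[Dict[str, str]] = [
    {"method": "POST", "host": "requestlog.example",  # placeholder for a free request-logging service
     "body": base64.b64encode(b"host=WS01;dir=C:\\Users\\a\\Documents;code=ABCD-1234").decode()},
    {"method": "POST", "host": "api.internal.example", "body": '{"status":"ok"}'},
]
APPROVED_POST_HOSTS: Set[str] = {"api.internal.example"}  # placeholder allowlist of expected POST targets

# 'code tunnel' (also code.exe / code.cmd) is the VS Code CLI invocation that opens a remote tunnel.
TUNNEL_RE = re.compile(r"\bcode(?:\.exe|\.cmd)?\"?\s+tunnel\b", re.IGNORECASE)
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def flag_vscode_tunnel(events: Iterable[Dict[str, str]]) -> List[str]:
    """One finding per process whose command line starts a VS Code remote tunnel."""
    return [f"vscode-tunnel parent={ev['parent']}" for ev in events if TUNNEL_RE.search(ev["cmdline"])]


def is_base64_blob(body: str, min_len: int = 32) -> bool:
    """True when the whole body is a single decodable base64 string of useful length."""
    if len(body) < min_len or len(body) % 4 or not BASE64_RE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error:
        return False
    return True


def flag_base64_post(events: Iterable[Dict[str, str]], approved: Set[str]) -> List[str]:
    """Hosts that received a base64-only POST body and are not on the allowlist."""
    return [ev["host"] for ev in events
            if ev["method"] == "POST" and ev["host"] not in approved and is_base64_blob(ev["body"])]


if __name__ == "__main__":
    print(flag_vscode_tunnel(PROCESS_EVENTS))
    print(flag_base64_post(HTTP_EVENTS, APPROVED_POST_HOSTS))
```

The allowlist matters more than the base64 heuristic: legitimate SDKs also post opaque blobs, so the rule is only useful once expected POST destinations are enumerated.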
Similar Happenings
RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare
The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. The RaccoonO365 network operated as a phishing-as-a-service (PhaaS) toolkit, marketed to cybercriminals via a subscription model on a private Telegram channel. The group used legitimate tools like Cloudflare Turnstile and Workers scripts to protect their phishing pages, making detection more challenging. The mastermind behind RaccoonO365 is believed to be Joshua Ogundipe, who received over $100,000 in cryptocurrency payments. The group is also suspected to collaborate with Russian-speaking cybercriminals. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.
VoidProxy phishing service targets Microsoft 365, Google accounts
A new phishing-as-a-service (PhaaS) platform, VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party single sign-on (SSO) providers like Okta. The platform uses adversary-in-the-middle (AitM) tactics to steal credentials, multi-factor authentication (MFA) codes, and session cookies in real time. The attack begins with emails from compromised accounts at email service providers, which include shortened links redirecting recipients to phishing sites. The phishing sites are hosted on disposable low-cost domains and protected by Cloudflare to hide their real IPs. VoidProxy's attack flow involves serving a Cloudflare CAPTCHA challenge, filtering traffic, and presenting phishing pages that mimic Microsoft or Google login screens. Federated accounts using Okta for SSO are redirected to a second-stage phishing page impersonating Microsoft 365 or Google SSO flows. The service's proxy server captures usernames, passwords, and MFA codes in transit, and intercepts session cookies for attackers. Okta Threat Intelligence researchers discovered the platform and noted that users with phishing-resistant authenticators like Okta FastPass were protected from these attacks.
EggStreme Fileless Malware Used in Philippine Military Breach
A Chinese APT group has breached a Philippine military company using a previously undocumented fileless malware framework called EggStreme. The malware framework facilitates persistent, low-profile espionage through memory injection and DLL sideloading. The attack began in early 2024 and includes extensive system reconnaissance, lateral movement, and data theft. The EggStreme framework comprises multiple components: EggStremeFuel, EggStremeLoader, EggStremeReflectiveLoader, and EggStremeAgent. The core component, EggStremeAgent, acts as a backdoor enabling system reconnaissance, lateral movement, and data theft via an injected keylogger. The attack aligns with Chinese APT objectives, targeting the Philippines amid geopolitical tensions in the South China Sea.
SectopRAT and Betruger Malware Linked to Play, RansomHub, and DragonForce Ransomware Operations
A September 2024 intrusion involved SectopRAT and Betruger malware, linked to Play, RansomHub, and DragonForce ransomware operations. The attack began with a malicious file disguised as DeskSoft's EarthTime application, which deployed SectopRAT malware and led to extensive reconnaissance, credential theft, and data exfiltration. The threat actor established persistence, created an admin account, and used various tools for reconnaissance and credential theft, then deployed SystemBC, Betruger, and other tools to facilitate their operations. The final goal was ransomware deployment, but no encryption occurred; data was archived and exfiltrated via FTP. The threat actor used multiple defense evasion techniques, including process injection, timestomping, and disabling security features. The tools used in the attack link the threat actor to Play, RansomHub, and DragonForce ransomware operations.
GPUGate Malware Campaign Targets IT Firms in Western Europe
A sophisticated malware campaign, codenamed GPUGate, targets IT and software development companies in Western Europe, with recent expansions to macOS users. The campaign leverages Google Ads, SEO poisoning, and fake GitHub commits to deliver malware, including the Atomic macOS Stealer (AMOS). The attack began in December 2024 and uses a 128 MB Microsoft Software Installer (MSI) to evade detection. The malware employs GPU-gated decryption and various techniques to avoid analysis and detection. The end goal is information theft and delivery of secondary payloads. The threat actors have native Russian language proficiency and use a cross-platform approach. The campaign has expanded to target macOS users through fake GitHub repositories. These repositories impersonate popular tools and use SEO poisoning to distribute the Atomic Stealer malware. The threat actors use multiple GitHub usernames to evade takedowns and deploy malware via Terminal commands. Similar tactics have been observed in previous campaigns using malicious Google Ads and public GitHub repositories. The AMOS malware now includes a backdoor component for persistent, stealthy access to compromised systems. The campaign impersonates over 100 software solutions, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025.