CyberHappenings logo

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

APT41 targets U.S. trade officials with phishing campaigns amid negotiations

First reported
Last updated
2 unique sources, 3 articles

Summary

Hide ▲

APT41, a China-linked threat group, has been conducting targeted phishing campaigns against U.S. trade officials, law firms, think tanks, and academic organizations. The attacks, impersonating U.S. officials and organizations, aim to steal sensitive data related to U.S.-China trade negotiations. The campaigns have been ongoing since at least January 2025, with a surge in activity observed in July and August 2025. The U.S. House Select Committee on China has issued a formal advisory warning about these activities, linking them to a Beijing-led effort to influence policy deliberations. The FBI is investigating these attacks. The phishing emails impersonate U.S. officials, including Rep. John Robert Moolenaar, and organizations such as the U.S.-China Business Council, to trick recipients into opening malicious attachments or links. The attacks exploit software and cloud services to evade detection and exfiltrate data. The goal is to gain an advantage in trade and foreign policy negotiations. The Chinese embassy has denied the allegations, stating that China opposes cyber attacks and cyber crime. APT41 has been linked to various sophisticated campaigns targeting multiple sectors, including logistics, utility companies, healthcare, high-tech, and telecommunications.

Timeline

  1. 17.09.2025 15:56 1 articles · 12d ago

    APT41 uses Visual Studio Code remote tunnels for persistent access

    The phishing campaigns employ Visual Studio Code remote tunnels to establish persistent backdoor access and harvest system information and directory contents. The data and remote tunnel verification code are sent to a free request logging service in the form of a base64-encoded blob within the body of an HTTP POST request. The campaigns use sophisticated techniques, including obfuscated Python loaders and scheduled tasks, to maintain persistence and evade detection.

    Show sources
  2. 10.09.2025 12:53 3 articles · 19d ago

    APT41 targets U.S. trade officials with phishing campaigns amid negotiations

    The U.S. House Select Committee on China has issued a formal advisory warning about ongoing phishing campaigns targeting U.S. trade officials, law firms, and think tanks. The campaigns, attributed to APT41, impersonate U.S. officials and organizations to trick recipients into opening malicious attachments or links. The attacks exploit software and cloud services to evade detection and exfiltrate data. The goal is to gain an advantage in trade and foreign policy negotiations. The Chinese embassy has denied the allegations. The FBI is investigating these attacks, and the committee has linked the impersonation attacks to a Beijing-led effort to influence policy deliberations. The activity observed throughout July and August 2025 is likely an effort by Chinese state-sponsored threat actors to facilitate intelligence gathering amid ongoing U.S.-China trade talks.

    Show sources

Information Snippets

Similar Happenings

RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare

The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. The RaccoonO365 network operated as a phishing-as-a-service (PhaaS) toolkit, marketed to cybercriminals via a subscription model on a private Telegram channel. The group used legitimate tools like Cloudflare Turnstile and Workers scripts to protect their phishing pages, making detection more challenging. The mastermind behind RaccoonO365 is believed to be Joshua Ogundipe, who received over $100,000 in cryptocurrency payments. The group is also suspected to collaborate with Russian-speaking cybercriminals. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.

VoidProxy phishing service targets Microsoft 365, Google accounts

A new phishing-as-a-service (PhaaS) platform, VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party single sign-on (SSO) providers like Okta. The platform uses adversary-in-the-middle (AitM) tactics to steal credentials, multi-factor authentication (MFA) codes, and session cookies in real time. The attack begins with emails from compromised accounts at email service providers, which include shortened links redirecting recipients to phishing sites. The phishing sites are hosted on disposable low-cost domains and protected by Cloudflare to hide their real IPs. VoidProxy's attack flow involves serving a Cloudflare CAPTCHA challenge, filtering traffic, and presenting phishing pages that mimic Microsoft or Google login screens. Federated accounts using Okta for SSO are redirected to a second-stage phishing page impersonating Microsoft 365 or Google SSO flows. The service's proxy server captures usernames, passwords, and MFA codes in transit, and intercepts session cookies for attackers. Okta Threat Intelligence researchers discovered the platform and noted that users with phishing-resistant authentications like Okta FastPass were protected from these attacks.

EggStreme Fileless Malware Used in Philippine Military Breach

A Chinese APT group has breached a Philippine military company using a previously undocumented fileless malware framework called EggStreme. The malware framework facilitates persistent, low-profile espionage through memory injection and DLL sideloading. The attack began in early 2024 and includes extensive system reconnaissance, lateral movement, and data theft. The EggStreme framework comprises multiple components: EggStremeFuel, EggStremeLoader, EggStremeReflectiveLoader, and EggStremeAgent. The core component, EggStremeAgent, acts as a backdoor enabling system reconnaissance, lateral movement, and data theft via an injected keylogger. The attack aligns with Chinese APT objectives, targeting the Philippines amid geopolitical tensions in the South China Sea.

SectopRAT and Betruger Malware Linked to Play, RansomHub, and DragonForce Ransomware Operations

A September 2024 intrusion involved SectopRAT and Betruger malware, linked to Play, RansomHub, and DragonForce ransomware operations. The attack began with a malicious EarthTime executable, leading to extensive reconnaissance, credential theft, and data exfiltration. The threat actor used multiple tools and techniques to evade detection and prepare for ransomware deployment. The attack started with a malicious file disguised as DeskSoft’s EarthTime application, deploying SectopRAT malware. The threat actor established persistence, created an admin account, and used various tools for reconnaissance and credential theft. They deployed SystemBC, Betruger, and other tools to facilitate their operations. The final goal was ransomware deployment, but no encryption occurred; data was archived and exfiltrated via FTP. The threat actor used multiple defense evasion techniques, including process injection, timestomping, and disabling security features. The tools used in the attack link the threat actor to Play, RansomHub, and DragonForce ransomware operations.

GPUGate Malware Campaign Targets IT Firms in Western Europe

A sophisticated malware campaign, codenamed GPUGate, targets IT and software development companies in Western Europe, with recent expansions to macOS users. The campaign leverages Google Ads, SEO poisoning, and fake GitHub commits to deliver malware, including the Atomic macOS Stealer (AMOS). The attack began in December 2024 and uses a 128 MB Microsoft Software Installer (MSI) to evade detection. The malware employs GPU-gated decryption and various techniques to avoid analysis and detection. The end goal is information theft and delivery of secondary payloads. The threat actors have native Russian language proficiency and use a cross-platform approach. The campaign has expanded to target macOS users through fake GitHub repositories. These repositories impersonate popular tools and use SEO poisoning to distribute the Atomic Stealer malware. The threat actors use multiple GitHub usernames to evade takedowns and deploy malware via Terminal commands. Similar tactics have been observed in previous campaigns using malicious Google Ads and public GitHub repositories. The AMOS malware now includes a backdoor component for persistent, stealthy access to compromised systems. The campaign impersonates over 100 software solutions, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025.