TA415 phishing campaign targeting US policy entities
Campaign
Summary
The TA415 phishing campaign targeted US government, think tank, and academic organizations in July and August 2025, raising the risk of persistent remote access to sensitive policy-related environments. Instead of conventional malware, the operation relied on emails impersonating trusted organizations and individuals and on a VS Code remote tunnel to reach compromised systems. The activity matters because, once the tunnel was established, the attackers could remotely access victims and execute commands.
Related Happenings
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
APT28 SOHO router DNS hijacking and credential theft campaign
Campaign
First: 07.04.2026 18:30
Last: 07.04.2026 18:30
Sources 1
About this happening:
**APT28** is running **two malicious campaigns** that abuse **vulnerable SOHO routers** and attacker-controlled **DNS/VPS infrastructure** to reroute traffic and steal credentials...
Latest development: 08.04.2026 13:03
On April 7, 2026, the US Department of Justice and the FBI said they neutralized the US portion of APT28’s DNS hijacking network, which spanned more than 23 US states and used compromised SOHO routers, especially TP-Link routers, to redirect traffic through attacker-controlled DNS servers and steal credentials from targeted organizations. The FBI said it was working with ISPs to notify affected users, and court-authorized remediation steps can reset router DNS settings, remove APT28-installed resolvers, and prevent further abuse of the original access path.
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
Tycoon2FA phishing campaign resumes after takedown
Campaign
First: 23.03.2026 18:05
Last: 23.03.2026 18:05
Sources 1
About this happening:
**Tycoon2FA** has resumed a **broad phishing campaign** after a **major takedown**, and it is again **compromising email accounts** while **bypassing MFA**. The operation uses **a...
Russian state-sponsored hackers' ongoing Signal and WhatsApp phishing campaign
Campaign
First: 09.03.2026 23:24
Last: 09.03.2026 23:24
Sources 1
About this happening:
An **ongoing Russian state-sponsored phishing campaign** is targeting **Signal** and **WhatsApp** users, with the **UK NCSC** warning on **March 31** that **Russia-based actors**...
Timeline
17.09.2025 15:59 · 2 articles
TA415 phishing campaign targets US policy organizations
Initial Disclosure: Proofpoint attributes a phishing campaign observed in July and August 2025 to TA415, a Chinese state-sponsored group also known as APT41, and says the targets included US government, think tank, and academic organizations focused on US-China relations and trade. The initial lures spoofed the US-China Business Council and later impersonated John Moolenaar. The intrusion chain used password-protected archives containing an LNK file, a batch script, and a decoy PDF hosted on OneDrive; it then downloaded the VS Code Command Line Interface (CLI) from Microsoft servers, created a scheduled task for persistence, and established a GitHub-authenticated VS Code remote tunnel for remote access and command execution.
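A defender-side hunt for the persistence pattern described above: the VS Code CLI started with its `tunnel` subcommand from a user-writable path and persisted through a scheduled task. This is an added example, not code from the page or from Proofpoint's report; the process-creation records, their field layout, and all file paths are constructed assumptions.

```python
"""Hunt for VS Code CLI tunnel persistence in process-creation telemetry."""
import re

# Constructed sample telemetry (not real victim data): (parent_image, image, command_line)
SAMPLE_EVENTS = [
    ("explorer.exe", "cmd.exe", r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\run.bat"'),
    ("cmd.exe", "schtasks.exe",
     r'schtasks /create /tn Updater /sc minute /mo 5 '
     r'/tr "C:\Users\u\AppData\Local\Temp\code.exe tunnel"'),
    ("svchost.exe", "code.exe", r'C:\Users\u\AppData\Local\Temp\code.exe tunnel'),
    # Benign: the installed editor opening a file, no tunnel subcommand
    ("explorer.exe", "Code.exe", r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\proj\main.py'),
]

# `code tunnel` / `code.exe tunnel`, optionally with a closing quote after the binary
TUNNEL_RE = re.compile(r'\bcode(?:\.exe)?["\']?\s+tunnel\b', re.IGNORECASE)
# Locations a normal VS Code install does not live in (assumed list, extend to taste)
USER_WRITABLE_RE = re.compile(
    r'\\(?:Users\\[^\\]+\\(?:AppData|Downloads)|ProgramData|Windows\\Temp)\\', re.IGNORECASE)


def classify(parent, image, cmdline):
    """Return the findings raised by one process-creation record (empty list if none)."""
    findings = []
    if TUNNEL_RE.search(cmdline):
        findings.append("vscode_tunnel_start")
        if USER_WRITABLE_RE.search(cmdline):
            findings.append("cli_in_user_writable_path")
        # Scheduled task whose action launches the tunnel: the persistence step in the chain
        if image.lower() == "schtasks.exe" and "/create" in cmdline.lower():
            findings.append("scheduled_task_persists_tunnel")
    return findings


def hunt(events):
    """Run classify() over telemetry and keep only the records with findings."""
    hits = []
    for parent, image, cmd in events:
        findings = classify(parent, image, cmd)
        if findings:
            hits.append({"parent": parent, "image": image, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['parent']} -> {hit['image']}: {', '.join(hit['findings'])}")
```

In practice the same logic applies to Sysmon Event ID 1 or EDR process-creation records; a legitimate developer using remote tunnels will trip the first finding, so the scheduled-task and user-writable-path findings are what separate this chain from ordinary use.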
- Details Emerge on Chinese Hacking Operation Impersonating US Lawmaker — www.securityweek.com — 17.09.2025 15:59