China-linked persistent-access campaign against U.S. policy-linked entities
Campaign
Summary
China-linked operators maintained weeks-long access to a U.S. non-profit and used that foothold to pursue long-term persistence; the disclosure places the activity within broader targeting of U.S. policy-linked entities. The intrusion began with mass scanning against exposed servers and progressed to scheduled-task persistence, msbuild.exe abuse, and a C2 connection to 38.180.83[.]166.
Related Happenings
SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets
Campaign
First: 01.05.2026 17:02
Last: 01.05.2026 17:02
Sources 1
About this happening:
**SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...
Phantom Taurus as a China-aligned espionage actor targeting government and telecoms
Threat Actor Meta
First: 30.09.2025 19:07
Last: 30.09.2025 19:07
Sources 1
About this happening:
**Phantom Taurus** has been formally classified by **Palo Alto Networks Unit 42** as a **China-aligned espionage actor** targeting **government agencies, embassies, military opera...
Phantom Taurus Operation Diplomatic Specter espionage campaign
Campaign
First: 30.09.2025 19:07
Last: 30.09.2025 19:07
Sources 1
About this happening:
The **Phantom Taurus** campaign, also tracked as **CL-STA-0043** and **TGR-STA-0043** under **Operation Diplomatic Specter**, is a **China-linked espionage operation** targeting *...
Genesis Panda high-volume cloud espionage campaign
Campaign
First: 22.08.2025 14:06
Last: 22.08.2025 14:06
Sources 1
About this happening:
The **Genesis Panda** campaign is active across **11 countries**, targeting **financial services, media, telecommunications, and technology** organizations for intelligence collec...
UAT-7237 Taiwan web infrastructure targeting campaign using customized open-source tooling
Campaign
First: 15.08.2025 19:20
Last: 15.08.2025 19:20
Sources 1
About this happening:
The **UAT-7237** campaign targeted **web infrastructure entities in Taiwan** with customized open-source tooling to establish **long-term access** in high-value environments. The...
Timeline
- 07.11.2025 18:07 · 1 article · 6mo ago
Mass scanning targets the U.S. non-profit organization
Detection / IoC update: A China-linked threat actor began mass scanning a server tied to the affected U.S. non-profit organization, using public exploits associated with CVE-2022-26134, CVE-2021-44228, CVE-2017-9805, and CVE-2017-17562 to probe for accessible services and possible footholds.
Sources:
- From Log4j to IIS, China’s Hackers Turn Legacy Bugs into Global Espionage Tools — thehackernews.com — 07.11.2025 18:07
- 07.11.2025 18:07 · 1 article · 6mo ago
Persistence and tooling activity on the compromised host
Exploitation observed: On April 16, the operators ran curl to test internet connectivity and used netstat to collect network configuration information before establishing persistence with scheduled tasks. The activity included a task that launched msbuild.exe, a second high-privileged SYSTEM task that loaded code into csc.exe to reach 38.180.83[.]166, and the use of vetysafe.exe to sideload sbamres.dll, alongside DCSync and Imjpuexc on the targeted network.
Sources:
- From Log4j to IIS, China’s Hackers Turn Legacy Bugs into Global Espionage Tools — thehackernews.com — 07.11.2025 18:07
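The behaviours in this entry (a scheduled task whose action is a .NET build tool, msbuild.exe or csc.exe started by the Task Scheduler host as SYSTEM, a build tool opening a network connection to the reported C2 address, and an unsigned DLL loaded from its host executable's own directory) map onto a small set of host-telemetry checks. The following is an added example written for this page, not code from the Symantec/Carbon Black report; the event field names (`event`, `image`, `parent`, `user`, `cmdline`, `dest_ip`, `loaded`, `signed`) mimic Sysmon-style process, network and image-load records but are assumptions, and every sample event below is constructed.

```python
"""Detection sketch for the scheduled-task / msbuild.exe / csc.exe / sideload chain.

Added example; field layout is an assumed Sysmon-like schema, sample events are constructed.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

C2_IP = "38.180.83.166"                      # de-fanged in the report as 38.180.83[.]166
BUILD_TOOLS = {"msbuild.exe", "csc.exe"}     # .NET build binaries abused as living-off-the-land tools
TASK_HOSTS = {"svchost.exe", "taskeng.exe"}  # processes that launch Task Scheduler actions
WINDOWS_DIR = "c:\\windows"                  # DLLs loaded from here are not sideload candidates


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for empty input)."""
    return PureWindowsPath(path).name.lower()


def parent_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def check_event(ev: dict) -> list[str]:
    """Return the names of every detection rule the event triggers."""
    findings: list[str] = []
    kind = ev.get("event")
    image = basename(ev.get("image", ""))

    if kind == "process_create":
        cmd = ev.get("cmdline", "").lower()
        # Rule 1: schtasks.exe creating a task whose action is a .NET build tool
        if image == "schtasks.exe" and "/create" in cmd and any(t in cmd for t in BUILD_TOOLS):
            findings.append("scheduled_task_runs_build_tool")
        # Rule 2: msbuild/csc started by the Task Scheduler host as SYSTEM
        parent = basename(ev.get("parent", ""))
        runs_as_system = ev.get("user", "").upper().endswith("\\SYSTEM")
        if image in BUILD_TOOLS and parent in TASK_HOSTS and runs_as_system:
            findings.append("build_tool_launched_by_task_as_system")

    elif kind == "network_connect":
        # Rule 3: build tools have no business opening outbound connections
        if image in BUILD_TOOLS:
            findings.append("build_tool_network_connection")
            if ev.get("dest_ip") == C2_IP:
                findings.append("known_c2_address")

    elif kind == "image_load":
        # Rule 4: unsigned DLL loaded from the host executable's own directory, outside Windows
        loaded = ev.get("loaded", "")
        same_dir = parent_dir(loaded) == parent_dir(ev.get("image", ""))
        outside_windows = not parent_dir(loaded).startswith(WINDOWS_DIR)
        if same_dir and outside_windows and not ev.get("signed", True):
            findings.append("possible_dll_sideload")

    return findings


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every rule over a list of events; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry (hypothetical paths and users, not data from the report)
SAMPLE_EVENTS = [
    {"event": "process_create", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\curl.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "curl https://www.example.com"},
    {"event": "process_create", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\schtasks.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "schtasks /create /tn Updater /sc minute /mo 30 "
                "/tr \"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\Users\\Public\\t.xml\""},
    {"event": "process_create", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe",
     "parent": "C:\\Windows\\System32\\svchost.exe", "cmdline": "msbuild.exe C:\\Users\\Public\\t.xml"},
    {"event": "network_connect", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
     "dest_ip": "38.180.83.166", "dest_port": 443},
    {"event": "image_load", "user": "CORP\\jsmith", "image": "C:\\Users\\Public\\vetysafe.exe",
     "loaded": "C:\\Users\\Public\\sbamres.dll", "signed": False},
    # Benign developer activity: csc.exe spawned by the IDE, not by the task host
    {"event": "process_create", "user": "CORP\\dev", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
     "parent": "C:\\Program Files\\IDE\\devenv.exe", "cmdline": "csc.exe /out:app.exe Program.cs"},
    # Benign image load: signed system DLL from the Windows directory
    {"event": "image_load", "user": "CORP\\dev", "image": "C:\\Program Files\\App\\app.exe",
     "loaded": "C:\\Windows\\System32\\kernel32.dll", "signed": True},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Running the module lists the four malicious events and stays silent on the two benign ones; the curl connectivity test is deliberately left unflagged, since on its own it is too common to alert on and is better used as corroborating context once another rule fires. Rule 2 keys on the Task Scheduler host as parent because a scheduled action started by the Schedule service normally appears under svchost.exe, which separates it from the same binary launched interactively by a developer.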
- 07.11.2025 18:07 · 2 articles · 6mo ago
Broadcom discloses the China-linked campaign against the U.S. non-profit organization
Initial disclosure: Broadcom's Symantec and Carbon Black teams publicly attributed the intrusion to a China-linked threat actor targeting a U.S. non-profit organization active in U.S. policy issues and said the attackers maintained access for several weeks in April 2025. The disclosure framed the activity as part of broader targeting of U.S. entities linked to policy issues and emphasized persistent, stealthy access with interest in domain controllers.
Sources:
- From Log4j to IIS, China’s Hackers Turn Legacy Bugs into Global Espionage Tools — thehackernews.com — 07.11.2025 18:07