China-Linked Threat Actor Targets U.S. Non-Profit with Legacy Exploits
Summary
A China-linked threat actor targeted a U.S. non-profit organization in April 2025, leveraging multiple legacy vulnerabilities to gain persistent access. The attackers used exploits like CVE-2022-26134, CVE-2021-44228, and others to establish a foothold, then employed scheduled tasks and legitimate binaries to maintain persistence and communicate with a command-and-control server. The activity aligns with broader Chinese espionage efforts against U.S. entities involved in policy issues.
Timeline
- 07.11.2025 18:07 · 1 article
China-Linked Threat Actor Targets U.S. Non-Profit with Legacy Exploits
In April 2025, a China-linked threat actor targeted a U.S. non-profit organization using multiple legacy vulnerabilities to gain persistent access. The attackers leveraged exploits like CVE-2022-26134 and CVE-2021-44228 to establish a foothold, then used scheduled tasks and legitimate binaries to maintain persistence and communicate with a command-and-control server. The activity aligns with broader Chinese espionage efforts against U.S. entities involved in policy issues.
Sources:
- From Log4j to IIS, China’s Hackers Turn Legacy Bugs into Global Espionage Tools — thehackernews.com — 07.11.2025 18:07
Information Snippets
- The attack began on April 5, 2025, with mass scanning efforts using exploits like CVE-2022-26134 (Atlassian), CVE-2021-44228 (Apache Log4j), and others.
  First reported: 07.11.2025 18:07 · 1 source, 1 article · Source: From Log4j to IIS, China’s Hackers Turn Legacy Bugs into Global Espionage Tools — thehackernews.com — 07.11.2025 18:07
- On April 16, 2025, the attackers executed curl commands and netstat to test connectivity and gather network information.
  First reported: 07.11.2025 18:07 · 1 source, 1 article · Source: From Log4j to IIS, China’s Hackers Turn Legacy Bugs into Global Espionage Tools — thehackernews.com — 07.11.2025 18:07
- The attackers set up persistence using scheduled tasks to execute msbuild.exe and csc.exe, communicating with a C2 server at 38.180.83[.]166.
  First reported: 07.11.2025 18:07 · 1 source, 1 article · Source: From Log4j to IIS, China’s Hackers Turn Legacy Bugs into Global Espionage Tools — thehackernews.com — 07.11.2025 18:07
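The persistence technique in the snippet above (scheduled tasks launching msbuild.exe or csc.exe) is something a defender can hunt for in Windows Security event 4698, "A scheduled task was created", whose TaskContent field carries the task's XML definition. The following is an added detection example, not code from the cited article or this aggregator; it assumes events are supplied as dicts with the 4698 fields TaskName, SubjectUserName and TaskContent, and the sample events are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used inside the TaskContent field of event 4698
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"t": TASK_NS}
# Living-off-the-land binaries named in the report as scheduled-task payloads
LOLBINS = {"msbuild.exe", "csc.exe"}

def exec_actions(task_xml):
    """Return (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((cmd, args))
    return actions

def flag_task(event):
    """Return a finding if a 4698 event registers a task that runs msbuild.exe or csc.exe."""
    for cmd, args in exec_actions(event["TaskContent"]):
        binary = re.split(r"[\\/]", cmd.strip('"'))[-1].lower()  # basename, case-insensitive
        if binary in LOLBINS:
            return {"task": event["TaskName"], "user": event["SubjectUserName"],
                    "binary": binary, "args": args}
    return None

def scan_events(events):
    """Run flag_task over a batch of 4698 events and keep only the hits."""
    return [f for f in (flag_task(e) for e in events) if f]

def task_xml(command, arguments):
    """Build a minimal TaskContent document (helper for the constructed samples)."""
    return (f'<Task version="1.2" xmlns="{TASK_NS}"><Actions Context="Author"><Exec>'
            f'<Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions></Task>')

# Constructed sample events (not real telemetry): one routine backup task, one msbuild task
SAMPLE_EVENTS = [
    {"TaskName": r"\Microsoft\Windows\Backup\NightlyCopy", "SubjectUserName": "svc_backup",
     "TaskContent": task_xml(r"C:\Windows\System32\robocopy.exe", r"D:\data \\nas\share /MIR")},
    {"TaskName": r"\Updater", "SubjectUserName": "webadmin",
     "TaskContent": task_xml(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
                             r"C:\ProgramData\update.proj")},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the same logic would be fed from the event log or a SIEM export, and hits should be triaged against the host's normal build tooling before alerting.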
- The attackers used a DLL loader (sbamres.dll) previously linked to Chinese threat groups like Space Pirates and Salt Typhoon.
  First reported: 07.11.2025 18:07 · 1 source, 1 article · Source: From Log4j to IIS, China’s Hackers Turn Legacy Bugs into Global Espionage Tools — thehackernews.com — 07.11.2025 18:07
- The attackers targeted domain controllers, aiming to spread across the network.
  First reported: 07.11.2025 18:07 · 1 source, 1 article · Source: From Log4j to IIS, China’s Hackers Turn Legacy Bugs into Global Espionage Tools — thehackernews.com — 07.11.2025 18:07