China-linked APT41 targets government, think tanks, and academics tied to US-China trade and policy
The China-linked cyber-espionage group APT41 impersonated a U.S. lawmaker in phishing attacks between July and August 2025 against government agencies, think tanks, and academics tied to U.S.-China trade and policy. The attacks used fake draft legislation to lure targets into downloading malicious files that install malware for remote access and intelligence collection. Published 2025-09-17 20:26:57, source: securityaffairs.com

Pierluigi Paganini September 17, 2025

China-linked group APT41 impersonated a U.S. lawmaker in phishing attacks on government, think tanks, and academics tied to US-China trade and policy.

Proofpoint observed China-linked cyber espionage group APT41 impersonating a U.S. lawmaker in a phishing campaign targeting government, think tanks, and academics tied to U.S.-China trade and policy.

APT41, also tracked as Amoeba, BARIUM, BRONZE ATLAS, BRONZE EXPORT, Blackfly, Brass Typhoon, Earth Baku, G0044, G0096, Grayfly, HOODOO, LEAD, Red Kelpie, TA415, WICKED PANDA and WICKED SPIDER, operates out of China with likely ties to the government. It is known for complex campaigns against a wide variety of sectors, with motivations ranging from the exfiltration of sensitive data to financial gain.

“Throughout July and August 2025, TA415 conducted spearphishing campaigns targeting United States government, think tank, and academic organizations utilizing U.S.-China economic-themed lures.” reads the report published by Proofpoint. “In this activity, the group masqueraded as the current Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party (CCP), as well as the US-China Business Council, to target a range of individuals and organizations predominantly focused on U.S.-China relations, trade, and economic policy.”

In recent campaigns TA415 has used VS Code Remote Tunnels, together with legitimate services such as Google Sheets and Google Calendar, to obtain persistent remote access. Because the resulting traffic goes to legitimate services, it blends with normal activity and is hard to distinguish from ordinary developer or office use. The operations aim to collect intelligence on U.S.-China economic relations amid ongoing trade negotiations, consistent with TA415's focus on monitoring policy and economic developments.

In July and August 2025, TA415 sent phishing emails impersonating U.S. Representative John Moolenaar, Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party. The emails were crafted from open-source information and asked targets to review a fake draft of legislation on sanctions against China. They linked to password-protected files hosted on cloud services such as Zoho and Dropbox, and the group hid the origin of its activity behind Cloudflare WARP VPN.

The password-protected archive contains an LNK file that runs logon.bat from a hidden folder named MACOS and opens a corrupt PDF as a decoy. The batch script launches an embedded Python loader, tracked as WhirlCoil, via pythonw.exe so that no console window appears. WhirlCoil installs the VS Code CLI to %LOCALAPPDATA%\Microsoft\VSCode, checks whether it has administrative rights, and creates a scheduled task (named, for example, GoogleUpdate) to maintain persistence. The script then runs code.exe tunnel user login --provider github --name <PC>, saves the verification code that the login prompt returns, harvests system information and user files, and exfiltrates everything to a free request-logging service. With that verification code the attackers complete the authentication on their side, connect to the VS Code Remote Tunnel, and gain access to the host's filesystem and a terminal.
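As an added example (not code from Proofpoint, Security Affairs or the actor), the following Python turns the chain above into detection logic over process-creation telemetry. The records are constructed to look like Sysmon Event ID 1 fields flattened to JSON; the hostnames, paths, field names and the scheduled task's action (the article says only that a task such as GoogleUpdate is created) are assumptions, as is the default VS Code user-install path used to tell a dropped CLI apart from a normal install.

```python
"""Detection for the VS Code Remote Tunnel abuse chain described above. Added
example, not code from Proofpoint, Security Affairs or TA415. Records imitate
Sysmon Event ID 1 (process creation) flattened to JSON; the field names, hosts,
paths and the scheduled-task action are assumptions."""
import json
import re
from collections import defaultdict, namedtuple
from typing import Optional

# Constructed telemetry, not real data. WS-POLICY01 replays the chain from the
# article; DEV-BOX07 is a developer legitimately using a VS Code tunnel.
SAMPLE_LOG = r"""
{"ts":"2025-08-04T13:01:02Z","host":"WS-POLICY01","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c \"C:\\Users\\analyst\\Downloads\\Draft_Legislation\\MACOS\\logon.bat\"","ParentImage":"C:\\Windows\\explorer.exe"}
{"ts":"2025-08-04T13:01:03Z","host":"WS-POLICY01","Image":"C:\\Users\\analyst\\Downloads\\Draft_Legislation\\MACOS\\python\\pythonw.exe","CommandLine":"pythonw.exe loader.py","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"ts":"2025-08-04T13:01:09Z","host":"WS-POLICY01","Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks /create /tn GoogleUpdate /tr \"C:\\Users\\analyst\\AppData\\Local\\Microsoft\\VSCode\\code.exe tunnel\" /sc onlogon","ParentImage":"C:\\Users\\analyst\\Downloads\\Draft_Legislation\\MACOS\\python\\pythonw.exe"}
{"ts":"2025-08-04T13:01:11Z","host":"WS-POLICY01","Image":"C:\\Users\\analyst\\AppData\\Local\\Microsoft\\VSCode\\code.exe","CommandLine":"code.exe tunnel user login --provider github --name WS-POLICY01","ParentImage":"C:\\Users\\analyst\\Downloads\\Draft_Legislation\\MACOS\\python\\pythonw.exe"}
{"ts":"2025-08-04T09:15:00Z","host":"DEV-BOX07","Image":"C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe","CommandLine":"\"Code.exe\" tunnel --name dev-box","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"ts":"2025-08-04T09:20:00Z","host":"DEV-BOX07","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c build.bat","ParentImage":"C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"}
{"ts":"2025-08-04T09:20:01Z","host":"DEV-BOX07","Image":"C:\\Python312\\python.exe","CommandLine":"python.exe setup.py build","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
"""

Alert = namedtuple("Alert", "rule host ts evidence")
# Where the VS Code user installer normally places Code.exe; adjust for your fleet.
LEGIT_VSCODE_DIR = re.compile(r"\\appdata\\local\\programs\\microsoft vs code\\", re.I)

def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def rule_vscode_tunnel(ev: dict) -> Optional[str]:
    """VS Code CLI starting a Remote Tunnel. Legitimate developers trigger this too,
    so the install path is recorded and correlate() decides how much it matters."""
    if _base(ev["Image"]) not in ("code.exe", "code-tunnel.exe"):
        return None
    if not re.search(r"\btunnel\b", ev["CommandLine"], re.I):
        return None
    origin = "standard" if LEGIT_VSCODE_DIR.search(ev["Image"]) else "non-standard"
    return f"VS Code tunnel from {origin} install path: {ev['CommandLine']}"

def rule_hidden_macos_batch(ev: dict) -> Optional[str]:
    """cmd.exe running a .bat out of a MACOS directory, as the LNK in the archive does."""
    if _base(ev["Image"]) == "cmd.exe" and re.search(r'\\macos\\[^"\s]*\.bat\b', ev["CommandLine"], re.I):
        return f"batch file launched from a MACOS folder: {ev['CommandLine']}"
    return None

def rule_pythonw_from_batch(ev: dict) -> Optional[str]:
    """Windowless Python (pythonw.exe) spawned directly by cmd.exe, how the loader hides its console."""
    if _base(ev["Image"]) == "pythonw.exe" and _base(ev["ParentImage"]) == "cmd.exe":
        return f"pythonw.exe launched by cmd.exe from {ev['Image']}"
    return None

def rule_schtasks_vscode_cli(ev: dict) -> Optional[str]:
    """Scheduled task (the article names GoogleUpdate) whose action runs the VS Code CLI tunnel."""
    cl = ev["CommandLine"]
    if (_base(ev["Image"]) == "schtasks.exe" and re.search(r"/create\b", cl, re.I)
            and re.search(r"code(-tunnel)?\.exe.*\btunnel\b", cl, re.I)):
        return f"scheduled task persists a VS Code tunnel: {cl}"
    return None

STAGING_RULES = {
    "hidden_macos_batch": rule_hidden_macos_batch,
    "pythonw_from_batch": rule_pythonw_from_batch,
    "schtasks_vscode_cli": rule_schtasks_vscode_cli,
}
ALL_RULES = {"vscode_tunnel": rule_vscode_tunnel, **STAGING_RULES}

def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def run_rules(events: list) -> list:
    """Evaluate every rule against every event; one Alert per (rule, event) hit."""
    return [Alert(name, ev["host"], ev["ts"], why)
            for ev in events for name, fn in ALL_RULES.items() if (why := fn(ev))]

def correlate(alerts: list) -> list:
    """Hosts where a tunnel started together with at least one staging indicator."""
    rules_by_host = defaultdict(set)
    for a in alerts:
        rules_by_host[a.host].add(a.rule)
    return sorted(h for h, r in rules_by_host.items()
                  if "vscode_tunnel" in r and r & set(STAGING_RULES))

if __name__ == "__main__":
    found = run_rules(parse_events(SAMPLE_LOG))
    for a in found:
        print(f"[{a.rule}] {a.host} {a.ts}: {a.evidence}")
    print("full chain on:", correlate(found))
```

Each staging rule is noisy on its own (developers run batch files and pythonw.exe all day, and Remote Tunnels are a supported VS Code feature), which is why correlate() only reports hosts where a tunnel start coincides with at least one staging indicator. In the constructed sample the developer box that legitimately starts a tunnel raises a single alert and no chain, while the targeted workstation raises all four. When tuning, the VS Code CLI living outside its normal install directory and a tunnel registered under a GitHub identity nobody in the organisation owns are the strongest signals.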

U.S. indictments say TA415 operates from Chengdu as Chengdu 404 Network Technology, a private contractor tied to China’s cyberespionage ecosystem. The group worked with other contractors like i-Soon, and some members claimed links to the Ministry of State Security. Proofpoint attributes recent and historical Voldemort backdoor activity to TA415 with high confidence based on infrastructure overlaps, tactics, and targeting that align with Chinese state interests.

“many of the targeted entities are consistent with known Chinese intelligence collection priorities. However, the timing of TA415’s pivot toward these targets is particularly noteworthy given the ongoing complex evolution of economic and foreign policy relations between China and the United States.” concludes the report.

Source: https://securityaffairs.com/182304/apt/china-linked-apt41-targets-government-think-tanks-and-academics-tied-to-us-china-trade-and-policy.html