Chinese cyber group targets US policy bodies during trade talks
Security researchers have identified a cyber-espionage campaign targeting United States government, academic, and think tank organisations amid ongoing economic negotiations between the United States and China.
Impersonation tactics
Recent research from Proofpoint reveals that the Chinese state-aligned threat actor TA415, tracked by others as APT41, Brass Typhoon, or Wicked Panda, has shifted its approach by spoofing the U.S.-China Business Council and a senior congressional figure to launch spearphishing attacks. These lures have referenced issues relating to trade and sanctions policy, targeting individuals and departments closely involved with U.S.-China relations.
Proofpoint found that, during July and August 2025, TA415 campaigns presented themselves as the Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party, as well as the U.S.-China Business Council. The phishing correspondence was sent to diverse targets, predominantly those engaged in economic and foreign policy analysis relating to U.S.-China ties. These entities included high-profile government, academic, and policy organisations focused on international trade and economic relations.
New methods for persistent access
Unlike earlier activity, in which the "Voldemort" backdoor was deployed, TA415's recent campaigns have not primarily relied on traditional malware. Instead, the attackers delivered an infection chain that attempted to establish a persistent Visual Studio Code (VS Code) Remote Tunnel. This tool, designed for legitimate developer use, was abused to give the actors covert, ongoing remote access to compromised systems.
"The TA415 phishing campaigns delivered an infection chain that attempts to establish a Visual Studio (VS Code) Remote Tunnel, enabling the threat actor to gain persistent remote access without the use of conventional malware. Recent TA415 phishing operations have consistently used legitimate services for command and control (C2), including Google Sheets, Google Calendar, and VS Code Remote Tunnels. This is likely a concerted effort from TA415 to blend in with existing legitimate traffic to these trusted services," Proofpoint stated.
Investigators observed that phishing emails routinely impersonated the U.S.-China Business Council and U.S. Representative John Moolenaar. The correspondence often included links to password-protected archive files hosted via public cloud services, making detection more challenging. The group also consistently used Cloudflare's WARP VPN service to conceal the source of their phishing attempts.
Technical details of the infection
Once a victim downloaded and opened the password-protected archive, it contained a Windows shortcut (LNK) file alongside other files placed in a hidden directory. Executing the shortcut triggered a batch script, which in turn ran a custom Python loader called WhirlCoil. The loader downloaded the VS Code command-line interface (CLI) from Microsoft, extracted it, and registered a scheduled task for persistence. The task ran every two hours and, where possible, with administrative privileges.
The WhirlCoil script collected system and directory information from the target machine and posted it to a public request-logging service. That data included the verification code the VS Code CLI issues when a new tunnel is authenticated through GitHub; with it, TA415 could bind the tunnel to an account it controlled, gaining access to the compromised computer's file system and the ability to execute arbitrary commands on the host.
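The chain above leaves a small number of host-side traces a defender can hunt for: a script interpreter spawning `schtasks.exe`, a task whose action runs the VS Code CLI with the `tunnel` subcommand, and the CLI itself starting from an unusual parent. The following is an added example, not Proofpoint's tooling or any code from the report; `code tunnel` is the real VS Code CLI subcommand, but the task name, paths and exact command lines are assumed, and the log events are constructed in the shape of flattened Sysmon process-creation records. The parent-based triage is a heuristic: a developer starting a tunnel from a terminal is reported at "info", a tunnel registered as a scheduled task or launched by a Python process at "high".

```python
"""Hunt for a VS Code Remote Tunnel persistence chain in process-creation events.

Added example for illustration; not Proofpoint's detection content. Paths, the
task name and the command lines are assumed, and the sample events are constructed.
"""
import re
from dataclasses import dataclass

# Matches "code tunnel", "code.exe tunnel" or "\code.cmd" tunnel, quoted or not.
TUNNEL_RE = re.compile(r'(?:^|[\\/\s"])code(?:\.exe|\.cmd)?"?\s+tunnel\b', re.IGNORECASE)
# Matches a schtasks invocation that creates a task.
SCHTASKS_CREATE_RE = re.compile(r'\bschtasks(?:\.exe)?\b.*\s/create\b', re.IGNORECASE)
# Parents that should never legitimately start a developer tunnel (assumed list).
SCRIPT_HOSTS = ("python.exe", "pythonw.exe", "wscript.exe", "cscript.exe", "mshta.exe")


@dataclass
class Finding:
    ts: str
    severity: str  # "high" or "info"
    reason: str
    cmd: str


def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def analyse(events):
    """Return findings for events whose command line starts or schedules a VS Code tunnel."""
    findings = []
    for ev in events:
        cmd, parent = ev["cmd"], _basename(ev["parent"])
        if SCHTASKS_CREATE_RE.search(cmd) and TUNNEL_RE.search(cmd):
            reason = "scheduled task registers a VS Code tunnel"
            if re.search(r"/rl\s+highest", cmd, re.IGNORECASE):
                reason += " with highest run level"  # runs elevated when the user is an admin
            findings.append(Finding(ev["ts"], "high", reason, cmd))
        elif TUNNEL_RE.search(cmd):
            if parent in SCRIPT_HOSTS:
                findings.append(Finding(ev["ts"], "high", f"VS Code tunnel launched by script host {parent}", cmd))
            else:
                findings.append(Finding(ev["ts"], "info", f"VS Code tunnel launched from {parent}; confirm with the user", cmd))
    return findings


# Constructed sample events (not real telemetry): LNK -> batch -> Python loader ->
# schtasks + tunnel, followed by a developer's interactive tunnel and a benign task.
SAMPLE_EVENTS = [
    {"ts": "2025-07-15T09:01:02Z", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c ""C:\Users\u\Downloads\brief\.data\run.bat""'},
    {"ts": "2025-07-15T09:01:05Z", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\u\AppData\Local\Programs\Python\Python312\python.exe",
     "cmd": r"python.exe C:\Users\u\Downloads\brief\.data\loader.py"},
    {"ts": "2025-07-15T09:01:40Z", "parent": r"C:\Users\u\AppData\Local\Programs\Python\Python312\python.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /sc hourly /mo 2 /tn "VSCodeUpdate" /tr "C:\Users\u\AppData\Local\vscode\code.exe tunnel --accept-server-license-terms" /rl highest /f'},
    {"ts": "2025-07-15T09:01:41Z", "parent": r"C:\Users\u\AppData\Local\Programs\Python\Python312\python.exe",
     "image": r"C:\Users\u\AppData\Local\vscode\code.exe",
     "cmd": r"C:\Users\u\AppData\Local\vscode\code.exe tunnel --accept-server-license-terms"},
    {"ts": "2025-07-15T10:30:00Z", "parent": r"C:\Windows\System32\WindowsTerminal.exe",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmd": r'"C:\Program Files\Microsoft VS Code\Code.exe" tunnel --name devbox'},
    {"ts": "2025-07-15T10:31:00Z", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /sc daily /tn "Backup" /tr "C:\tools\backup.bat"'},
]


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.ts} [{f.severity}] {f.reason}\n    {f.cmd}")
```

The two-hourly interval and the elevated run level are the page's own indicators; everything else the rule keys on is the generic shape of a tunnel launch, so it will also surface legitimate developer use, which is why the interactive case is reported at "info" rather than suppressed. In an environment with no sanctioned use of VS Code tunnels, the simplest control is to block the `tunnel` subcommand outright and alert on any `code.exe` download outside the software-management pipeline.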
Espionage objectives and attribution
The observed campaign occurred during a period of increased uncertainty in U.S.-China trade relations. Analysts believe the timing and target selection reflect Chinese state intelligence requirements around U.S.-China economic policy and negotiations.
"Proofpoint Threat Research assesses that a primary objective of these campaigns is likely the collection of intelligence on the trajectory of U.S.-China economic ties. This activity aligns with recent reporting by the Wall Street Journal," the company reported.
TA415 was indicted by the United States government in 2020 and identified as a private contractor based in Chengdu, China, operating as Chengdu 404 Network Technology. The group has reportedly maintained relationships with other private contractors, and U.S. authorities say it has connections to China's Ministry of State Security. Proofpoint expressed high confidence in attributing the current activity to TA415 based on established infrastructure links, technical and procedural consistencies, and the geopolitical alignment of the targeting.
Significance of the shift
The adoption of a legitimate developer tunnelling tool, together with the consistent use of legitimate cloud services for command and control, marks a departure from TA415's earlier malware-based tradecraft and shows the group adapting to evade controls tuned to conventional malware.
"Within the phishing threat landscape, shifts in established targeting patterns by state-aligned threat actors often raise interesting analytical questions. While the precise drivers behind these changes are frequently opaque, they are suggestive of evolving tasking requirements and shifting priorities shaped by broader geopolitical developments. In this case, many of the targeted entities are consistent with known Chinese intelligence collection priorities. However, the timing of TA415's pivot toward these targets is particularly noteworthy given the ongoing complex evolution of economic and foreign policy relations between China and the United States," Proofpoint's researchers added.
The report highlights the ongoing risks posed by state-affiliated cyber threat actors adapting their approach to compromise trusted organisations and further geopolitical intelligence objectives.