A new investigation by the Broadcom Threat Hunter Team has uncovered a China-linked cyber espionage campaign that infiltrated a U.S.-based nonprofit organization involved in influencing U.S. government policy on international issues. The intrusion, which persisted for several weeks in April 2025, is the latest in a string of operations tied to Chinese state-sponsored threat groups seeking to monitor and influence foreign policy developments.
The first signs of malicious activity occurred on April 5, 2025, when the attackers initiated a mass scan targeting servers with a range of well-known exploits, including Atlassian OGNL Injection (CVE-2022-26134), Log4j (CVE-2021-44228), Apache Struts (CVE-2017-9805), and GoAhead RCE (CVE-2017-17562).
After nearly ten days of dormancy, attacker activity surged on April 16, marked by a series of curl commands testing external connectivity to well-known domains such as google.com, microsoft.com, and bing.com, as well as attempts to connect to internal IP addresses.
“Trying all these different methods suggests that the attackers may have been having some issues connecting to the particular machine they were interested in,” the report noted.
The reconnaissance continued with the use of the netstat command to enumerate network connections, followed by the creation of a Windows scheduled task to ensure persistence across reboots.
To maintain long-term access, the attackers leveraged msbuild.exe, a legitimate Microsoft .NET component, to execute malicious XML configuration files every hour. This approach is a living-off-the-land tactic that exploits trusted Windows binaries to evade detection.
“The schtask command was used to create a new scheduled task called ‘\Microsoft\Windows\Ras\Outbound’, which was configured to run every 60 minutes as a high-privileged SYSTEM user.”
This scheduled task was designed to execute code from an XML file that loaded additional payloads into memory via csc.exe, which later established a command-and-control (C2) connection to 38.180.83[.]166.
Shortly afterward, a custom loader was observed decrypting and executing an encrypted payload — likely a remote access tool (RAT) — using msascui.exe under the alias MicrosoftRuntime.
A major indicator linking the operation to Chinese state-backed groups was the use of DLL sideloading, a tactic where adversaries abuse legitimate applications to load malicious DLLs.
The attackers exploited vetysafe.exe, a signed component of Vipre Antivirus by Sunbelt Software, Inc., to sideload a malicious DLL named sbamres.dll.
“Evidence of various techniques, including the use of a legitimate vetysafe.exe component to sideload a malicious DLL (sbamres.dll), point to the attackers being based in China.”
This specific DLL has been observed in multiple campaigns attributed to Chinese APT groups, including Space Pirates, Kelp (aka Salt Typhoon), and Earth Longzhi — the latter identified as a subgroup of APT41. The shared use of this loader underscores how Chinese espionage operators frequently reuse and repurpose malware components across campaigns.
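The scheduled-task persistence, the MSBuild-to-csc.exe chain and the vetysafe.exe/sbamres.dll sideload described above are all visible in ordinary endpoint telemetry. The following Python script is an added example, not code from the Broadcom report: it runs four triage rules over constructed Sysmon-style process-create (ID 1) and image-load (ID 7) records, and the event field names, file paths and the task XML file name it uses are assumptions.

```python
import ntpath

# Constructed Sysmon-style telemetry for this example (not from the report):
# id 1 = process create, id 7 = image load. Paths and file names are assumptions.
MSB = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\schtasks.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn "\Microsoft\Windows\Ras\Outbound" /sc minute /mo 60 '
                    r'/ru SYSTEM /tr "' + MSB + r'\msbuild.exe C:\ProgramData\task.xml"'},
    {"id": 1, "Image": MSB + r"\msbuild.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"msbuild.exe C:\ProgramData\task.xml"},
    {"id": 1, "Image": MSB + r"\csc.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": MSB + r"\msbuild.exe",
     "CommandLine": r"csc.exe /noconfig /out:C:\Users\Public\stage.dll C:\Users\Public\stage.cs"},
    {"id": 7, "Image": r"C:\Users\Public\vetysafe.exe",
     "ImageLoaded": r"C:\Users\Public\sbamres.dll", "Signed": "false"},
]

SCHEDULER_HOSTS = {"svchost.exe", "taskeng.exe"}   # Task Scheduler launches actions via these
LOLBINS = {"msbuild.exe", "csc.exe"}
SIDELOAD_PAIRS = {("vetysafe.exe", "sbamres.dll")}  # host binary and DLL named in the report

def base(path):
    return ntpath.basename(path).lower()

def triage(events):
    """Return (rule, detail) findings for the persistence and sideloading chain."""
    findings = []
    for ev in events:
        if ev["id"] == 1:
            cmd, img, parent = ev["CommandLine"].lower(), base(ev["Image"]), base(ev["ParentImage"])
            # schtasks creating a task whose action is a .NET build binary
            if img == "schtasks.exe" and "/create" in cmd and any(b in cmd for b in LOLBINS):
                findings.append(("task_creates_lolbin", ev["CommandLine"]))
            # MSBuild started by the Task Scheduler service as SYSTEM (the hourly pattern)
            if img == "msbuild.exe" and parent in SCHEDULER_HOSTS and "system" in ev["User"].lower():
                findings.append(("msbuild_from_scheduler_as_system", ev["CommandLine"]))
            # MSBuild compiling with csc.exe: normal on build hosts, suspicious on servers
            if img == "csc.exe" and parent == "msbuild.exe":
                findings.append(("msbuild_spawns_csc", ev["CommandLine"]))
        elif ev["id"] == 7:
            # Known sideload pair where the loaded DLL lacks a valid signature
            if (base(ev["Image"]), base(ev["ImageLoaded"])) in SIDELOAD_PAIRS \
                    and ev.get("Signed", "false").lower() != "true":
                findings.append(("unsigned_dll_sideload", ev["ImageLoaded"]))
    return findings
```

Running `triage(SAMPLE_EVENTS)` yields one finding per rule; a developer's MSBuild launched from an IDE, or the signed Vipre DLL loaded from its install directory, produces none.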
“This component was also used for DLL sideloading before in conjunction with Deed RAT (aka Snappy Bee)… activity that was attributed to Kelp (aka Salt Typhoon, Earth Estries).”
The attackers also deployed what is likely a version of DCSync, a credential-extraction technique that impersonates a domain controller to request replication of Active Directory credentials. This indicates a deeper interest in gaining control over the organization’s authentication infrastructure.
Additionally, they used Imjpuexc.exe, a legitimate Microsoft file used for East Asian language input, as part of their toolkit — another hallmark of Chinese state-aligned threat groups employing legitimate binaries for obfuscation.
The Broadcom Threat Hunter Team linked elements of this operation to known China-based espionage actors, including Space Pirates, Kelp (Salt Typhoon), and APT41. These groups share malware, infrastructure, and operational tactics — a phenomenon long noted in Chinese cyber operations.