State-aligned Chinese threat actor TA415 (also tracked as APT41, Brass Typhoon, Wicked Panda) has launched a series of spearphishing campaigns targeting U.S. government, think tank, and academic organizations in July and August 2025. According to Proofpoint, these campaigns mark a strategic pivot toward intelligence collection on U.S.-China economic relations and trade policy.
Proofpoint researchers write, “Throughout July and August 2025, TA415 conducted spearphishing campaigns targeting United States government, think tank, and academic organizations utilizing U.S.-China economic-themed lures.”
The campaigns leveraged highly convincing impersonations. Attackers posed as the U.S.-China Business Council and even spoofed John Moolenaar, Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party.
“Multiple subsequent TA415 campaigns in July and August 2025 posed as John Moolenaar… Proofpoint regularly observes state-aligned threat actors spoofing prominent individuals in this manner to exploit the trust and credibility tied to their public profiles.”
Emails invited recipients to closed-door briefings or solicited input on draft legislation regarding sanctions against China. Attachments were delivered as password-protected archives hosted on Zoho WorkDrive, Dropbox, or OpenDrive, a tactic designed to bypass email security systems.

The infection chain has evolved from TA415’s earlier Voldemort backdoor delivery to a stealthier approach using legitimate developer tools.
The archives contained malicious LNK files that executed a batch script, which in turn ran an obfuscated Python loader dubbed WhirlCoil. Proofpoint explains: “The WhirlCoil loader is a Python script obfuscated by repeated use of variable and function names like IIIllIIIIlIlIIlIII.”
Instead of deploying custom malware, WhirlCoil installed the VS Code Command Line Interface (CLI) from official Microsoft sources and used it to establish a VS Code Remote Tunnel, authenticated via GitHub. This gave TA415 covert remote access without dropping traditional implants.
Persistence was maintained by creating scheduled tasks disguised as GoogleUpdate or MicrosoftHealthcareMonitorNode, running every two hours.
This tactic is notable for its abuse of trusted cloud services. TA415 has consistently used Google Sheets, Google Calendar, and VS Code Remote Tunnels for command-and-control. Proofpoint notes this is “likely a concerted effort from TA415 to blend in with existing legitimate traffic to these trusted services.”
Exfiltrated system information and VS Code tunnel verification codes were sent to request logging services like requestrepo[.]com, allowing attackers to authenticate tunnels and interact directly with compromised systems.
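As an added defender-side illustration (not code from Proofpoint or from the article), the following Python sketch scores constructed endpoint events against the tradecraft described above: a VS Code CLI `tunnel` invocation spawned from a Python process, the two look-alike scheduled task names on a two-hour interval, and DNS lookups to the request-logging domain. The event shape, field names and sample events are assumptions.

```python
"""Triage sketch for the TA415 VS Code Remote Tunnel chain (added example).
Event dicts are a constructed stand-in for EDR / Sysmon telemetry."""
import re

# Scheduled task names the report says TA415 used for persistence
LOOKALIKE_TASK_NAMES = {"GoogleUpdate", "MicrosoftHealthcareMonitorNode"}
# Request-logging domain named in the report (defanged there as requestrepo[.]com)
REQUEST_LOGGING_DOMAINS = {"requestrepo.com"}
# VS Code CLI binary followed by the real "tunnel" subcommand, e.g. "code.exe tunnel ..."
TUNNEL_CMD = re.compile(r"\bcode(?:\.exe)?\b.*\btunnel\b", re.IGNORECASE)

def classify(event: dict) -> list[str]:
    """Return the detection labels that a single event triggers."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        cmd = event.get("cmdline", "")
        if TUNNEL_CMD.search(cmd):
            hits.append("vscode_tunnel_cli")
            # A loader script (WhirlCoil) launching the tunnel is the key anomaly
            if event.get("parent", "").lower().endswith("python.exe"):
                hits.append("tunnel_spawned_by_python")
    elif kind == "schtask":
        if event.get("name") in LOOKALIKE_TASK_NAMES:
            hits.append("lookalike_task_name")
        # Report: tasks fired every two hours and re-launched the tunnel
        if event.get("interval_min") == 120 and TUNNEL_CMD.search(event.get("action", "")):
            hits.append("two_hour_tunnel_task")
    elif kind == "dns":
        q = event.get("query", "").lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in REQUEST_LOGGING_DOMAINS):
            hits.append("request_logging_domain")
    return hits

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and labels of every event that triggered at least one detection."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"type": "process", "parent": r"C:\Users\u\AppData\Local\python.exe",
     "cmdline": r"C:\Users\u\AppData\Local\code.exe tunnel --accept-server-license-terms"},
    {"type": "schtask", "name": "MicrosoftHealthcareMonitorNode", "interval_min": 120,
     "action": r"C:\Users\u\AppData\Local\code.exe tunnel"},
    {"type": "dns", "query": "abc123.requestrepo.com"},
    # Benign: interactive VS Code launch, no tunnel subcommand
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Program Files\Microsoft VS Code\Code.exe"},
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS):
        print(idx, labels)
```

Tuning the task-name check against the signed vendor binary a legitimate updater task points to is left to the deployer; as written it only matches the two names from the report.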
According to U.S. indictments, TA415 operates out of Chengdu, China, under the company Chengdu 404 Network Technology, with historic links to China’s Ministry of State Security (MSS). Proofpoint attributes this activity to TA415 with high confidence, citing overlaps in infrastructure, TTPs, and targeting.
The timing is no coincidence. Proofpoint highlights that these operations align with Chinese intelligence priorities around U.S.-China economic negotiations: “This activity occurs amid ongoing negotiations and uncertainty surrounding the future of U.S.-China economic and trade relations… the timing of TA415’s pivot toward these targets is particularly noteworthy.”