China-affiliated actors are believed to have carried out cyberattacks against a U.S. nonprofit organization with the goal of establishing long-term persistence, as part of a broader campaign targeting U.S. organizations related to or engaged in policy issues.
The targeted organization “actively seeks to influence U.S. government policy on international issues,” according to a report by Broadcom’s Symantec and Carbon Black teams. The attackers were able to maintain access to the network for several weeks in April 2025.
The first sign of activity occurred on April 5, 2025, when a mass scanning effort against the organization’s servers was detected using a variety of known exploits, including CVE-2022-26134 (Atlassian), CVE-2021-44228 (Apache Log4j), CVE-2017-9805 (Apache Struts), and CVE-2017-17562 (GoAhead Web Server).
Symantec and Carbon Black told The Hacker News that there is no indication that these exploitation efforts were successful. It is suspected that the attackers ultimately gained initial access through brute force or credential stuffing attacks.
No further activity was recorded until April 16. The attackers ran several curl commands to test internet connectivity, then ran the Windows command-line tool netstat to gather network configuration information. They then set up persistence on the host using a scheduled task.
This task is designed to run the legitimate Microsoft binary “msbuild.exe” to execute an unknown payload, and to create another scheduled task configured to run every 60 minutes as the highly privileged SYSTEM user.
According to Symantec and Carbon Black, this new task may load and inject unknown code into csc.exe, ultimately establishing communication with a command and control (C2) server at 38.180.83(.)166. The attacker was then observed running a custom loader to unpack and execute an unspecified payload, likely an in-memory remote access Trojan (RAT).
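As an added defender-side example (not code from the Symantec/Carbon Black report), the following Python inspects Task Scheduler task definitions, such as the TaskContent field of a Windows Security 4698 “task created” event, for the combination described above: an action that launches msbuild.exe or csc.exe, a SYSTEM principal, and a repetition interval of 60 minutes or less. The task names, paths and SIDs in the sample definitions are constructed for illustration.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by Windows task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Signed Microsoft binaries the report names as the task's action and injection target.
PROXY_BINARIES = {"msbuild.exe", "csc.exe"}

def interval_minutes(iso_duration):
    """Convert a repetition interval such as PT60M or PT1H to minutes (None if malformed)."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso_duration or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def assess_task(task_xml):
    """Return the indicators in one task definition that match the reported pattern."""
    root = ET.fromstring(task_xml)
    reasons = []
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", NS):
        exe = ntpath.basename((cmd.text or "").strip().strip('"')).lower()
        if exe in PROXY_BINARIES:
            reasons.append("action runs execution proxy " + exe)
    user = root.findtext(".//t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    if user.strip().upper() in ("S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"):
        reasons.append("runs as SYSTEM")
    for iv in root.iterfind(".//t:Triggers//t:Repetition/t:Interval", NS):
        mins = interval_minutes(iv.text)
        if mins is not None and mins <= 60:
            reasons.append(f"repeats every {mins:g} min")
    return reasons

def suspicious_tasks(tasks, min_reasons=2):
    """Task name -> indicators, for tasks showing at least min_reasons indicators."""
    return {n: r for n, r in ((n, assess_task(x)) for n, x in tasks.items()) if len(r) >= min_reasons}

TASK_TEMPLATE = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
 <Triggers><TimeTrigger><StartBoundary>2025-04-16T10:00:00</StartBoundary>
  <Repetition><Interval>{interval}</Interval></Repetition></TimeTrigger></Triggers>
 <Principals><Principal><UserId>{user}</UserId></Principal></Principals>
 <Actions><Exec><Command>{command}</Command></Exec></Actions></Task>"""
# Constructed sample task definitions: names, paths and SIDs are invented, not incident data.
SAMPLE_TASKS = {
    "Microsoft\\Windows\\Maintenance\\ConfigSync": TASK_TEMPLATE.format(
        interval="PT60M", user="S-1-5-18", command=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"),
    "Adobe Acrobat Update Task": TASK_TEMPLATE.format(
        interval="PT24H", user="S-1-5-21-1004-513-1105", command=r"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"),
}
```

Feed real task XML (for example, exported with schtasks /Query /XML or taken from 4698 events) into suspicious_tasks; a benign task may hit one indicator, which is why the default threshold requires two.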
The attackers were also observed running a legitimate Vipre AV component (‘vetysafe.exe’) to sideload a DLL loader (‘sbamres.dll’). The same component is said to have been used to sideload DLLs associated with the Deed RAT (aka Snappybee) in previous activity by Salt Typhoon (aka Earth Estries) and in attacks by Earth Longzhi, a subcluster of APT41.
“A copy of this malicious DLL has previously been used in attacks associated with China-based attackers known as Space Pirates,” Broadcom said. “A variant of this component with a different file name was also used by the Chinese APT group Kelp (also known as Salt Typhoon) in a separate incident.”
Other tools observed on the targeted network included Dcsync and Imjpuexc. It is unclear how successful the attack was. No additional activity has been recorded since April 16, 2025.
Symantec and Carbon Black said: “It is clear from the activity against this victim that the attackers were looking to establish a persistent and stealth presence on the network. The attackers were also very interested in targeting domain controllers, which could potentially spread the infection to many machines on the network.”
“Sharing tools between groups is a long-standing trend among Chinese threat actors, making it difficult to determine which specific group is behind a range of activities.”
The disclosure comes after a security researcher who goes by the online name BartBlaze revealed that Salt Typhoon exploited a security flaw in WinRAR (CVE-2025-8088) to begin an attack chain that sideloaded a DLL responsible for executing shellcode on compromised hosts. The final payload is designed to establish a connection with a remote server (‘mimosa.gleeze(.)com’).
Activities of other Chinese hacking groups
According to a report from ESET, China-aligned groups remain active, attacking organizations across Asia, Europe, Latin America, and the United States in order to serve Beijing’s geopolitical priorities. Some notable campaigns include:
- In July 2025, an attacker codenamed Speccom (also known as IndigoZebra or SMAC) targeted the Central Asian energy sector through phishing emails delivering BLOODALCHEMY variants and custom backdoors such as kidsRAT and RustVoralix.
- In July 2025, a threat actor codenamed DigitalRecyclers targeted organizations in Europe using an unusual persistence technique by using the Magnifier accessibility tool to gain SYSTEM privileges.
- Between June and September 2025, an attacker codenamed FamousSparrow targeted government agencies in Latin America (Argentina, Ecuador, Guatemala, Honduras, and Panama) and may have exploited a ProxyLogon flaw in Microsoft Exchange Server to deploy SparrowDoor.
- From May to September 2025, a threat actor codenamed SinisterEye (also known as LuoYu and Cascade Panda) targeted a Taiwanese company in the defense aviation sector, a US trade organization based in China, a Greek government agency office based in China, and an Ecuadorian government agency, using adversary-in-the-middle (AitM) attacks that hijacked legitimate software update mechanisms to distribute malware such as WinDealer (for Windows) and SpyDealer (for Android).
- In June 2025, an attacker codenamed PlushDaemon targeted Japanese and multinational companies in Cambodia with AitM poisoning delivering SlowStepper.
“PlushDaemon achieves AitM positioning by compromising network devices such as routers and deploying a tool named EdgeStepper, which redirects DNS traffic from the target network to remote DNS servers controlled by the attacker,” ESET said.
“This server responds to queries for domains associated with the software update infrastructure using the IP address of the web server that performs update hijacking and ultimately powers PlushDaemon’s flagship backdoor, SlowStepper.”
Chinese hacking group targets misconfigured IIS servers
In recent months, threat hunters have discovered Chinese-speaking attackers targeting misconfigured IIS servers by using exposed machine keys to install a backdoor called TOLLBOOTH (also known as HijackServer) with SEO cloaking and web shell capabilities.
“REF3927 exploits publicly available ASP.NET machine keys to compromise IIS servers and deploy the TOLLBOOTH SEO cloaking module globally,” Elastic Security Labs researchers said in a report released late last month. According to HarfangLab, the operation infected hundreds of servers around the world, with infections concentrated in India and the United States.
The attack is also characterized by attempts to weaponize initial access to drop the Godzilla web shell, run the GotoHTTP remote access tool, use Mimikatz to harvest credentials, and deploy HIDDENDRIVER, a modified version of the open source rootkit Hidden, to hide the presence of the malicious payload on the infected machine.
[Figure: REF3927 attack patterns and TOLLBOOTH SEO cloaking workflow]
It’s worth pointing out that this cluster is the latest addition to a long list of Chinese threat actors targeting IIS servers, including GhostRedirector, Operation Rewrite, and UAT-8099, and marks a spike in such activity.
“The malicious operators, who use Chinese as their primary language and appear to be leveraging the breach to support search engine optimization (SEO), have discovered that the deployed module provides a persistent, unauthenticated channel that allows any party to remotely execute commands on the affected servers,” the French cybersecurity firm said.
(This article was updated after publication to include responses from Symantec and Carbon Black.)
