
"The attacks, observed in July and August 2025, attempted to establish a Visual Studio Code (VS Code) remote tunnel for persistent remote access to the compromised environments, instead of relying on conventional malware. Attributed to TA415, a Chinese state-sponsored hacking group also known as APT41, Barium, Brass Typhoon, Bronze Atlas, Wicked Panda, and Winnti, and indicted by the US in 2020, the campaign targeted US government, think tank, and academic organizations."
"In early July, the threat actor sent email messages spoofing the US-China Business Council, allegedly inviting the recipients to a closed-door briefing regarding the United States' affairs with China and Taiwan. Subsequent emails, Proofpoint says, impersonated John Moolenaar, the Chair of the Select Committee on Strategic Competition between the US and the Chinese Communist Party, requesting feedback on draft legislation regarding sanctions against China. The Wall Street Journal reported on the Moolenaar impersonation earlier this month, but no technical details were available at the time."
"The phishing messages contained links to password-protected archives hosted on known cloud services, containing a shortcut (LNK) file and a hidden subfolder. Launching the LNK file executed a batch script stored in the hidden folder and a decoy PDF file hosted on OneDrive. The script's execution triggers a multi-stage infection process in which the VSCode Command Line Interface (CLI) is downloaded from Microsoft's servers, a scheduled task is created for persistence, and a VS Code remote tunnel authenticated via GitHub is established."
TA415 conducted phishing campaigns in July and August 2025 that targeted organizations involved in US-China relations, economic policy, and international trade, including government, think tank, and academic entities. Emails spoofed the US-China Business Council and impersonated a member of Congress to lure recipients into downloading password-protected archives hosted on cloud services. Each archive contained an LNK shortcut and a hidden folder; launching the shortcut ran a batch script from that folder, which opened a decoy PDF and started a multi-stage payload. The payload fetched the VS Code CLI from Microsoft's servers, created a scheduled task for persistence, established a VS Code remote tunnel authenticated via GitHub, and exfiltrated system and user-directory data. Because every component is legitimately signed Microsoft tooling, the useful indicators are behavioural: the CLI running from an unusual path, its `tunnel` subcommand appearing on the command line, a batch script in the process ancestry, and a scheduled task that relaunches the tunnel.
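The chain described above can be hunted for in endpoint telemetry without any file-hash indicator. The following is an added example, not code from Proofpoint, SecurityWeek, or the article: it scans constructed Sysmon-style process-creation and scheduled-task-creation records (the field names, file paths, user names, task name and command lines are all assumptions made for the demo) and flags the VS Code CLI invoked with the `tunnel` subcommand from outside a normal install directory, a batch-script launcher in the tunnel process's ancestry, and a scheduled task whose action relaunches the tunnel. A developer opening VS Code normally is included as a benign control.

```python
"""Hunt for VS Code remote-tunnel persistence in Windows telemetry.

Added example, not Proofpoint's or SecurityWeek's code. The event
schema and every sample value below are assumptions for the demo.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real data): one infection chain
# matching the reported tradecraft, plus one benign VS Code launch.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4001, "ppid": 900,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # LNK handed a batch script in a hidden folder to cmd.exe.
    {"type": "process", "pid": 4010, "ppid": 4001,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\briefing\.hidden\run.bat"'},
    # The script's downloaded VS Code CLI starting a tunnel from %TEMP%.
    {"type": "process", "pid": 4015, "ppid": 4010,
     "image": r"C:\Users\alice\AppData\Local\Temp\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms --name host1"},
    # Persistence: a scheduled task that relaunches the tunnel.
    {"type": "task", "task_name": r"\Microsoft\Windows\UpdateCheck",
     "command": r"C:\Users\alice\AppData\Local\Temp\code.exe",
     "arguments": "tunnel --accept-server-license-terms"},
    # Benign control: a developer opening a project in an installed VS Code.
    {"type": "process", "pid": 5000, "ppid": 4001,
     "image": r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe" C:\src\project'},
]

TUNNEL_RE = re.compile(r"\btunnel\b", re.IGNORECASE)
BATCH_RE = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)
# Binaries that carry the tunnel capability: the standalone CLI and the
# tunnel service binary shipped alongside the editor.
VSCODE_BINARIES = {"code.exe", "code-tunnel.exe"}
# Directories where an installed VS Code binary is expected to live;
# a CLI dropped by a script typically runs from somewhere else.
EXPECTED_INSTALL_DIRS = (
    r"\appdata\local\programs\microsoft vs code\\",
    r"\program files\microsoft vs code\\",
)


@dataclass
class Finding:
    rule: str      # which behaviour fired
    subject: str   # pid or task name the finding is about
    note: str      # human-readable context


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def outside_install_dir(image: str) -> bool:
    """True when the binary does not run from a known VS Code install path."""
    low = image.lower().replace("\\\\", "\\")
    return not any(d.replace("\\\\", "\\") in low for d in EXPECTED_INSTALL_DIRS)


def analyze(events):
    """Return Findings for tunnel launches, batch ancestry and tunnel tasks."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            if basename(e["image"]) in VSCODE_BINARIES and TUNNEL_RE.search(e["cmdline"]):
                where = "outside install dir" if outside_install_dir(e["image"]) else "in install dir"
                findings.append(Finding("vscode_tunnel_process", str(e["pid"]),
                                        f"{e['image']} ({where})"))
                # Walk a few levels up the ancestry looking for a batch launcher.
                parent, depth = by_pid.get(e["ppid"]), 0
                while parent is not None and depth < 5:
                    if basename(parent["image"]) == "cmd.exe" and BATCH_RE.search(parent["cmdline"]):
                        findings.append(Finding("tunnel_spawned_by_batch", str(e["pid"]),
                                                f"parent pid {parent['pid']}: {parent['cmdline']}"))
                        break
                    parent, depth = by_pid.get(parent["ppid"]), depth + 1
        elif e["type"] == "task":
            action = f"{e['command']} {e.get('arguments', '')}"
            if basename(e["command"]) in VSCODE_BINARIES and TUNNEL_RE.search(action):
                findings.append(Finding("scheduled_task_vscode_tunnel", e["task_name"], action))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.subject}: {f.note}")
```

The three rules deliberately key on behaviour rather than on the binary itself, since the CLI is signed by Microsoft and is downloaded from Microsoft's own servers; in a real deployment the parent-chain walk would run over the full process tree and the install-directory allowlist would be tuned to the estate's software deployment paths.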
Read at SecurityWeek