Chinese Hackers Organization Influence U.S. Government Policy On...

China-linked threat actors have intensified their focus on influencing American governmental decision-making processes by targeting organizations involved in shaping international policy.

In April 2025, a sophisticated intrusion into a U.S. non-profit organization revealed the persistent efforts of these attackers to establish long-term network access and gather intelligence related to policy matters.

The threat actors demonstrated considerable technical sophistication, employing multiple evasion techniques and exploiting various vulnerabilities to maintain control over the compromised infrastructure for several weeks.

The attack campaign reflects a broader pattern of Chinese state-sponsored espionage targeting policy-influencing institutions.

Initial reconnaissance began on April 5, 2025, when attackers conducted mass vulnerability scans against organizational servers, attempting exploits including CVE-2022-26134 (Atlassian OGNL Injection), CVE-2021-44228 (Log4j), CVE-2017-9805 (Apache Struts), and CVE-2017-17562 (GoAhead RCE).

These scanning activities established the foundation for their subsequent exploitation attempts and network compromise.

Symantec security analysts identified multiple tactical indicators linking this campaign to established Chinese threat groups including Space Pirates, Kelp (Salt Typhoon), and Earth Longzhi, a recognized subgroup of the long-standing APT41 collective.

The forensic evidence pointed directly to China-based attribution through several distinctive attack methodologies.

The attackers deployed DLL sideloading as their primary persistence mechanism, leveraging a legitimate VipreAV component named vetysafe.exe to execute malicious payload sbamres.dll.

This technique exploits Windows’ dynamic library search order by planting malicious code that legitimate applications automatically load and execute.
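Detection logic for the sideloading pattern described above, added here as an example; it is not code from the report or from any vendor's tooling. It assumes Sysmon Event ID 7 (image load) field names in a constructed key=value record layout, treats vetysafe.exe as a watch-listed host, and flags a DLL that is loaded from the process's own directory but is unsigned, either beside a watch-listed host or outside a normal install path.

```python
import ntpath

# vetysafe.exe is the host binary named in the report; putting it on a watch list
# is this example's assumption, not a statement about the vendor's software.
KNOWN_SIDELOAD_HOSTS = {"vetysafe.exe"}
# Directories where a vendor binary is expected to live (assumption for this example).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed image-load events (Sysmon Event ID 7 field names; the key=value
# layout is this example's own). None of these lines come from the incident.
SAMPLE_EVENTS = [
    "Image=C:\\Users\\Public\\svc\\vetysafe.exe|ImageLoaded=C:\\Users\\Public\\svc\\sbamres.dll|Signed=false|SignatureStatus=Unavailable",
    "Image=C:\\Program Files\\VIPRE\\vetysafe.exe|ImageLoaded=C:\\Program Files\\VIPRE\\sbamres.dll|Signed=true|SignatureStatus=Valid",
    "Image=C:\\Windows\\System32\\notepad.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true|SignatureStatus=Valid",
    "Image=C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe|ImageLoaded=C:\\Users\\bob\\AppData\\Local\\Temp\\version.dll|Signed=false|SignatureStatus=Unavailable",
]

def parse_event(line):
    """Split a 'k=v|k=v' record into a dict."""
    return {k.strip(): v.strip() for k, _, v in (p.partition("=") for p in line.split("|"))}

def sideload_reason(ev):
    """Return why this load looks like DLL sideloading, or None if it looks benign."""
    exe = ev.get("Image", "").lower()
    dll = ev.get("ImageLoaded", "").lower()
    if not dll.endswith(".dll"):
        return None
    exe_dir, exe_name = ntpath.split(exe)
    dll_dir, dll_name = ntpath.split(dll)
    if exe_dir != dll_dir:
        return None  # DLL came from System32 or elsewhere, not the application directory
    # In Event ID 7, Signed/SignatureStatus describe ImageLoaded, i.e. the DLL itself.
    dll_trusted = ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus", "").lower() == "valid"
    if dll_trusted:
        return None
    if exe_name in KNOWN_SIDELOAD_HOSTS:
        return f"watch-listed host {exe_name} loaded unsigned {dll_name} from its own directory"
    if not (exe_dir + "\\").startswith(TRUSTED_DIRS):
        return f"unsigned {dll_name} loaded beside {exe_name} outside a trusted install path"
    return None

def scan_events(lines):
    """Return [(dll_name, reason), ...] for every event flagged as a sideloading candidate."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reason = sideload_reason(ev)
        if reason:
            findings.append((ntpath.basename(ev["ImageLoaded"]).lower(), reason))
    return findings

if __name__ == "__main__":
    for dll, reason in scan_events(SAMPLE_EVENTS):
        print(f"[ALERT] {dll}: {reason}")
```

The second sample (the same host and DLL name, but signed and under Program Files) is deliberately left unflagged, so the rule keys on where the DLL came from and whether it is signed rather than on file names alone.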

CVE Details

Affected Product: Apache
Attack Vector: network
Impact: RCE