From Log4j to IIS, China's Hackers Turn Legacy Bugs into Global Espionage Tools
"A China-linked threat actor has been attributed to a cyber attack targeting a U.S. non-profit organization with an aim to establish long-term persistence, as part of broader activity aimed at U.S. entities that are linked to or involved in policy issues. The organization, according to a report from Broadcom's Symantec and Carbon Black teams, is "active in attempting to influence U.S. government policy on international issues." The attackers managed to gain access to the network for several weeks in April 2025."
"The first sign of activity occurred on April 5, 2025, when mass scanning efforts were detected against a server by leveraging various well-known exploits, including CVE-2022-26134 (Atlassian), CVE-2021-44228 (Apache Log4j), CVE-2017-9805 (Apache Struts), and CVE-2017-17562 (GoAhead Web Server). No further actions were recorded until April 16, when the attackers executed several curl commands to test internet connectivity, after which the Windows command-line tool netstat was executed to collect network configuration information. This was followed by setting up persistence on the host by means of a scheduled task."
"The task was designed to execute a legitimate Microsoft binary "msbuild.exe" to run an unknown payload, as well as create another scheduled task that's configured to run every 60 minutes as a high-privileged SYSTEM user. This new task, Symantec and Carbon Black said, was capable of loading and injecting unknown code into "csc.exe" that ultimately established communications with a command-and-control (C2) server ("38.180.83[.]166"). Subsequently, the attackers were observed executing a custom loader to unpack and run an unspecified payload, likely a remote access trojan (RAT) in memory."
A China-linked threat actor targeted a U.S. non-profit active in attempting to influence U.S. government policy, gaining network access for several weeks in April 2025. Initial mass scanning on April 5 leveraged multiple known exploits including CVE-2022-26134, CVE-2021-44228, CVE-2017-9805, and CVE-2017-17562. On April 16 attackers tested connectivity with curl, collected network info with netstat, and established persistence via scheduled tasks. A task launched msbuild.exe to run an unknown payload and created an hourly SYSTEM-level task that injected code into csc.exe to contact a C2 server. Observed activity included a custom loader unpacking a likely in-memory RAT and DLL sideloading via a legitimate AV component.
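The persistence pattern described above (a scheduled task running as SYSTEM, repeating every 60 minutes, whose action invokes a living-off-the-land .NET binary such as msbuild.exe or csc.exe) is something a defender can hunt for in exported Task Scheduler definitions. The script below is an added example written for this summary, not code from The Hacker News, Symantec or Carbon Black. It parses the real Task Scheduler XML format (the one `schtasks /query /xml` emits) and flags a task when its action runs msbuild.exe or csc.exe and it is also either SYSTEM-level or tightly repeating. The three task definitions, their names, and the file paths inside them are constructed sample input; the scoring rule and the 60-minute threshold are assumptions chosen to mirror the reported behaviour.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Real Task Scheduler definition namespace, as written by schtasks /query /xml
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# LOLBins named in the report as the execution / injection hosts
LOLBINS = ("msbuild.exe", "csc.exe")

# Assumption: repetition at or under this interval is treated as beaconing-like
MAX_INTERVAL_MIN = 60


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A LOLBin action alone is common in dev environments; require a
        # corroborating signal (SYSTEM principal or tight repetition).
        has_lolbin = any(r.startswith("exec action invokes") for r in self.reasons)
        return has_lolbin and len(self.reasons) >= 2


def _text(el, path):
    node = el.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def _interval_minutes(iso):
    # ISO-8601 duration as Task Scheduler writes it, e.g. PT60M or PT1H
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso)
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s // 60


def assess_task(name, xml_text):
    """Return a Finding listing every risk signal present in one task definition."""
    root = ET.fromstring(xml_text)
    f = Finding(name)

    user = _text(root, ".//t:Principals/t:Principal/t:UserId").upper()
    if user in ("S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"):
        f.reasons.append("runs as SYSTEM")

    interval = _text(root, ".//t:Triggers//t:Repetition/t:Interval")
    mins = _interval_minutes(interval) if interval else None
    if mins is not None and mins <= MAX_INTERVAL_MIN:
        f.reasons.append(f"repeats every {interval}")

    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (_text(action, "t:Command") + " " + _text(action, "t:Arguments")).lower()
        if any(b in cmd for b in LOLBINS):
            f.reasons.append(f"exec action invokes {cmd.split()[0]}")
    return f


def scan(tasks):
    """Assess every task and return only those that meet the suspicious rule."""
    return [f for f in (assess_task(n, x) for n, x in tasks.items()) if f.suspicious]


# Constructed sample task definitions (names and paths are made up)
SAMPLE_TASKS = {
    "nightly-backup": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-04-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>CORP\jdoe</UserId></Principal></Principals>
  <Actions><Exec><Command>C:\Tools\backup.exe</Command><Arguments>/full</Arguments></Exec></Actions>
</Task>""",
    # Mirrors the reported pattern: SYSTEM principal, 60-minute repeat, msbuild.exe action
    "update-check": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2025-04-16T10:00:00</StartBoundary>
    <Repetition><Interval>PT60M</Interval></Repetition></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions><Exec><Command>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe</Command>
    <Arguments>C:\ProgramData\update\task.xml</Arguments></Exec></Actions>
</Task>""",
    # SYSTEM and hourly, but a non-LOLBin command: noisy if flagged on its own
    "telemetry": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2025-01-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>SYSTEM</UserId></Principal></Principals>
  <Actions><Exec><Command>C:\Program Files\Vendor\agent.exe</Command></Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_TASKS):
        print(finding.name, "->", "; ".join(finding.reasons))
```

On a live host the same function can be fed the files under `C:\Windows\System32\Tasks\` or the output of `schtasks /query /tn <name> /xml`; the rule deliberately requires a LOLBin action plus a second signal so that ordinary SYSTEM maintenance tasks are not reported.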
Read at The Hacker News