In a recent series of cyber espionage activities, the China-affiliated threat actor known as TA415 has been identified targeting U.S. government entities, think tanks, and academic institutions. These campaigns, observed during July and August 2025, utilized spear-phishing techniques with themes centered around U.S.-China economic relations.
According to cybersecurity firm Proofpoint, TA415 impersonated prominent figures and organizations, including the Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party (CCP) and the U.S.-China Business Council. The objective was to deceive individuals and organizations focused on U.S.-China relations, trade, and economic policy into engaging with malicious content.
This activity is believed to be an effort by Chinese state-sponsored actors to gather intelligence amid ongoing U.S.-China trade discussions. TA415 shares characteristics with other threat clusters, notably APT41 and Brass Typhoon (formerly known as Barium).
The campaign primarily targeted professionals specializing in international trade, economic policy, and U.S.-China relations. Victims received emails that appeared to be from the U.S.-China Business Council, inviting them to exclusive briefings on U.S.-Taiwan and U.S.-China affairs. These emails were sent from the address uschina@zohomail[.]com and utilized the Cloudflare WARP VPN service to mask the origin of the attacks.
Embedded within these emails were links to password-protected archives hosted on public cloud services such as Zoho WorkDrive, Dropbox, and OpenDrive. Inside these archives, recipients found a Windows shortcut (LNK) file accompanied by other files concealed within a hidden folder.
When the LNK file was executed, it triggered a batch script that displayed a decoy PDF document to the user. Simultaneously, the script ran an obfuscated Python loader named WhirlCoil, also present in the archive. Earlier versions of this attack chain downloaded the WhirlCoil loader from paste sites like Pastebin and obtained the Python package directly from the official Python website.
To maintain persistence on the compromised system, the script established a scheduled task, often named GoogleUpdate or MicrosoftHealthcareMonitorNode, set to run the loader every two hours. If the user had administrative privileges, the task was executed with SYSTEM-level access.
The Python loader then initiated a Visual Studio Code remote tunnel, providing the attackers with persistent backdoor access. It also collected system information and contents from various user directories. This data, along with the remote tunnel verification code, was transmitted to a free request logging service (e.g., requestrepo[.]com) as a base64-encoded blob within an HTTP POST request.
With the verification code, the attackers could authenticate to the Visual Studio Code remote tunnel, which gave them remote access to the file system and the ability to execute arbitrary commands through the built-in Visual Studio Code terminal on the targeted host.
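The chain described above leaves three host-side traces a defender can hunt for: the two-hour scheduled task with one of the reported names, the VS Code CLI being launched in tunnel mode, and a base64-encoded POST to a free request-logging service. The following Python script is an added example, not code from Proofpoint or from this article; it runs the three checks over a constructed set of JSON-lines telemetry records. The event and field names (`scheduled_task_created`, `process_start`, `http_request`, `task_name`, `interval_minutes`, `cmdline`, `body`), the sample hostnames and paths, and the `code.exe tunnel` command line are assumptions chosen for the illustration; only the task names and the requestrepo domain come from the report.

```python
import base64
import json
import re
from typing import Optional

# Task names the report says the batch script used for persistence.
SUSPECT_TASK_NAMES = {"googleupdate", "microsofthealthcaremonitornode"}
# Free request-logging service the report names as the exfiltration endpoint.
REQUEST_LOGGER_HOSTS = {"requestrepo.com"}

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _fake_exfil_body() -> str:
    """Constructed stand-in for the loader's base64 blob: host info plus tunnel code."""
    payload = {"hostname": "WS-FINANCE-07", "user": "analyst", "tunnel_code": "ABCD-EFGH"}
    return base64.b64encode(json.dumps(payload).encode()).decode()


# Constructed endpoint telemetry (one JSON record per line); field names are assumptions.
SAMPLE_EVENTS = [
    json.dumps({"event": "scheduled_task_created", "task_name": "Adobe Acrobat Update Task",
                "interval_minutes": 1440, "run_as": "analyst", "command": "AdobeARM.exe"}),
    json.dumps({"event": "scheduled_task_created", "task_name": "GoogleUpdate",
                "interval_minutes": 120, "run_as": "SYSTEM",
                "command": r"C:\Users\analyst\AppData\Local\Temp\python\python.exe loader.py"}),
    json.dumps({"event": "process_start", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
                "cmdline": "chrome.exe --profile-directory=Default"}),
    json.dumps({"event": "process_start", "image": r"C:\Users\analyst\.vscode-cli\code.exe",
                "cmdline": "code.exe tunnel --accept-server-license-terms --name WS-FINANCE-07"}),
    json.dumps({"event": "http_request", "method": "GET", "host": "www.example.com", "body": ""}),
    json.dumps({"event": "http_request", "method": "POST", "host": "abc123.requestrepo.com",
                "body": _fake_exfil_body()}),
]


def check_persistence(ev: dict) -> Optional[str]:
    """Flag a task using one of the reported names, or a 2-hour task that runs
    Python out of a user profile path (the WhirlCoil persistence pattern)."""
    if ev.get("event") != "scheduled_task_created":
        return None
    name = ev.get("task_name", "").lower()
    cmd = ev.get("command", "").lower()
    if name in SUSPECT_TASK_NAMES:
        return f"known TA415 task name '{ev['task_name']}'"
    if ev.get("interval_minutes") == 120 and "python" in cmd and "\\users\\" in cmd:
        return "2-hour task running Python from a user profile path"
    return None


def check_vscode_tunnel(ev: dict) -> Optional[str]:
    """Flag the VS Code CLI started with the 'tunnel' subcommand."""
    if ev.get("event") != "process_start":
        return None
    image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    argv = ev.get("cmdline", "").split()
    if image.startswith("code") and "tunnel" in argv[1:]:
        return f"VS Code CLI started in tunnel mode: {ev['cmdline']}"
    return None


def check_exfil_post(ev: dict) -> Optional[str]:
    """Flag a POST to a request-logging domain; decode the body if it is valid base64."""
    if ev.get("event") != "http_request" or ev.get("method") != "POST":
        return None
    host = ev.get("host", "").lower()
    if not any(host == d or host.endswith("." + d) for d in REQUEST_LOGGER_HOSTS):
        return None
    body = ev.get("body", "")
    if not _B64_RE.match(body):
        return f"POST to request logger {host} (body not base64)"
    try:
        decoded = base64.b64decode(body, validate=True)
    except ValueError:
        return f"POST to request logger {host}"
    return f"base64 POST to request logger {host}: {decoded[:80]!r}"


RULES = {"persistence": check_persistence,
         "vscode_tunnel": check_vscode_tunnel,
         "exfil": check_exfil_post}


def triage(lines):
    """Run every rule over every JSON-lines record; return (line_no, rule, detail) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the sweep
        for rule, fn in RULES.items():
            detail = fn(ev)
            if detail:
                hits.append((n, rule, detail))
    return hits


if __name__ == "__main__":
    for n, rule, detail in triage(SAMPLE_EVENTS):
        print(f"line {n}: [{rule}] {detail}")
```

The persistence rule matches on the reported task names first and falls back to the behavioural trait (a two-hour task launching Python from a user-writable path) so that a renamed task is still caught; the exfiltration rule decodes the base64 body only after a strict format check, which avoids decoding arbitrary POST bodies from the same host.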
This sophisticated method underscores the evolving tactics of state-sponsored cyber actors and highlights the importance of vigilance and robust cybersecurity measures to protect sensitive information.