Going Underground: China-aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels

    Date: 09/17/2025

    Severity: High

    Summary

    Between July and August 2025, TA415 conducted spearphishing campaigns against U.S. government, think tank, and academic targets using U.S.-China economic-themed lures. The group impersonated prominent entities such as the Select Committee on Strategic Competition and the US-China Business Council to reach individuals focused on U.S.-China relations. Rather than traditional malware, the campaigns deployed a Visual Studio Code Remote Tunnel to establish persistent access. TA415 used legitimate services, including Google Sheets, Google Calendar, and VS Code tunnels, for command and control to evade detection. This activity, attributed to the group also tracked as APT41 and under other aliases, likely aims to collect intelligence on U.S.-China economic policy amid ongoing geopolitical tensions.

    Indicators of Compromise (IOC) List 

    Domains/URLs : 


    Hash : 


    Email Address : 

    uschina@zohomail.com

    johnmoolenaar.mail.house.gov@zohomail.com

    john.moolenaar.maii.house.gov@outlook.com

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs : 

    domainname like "https://od.lk/d/OTRfMTA3OTczMjQwXw/USCBC_20250811_Meeting_Info.7z" or url like "https://od.lk/d/OTRfMTA3OTczMjQwXw/USCBC_20250811_Meeting_Info.7z" or siteurl like "https://od.lk/d/OTRfMTA3OTczMjQwXw/USCBC_20250811_Meeting_Info.7z" or domainname like "http://requestrepo.com/r/2yxp98b3/" or url like "http://requestrepo.com/r/2yxp98b3/" or siteurl like "http://requestrepo.com/r/2yxp98b3/" or domainname like "https://www.dropbox.com/scl/fi/d1gceow3lpvg2rlb45zl4/USCBC_Meeting_Info_20250811.rar?rlkey=hg5kja70lgn6n2lozb2cjr1l5&st=2gj6un0k&dl=1" or url like "https://www.dropbox.com/scl/fi/d1gceow3lpvg2rlb45zl4/USCBC_Meeting_Info_20250811.rar?rlkey=hg5kja70lgn6n2lozb2cjr1l5&st=2gj6un0k&dl=1" or siteurl like "https://www.dropbox.com/scl/fi/d1gceow3lpvg2rlb45zl4/USCBC_Meeting_Info_20250811.rar?rlkey=hg5kja70lgn6n2lozb2cjr1l5&st=2gj6un0k&dl=1" or domainname like "https://workdrive.zoho.com/file/pelj30e40fd96a6084862bef88daf476dac8d" or url like "https://workdrive.zoho.com/file/pelj30e40fd96a6084862bef88daf476dac8d" or siteurl like "https://workdrive.zoho.com/file/pelj30e40fd96a6084862bef88daf476dac8d" or domainname like "https://workdrive.zoho.com/file/f8h84a6732545e79d4afdb5e6d6bcaa343416" or url like "https://workdrive.zoho.com/file/f8h84a6732545e79d4afdb5e6d6bcaa343416" or siteurl like "https://workdrive.zoho.com/file/f8h84a6732545e79d4afdb5e6d6bcaa343416" or domainname like "https://pastebin.com/raw/WcFQApJH" or url like "https://pastebin.com/raw/WcFQApJH" or siteurl like "https://pastebin.com/raw/WcFQApJH" or domainname like "https://1bjoijsh.requestrepo.com/" or url like "https://1bjoijsh.requestrepo.com/" or siteurl like "https://1bjoijsh.requestrepo.com/" or domainname like "https://6mpbp0t3.requestrepo.com/" or url like "https://6mpbp0t3.requestrepo.com/" or siteurl like "https://6mpbp0t3.requestrepo.com/"

    Hash :

    sha256hash IN ("29cfd63b70d59761570b75a1cc4a029312f03472e7f1314c806c4fb747404385","660ba8a7a3ec3be6e9ef0b60a2a1d98904e425d718687ced962e0d639b961799","b33ccbbf868b8f9089d827ce0275e992efe740c8afd36d49d5008ede35920a2e","32bf3fac0ca92f74c2dd0148c29e4c4261788fb082fbaec49f9e7cd1fda96f56","ae5977f999293ae1ce45781decc5f886dd7153ce75674c8595a94a20b9c802a8","d12ce03c016dc999a5a1bbbdf9908b6cfa582ee5015f953a502ec2b90d581225","10739e1f1cf3ff69dbec5153797a1f723f65d371950007ce9f1e540ebdc974ed","674962c512757f6b3de044bfecbc257d8d70cf994c62c0a5e1f4cb1a69db8900","8d55747442ecab6dec3d258f204b44f476440d6bb30ad2a9d3e556e5a9616b03","4b2a250b604ca879793d1503be87f7a51b0bde2aca9642e0df5bb519d816cd2c","d81155fa8c6bd6bd5357954e2e8cae91b9e029e9b1e23899b882c4ea0fffad06")

    Email Address : 

    sender in ("uschina@zohomail.com","johnmoolenaar.mail.house.gov@zohomail.com","john.moolenaar.maii.house.gov@outlook.com") 
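    As an added example (not Gurucul's TDIR query syntax and not code from the Proofpoint report), the Python below applies the same hunting logic to constructed endpoint and mail log lines, combining the sender addresses listed above with a behavioural check for the VS Code Remote Tunnel technique described in the summary. The `code tunnel` CLI form and the relay domains are assumptions drawn from Microsoft's public Remote Tunnels documentation, not from this advisory.

```python
import json
import re

# Sender addresses are taken from this advisory's IOC list.
PHISHING_SENDERS = {
    "uschina@zohomail.com",
    "johnmoolenaar.mail.house.gov@zohomail.com",
    "john.moolenaar.maii.house.gov@outlook.com",
}

# Assumption (Microsoft docs, not this advisory): a Remote Tunnel is started
# with the `code tunnel` subcommand and relays through these domains.
TUNNEL_CMD = re.compile(r"(?i)\bcode(?:\.exe)?['\"]?\s+tunnel\b")
TUNNEL_DOMAINS = (".devtunnels.ms", ".tunnels.api.visualstudio.com")

def classify(event: dict):
    """Return a finding label for one log event, or None if it looks benign."""
    kind = event.get("type")
    if kind == "mail" and event.get("sender", "").lower() in PHISHING_SENDERS:
        return "ta415_phishing_sender"
    if kind == "process" and TUNNEL_CMD.search(event.get("cmdline", "")):
        return "vscode_remote_tunnel_started"
    if kind == "dns":
        name = event.get("query", "").lower().rstrip(".")
        if name.endswith(TUNNEL_DOMAINS):
            return "vscode_tunnel_relay_dns"
    return None

def hunt(lines: list) -> list:
    """Parse JSON log lines and return (host, finding) pairs for every hit."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole hunt
        label = classify(ev)
        if label:
            hits.append((ev.get("host", "?"), label))
    return hits

# Constructed sample log lines for illustration, not real telemetry.
SAMPLE_LOGS = [
    '{"type":"mail","host":"mx1","sender":"uschina@zohomail.com","subject":"Meeting info"}',
    '{"type":"process","host":"ws07","cmdline":"\\"C:\\\\Users\\\\a\\\\code.exe\\" tunnel --accept-server-license-terms"}',
    '{"type":"dns","host":"ws07","query":"global.rel.tunnels.api.visualstudio.com."}',
    '{"type":"process","host":"ws09","cmdline":"code.exe --folder-uri file:///C:/proj"}',
    '{"type":"dns","host":"ws09","query":"update.code.visualstudio.com"}',
]
```

Running `hunt(SAMPLE_LOGS)` flags the phishing sender on mx1 and both the tunnel launch and relay DNS lookup on ws07, while the ordinary VS Code activity on ws09 is left alone.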

    Reference:

    https://www.proofpoint.com/us/blog/threat-insight/going-underground-china-aligned-ta415-conducts-us-china-economic-relations

    Tags

    United States, China, Government Services and Facilities, Education, Malware, Phishing, Spearphishing, TA415, APT41, VS Code Remote Tunnels
