Chinese state-aligned hacking groups continue to rely on long-standing software vulnerabilities to conduct stealthy cyber operations across the globe. A recent incident involving a U.S.-based non-profit organization shows how older flaws in Log4j, Atlassian, Struts and IIS products are still being reused to gain long-term access for intelligence gathering.
Persistent Targeting of a U.S. Non-Profit
According to research from Broadcom’s Symantec team and Carbon Black analysts, a China-linked actor infiltrated a U.S. organization that works closely with policy discussions. The attackers maintained access for several weeks in April 2025.
The operation began on April 5, when large-scale scanning attempts hit the victim’s server. The scans used public exploits for CVE-2022-26134 (Atlassian), CVE-2021-44228 (Apache Log4j), CVE-2017-9805 (Apache Struts) and CVE-2017-17562 (GoAhead Web Server).
After a short gap, activity resumed on April 16, when the attackers ran curl commands to verify connectivity, followed by netstat to gather network information. They then created scheduled tasks to maintain persistence.
Abuse of Trusted Microsoft Binaries
The adversaries used the legitimate Microsoft binary msbuild.exe to run an unidentified payload. They also added another scheduled task configured to run every sixty minutes with elevated privileges under the SYSTEM account.
This mechanism allowed malicious code to be loaded into csc.exe, which then communicated with a command-and-control server at 38.180.83[.]166. A custom loader was later executed to unpack an in-memory payload believed to be a remote access trojan.
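The chain described above (a SYSTEM scheduled task launching msbuild.exe, csc.exe spawned beneath it, and csc.exe beaconing out) can be hunted for in endpoint telemetry. The following is an added example written for this write-up, not code from Broadcom or the incident; it runs three detection rules over constructed sample events in a simplified key=value format, assuming your telemetry can be normalized to fields such as `type`, `user`, `image`, `parent`, `command` and `dest_ip`.

```python
import re

# Constructed sample telemetry in a simplified key=value form (not real logs from the incident).
SAMPLE_EVENTS = [
    'type=task_create user=SYSTEM interval_min=60 command="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\Users\\Public\\p.xml"',
    'type=process user=SYSTEM image=csc.exe parent=msbuild.exe',
    'type=netconn image=csc.exe dest_ip=38.180.83.166 dest_port=443',
    'type=task_create user=alice interval_min=1440 command="C:\\Program Files\\Backup\\backup.exe"',
    'type=netconn image=chrome.exe dest_ip=142.250.1.1 dest_port=443',
]

LOLBINS = {"msbuild.exe", "csc.exe"}   # trusted Microsoft binaries abused in the write-up
KNOWN_C2 = {"38.180.83.166"}           # C2 address reported in the incident

def parse_event(line):
    """Parse key=value pairs; values may be double-quoted and contain spaces."""
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def first_exe(command):
    """Return the lowercase basename of the first .exe in a task command line."""
    m = re.search(r'([\w-]+\.exe)', command, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def hunt(lines):
    """Apply three hunting rules to the events and return (severity, message) findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("type")
        if kind == "task_create" and ev.get("user", "").upper() == "SYSTEM":
            exe = first_exe(ev.get("command", ""))
            if exe in LOLBINS:   # rule 1: SYSTEM task launching a build/compiler LOLBin
                findings.append(("high", f"scheduled task runs {exe} as SYSTEM every {ev.get('interval_min')} min"))
        elif kind == "process" and ev.get("image", "").lower() == "csc.exe":
            if ev.get("parent", "").lower() == "msbuild.exe" and ev.get("user", "").upper() == "SYSTEM":
                findings.append(("medium", "csc.exe spawned by msbuild.exe under SYSTEM"))  # rule 2
        elif kind == "netconn" and ev.get("image", "").lower() in LOLBINS:
            dest = ev.get("dest_ip", "")   # rule 3: a compiler binary should never beacon out
            sev = "critical" if dest in KNOWN_C2 else "high"
            findings.append((sev, f"{ev['image']} made a network connection to {dest}"))
    return findings

if __name__ == "__main__":
    for sev, msg in hunt(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```

Rule 2 alone will fire on legitimate MSBuild inline tasks; its value is in correlating with rules 1 and 3 on the same host.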
The attackers also abused a legitimate Vipre antivirus file, vetysafe.exe, to sideload a DLL named sbamres.dll. The same component has been observed in previous campaigns linked to Deed RAT and to groups such as Salt Typhoon, Earth Estries, Earth Longzhi and APT41. Broadcom noted that similar DLL variants were previously used by China-based groups such as Space Pirates and Kelp.
Tools identified inside the network included Dcsync and Imjpuexc. No additional activity was detected after April 16.
Long Term Access Remains the Primary Goal
Investigators reported that the attackers clearly aimed to establish durable access while attempting to interact with domain controllers, which could enable later movement across multiple systems. The sharing of tools among Chinese-aligned threat groups makes attribution challenging, since multiple clusters reuse similar components and loaders.
New Exploits and Expanding Campaigns
Security researcher BartBlaze revealed that Salt Typhoon continues to exploit a WinRAR vulnerability, CVE-2025-8088, to sideload a malicious DLL that executes shellcode and connects to a remote domain, mimosa.gleeze[.]com.
At the same time, ESET documented widespread operations by many Chinese-aligned groups across Asia, Europe, Latin America and the United States. These campaigns include:
• Speccom attacking the Central Asian energy sector in July 2025 using phishing messages to deliver BLOODALCHEMY, kidsRAT, and RustVoralix.
• DigitalRecyclers targeting European organizations with a persistence method based on the Magnifier accessibility tool to obtain SYSTEM privileges.
• FamousSparrow attacking Latin American governments by abusing ProxyLogon flaws to drop SparrowDoor.
• SinisterEye targeting defense, trade, and government organizations in Taiwan, China, Greece, and Ecuador and deploying WinDealer and SpyDealer through adversary-in-the-middle (AitM) attacks.
• PlushDaemon conducting AitM activity in Cambodia to deliver SlowStepper by compromising routers and redirecting DNS traffic through a tool named EdgeStepper.
Rising Attacks on Misconfigured IIS Servers
Threat hunters recently observed a Chinese-speaking group exploiting exposed machine keys on misconfigured IIS servers to deploy a backdoor known as TOLLBOOTH, also referred to as HijackServer. According to Elastic Security Labs, this operation has affected hundreds of servers in various countries, especially in India and the United States.
The attackers use their initial foothold to deploy the Godzilla web shell, execute GotoHTTP, run Mimikatz for credential theft, and install HIDDENDRIVER, a modified version of the open-source Hidden rootkit.
French cybersecurity analysts noted that although these operators often act in support of search engine optimization tasks, the deployed module also creates a persistent and unauthenticated channel that gives remote command execution capabilities to any party.