China-linked Actors Maintain Focus on Organizations Influencing U.S. Policy
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
Chinese threat actors continue to target U.S. organizations involved in policy issues. A recent intrusion into a non-profit organization active in influencing U.S. government policy on international matters occurred in April 2025. The attackers, likely Chinese-based, used various techniques to establish persistence and maintain long-term network access. They employed DLL sideloading, legitimate tools for malicious purposes, and attempted to compromise domain controllers. The attack chain included mass scanning, network reconnaissance, and the use of tools previously linked to Chinese groups like Space Pirates, Kelp, and APT41. This activity reflects China's ongoing interest in monitoring and influencing U.S. policy, particularly in the current geopolitical climate.
OPENCTI LABELS :
cve-2017-9805,persistence,dll sideloading,apt41,cve-2022-26134,china,espionage,cve-2021-44228,cve-2017-17562,deed rat,domain controllers,space pirates,policy influence,kelp,dcsync
AI COMMENTARY :
1. Introduction The recent report titled China-linked Actors Maintain Focus on Organizations Influencing U.S. Policy highlights a wave of espionage activity aimed at U.S. entities engaged in shaping government decisions on international matters. This campaign, attributed to China-linked threat actors, underscores the strategic value of policy influence as a target and the lengths to which sophisticated actors will go to maintain persistence and control.
2. Background In April 2025, a non-profit organization active in influencing U.S. government policy on global issues became the victim of an intrusion. The attackers, likely based in China, executed a multi-phase operation that began with mass scanning and culminated in deep network infiltration. By exploiting CVE-2017-9805 and CVE-2021-44228 among other vulnerabilities, they established an initial foothold and prepared for long-term access.
3. Attack Chain The adversaries initiated the incident with mass scanning across public-facing infrastructure before conducting internal reconnaissance to map the network architecture. They leveraged legitimate administrative tools for credential harvesting, then deployed DLL sideloading techniques to inject malicious code into trusted processes. An attempt to compromise domain controllers through DCSync operations demonstrated their intent to capture credentials at scale and move laterally without raising immediate alarms.
4. Techniques and Tools Throughout the intrusion, the threat actors employed a blend of custom malware and established frameworks associated with Chinese groups. They used Deed RAT for remote control, exploited CVE-2022-26134 to escalate privileges, and relied on CVE-2017-17562 for supplemental payload delivery. DLL sideloading allowed them to bypass application whitelisting, while legitimate scripting utilities facilitated automated reconnaissance and data exfiltration tasks.
5. Attribution to Known Groups Analysis of command and control infrastructure and toolsets reveals links to Space Pirates, Kelp, and APT41. Indicators such as specific encryption routines, infrastructure naming conventions, and characteristic persistence mechanisms align closely with prior campaigns. These connections reinforce the pattern of Chinese espionage efforts targeting policy influence networks.
6. Strategic Implications This activity illustrates China’s sustained interest in monitoring and shaping U.S. policy debates. By compromising organizations that influence legislative or regulatory outcomes, threat actors can access sensitive strategic discussions and adapt their own geopolitical strategies. The convergence of espionage and policy manipulation elevates the risk to national interests and underscores the need for vigilant defense.
7. Mitigation and Recommendations Organizations should prioritize patching known vulnerabilities including CVE-2017-9805 and CVE-2021-44228, implement robust monitoring for DLL sideloading, and deploy threat hunting for anomalous DCSync requests. Enforcing least-privilege access, conducting regular credential audits, and maintaining updated threat intelligence feeds will strengthen resilience against future campaigns. Collaboration between public and private sectors remains critical to detect, share, and respond to evolving tactics employed by China-linked actors.
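The recommendation to hunt for anomalous DCSync requests can be turned into a concrete check. The following is an added illustrative example, not code from the report or from NetmanageIT: it scans Windows Security event 4662 (directory service object access) records for the replication control-access rights that a DCSync request exercises and flags any requesting account that is not an expected replicator. The replication right GUIDs and the 0x100 control-access mask are the standard Active Directory values; the flattened key=value log format, the sample records and the allowlist of trusted replication accounts are constructed assumptions for the example.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Control-access right GUIDs that appear in the Properties field of Windows
# Security event 4662 when an account requests directory replication. A full
# DCSync needs Get-Changes plus Get-Changes-All (the latter returns secrets).
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL, DS_REPL_GET_CHANGES_FILTERED}
CONTROL_ACCESS_MASK = "0x100"  # AccessMask value for a control-access right check


@dataclass
class DcsyncAlert:
    computer: str      # domain controller that logged the event
    subject: str       # account that requested replication
    rights: Set[str]   # replication GUIDs present in the request
    severity: str      # "high" when Get-Changes-All (secrets) was requested


def parse_kv_line(line: str) -> Dict[str, str]:
    """Split a constructed 'key=value key="quoted value"' line into a dict."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def find_dcsync(lines: Iterable[str], trusted_replicators: Iterable[str]) -> List[DcsyncAlert]:
    """Alert on every 4662 replication request made by an account outside the allowlist."""
    trusted = {name.lower() for name in trusted_replicators}
    alerts: List[DcsyncAlert] = []
    for line in lines:
        ev = parse_kv_line(line)
        if ev.get("EventID") != "4662" or ev.get("AccessMask", "").lower() != CONTROL_ACCESS_MASK:
            continue
        requested = {g.strip().lower() for g in ev.get("Properties", "").split(";")}
        rights = requested & REPLICATION_GUIDS
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.lower() in trusted:
            continue  # domain controllers replicate with each other constantly; that is the baseline
        severity = "high" if DS_REPL_GET_CHANGES_ALL in rights else "medium"
        alerts.append(DcsyncAlert(ev.get("Computer", ""), subject, rights, severity))
    return alerts


# Constructed sample records (not real logs): a flattened view of the 4662
# fields a SIEM would expose. Only the third and fourth lines should alert.
SAMPLE_EVENTS = [
    'Computer=DC01.corp.example EventID=4662 SubjectUserName="DC02$" AccessMask=0x100 '
    'Properties="1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"',
    'Computer=DC01.corp.example EventID=4624 SubjectUserName="jsmith" LogonType=3',
    'Computer=DC01.corp.example EventID=4662 SubjectUserName="jsmith" AccessMask=0x100 '
    'Properties="1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"',
    'Computer=DC01.corp.example EventID=4662 SubjectUserName="svc_backup" AccessMask=0x100 '
    'Properties="1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"',
    'Computer=DC01.corp.example EventID=4662 SubjectUserName="jsmith" AccessMask=0x10 '
    'Properties="bf967aba-0de6-11d0-a285-00aa003049e2"',
]
# Assumed allowlist maintained by the defender: DC computer accounts plus any
# directory-sync service account that legitimately replicates.
TRUSTED_REPLICATORS = {"DC01$", "DC02$", "svc_aadconnect"}

if __name__ == "__main__":
    for a in find_dcsync(SAMPLE_EVENTS, TRUSTED_REPLICATORS):
        print(f"[{a.severity}] {a.subject} requested replication on {a.computer}: {sorted(a.rights)}")
```

The allowlist is the important design choice: replication traffic between domain controllers is constant and benign, so the signal is the requesting identity rather than the right itself. Auditing of directory service access must be enabled on the domain controllers for 4662 to be generated at all, and a Get-Changes-All request from a user or service account that is not in the allowlist warrants immediate investigation of that account's credentials.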