🔴 HIGH | apt

China-Linked APT41 Espionage - U.S. Policy Nonprofit Hit

China-linked APT41 espionage activity against a U.S. policy-focused nonprofit shows how Beijing-aligned actors pursue long-term access to institutions that shape government decision-making. According to Symantec, the attackers first scanned an exposed server on April 5, 2025 with exploits for Log4j, Atlassian Confluence OGNL injection (CVE-2022-26134), the Apache Struts REST plugin (CVE-2017-9805), and GoAhead web server (CVE-2017-17562), then returned on April 16 to conduct reconnaissance and establish persistence. All four are years-old, patched vulnerabilities, which is why opportunistic scanning for them still pays off against poorly maintained internet-facing hosts.

The intrusion chain relied on DLL sideloading: the legitimate, signed VipreAV component vetysafe.exe was dropped alongside a malicious sbamres.dll so that the binary's normal library search loaded the attacker's code. The same pairing has previously been linked to Space Pirates and Earth Longzhi, two groups whose tooling and activity overlap with APT41. For persistence, the operators created an hourly scheduled task under \Microsoft\Windows\Ras that invoked msbuild.exe as SYSTEM to execute an outbound.xml project file, likely using MSBuild's inline-task feature to inject code into the spawned csc.exe compiler process, which then called out to command-and-control at 38.180.83[.]166. Symantec also observed DCSync-like behavior and use of the Imjpuexc binary, indicating attempts to target domain controllers and replicate directory data (including credential material) for broader lateral movement.

Although operations ceased after April 16, the campaign demonstrates persistent interest in U.S. organizations that influence foreign policy toward China, and underscores that think tanks and NGOs remain high-value espionage targets alongside government agencies.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: China-linked APT41 espionage against a U.S. policy nonprofit reinforces that advocacy groups, research institutes, and NGOs with policy influence face the same long-term intrusion risks as government ministries. Access to internal debates, draft reports, and contact networks creates strategic intelligence value that can shape diplomatic negotiations and economic policy, with potential spillover into partner organizations and donors.

Technical Context: The campaign chains internet-facing exploits, including CVE-2022-26134 and CVE-2017-9805, with DLL sideloading of sbamres.dll via the signed vetysafe.exe, a pattern linked to Deed RAT operations by Space Pirates and to Earth Longzhi, both of which overlap with APT41 tooling. The attackers use msbuild.exe and an outbound.xml project file to inject code into csc.exe, maintain hourly persistence through a scheduled task, and reach external C2 infrastructure, while DCSync-like replication requests signal an effort to extract Active Directory credential material and pivot across the environment.

Strategic Intelligence Guidance

  • Inventory and harden all internet-facing services at NGOs and policy institutions, prioritizing patching for legacy vulnerabilities such as CVE-2022-26134, CVE-2017-9805, and CVE-2017-17562 that continue to feature in Chinese APT playbooks despite fixes having been available for years.
  • Deploy application control and command-line monitoring on servers and workstations, not only domain controllers, to flag anomalous msbuild.exe and csc.exe execution (especially from scheduled tasks or with network activity) and signed security-product binaries such as vetysafe.exe loading DLLs from user-writable directories.
  • Implement strict tiered administration for Active Directory, limiting accounts with the DS-Replication-Get-Changes rights that DCSync depends on, and continuously alerting on replication-like activity (Security Event ID 4662 exercising those rights) from any principal other than a known domain controller.
  • Formalize threat hunting procedures tuned to China-linked tradecraft, including scheduled task creation under unusual paths such as \Microsoft\Windows\Ras, use of VipreAV components outside their install location, and outbound connections from build or compiler tooling to rarely used IP ranges.
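The hunting checks in the guidance above, applied to the chain described in this report (msbuild.exe scheduled task, csc.exe beaconing, vetysafe.exe sideloading sbamres.dll, DCSync-like replication), as an added example that is not Symantec's code or part of the original page. It runs over a constructed sample of Windows Security and Sysmon-style events; the event field names, host names, the VIPRE install path, the service account, and the set of known domain controllers are all assumptions made for the demonstration. The replication extended-right GUIDs are the real, well-known values.

```python
import ipaddress

# Extended-right GUIDs exercised during AD replication; DCSync requests these (well-known values).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
KNOWN_DCS = {"dc01", "dc02"}        # assumed: the only machine accounts allowed to replicate
SIDELOAD_HOSTS = {"vetysafe.exe"}   # signed security-product binary abused as a sideloading host
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample telemetry (not real logs). Security 4698 = task created, 4662 = object
# access; Sysmon 1 = process create, 3 = network connect, 7 = image load.
SAMPLE_EVENTS = [
    {"event_id": 4698, "host": "web01", "task_name": r"\Microsoft\Windows\Ras\Update",
     "task_content": r"<Exec><Command>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe</Command>"
                     r"<Arguments>C:\ProgramData\outbound.xml</Arguments></Exec><UserId>S-1-5-18</UserId>"},
    {"event_id": 1, "host": "web01", "pid": 4312, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 1, "host": "web01", "pid": 4400, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe"},
    {"event_id": 3, "host": "web01", "pid": 4400, "dest_ip": "38.180.83.166", "dest_port": 443,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"event_id": 7, "host": "web01", "image": r"C:\ProgramData\vetysafe.exe",
     "image_loaded": r"C:\ProgramData\sbamres.dll", "signed": "false"},
    {"event_id": 7, "host": "web01", "image": r"C:\Program Files\VIPRE\vetysafe.exe",  # benign (assumed install dir)
     "image_loaded": r"C:\Program Files\VIPRE\sbamres.dll", "signed": "true"},
    {"event_id": 4662, "host": "dc01", "subject": r"CORP\svc_backup",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"event_id": 4662, "host": "dc01", "subject": r"CORP\DC02$",  # benign DC-to-DC replication
     "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt_msbuild_task(ev, procs):
    """4698: a scheduled task whose action runs msbuild.exe on an XML project file as SYSTEM."""
    if ev["event_id"] != 4698:
        return None
    body = ev["task_content"].lower()
    if "msbuild.exe" in body and ".xml" in body and "<userid>s-1-5-18</userid>" in body:
        return f"task {ev['task_name']} runs msbuild.exe as SYSTEM"
    return None


def hunt_csc_beacon(ev, procs):
    """Sysmon 3: the C# compiler talking to a non-private address; reports who spawned it."""
    if ev["event_id"] != 3 or _base(ev["image"]) != "csc.exe":
        return None
    ip = ipaddress.ip_address(ev["dest_ip"])
    if ip.is_private or ip.is_loopback:
        return None
    parent = _base(procs.get((ev["host"], ev["pid"]), {}).get("parent_image", "unknown"))
    return f"csc.exe (parent {parent}) connected to {ip}:{ev['dest_port']}"


def hunt_sideload(ev, procs):
    """Sysmon 7: a known sideloading host loading an unsigned DLL or one outside trusted install dirs."""
    if ev["event_id"] != 7 or _base(ev["image"]) not in SIDELOAD_HOSTS:
        return None
    dll = ev["image_loaded"]
    if ev.get("signed") != "true" or not dll.lower().startswith(TRUSTED_DIRS):
        return f"{_base(ev['image'])} loaded {dll} (signed={ev.get('signed')})"
    return None


def hunt_dcsync(ev, procs):
    """4662: replication extended rights exercised by anything other than a known DC machine account."""
    if ev["event_id"] != 4662:
        return None
    guids = {g.strip("{}").lower() for g in ev["properties"].split()} & REPLICATION_GUIDS
    if not guids:
        return None
    account = ev["subject"].rsplit("\\", 1)[-1]
    if account.endswith("$") and account[:-1].lower() in KNOWN_DCS:
        return None
    return f"replication rights {sorted(guids)} used by {ev['subject']}"


RULES = (hunt_msbuild_task, hunt_csc_beacon, hunt_sideload, hunt_dcsync)


def run_hunt(events):
    """Apply every rule to every event; returns (rule, host, detail) tuples in event order."""
    procs = {(e["host"], e["pid"]): e for e in events if e["event_id"] == 1}  # process tree for parent lookups
    findings = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev, procs)
            if detail:
                findings.append((rule.__name__, ev["host"], detail))
    return findings


if __name__ == "__main__":
    for rule, host, detail in run_hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

The four rules deliberately key on behavior rather than on the single C2 address or DLL name: any SYSTEM task driving msbuild.exe, any compiler process reaching the internet, any sideloading host loading from a user-writable path, and any non-DC principal exercising replication rights. Tune KNOWN_DCS and TRUSTED_DIRS to the environment before relying on the benign filters.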

CVEs

CVE-2022-26134, CVE-2017-9805, CVE-2017-17562

Vendors

Broadcom, Symantec, VipreAV

Threats

APT41, Space Pirates, Earth Longzhi, Deed RAT, China-linked hackers

Targets

U.S. policy-focused nonprofit, U.S. organizations influencing government policy