Chinese State-Backed Cyber Operations Target US Trade Policy Groups Amid Rising Tensions
==============================================================================
Chinese state-aligned hackers are actively targeting US trade policy experts as tensions between Washington and Beijing escalate concerning economic relations. According to cybersecurity firm Proofpoint, a Chinese government-affiliated hacking group known as TA415, also referred to as APT41, Wicked Panda, or Brass Typhoon, has been using sophisticated phishing techniques to infiltrate US government agencies, think tanks, and academic institutions.
Deceptive Phishing Campaigns Focused on US-China Trade Relations
------------------------------------------------------------
Proofpoint's researchers observed this group deploying highly targeted phishing emails themed around US-China economic and trade issues. Notably, some emails spoofed the identity of Republican Congressman John Robert Moolenaar, chair of the House Select Committee on the Chinese Communist Party. An example of such an email reads:
> "On behalf of The US-China Business Council (USCBC), we are pleased to extend an invitation to your organization to participate in a closed-door briefing on US-Taiwan and US-China affairs, to be held on August 11, 2025. Due to the sensitive nature of the discussion, the meeting agenda, logistical details, and list of participants are provided in the attached encrypted file."
The emails aimed to lure recipients into opening malicious attachments or engaging with compromised links under the guise of official trade discussions.
Subtle Techniques for Cyberespionage
-----------------------------------
Rather than dropping an obvious malware implant, the attackers relied on methods that blend into normal activity to avoid detection. They delivered password-protected archives containing a Python loader named WhirlCoil and abused legitimate developer tooling, Visual Studio Code Remote Tunnels, to maintain persistence inside compromised networks while mimicking ordinary administrative use. They also routed command-and-control traffic through common cloud services such as Google Sheets and Zoho WorkDrive, so that beaconing looks like everyday SaaS traffic and is harder to single out.
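As an added defensive illustration (not code from Proofpoint's report), the Python below scans constructed, Sysmon-like process-creation events for the VS Code tunnel CLI abuse described above. The event field names are an assumption, and the `code tunnel` / `code tunnel service install` command-line patterns come from the VS Code CLI, not from the page.

```python
"""Flag Visual Studio Code Remote Tunnel launches in process-creation telemetry.

Added example: the `code tunnel` subcommand starts a tunnel and
`code tunnel service install` registers it as a service, which is the
persistence pattern a defender wants to see in endpoint logs.
"""
import json
import ntpath

# Binaries that carry the tunnel CLI (assumption: the standalone CLI is also named code/code.exe).
TUNNEL_BINARIES = {"code.exe", "code"}

# Constructed sample events; the JSON field names are an assumed schema, not a real product's.
SAMPLE_EVENTS = [
    r'{"host":"ws01","user":"jdoe","image":"C:\\Program Files\\Microsoft VS Code\\Code.exe","cmdline":"\"C:\\Program Files\\Microsoft VS Code\\Code.exe\" --unity-launch"}',
    r'{"host":"ws01","user":"jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\code.exe","cmdline":"code.exe tunnel --accept-server-license-terms --name ws01"}',
    r'{"host":"ws02","user":"asmith","image":"C:\\Users\\asmith\\AppData\\Local\\Temp\\code.exe","cmdline":"code.exe tunnel service install --accept-server-license-terms"}',
    r'{"host":"ws02","user":"asmith","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c echo tunnel"}',
]


def _image_name(image: str) -> str:
    # ntpath.basename accepts both "\\" and "/" separators, so Linux paths work as well.
    return ntpath.basename(image).lower()


def classify_event(event: dict):
    """Return (severity, reason) for one event, or None when it looks benign."""
    if _image_name(event.get("image", "")) not in TUNNEL_BINARIES:
        return None  # not the VS Code binary, whatever the arguments say
    tokens = event.get("cmdline", "").lower().split()
    if "tunnel" not in tokens:
        return None  # ordinary editor launch
    after_tunnel = tokens[tokens.index("tunnel") + 1:]
    if "service" in after_tunnel and "install" in after_tunnel:
        return ("high", "VS Code tunnel registered as a service (persistence)")
    return ("medium", "VS Code Remote Tunnel started from the command line")


def detect_vscode_tunnels(raw_lines):
    """Parse JSON-lines events and return one finding per suspicious launch."""
    findings = []
    for line in raw_lines:
        event = json.loads(line)
        verdict = classify_event(event)
        if verdict:
            findings.append({"host": event["host"], "user": event["user"],
                             "severity": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for finding in detect_vscode_tunnels(SAMPLE_EVENTS):
        print(finding)
```

Running it on the constructed events yields two findings: a medium-severity tunnel launch on ws01 and a high-severity service installation on ws02; the GUI launch and the cmd.exe line are ignored.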
Timing and Objectives of the Campaign
-----------------------------------
Proofpoint suggests the timing of these campaigns was strategic, coinciding with key trade negotiations and policy debates in Washington during July and August. The primary goal appeared to be gathering intelligence on US-China economic policies, potential legislative responses, and the trajectory of bilateral relations.
Background and Attribution
------------------------
According to a US government indictment, TA415 is based in Chengdu and previously operated under the name Chengdu 404 Network Technology. Prosecutors allege that the group works as a contractor for China's cyber-operations apparatus, closely linked with other Ministry of State Security (MSS) affiliated entities like I-Soon.
Broader Context of Cyber Espionage
----------------------------
This renewed activity follows warnings from US authorities about ongoing campaigns by Chinese threat actors impersonating officials like Moolenaar to distribute malware among trade policy stakeholders, law firms, and government agencies. These efforts reflect China's persistent appetite for real-time intelligence gathering to influence or respond to ongoing trade negotiations.
Implications
-------------
The operations demonstrate the sophistication and adaptability of Chinese cyber actors, underscoring the need for heightened cybersecurity awareness among US trade and policy professionals amidst evolving geopolitical tensions.
Sources: Proofpoint cybersecurity report, US government indictments, recent advisories on Chinese cyber activities.