A Chinese state-sponsored threat actor known as TA415 has been linked to a string of spearphishing attacks against US government entities, think tanks, and academic institutions in July and August of 2025. The campaign tailored its lures by using US-China economic and trade topics, even impersonating the US-China Business Council and the Chair of the House Select Committee on Strategic Competition to target individuals focused on relations and policy between the two nations.
Emails invited recipients to closed-door briefings and were sent from uschina@zohomail[.]com, with links to archives hosted on Zoho WorkDrive, Dropbox, and OpenDrive. Each archive contained a decoy PDF and a Windows shortcut (LNK) file; opening the shortcut ran a batch script that deployed WhirlCoil, an obfuscated Python loader. WhirlCoil established persistence through a scheduled task and started a Visual Studio Code Remote Tunnel, giving the operators backdoor access to the host and the ability to execute arbitrary commands.[1]
TA415 phishing emails (Source: Proofpoint)
The collected data, including system information and user files, was exfiltrated through request logging services in base64-encoded HTTP POST requests. While early variants downloaded WhirlCoil components from Pastebin and Python.org, the infection chain has remained largely consistent since its first noted use in 2024 against aerospace, insurance, and manufacturing firms.
The continued abuse of Visual Studio Code Remote Tunnels highlights the challenge for defenders: the tunnel is a legitimate, Microsoft-signed developer feature, so its process and its outbound HTTPS traffic blend into normal developer workflows and are hard to detect without monitoring aimed specifically at it, such as alerting on tunnel invocations of the VS Code CLI and on the parent process that launched them. Analysts note that TA415, which overlaps with APT41, has gradually refined this technique over the past year, ramping up activity in recent months as US-China trade negotiations intensify.
APT41, also referred to as Double Dragon, is a prolific Chinese state-sponsored cyber threat group known for conducting both espionage and financially motivated operations. The group has targeted organizations across numerous sectors worldwide, including healthcare, high-tech, telecommunications, and government, often leveraging sophisticated malware and spearphishing techniques. TA415, the focus of this report, is believed to overlap with APT41 in tactics and infrastructure and shows the same ability to adapt its methods for persistent access and data exfiltration.
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a Notification and a Tier I Mitigation service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-38-7/