Chinese Cyberactors Who Impersonated Lawmaker Part of Indicted Group: Researchers

Cybersecurity researchers with Proofpoint on Sept. 16 detailed a spearphishing campaign that targeted the U.S. government, a think tank, and academic organizations, which aligns with activity the House Select Committee on the Chinese Communist Party (CCP) disclosed recently.

The Chinese state-backed malicious cyberactor group TA415 overlaps with what other researchers track as APT41, Brass Typhoon, or Wicked Panda—a group whose members have been charged by the Justice Department for hacks into more than 100 U.S. companies.

Proofpoint researchers confirmed TA415 impersonated the committee chair, Rep. John Moolenaar (R-Mich.), as well as the U.S.–China Business Council in correspondence with trusted contacts.

The impersonators tried to “target a range of individuals and organizations predominantly focused on U.S.-China relations, trade, and economic policy,” according to a Proofpoint blog post, with the goal of establishing remote access to the targets’ devices without the use of malware.

TA415’s other recent campaigns tracked by Proofpoint have also been spearphishing campaigns that use legitimate services, like Google Sheets and Google Calendar, instead of malware, researchers said. “This is likely a concerted effort from TA415 to blend in with existing legitimate traffic to these trusted services.”

The targets “specialized in international trade, economic policy, and U.S.-China relations,” the researchers said. The campaign appears to have begun in July and continued through August.

Some of the emails impersonating Moolenaar invited targets to click on a link that purportedly led to a proposed piece of legislation, requesting their insight.

Others that appeared to come from the U.S.–China Business Council appeared to invite targets to a closed-door briefing on U.S.–Taiwan and U.S.–China affairs.

The activity is similar to campaigns run by TA415 in 2024 that used malware instead, the researchers said.

In this case, targets who clicked on the links would have downloaded a password-protected archive containing a corrupted decoy PDF document along with other files that created a scheduled task named something like GoogleUpdate or MicrosoftHealthcareMonitorNode.

That task would establish remote access to the targets’ devices for the malicious cyberactors and collect system information and the contents of user directories.
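The persistence step described above, a scheduled task that borrows the name of a well-known updater, is something defenders can triage from task-creation telemetry. The following is an added example, not code from the Proofpoint report or from this article. It scans constructed scheduled-task records (the fields loosely follow what Windows records when a task is created, but the records themselves are made up) and separates a vendor updater from a look-alike by where the task's action actually runs from: genuine updaters install under Program Files or the Windows directory, while a task that merely copies the name and runs from a user-writable location such as AppData or Temp is flagged. The two task names come from the article; the directory heuristics and the sample records are assumptions made for the example.

```python
"""Triage scheduled-task creation records for look-alike persistence.

Added example, not code from the Proofpoint report or the article. The records
below are constructed: their fields loosely follow what Windows logs when a task
is created (task name, registering account, the command the action runs). The
heuristic is an assumption about how a defender separates a vendor updater from
a task that only borrows its name: real updaters run from protected install
roots, borrowed names tend to run from user-writable directories.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Task names reported in the article as used by the campaign. They are matched
# as substrings because the report says the names were "something like" these.
LOOKALIKE_NAMES = ("googleupdate", "microsofthealthcaremonitornode")

# Directories an ordinary user can write to (assumption used by the heuristic).
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\",
)

# Install roots a vendor updater is expected to run from (assumption).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass(frozen=True)
class TaskRecord:
    task_name: str   # full task path, e.g. "\GoogleUpdateTaskMachineUA"
    author: str      # account that registered the task
    command: str     # executable (and arguments) the task action runs


def executable_path(command: str) -> str:
    """Return the executable portion of a task action, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def classify(rec: TaskRecord) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'suspicious', 'benign' or 'unrelated'."""
    # Only the leaf name matters; tasks can live in nested Task Scheduler folders.
    name = rec.task_name.rsplit("\\", 1)[-1].lower()
    if not any(marker in name for marker in LOOKALIKE_NAMES):
        return "unrelated", "task name does not resemble a monitored vendor name"

    exe = executable_path(rec.command).lower()
    in_user_writable = any(m in exe for m in USER_WRITABLE_MARKERS)
    if exe.startswith(TRUSTED_ROOTS) and not in_user_writable:
        return "benign", f"vendor-style name backed by a binary under a protected root: {exe}"
    if in_user_writable:
        return "suspicious", f"vendor-style name but action runs from a user-writable path: {exe}"
    return "suspicious", f"vendor-style name with an action outside known install roots: {exe}"


def triage(records: List[TaskRecord]) -> List[Tuple[str, str, str]]:
    """Return (task_name, verdict, reason) for every record that is not 'unrelated'."""
    findings = []
    for rec in records:
        verdict, reason = classify(rec)
        if verdict != "unrelated":
            findings.append((rec.task_name, verdict, reason))
    return findings


# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    # A genuine updater: vendor name, binary under Program Files (x86).
    TaskRecord(r"\GoogleUpdateTaskMachineUA", "SYSTEM",
               r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler'),
    # Same vendor name, but the action runs from the user's roaming profile.
    TaskRecord(r"\GoogleUpdate", r"DESKTOP-01\analyst",
               r"C:\Users\analyst\AppData\Roaming\GoogleUpdate\GoogleUpdate.exe"),
    # The other name from the article, launched from Temp with a script argument.
    TaskRecord(r"\MicrosoftHealthcareMonitorNode", r"DESKTOP-01\analyst",
               r'"C:\Users\analyst\AppData\Local\Temp\node.exe" C:\Users\analyst\AppData\Local\Temp\m.js'),
    # An unrelated built-in task that the heuristic should ignore.
    TaskRecord(r"\Microsoft\Windows\Defrag\ScheduledDefrag", "SYSTEM",
               r"%windir%\system32\defrag.exe -c -h -o -$"),
]


if __name__ == "__main__":
    for task_name, verdict, reason in triage(SAMPLE_RECORDS):
        print(f"{verdict:10} {task_name:40} {reason}")
```

The name alone is a weak signal, since the real Google updater registers tasks whose names begin with GoogleUpdate; pairing the name with the location of the binary the action runs is what lets the benign record pass while the two look-alikes are surfaced for review.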

The researchers published known emails and links used by TA415 in this campaign as well.

“In this case, many of the targeted entities are consistent with known Chinese intelligence collection priorities,” the blog post reads. “However, the timing of TA415’s pivot toward these targets is particularly noteworthy given the ongoing complex evolution of economic and foreign policy relations between China and the United States.”

Moolenaar on Sept. 8 had confirmed Wall Street Journal reports of this campaign, and said in a statement that the committee determined the hackers were from China.

“This is another example of China’s offensive cyber operations designed to steal American strategy and leverage it against Congress, the Administration, and the American people,” Moolenaar said in a statement. “We will not be intimidated, and we will continue our work to keep America safe.”

The committee noted it had seen a similar campaign target staffers in January, in the midst of a confidential investigation into Chinese state-owned port machinery company Shanghai Zhenhua Heavy Industries Company Limited.

According to a federal indictment, the cybergroup operates out of Chengdu, China, and claimed connections to China’s Ministry of State Security, the regime’s spy agency.

From August 2019 to August 2020, hackers with this group penetrated more than 100 targets including telecom providers, social media companies, software development companies, computer hardware manufacturers, critics of the CCP, nonprofits, universities, think tanks, and foreign governments.
