The Chinese state-sponsored cyber group TA415 has refined its tactics by using legitimate cloud platforms such as Google Sheets and Google Calendar to manage command and control communications. These updated methods have been observed in recent attacks targeting U.S. government agencies, think tanks, and academic institutions.
During July and August 2025, TA415 carried out spearphishing campaigns that used themes related to U.S.-China economic relations. The group impersonated high-profile individuals, including the Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party.
Also known as APT41, Brass Typhoon, and Wicked Panda, TA415 has shifted away from traditional malware delivery. Instead, it now relies on legitimate development tools to carry out its operations. The group’s recent campaigns have consistently used trusted services to build command and control infrastructure, making their activities harder to detect by blending in with normal network traffic.
This strategy presents a major challenge for cybersecurity defenses, which must now distinguish between genuine business communications and covert command channels. Researchers at Proofpoint found that TA415’s recent efforts were focused on gathering intelligence about U.S.-China economic developments. These efforts appear to align with ongoing geopolitical tensions and trade negotiations.
The timing of these attacks is notable, as they occurred alongside key policy discussions involving U.S.-Taiwan relations and sanctions targeting China. This suggests that the group may be responding to intelligence demands from high-level decision makers.
TA415’s infection method involves sending password-protected archive files through cloud-sharing platforms such as Zoho WorkDrive, Dropbox, and OpenDrive. These archives typically contain Microsoft Shortcut files and hidden components stored in concealed macOS subfolders.
To further protect their operations, the group uses Cloudflare WARP VPN services to mask sender IP addresses during email delivery. This adds another layer of operational security to their campaigns.
Infection Chain Breakdown
TA415’s infection process shows a deep understanding of legitimate development environments. It uses Visual Studio Code Remote Tunnels to maintain access. When the malicious shortcut file is opened, it runs a batch script called logon.bat. This script then launches the WhirlCoil Python loader using an embedded Python package.
WhirlCoil uses advanced obfuscation techniques, including visually confusable variable and function names built from repeated I and l characters, such as IIIllIIIIlIlIIlIII, to avoid detection by static analysis tools.
The loader downloads the Visual Studio Code Command Line Interface from Microsoft’s official sources and installs it in the local application data folder. It then sets up scheduled tasks with names such as GoogleUpdate, GoogleUpdated, or MicrosoftHealthcareMonitorNode to maintain persistence.
The script runs a command of the form code.exe tunnel user login --provider github --name to create a GitHub-authenticated remote tunnel. This allows the attackers to maintain access without relying on components that traditional malware signatures would catch.
System data collected includes Windows version, locale, computer name, username, and domain information. This data is sent via POST requests to free logging services like requestrepo.com.
The stolen information is combined with verification codes from Visual Studio Code Remote Tunnels. This enables the attackers to authenticate remote sessions and execute commands through the integrated terminal interface in Visual Studio Code.
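As an added example (not from the original article or from Proofpoint's research), the Python snippet below checks constructed endpoint telemetry for the chain stages described above: the logon.bat launch, the code.exe tunnel login, the scheduled task names, and the POST to requestrepo.com. The event schema, the folder path under the local application data directory, and every sample record are assumptions made for the example.

```python
import re

# Indicators are the ones described in the infection chain above; the
# event format and every sample record below are constructed for this example.
PERSISTENCE_TASK_NAMES = {"GoogleUpdate", "GoogleUpdated", "MicrosoftHealthcareMonitorNode"}
VSCODE_TUNNEL_CMD = re.compile(r'code\.exe"?\s+tunnel\b', re.IGNORECASE)
FREE_LOGGING_HOSTS = {"requestrepo.com"}


def classify_event(event):
    """Return the infection-chain stages a single telemetry event matches."""
    hits = []
    kind = event.get("type")
    cmdline = event.get("cmdline", "")
    if kind == "process" and "logon.bat" in cmdline.lower():
        hits.append("logon_bat_launch")       # LNK -> batch script stage
    if kind == "process" and VSCODE_TUNNEL_CMD.search(cmdline):
        hits.append("vscode_tunnel_login")    # code.exe tunnel user login ...
    if kind == "scheduled_task" and event.get("task_name") in PERSISTENCE_TASK_NAMES:
        hits.append("persistence_task")       # exact-name match; see e6 below
    if (kind == "http" and event.get("method") == "POST"
            and event.get("host", "").lower() in FREE_LOGGING_HOSTS):
        hits.append("system_info_exfil")      # host data POSTed to a free logging service
    return hits


def scan(events):
    """Map event id -> matched stages, keeping only events that matched something."""
    findings = {}
    for event in events:
        hits = classify_event(event)
        if hits:
            findings[event["id"]] = hits
    return findings


# Constructed sample telemetry: four events from the chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process", "cmdline": r'cmd.exe /c "E:\archive\logon.bat"'},
    {"id": "e2", "type": "scheduled_task", "task_name": "GoogleUpdated"},
    {"id": "e3", "type": "process",  # install path under %LOCALAPPDATA% is an assumed example
     "cmdline": r'"C:\Users\u\AppData\Local\vscode-cli\code.exe" tunnel user login --provider github --name host-01'},
    {"id": "e4", "type": "http", "method": "POST", "host": "requestrepo.com"},
    {"id": "e5", "type": "process", "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" --new-window'},
    {"id": "e6", "type": "scheduled_task", "task_name": "GoogleUpdateTaskMachineCore"},  # legitimate Google task
]

if __name__ == "__main__":
    for event_id, stages in scan(SAMPLE_EVENTS).items():
        print(event_id, stages)
```

The benign records e5 (an ordinary VS Code launch) and e6 (the real Google updater task) produce no findings, which is the point of matching on the tunnel subcommand and on exact task names rather than on code.exe or the GoogleUpdate prefix alone.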