NEWS Code Editor Turned Spy Tool: A Single Shortcut Can Uncover a Nation's Economic Secrets

ExcalibuR
Negotiations with China haven't even begun, but the US has already lost.

Proofpoint has published an analysis detailing a series of targeted phishing attacks orchestrated by a group linked to Chinese state interests, designated as TA415. The report states that the threat actors targeted U.S. government employees, think tanks, and scientific organizations working on U.S.-China economic relations. They crafted emails impersonating the Chairman of the U.S. House Select Committee on Strategic Competition between the United States and the Chinese Communist Party and the U.S.-China Business Council—all in an attempt to gather intelligence ahead of trade negotiations.

The attacks were recorded in July and August 2025 and used emails with themed invitations to closed-door briefings on Taiwan and trade relations. The emails originated from the address uschina@zohomail[.]com and were further masked using the Cloudflare WARP service to hide the traffic source. Recipients were prompted to download password-protected archives from cloud platforms—Zoho WorkDrive, Dropbox, OpenDrive—which contained an LNK shortcut and a set of hidden files.

The shortcut launched a batch script from a disguised folder while simultaneously showing the user a decoy PDF document. In the background, an obfuscated Python downloader known as WhirlCoil was executed. Previously, similar attack chains downloaded this loader from public paste services or installed the Python package directly from the official Python website. To maintain persistence, the attackers created a scheduled task with names like GoogleUpdate or MicrosoftHealthcareMonitorNode, which launched the downloader every two hours and, if admin rights were present, ran with SYSTEM privileges.

A subsequent module established a persistent Visual Studio Code Remote Tunnel, enabling remote access to the file system and command execution through the VSCode integrated terminal. Collected system information and the contents of user directories were exfiltrated to a free request logging service as a base64 blob in the body of an HTTP POST request. According to Proofpoint, the same technique using a Visual Studio Code tunnel was employed in September 2024 against companies in the aerospace, chemical, and manufacturing sectors.
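The two paragraphs above describe three observable stages of the chain: a scheduled task with a vendor-lookalike name that relaunches a Python downloader every two hours (as SYSTEM when possible), a Visual Studio Code Remote Tunnel started from a script host, and a base64 blob POSTed to a request logging service. The following Python is an added detection example written for this post; it is not code from Proofpoint or from the forum author. The key=value telemetry format, the sample events, and the host name requestlogger.example are constructed placeholders, and the only task names it knows are the two the report mentions.

```python
import base64
import re

# Constructed key=value telemetry lines (not from the Proofpoint report):
# scheduled-task creation, process creation and outbound HTTP records.
SAMPLE_BLOB = base64.b64encode(
    b"hostname=WS-042\nuser=alice\nC:\\Users\\alice\\Documents\\trade-brief.docx\n"
).decode()
SAMPLE_EVENTS = [
    r'type=task_created name="GoogleUpdate" action="C:\Users\Public\python\python.exe C:\Users\Public\w.py" interval=PT2H run_as=SYSTEM',
    r'type=task_created name="OneDrive Standalone Update Task" action="C:\Program Files\OneDrive\OneDriveStandaloneUpdater.exe" interval=P1D run_as=acme\alice',
    r'type=process_created image="C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe" cmdline="code.exe tunnel --accept-server-license-terms" parent=cmd.exe',
    r'type=process_created image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c dir" parent=explorer.exe',
    f'type=http_request method=POST host=requestlogger.example body="{SAMPLE_BLOB}"',
    'type=http_request method=POST host=updates.example body="q=hello"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Task names the report says the attackers used to disguise their scheduled task.
LOOKALIKE_TASK_NAMES = {"googleupdate", "microsofthealthcaremonitornode"}
# Script hosts that a genuine vendor updater task would not normally launch.
INTERPRETERS = ("python", "powershell", "pwsh", "cmd.exe", "wscript", "cscript")
# Placeholder request-logging host; a real hunt would carry a list of such services.
REQUEST_LOGGER_HOSTS = {"requestlogger.example"}
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_event(line):
    """Turn one key=value line into a dict (quoted or bare values)."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}


def interval_minutes(iso):
    """Parse the ISO 8601 repetition interval used by Windows task XML (e.g. PT2H)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", iso or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi = (int(g) if g else 0 for g in m.groups())
    return d * 1440 + h * 60 + mi


def check_scheduled_task(ev):
    name = ev.get("name", "").lower()
    action = ev.get("action", "").lower()
    uses_interpreter = any(i in action for i in INTERPRETERS)
    findings = []
    if name in LOOKALIKE_TASK_NAMES and uses_interpreter:
        findings.append("vendor-lookalike task name launching a script interpreter")
    minutes = interval_minutes(ev.get("interval"))
    if uses_interpreter and minutes is not None and minutes <= 120:
        findings.append("interpreter relaunched every two hours or more often")
    if findings and ev.get("run_as", "").upper() == "SYSTEM":
        findings.append("runs as SYSTEM")
    return findings


def check_process(ev):
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    findings = []
    # "code tunnel" is the VS Code CLI subcommand that opens a Remote Tunnel.
    if image.endswith("code.exe") and re.search(r"\btunnel\b", cmd):
        findings.append("VS Code Remote Tunnel started")
        if ev.get("parent", "").lower() in ("cmd.exe", "python.exe", "powershell.exe"):
            findings.append("tunnel launched from a script host rather than interactively")
    return findings


def check_http(ev):
    findings = []
    if ev.get("method") != "POST":
        return findings
    if ev.get("host", "").lower() in REQUEST_LOGGER_HOSTS:
        findings.append("POST to a request-logging service")
    body = ev.get("body", "")
    if len(body) >= 64 and BASE64_RE.match(body):
        try:
            decoded = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = b""
        # Exfiltrated host/directory listings decode to plain text, not random bytes.
        if decoded and all(32 <= b < 127 or b in (9, 10, 13) for b in decoded):
            findings.append("base64-encoded text body (%d bytes decoded)" % len(decoded))
    return findings


CHECKS = {"task_created": check_scheduled_task,
          "process_created": check_process,
          "http_request": check_http}


def triage(lines):
    """Return (event type, subject, findings) for every line that trips a rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        checker = CHECKS.get(ev.get("type"))
        findings = checker(ev) if checker else []
        if findings:
            subject = ev.get("name") or ev.get("image") or ev.get("host")
            alerts.append((ev["type"], subject, findings))
    return alerts


if __name__ == "__main__":
    for kind, subject, findings in triage(SAMPLE_EVENTS):
        print(f"[{kind}] {subject}: " + "; ".join(findings))
```

Run against the constructed sample, the three malicious records are flagged while the OneDrive task, the interactive cmd.exe and the small form POST pass. Each rule is weak on its own (a developer may legitimately open a tunnel, and many tasks run as SYSTEM), which is why the task check stacks findings and the triage output keeps all of them for an analyst to weigh together.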

Analysts note overlaps in the tactics and tools of TA415 with clusters previously linked to APT41 and Brass Typhoon. They connect this activity to attempts to gain an advantage in ongoing economic negotiations between the U.S. and China. The report emphasizes that the strikes were aimed at trade and economic policy experts, indicating a selection of targets based on their expertise and an intent to gain access to specialized, often non-public information.