A China-linked threat actor targeted a U.S. non-profit organization in a strategic cyber campaign aimed at long-term persistence and influence over U.S. policy discussions. The intrusion involved scanning for exploitable vulnerabilities, establishing persistence, and deploying sophisticated malware, and it reflects ongoing Chinese cyber activity affecting various sectors worldwide. #SaltTyphoon #Kelp
Key points
- A Chinese threat actor conducted a multi-week intrusion into a U.S. non-profit organization to influence policy.
- The attackers exploited known vulnerabilities like CVE-2022-26134 and CVE-2021-44228 during their initial scans.
- Persistence was established via scheduled tasks that enabled continuous command-and-control communication using custom loaders.
- Methods included DLL side-loading, adversary-in-the-middle (AITM) attacks, and leveraging publicly exposed IIS servers with web shells such as TOLLBOOTH.
- Related Chinese hacking groups continue to target sectors globally, including energy, government, and defense, with evolving tactics.
Read More: https://thehackernews.com/2025/11/from-log4j-to-iis-chinas-hackers-turn.html