China-linked Actors Maintain Focus on Organizations Influencing U.S. Policy

China-linked APT actors combined mass scans for known exploits with a multi-stage intrusion in April 2025 to establish persistent, stealthy access to a U.S. organization, employing DLL sideloading (vetysafe.exe -> sbamres.dll), legitimate binaries (msbuild.exe, Imjpuexc), scheduled tasks, a custom loader, and DCSync-like activity. #APT41 #Kelp #SpacePirates #Dcsync #DeedRAT

Keypoints

  • Multiple China-linked groups (including APT41, Kelp, Space Pirates) are associated with the tooling and techniques observed in the April 2025 intrusion.
  • Initial activity began with mass internet-facing scans on April 5, 2025, attempting exploits like CVE-2022-26134, CVE-2021-44228, CVE-2017-9805, and CVE-2017-17562.
  • On April 16, attackers validated connectivity with numerous curl commands, enumerated network connections with netstat, and probed an internal host (192.0.0.88) before escalating activity.
  • Persistence was achieved by creating a high-privileged scheduled task that invoked msbuild.exe to execute outbound.xml, subsequently injecting code and contacting a malicious C2 (hxxp://38.180.83[.]166/6CDF0FC26CDF0FC2).
  • Attackers used DLL sideloading via a signed VipreAV component (vetysafe.exe) to load sbamres.dll, a technique previously linked to Space Pirates, Kelp, and APT41 subgroups and associated with Deed RAT and its variants.
  • A custom loader (SHA256 f52b86b5…) was executed to decrypt and load a payload into memory, likely a RAT, while DCSync-like activity targeted domain controller replication to harvest credentials.
  • Imjpuexc (a legitimate input method executable) and other legitimate binaries (msbuild.exe, msascui.exe) were abused, highlighting living-off-the-land tactics to evade detection.

MITRE Techniques

  • [T1592] Active Scanning – Attackers performed mass scans against servers attempting exploits such as Atlassian OGNL Injection (CVE-2022-26134), Log4j (CVE-2021-44228), Apache Struts (CVE-2017-9805), and GoAhead RCE (CVE-2017-17562) – “a mass scan was performed against a server attempting various well-known exploits …”
  • [T1071.001] Web Protocols – Use of curl commands to test internet connectivity and reach internal candidate hosts (e.g., multiple curl -I -k calls to google.com, microsoft.com, and 192.0.0.88) – “these were used to test internet connectivity, before pinging internal systems”
  • [T1049] System Network Connections Discovery – Execution of netstat to list active connections and associated processes to identify network communications of interest – “the attackers executed the Windows command-line tool netstat to collect network configuration information”
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Creation of a persistent scheduled task (MicrosoftWindowsRasOutbound) running as SYSTEM to execute msbuild.exe and an outbound XML every 60 minutes – “schtasks /create /tn MicrosoftWindowsRasOutbound … /sc minute /mo 60 /ru system”
  • [T1218] Signed Binary Proxy Execution – Abuse of legitimate signed binaries (msbuild.exe, vetysafe.exe, Imjpuexc) to execute attacker-controlled code, including DLL sideloading of sbamres.dll – “a legitimate VipreAV component (vetysafe.exe) was used by the attackers for DLL-sideloading to install a loader (sbamres.dll)”
  • [T1105] Ingress Tool Transfer – A custom loader (SHA256 …) was executed with an encrypted file passed on the command line, which it decrypted and loaded into memory – “a custom loader … was executed, passing an encrypted file on the command line, which is decrypted and loaded into memory.”
  • [T1003.005] OS Credential Dumping: DCSync – Use of a Dcsync-like tool to impersonate a domain controller and request replication data via MS-DRSR to obtain credentials – “a likely version of Dcsync – a tool used to pretend to be a domain controller … to get user credentials via the MS Directory Replication Service Remote Protocol”
  • [T1574.001] DLL Search Order Hijacking – DLL sideloading technique where a legitimate application launches and loads a malicious DLL payload (vetysafe.exe -> sbamres.dll) – “DLL sideloading is a technique where the attackers use the DLL search order mechanism … to invoke a legitimate application that executes a malicious DLL payload.”
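The behaviours listed in the Keypoints and MITRE Techniques sections above can be turned into host-level detections. The following is an added example written for this summary; it is not code from the report or from the vendor, and it runs over constructed log records whose field names (cmdline, image, loaded_dll, event_id, subject, properties) are assumptions that must be mapped to your own telemetry schema. It flags the four indicators a defender can most cheaply hunt for: a SYSTEM-level scheduled task whose action is msbuild.exe, the signed vetysafe.exe loading sbamres.dll from a user-writable directory, repeated curl -I -k probing of a single host, and a 4662 replication request from an account that is not a domain controller (the replication-rights GUIDs are the real Active Directory values).

```python
"""Detections for the tradecraft described above (added example; sample data is constructed)."""
import re
from collections import Counter

# Control-access rights a DCSync request needs (real AD extended-right GUIDs).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# Accounts legitimately allowed to replicate; assumed DC machine accounts for this example.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}


def check_scheduled_task(cmdline: str) -> bool:
    """schtasks /create running as SYSTEM whose action launches msbuild.exe."""
    c = cmdline.lower()
    return "schtasks" in c and "/create" in c and "/ru system" in c and "msbuild.exe" in c


def check_dll_sideload(event: dict) -> bool:
    """Known-abused signed host (vetysafe.exe) loading sbamres.dll from a Documents folder."""
    image = event.get("image", "").lower()
    loaded = event.get("loaded_dll", "").lower()
    return image.endswith("\\vetysafe.exe") and loaded.endswith("\\sbamres.dll") and "\\documents\\" in loaded


def check_dcsync(event: dict) -> bool:
    """Event 4662 requesting replication rights from a subject that is not a domain controller."""
    if event.get("event_id") != 4662:
        return False
    guids = set(re.findall(r"[0-9a-f-]{36}", event.get("properties", "").lower()))
    return bool(guids & REPLICATION_GUIDS) and event.get("subject") not in DOMAIN_CONTROLLERS


def curl_probe_targets(cmdlines, threshold: int = 3) -> set:
    """Hosts hit by at least `threshold` 'curl -I ...' calls, i.e. repeated connectivity probing."""
    hits = Counter()
    for c in cmdlines:
        m = re.match(r"\s*curl\s+(?:-\S+\s+)*(?:https?://)?([\w.\-]+)", c, re.I)
        if m and "-i" in c.lower().split():
            hits[m.group(1).lower()] += 1
    return {host for host, n in hits.items() if n >= threshold}


# Constructed telemetry modelled on the reported sequence; not taken from the report.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "curl -I -k google.com"},
    {"type": "process", "cmdline": "curl -I -k microsoft.com"},
    {"type": "process", "cmdline": "curl -I -k 192.0.0.88"},
    {"type": "process", "cmdline": "curl -I -k 192.0.0.88"},
    {"type": "process", "cmdline": "curl -I -k 192.0.0.88"},
    {"type": "process", "cmdline": "netstat -ano"},
    {"type": "process", "cmdline": 'schtasks /create /tn MicrosoftWindowsRasOutbound '
                                   '/tr "msbuild.exe C:\\Users\\u\\Documents\\outbound.xml" '
                                   '/sc minute /mo 60 /ru system'},
    {"type": "imageload", "image": "C:\\Users\\u\\Documents\\vetysafe.exe",
     "loaded_dll": "C:\\Users\\u\\Documents\\sbamres.dll"},
    {"type": "imageload", "image": "C:\\Program Files\\VIPRE\\vetysafe.exe",   # benign install path
     "loaded_dll": "C:\\Program Files\\VIPRE\\sbamres.dll"},
    {"type": "security", "event_id": 4662, "subject": "DC02$",               # legitimate replication
     "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"type": "security", "event_id": 4662, "subject": "jsmith",              # DCSync-like request
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def run_detections(events) -> list:
    """Return (rule, detail) findings; per-event rules first, then the aggregate curl rule."""
    findings = []
    for e in events:
        if e.get("type") == "process" and check_scheduled_task(e["cmdline"]):
            findings.append(("scheduled task via msbuild.exe", e["cmdline"]))
        elif e.get("type") == "imageload" and check_dll_sideload(e):
            findings.append(("DLL sideload vetysafe.exe -> sbamres.dll", e["loaded_dll"]))
        elif e.get("type") == "security" and check_dcsync(e):
            findings.append(("DCSync-like replication request", e["subject"]))
    cmdlines = [e["cmdline"] for e in events if e.get("type") == "process"]
    for host in sorted(curl_probe_targets(cmdlines)):
        findings.append(("repeated curl probing", host))
    return findings


if __name__ == "__main__":
    for rule, detail in run_detections(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The curl rule is aggregate rather than per-event because a single curl is routine; the three-call threshold is a starting point to tune against your baseline. The sideload rule deliberately ignores the same DLL pair under Program Files, since the report's point is the signed host being staged in a user Documents path, and the DCSync rule keys on the extended-right GUIDs rather than a tool hash so that renamed or recompiled variants are still caught.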

Indicators of Compromise

  • [File Hash] Malicious and suspicious binaries – f52b86b599d7168d3a41182ccd89165e0d1f2562aa7363e0718d502b7e3fcb69 (custom loader), 51ffcff8367b5723d62b3e3108e38fb7cbf36354e0e520e7df7c8a4f52645c4d (Imjpuexc)
  • [File Hash] DLLs and payloads – 99a0b424bb3a6bbf60e972fd82c514fd971a948f9cedf3b9dc6b033117ecb106 (sbamres.dll, linked to Space Pirates), dae63db9178c5f7fb5f982fbd89683dd82417f1672569fef2bbfef83bec961e2 (Dcsync)
  • [File Name] Legitimate components abused – csidl_profile\documents\vetysafe.exe (VipreAV component used for DLL sideloading), csidl_profile\documents\msoutbound (executed via msbuild)
  • [Domain/URL] Command-and-control – hxxp://38.180.83[.]166/6CDF0FC26CDF0FC2 (observed C2 endpoint)
  • [IP Address] Internal target observed – 192.0.0.88 (internal host probed repeatedly via curl), and scanning activity against various internet hosts

Read more: https://www.security.com/threat-intelligence/china-apt-us-policy