Particle.news

APT41 Used VS Code Tunnels to Compromise U.S. China-Policy Targets, Proofpoint Finds

The activity is attributed to TA415 operators tied to Chengdu 404 in prior U.S. indictments.

Overview

  • Proofpoint detailed July–August spear-phishing that targeted U.S. government officials, think-tank analysts, and academics focused on U.S.–China trade and policy.
  • Emails impersonated the U.S.-China Business Council and Rep. John Moolenaar to entice recipients with a closed-door briefing and requests to review draft sanctions legislation.
  • Links led to password-protected archives hosted on cloud services such as Zoho WorkDrive, Dropbox, and OpenDrive; each archive held a decoy PDF alongside an LNK shortcut that launched a batch script.
  • The batch script ran an obfuscated Python loader dubbed WhirlCoil, which installed the VS Code CLI, created scheduled tasks for persistence, and started a VS Code Remote Tunnel authenticated through GitHub.
  • The loader exfiltrated system data and the tunnel's GitHub device-login verification code to a free request-logging site; with that code the operators could attach to the tunnel, giving them remote file access and command execution on the victim host. Cloudflare WARP and the sender address uschina@zohomail[.]com obscured the activity's origin.
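The chain above leaves a recognisable trail in process-creation telemetry: Explorer spawning cmd.exe on a .bat from a downloaded archive, a Python interpreter started by that batch file, schtasks.exe registering a task, and code.exe being run with the `tunnel` subcommand. The following hunt is an added example, not code from Proofpoint or from the original page. It runs over a handful of constructed Sysmon-style events; the hostnames, paths, task name and event layout are assumptions for illustration, and the regexes are generic heuristics rather than indicators taken from the report (the `code tunnel` subcommands, `tunnel user login --provider github` and `--accept-server-license-terms` are real VS Code CLI syntax).

```python
"""Added example: hunt for the LNK -> batch -> Python loader -> schtasks ->
VS Code Remote Tunnel chain in process-creation events. Sample events,
hostnames, paths and task names below are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str


# Heuristic patterns for each stage of the chain (assumptions, not report IOCs).
TUNNEL_RE = re.compile(r"\bcode(?:\.exe)?\b.*\btunnel\b", re.I)
TUNNEL_LOGIN_RE = re.compile(r"\btunnel\s+user\s+login\b.*--provider\s+github", re.I)
SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*/create\b", re.I)
BATCH_RE = re.compile(r"\.(?:bat|cmd)\b", re.I)
PYTHON_RE = re.compile(r"\bpython(?:w)?(?:\.exe)?\b", re.I)


def classify(ev: ProcEvent) -> list[str]:
    """Return the chain stages a single event matches (possibly several or none)."""
    tags = []
    cmd = ev.cmdline
    # An LNK opened from Explorer that runs a .bat/.cmd file.
    if ev.parent_image.lower().endswith("explorer.exe") and BATCH_RE.search(cmd):
        tags.append("lnk_batch")
    # The batch script hands off to a Python loader.
    if PYTHON_RE.search(ev.image) or PYTHON_RE.search(cmd):
        tags.append("python_loader")
    # Scheduled-task persistence, flagged harder when the task runs the loader or tunnel.
    if SCHTASKS_RE.search(cmd):
        tags.append("schtasks_persistence")
        if TUNNEL_RE.search(cmd) or PYTHON_RE.search(cmd):
            tags.append("schtasks_runs_loader_or_tunnel")
    # VS Code CLI tunnel, and the GitHub device-login step that authorises it.
    if TUNNEL_RE.search(cmd):
        tags.append("vscode_tunnel")
        if TUNNEL_LOGIN_RE.search(cmd):
            tags.append("github_tunnel_auth")
    return tags


def hunt(events: list[ProcEvent]) -> dict[str, dict]:
    """Collect stage hits per host; a tunnel alone is normal developer activity,
    a tunnel plus persistence or a Python loader is worth an analyst's time."""
    per_host: dict[str, set[str]] = {}
    for ev in events:
        for tag in classify(ev):
            per_host.setdefault(ev.host, set()).add(tag)
    findings = {}
    for host, stages in per_host.items():
        suspicious = "vscode_tunnel" in stages and (
            "schtasks_persistence" in stages or "python_loader" in stages
        )
        findings[host] = {"stages": sorted(stages), "suspicious": suspicious}
    return findings


# Constructed sample telemetry: WS01 shows the full chain, DEV02 is a developer
# legitimately using a tunnel from PowerShell.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\a\Downloads\briefing\invite.bat"'),
    ProcEvent("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Tools\pythonw.exe",
              r"pythonw.exe C:\Users\a\AppData\Local\Temp\loader.py"),
    ProcEvent("WS01", r"C:\Tools\pythonw.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc onlogon /tn "Updater" '
              r'/tr "C:\Users\a\AppData\Local\code.exe tunnel --accept-server-license-terms"'),
    ProcEvent("WS01", r"C:\Tools\pythonw.exe", r"C:\Users\a\AppData\Local\code.exe",
              r"code.exe tunnel user login --provider github"),
    ProcEvent("DEV02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\VSCode\code.exe",
              r"code.exe tunnel --accept-server-license-terms"),
    ProcEvent("DEV02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c dir"),
]

if __name__ == "__main__":
    for host, result in hunt(SAMPLE_EVENTS).items():
        print(host, result)
```

In practice the events come from Sysmon Event ID 1 or an EDR's process table rather than a list literal; the useful signal is the combination, since `code tunnel` on its own is common on developer workstations. Pair the host-level hit with a review of its scheduled tasks and of outbound connections from code.exe, and treat a tunnel started by anything other than an interactive user shell as a finding.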