Particle.news

Proofpoint: Chinese TA415 Used VS Code Remote Tunnels in Phishing of U.S. Trade Policy Targets

Fresh analysis details intelligence-gathering tradecraft that blended trusted cloud services with policy-themed impersonation to evade detection.

Overview

  • Proofpoint reports a July–August 2025 spear-phishing campaign against U.S. government, think-tank, and academic experts focused on U.S.–China trade and economic policy.
  • Lures spoofed the U.S.-China Business Council and Rep. John Moolenaar, using the address [email protected] and cloud links hosted on Zoho WorkDrive, Dropbox, and OpenDrive.
  • Password-protected archives contained an LNK that launched a batch script to run the obfuscated Python loader WhirlCoil, install the VS Code CLI, create a scheduled task, and establish a GitHub-authenticated VS Code Remote Tunnel.
  • Verification codes for the tunnel and harvested system and user data were sent to free request-logging services such as requestrepo[.]com, with Cloudflare WARP used to obscure the origin.
  • The activity is attributed to TA415/APT41 tied to Chengdu 404 Network Technology, and follows a House committee advisory warning of ongoing Chinese impersonation campaigns targeting policy stakeholders.
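The post-execution chain summarized above (VS Code CLI started in tunnel mode from a batch script, a scheduled task to relaunch it, and check-ins to a free request-logging service) leaves distinct traces in endpoint telemetry. The following hunt is an added example written for this page, not code from Proofpoint or from the article: it scans process-creation events for those three signals and rates a tunnel launch higher when its parent is not an interactive shell. The event schema (`parent_image`, `image`, `command_line`, `dest_host`), the file paths, the task name and the sample events themselves are constructed assumptions; the request-logging domain list is seeded only with the one domain named in the reporting.

```python
"""Hunt for VS Code Remote Tunnel abuse in process-creation events.

Added example, not from the original article. Event field names and all
sample values below are constructed for illustration.
"""
from __future__ import annotations

import re
import shlex

# Assumed seed list: the only request-logging domain named in the reporting.
# Extend from your own intel feeds.
REQUEST_LOGGING_DOMAINS = {"requestrepo.com"}

# Parents under which a developer would plausibly start a tunnel by hand.
# A tunnel launched by cmd.exe (from an LNK/batch), python or schtasks is
# treated as high severity instead.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "code.exe"}

# Matches the VS Code CLI binary name at the end of a path (code or code.exe).
VSCODE_CLI = re.compile(r"(^|[\\/])code(\.exe)?$", re.IGNORECASE)


def _argv(cmdline: str) -> list[str]:
    """Split a Windows command line; posix=False keeps backslashes intact."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:
        return cmdline.split()


def is_vscode_tunnel_launch(event: dict) -> bool:
    """True when the VS Code CLI is started with the 'tunnel' subcommand."""
    argv = _argv(event.get("command_line", ""))
    if not argv or not VSCODE_CLI.search(argv[0].strip('"')):
        return False
    return any(a.lower() == "tunnel" for a in argv[1:])


def is_tunnel_persistence(event: dict) -> bool:
    """True when schtasks.exe creates a task whose action runs the CLI in tunnel mode."""
    image = event.get("image", "").lower()
    cmd = event.get("command_line", "").lower()
    return image.endswith("schtasks.exe") and "/create" in cmd and "tunnel" in cmd and "code" in cmd


def is_request_logging_beacon(event: dict) -> bool:
    """True when the destination host is a request-logging service or a subdomain of one."""
    host = event.get("dest_host", "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in REQUEST_LOGGING_DOMAINS)


def hunt(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event id, finding label) pairs for every matching event."""
    findings: list[tuple[int, str]] = []
    for e in events:
        if is_vscode_tunnel_launch(e):
            parent = e.get("parent_image", "").rsplit("\\", 1)[-1].lower()
            sev = "high" if parent not in INTERACTIVE_PARENTS else "info"
            findings.append((e["id"], f"vscode_tunnel_launch:{sev}"))
        if is_tunnel_persistence(e):
            findings.append((e["id"], "tunnel_scheduled_task"))
        if is_request_logging_beacon(e):
            findings.append((e["id"], "request_logging_beacon"))
    return findings


# Constructed sample telemetry (not real campaign artifacts): an LNK-spawned
# batch file starts the CLI in tunnel mode, registers a scheduled task, and a
# Python child reaches a request-logging subdomain; event 5 is a developer
# starting a tunnel from Explorer for comparison.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\setup.bat"', "dest_host": ""},
    {"id": 2, "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Users\u\AppData\Local\Temp\code.exe",
     "command_line": r'"C:\Users\u\AppData\Local\Temp\code.exe" tunnel --accept-server-license-terms', "dest_host": ""},
    {"id": 3, "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /tn "Updater" /tr "C:\Users\u\AppData\Local\Temp\code.exe tunnel" /sc minute /mo 5',
     "dest_host": ""},
    {"id": 4, "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Users\u\AppData\Local\Temp\python.exe",
     "command_line": r"python.exe loader.py", "dest_host": "abc123.requestrepo.com"},
    {"id": 5, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Microsoft VS Code\bin\code.exe",
     "command_line": r'"C:\Program Files\Microsoft VS Code\bin\code.exe" tunnel', "dest_host": ""},
]

if __name__ == "__main__":
    for event_id, label in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {label}")
```

The severity split matters in practice: VS Code Remote Tunnels are a legitimate feature, so alerting on every `code tunnel` start generates noise in developer-heavy environments, whereas a tunnel whose parent is a script interpreter, or one re-armed through a scheduled task, is rarely benign. Pair the process signals with the DNS or proxy check so that a single event chain, not any one indicator, drives the alert.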