
From Log4j to IIS, China’s Hackers Turn Legacy Bugs into Global Espionage Tools

0
Medium
Vulnerability
Published: Fri Nov 07 2025 (11/07/2025, 16:07:00 UTC)
Source: The Hacker News

Description

A China-linked threat actor has been attributed to a cyber attack targeting a U.S. non-profit organization with an aim to establish long-term persistence, as part of broader activity aimed at U.S. entities that are linked to or involved in policy issues. The organization, according to a report from Broadcom's Symantec and Carbon Black teams, is "active in attempting to influence U.S. government

AI-Powered Analysis

Last updated: 11/08/2025, 02:52:09 UTC

Technical Analysis

This threat involves a China-linked advanced persistent threat (APT) actor leveraging a range of legacy vulnerabilities and misconfigurations to conduct cyber espionage and establish persistent footholds in targeted networks. The initial intrusion was detected in April 2025 against a U.S. non-profit organization engaged in policy influence, using mass scanning and exploitation of known CVEs such as CVE-2022-26134 (Atlassian), CVE-2021-44228 (Apache Log4j), CVE-2017-9805 (Apache Struts), and CVE-2017-17562 (GoAhead Web Server).

Post-compromise actions included executing network reconnaissance commands (curl, netstat), creating scheduled tasks to run legitimate Microsoft binaries (msbuild.exe) for payload execution, and injecting code into csc.exe to communicate with a command-and-control server. The attackers deployed remote access trojans (RATs) in memory and used DLL sideloading techniques with legitimate antivirus components (Vipre's vetysafe.exe) to evade detection. Tools such as Dcsync and Imjpuexc were observed, indicating attempts to harvest credentials and escalate privileges. The attackers targeted domain controllers to enable lateral movement and network-wide compromise.

The campaign is linked to multiple Chinese APT groups, including Salt Typhoon (Earth Estries), Earth Longzhi, Space Pirates, and Kelp, who share tooling and techniques. Additional activity includes exploitation of WinRAR vulnerabilities (CVE-2025-8088) and IIS server compromises using publicly exposed ASP.NET machine keys to deploy the TOLLBOOTH backdoor with SEO cloaking and web shell capabilities. These IIS attacks enable unauthenticated remote command execution and use rootkits like HIDDENDRIVER to maintain stealth. Broader Chinese cyber campaigns also target sectors across Asia, Europe, Latin America, and the U.S., employing phishing, adversary-in-the-middle attacks, and DNS hijacking to deliver malware such as BLOODALCHEMY, WinDealer, and SlowStepper.

The shared use of tools and overlapping tactics among Chinese groups complicates attribution and defense efforts.

Potential Impact

European organizations face significant risks from this threat due to the widespread use of affected legacy software and IIS servers across the continent. Successful exploitation can lead to unauthorized access, credential theft, and establishment of persistent backdoors, enabling espionage, data exfiltration, and potential disruption of critical services. Targeting domain controllers threatens the integrity and availability of entire networks, facilitating lateral movement and broad compromise. The use of stealthy techniques like DLL sideloading and rootkits increases the difficulty of detection and remediation. Given the geopolitical context, European entities involved in policy, government, energy, and critical infrastructure sectors are particularly vulnerable to espionage and influence operations. The presence of SEO cloaking backdoors also risks reputational damage and potential blacklisting of compromised web assets. The ongoing activity by multiple Chinese APT groups in Europe indicates a sustained threat environment requiring vigilant defense.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy focusing on:

1) Immediately patch and mitigate all known legacy vulnerabilities exploited by these actors, including CVE-2022-26134, CVE-2021-44228, CVE-2017-9805, CVE-2017-17562, and CVE-2025-8088.
2) Conduct comprehensive audits of IIS server configurations to identify and remediate misconfigurations, especially exposure of ASP.NET machine keys.
3) Deploy advanced endpoint detection and response (EDR) solutions capable of detecting DLL sideloading, scheduled task abuse, and in-memory RAT execution.
4) Monitor for unusual scheduled tasks, especially those invoking msbuild.exe or csc.exe, and investigate any anomalous network connections to suspicious IPs or domains.
5) Harden domain controllers by restricting access, enabling multi-factor authentication, and monitoring for Dcsync and credential dumping activities.
6) Employ network segmentation to limit lateral movement and isolate critical assets.
7) Use threat intelligence feeds to detect indicators of compromise related to Chinese APT tooling and infrastructure.
8) Regularly review and update incident response plans to address advanced persistent threats, and conduct red team exercises simulating these attack techniques.
9) Educate staff on the phishing and social engineering tactics used by these groups to reduce initial infection vectors.
10) Collaborate with national cybersecurity centers and share threat intelligence to improve detection and response capabilities across Europe.
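Recommendation 4 (monitoring for scheduled tasks that invoke msbuild.exe or csc.exe) is the kind of check that can be run directly over Windows Security log exports. The following Python is an added example written for this page, not code from the Symantec/Carbon Black report or The Hacker News article: it parses Security Event ID 4698 ("A scheduled task was created") records, unpacks the task definition embedded in the TaskContent field, and flags any Exec action whose command resolves to one of the watched binaries. The two event records and all paths in them are constructed sample data, and the hypothetical task name, user name and arguments are assumptions made for the example.

```python
"""Flag Windows Security Event ID 4698 (scheduled task created) records whose
action runs a living-off-the-land binary named in the advisory (msbuild.exe,
csc.exe). Added example; event samples below are constructed, not real logs."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from xml.sax.saxutils import escape

# Namespaces used by the Windows event envelope and by task definitions.
EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Binaries the advisory says were scheduled for payload execution; extend as needed.
WATCHED_BINARIES = {"msbuild.exe", "csc.exe"}


@dataclass
class Finding:
    task_name: str
    user: str
    command: str
    arguments: str
    binary: str


def _data(event_data, name: str) -> str:
    """Return the text of <Data Name="..."> inside <EventData>, or ''."""
    for d in event_data.findall(f"{EVT_NS}Data"):
        if d.get("Name") == name:
            return d.text or ""
    return ""


def _basename(command: str) -> str:
    """Normalise a Command value to its lower-case file name."""
    return command.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_4698_event(event_xml: str) -> list[Finding]:
    """Return one Finding per Exec action in a 4698 event that runs a watched binary."""
    root = ET.fromstring(event_xml)
    if root.findtext(f"{EVT_NS}System/{EVT_NS}EventID") != "4698":
        return []  # not a task-creation event
    event_data = root.find(f"{EVT_NS}EventData")
    task_name = _data(event_data, "TaskName")
    user = _data(event_data, "SubjectUserName")
    # TaskContent is the task definition stored as escaped XML; ElementTree has
    # already unescaped it, so it can be parsed directly. Drop any XML
    # declaration first so a declared encoding cannot confuse the parser.
    content = re.sub(r"^\s*<\?xml[^>]*\?>", "", _data(event_data, "TaskContent"))
    task = ET.fromstring(content)
    findings = []
    for exe in task.iter(f"{TASK_NS}Exec"):
        cmd = (exe.findtext(f"{TASK_NS}Command") or "").strip()
        args = (exe.findtext(f"{TASK_NS}Arguments") or "").strip()
        binary = _basename(cmd)
        if binary in WATCHED_BINARIES:
            findings.append(Finding(task_name, user, cmd, args, binary))
    return findings


def scan_events(events: list[str]) -> list[Finding]:
    """Run the check over a list of exported event records."""
    return [f for e in events for f in check_4698_event(e)]


def _event(task_name: str, user: str, task_xml: str) -> str:
    """Build a constructed 4698 record; TaskContent is escaped as in real exports."""
    return (
        f'<Event xmlns="{EVT_NS[1:-1]}"><System><EventID>4698</EventID></System>'
        f'<EventData><Data Name="SubjectUserName">{user}</Data>'
        f'<Data Name="TaskName">{task_name}</Data>'
        f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>'
    )


def _task(command: str, arguments: str) -> str:
    return (
        f'<Task version="1.2" xmlns="{TASK_NS[1:-1]}"><Actions Context="Author">'
        f"<Exec><Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed samples (hypothetical names and paths): one task that launches
# MSBuild with a project file from ProgramData, and one ordinary batch job.
SAMPLE_EVENTS = [
    _event(r"\Microsoft\Windows\Update\Sync", "svc_web",
           _task(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
                 r"C:\ProgramData\sync.xml")),
    _event(r"\Nightly Backup", "backup_admin",
           _task(r"C:\Windows\System32\cmd.exe", r"/c C:\Scripts\backup.bat")),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"ALERT task={f.task_name!r} user={f.user} runs {f.binary}: {f.command} {f.arguments}")
```

In production the records would come from a SIEM export or from `wevtutil qe Security /q:"*[System[EventID=4698]]" /f:xml`; every hit still needs triage, since build servers legitimately schedule MSBuild, so the arguments (project file location, who created the task) are what separate the advisory's pattern from routine use.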


Technical Details

Article Source: https://thehackernews.com/2025/11/from-log4j-to-iis-chinas-hackers-turn.html (fetched 2025-11-08T02:51:38Z; 1664 words)

Threat ID: 690eb03c3a8fd010ecf20023

Added to database: 11/8/2025, 2:51:40 AM

Last enriched: 11/8/2025, 2:52:09 AM

Last updated: 11/21/2025, 8:02:58 PM

Views: 54

