Chinese hackers TA415 used VS Code Remote Tunnels to spy on US economic policy experts

18.09.2025 2 minutes Author: Newsman

The Chinese group TA415 has launched a new cyberespionage campaign against US government agencies, think tanks and universities. The attackers used fake invitations to “closed briefings” with malicious archives attached to gain a foothold on victims’ systems, then kept remote access to them through VS Code Remote Tunnels.

According to Proofpoint, the attacks ran through July and August 2025 and were disguised as letters from the US-China Competition Commission and the U.S.-China Business Council. The main targets were experts on international trade and economic policy.

The letters came from the spoofed address *uschina@zohomail[.]com* and carried archives with hidden files. Inside was an LNK file that launched an obfuscated Python loader called WhirlCoil. The loader created a scheduled task that re-ran it every two hours with SYSTEM privileges, set up a Visual Studio Code Remote Tunnel, which gives the operator remote access to the host through Microsoft’s legitimate tunnel infrastructure, and sent data to external servers via *requestrepo[.]com*.

The infection chain featured a decoy PDF document that distracted the user while a backdoor was set up in the background. This approach was previously used against aerospace and manufacturing companies in 2024.
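The chain described above (LNK launched from a temp directory, a Python loader, a two-hourly SYSTEM scheduled task, a `code tunnel` launch and DNS to the exfiltration domain) is easy to turn into hunt logic. The following is an added example, not code from Proofpoint or the original article: a small set of rules run over constructed Sysmon-style events. The event field names, the task name, file paths and the `devtunnels.ms` / `tunnels.api.visualstudio.com` suffixes (the infrastructure VS Code Remote Tunnels talk to) are this example's own assumptions; `requestrepo[.]com` is the only domain taken from the article.

```python
"""Hunt rules for the TA415 VS Code Remote Tunnel chain, run over constructed telemetry."""
import re
from collections import defaultdict

# Constructed sample events in a Sysmon-like shape (not real captured data).
# Field names are this example's own convention, not a specific product's schema.
SAMPLE_EVENTS = [
    {"id": 1, "host": "wks-17", "type": "process", "image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\briefing\Invitation.lnk"'},
    {"id": 2, "host": "wks-17", "type": "process",
     "image": r"C:\Users\alice\AppData\Local\Programs\Python\python.exe",
     "cmdline": r'python.exe "C:\Users\alice\AppData\Local\Temp\briefing\.cache\loader.py"'},
    {"id": 3, "host": "wks-17", "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Updater" /sc hourly /mo 2 /ru SYSTEM /tr "python.exe loader.py"'},
    {"id": 4, "host": "wks-17", "type": "process",
     "image": r"C:\Users\alice\AppData\Local\Temp\vscode-cli\code.exe",
     "cmdline": r"code.exe tunnel --accept-server-license-terms --name wks-17"},
    {"id": 5, "host": "wks-17", "type": "dns", "query": "requestrepo.com"},
    {"id": 6, "host": "wks-17", "type": "dns", "query": "global.rel.tunnels.api.visualstudio.com"},
    # Benign developer activity on another host: a normal editor launch and unrelated DNS.
    {"id": 7, "host": "dev-03", "type": "process",
     "image": r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r'"Code.exe" C:\src\project'},
    {"id": 8, "host": "dev-03", "type": "dns", "query": "marketplace.visualstudio.com"},
]

# Assumed tunnel infrastructure suffixes (VS Code Remote Tunnels); not from the article.
TUNNEL_INFRA = ("devtunnels.ms", "tunnels.api.visualstudio.com")
# Exfiltration domain named in the article.
EXFIL_DOMAINS = ("requestrepo.com",)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_lnk_from_temp(ev):
    # An LNK executed straight out of a temp or download location (unpacked archive).
    return ev["type"] == "process" and bool(
        re.search(r'\\(temp|downloads)\\.*\.lnk"?\s*$', ev["cmdline"], re.I))


def rule_python_from_temp(ev):
    # Python interpreter launched with a script under a temp directory (the loader).
    return (ev["type"] == "process" and basename(ev["image"]) in ("python.exe", "pythonw.exe")
            and bool(re.search(r"\\temp\\", ev["cmdline"], re.I)))


def rule_schtask_2h_system(ev):
    # schtasks creating a task that runs every 2 hours as SYSTEM (persistence).
    if ev["type"] != "process" or basename(ev["image"]) != "schtasks.exe":
        return False
    c = ev["cmdline"].lower()
    return "/create" in c and "/ru system" in c and bool(re.search(r"/sc hourly\s+/mo 2\b", c))


def rule_vscode_tunnel(ev):
    # VS Code CLI started in tunnel mode. Legitimate for some developers, so it is
    # scored together with the other rules rather than alerted on alone.
    return (ev["type"] == "process" and basename(ev["image"]) in ("code.exe", "code-tunnel.exe", "code")
            and bool(re.search(r"\btunnel\b", ev["cmdline"], re.I)))


def _dns_in(ev, suffixes):
    return ev["type"] == "dns" and any(
        ev["query"] == s or ev["query"].endswith("." + s) for s in suffixes)


RULES = {
    "lnk_from_temp": rule_lnk_from_temp,
    "python_from_temp": rule_python_from_temp,
    "schtask_2h_system": rule_schtask_2h_system,
    "vscode_tunnel": rule_vscode_tunnel,
    "exfil_dns": lambda ev: _dns_in(ev, EXFIL_DOMAINS),
    "tunnel_infra_dns": lambda ev: _dns_in(ev, TUNNEL_INFRA),
}


def hunt(events):
    """Return {host: {rule_name: [event ids]}} for every rule that fired."""
    findings = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                findings[ev["host"]][name].append(ev["id"])
    return {h: dict(r) for h, r in findings.items()}


def chain_hosts(findings):
    """Hosts where a tunnel was started AND at least one other stage of the chain fired."""
    return sorted(h for h, r in findings.items() if "vscode_tunnel" in r and len(r) >= 2)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host, rules in found.items():
        print(host, rules)
    print("likely chain on:", chain_hosts(found))
```

The tunnel rule on its own would be noisy in an engineering organization; the value is in the correlation: a `code tunnel` launch on a host that also created a two-hourly SYSTEM task or resolved the exfiltration domain is what separates this chain from a developer working remotely.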

TA415 is believed to be part of a larger cluster of attackers tracked as APT41 or Brass Typhoon. The campaign coincided with new warnings from the US Congress about a “prolonged wave” of Chinese espionage operations. Similar phishing emails impersonating Republican Congressman John Moolenaar have already been used to steal data.

The goal of such campaigns is to gather intelligence amid tense negotiations between the US and the PRC over trade and Taiwan.

The TA415 campaign shows that even current developer tools such as VS Code can become a conduit for espionage. Defending against it calls for stronger attachment scanning, blocking LNK files at the mail gateway, restricting or monitoring VS Code Remote Tunnels on hosts that have no business running them, and a Zero Trust access model.
