📱 TA415 abuses VS Code Remote Tunnels via spearphishing for stealthy persistent access
📖 cyberveille : https://cyberveille.ch/posts/2025-09-17-ta415-abuse-des-tunnels-distants-de-vs-code-via-spearphishing-pour-un-acces-persistant-furtif/
🌐 source : https://www.proofpoint.com/us/blog/threat-insight/going-underground-china-aligned-ta415-conducts-us-china-economic-relations
#IOC #TA415 #Cyberveille

Source: Proofpoint — In operations conducted in July and August 2025, the Chinese state actor TA415 (associated with APT41) targeted US government bodies, think tanks and academic institutions focused on US-China relations. The attackers impersonated senior officials, including the chair of the Select Committee on Strategic Competition and the US-China Business Council, to deliver payloads that led to the setup of VS Code Remote Tunnels. This approach illustrates a notable shift toward living-off-the-land techniques that rely on legitimate services for C2. 🎯

CyberVeille

Proofpoint threat researchers published new research identifying a new cyber-espionage campaign by #TA415 (#APT41), a China-aligned threat actor, exploiting growing uncertainty in U.S.-China economic relations.

🔗 Full blog: https://www.proofpoint.com/us/blog/threat-insight/going-underground-china-aligned-ta415-conducts-us-china-economic-relations

The group is impersonating trusted organizations and policymakers to target U.S. government, academic, and think tank targets.

See our blog for a detailed breakdown of these July and August 2025 campaigns, infection chain, IOCs, and Emerging Threats rulesets. 

Going Underground: China-aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels
#TA415 #WhirlCoil
https://www.proofpoint.com/us/blog/threat-insight/going-underground-china-aligned-ta415-conducts-us-china-economic-relations

A new DISCARDED podcast episode is here 🚹

👉 https://ow.ly/H3SO50Ukn7w

Listen in to hear APT research expert Mark Kelly share his insight on the #cybercrime and state-sponsored espionage of #TA415 (AKA #APT41 #BrassTyphoon).


In August 2024, Proofpoint published research highlighting an unusual, suspected espionage campaign targeting dozens of organizations worldwide to deliver a custom malware family named “Voldemort”.

Proofpoint analysts now attribute this campaign to the China-aligned threat group #TA415 (also known as #APT41 and #BrassTyphoon).

This attribution is based on multiple newly identified high confidence links between the campaign distributing Voldemort and known TA415-attributed infrastructure, including overlaps with activity publicly reported by Mandiant in July 2024: https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust.

Furthermore, in late August 2024, Proofpoint identified a targeted campaign featuring an almost identical attack chain to deliver the Voldemort backdoor. This activity spoofed a Taiwanese aerospace industry association and repeatedly targeted fewer than five aerospace companies in the US and Taiwan, aligning with more typical targeting associated with TA415 and other China-aligned actors.

The screenshot below shows a machine translated version of a phishing email associated with this campaign (originally written in Traditional Chinese).

In this campaign, TA415 began using Google AMP Cache URLs that redirected to password protected 7-Zip files hosted on OpenDrive. These archives contained malicious Microsoft Shortcut (LNK) files that attempted to download a Python script hosted on paste[.]ee. This activity continued into late September 2024 and also targeted a small number of organizations in the chemicals, insurance, and manufacturing industries.

The initial widespread #TA415 campaign distributing Voldemort remains unusual due to its widespread targeting and techniques more commonly observed in cybercrime activity.

While this volume of targeting from an APT actor is uncommon, it is not unheard of, as Proofpoint observed similar high volume targeting by the Russia state-aligned threat actor #TA422 in 2023: https://ow.ly/BJuW50TQSt0.

âŹ‡ïžâŹ‡ïžâŹ‡ïž

Read our recent blog to learn more about the TA415 Voldemort campaign: https://ow.ly/8Cka50TQSv1.
