China-Linked Hackers Exploit Legacy Flaws and IIS Servers in Global Espionage Surge

Chinese state-linked cyber actors are increasingly leveraging well-known vulnerabilities and server misconfigurations to establish enduring footholds in critical networks worldwide, according to recent reports from cybersecurity researchers; in a related case, a Chinese state-linked group exploited a Windows zero-day against European diplomats. This expansive campaign targets a range of entities, from U.S. policy organizations to European businesses and Latin American governmental bodies, signalling a concerted effort to gather intelligence and maintain long-term access.

Recent analyses from Broadcom’s Symantec and Carbon Black teams, alongside disclosures from ESET, Elastic Security Labs, and HarfangLab, reveal a pervasive strategy. Attackers are not solely relying on zero-day exploits but are effectively weaponizing older, publicly documented vulnerabilities such as Apache Log4j (CVE-2021-44228) and Atlassian Confluence (CVE-2022-26134), alongside exploiting common weaknesses in Internet Information Services (IIS) servers. The objective appears to be sustained espionage, particularly against organizations influencing U.S. foreign policy.

One notable incident detailed by Symantec and Carbon Black involved a U.S. non-profit organization actively engaged in international policy advocacy. In April 2025, a China-linked threat actor initiated mass scanning against the organization’s servers, deploying various exploits. After an initial reconnaissance period, the attackers established persistence using scheduled tasks that execute the legitimate, signed Microsoft binaries `msbuild.exe` and `csc.exe` to compile and load undisclosed payloads and communicate with a command-and-control server (38.180.83.166). The operation also showcased the sideloading of a malicious DLL via the legitimate Vipre AV component `vetysafe.exe`, a technique previously observed in activity attributed to groups such as Salt Typhoon and Space Pirates. This sharing of tools among different Chinese threat clusters complicates definitive attribution but underscores a coordinated, state-backed cyber ecosystem. Separately, CISA directed federal agencies to patch a VMware vulnerability actively exploited by the Chinese threat actor UNC5174.
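The persistence mechanism described above is cheap to hunt for: Task Scheduler stores every task as an XML file under `C:\Windows\System32\Tasks`, and the abused binaries are fixed, well-known names. The script below is an added example (not code from the Symantec/Carbon Black report) that parses task definitions and flags any whose `Exec` action runs `msbuild.exe` or `csc.exe`. The three task definitions and their names are constructed for the demonstration; the directory loader is there for running the same check on a live host.

```python
"""Hunt Windows Scheduled Task XML for msbuild.exe / csc.exe persistence.

Added example, not from the original report. Task Scheduler keeps one XML
file per task under C:\\Windows\\System32\\Tasks; the Actions/Exec element
holds the command that runs. The sample tasks below are constructed.
"""
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Signed Microsoft binaries the report says were used to compile and run payloads.
LOLBINS = {"msbuild.exe", "csc.exe"}

# Constructed sample: one benign task and two matching the reported pattern.
SAMPLE_TASKS: Dict[str, str] = {
    "ScheduledDefrag": """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>
  </Actions>
</Task>""",
    "WindowsUpdateCheck": """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe</Command>
      <Arguments>C:\\ProgramData\\update\\task.xml</Arguments>
    </Exec>
  </Actions>
</Task>""",
    "DotNetCache": """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe</Command>
      <Arguments>/nologo /target:library /out:C:\\ProgramData\\cache\\c.dll C:\\ProgramData\\cache\\c.cs</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def exec_actions(task_xml) -> List[Dict[str, str]]:
    """Return every Actions/Exec (command + arguments) in one task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        actions.append({"command": cmd.strip(), "arguments": args.strip()})
    return actions


def basename_lower(path: str) -> str:
    """Last path component, lower-cased, tolerant of %ENV% prefixes and either slash."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_lolbin_tasks(tasks: Dict[str, str]) -> List[Dict[str, str]]:
    """Flag tasks whose Exec action runs one of the abused binaries."""
    hits = []
    for name, xml_text in tasks.items():
        for action in exec_actions(xml_text):
            exe = basename_lower(action["command"])
            if exe in LOLBINS:
                hits.append({"task": name, "binary": exe, "arguments": action["arguments"]})
    return hits


def load_tasks_dir(tasks_dir: str) -> Dict[str, bytes]:
    """Read real task files (UTF-16 with BOM on Windows; expat handles the bytes)."""
    tasks = {}
    for dirpath, _, files in os.walk(tasks_dir):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                tasks[os.path.relpath(full, tasks_dir)] = fh.read()
    return tasks


if __name__ == "__main__":
    # On a live Windows host: find_lolbin_tasks(load_tasks_dir(r"C:\Windows\System32\Tasks"))
    for hit in find_lolbin_tasks(SAMPLE_TASKS):
        print(f"[!] {hit['task']}: {hit['binary']} {hit['arguments']}")
```

A hit is not proof of compromise on its own (build servers legitimately schedule MSBuild), so triage the arguments: a project file or source file under `ProgramData`, a user profile or a temp directory, combined with a logon trigger, is the shape the report describes.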

Broader Campaign Scope and Tactics

Beyond the U.S., China-aligned groups have intensified their operations across multiple continents. ESET highlights several distinct campaigns: “Speccom” targeted the energy sector in Central Asia with custom backdoors; “DigitalRecyclers” exploited the Magnifier accessibility tool for elevated privileges against European organizations; “FamousSparrow” likely leveraged ProxyLogon flaws in Microsoft Exchange Server to compromise Latin American government entities; and “SinisterEye” deployed adversary-in-the-middle (AitM) attacks to hijack software updates for malware delivery against targets in Taiwan, China, and Ecuador. Another group, “PlushDaemon,” achieved AitM positioning by compromising network devices to redirect DNS traffic, ultimately serving its “SlowStepper” backdoor.

A separate and growing trend involves Chinese-speaking threat actors, such as the cluster Elastic tracks as “REF3927,” systematically targeting misconfigured IIS servers. Researchers from Elastic Security Labs and HarfangLab documented how these groups exploit publicly exposed ASP.NET machine keys (which let an attacker craft ViewState payloads that the server trusts and deserializes) to install a backdoor known as TOLLBOOTH (also called HijackServer). This backdoor provides SEO cloaking and web shell capabilities. Once access is gained, the attackers often deploy the Godzilla web shell, use GotoHTTP for remote access, employ Mimikatz for credential harvesting, and install HIDDENDRIVER, a modified rootkit, to obscure their presence. Hundreds of servers globally, particularly in India and the U.S., have been compromised through this method, adding to a growing list of Chinese groups observed exploiting IIS servers.
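The misconfiguration at the root of this campaign is a `<machineKey>` in `web.config` whose values were copied from a public source, so any attacker holding the same key can sign a malicious `__VIEWSTATE` that the server will deserialize. The script below is an added example (not the Elastic or HarfangLab tooling) that audits a `web.config`, flags keys that appear in a list of publicly disclosed keys, flags legacy algorithms, and rewrites the element with freshly generated keys. The sample `web.config` and the two entries in `KNOWN_PUBLIC_KEYS` are constructed placeholders, not real leaked values; in a real audit that set should be populated from Microsoft's published list of disclosed machine keys.

```python
"""Audit and rotate ASP.NET <machineKey> settings in web.config.

Added example, not from the original research. A leaked static machineKey
lets anyone forge __VIEWSTATE payloads the server deserializes. The sample
config and the "known public" keys here are constructed placeholders.
"""
import re
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Placeholders standing in for publicly disclosed keys (populate from
# Microsoft's published list in practice).
KNOWN_PUBLIC_KEYS = {
    "0123456789ABCDEF" * 8,   # 128 hex chars, a "leaked" validationKey (placeholder)
    "FEDCBA9876543210" * 4,   # 64 hex chars, a "leaked" decryptionKey (placeholder)
}

# Constructed sample: static keys copied from a public source + legacy SHA1 validation.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>""".format(vk="0123456789ABCDEF" * 8, dk="FEDCBA9876543210" * 4)

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}
# Recommended key sizes: 64-byte validation key for HMAC-SHA2, 32-byte AES key.
MIN_HEX_LEN = {"validationKey": 128, "decryptionKey": 64}


def parse_machine_key(web_config: str) -> Optional[Dict[str, str]]:
    """Return the attributes of the first <machineKey> element, or None if absent."""
    root = ET.fromstring(web_config)
    node = next(root.iter("machineKey"), None)
    return dict(node.attrib) if node is not None else None


def audit_machine_key(mk: Optional[Dict[str, str]], known: set) -> List[str]:
    """Findings for one machineKey element; an empty list means nothing to flag."""
    findings: List[str] = []
    if mk is None:
        return findings  # no element: ASP.NET auto-generates per-server keys
    for name, min_len in MIN_HEX_LEN.items():
        value = mk.get(name, "AutoGenerate").split(",")[0]  # drop ",IsolateApps"
        if value == "AutoGenerate":
            continue
        if value.upper() in known:
            findings.append(f"{name}:public")
        if not HEX_RE.match(value):
            findings.append(f"{name}:not-hex")
        elif len(value) < min_len:
            findings.append(f"{name}:short")
    if mk.get("validation", "HMACSHA256").upper() not in STRONG_VALIDATION:
        findings.append("validation:legacy")
    if mk.get("decryption", "AES").upper() != "AES":
        findings.append("decryption:legacy")
    return findings


def generate_machine_key() -> Dict[str, str]:
    """Fresh random keys from the OS CSPRNG, with modern algorithm selections."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_web_config(web_config: str) -> str:
    """Return web_config with its <machineKey> replaced (or inserted) using new keys."""
    root = ET.fromstring(web_config)
    node = next(root.iter("machineKey"), None)
    if node is None:
        system_web = next(root.iter("system.web"), None)
        if system_web is None:
            system_web = ET.SubElement(root, "system.web")
        node = ET.SubElement(system_web, "machineKey")
    node.attrib.clear()
    node.attrib.update(generate_machine_key())
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("findings:", audit_machine_key(parse_machine_key(WEAK_WEB_CONFIG), KNOWN_PUBLIC_KEYS))
    print(rotate_web_config(WEAK_WEB_CONFIG))
```

Rotation invalidates existing sessions and ViewState, so schedule it, and on a web farm deploy the same new keys to every node rather than falling back to `AutoGenerate`. Rotating the key does not evict an attacker who has already dropped a web shell or TOLLBOOTH module; pair it with a review of the IIS module list and `wwwroot` contents.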

The sustained activity underscores a persistent and adaptable cyber espionage threat, in which adversaries continually refine their methods by weaponizing both old vulnerabilities and common misconfigurations. The shared use of tools and techniques across Chinese threat actors presents a significant challenge for defenders seeking to attribute and counter these operations.