
TA415 Hackers Aligned with China Exploit Google Sheets and Google Calendar for C2 Communications

Chinese state-sponsored threat actor TA415 has intensified its cyberespionage operations throughout July and August 2025, conducting sophisticated spearphishing campaigns targeting United States government entities, think tanks, and academic organizations with a focus on U.S.-China economic relations.

The group, also tracked as APT41, Brass Typhoon, and Wicked Panda, has been routing its command and control through legitimate cloud services, which makes the traffic hard to single out on the network.

Security researchers at Proofpoint have identified TA415’s consistent use of legitimate services for command and control operations, including Google Sheets, Google Calendar, and Visual Studio Code Remote Tunnels.

This approach lets the operator's traffic hide among ordinary connections to the same services, so network controls that rely on domain reputation or allow-lists see nothing unusual; detection has to rely on which process opens those connections and on the host-side behaviour that follows.

Advanced C2 Infrastructure Using Trusted Services

The group’s infection chain begins with highly targeted phishing emails that masquerade as communications from prominent U.S. officials, including the current Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party, and representatives from the US-China Business Council.

These campaigns specifically target individuals specializing in international trade, economic policy, and U.S.-China relations.

TA415 VS Code Remote Tunnel infection chain.

TA415’s current attack methodology involves delivering password-protected archives hosted on public cloud sharing services such as Zoho WorkDrive, Dropbox, and OpenDrive.

The downloaded archives contain Windows shortcut (LNK) files alongside hidden files stored in a “MACOS” subfolder. Opening an LNK file runs a batch script that launches the WhirlCoil Python loader from a Python package bundled in the archive.

The WhirlCoil loader, obfuscated with look-alike variable names such as “IIIllIIIIlIlIIlIII,” downloads the legitimate VS Code command-line interface from Microsoft and starts a Visual Studio Code Remote Tunnel authenticated with a GitHub account. Because the tunnel is brokered by Microsoft's own infrastructure and the binary is Microsoft-signed, whoever controls that GitHub account gets remote file-system and terminal access to the host without deploying a conventional backdoor.

For persistence the malware registers a scheduled task named “GoogleUpdate,” “GoogleUpdated,” or “MicrosoftHealthcareMonitorNode” that runs every two hours, as SYSTEM when the loader was started with administrative rights.
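As an added example (not code from the article or from Proofpoint), the Python below triages the two host artefacts this stage leaves behind: the TaskContent XML that Windows Security event 4698 records when a scheduled task is created, and the command line that starts the VS Code CLI in tunnel mode. The task names are the ones reported above; the task XML, file paths and command lines are constructed for the demo and are not captured samples.

```python
"""Triage of the persistence stage described above.

Added example, not code from the article or from Proofpoint. It inspects the
TaskContent XML that Windows Security event 4698 (scheduled task created)
records, plus a process command line, and reports the traits the article
attributes to the WhirlCoil chain. Task XML, paths and command lines below
are constructed samples, not captured artefacts.
"""
from __future__ import annotations

import re
import shlex
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_SID = "S-1-5-18"
# Task names the article reports for this campaign.
LOOKALIKE_TASK_NAMES = {"GoogleUpdate", "GoogleUpdated", "MicrosoftHealthcareMonitorNode"}
# Interpreters a vendor updater would not run, and paths any user can write to.
INTERPRETERS = {"python", "pythonw", "cmd", "powershell", "wscript", "cscript", "mshta"}
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
DURATION_RE = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?")


def duration_seconds(value: str) -> int:
    """Convert a Task Scheduler duration such as PT2H or P1DT30M to seconds."""
    m = DURATION_RE.fullmatch(value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path, quotes removed."""
    return path.strip('"').replace("/", "\\").split("\\")[-1].lower()


def triage_scheduled_task(task_name: str, task_xml: str) -> list[str]:
    """Return the suspicious traits of one registered task (empty list: none)."""
    root = ET.fromstring(task_xml)
    findings = []
    if task_name.strip("\\").split("\\")[-1] in LOOKALIKE_TASK_NAMES:
        findings.append(f"task name {task_name!r} matches a TA415 lookalike")
    for principal in root.iterfind(".//t:Principal", TASK_NS):
        user = principal.findtext("t:UserId", default="", namespaces=TASK_NS).upper()
        if user == SYSTEM_SID or user.endswith("\\SYSTEM"):
            findings.append("runs as LocalSystem")
    for interval in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
        secs = duration_seconds(interval.text or "")
        if 0 < secs <= 2 * 3600:
            findings.append(f"repeats every {secs // 60} minutes")
    for action in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS)
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS)
        if _basename(command).removesuffix(".exe") in INTERPRETERS:
            findings.append(f"action launches interpreter {_basename(command)}")
        if USER_WRITABLE.search(command) or USER_WRITABLE.search(args):
            findings.append("action runs from a user-writable path")
    return findings


def is_vscode_tunnel_launch(command_line: str) -> bool:
    """True when a command line starts the VS Code CLI (code.exe) in tunnel mode."""
    tokens = shlex.split(command_line, posix=False)
    if not tokens:
        return False
    return _basename(tokens[0]) in {"code.exe", "code"} and any(
        t.lower() == "tunnel" for t in tokens[1:])


# Constructed TaskContent shaped like the event 4698 payload; paths are invented.
SUSPECT_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT2H</Interval></Repetition>
    <StartBoundary>2025-08-11T09:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Users\\Public\\Libraries\\python\\pythonw.exe</Command>
    <Arguments>C:\\Users\\Public\\Libraries\\python\\loader.py</Arguments></Exec></Actions>
</Task>"""

# A routine built-in style task for contrast: LocalSystem alone is not suspicious.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary>
    <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>%windir%\\system32\\defrag.exe</Command>
    <Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(triage_scheduled_task(r"\GoogleUpdate", SUSPECT_TASK_XML))
    print(triage_scheduled_task(r"\Microsoft\Windows\Defrag\ScheduledDefrag", BENIGN_TASK_XML))
    print(is_vscode_tunnel_launch(r'"C:\Users\Public\Libraries\code.exe" tunnel --accept-server-license-terms'))
```

Treat the traits as a score rather than individual alerts: the benign sample also runs as LocalSystem, and developers legitimately run `code tunnel` on their own machines. A task that combines a vendor-sounding name, a two-hour repetition and an interpreter under a user-writable path, or a `code.exe` tunnel launched from outside the Program Files install, is what merits escalation.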


Following the establishment of the tunnel, the malware collects comprehensive system information, including the Windows version, locale, computer name, username, and domain details, as well as contents from various user directories.

This data is exfiltrated in POST requests to free request-logging services, with the request URL carrying a timestamp and the base64-encoded computer name as query parameters.
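As an added example (not code from the article or from Proofpoint), the Python below scans proxy-style log lines for this beacon shape. The article does not publish the URL layout, so the parameter names `t` and `h`, the request-logger hostname, the client addresses and the log lines are all constructed; the detector does not depend on the names and instead decodes every query value, looking for a Unix timestamp paired with base64 of a NetBIOS-style computer name.

```python
"""Triage of outbound POST requests for the exfiltration pattern described above.

Added example, not code from the article or from Proofpoint. The article says
the collected host data is POSTed to free request-logging services with a
timestamp and a base64-encoded computer name in the URL, but does not publish
the URL layout, so the parameter names and proxy log lines below are
constructed. The detector ignores parameter names and instead decodes every
query value, looking for a Unix timestamp paired with an encoded hostname.
"""
from __future__ import annotations

import base64
import binascii
import re
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlsplit

# NetBIOS computer names: 1-15 letters, digits or hyphens.
COMPUTER_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")
# Accept epochs between 2000-01-01 and 2100-01-01 to reject ordinary numeric IDs.
EPOCH_MIN, EPOCH_MAX = 946_684_800, 4_102_444_800


def decode_computer_name(value: str) -> str | None:
    """Return the decoded text if value is base64 of a plausible computer name."""
    # parse_qsl turns a raw '+' into ' '; also accept the URL-safe alphabet.
    value = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    value += "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if COMPUTER_NAME_RE.match(text) else None


def decode_epoch(value: str) -> datetime | None:
    """Return a UTC datetime if value is a Unix epoch in seconds or milliseconds."""
    if not value.isdigit():
        return None
    n = int(value)
    if n > EPOCH_MAX:          # millisecond precision
        n //= 1000
    if not EPOCH_MIN <= n < EPOCH_MAX:
        return None
    return datetime.fromtimestamp(n, tz=timezone.utc)


def triage_request(method: str, url: str) -> dict | None:
    """Flag a POST whose query string carries both an epoch and an encoded hostname."""
    if method.upper() != "POST":
        return None
    parts = urlsplit(url)
    stamp = name = None
    for _key, raw in parse_qsl(parts.query, keep_blank_values=True):
        stamp = stamp or decode_epoch(raw)
        name = name or decode_computer_name(raw)
    if stamp is None or name is None:
        return None
    return {"host": parts.hostname, "computer_name": name, "timestamp": stamp.isoformat()}


def scan_proxy_log(lines: list[str]) -> list[dict]:
    """Run triage_request over 'time client method url status process' lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue
        when, client, method, url, _status, process = fields[:6]
        hit = triage_request(method, url)
        if hit:
            hit.update(logged_at=when, client=client, process=process)
            hits.append(hit)
    return hits


# Constructed proxy log: an exfiltration POST, an ordinary API POST, and a GET.
SAMPLE_LOG = [
    "2025-08-11T08:00:02Z 10.20.30.41 POST https://logger.example.test/r/k3j9x?t=1754899200&h=V0lOLTdIM0s5UDI%3D 200 pythonw.exe",
    "2025-08-11T08:00:05Z 10.20.30.42 POST https://api.corp.example.test/v1/orders?id=44871&h=V0lOLTdIM0s5UDI%3D 201 chrome.exe",
    "2025-08-11T08:00:09Z 10.20.30.41 GET https://logger.example.test/r/k3j9x?t=1754899200&h=V0lOLTdIM0s5UDI%3D 200 pythonw.exe",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The pairing requirement is what keeps the noise down: the ordinary API POST carries the same encoded value but no timestamp and is not flagged. Short tokens that happen to be valid base64 of letters and digits will still slip through, so in practice the hit should be weighted by destination (public request-bin style services) and by the requesting process, which here is an interpreter rather than a browser.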

According to U.S. government indictments, TA415 operates as a private contractor from Chengdu, China, under the company name Chengdu 404 Network Technology, with reported connections to China’s Ministry of State Security.

The timing of these campaigns coincides with ongoing U.S.-China economic negotiations, suggesting primary objectives involve collecting intelligence on the trajectory of bilateral economic relations and trade policies.

The campaign illustrates a broader shift among state-sponsored actors toward legitimate cloud infrastructure for persistence and command and control, which sidesteps detection built around recognising malware rather than misuse of trusted services.

Indicators of compromise

Indicator | Type | Context | First seen
uschina@zohomail[.]com | Email | Malware delivery | July 2025
johnmoolenaar[.]mail[.]house[.]gov@zohomail[.]com | Email | Malware delivery | August 2025
john[.]moolenaar[.]maii[.]house[.]gov@outlook[.]com | Email | Malware delivery | August 2025
https://www.dropbox[.]com/scl/fi/d1gceow3lpvg2rlb45zl4/USCBC_Meeting_Info_20250811.rar?rlkey=hg5kja70lgn6n2lozb2cjr1l5&st=2gj6un0k&dl=1 | URL | Malware delivery | July 2025
https://od[.]lk/d/OTRfMTA3OTczMjQwXw/USCBC_20250811_Meeting_Info.7z | URL | Malware delivery | July 2025

Indicators are defanged ([.]) as published. Note that the two August sender addresses embed a congressional mail domain in the local part of a free-mail address, and the second typo-squats “mail” as “maii”; mail filtering that keys on the display name or the apparent domain rather than the actual sending domain will not catch these.


The post TA415 Hackers Aligned with China Exploit Google Sheets and Google Calendar for C2 Communications appeared first on Cyber Security News.
