Security Articles

Going Underground: China-aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels

Released on 2025-09-17 at 06:09:09 AM

Throughout July and August 2025, TA415, a Chinese state-sponsored threat actor, conducted spearphishing campaigns targeting U.S. government, think tank, and academic organizations focused on U.S.-China relations. The group impersonated high-profile individuals and organizations to deliver an infection chain that establishes Visual Studio Code Remote Tunnels for persistent remote access. The activity, likely aimed at gathering intelligence on U.S.-China economic ties, used legitimate services such as Google Sheets and VS Code for command and control. TA415 employed a Python loader called WhirlCoil to set up the remote tunnels and exfiltrate system information. The targeting pattern and timing suggest evolving priorities shaped by the complex U.S.-China economic relationship.