
China-Linked Hackers Target U.S. Non-Profit in Long-Term Espionage Campaign Using DLL Sideloading
In April 2025, a China-linked hacking group compromised a U.S. non-profit organization focused on public policy and maintained access for several weeks. The intrusion is part of a broader campaign against U.S. entities working on policy issues.

To run their payload, the attackers used DLL sideloading via vetysafe.exe, a legitimate executable. The same technique has been used by other China-linked APT groups, including Space Pirates and Kelp. In DLL sideloading, the attacker drops a malicious DLL with the file name the legitimate program expects (typically in the same directory as a copied, signed executable); when the program starts, it loads the attacker's library and the malicious code runs inside a trusted, signed process. Because the executable itself is benign and often allow-listed, the activity blends in with normal process behavior and is difficult to spot with signature-based tools.

The length of the intrusion shows that the attackers evaded the organization's existing detection, underscoring the need for endpoint detection and response (EDR) capable of inspecting what a process loads, not just which process runs. The targeting also reflects the strategic interest of Chinese APT groups in intelligence about U.S. policy, with implications for national security.

Organizations should watch for unusual DLL loading activity: signed executables running from user-writable or otherwise non-standard paths, DLLs loaded from the executable's own directory that are unsigned or signed by a different publisher than the host program, and known sideloading hosts appearing outside their normal install locations. They should also deploy and tune EDR and review their incident response plans. Policy-focused organizations in particular should assume they are targets and invest in advanced detection and response. The incident illustrates the persistent threat from Chinese APT groups and the need for proactive defenses.
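The monitoring advice above can be turned into a concrete check. The following is an added example written for this article, not code from the original report or from any vendor: it scores Sysmon image-load (Event ID 7) records for the sideloading pattern, flagging a DLL that is loaded from the host executable's own directory and is either unsigned or signed by a different publisher than the host, and noting when the host runs from outside the usual install roots. The records are constructed sample data. `Image`, `ImageLoaded`, `Signed` and `Signature` are real Sysmon Event 7 fields; `ImageSigner` is an assumed enrichment field (the signer of the host process, which Sysmon does not record and which would come from a code-signing lookup). vetysafe.exe is used as the host name because the article names it, but the directories, the DLL names and the publisher "Example Vendor" are placeholders, not indicators from the incident.

```python
"""Flag likely DLL sideloading in Sysmon Event ID 7 (image load) records.

Added example for this article; all event data below is constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Where a vendor-installed, signed executable normally lives (lower-case prefixes).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon-style records: key=value pairs separated by '|'.
# ImageSigner is an assumed enrichment field, not a native Sysmon field.
SAMPLE_EVENTS = [
    # Benign: installed exe loads a DLL signed by the same publisher.
    "Image=C:\\Program Files\\Vendor\\vetysafe.exe|ImageLoaded=C:\\Program Files\\Vendor\\helper.dll"
    "|Signed=true|Signature=Example Vendor|ImageSigner=Example Vendor",
    # Benign: exe loads a Microsoft-signed system DLL from System32.
    "Image=C:\\Program Files\\Vendor\\vetysafe.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll"
    "|Signed=true|Signature=Microsoft Windows|ImageSigner=Example Vendor",
    # Sideload pattern: signed exe copied to a user-writable dir loads an unsigned DLL beside it.
    "Image=C:\\Users\\Public\\Libraries\\vetysafe.exe|ImageLoaded=C:\\Users\\Public\\Libraries\\payload.dll"
    "|Signed=false|Signature=|ImageSigner=Example Vendor",
    # Sideload pattern: DLL beside the exe is signed, but by a different publisher.
    "Image=C:\\ProgramData\\update\\vetysafe.exe|ImageLoaded=C:\\ProgramData\\update\\helper.dll"
    "|Signed=true|Signature=Some Other Co|ImageSigner=Example Vendor",
]


@dataclass
class ImageLoad:
    image: str          # host process executable (Sysmon "Image")
    image_loaded: str   # DLL that was mapped (Sysmon "ImageLoaded")
    dll_signed: bool    # Sysmon "Signed" for the DLL
    dll_signer: str     # Sysmon "Signature" for the DLL
    image_signer: str   # assumed enrichment: signer of the host executable


def parse_event(line: str) -> ImageLoad:
    """Parse one 'key=value|key=value' record into an ImageLoad."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        dll_signed=fields["Signed"].strip().lower() == "true",
        dll_signer=fields["Signature"].strip(),
        image_signer=fields["ImageSigner"].strip(),
    )


def in_trusted_root(path: str) -> bool:
    """True if the path sits under a standard Windows or Program Files root."""
    return path.lower().startswith(TRUSTED_ROOTS)


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return the reasons this load looks like sideloading; empty means not flagged."""
    # PureWindowsPath compares case-insensitively, matching NTFS semantics.
    exe_dir = PureWindowsPath(ev.image).parent
    dll_dir = PureWindowsPath(ev.image_loaded).parent
    if exe_dir != dll_dir:
        return []  # the planted DLL sits next to the host exe; other loads are out of scope here
    reasons = []
    if not ev.dll_signed:
        reasons.append("unsigned DLL loaded from the host executable's own directory")
    elif ev.dll_signer.lower() != ev.image_signer.lower():
        reasons.append(
            f"DLL signer '{ev.dll_signer}' differs from host signer '{ev.image_signer}'"
        )
    if reasons and not in_trusted_root(ev.image):
        reasons.append("host executable runs from a non-standard, likely user-writable path")
    return reasons


def find_sideloads(lines: list[str]) -> dict[str, list[str]]:
    """Map each suspicious DLL path to the reasons it was flagged."""
    hits: dict[str, list[str]] = {}
    for line in lines:
        ev = parse_event(line)
        reasons = sideload_reasons(ev)
        if reasons:
            hits[ev.image_loaded] = reasons
    return hits


if __name__ == "__main__":
    for dll, reasons in find_sideloads(SAMPLE_EVENTS).items():
        print(dll)
        for r in reasons:
            print("  -", r)
```

Run against the sample set, the two records where a DLL beside the copied executable is unsigned or carries a foreign signature are flagged, while the in-place vendor DLL and the System32 load are not. The signer comparison is a heuristic, not proof: many legitimate vendor DLLs ship unsigned, and an installer in a writable directory is not always malicious, so in production this logic belongs on top of a per-executable baseline of normal image loads, with the known sideloading hosts your threat intelligence names (vetysafe.exe among them) given a lower alert threshold.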