Going Underground: China-aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels

Throughout July and August 2025, TA415 conducted spearphishing campaigns targeting United States government, think tank, and academic organizations utilizing U.S.-China economic-themed lures. In this activity, the group masqueraded as the current Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party (CCP), as well as the US-China Business Council, to target a range of individuals and organizations predominantly focused on U.S.-China relations, trade, and economic policy.

The TA415 phishing campaigns delivered an infection chain that attempts to establish a Visual Studio Code (VS Code) Remote Tunnel, enabling the threat actor to gain persistent remote access without the use of conventional malware. Recent TA415 phishing operations have consistently used legitimate services for command and control (C2), including Google Sheets, Google Calendar, and VS Code Remote Tunnels. This is likely a concerted effort from TA415 to blend in with existing legitimate traffic to these trusted services.
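Because a Remote Tunnel uses a signed, legitimate binary and trusted domains, detection has to rest on context: which hosts start tunnels, and what launched them. The following is an added example, not code from this post or from Proofpoint. It flags `code tunnel` process launches and tunnel-service DNS lookups on hosts not approved for tunnels; the event schema, host names, parent-process list, and DNS suffixes are assumptions for illustration.

```python
import re

# Assumption: DNS suffixes Microsoft documents for dev tunnel traffic; verify against current docs.
TUNNEL_DNS_SUFFIXES = (".tunnels.api.visualstudio.com", ".devtunnels.ms")
# VS Code CLI binary names that accept the "tunnel" subcommand.
CODE_BINARIES = {"code", "code.exe", "code.cmd", "code-insiders", "code-insiders.exe",
                 "code-tunnel", "code-tunnel.exe"}
# Assumption: parent processes that suggest a scripted, non-interactive launch.
SCRIPT_PARENTS = {"pythonw.exe", "python.exe", "wscript.exe", "cscript.exe",
                  "powershell.exe", "cmd.exe"}

def basename(path):
    """Lower-cased file name from a Windows or POSIX path, quotes removed."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()

def is_tunnel_command(cmdline):
    """True when a VS Code CLI binary is invoked with the 'tunnel' subcommand."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens or basename(tokens[0]) not in CODE_BINARIES:
        return False
    return "tunnel" in (t.lower() for t in tokens[1:])

def find_tunnel_activity(events, approved_hosts=frozenset()):
    """Return (host, finding, severity) for tunnel activity on unapproved hosts."""
    findings = []
    for ev in events:
        if ev["host"] in approved_hosts:
            continue  # hosts where tunnels are sanctioned
        if ev["type"] == "process" and is_tunnel_command(ev["cmdline"]):
            scripted = basename(ev["parent"]) in SCRIPT_PARENTS
            findings.append((ev["host"], "tunnel-process", "high" if scripted else "medium"))
        elif ev["type"] == "dns" and ev["query"].lower().rstrip(".").endswith(TUNNEL_DNS_SUFFIXES):
            findings.append((ev["host"], "tunnel-dns", "medium"))
    return findings

# Constructed sample telemetry (hypothetical schema and host names, not real incident data).
SAMPLE_EVENTS = [
    {"host": "ws-policy-07", "type": "process", "parent": r"C:\Users\Public\py\pythonw.exe",
     "cmdline": r'"C:\Users\Public\tools\code.exe" tunnel --name constructed-name'},
    {"host": "ws-policy-07", "type": "dns", "query": "global.rel.tunnels.api.visualstudio.com"},
    {"host": "dev-laptop-12", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" --new-window'},
    {"host": "dev-laptop-12", "type": "dns", "query": "update.code.visualstudio.com"},
    {"host": "dev-build-01", "type": "process", "parent": "cmd.exe",
     "cmdline": "code tunnel service install"},
]

if __name__ == "__main__":
    for finding in find_tunnel_activity(SAMPLE_EVENTS, approved_hosts={"dev-build-01"}):
        print(finding)
```

In organizations where few users need Remote Tunnels, keeping the approved-host list short makes any new tunnel start a reviewable event.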

👉 To read the complete article, see: Proofpoint Blog.

This post is licensed under CC BY 4.0 by the author.