Key Findings

In February 2025, ReliaQuest investigated a sophisticated intrusion targeting a US-based defense technology customer, which we assessed, with medium-high confidence, to have originated from a Chinese advanced persistent threat (APT) group. The attack, which had all the hallmarks of espionage, showcased advanced techniques and technical expertise, including re-compromising the network after being removed. The attackers exploited multiple vulnerabilities, leveraged stealthy evasion techniques, and maintained persistence through custom tools and web shells.
In this report, we uncover the inner workings of a clever and sophisticated cyber attack likely intended to exfiltrate sensitive information. Here's what the report covers:
A deep dive into the anatomy of the attack, revealing how breakout times shift with the attacker’s objectives and the cutting-edge tactics they deploy—like layering multiple techniques to outsmart security defenses.
A trail of breadcrumbs: How we traced the activity back to a Chinese nation-state actor through linguistic clues, operational timing, and an alignment with China's strategic ambitions.
Remediation and mitigation strategies, powered by ReliaQuest GreyMatter automated response playbooks, designed to stop these tactics in their tracks and protect against future threats.
China’s Fingerprints: Attribution Points to Espionage
The adversary’s stealth, strategic targets, operational timing, and technical sophistication all point to a nation-state actor. The attack’s likely focus on stealing defense and engineering intellectual property (IP) aligns with China’s well-documented goals of bolstering military strength and technological dominance through espionage. Let’s break down the key evidence that led us to this hypothesis.
Indicators | Attribution |
---|---|
Breakout time | In our Annual Threat Report, we recorded an average breakout time—the time it takes attackers to move from initial access to lateral movement—of 48 minutes. In this attack, with a breakout time of 21 hours, the APT group’s slower, methodical pace likely indicates a focus on evading detection over speed, a common calling card of nation-state-associated threat actors. |
Timing | The timing of the attacks—predominantly occurring between 7:00 and 18:00 UTC—matches typical working hours in China, including those for state-sponsored operations. |
Targets | The assets targeted included comprehensive backup files from Secure File Transfer Protocol (SFTP) servers that would yield access to defense technology blueprints and electrical design frameworks, aligning seamlessly with China’s 14th Five-Year Plan to achieve technological self-sufficiency and advance military modernization. China-backed groups often pursue these types of objectives, stealing IP to strengthen China’s domestic industries and defense capabilities. |
Language | Chinese linguistic markers in malicious scripts can be planted to mislead investigators, so their presence in this attack is a relevant indicator of Chinese actor involvement but inconclusive on its own. |
Technicality | The attackers exploited multiple vulnerabilities for initial access and used advanced evasion tactics like disabling monitoring systems, wiping logs, and using custom tools and legitimate binaries (LOLbins) to stay under the radar. They maintained persistence with custom Dynamic Link Library (DLL) files designed to bypass conventional defenses and remain undetected. |
We also analyzed past campaigns by China-linked APT groups and found key tactics from this attack mirrored in other incidents:
Residential proxies used to hide traffic and maintain stealth for command-and-control (C2) infrastructure
Web shell techniques, enabling in-memory execution and persistence via DLLs
Server Message Block (SMB) shares used for lateral movement across network segments
Exploitation of high-privileged accounts whose passwords had possibly never been changed
Web shell tunneling, linking servers across network segments
Implications for Enterprises
Unlike financially motivated attacks, campaigns linked to nation-state actors, such as those associated with China, focus on long-term persistence and strategic objectives like acquiring IP to achieve technological supremacy and military dominance. This distinction means enterprises must prepare for highly sophisticated tactics and extended operational timelines.
Nation-states leverage advanced techniques like traffic obfuscation, web shell tunneling, and exploitation of weak credential practices to maintain access over months or years. The resources and specialization involved allow these actors to bypass traditional defenses, posing a unique challenge to enterprises. Organizations must adapt their defenses by focusing on detecting persistence, securing privileged accounts, and implementing advanced monitoring to protect critical assets from these persistent threats.
Attack Lifecycle
Initial Access

Figure 1: Initial access via SharePoint vulnerability
The threat actor exploited multiple SharePoint vulnerabilities to gain access to a SharePoint server in the environment. They then brute-forced several service accounts tied to SharePoint and the security assessment software Varonis (see Figure 1). Fifteen days after losing access, they exploited Ivanti Pulse Secure vulnerabilities to compromise multiple Ivanti devices, using residential proxy IPs to mask their traffic source (see Figure 2).
Why Does This Matter?
In 2024, 45% of hands-on-keyboard intrusions abused external remote services like Ivanti—prime targets due to their public exposure and the difficulty of securing them. In this case, end-of-life, unpatched Ivanti devices left the environment unprotected against new vulnerabilities. Abusing these weaknesses and compromising service accounts yielded extensive access, with the repeated intrusions highlighting the adversary's laser focus.
Lateral Movement

Figure 2: Initial access via Ivanti vulnerability
Twenty hours after achieving initial access through SharePoint, the attacker used compromised service accounts to scan the network and map the quickest route to the “crown jewels.” They pivoted to multiple servers, focusing on SFTP servers holding sensitive data. One hour after the scan was complete, they achieved lateral movement. Then, the threat actor moved to other hosts, using:
SMB Named Pipe Creation: Named pipes let attackers send commands to other hosts on the network and retrieve the commands’ outputs for lateral movement. Here, the “ntsvcs” pipe was created in the IPC$ network share, granting the attacker extensive file access and execute permissions on a System Center Configuration Manager (SCCM) Server and domain controller.
Remote Desktop Protocol (RDP): The SharePoint service account attempted RDP connections to 27 different hosts but failed, with logs citing “insufficient data passed.”
HTTPS Remote Process Manipulation: During the second initial access (Ivanti), the web server process “w3wp.exe” remotely modified multiple files on the target servers, including “redirsuiteserviceproxy.aspx,” “logon.aspx,” and “logoff.aspx,” to deploy web shells. These web shells communicated with a compromised Ivanti device for outbound C2, using “web shell chaining” to move through network segments undetected.
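Two of the lateral-movement behaviours above leave distinctive host telemetry: the “ntsvcs” pipe being opened on the IPC$ share (Windows Security event 5145) and the IIS worker process w3wp.exe writing server-side script files (Sysmon event 11). The detector below is an added example, not ReliaQuest’s or GreyMatter’s code; the events are constructed, the host names and IPs are placeholders, and the “svcctl” pipe is an assumed peer of “ntsvcs” not mentioned in the report.

```python
from typing import Dict, List

# Constructed sample telemetry modelled on Windows Security event 5145
# (network share object accessed) and Sysmon event 11 (FileCreate).
# These are illustrative records, not logs from the incident in the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "5145", "Computer": "SCCM01", "SubjectUserName": "svc_sharepoint",
     "IpAddress": "10.0.5.21", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "ntsvcs", "AccessMask": "0x12019f"},
    {"EventID": "5145", "Computer": "FS02", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.8.14", "ShareName": "\\\\*\\Projects",
     "RelativeTargetName": "plans\\rev3.docx", "AccessMask": "0x120089"},
    {"EventID": "11", "Computer": "WEB01",
     "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\owa\\auth\\logon.aspx"},
    {"EventID": "11", "Computer": "WEB01",
     "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\inetpub\\temp\\compressed\\page.gz"},
]

# Named pipes that expose remote service control / command execution over SMB.
# "ntsvcs" is the pipe named in the report; "svcctl" is added as an assumed peer.
REMOTE_EXEC_PIPES = {"ntsvcs", "svcctl"}
# Server-side script extensions an IIS worker process should never be writing.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp")


def detect_lateral_movement(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event matching either detection rule."""
    findings = []
    for ev in events:
        if ev.get("EventID") == "5145" and ev.get("ShareName", "").upper().endswith("IPC$"):
            pipe = ev.get("RelativeTargetName", "").lstrip("\\").lower()
            if pipe in REMOTE_EXEC_PIPES:
                findings.append({
                    "rule": "smb_named_pipe_remote_exec", "host": ev["Computer"],
                    "detail": f"{ev['SubjectUserName']}@{ev['IpAddress']} opened \\pipe\\{pipe}"})
        elif ev.get("EventID") == "11" and ev.get("Image", "").lower().endswith("\\w3wp.exe"):
            target = ev.get("TargetFilename", "")
            if target.lower().endswith(SCRIPT_EXTENSIONS):
                findings.append({"rule": "iis_worker_wrote_server_script",
                                 "host": ev["Computer"], "detail": target})
    return findings


if __name__ == "__main__":
    for f in detect_lateral_movement(SAMPLE_EVENTS):
        print(f["rule"], f["host"], f["detail"])
```

Baseline the second rule against legitimate deployments first: web application installers and content-management tooling can also write .aspx files, so the alert should carry the writing process and its parent for triage.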
Why Does This Matter?
After identifying targets through scans, the attacker zeroed in on critical infrastructure like domain controllers responsible for network authentication and file servers holding sensitive data. With access to domain controllers and sensitive file servers, the adversary could steal credentials, read network documentation, and expose proprietary information.
Step Up Your Defenses
Block network-sharing protocols like SMB on critical systems using host-based firewalls. This stops attackers from using these protocols to pivot into critical resources and access sensitive authentication data.

Figure 3: Continued Ivanti device persistence
Execution
The attacker hijacked legitimate binaries like “lbfoAdmin.exe” on the SharePoint server to run malicious payloads and move laterally, bypassing security policies by signing the payloads with old, legitimate certificates. They also ran in-memory scripts (see Figures 4 and 5) via Windows Management Instrumentation (WMI), including one with Chinese characters, likely to evade endpoint detection. While this activity was flagged because of the “Trojan:JS/SharpShooterInvoke.A” signature, the script points to a Chinese threat actor skilled in endpoint evasion.

Figure 4: Malicious use of ActiveX objects and obfuscated .NET objects to execute payloads in memory, including Chinese characters

Figure 5: Malicious WMI event script using obfuscation techniques to execute a VBScript payload (obfuscation methods highlighted)
The adversary repeatedly tried loading additional heavily obfuscated malicious scripts through WMI. The scripts were designed to prepare and write data to “C:\ProgramData\Templates.log,” which we saw written on several domain controllers and, later, on the SFTP server during the Ivanti intrusion (see Figure 5). Using a permanent WMI event consumer with the multi-stage custom scripts (a hallmark of a sophisticated threat actor) allowed the attacker to maintain persistence on these critical hosts across reboots, checking for host changes every five seconds and executing the VBS script (see Figure 5).
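The permanent WMI event subscription described above is made of three WMI objects (an __EventFilter with the polling query, a consumer that runs the script, and a binding between them), and Sysmon records each as event ID 19, 20 and 21. The detector below is an added example rather than the report’s or GreyMatter’s code: it links the binding back to its filter, flags consumer classes that execute code, and flags filters that poll on a short interval such as the five-second cadence seen here. The events, the “HostMon” name and the 60-second default threshold are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed Sysmon WMI activity events (ID 19 filter, 20 consumer, 21 binding),
# using the field names Sysmon logs; illustrative only, not the incident's telemetry.
SAMPLE_WMI_EVENTS: List[Dict[str, str]] = [
    {"EventID": "19", "Operation": "Created", "Name": "HostMon",
     "EventNamespace": "root\\CIMV2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 5 "
              "WHERE TargetInstance ISA 'Win32_LocalTime'"},
    {"EventID": "20", "Operation": "Created", "Name": "HostMon", "Type": "Script",
     "Destination": "VBScript: CreateObject(\"WScript.Shell\").Run ..."},
    {"EventID": "21", "Operation": "Created",
     "Consumer": "ActiveScriptEventConsumer.Name=\"HostMon\"",
     "Filter": "__EventFilter.Name=\"HostMon\""},
    # Binding shipped with Windows; should not be flagged.
    {"EventID": "21", "Operation": "Created",
     "Consumer": "NTEventLogEventConsumer.Name=\"SCM Event Log Consumer\"",
     "Filter": "__EventFilter.Name=\"SCM Event Log Filter\""},
]

NAME_RE = re.compile(r'Name="([^"]+)"')
WITHIN_RE = re.compile(r"\bWITHIN\s+(\d+)", re.IGNORECASE)
# Consumer classes that execute attacker-supplied script or commands.
CODE_EXEC_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}


def detect_wmi_persistence(events: List[Dict[str, str]],
                           max_poll_seconds: int = 60) -> List[Dict[str, object]]:
    """Flag filter-to-consumer bindings that can run code or poll aggressively."""
    filters = {e["Name"]: e for e in events if e["EventID"] == "19"}
    findings = []
    for e in events:
        if e["EventID"] != "21":
            continue
        consumer_class = e["Consumer"].split(".", 1)[0]
        fname = NAME_RE.search(e["Filter"])
        filt = filters.get(fname.group(1)) if fname else None
        reasons = []
        if consumer_class in CODE_EXEC_CONSUMERS:
            reasons.append(f"{consumer_class} executes script or command on every event")
        if filt:
            m = WITHIN_RE.search(filt["Query"])
            if m and int(m.group(1)) <= max_poll_seconds:
                reasons.append(f"filter polls every {m.group(1)}s ({filt['Query']})")
        if reasons:
            findings.append({"binding": e["Consumer"], "reasons": reasons})
    return findings
```

The same three objects can be enumerated directly on a host with Get-WmiObject against the root\subscription namespace when Sysmon telemetry is not available.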
Why Does This Matter?
Abuse of legitimate processes, in-memory execution, high obfuscation, custom tooling, and old certificates hinder response efforts, as security tools struggle to classify the threat actor’s activity as malicious. If detection is harder, attacks persist longer and amplify the risk of data exfiltration, operational disruption, and greater damage to the organization.
Step Up Your Defenses
Use endpoint detection and response (EDR) with strong behavioral detections to identify abuse of legitimate system features that can bypass traditional preventive measures.
Defense Evasion
Defense evasion was constant throughout the attack. In-memory malware hit the first domain controller, logging was disabled on Ivanti appliances, and process injection into niche binaries like “lbfoAdmin.exe” bypassed EDR and facilitated the adversary’s operations on the SFTP server. On an exchange server, the threat actor wiped Active Directory driver logs to hide authentication events and user access trails. Each of these actions was calculated and often occurred prior to known malicious activity.
Why Does This Matter?
These actions highlight the threat actor’s determination to stay hidden, hinder remediation, and complete their mission. Disabling logging on the Ivanti devices blocked alerts that could have triggered an investigation, while wiping Active Directory driver logs cut off visibility into authentication events and user access. These logs are critical for tracking compromised accounts and identifying their origin, making their removal a major blow to forensic efforts.
Step Up Your Defenses
Forward logs to remote storage immediately to stop attackers from tampering with them. Minimize local storage and use log forwarders to move logs quickly while giving storage servers time to process them.
Persistence
The threat actor’s main goal was to find the shortest path to, and remain persistent on, the SFTP server, which stored sensitive data like network configurations, system backups, and proprietary information related to defense contracts. Once the actor found the shortest and most efficient path to the SFTP server (e.g., SharePoint Server → Domain Controller → SFTP server), they reused the same path without expanding to other parts of the environment.
On the SFTP server, the attacker identified the use of Globalscape, SFTP software that provides secure and automated data transfer capabilities, and impersonated legitimate Globalscape files to establish a backdoor. They utilized the program’s files and paths to blend their actions in with standard Globalscape operating functions. The following Globalscape binaries were manipulated:
C:\Program Files\Globalscape\EFT Server\IPWork EDI COM.dll
C:\Program Files\Globalscape\EFT Server\DBUtility\logs4net.dll
C:\ProgramData\Globalscape\EFT Server\Backup\Temp\1.bak
C:\Program Files\Globalscape\EFT Server\GoogleDriveClientHelper.dll
Further forensic review of the files revealed that malicious code had been injected into these binaries while their original functions were kept intact. One specific capability was found: the attacker could trigger the backdoor through a crafted POST request to “favidon.ico” on the public-facing webpage of the SFTP server.
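The “favidon.ico” trigger stands out in web server logs for two reasons: a browser never POSTs to an icon, and the name is one character away from the standard favicon.ico. The detector below is an added example, not the report’s or GreyMatter’s code; it flags non-GET requests to static-asset paths and one-character lookalikes of well-known static filenames. The log lines, client IPs and the Globalscape EFT web path are constructed assumptions.

```python
from typing import Dict, List, Optional

# Constructed IIS W3C-style access log lines; illustrative, not logs from the incident.
# The EFTClient path is an assumed Globalscape EFT web path, not taken from the report.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-02-10 09:12:01 203.0.113.7 GET /favicon.ico 200
2025-02-10 09:12:03 203.0.113.7 POST /favidon.ico 200
2025-02-10 09:15:44 198.51.100.9 GET /images/logo.png 200
2025-02-10 09:16:02 198.51.100.9 POST /EFTClient/Account/Login.htm 302
"""

STATIC_EXTENSIONS = (".ico", ".png", ".jpg", ".gif", ".css", ".js")
KNOWN_STATIC_NAMES = {"favicon.ico", "robots.txt"}


def lookalike_of_known(name: str) -> Optional[str]:
    """Return the well-known filename that differs from `name` by exactly one character."""
    for known in KNOWN_STATIC_NAMES:
        if len(known) == len(name) and name != known:
            if sum(a != b for a, b in zip(known, name)) == 1:
                return known
    return None


def detect_static_resource_posts(log_text: str) -> List[Dict[str, object]]:
    """Flag non-GET/HEAD requests to static assets or to lookalikes of known static files."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _date, _time, client_ip, method, uri, status = line.split()
        name = uri.rsplit("/", 1)[-1].lower()
        if method.upper() in ("GET", "HEAD"):
            continue
        reasons = []
        if name.endswith(STATIC_EXTENSIONS):
            reasons.append(f"{method} to static asset")
        known = lookalike_of_known(name)
        if known:
            reasons.append(f"name resembles {known}")
        if reasons:
            findings.append({"client": client_ip, "uri": uri,
                             "status": status, "reasons": reasons})
    return findings
```

A 200 response to such a request, as in the sample, is itself a signal: a static file server would normally answer a POST to an icon with 404 or 405.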
Additional persistence was deployed on the Ivanti appliances, which we assess with high confidence was achieved via web shells. Logs reveal strong indicators that files on the appliances were tampered with (see Figure 6). Mismatched files serve as a significant indicator of compromise.

Figure 6: Ivanti Connect Secure Integrity Checker Tool (ICT) reveals abnormal files
Why Does This Matter?
These tactics reveal the threat actor’s sophistication and determination to maintain long-term access. By rewriting Globalscape binaries with malicious code that mimicked legitimate functions, they ensured their backdoor would remain operational even if patches were applied. Covert POST requests to “favidon.ico” bypassed authentication, while web shells on Ivanti appliances ensured long-term remote access.
Step Up Your Defenses
Segment access to critical systems, such as the SFTP server, from the rest of the network via secure jump hosts that enforce multifactor authentication and monitor all activity on the network pathway. This stops attackers from moving laterally if initial access is achieved.
Key Takeaways and What’s Next
This attack exemplifies the hallmarks of a highly capable and well-resourced adversary, likely tied to a Chinese nation-state actor. The comparatively long breakout time of 21 hours indicates a deliberate and patient approach, emphasizing stealth over speed—a calculated strategy designed to evade detection and ensure operational success. The attackers demonstrated advanced technical expertise, employing a sophisticated blend of initial access methods, lateral movement techniques, and defense evasion strategies, all aimed at maintaining long-term persistence within the environment. Their relentless focus on accessing sensitive data, combined with their ability to re-compromise the network after removal, underscores their tenacity and strategic intent. This was not just an opportunistic intrusion; it was a methodical, espionage-driven operation with clear objectives aligned with China's documented goals of technological dominance and military advancement.
Given the escalating political tensions between China and the US, it is highly likely that other organizations will face similar threats from China-affiliated threat actors in the near future (within three months). These cyber threats are unfolding against the backdrop of a rapidly intensifying trade war. This economic friction not only fuels competition over trade but also heightens China's motivation to engage in cyber espionage to offset the economic impact of recent tariffs and maintain its trajectory toward technological dominance. For US organizations—especially those in defense, manufacturing, and high-tech industries—the stakes are higher than ever. These sectors have become prime targets for nation-state actors seeking to acquire intellectual property and gain a competitive edge in the global economy.
John Dilgen, James Xiang, and Alexa Feminella are the principal authors of this report.