
U.S. authorities have launched an investigation into a sophisticated malware operation that allegedly targeted trade talks with Beijing, using fraudulent emails impersonating a senior Republican lawmaker, Representative John Moolenaar, to deliver the malware. Reports say cyber analysts have traced the attack to the China-linked APT41 hacking group.
The incident came to light after multiple U.S. trade groups, law firms, and government agencies received emails in July that appeared to be from Representative John Moolenaar, chairman of the House committee focused on strategic competition with China.
The emails requested input on proposed sanctions against Beijing and included an attachment purported to be draft legislation, according to a Sunday Wall Street Journal report.
Cybersecurity analysts have determined that opening this attachment would install malware, giving attackers extensive access to the target's systems.
The timing of the attack coincided with contentious U.S.-China trade negotiations in Sweden, the Journal said.
The FBI has confirmed that it is aware of the situation and is working to identify those responsible. "While we are not commenting on any specific information, the FBI is aware of the situation, and we are working with our partners to identify and pursue those responsible," the FBI told Reuters.
Forensic analysis has reportedly linked the malware to APT41 (also known as HOODOO), the Journal said. The U.S. government assesses that APT41 is composed of Chinese nationals, an attribution based primarily on overlaps in TTPs, infrastructure, and malware families exclusive to Chinese APTs.
This connection suggests the campaign may have been a state-sponsored cyber espionage operation designed to gather intelligence on U.S. trade strategies and policy recommendations being provided to the White House, reports say. The investigation is ongoing.
Representative Moolenaar condemned the attack as another example of Chinese cyber operations aimed at stealing U.S. strategic information, Reuters said.
In October 2024, GTIG discovered a compromised government website being used to distribute spear phishing emails with links to ZIP archives containing a disguised LNK file and a directory of ostensibly benign JPG images. In August 2025, APT41 targeted the Taiwanese Research Institute with Cobalt Strike and ShadowPad.