A suspected Chinese threat actor conducted a four-month-long intrusion against a major U.S. organization from at least April to August 2024, with earlier activity suspected. Symantec reports that the attackers moved laterally across the network, targeted Exchange Servers to harvest emails, and deployed data exfiltration tools. Links to China are suggested by the use of DLL side-loading, open-source tools like FileZilla and Impacket, and tactics associated with state-sponsored groups like Crimson Palace and Daggerfly. The initial access vector remains unclear, but evidence indicates prior compromise of at least one machine. The attack underscores the role of fake enterprises and state-linked actors in China's cyber offensive ecosystem.