As the United States and China prepare for a pivotal diplomatic call on September 19, 2025, tensions between the two global giants are running high—not just at the negotiating table, but also in cyberspace. The upcoming conversation between President Donald Trump and President Xi Jinping is expected to tackle hot-button issues like TikTok, tariffs, and technology transfers, all while a shadowy cyber-espionage campaign unfolds in the background, targeting the very institutions shaping U.S.-China policy.
According to a recent report by Proofpoint, a leading cybersecurity firm, a Chinese state-aligned hacking group known as TA415 has launched a sophisticated spearphishing campaign against U.S. government agencies, academic institutions, and think tanks. The timing is no coincidence. As the two nations inch closer to a deal on contentious trade issues, TA415’s digital offensive appears aimed at gathering intelligence on the evolving economic relationship. Proofpoint assesses, “A primary objective of these campaigns is likely the collection of intelligence on the trajectory of U.S.-China economic ties. This activity aligns with recent reporting by the Wall Street Journal.”
TA415, also tracked as APT41, Brass Typhoon, or Wicked Panda, is no stranger to U.S. authorities. The group was indicted by the U.S. government in 2020 and is believed to operate as a private contractor based in Chengdu, China, with reported links to the Ministry of State Security. Its latest campaign, observed in July and August 2025, has taken on new urgency and technical sophistication. Instead of relying on traditional malware, TA415 has shifted to leveraging a legitimate developer tool, Visual Studio Code (VS Code) Remote Tunnels, to maintain persistent, covert access to compromised systems.
Proofpoint’s research reveals that TA415’s phishing emails impersonated both the U.S.-China Business Council and Representative John Moolenaar, the Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party. These lures referenced trade and sanctions policy, targeting individuals and departments directly involved in U.S.-China relations. The emails included links to password-protected archive files hosted on public cloud services, adding a layer of difficulty for detection by standard security protocols.
Once an unsuspecting recipient downloaded and opened the archive, they found a Windows shortcut (LNK) file alongside other hidden files. Executing the shortcut triggered a batch script, which launched a custom Python loader dubbed WhirlCoil. This loader downloaded the VS Code command-line interface (CLI) from Microsoft, extracted it, and registered a scheduled task for persistence, set to run every two hours and often with administrative privileges. WhirlCoil would then collect system and directory data, together with the tunnel's GitHub verification code, and send it all to a public request logging service. Retrieving that code gave TA415 what it needed to authenticate the VS Code Remote Tunnel via GitHub, effectively granting the group access to the compromised computer's file system and the ability to execute arbitrary commands.
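The chain above leaves two traces a defender can look for without any malware signature: a scheduled task whose action runs the VS Code CLI with the `tunnel` subcommand, and a `code.exe tunnel` process started by a script interpreter from a user-writable location rather than launched from a normal VS Code install by an interactive user. The following detection logic is an added example for this article, not code from Proofpoint or from the campaign; the log lines are constructed and simplified (a flat `Key=Value` rendering of Windows event IDs 4698 and 4688, such as a SIEM might normalize), and the field names, paths and task name are assumptions for illustration.

```python
"""Flag VS Code Remote Tunnel persistence in normalized Windows event logs (added example)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed sample events (not real telemetry). Lines 1 and 4 model the
# pattern described in the article; the others are benign look-alikes.
SAMPLE_LOGS = [
    r'EventID=4698 TaskName=\Updater Command="C:\Users\alice\AppData\Local\Temp\vscode\code.exe" Arguments="tunnel --accept-server-license-terms --name ws01" Interval=PT2H',
    r'EventID=4688 NewProcessName=C:\Windows\System32\cmd.exe ParentProcessName=C:\Windows\explorer.exe CommandLine="cmd.exe /c start.bat"',
    r'EventID=4688 NewProcessName=C:\Users\alice\AppData\Local\Temp\python\python.exe ParentProcessName=C:\Windows\System32\cmd.exe CommandLine="python.exe loader.py"',
    r'EventID=4688 NewProcessName=C:\Users\alice\AppData\Local\Temp\vscode\code.exe ParentProcessName=C:\Users\alice\AppData\Local\Temp\python\python.exe CommandLine="code.exe tunnel --accept-server-license-terms"',
    r'EventID=4688 NewProcessName=C:\Program Files\Microsoft VS Code\Code.exe ParentProcessName=C:\Windows\explorer.exe CommandLine="Code.exe C:\repo"',
    r'EventID=4688 NewProcessName=C:\Program Files\Microsoft VS Code\bin\code-tunnel.exe ParentProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="code-tunnel.exe tunnel"',
    r'EventID=4698 TaskName=\Microsoft\Windows\Defrag\ScheduledDefrag Command="%windir%\system32\defrag.exe" Arguments="-c -h -o" Interval=P7D',
]

# Binary names the VS Code CLI ships under (code.exe is the standalone CLI
# download; code-tunnel.exe is bundled with the desktop install on Windows).
VSCODE_CLI_NAMES = {"code.exe", "code-tunnel.exe"}

# Parents that indicate a human typed the command (a developer may legitimately
# start a tunnel from a shell; a loader spawning it from Temp is the concern).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # Key="quoted value" or Key=bareword


@dataclass
class Finding:
    event_id: int
    reason: str
    line: str


def parse_event(line: str) -> Dict[str, str]:
    """Turn one normalized log line into a field dictionary."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def is_vscode_cli(path: str) -> bool:
    return PureWindowsPath(path).name.lower() in VSCODE_CLI_NAMES


def from_expected_install(path: str) -> bool:
    """True when the binary lives where VS Code is normally installed, not in Temp/Downloads."""
    lowered = path.lower()
    return "\\program files\\" in lowered or "\\appdata\\local\\programs\\" in lowered


def has_tunnel_subcommand(args: str) -> bool:
    return "tunnel" in args.lower().split()


def analyze(line: str) -> Optional[Finding]:
    ev = parse_event(line)
    try:
        event_id = int(ev.get("EventID", "0"))
    except ValueError:
        return None

    if event_id == 4698:  # scheduled task created
        if is_vscode_cli(ev.get("Command", "")) and has_tunnel_subcommand(ev.get("Arguments", "")):
            return Finding(event_id,
                           f"scheduled task {ev.get('TaskName')} launches a VS Code tunnel "
                           f"(interval {ev.get('Interval', 'unknown')})", line)

    elif event_id == 4688:  # process created
        proc = ev.get("NewProcessName", "")
        parent = PureWindowsPath(ev.get("ParentProcessName", "")).name.lower()
        if is_vscode_cli(proc) and has_tunnel_subcommand(ev.get("CommandLine", "")):
            # Either a script/loader started it, or the CLI runs from an unexpected path.
            if parent not in INTERACTIVE_PARENTS or not from_expected_install(proc):
                return Finding(event_id,
                               f"VS Code tunnel started by {parent or 'unknown'} from {proc}", line)
    return None


def detect(lines: List[str]) -> List[Finding]:
    return [f for f in (analyze(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(f"[{finding.event_id}] {finding.reason}")
```

Run against the constructed sample, the two suspicious events (the two-hourly task and the `code.exe tunnel` process spawned by `python.exe` out of `Temp`) are reported, while the developer who starts `code-tunnel.exe tunnel` from PowerShell out of `Program Files` is not. In production the same two rules map onto whatever your EDR or SIEM exposes for task registration and process creation; the parent-process and install-path conditions are what keep the rule from paging on every engineer who uses Remote Tunnels legitimately.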
In a statement, Proofpoint explained, “The TA415 phishing campaigns delivered an infection chain that attempts to establish a Visual Studio (VS Code) Remote Tunnel, enabling the threat actor to gain persistent remote access without the use of conventional malware… This is likely a concerted effort from TA415 to blend in with existing legitimate traffic to these trusted services.” The attackers also used Cloudflare’s WARP VPN service to mask the origin of their phishing attempts, further complicating efforts to track and block their activities.
The campaign’s targets were not random. Proofpoint found that the phishing correspondence predominantly reached high-profile government, academic, and policy organizations focused on international trade and economic relations—precisely those entities at the heart of the ongoing U.S.-China negotiations. The timing of the attacks, coinciding with heightened uncertainty in trade relations, suggests a deliberate attempt to gather actionable intelligence just as the two countries approach a potential breakthrough.
Meanwhile, on the diplomatic front, the upcoming Trump-Xi call is being closely watched by markets and policymakers alike. According to reporting from BBC and other outlets, the conversation is expected to focus on three main areas: reducing tariffs, securing access to technology, and reaffirming the U.S. One-China policy regarding Taiwan. The stakes couldn’t be higher. Trade experts, such as Shaun Rein of the China Market Research Group, emphasize that “high tariffs are damaging both China and the US economy,” with Americans paying more for Chinese imports and Chinese exporters feeling the pinch of slower trade.
Elizabeth Freund Larus, adjunct senior fellow at the Pacific Forum, echoed these concerns, noting, “Both sides recognize that the trade war is not beneficial for their citizens. Americans are paying more for Chinese imports, negatively affecting consumers and businesses, while the slowdown in trade is harming Chinese exports and impacting China’s economy.” The economic pain has prompted both sides to seek common ground, with negotiators holding a fourth round of talks in Spain earlier this year and signaling progress toward a deal on TikTok—a social media app at the center of U.S. national security concerns.
China, for its part, has demonstrated flexibility, reportedly willing to make concessions on technology and algorithms to U.S. firms while insisting on retaining control over its intellectual property. TikTok faces a potential ban in the U.S. if not sold to American companies, though President Trump has postponed the penalty three times. At the same time, China has moved to diversify its supply chain, replacing U.S. suppliers with imports from Brazil (soybeans), Australia (beef), and Canada (oil), and ramping up domestic chip production.
Despite progress on smaller trade issues, larger geopolitical challenges remain unresolved. These include the status of Taiwan, China’s support for Russia, and ongoing tensions in the South China Sea. Analysts suggest that while the Trump-Xi call may yield agreements on tariffs and technology, the broader strategic rivalry between the two nations is likely to persist.
Proofpoint’s report underscores the evolving nature of this rivalry, highlighting how state-aligned cyber actors are adapting their tactics to evade detection and compromise trusted organizations. “Within the phishing threat landscape, shifts in established targeting patterns by state-aligned threat actors often raise interesting analytical questions… The timing of TA415’s pivot toward these targets is particularly noteworthy given the ongoing complex evolution of economic and foreign policy relations between China and the United States,” Proofpoint’s researchers observed.
As the world’s two largest economies inch toward a possible détente—or at least a temporary truce—the digital battlefield is heating up. The convergence of high-stakes diplomacy and covert cyber operations serves as a stark reminder: in today’s interconnected world, the front lines of international relations are as likely to run through server rooms and inboxes as they are through embassies and conference halls.
With the Trump-Xi call looming and cyber threats on the rise, policymakers and security experts alike will be watching closely to see not just what is agreed upon at the negotiating table, but what secrets may have already been stolen behind the scenes.