Saturday, Mar 22, 2025 // (IG): BB // GITHUB // SN R&D
FishMonger APT Group Linked to I-SOON in Global Espionage Campaigns
Bottom Line Up Front (BLUF): The FishMonger advanced persistent threat (APT) group has been directly linked to I-SOON (Anxun Information Technology Co., Ltd.), a Chinese cybersecurity contractor accused of conducting state-backed cyber espionage. Evidence from threat intelligence firms and leaked internal documents confirms that FishMonger operates as I-SOON's hacking division, targeting governments, NGOs, and international organizations on behalf of Beijing. A recent U.S. Department of Justice (DOJ) indictment of I-SOON employees reinforces the group's deep connections to China's Ministry of Public Security (MPS) and Ministry of State Security (MSS).
Analyst Comments: The confirmation that FishMonger is I-SOON's operational hacking team further illustrates China's growing reliance on private contractors to execute state-directed cyber operations. This outsourcing strategy offers Beijing plausible deniability while enabling large-scale, persistent cyber-espionage campaigns. FishMonger's use of well-established malware such as ShadowPad and its involvement in operations such as the 2022 "Operation FishMedley" campaign underscore its role in global intelligence gathering. The leaks revealing I-SOON's internal workings expose the structure of China's "hacker-for-hire" ecosystem, which is likely larger than previously understood. While the DOJ indictment and the associated U.S. measures may disrupt I-SOON's operations temporarily, China's ability to shift tactics and restructure such entities suggests that FishMonger or its personnel may reappear under a different guise.
FROM THE MEDIA: ESET researchers, with corroborating reporting from intelligence firms such as Recorded Future and SentinelOne, have identified FishMonger as an APT group operated directly within I-SOON. The group, also tracked under aliases including Earth Lusca, TAG-22, and Aquatic Panda, has been active since at least 2019, initially targeting pro-democracy groups in Hong Kong. It later expanded to broader geopolitical targets, including government bodies in Taiwan, Thailand, and France, NGOs, and academic institutions in the U.S. and Europe. In 2022, the group executed Operation FishMedley, compromising at least seven organizations worldwide using implants such as ShadowPad and Spyder Loader. On March 5, 2025, the DOJ unsealed an indictment charging ten Chinese nationals (eight I-SOON employees and two government officials) with conducting cyber intrusions on behalf of the Chinese government from 2016 to 2023. The FBI also added several of the individuals to its Cyber's Most Wanted list. The indictment, combined with the earlier leak of more than 500 internal I-SOON documents, provides extensive evidence that I-SOON functioned as a contractor for Chinese intelligence agencies.
READ THE STORY: InfoSec Mag // THN
European Semiconductor Industry Pushes for ‘Chips Act 2.0’ to Address Supply Chain Gaps
Bottom Line Up Front (BLUF): European semiconductor companies are calling for expanding the €43 billion European Chips Act, finalized in 2023, to include more support for R&D, materials, and design rather than just manufacturing. Industry leaders argue that current policies do not address the entire supply chain, leaving Europe vulnerable to geopolitical uncertainties and global trade tensions, particularly in light of the second Trump administration's protectionist policies. The proposal has gained momentum as nine EU Member States launched the Semiconductor Coalition to reinforce Europe’s technological competitiveness.
Analyst Comments: While the European Chips Act has driven investment in manufacturing, industry leaders warn that it lacks a long-term strategy to sustain the sector’s growth. A broader, more flexible approach that includes R&D and semiconductor design could help Europe compete with the U.S. and China, which are aggressively funding their own chip industries. However, bureaucratic delays and the need for centralized EU approval remain significant hurdles. The call for additional funding and streamlined policies also highlights concerns over Europe’s dependency on U.S. technology, with some policymakers pushing for digital sovereignty to reduce reliance on American firms. If the EU fails to act quickly, Europe risks falling further behind in semiconductor innovation.
FROM THE MEDIA: During a roundtable discussion at the European Parliament, European chip firms, including Infineon, Bosch, NXP, STMicroelectronics, and ASML, argued for a revised strategy to support the semiconductor sector beyond fabrication plants. SEMI Europe and the European Semiconductor Industry Association (ESIA) emphasized three key priorities: increasing funding for R&D and design, streamlining trade and foreign policy, and accelerating administrative processes to attract investment. A significant concern driving this push is the uncertainty caused by U.S. trade policies, with industry leaders fearing that Trump's “America First” stance could disrupt global semiconductor supply chains. Meanwhile, Reuters reported that while the Chips Act has spurred investment, slow EU bureaucracy has delayed projects. Critics argue that European semiconductor policy now resembles the UK’s strategy, which focuses on R&D rather than large-scale fabrication, albeit with mixed results.
READ THE STORY: The Register
Taiwan’s Critical Infrastructure Targeted by Hackers Linked to Volt Typhoon
Bottom Line Up Front (BLUF): A threat actor whose tradecraft overlaps with Chinese state-backed groups, including Volt Typhoon and Flax Typhoon, has been targeting Taiwan's critical infrastructure in an ongoing cyber campaign. Cisco Talos researchers track the group as UAT-5918 and say it has been active since at least 2023. The attackers exploit unpatched, internet-facing web and application servers to establish persistent access, steal credentials, and enable long-term espionage. The campaign is part of broader Chinese cyber activity aimed at Taiwan and other global targets.
Analyst Comments: The persistence of intrusions into Taiwan's infrastructure underscores China's strategic use of cyber operations to weaken potential adversaries before a conflict arises. The overlap between UAT-5918 and known Chinese APTs such as Volt Typhoon and Flax Typhoon indicates a coordinated effort to infiltrate critical industries, likely in preparation for geopolitical escalation. UAT-5918's reliance on open-source tools and credential theft mirrors China's broader espionage tradecraft, which prioritizes stealth and long-term intelligence gathering over custom malware. Given the recent U.S. sanctions against a Chinese cybersecurity firm linked to Flax Typhoon, further diplomatic and cybersecurity measures may be necessary to counter these intrusions effectively.
FROM THE MEDIA: Cisco Talos researchers reported that UAT-5918 has targeted Taiwan's telecommunications, healthcare, IT, and other critical infrastructure sectors. The group gains initial access by exploiting known vulnerabilities in unpatched internet-facing servers. It then uses open-source tools to move laterally within networks, steal credentials, and create administrative accounts for persistent access. UAT-5918's tactics closely resemble those of Volt Typhoon and Flax Typhoon, both known for Chinese state-sponsored cyber espionage. The attackers use tools such as Mimikatz, LaZagne, and BrowserDataLite to extract login credentials and then reach sensitive systems via RDP and other remote protocols. The group also deploys web shells such as Chopper and backdoors such as SparrowDoor to maintain long-term access. Beyond Taiwan, Flax Typhoon has previously been implicated in attacks on critical infrastructure across Southeast Asia, North America, and Africa, with Microsoft noting its focus on long-term network infiltration. Meanwhile, Volt Typhoon has drawn increasing concern in the U.S. because of its targeting of critical infrastructure, prompting lawmakers to push for stronger government oversight of cybersecurity defenses.
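The persistence technique described above (land on a server, create a local account, add it to Administrators, return over RDP) leaves a recognisable trail in the Windows Security log. The following is an added detection example written for this digest; it is not Cisco Talos code or a tool the article mentions. Event IDs 4720 (account created), 4732 (member added to a local group) and 4624 with logon type 10 (RDP) are real Windows event IDs, but the field names are simplified and the event records are constructed sample data, not real telemetry.

```python
"""Correlate Windows Security events into a 'new local admin' alert.

Added example (not Cisco Talos' tooling). A 4720 followed shortly by a 4732
into the Administrators group for the same host/account is the pattern an
attacker leaves when running `net user ... /add` and `net localgroup
administrators ... /add` from a web shell. A SubjectUserName ending in '$'
is the computer account, meaning the action ran as SYSTEM or a service
(typical for commands launched from a web shell) rather than as an admin
sitting at a console.
"""
from datetime import datetime

# Constructed sample events; 'subject' is who performed the action and
# 'account' the account acted on (for 4732, the member being added).
SAMPLE_EVENTS = [
    {"ts": "2025-03-20T02:13:05", "id": 4720, "host": "web01", "subject": "WEB01$", "account": "svc_backup"},
    {"ts": "2025-03-20T02:13:41", "id": 4732, "host": "web01", "subject": "WEB01$", "account": "svc_backup", "group": "Administrators"},
    {"ts": "2025-03-20T02:20:10", "id": 4624, "host": "web01", "subject": "svc_backup", "account": "svc_backup", "logon_type": 10},
    {"ts": "2025-03-20T09:00:00", "id": 4720, "host": "hr02", "subject": "jdoe", "account": "newhire"},
    {"ts": "2025-03-20T09:00:30", "id": 4732, "host": "hr02", "subject": "jdoe", "account": "newhire", "group": "Remote Desktop Users"},
    {"ts": "2025-03-21T10:00:00", "id": 4720, "host": "db03", "subject": "opsadmin", "account": "dba2"},
    {"ts": "2025-03-21T15:30:00", "id": 4732, "host": "db03", "subject": "opsadmin", "account": "dba2", "group": "Administrators"},
]


def _when(event):
    return datetime.fromisoformat(event["ts"])


def find_new_local_admins(events, window_minutes=30):
    """Return one alert per (host, account) whose creation (4720) was followed
    by addition to Administrators (4732) within `window_minutes`."""
    created = {}  # (host, account) -> most recent 4720 event
    alerts = []
    for e in sorted(events, key=_when):
        key = (e["host"], e["account"].lower())
        if e["id"] == 4720:
            created[key] = e
        elif e["id"] == 4732 and e.get("group", "").lower() == "administrators":
            c = created.get(key)
            if c is None:
                continue
            gap = (_when(e) - _when(c)).total_seconds() / 60
            if 0 <= gap <= window_minutes:
                alerts.append({
                    "host": e["host"],
                    "account": e["account"],
                    "created": c["ts"],
                    "elevated": e["ts"],
                    "by": e["subject"],
                    # Elevation performed by the machine account => ran as SYSTEM/service.
                    "ran_as_system": e["subject"].endswith("$"),
                })
    return alerts


def rdp_logons_by(events, alerts):
    """Accounts from `alerts` that were later used for an RDP (type 10) logon."""
    watch = {(a["host"], a["account"].lower()) for a in alerts}
    return sorted({
        e["account"] for e in events
        if e["id"] == 4624 and e.get("logon_type") == 10
        and (e["host"], e["account"].lower()) in watch
    })


if __name__ == "__main__":
    hits = find_new_local_admins(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("new admins used over RDP:", rdp_logons_by(SAMPLE_EVENTS, hits))
```

On the sample data only web01 fires: the account was created and elevated within a minute, by the machine account, and then used over RDP. The db03 pair falls outside the 30-minute window, which is the tuning knob to watch; a patient operator who elevates hours later evades a tight window, so in production the 4732-into-Administrators event deserves review on its own, with the 4720 correlation used to raise priority rather than to gate the alert.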
READ THE STORY: The Record // THN
China’s State-Owned Enterprises Pose Growing Cyber and Economic Threats
Bottom Line Up Front (BLUF): China’s state-owned enterprises (SOEs) are at the center of cyber espionage and economic warfare targeting U.S. industries and government agencies. Chinese-sponsored hackers have breached the U.S. Treasury Department and infiltrated critical infrastructure, while SOEs continue intellectual property theft to enhance China’s military and technological capabilities. The Trump administration is expected to take a hardline stance against China’s SOEs, leveraging sanctions, regulatory oversight, and legal action.
Analyst Comments: China’s aggressive cyber and economic tactics reveal a coordinated strategy to weaken U.S. competitiveness while strengthening its industrial and military power. The recent Treasury Department breach and ongoing theft of trade secrets illustrate how Chinese SOEs operate as extensions of state intelligence. The Trump administration’s proposed countermeasures, including enhanced trade enforcement and exposing Chinese cyber activities, could curb China’s economic advantage and escalate tensions in U.S.-China relations. Effective countermeasures will require international cooperation, stronger cybersecurity policies, and proactive legal action against Chinese corporate espionage.
FROM THE MEDIA: The breach of the U.S. Treasury Department's systems specifically reached the Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments for national security risks. Separately, the Chinese state-sponsored group Volt Typhoon compromised U.S. critical infrastructure, allegedly pre-positioning to disrupt communications in a crisis. Meanwhile, Chinese state-owned enterprises (SOEs), such as the Aviation Industry Corporation of China (AVIC), have been accused of intellectual property theft, including stealing U.S. aerospace designs to enhance China's military capabilities. In response, the Trump administration is ramping up efforts to counter Chinese cyber and trade aggression, proposing tighter regulation of PRC investments, automatic sanctions for intellectual property theft, and legal protections for U.S. businesses targeted by China's economic warfare.
READ THE STORY: DarkReading
Cloudflare Launches AI "Labyrinth" to Trap Unauthorized Web Scrapers
Bottom Line Up Front (BLUF): Cloudflare has released an AI-driven feature called "AI Labyrinth" to counter unauthorized web crawlers that scrape content for AI training datasets. Instead of blocking these bots outright, Cloudflare leads them into a maze of AI-generated decoy pages, wasting their resources and deterring future scraping. Because only automated clients follow the maze, the system also helps Cloudflare fingerprint rogue scrapers and add them to its bot blocklists.
Analyst Comments: This innovative approach shifts the AI data-scraping fight from prevention to deception, creating a significant obstacle for AI model developers who rely on unauthorized content harvesting. By redirecting bots into a content trap, Cloudflare reduces resource strain on legitimate websites and gathers intelligence on unauthorized scrapers. However, this tactic could lead to an AI arms race, where scraper developers refine their detection techniques to avoid the trap. The ethical concerns of generating misleading content, even for defensive purposes, could also spark debates about the broader implications of AI-generated misinformation.
FROM THE MEDIA: Cloudflare reported that AI scrapers account for nearly 1% of all web requests it sees, many of them ignoring robots.txt restrictions and CAPTCHA barriers. To counter this, the AI Labyrinth serves realistic-looking pages filled with scientifically accurate but irrelevant content, linked so as to lure crawlers ever deeper. Since no human would navigate several levels into such filler, reaching those depths is itself a bot signal, and Cloudflare feeds it back into its anti-bot defenses. Cloudflare says the decoy links are hidden from human visitors and search engines, so the generated content should not affect search rankings or site reputation. The company also indicated that future versions will make the labyrinth harder for bots to detect. The feature is available to Cloudflare customers now, a notable step toward deception-based defenses against scrapers.
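The mechanism above (decoy pages that only link deeper, hidden from humans and disallowed for polite crawlers, with depth reached used as the bot signal) can be shown in miniature. The following is an added example written for this digest, not Cloudflare's implementation; the /archive/ prefix, the server secret and the access-log lines are assumptions constructed for the demonstration. Trap paths carry an HMAC so the server can recognise its own decoy URLs without storing them, which also stops a probing client from forging "deep" hits.

```python
"""Toy labyrinth: HMAC-tagged decoy pages plus a depth-based bot classifier.

Added example (not Cloudflare code). Decoy pages live under an assumed
/archive/ prefix that robots.txt disallows; the entry link is hidden and
marked rel=nofollow, so a person never sees it and a polite crawler never
follows it. Each decoy page links only to deeper decoy pages. A client that
walks several levels down is behaving like a scraper that ignores robots.txt.
"""
import hashlib
import hmac
import re
from collections import defaultdict

SECRET = b"replace-with-a-rotated-server-secret"  # assumption for the example
TRAP_PREFIX = "/archive"
LINKS_PER_PAGE = 3
FLAG_DEPTH = 3  # depth at which a client is treated as a rogue crawler

ROBOTS_TXT = "User-agent: *\nDisallow: /archive/\n"
HREF = re.compile(r'href="([^"]+)"')


def _mac(depth: int, nonce: str) -> str:
    """Short HMAC over depth and nonce; lets trap_depth() verify a path statelessly."""
    return hmac.new(SECRET, f"{depth}:{nonce}".encode(), hashlib.sha256).hexdigest()[:16]


def trap_path(depth: int, nonce: str) -> str:
    return f"{TRAP_PREFIX}/{depth}/{nonce}/{_mac(depth, nonce)}"


def trap_depth(path: str):
    """Return the depth encoded in a genuine trap path, or None for anything else
    (including a forged /archive/ path with a bad MAC)."""
    parts = path.strip("/").split("/")
    if len(parts) != 4 or "/" + parts[0] != TRAP_PREFIX or not parts[1].isdigit():
        return None
    depth, nonce, mac = int(parts[1]), parts[2], parts[3]
    return depth if hmac.compare_digest(mac, _mac(depth, nonce)) else None


def render_trap_page(depth: int, nonce: str) -> str:
    """Decoy page whose only purpose is to offer links one level deeper.
    Child nonces are derived from the parent so the maze is reproducible."""
    children = [
        trap_path(depth + 1, hashlib.sha256(f"{nonce}/{i}".encode()).hexdigest()[:12])
        for i in range(LINKS_PER_PAGE)
    ]
    items = "\n".join(f'<li><a href="{c}">Archive section {depth + 1}.{i + 1}</a></li>'
                      for i, c in enumerate(children))
    # Filler text stands in for the generated content the article describes.
    return f"<html><body><p>Archive, level {depth}.</p><ul>\n{items}\n</ul></body></html>"


def entry_link() -> str:
    """Hidden, nofollow link placed on a real page: the maze entrance."""
    return f'<a href="{trap_path(1, "entry")}" rel="nofollow" style="display:none">archive</a>'


def simulate_crawler(ip: str, start_path: str, max_pages: int = 6):
    """Naive scraper that ignores robots.txt and rel=nofollow: fetch a page,
    follow its first link, repeat. Returns the access-log lines it produces."""
    log, path = [], start_path
    for _ in range(max_pages):
        log.append(f"{ip} {path}")
        depth = trap_depth(path)
        if depth is None:
            break
        nonce = path.split("/")[3]
        path = HREF.findall(render_trap_page(depth, nonce))[0]
    return log


def classify_clients(log_lines):
    """log_lines are 'client_ip request_path'. Returns {ip: deepest verified
    trap level} for clients that reached FLAG_DEPTH or beyond."""
    deepest = defaultdict(int)
    for line in log_lines:
        ip, path = line.split()[:2]
        depth = trap_depth(path)
        if depth is not None:
            deepest[ip] = max(deepest[ip], depth)
    return {ip: d for ip, d in deepest.items() if d >= FLAG_DEPTH}


# Constructed access log: a scraper walking the maze, a person who somehow
# followed the entry link once, and a client probing with a forged trap path.
SAMPLE_LOG = (
    ["203.0.113.7 /blog/post-1"]
    + simulate_crawler("203.0.113.7", trap_path(1, "entry"))
    + ["198.51.100.9 /blog/post-1", f"198.51.100.9 {trap_path(1, 'entry')}"]
    + ["192.0.2.5 /archive/9/forged/0000000000000000"]
)

if __name__ == "__main__":
    print(classify_clients(SAMPLE_LOG))
```

Only the scraper's address is flagged: the person who clicked once stops at depth 1, and the forged deep path fails the MAC check and is ignored. The flagging threshold is the trade-off the article alludes to; a scraper that caps its per-site depth or recognises filler text slips under it, which is why Cloudflare says it intends to make the maze harder to distinguish from real content.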
READ THE STORY: The Register
Russian Hackers Target Ukraine’s Defense Sector with Dark Crystal RAT
Bottom Line Up Front (BLUF): Ukraine's CERT-UA has identified a new cyber-espionage campaign targeting defense-sector organizations with Dark Crystal RAT (DCRat), a Russian-developed remote access Trojan. The threat cluster, tracked as UAC-0200, is using the Signal messaging app to trick victims into downloading malware disguised as meeting documents. Once executed, DCRat gives the operators remote access, data theft, and command execution on infected devices.
Analyst Comments: This campaign highlights Russia's continued use of cyber espionage against Ukraine's defense sector. Delivering DCRat through social engineering over a widely trusted app like Signal shows an increasingly targeted approach to high-value individuals. Ukraine says its requests for Signal to help curb this misuse have gone unanswered, raising questions about the platform's role in mitigating such abuse. As Russian cyber operations intensify, Ukraine and its allies must strengthen threat intelligence sharing and endpoint protection.
FROM THE MEDIA: Victims received Signal messages carrying archive files disguised as official meeting documents. Each archive contained a decoy PDF and an executable protected with the DarkTortilla crypter, which decrypted and launched DCRat as the second stage. The malware gives the attackers full remote control, allowing them to steal data, execute arbitrary commands, and monitor compromised systems. An official at Ukraine's National Security and Defense Council (NSDC) criticized Signal for not responding to Ukrainian requests, while Signal CEO Meredith Whittaker responded that Signal does not cooperate with any government.
READ THE STORY: DarkReading // THN
U.S. Scales Back Efforts Against Russian Cyber Threats, Raising NATO Concerns
Bottom Line Up Front (BLUF): The U.S. has paused parts of its counter-sabotage and cyber defense work against Russia, reducing coordination with NATO allies and curtailing intelligence sharing. The shift aligns with President Donald Trump's diplomatic outreach to Moscow and may serve as a bargaining chip in ceasefire negotiations over Ukraine. The move has alarmed European security officials, who warn it leaves Ukraine and NATO members more exposed to Russian hybrid warfare.
Analyst Comments: The de-prioritization of cybersecurity efforts against Russia marks a significant shift in U.S. foreign policy, signaling a willingness to engage diplomatically with Moscow at the expense of existing security measures. This raises concerns among NATO allies, who have long depended on U.S. intelligence-sharing to counter Russian disinformation, cyberattacks, and sabotage. While the Trump administration may see this as a strategic move to ease tensions, adversaries like Russia could interpret it as a green light to escalate their operations across Europe, Ukraine, and beyond. If NATO countries pursue independent cybersecurity initiatives, the lack of U.S. leadership could create gaps in intelligence coordination.
FROM THE MEDIA: According to a Reuters report, U.S. National Security Council (NSC) efforts to counter Russian cyber threats and sabotage have been paused, and cooperation with European intelligence agencies has been significantly reduced. The FBI and Department of Homeland Security (DHS) have scaled back operations to disrupt Russian covert activities. European allies, particularly Germany, France, Poland, and the Baltic states, are considering independent cybersecurity and counter-sabotage strategies in response to Washington’s shift. Meanwhile, Russian cyberattacks on Ukraine’s power grid and critical infrastructure have continued despite Trump’s diplomatic engagement with Putin.
READ THE STORY: Kyiv Post
Six Governments Suspected of Using Israeli Paragon Spyware for Surveillance
Bottom Line Up Front (BLUF): A new Citizen Lab report concludes that the governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of Paragon Solutions, an Israeli spyware firm co-founded by former Prime Minister Ehud Barak. Paragon's flagship spyware, Graphite, has exploited zero-day vulnerabilities in messaging apps such as WhatsApp to harvest sensitive data. The spyware has reportedly been used against journalists, activists, and civil society members across two dozen countries, raising significant privacy and human rights concerns.
Analyst Comments: Paragon Solutions has positioned Graphite as a "restrained" alternative to NSO Group's Pegasus, limiting it to intercepting messaging-app data rather than taking complete control of a device. Its deployment against journalists and activists nonetheless shows that commercial spyware remains a tool of digital repression regardless of how its capabilities are scoped. The involvement of democratic governments raises ethical and legal questions, especially as global scrutiny of mercenary spyware intensifies. With Apple and Meta (WhatsApp) already mitigating the exploits Graphite used and notifying targets, the spyware industry faces growing resistance, but without stricter regulation new tools will likely emerge to fill the gap.
FROM THE MEDIA: Citizen Lab's investigation fingerprinted server infrastructure linked to Graphite deployments and identified six governments as likely customers. This follows Meta's disclosure of a December 2024 campaign in which roughly 90 WhatsApp users, including journalists and civil society members, were targeted with a zero-click exploit: the attackers added targets to group chats and sent malicious PDFs that triggered the vulnerability without any user interaction, a vector WhatsApp says it has since mitigated. Forensic analysis also surfaced BIGPRETZEL, an artifact believed to uniquely identify Graphite infections on Android devices. Separately, the iPhone of an Italy-based activist was reportedly compromised with Graphite in mid-2024, and Apple has said that attack was mitigated in iOS 18, further highlighting the spyware's use against human rights defenders. Apple and WhatsApp have since issued threat notifications to affected users.
READ THE STORY: The Register
Former Michigan Football Coach Indicted for Hacking Athlete Databases
Bottom Line Up Front (BLUF): Matthew Weiss, a former University of Michigan assistant football coach, has been indicted on 24 federal charges for hacking databases holding data on athletes from more than 100 colleges. Prosecutors allege he accessed the medical records of roughly 150,000 athletes, stole login credentials, and broke into social media and cloud storage accounts, primarily targeting female athletes. Weiss allegedly exploited password weaknesses and data exposed in previous breaches to gain access.
Analyst Comments: Universities rely heavily on third-party platforms like Keffer Development Services to store sensitive health and personal information, making them prime targets for cybercriminals. The unauthorized access and stalking of female athletes raise concerns about data protection, privacy laws, and cybersecurity protocols within educational institutions. Moving forward, colleges must strengthen access controls, implement multi-factor authentication (MFA), and conduct routine security audits to prevent similar breaches.
FROM THE MEDIA: The Justice Department announced the indictment, detailing a multi-year campaign (2015-2023). Investigators say Weiss selected athletes by school, sport, and physical characteristics and kept detailed records on his victims. He allegedly cracked passwords, used social engineering, and abused university authentication processes to reach medical, personal, and private media files. Weiss, who previously worked for the Baltimore Ravens, was fired by Michigan in January 2023 after an internal investigation. He faces up to five years per unauthorized-access charge and two years per aggravated identity theft charge. The FBI's Detroit Cyber Task Force and the University of Michigan Police led the investigation.
READ THE STORY: The Record
Baidu Denies Data Breach After Executive’s Daughter Leaks Personal Info
Bottom Line Up Front (BLUF): Chinese tech giant Baidu has denied reports of an internal data breach after the teenage daughter of Baidu VP Xie Guangjun allegedly posted private user information online. The company claims the leaked data came from illegal doxing databases on foreign platforms rather than from Baidu’s internal systems. Despite Baidu’s denial, the incident has raised concerns about data security, leading to a 4% drop in its stock price.
Analyst Comments: While Baidu asserts that no internal breach occurred, the controversy highlights ongoing concerns about China’s data security environment. The incident comes amid Beijing’s tightened data privacy laws, which have cracked down on unauthorized data access and leaks. However, the fact that a high-level executive’s family member had access to sensitive personal data, regardless of the source, raises serious governance and security questions. The adverse market reaction suggests that investor confidence in Baidu’s data protection measures has been shaken. This incident may prompt stricter internal controls and regulatory scrutiny for China’s major tech firms.
FROM THE MEDIA: The controversy began when users accused the teenager of sharing private information, including phone numbers, after an online argument. Baidu stated that no employee or executive had access to user data and that the leaked information came from foreign doxing databases. Xie Guangjun, Baidu’s vice president in the cloud division, apologized for his daughter’s actions, claiming she obtained the data from overseas social media sites. Baidu has since filed a police report regarding the spread of false information. The controversy, however, has negatively impacted Baidu’s stock, which fell over 4% in Hong Kong trading.
READ THE STORY: Reuters
NYPD’s Drone Expansion Sparks Privacy Concerns
Bottom Line Up Front (BLUF): The New York Police Department (NYPD) has significantly expanded its use of drones as "first responders" (DFRs), deploying them over 3,700 times in the second half of 2024 alone. Officials claim the technology improves response times and public safety, but privacy advocates warn that the program lacks transparency and could lead to mass surveillance. Concerns include the integration of drone footage with facial recognition, license plate readers, AI-driven analytics, and the potential for abuse in law enforcement practices.
Analyst Comments: The rapid deployment of drones in urban policing raises profound civil liberties questions, particularly in a city as densely populated as New York. While the NYPD maintains that drone usage is limited to “priority public safety calls,” reports suggest they have been used for routine surveillance, including over private residences and public gatherings. The lack of apparent oversight and potential integration with AI and facial recognition mirrors concerns seen in other large-scale surveillance programs. The debate underscores a broader trend of law enforcement adopting advanced technologies faster than legal and ethical frameworks can adapt. If transparency and accountability measures are not established, public trust in policing could be eroded, setting a dangerous precedent for warrantless aerial surveillance.
FROM THE MEDIA: Since launching its DFR program in mid-2024, the NYPD has used drones extensively, citing faster response times and improved situational awareness. The drones can stay airborne for up to 40 minutes, fly at up to 45 mph, and identify people and vehicles from nearly a mile away. Critics argue that the department has failed to disclose key details of the program, including its integration with other surveillance tools. Reports indicate that NYPD drones have been used to monitor public events, including protests, and that footage is retained for at least 30 days, with some kept indefinitely for criminal investigations. The NYPD Inspector General's December 2024 report criticized the department's lack of transparency, noting that it had withheld key details about the drones' capabilities, including night vision, thermal imaging, and object manipulation tools. Defense attorneys have also raised concerns about missing documentation in cases where drone footage has been used as evidence. Despite policies prohibiting routine drone patrols, a senior NYPD official has suggested that drones should be deployed proactively, further fueling fears of excessive surveillance.
READ THE STORY: The Record
Items of interest
China’s Aggressive Space Maneuvers Resemble Aerial Combat, Says US Space Force General
Bottom Line Up Front (BLUF): A senior U.S. Space Force official has warned that China is practicing coordinated satellite maneuvers that resemble traditional aerial combat. General Michael Guetlein emphasized that these activities directly challenge U.S. space superiority and indicate China's growing militarization of space. The warning underscores the urgency for the U.S. to prepare for potential off-planet conflicts.
Analyst Comments: China’s increasing focus on space warfare tactics aligns with its broader strategy of achieving technological and military dominance beyond Earth’s atmosphere. The reported satellite maneuvers suggest an evolution in counter-space capabilities, possibly involving electronic warfare, orbital interception, or kinetic operations. If China continues developing refueling stations and advanced maneuvering satellites, it could gain a significant operational advantage in maintaining and deploying space-based assets. This escalation underscores the need for the U.S. and its allies to enhance space situational awareness, defense strategies, and countermeasures against potential threats.
FROM THE MEDIA: Speaking at the McAleese Defense Programs Conference in Washington, U.S. Space Force Vice Chief of Space Operations General Michael Guetlein highlighted China's aggressive advances in space operations. He said Chinese satellites have been observed executing coordinated movements reminiscent of aerial dogfighting, raising concerns about their military applications. China has made no secret of its space ambitions, planning roughly 100 orbital launches in 2025. In January, China launched a satellite designed to test on-orbit refueling in geosynchronous orbit, a capability that would extend the operational life of its satellites. These developments point to a strategic push for a dominant presence in orbit and a direct challenge to U.S. space superiority.
READ THE STORY: CyberNews
China Preparing for Space War? Chinese Satellites 'Dogfight' in Space (Video)
FROM THE MEDIA: Is China practicing war in space? According to a top U.S. Space Force official, Chinese satellites have been observed conducting coordinated maneuvers with one another, which he described as "dogfighting in space."
Space Force Gen WARNS China's Space Operation A 'CREDIBLE THREAT'(Video)
FROM THE MEDIA: Team Rising discusses whether military action is necessary to counter China's influence in space.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.