Tuesday, Mar 25, 2025 // (IG): BB // GITHUB // SN R&D
China's Expanding Cyber Footprint in Latin America Sparks Espionage and Infrastructure Security Fears
Bottom Line Up Front (BLUF): Chinese state-sponsored cyber activity in Latin America has grown in scale and sophistication, targeting critical infrastructure, government systems, and pro-Taiwan nations. Cyber groups like Flax Typhoon and Volt Typhoon, linked to the Chinese Ministry of State Security, have executed persistent attacks in Costa Rica, Paraguay, and Brazil, aiming to steal sensitive data and destabilize regional economies. This activity coincides with expanding Chinese telecom infrastructure in the region, raising serious concerns about espionage and national security.
Analyst Comments: China’s cyber operations in Latin America appear strategically aligned with its broader geopolitical and economic ambitions, including retaliating against Taiwan-aligned states and leveraging post-attack vulnerabilities for market entry. Exploiting critical infrastructure and embedding surveillance capabilities through tech giants like Huawei and ZTE extend Beijing’s digital influence while compromising host nation sovereignty. In authoritarian regimes like Venezuela and Nicaragua, Chinese surveillance tech is being actively used for population control, signaling a dangerous fusion of cyber intrusion and political repression. As Chinese APTs exploit Belt and Road-linked infrastructure and digital ecosystems, regional and Western allies must consider a unified cybersecurity response.
FROM THE MEDIA: According to a joint U.S.-Costa Rica cybersecurity review in December 2024, Chinese-linked hackers infiltrated Costa Rican telecom and energy networks, including RECOPE’s oil pipeline operations. In Paraguay, Flax Typhoon executed a sophisticated APT against government systems, likely motivated by the country’s alliance with Taiwan. Paraguay’s cybersecurity expert Miguel Ángel Gaspar labeled the attack retaliatory, reflecting Beijing’s long-standing cyber focus on Taiwan and its allies. Meanwhile, Chinese firms like Huawei continue to expand their presence across Latin America, recently spearheading Nicaragua’s national digital transformation. Venezuela's Maduro regime employs Chinese-made surveillance tools, including ZTE’s “Fatherland Card,” to exert political control. In Brazil, Google reports that over 40% of state-sponsored phishing activity is China-linked, with past breaches including the ChamelGang attack on presidential systems.
READ THE STORY: Dialogo Americas
Criminal Syndicates Exploit Starlink for Scams in Myanmar, Thai Authorities Intervene
Bottom Line Up Front (BLUF): Thai law enforcement has seized 38 Starlink satellite internet devices allegedly destined for scam compounds in Myanmar, marking the second such interception this month. These scam operations, run by organized crime groups, rely on high-speed satellite connectivity to perpetrate large-scale online fraud. The use of Starlink is rising in response to regional telecom shutdowns aimed at disrupting criminal infrastructure.
Analyst Comments: The seizure of Starlink equipment in Thailand highlights the growing role of satellite internet in enabling transnational cybercrime. As governments crack down on terrestrial communications, threat actors are pivoting to alternative technologies like low-Earth orbit satellites. While Starlink’s terms prohibit illicit use and operation in countries like Myanmar where it lacks a license, enforcement remains weak. Satellite internet is now part of the cybercrime toolkit, and without stringent Know Your Customer (KYC) and geo-fencing controls, such platforms risk becoming vectors for fraud and human trafficking. Regulatory frameworks and vendor accountability must evolve to address the misuse of satellite infrastructure in high-risk regions.
FROM THE MEDIA: Thai security forces confiscated 38 Starlink terminals in Mae Sot district, near the Myanmar border. The devices were concealed in boxes in a white pickup truck and were allegedly en route to scam centers across the border. This follows a March 11 seizure of 10 similar units. These compounds, run by organized crime groups, use trafficked labor to conduct cryptocurrency scams and social engineering campaigns. Following Thai government crackdowns on power and internet access to Myanmar scam zones in February, operators began turning to Starlink for uninterrupted service. Lawmaker Rangsiman Rome directly criticized Elon Musk and Starlink, citing "solid proof" of the technology’s abuse by cybercriminals. A Wired investigation corroborated this, identifying eight scam centers using the terminals between November 2024 and February 2025.
READ THE STORY: The Record
US Scales Back Disinformation Defenses as Russia and China Escalate Influence Ops
Bottom Line Up Front (BLUF): The United States has dismantled key components of its disinformation countermeasures, including shutting down the Global Engagement Center (GEC) and defunding the US Agency for Global Media. Meanwhile, Russia and China are significantly expanding their state-backed propaganda and disinformation operations, investing billions to influence global narratives and undermine Western democracies.
Analyst Comments: The US drawdown of information warfare capabilities comes at a critical time, as adversaries adopt increasingly sophisticated techniques—leveraging AI-generated deepfakes, fake news outlets, and localized content. The erosion of institutional efforts like the GEC and Stanford Internet Observatory reflects growing political division over what constitutes disinformation and how to combat it. Without a cohesive national strategy or technical infrastructure, the US risks ceding the information domain to authoritarian influence, particularly in geopolitically sensitive regions like Southeast Asia and Africa.
FROM THE MEDIA: President Trump’s recent executive order dismantled the US Agency for Global Media, which oversees Voice of America and Radio Free Asia, key outlets countering authoritarian propaganda. This follows the December defunding of the GEC after Elon Musk and Republican lawmakers accused it of censorship. These moves reduce US capabilities at a time when Russia is increasing its propaganda budget to $1.6 billion and China is investing $10 billion in information control and amplification. Intelligence firms report rising domain registrations mimicking Western media—a sign of escalating online deception campaigns. Experts warn that legal challenges, lack of strategy, and underinvestment leave the US ill-equipped to counter global disinformation threats.
READ THE STORY: DR
23andMe Customers Rush to Delete Genetic Data Amid Bankruptcy Fears
Bottom Line Up Front (BLUF): Following its Chapter 11 bankruptcy filing and CEO resignation, DNA-testing company 23andMe has seen a surge in customer requests to delete sensitive genetic data. Concerns over data privacy, future ownership, and a prior breach affecting 6.9 million users have frustrated many customers with slow or uncertain deletion processes.
Analyst Comments: 23andMe’s financial collapse and uncertain future raise serious data governance concerns, particularly given the highly sensitive nature of genomic data. While the company promises its privacy policy will remain in place through bankruptcy, legal experts warn that a future buyer could seek changes. Without HIPAA protections, the fate of user data will largely rest on evolving state privacy laws and buyer discretion. This case underscores the importance of robust data deletion assurances and legislative clarity when consumer biotech firms fail.
FROM THE MEDIA: On March 24, a day after filing for Chapter 11, 23andMe’s website was inundated with data deletion requests from concerned users. Many faced technical issues, long wait times, and ambiguous confirmation messages. Customers reported fears over how their personal and family DNA information might be used or sold in bankruptcy proceedings. Although 23andMe’s privacy policy claims data won’t be shared with employers, law enforcement, or insurance firms, legal experts say future ownership could mean new policies requiring renewed consent. Attempts to delete data belonging to deceased relatives or retrieve stored results were also problematic. The company insists it will honor deletion requests, but users remain anxious over timelines and transparency.
READ THE STORY: WSJ
INTERPOL’s Operation Red Card Dismantles Major Cybercrime Networks in Africa
Bottom Line Up Front (BLUF): INTERPOL has arrested 306 individuals and seized over 1,800 devices across seven African nations in a cross-border cybercrime operation dubbed "Red Card." The sweep targeted mobile banking scams, phishing campaigns, social engineering attacks, and human trafficking tied to online fraud schemes, impacting more than 5,000 victims.
Analyst Comments: This large-scale international operation highlights the expanding footprint and growing coordination of cybercriminal operations across Africa, often involving advanced phishing tactics and mobile malware. The inclusion of human trafficking victims coerced into scam labor sheds light on the human exploitation dimension of cybercrime. The collaborative success of Operation Red Card suggests that regional partnerships and intelligence sharing—backed by global actors like INTERPOL and private-sector threat intel providers—are key to dismantling these digital crime syndicates. However, the persistent threat and rapid evolution of tactics signal an ongoing need for sustained investment in cyber policing, digital forensics, and legal frameworks in the region.
FROM THE MEDIA: Between November 2024 and February 2025, authorities in Benin, Côte d'Ivoire, Nigeria, Rwanda, South Africa, Togo, and Zambia collaborated with INTERPOL to execute Operation Red Card. Nigerian police arrested 130 individuals, including 113 foreign nationals, linked to online casino and investment scams. South African officials apprehended 40 suspects and seized over 1,000 SIM cards used in SMS phishing. Zambian authorities uncovered malware-assisted banking fraud schemes, while Rwandan police arrested 45 cybercriminals for social engineering scams, recovering over $100,000. Cybersecurity firms like Group-IB and Kaspersky supported the effort by providing malware analysis and threat intelligence.
READ THE STORY: THN
U.S. Port Fee Proposal on Chinese Ships Faces Strong Pushback from Industry Stakeholders
Bottom Line Up Front (BLUF): A sweeping coalition of American businesses, trade groups, and labor unions opposes the Trump administration’s plan to impose up to $1.5 million port fees on Chinese-built vessels. Critics warn the move will raise freight costs, reduce port activity, and ultimately burden U.S. consumers. The proposal stems from a bipartisan effort to counter China’s dominance in global shipbuilding and boost the U.S. maritime industry.
Analyst Comments: The proposed port fees represent a strategic but high-risk intervention to decouple the U.S. shipping sector from Chinese industrial capacity. While the policy aligns with broader efforts to bolster national security and domestic industry, it risks destabilizing critical supply chains. Key vulnerabilities include increased freight costs, job losses at U.S. ports, and reduced global competitiveness of American exports, particularly agriculture. A more phased or incentive-based approach may be required to build U.S. shipbuilding capabilities without undercutting domestic importers and exporters.
FROM THE MEDIA: The fees would vary based on the percentage of Chinese-made or Chinese-ordered ships in a carrier’s fleet. Industry leaders, including the National Retail Federation, Mediterranean Shipping Co., and the Agriculture Transportation Coalition, argue that the costs would translate to $600–$800 in additional fees per container—passed directly to consumers. The International Longshore and Warehouse Union warned the policy could divert cargo to Canadian or Mexican ports, threatening U.S. dockworker jobs. Although the fees are part of a broader goal to increase U.S.-flagged shipping, critics note that no U.S. yards can build large ocean-going container ships, making implementation and transition highly complex.
READ THE STORY: WSJ
Weaver Ant APT Maintains Four-Year Espionage Campaign Against Asian Telecom via Web Shell Tunneling
Bottom Line Up Front (BLUF): A Chinese-linked APT group, Weaver Ant, infiltrated an unnamed major Asian telecommunications provider and maintained covert access for over four years. Using encrypted variants of the China Chopper Web shell and a novel in-memory shell called INMemory, the group leveraged advanced tunneling techniques to pivot across internal networks undetected. The campaign demonstrates growing persistence and sophistication in China-nexus cyber espionage.
Analyst Comments: Weaver Ant exemplifies the long-term strategic threats state-backed actors pose when targeting telecom infrastructure. Despite remediation efforts and multiple compromised servers, the group’s ability to remain undetected for years underscores the inadequacy of perimeter-focused defenses against stealthy post-compromise persistence. The recursive tunneling techniques and use of end-of-life routers as ORB nodes reflect a hybrid approach combining sophisticated malware with physical infrastructure compromise. Telecom providers should reassess their exposure to similar tactics and prioritize deep network visibility and stealth detection techniques, particularly in Southeast Asia.
FROM THE MEDIA: According to reports from Sygnia, The Record, and Dark Reading, the Weaver Ant APT group used compromised Zyxel home routers to establish an entry point into the network of a prominent Asian telecommunications company. Once inside, they deployed a network of Web shells—most notably the encrypted China Chopper and an unnamed shell dubbed INMemory that runs entirely in memory—evading traditional endpoint detection. Their recursive Web shell tunneling methodology allowed lateral movement across internal segments using externally exposed hosts as relays. The operation, active since at least 2021, was discovered during a separate forensic investigation, where analysts found reactivated accounts and decades-old compromise points. Weaver Ant also employed ORB (Operational Relay Box) infrastructure built from vulnerable IoT and VPS nodes, enabling cross-provider targeting and obfuscation of command-and-control operations.
READ THE STORY: DR // GBhackers // The Record
California’s First Partner Slams 'Tech Oligarchy' Over Trump Ties and Child Safety Failures
Bottom Line Up Front (BLUF): Jennifer Siebel Newsom, California’s First Partner, accused Silicon Valley leaders of forming a “tech oligarchy” aligned with Donald Trump and using their unchecked power to evade accountability, particularly regarding children's online safety. Her comments align with a broader Democratic shift toward aggressive tech regulation, including bipartisan calls for restrictions on AI and social media targeting children.
Analyst Comments: Siebel Newsom’s remarks reflect intensifying political polarization over the tech industry’s influence, especially amid growing concerns over AI, algorithmic harm to minors, and corporate alignment with Trump-era deregulatory policies. While Democrats previously partnered with Big Tech, the latest rhetoric suggests a significant recalibration. If public pressure continues to mount—particularly over child safety and disinformation—California could lead a new wave of state-level tech regulations, which may eventually shape federal policy as well.
FROM THE MEDIA: At the Common Sense Summit in San Francisco, Jennifer Siebel Newsom criticized tech billionaires for embracing Trump-era deregulation, calling them an “unchecked” power with no transparency. Her comments come amid a Democratic rebranding of Trump’s alliance with figures like Elon Musk as an “oligarchy.” She joined other Democratic figures—such as Sen. Bernie Sanders, Rep. Alexandria Ocasio-Cortez, and Rep. Ro Khanna—in calling for greater tech accountability. The remarks also align with California’s push for tobacco-style warning labels on social media platforms and tighter controls on AI chatbots. Advocacy group Common Sense Media argued this political moment could finally shift momentum toward real tech regulation.
READ THE STORY: Politico
Chinese Hacker Group 'FishMonger' Linked to iSoon APT Espionage Operations
Bottom Line Up Front (BLUF): ESET researchers have attributed a global espionage campaign, dubbed FishMedley, to a Chinese state-linked threat group called FishMonger (aka Aquatic Panda), now confirmed to be operating under the private APT contractor iSoon. The group has targeted NGOs, think tanks, and government entities in the US, Europe, and Asia using well-known tools like ShadowPad and Spyder Loader, rather than sophisticated zero-days.
Analyst Comments: The FishMonger case illustrates China’s increasing reliance on a contractor-based cyber espionage model, where groups with limited sophistication are nonetheless effective at long-term infiltration. The use of off-the-shelf tools like ShadowPad and SodaMaster, along with credential harvesting, suggests operational efficiency over technical novelty. As Chinese APT operations diversify through firms like iSoon, defenders should expect a broader ecosystem of persistent but lower-complexity threats capable of evading detection through stealth and dwell time rather than advanced exploits.
FROM THE MEDIA: Earlier this month, members of FishMonger were added to the FBI’s Most Wanted list. The group operates under the direction of Shanghai-based iSoon (Axun Information Technology), which masquerades as a cybersecurity training provider but conducts cyber espionage for Chinese state agencies. According to ESET’s report, FishMonger’s recent FishMedley campaign targeted high-profile organizations in Taiwan, the US, Hungary, Turkey, Thailand, and France. The group primarily used the modular backdoor ShadowPad, the Spyder loader, and a simple reverse shell dubbed RPipeCommander. Most intrusions involved previously compromised domain administrator accounts, suggesting social engineering or credential theft. The group's objective is long-term data exfiltration, mainly from institutions critical of or engaged in Chinese geopolitical issues.
READ THE STORY: DR
Items of interest
Nation-State Cyberattacks Surge Against OT Systems, Triggering Physical Disruption Worldwide
Bottom Line Up Front (BLUF): Operational Technology (OT) environments experienced a sharp rise in cyber incidents with physical consequences in 2024, with impacted sites jumping 146% year-over-year. Nation-state and hacktivist groups increasingly target critical infrastructure such as water systems, transportation, and manufacturing. High-profile campaigns by Chinese actors like Volt Typhoon and Salt Typhoon, and Russian group Sandworm, highlight the growing strategic use of cyber tools in global power competition.
Analyst Comments: Cyberattacks on OT systems are now deeply intertwined with geopolitical tensions, with China and Russia leading the charge. Volt Typhoon’s stealthy “living off the land” operations and Salt Typhoon’s telecom interception campaign clearly aim to undermine national resilience and gather intelligence. The increased visibility of GPS jamming and spoofing, including fatal aviation incidents, further reveals the multi-domain nature of cyber interference. These developments signal that traditional OT defenses are insufficient against modern threats, and governments must bolster cyber-physical coordination and incident disclosure mechanisms—especially as underreporting may mask the true scope of global OT compromise.
FROM THE MEDIA: The water sector faced heightened threats, with five of seven major incidents attributed to Russia’s Sandworm group. Meanwhile, attacks on smart buildings in the hospitality sector emerged, and 69% of attacks impacted transportation and manufacturing overall. Only 13% of incidents directly affected OT systems; the rest stemmed from IT-side compromise with cascading physical effects. Major GPS-related cyber events also surged, including one attributed to Russia that disrupted 1,600 flights across Europe. Chinese state-linked groups Volt Typhoon and Salt Typhoon launched advanced attacks against U.S. and global infrastructure, including telecom and military-linked networks. Notably, three new ICS-capable malware variants were discovered in 2024, indicating a rising trend in purpose-built threats to industrial environments.
READ THE STORY: Helpnet
Episode 50: Safeguarding Operations - The Role of Cybersecurity in IT and OT Environments (Video)
FROM THE MEDIA: In this episode, host Aaron Crow is joined by Peter Jackson, a seasoned expert from New Zealand with a robust background in industrial automation and cybersecurity. Together, they unravel the intricacies of balancing security with reliable operations and explore the evolving landscape of OT cybersecurity in critical infrastructure. Listen in as they discuss everything from the importance of safe operations and risk management to the nuances of vulnerability management in diverse industrial environments.
The Impact of FrostyGoop Modbus Malware Attacks on Connected OT Systems (Video)
FROM THE MEDIA: In the heart of winter, the reliability of our energy and heating systems isn’t just about comfort – it’s a matter of safety and security. This webinar covers a recent cybersecurity incident in which ICS malware targeting the Modbus protocol and internet-connected devices in the energy sector was used, leading to significant disruptions in heating services during the coldest months.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.