Wednesday, Mar 26, 2025 // (IG): BB // GITHUB // SN R&D
China's Cyber Aggression Intensifies Amid South China Sea Disputes
Bottom Line Up Front (BLUF): China has increasingly leveraged cyber operations as a strategic tool in its gray-zone tactics surrounding the South China Sea (SCS) dispute. Cyber espionage, disinformation, and infrastructure-targeted attacks have been used against claimant countries such as the Philippines and Vietnam, often coinciding with periods of heightened maritime tension.
Analyst Comments: Cyber operations are becoming integral to China’s broader SCS strategy, blending digital coercion with traditional maritime assertiveness. Threat actors such as APT41 (also known as Earth Longzhi), Salt Typhoon, and Mustang Panda are enhancing Beijing’s ability to gather intelligence, manipulate public perception, and weaken the cyber resilience of its adversaries. Notably, while the Philippines and Vietnam experience repeated intrusions, Malaysia appears to have avoided heavy targeting—likely due to stronger cybersecurity readiness and more cautious diplomatic positioning. The evolving threat landscape necessitates enhanced regional coordination and investment in both defensive and offensive cyber capabilities.
FROM THE MEDIA: China’s cyber threat actors are actively targeting Southeast Asian countries involved in territorial disputes in the South China Sea. Groups such as APT40, Naikon, and emerging clusters like Unfading Sea Haze and Earth Longzhi have engaged in espionage, ransomware, and disinformation campaigns. Recent examples include a deepfake audio targeting Philippine President Marcos Jr. and the defacement of critical government websites. Vietnam and the Philippines remain frequent targets due to their assertive positions in the SCS. In contrast, Malaysia has experienced fewer incidents, attributed to a combination of strong cyber infrastructure and diplomatic pragmatism. The report highlights the convergence of cyber and geopolitical domains, underscoring the need for more robust national cybersecurity strategies in the region.
READ THE STORY: ORF
Alibaba Warns of AI Datacenter Investment Bubble Amid Global Infrastructure Surge
Bottom Line Up Front (BLUF): Alibaba Group chairman Joe Tsai has warned that the global race to build AI-ready datacenters may be heading into a speculative bubble. Speaking at the HSBC Global Investment Summit, Tsai cautioned that current levels of investment—especially from U.S. tech giants—could exceed actual demand for AI workloads in the near term.
Analyst Comments: Datacenter spending has skyrocketed in response to surging interest in AI, but Alibaba’s caution signals growing concern over sustainability. While demand for AI compute is real, speculative builds with no guaranteed tenants pose long-term financial risks, especially if AI adoption plateaus or slows. The comments echo earlier industry signals—including Microsoft reportedly scaling back leases—suggesting a potential recalibration is looming. Organizations should weigh AI infrastructure expansion against real-world use cases and ROI, avoiding overextension in anticipation of unproven demand.
FROM THE MEDIA: At the HSBC Global Investment Summit in Hong Kong, Tsai noted that billions are being funneled into datacenter projects—some without confirmed customers. He pointed to massive commitments by Microsoft ($80B), Meta ($60–65B), and Stargate Project ($500B over four years) as examples of possibly overheated investment. Meanwhile, Alibaba is also increasing its infrastructure spend but did not disclose figures. Industry reports reveal datacenter server revenue rose 91% in 2024, and IDC forecasts hyperscale capex growth of over 30% in 2025. However, analysts like Omdia suggest figures may be inflated by double-counted spending. The warning comes amid reports of power shortages, record-low datacenter vacancies, and mounting questions about long-term AI ROI.
READ THE STORY: The Register
Clio Logging Platform Enhances Red Team Operations with Real-Time Collaboration and Security
Bottom Line Up Front (BLUF): Clio is a newly released open-source logging tool designed for red team assessments, offering real-time collaborative logging with built-in security features. Developed with a focus on operational integrity, Clio introduces row-level locking, audit trails, user authentication, and integration capabilities that support modern offensive and defensive cybersecurity workflows.
Analyst Comments: As red team operations grow in scale and complexity, tools like Clio fill a critical operational need—offering both transparency and traceability in live environments. Its secure design supports compliance-driven assessments while maintaining the agility required for offensive security testing. The addition of API access and evidence tracking further bridges the gap between manual testing and automated security pipelines. Clio’s release under the MIT license also promotes open-source development, customization, and broader adoption across cybersecurity teams.
FROM THE MEDIA: The tool includes role-based access control, CSRF protection, and secure password policies to maintain session security. It allows multiple users to log and visualize attack data simultaneously, with row-level locking to prevent data collisions. Clio’s architecture supports relationship analysis between entities like IPs, domains, and user commands and offers evidence file uploads for incident tracking. It also promotes Docker-based deployment with Node.js and provides detailed documentation for setup and usage. Clio is licensed under MIT, making it freely available for commercial and community use.
READ THE STORY: GBhackers
China’s Expanding Cyber Capabilities Highlight Gaps in U.S. Cybersecurity Posture
Bottom Line Up Front (BLUF): Recent reports from U.S. intelligence agencies and multiple media outlets emphasize China’s growing cyber capabilities, particularly in espionage and critical infrastructure infiltration. At the same time, operational errors and leadership transitions in the U.S. cybersecurity landscape have highlighted persistent vulnerabilities.
Analyst Comments: China’s cyber strategy has evolved significantly over the past decade, shifting from noisy, broad intrusions to more targeted and stealthy operations. With state-backed actors such as the Ministry of State Security (MSS) and the People’s Liberation Army (PLA), China is actively expanding its influence in both digital and physical domains. Meanwhile, U.S. cybersecurity infrastructure is under pressure to modernize and coordinate effectively amid leadership changes, policy debates, and high-profile operational lapses. The challenge for the U.S. is not just technical but also organizational—ensuring secure communication, clear doctrine, and consistent execution of cyber policy.
FROM THE MEDIA: A Senate Intelligence Committee hearing addressed an accidental disclosure of classified military planning in a Signal group chat involving top U.S. officials. The incident, dubbed “Signalgate,” raised concerns over secure communication practices at senior government levels. Concurrently, The Economist detailed China's increasingly sophisticated cyber operations, citing PLA-linked Volt Typhoon and MSS-linked Salt Typhoon as examples of long-term access campaigns against U.S. infrastructure and telecom providers. A U.S. intelligence report published by Reuters labeled China as the top cyber and military threat, citing ambitions to lead in AI and concerns over the potential use of disinformation, space assets, and conventional cyberattacks in a Taiwan conflict scenario.
READ THE STORY: Reuters // The Economist // FP
Google Patches Chrome Zero-Day Exploited in Russian Espionage Campaign
Bottom Line Up Front (BLUF): Google has issued an emergency security update for Chrome to address CVE-2025-2783, a high-severity vulnerability that has been exploited in the wild. The flaw was used in a targeted phishing campaign—dubbed Operation ForumTroll—against Russian organizations, likely by a state-sponsored advanced persistent threat (APT) group.
Analyst Comments: This Chrome zero-day marks a significant escalation in browser-based espionage tactics. The use of personalized phishing lures, short-lived exploit links, and a sandbox bypass suggests the involvement of a highly sophisticated threat actor. Although the campaign targeted Russian entities, the exploitation method impacts all Chrome users on Windows, reinforcing the critical need for timely patching and layered browser security. The collaboration between Google and Kaspersky also highlights the growing cross-border cooperation in cybersecurity, even in politically sensitive contexts.
FROM THE MEDIA: Google released an out-of-band update for Chrome versions 134.0.6998.177/.178 to fix CVE-2025-2783, a zero-day vulnerability in the Mojo IPC framework on Windows. The bug, discovered by Kaspersky researchers Boris Larin and Igor Kuznetsov, was exploited in a phishing campaign targeting Russian government, academic, and media institutions. The phishing emails, disguised as invitations to the “Primakov Readings” forum, delivered malware via Chrome that required no user interaction beyond clicking the link. Kaspersky described the attacks as highly sophisticated and attributed them to a likely state-sponsored APT group. The exploit enabled attackers to bypass Chrome’s sandbox protections and potentially execute arbitrary code.
READ THE STORY: THN
Palantir Urges UK to Adopt ‘Common Operating System’ for Government Data Amid COVID-19 Inquiry
Bottom Line Up Front (BLUF): Palantir Technologies has proposed a centralized “common operating system” for UK government data, citing lessons learned from its involvement in the pandemic response. The suggestion comes during the UK’s ongoing COVID-19 Inquiry, where the company emphasized the importance of cross-agency data integration before another crisis occurs.
Analyst Comments: Palantir's push reflects a broader trend of tech firms seeking long-term government contracts post-crisis by offering data platforms as public infrastructure. While centralized data environments can improve response efficiency and procurement optimization, they also raise legal and ethical concerns around data privacy, vendor lock-in, and oversight. The company's deep ties to U.S. intelligence and prior controversies—particularly regarding NHS contracts—may complicate its positioning in the UK’s evolving public sector digital landscape.
FROM THE MEDIA: Palantir executive Louis Mosley, in a statement to the UK COVID-19 Inquiry, proposed the immediate deployment of a unified data platform across departments such as the DWP and local councils. Palantir has played a central role in UK health data infrastructure since 2020, starting with a nominal £1 COVID contract that grew to a £330 million Federated Data Platform agreement. Critics have questioned the lack of consultation and legal basis for the data processing. Mosley argued the platform could streamline logistics and procurement, but public health advocates and privacy groups remain wary of the long-term implications of embedding Palantir technology in UK public services.
READ THE STORY: The Register
Raspberry Robin Malware Linked to 200+ C2 Domains and Russian Threat Actors
Bottom Line Up Front (BLUF): Researchers from Silent Push and Team Cymru have identified nearly 200 unique command-and-control (C2) domains tied to the Raspberry Robin malware. Known for its role as an initial access broker, Raspberry Robin is linked to a wide array of financially and politically motivated cybercriminal groups, including those with ties to the Russian state.
Analyst Comments: Raspberry Robin continues to evolve as a significant threat within the cybercriminal ecosystem, particularly as an enabler of high-impact ransomware and espionage operations. Its infrastructure's use of fast-flux, short-lived domains, and Tor-based relays underscores a deliberate effort to maintain resilience and evade takedowns. The malware's affiliation with Russian-linked actors, including Cadet Blizzard, suggests a growing convergence between financially motivated IABs and the objectives of nation-states. Defenders should closely monitor C2 domain patterns, USB-based propagation, and Discord-delivered scripts.
FROM THE MEDIA: The Hacker News reported the discovery of over 180 C2 domains linked to Raspberry Robin, also known as Roshtyak or Storm-0856. The malware, which has been active since 2019, functions as an initial access broker for ransomware operators and APT groups, including LockBit, Evil Corp, and the Clop Gang. It propagates via USB drives and phishing campaigns that leverage Discord-hosted payloads, utilizing one-day exploits for privilege escalation. Silent Push and Team Cymru identified a Tor-connected IP in the EU that serves as a data relay for Raspberry Robin’s C2 infrastructure. The campaign employs short, fast-flux domains with top-level domains such as .wf, .pm, .eu, and .tw, many of which are hosted through ClouDNS. The malware's persistent use by Russian actors reinforces its strategic importance in both cybercrime and geopolitical cyber operations.
READ THE STORY: THN
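The analyst comment above asks defenders to watch C2 domain patterns; the following triage script is an added example (not from the article or from Silent Push/Team Cymru tooling) that scans DNS query logs for the short-label, watched-TLD pattern the report describes and flags domains resolving to many distinct addresses as fast-flux candidates. It assumes a constructed, simplified log format; the label-length and fast-flux thresholds are assumptions to tune locally.

```python
"""Heuristic triage of DNS query logs for Raspberry Robin-style C2 domains.

Added example, not from the article or the researchers' tooling. Assumed
log format (constructed for this example):
    "<timestamp> <client_ip> <qname> <answer_ip>"
The TLD list (.wf, .pm, .eu, .tw) and the short-label pattern come from the
report; MAX_LABEL_LEN and FLUX_MIN_IPS are assumed tuning values.
"""
from collections import defaultdict

WATCH_TLDS = {"wf", "pm", "eu", "tw"}
MAX_LABEL_LEN = 6   # assumed cutoff for a "short" registered label
FLUX_MIN_IPS = 3    # assumed: this many distinct answers marks a fast-flux candidate

# Constructed sample log lines using documentation address ranges; not real IoCs.
SAMPLE_LOG = """\
2025-03-26T10:00:01Z 10.0.0.5 www.example.com 93.184.216.34
2025-03-26T10:00:02Z 10.0.0.5 q7x.wf 203.0.113.10
2025-03-26T10:00:03Z 10.0.0.5 q7x.wf 203.0.113.11
2025-03-26T10:00:04Z 10.0.0.5 q7x.wf 203.0.113.12
2025-03-26T10:00:05Z 10.0.0.9 mail.longcompanyname.eu 198.51.100.7
2025-03-26T10:00:06Z 10.0.0.9 kz2.pm 203.0.113.20
"""


def registered_domain(qname):
    """Return (label, tld) for the last two DNS labels, lower-cased."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return None, None
    return parts[-2], parts[-1]


def triage(log_text):
    """Map each suspicious domain to its querying clients, answer IPs and a
    fast-flux flag. Malformed lines are skipped rather than aborting the scan."""
    hits = defaultdict(lambda: {"clients": set(), "ips": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, client, qname, answer = fields
        label, tld = registered_domain(qname)
        if tld in WATCH_TLDS and label and len(label) <= MAX_LABEL_LEN:
            key = f"{label}.{tld}"
            hits[key]["clients"].add(client)
            hits[key]["ips"].add(answer)
    for rec in hits.values():
        rec["fast_flux"] = len(rec["ips"]) >= FLUX_MIN_IPS
    return dict(hits)


if __name__ == "__main__":
    for dom, rec in triage(SAMPLE_LOG).items():
        tag = "fast-flux" if rec["fast_flux"] else "single-answer"
        print(dom, sorted(rec["clients"]), len(rec["ips"]), tag)
```

Matches are leads for pivoting into passive DNS and registrar data, not verdicts: a short label on one of these TLDs is common enough that the fast-flux flag and the client count are what make a hit worth escalating.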
Trump Nominates Cyber Command Advisor Katherine Sutton for Top Pentagon Cyber Policy Role
Bottom Line Up Front (BLUF): President Donald Trump has nominated Katherine Sutton, chief technology adviser at U.S. Cyber Command, to serve as the Assistant Secretary of Defense for Cyber Policy. Sutton, a former Senate cybersecurity staff leader, would become only the second person confirmed by the Senate for this key civilian cybersecurity position within the Department of Defense.
Analyst Comments: Sutton’s nomination signals the Trump administration’s intention to accelerate cybersecurity leadership appointments amid growing digital threats and the rollout of Cyber Command’s modernization strategy. Her experience in both operational and legislative cybersecurity roles could strengthen interagency collaboration and policy alignment. With “Cyber Command 2.0” in motion and the Pentagon pushing for faster implementation, Sutton's confirmation would likely be pivotal in aligning strategic cyber operations with broader defense goals.
FROM THE MEDIA: Her nomination comes as Cyber Command prepares to launch its “Cyber Command 2.0” modernization initiative, which has recently been fast-tracked by Defense Secretary Pete Hegseth. Sutton would succeed Ashley Manning, who has served in an acting capacity since the administration change, following the tenure of Michael Sulmeyer under President Biden. Additionally, Laurie Buckhout, a retired Army colonel and recent congressional candidate, has been appointed as Deputy Assistant Secretary for Cyber Policy, a role that does not require Senate confirmation.
READ THE STORY: The Record
Albabat Ransomware Evolves to Target Windows, Linux, and macOS Using GitHub Infrastructure
Bottom Line Up Front (BLUF): Trend Micro researchers have uncovered that the Albabat ransomware family has expanded its operations to target Windows, Linux, and macOS systems. Versions 2.0.0 and 2.5 of the malware use GitHub to manage configuration files, indicating a shift toward more centralized and scalable attack infrastructure.
Analyst Comments: Albabat’s cross-platform capability represents a growing trend in ransomware development, where threat actors aim to maximize their reach and impact by expanding beyond Windows. The use of GitHub’s REST API for configuration management is a clever exploitation of trusted infrastructure, allowing for rapid updates and circumvention of certain security filters. This tactic also mirrors trends in supply chain attacks, underscoring the importance of monitoring seemingly benign developer services. As ransomware groups become more agile, defenders must shift toward proactive threat detection and enhanced endpoint hardening across all operating system environments.
FROM THE MEDIA: Albabat ransomware has added support for Linux and macOS, in addition to Windows, in its latest versions (2.0.0 and 2.5). Trend Micro researchers found that the malware retrieves configuration settings from GitHub using a custom “Awesome App” User-Agent string. These settings control behaviors such as target file types, directories to exclude, and post-infection operations. Albabat terminates system utilities and productivity applications to avoid detection or mitigation, encrypts a wide range of file types, and stores victim data in a PostgreSQL backend. The campaign highlights GitHub’s role as a command-and-control layer and reflects the attacker’s focus on operational efficiency. Organizations are urged to implement strict access controls, monitor API traffic, and educate users to defend against phishing and malicious scripts.
READ THE STORY: GBhackers
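The item above recommends monitoring API traffic; as an added example (not Trend Micro's or the article's code), the script below classifies outbound proxy log entries, raising a high-severity hit for the reported “Awesome App” User-Agent anywhere and a medium-severity hit for requests to GitHub API hosts from a User-Agent outside an assumed allowlist of developer tooling. The log format, the allowlist and the sample lines are constructed assumptions.

```python
"""Flag proxy-log requests that look like Albabat-style GitHub config retrieval.

Added example, not from the research or the article. Assumed, constructed
proxy log format:
    "<timestamp> <src_ip> <method> <url> \"<user-agent>\""
The "Awesome App" User-Agent and GitHub-as-config-source come from the
report; GITHUB_HOSTS and EXPECTED_UA_PREFIXES are assumptions a real
deployment would tune to its own developer tooling.
"""
import re
from urllib.parse import urlparse

GITHUB_HOSTS = {"api.github.com", "raw.githubusercontent.com"}
EXPECTED_UA_PREFIXES = ("git/", "Mozilla/", "GitHub-Hookshot")  # assumed allowlist
KNOWN_BAD_UA = {"Awesome App"}  # User-Agent reported for Albabat

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample lines; private/documentation addresses, not real IoCs.
SAMPLE_LOG = """\
2025-03-26T09:00:00Z 10.1.1.20 GET https://api.github.com/repos/org/repo/contents/config.json "Awesome App"
2025-03-26T09:00:01Z 10.1.1.21 GET https://api.github.com/repos/org/repo "Mozilla/5.0 (Windows NT 10.0)"
2025-03-26T09:00:02Z 10.1.1.22 GET https://api.github.com/user "python-requests/2.31"
2025-03-26T09:00:03Z 10.1.1.23 GET https://www.example.com/ "Awesome App"
"""


def classify(line):
    """Return (severity, src_ip, user_agent) for a suspicious line, else None.

    'high'   : a known-bad User-Agent, regardless of destination.
    'medium' : a GitHub API host contacted with a User-Agent outside the allowlist.
    """
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line: skip, do not crash the scan
    _ts, src, _method, url, ua = m.groups()
    if ua in KNOWN_BAD_UA:
        return ("high", src, ua)
    host = urlparse(url).hostname or ""
    if host in GITHUB_HOSTS and not ua.startswith(EXPECTED_UA_PREFIXES):
        return ("medium", src, ua)
    return None


def scan(log_text):
    """Run classify() over every line and keep only the hits, in log order."""
    return [hit for hit in (classify(ln) for ln in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for severity, src, ua in scan(SAMPLE_LOG):
        print(f"{severity:6} {src:12} {ua}")
```

Medium hits will include legitimate automation (CI runners, package managers), so the practical use is to baseline which hosts and agents normally talk to GitHub and alert on new pairings rather than on every match.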
Items of interest
$13 Million Stolen in Abracadabra Finance Crypto Heist via Exploited Lending Product
Bottom Line Up Front (BLUF): Abracadabra Finance, a decentralized crypto lending platform, suffered a security breach on March 25, 2025, resulting in the theft of approximately $13 million worth of Ethereum. The exploit was traced to the platform’s “cauldron” lending products, and blockchain investigators have linked the attack to funds initially routed through Tornado Cash.
Analyst Comments: This incident underscores the growing risk of smart contract vulnerabilities in decentralized finance (DeFi) ecosystems. Despite security audits, the attacker was able to exploit multiple transactions before detection, suggesting a gap between audit assurance and real-world behavior. The use of Tornado Cash to obfuscate the attack’s origin reflects ongoing challenges in tracking crypto-based laundering, especially after recent U.S. sanctions against the mixer were lifted. The attack may renew calls for tighter smart contract security, increased real-time monitoring, and improved governance in DeFi protocols.
FROM THE MEDIA: The attacker manipulated the smart contract logic and withdrew funds undetected across several transactions. The incident was acknowledged publicly by Abracadabra, which stated that the affected products had been previously audited by Guardian, a security firm. Blockchain analysts, including SlowMist and Chainalysis, traced the attacker’s funding source back to Tornado Cash, a mixer service recently unsanctioned by U.S. authorities. In response, Abracadabra offered a bug bounty to the hacker, promising 20% of the stolen funds for their return. The platform’s front end was taken offline during the investigation. GMX, a related exchange, clarified it was not impacted.
READ THE STORY: The Record
Abracadabra.money Review. Scam or Legit? (Video)
FROM THE MEDIA: In this video, we dive deep into Abracadabra.money, a platform that's been raising eyebrows in the online investment world.
What is Abracadabra.Money? | De-Fi Platform | Stable Coin | Magic Internet Money (Video)
FROM THE MEDIA: What is Abracadabra.Money? In this Abracadabra.Money intro video, watch this Abracadabra.Money explainer. We get right to the point in this short Abracadabra.Money video. Check out this Abracadabra.Money overview on MarketSquare, the new homepage for the decentralized Web.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.