Saturday, Mar 29, 2025 // (IG): BB // GITHUB // SN R&D
SHELBY Malware Uses GitHub as Command-and-Control in Targeted Attacks on Iraqi Telecoms
Bottom Line Up Front (BLUF): China has introduced strict new regulations banning the use of facial recognition technology without explicit user consent. The rules mandate specific consent, alternative authentication methods, data minimization, and strong security measures, including bans on use in sensitive public and private areas. However, the law notably excludes government surveillance from these restrictions.
Analyst Comments: The use of GitHub as a covert C2 channel represents an increasingly common tactic among advanced persistent threats (APTs), blending malicious activity with legitimate traffic to evade detection. SHELBY's modular design, sandbox evasion, and dynamic payload loading point to a highly adaptable threat actor. However, the inclusion of a static PAT introduces a notable operational security weakness that defenders could exploit. The targeting of regional infrastructure, including telecom firms and an airport in the UAE, suggests strategic geopolitical motivations and the likelihood of continued activity in the region.
FROM THE MEDIA: Elastic Security Labs detailed the discovery of SHELBY, a two-stage malware framework comprising SHELBYLOADER and SHELBYC2, both delivered via phishing emails. Once deployed, the loader uses extensive anti-sandbox checks before establishing persistence via Windows Registry edits. The backdoor component communicates through GitHub’s API using a hardcoded PAT, allowing the actor to retrieve commands, upload stolen data, and load further payloads. The campaign has already compromised telecom targets in Iraq and is believed to be linked to broader regional espionage operations. Elastic has released YARA rules to aid detection, and noted signs that the malware is still under development, with unused code and flexible .NET-based features hinting at future upgrades.
READ THE STORY: GBhackers
Hacktivist Wave Hits France: Cyberattacks Surge Against Critical Infrastructure Amid Rising Tensions
Bottom Line Up Front (BLUF): France is facing an unprecedented spike in cyberattacks targeting its critical infrastructure, driven by geopolitical tensions and military support for Ukraine. Pro-Russian and ideologically motivated hacktivist groups have executed widespread Distributed Denial of Service (DDoS) and Industrial Control Systems (ICS) attacks across key regions and sectors, with 845 incidents reported in the first quarter of 2025.
Analyst Comments: The sophistication of some ICS breaches, particularly those targeting hydroelectric and wastewater systems, suggests growing capabilities among hacktivist collectives. With SCADA access demonstrated and control system screenshots leaked, the risk of physical disruption is no longer theoretical. France will need to bolster its critical infrastructure cybersecurity defenses, particularly around energy and water management systems, while engaging in more aggressive public-private threat intelligence sharing.
FROM THE MEDIA: The escalation coincided with France’s announcement of Mirage 2000-5 fighter jet deliveries to Ukraine and the use of frozen Russian assets to fund additional aid. Hacktivist groups such as NoName057(16), Z-Pentest, and Sector16 have claimed responsibility for multiple attacks, including breaches of SCADA systems at hydroelectric power plants and wastewater treatment monitoring platforms. Screenshots posted online show access to sensitive operational parameters. The Île-de-France region, home to Paris and major economic hubs, has been hit particularly hard, along with Grand Est, Normandy, and Provence-Alpes-Côte d’Azur.
READ THE STORY: CyberNews
Russian Intelligence Uses Phishing Sites to Arrest Anti-War Citizens Seeking to Join Ukraine
Bottom Line Up Front (BLUF): A phishing campaign orchestrated by Russian intelligence or state-linked actors is tricking Russian citizens into revealing personal details through fake websites posing as Ukrainian military recruitment and intelligence platforms. Victims who interact with these fraudulent sites are being arrested and charged under anti-terrorism and anti-war laws in Russia.
Analyst Comments: By mimicking entities like the CIA and Ukrainian paramilitary groups, Russian intelligence is effectively weaponizing online search behavior against its own citizens. The use of SEO manipulation on domestic platforms like Yandex adds another layer of control, ensuring these traps reach the intended audience. As geopolitical tensions persist, such operations are likely to expand in scope and sophistication, posing risks not only to activists but also to unsuspecting users seeking information online.
FROM THE MEDIA: Security researchers at Silent Push have uncovered a state-linked phishing operation targeting Russians sympathetic to Ukraine’s defense. Dozens of spoofed domains impersonate Ukrainian military recruitment portals, including the Freedom of Russia Legion, the Russian Volunteer Corps, and even the CIA’s website. One such fake site, legiohliberty[.]army, mimics the real legionliberty[.]army, collecting detailed personal data via deceptive forms. Arrests have been reported among Russians who searched for ways to join anti-Kremlin forces or sought information through these fraudulent sites. Silent Push also reports search engine manipulation on platforms like Yandex, where fake sites appear higher than legitimate ones. The Freedom of Russia Legion has publicly warned supporters to avoid these phishing traps.
READ THE STORY: Cyber News
China Enacts Sweeping Ban on Private Sector Facial Recognition Without Consent
Bottom Line Up Front (BLUF): China has introduced strict new regulations banning the use of facial recognition technology without explicit user consent. The rules mandate specific consent, alternative authentication methods, data minimization, and strong security measures, including bans on use in sensitive public and private areas. However, the law notably excludes government surveillance from these restrictions.
Analyst Comments: While the new rules represent a surprising move by China toward privacy protection, they appear narrowly focused on the private sector. The absence of limitations on state surveillance suggests a dual strategy: control private misuse while preserving expansive government monitoring capabilities. This could serve both to ease public concern and to rein in commercial overreach, all while maintaining China's surveillance-state objectives. Internationally, this step may be used to portray leadership in ethical AI, despite systemic contradictions in practice.
FROM THE MEDIA: The 20-article directive outlines clear requirements: consent must be voluntary and informed, alternate non-biometric options must be available, and data must remain localized, encrypted, and retained for minimal necessary periods. Face recognition is banned in sensitive locations such as hotel rooms, locker rooms, and public restrooms. The rules emphasize data protection measures such as intrusion detection, access control, and security audits. Critics note the regulations do not apply to state surveillance, raising concerns about the government’s continued deployment of facial recognition for domestic security. Despite this gap, China has now formalized privacy protections for facial data collection in the commercial sphere—steps many Western countries have yet to fully implement.
READ THE STORY: WPN
Yandex Maps Becomes OSINT Weapon for Ukraine, Forces Russian Censorship of Strategic Sites
Bottom Line Up Front (BLUF): Russia’s Yandex Maps has emerged as an unexpected open-source intelligence (OSINT) tool for Ukrainian forces. Publicly accessible satellite images and user-contributed content have revealed sensitive Russian infrastructure, including military airfields, oil refineries, and ammunition depots. Ukraine and OSINT analysts have exploited these visuals to identify high-value targets for drone and missile strikes, prompting a sweeping effort by Russian authorities and Yandex to censor or blur critical imagery.
Analyst Comments: Ukraine’s success in leveraging Yandex Maps underscores the growing role of OSINT in warfare, especially when commercial services outpace traditional intelligence feeds. Ironically, Russia’s efforts to censor Yandex have further signaled which sites are strategic, providing additional cues to analysts. As map censorship increases, the cat-and-mouse dynamic between analysts and platforms will likely intensify, with blurred imagery itself becoming a new vector for inference and targeting.
FROM THE MEDIA: Ukrainian and international analysts have shown that high-resolution satellite imagery on Yandex Maps exposed numerous Russian military installations, fueling successful long-range drone attacks. For example, a Rosneft oil refinery in Ryazan, targeted multiple times in 2024, was clearly visible on Yandex Maps, prompting a Moscow court in January 2025 to order the platform to remove or blur images of the facility. This marked the first formal legal action compelling Yandex to censor strategic content. Similar imagery aided Ukrainian strikes on the Engels and Dyagilevo air bases, with analysts noting runway and air defense layouts visible on Yandex even after major attacks. Ammunition depots, fuel storage sites, and newly built logistics hubs in occupied territories have also been uncovered via Yandex before appearing on Western mapping platforms. The Russian government, citing national security concerns, has pressured Yandex into retroactively degrading map resolution across dozens of sensitive sites.
READ THE STORY: Intelligence Online // Kyiv Independent
PJobRAT Malware Campaign Targets Taiwan via Fake Messaging Apps
Bottom Line Up Front (BLUF): A long-running cyber-espionage campaign has targeted users in Taiwan with the PJobRAT malware, delivered through fake messaging apps SangaalLite and CChat. The campaign, active for nearly two years, appears to have ended or paused, but highlights ongoing risks from targeted Android-based malware operations.
Analyst Comments: The reemergence of PJobRAT, previously linked to India-focused operations, suggests a possible shift in targeting strategies, perhaps in line with evolving geopolitical tensions. While the operation was limited in scope, it was likely highly targeted, reinforcing concerns about persistent threats against individuals of interest. Security professionals should expect future iterations of this malware with refined delivery and obfuscation techniques.
FROM THE MEDIA: PJobRAT, first identified in 2019, has evolved to provide attackers with enhanced device control capabilities while shedding features like WhatsApp message exfiltration. Once installed, the apps requested extensive permissions and ran continuously in the background, disguised with basic chat functions. The campaign lasted nearly two years and affected a limited number of individuals, likely chosen for targeted surveillance. While it’s unclear how the apps were distributed in this case, previous campaigns used phishing pages, fake personas, and third-party app stores.
READ THE STORY: The Record
Firefox Patches Critical Sandbox Escape Vulnerability Similar to Chrome Zero-Day
Bottom Line Up Front (BLUF): Mozilla has patched CVE-2025-2857, a critical sandbox escape vulnerability in Firefox for Windows. This flaw resembles a recently exploited zero-day in Google Chrome (CVE-2025-2783), used in an espionage campaign targeting Russian entities. While there is no evidence of in-the-wild exploitation of the Firefox bug, the similarity has raised concerns that advanced threat actors may leverage cross-browser vulnerabilities.
Analyst Comments: The rapid disclosure of two related sandbox escape vulnerabilities in major browsers highlights the evolving capabilities of state-sponsored adversaries. While Chrome’s flaw has been actively exploited, Firefox’s issue appears to have been caught in time. However, the shared technical characteristics may point to a broader campaign or toolkit used across browsers. This highlights the importance of continuous patching and threat hunting in critical applications, such as web browsers, particularly in high-risk regions and sectors.
FROM THE MEDIA: Mozilla addressed CVE-2025-2857 on March 28 after learning about a similar Chrome vulnerability exploited in a high-level cyber-espionage campaign uncovered by Kaspersky. The Chrome flaw (CVE-2025-2783) enabled attackers to bypass browser sandbox protections with high stealth, targeting Russian media and academic institutions. Researchers suspect that state-sponsored actors were behind the operation but have not definitively attributed it. Following Google's disclosure, Mozilla engineers identified and resolved the Firefox counterpart, which had not yet been exploited. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added CVE-2025-2783 to its catalog of Known Exploited Vulnerabilities, reinforcing the urgency for patching.
READ THE STORY: The Record // THN
Solar Inverter Vulnerabilities Expose Critical Risks to Electric Grid Stability
Bottom Line Up Front (BLUF): Security researchers at Forescout have discovered 46 vulnerabilities in solar inverters from major vendors, including China's Sungrow and Growatt and Germany’s SMA Solar Technology. The flaws could allow remote attackers to access user data, disable equipment, or even overwrite firmware — posing a risk to electric grid stability. All vendors have issued patches, but the incident highlights growing cyber risks in the renewable energy sector.
Analyst Comments: As geopolitical tensions escalate and China is accused of probing U.S. critical infrastructure, the presence of insecure foreign-made tech in the energy supply chain is increasingly alarming. Exploitable flaws, such as insecure APIs, hardcoded credentials, and inadequate encryption, present nation-state actors with potential footholds in the grid. Organizations must prioritize segmentation, visibility, and secure procurement practices to mitigate this expanding attack surface.
FROM THE MEDIA: Growatt’s cloud platform exhibited some of the most severe issues, including cross-site scripting and direct object reference flaws, which could let attackers hijack user accounts and control inverter functionality without authentication. Sungrow’s Android app utilized insecure encryption, making it vulnerable to man-in-the-middle attacks, while SMA Solar’s web interface permitted unauthorized code execution. Researchers warned that such vulnerabilities could lead to self-reinforcing load imbalances on the grid, resulting in widespread power outages.
How CISOs Can Counter Nation-State Cyber Espionage in the AI Era
Bottom Line Up Front (BLUF): Nation-state cyber threats—especially those linked to China—are escalating, with advanced AI-powered espionage campaigns increasingly targeting critical infrastructure, corporate IP, and sensitive data. The rise of tools like DeepSeek raises alarm due to privacy concerns and potential links to Chinese intelligence operations. Cybersecurity leaders must urgently adopt strategic defenses to protect against industrial espionage and unauthorized access to sensitive data.
Analyst Comments: DeepSeek exemplifies how foreign-made tools may embed data exfiltration risks, particularly when subject to foreign data laws. CISOs must respond with adaptive strategies, embracing zero-trust principles, rigorous supply chain audits, and AI governance frameworks. Future-forward cybersecurity requires constant vigilance—not just of threat actors but of the very tools employees use daily.
FROM THE MEDIA: Concerns around DeepSeek, a Chinese AI platform, include the potential for state surveillance and misuse of user data due to its storage practices and embedded data transmission technology. In response, CISOs are advised to implement zero-trust architectures, secure AI adoption policies, and enhance threat detection with AI-assisted analytics and rigorous vendor risk management. Further, user education and rehearsed incident response plans are critical to building resilience against increasingly sophisticated, state-sponsored attacks.
READ THE STORY: Computer Weekly
Massive JavaScript Injection Campaign Compromises 150,000 Sites to Promote Chinese Gambling Platforms
Bottom Line Up Front (BLUF): A widespread JavaScript injection campaign has compromised approximately 150,000 websites, redirecting visitors to Chinese-language gambling platforms via full-screen browser overlays. The campaign relies on obfuscated client-side scripts and iframe injections, primarily targeting WordPress sites through malicious plugin modifications.
Analyst Comments: The widespread use of Traffic Direction Systems (TDS) and traffic brokers, such as VexTrio, underscores the industrial scale of cybercriminal affiliate marketing operations. Although the infrastructure is partially disrupted, the attackers’ swift pivot to alternative monetization channels indicates ongoing risk. Web administrators should proactively monitor for unauthorized script injections and audit plugin integrity to mitigate exposure.
FROM THE MEDIA: The injected scripts utilize iframe overlays and impersonate betting platforms, such as Bet365, to deceive users. A second, related campaign—linked to the "DollyWay World Domination" malware operation and uncovered by GoDaddy—has impacted over 20,000 sites since 2016, with 10,000 WordPress sites compromised as of early 2025. The redirection infrastructure includes TDS nodes hosted on hacked websites and links from broker networks like VexTrio and LosPollos. These attacks often begin by injecting PHP into vulnerable plugins, disabling security features, and stealing admin credentials. Although some infrastructure was dismantled in late 2024, attackers continue to adapt, leveraging alternative platforms like Telegram for redirect distribution.
READ THE STORY: THN
Morphing Meerkat PhaaS Platform Abuses DNS MX Records to Mimic 100+ Email Brands
Bottom Line Up Front (BLUF): Researchers have identified a phishing-as-a-service (PhaaS) platform called Morphing Meerkat, active since at least January 2020, that dynamically generates brand-specific phishing pages by querying DNS MX records. The platform can convincingly impersonate over 100 email providers and services, increasing the success rate of credential theft.
Analyst Comments: Morphing Meerkat’s exploitation of DNS infrastructure—particularly MX record lookups over DoH—is a novel technique that enhances the contextual believability of phishing lures. Its multilingual support and automated delivery of dynamic templates make it highly scalable and dangerous across geographic regions. This campaign illustrates how phishing operations are evolving toward automation and personalization. Organizations must adapt with improved DNS filtering, browser-level phishing detection, and comprehensive user training.
FROM THE MEDIA: The Morphing Meerkat platform utilizes DNS-over-HTTPS queries to retrieve the MX records of victims' domains, allowing it to deliver login pages that precisely replicate those of popular email providers. This real-time customization is supported by a template library of at least 114 brand impersonations. The attackers host these phishing pages on compromised WordPress sites and free hosting services while leveraging adtech redirect infrastructure and script obfuscation to evade detection. Additional evasion tactics include inflating script size and using client-side APIs to exfiltrate stolen credentials. With built-in support for multiple languages, the campaign has achieved global reach and continues to pose a significant threat to organizations worldwide.
READ THE STORY: GBhackers
Items of interest
Chinese Surveillance Tech Threatens US Critical Infrastructure, Experts Warn
Bottom Line Up Front (BLUF): US cybersecurity leaders are raising the alarm over the growing presence of Chinese-made surveillance technologies within critical infrastructure systems. In a recent Defense Disruptors episode, experts emphasized the national security risks these foreign components pose, especially in light of AI-driven threats and aging digital infrastructure.
Analyst Comments: The integration of foreign surveillance tech into critical US networks poses a silent but significant cybersecurity threat. These components, often embedded deep within public and private systems, offer adversaries potential backdoors for espionage or sabotage. With geopolitical tensions rising and cyber capabilities of state actors like China evolving rapidly, the need for domestic sourcing and tighter supply chain vetting is critical. Strengthening public-private partnerships, enhancing threat intelligence sharing, and modernizing outdated infrastructure are immediate priorities if the US aims to stay ahead of cyber-enabled sabotage.
FROM THE MEDIA: Sean Tufts of cybersecurity firm Optiv discussed the increasing risks posed by Chinese-made surveillance technology embedded in American infrastructure. He highlighted how such technologies may already exist in energy grids, transportation systems, and communication networks. Coupled with artificial intelligence and advanced persistent threats (APTs), these technologies could be weaponized for reconnaissance or disruption. The discussion underscored the urgent need for smarter defense strategies and greater collaboration across federal, state, and private entities to mitigate the evolving threat landscape.
READ THE STORY: The Defense Post
US bans Chinese tech equipment sales over security risk (Video)
FROM THE MEDIA: The US banned the import or sale of new communications equipment from Chinese tech firms, citing security reasons. The US FCC banned the sale or import of equipment made by big tech giants. FCC said it has adopted new rules prohibiting communications equipment that is deemed to pose a risk to national security. The new rules prohibit the authorization of equipment through the FCC’s certification process. Chinese equipment cannot be authorised under the Supplier’s Declaration of Conformity process.
US-China Trade War 2025: Are We Heading Toward Economic Collapse (Video)
FROM THE MEDIA: As the US-China trade war approaches its seventh year, patience is growing thin in Beijing. In the last few weeks, President Trump has introduced new tariffs on China and doubled them after Beijing retaliated.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.