Wednesday, Apr 02, 2025 // (IG): BB // GITHUB // SN R&D
Coordinated Login Scans Hit PAN-OS GlobalProtect: Nearly 24,000 IPs Involved in Suspicious Campaign
NOTE:
Chinese-linked threat actors such as Volt Typhoon (also known as Salt Typhoon) have a documented history of using large-scale, coordinated login scanning to identify vulnerable perimeter systems like PAN-OS GlobalProtect, often as a precursor to credential harvesting and stealthy network access. Their tactics typically involve living-off-the-land (LOTL) techniques, avoiding malware and instead relying on valid credentials, PowerShell scripts, and native Windows tools for internal reconnaissance. In past campaigns, Volt Typhoon has targeted VPN appliances and firewalls by probing login portals for weak or reused credentials, and they often rotate through massive IP infrastructures—frequently leveraging compromised edge devices across global networks—to obscure attribution and avoid detection. The current activity, which used nearly 24,000 unique IPs to scan GlobalProtect login pages without triggering known exploits, strongly mirrors Volt Typhoon’s known approach of pre-exploitation reconnaissance to establish persistence while evading early detection, suggesting the possibility of a China-linked reconnaissance operation.
Bottom Line Up Front (BLUF): A coordinated login scanning campaign targeting Palo Alto Networks PAN-OS GlobalProtect gateways has been detected, involving nearly 24,000 unique IP addresses over a 10-day span in March 2025. While most IPs are not currently flagged as malicious, researchers warn the activity may precede future exploitation attempts.
Analyst Comments: This campaign reflects an increasingly common trend in cyber threat activity: broad, systematic reconnaissance of widely deployed technologies. The high volume of probing IPs suggests either a large-scale botnet or multiple coordinated threat actors. Organizations relying on GlobalProtect should assume they are being targeted and take proactive steps—such as tightening access controls and monitoring authentication logs. If this pattern follows historical precedents, new exploits or zero-days may emerge in the coming weeks.
FROM THE MEDIA: Threat intelligence firm GreyNoise reported a surge in login scanning activity beginning March 17, 2025, and peaking with 23,958 unique IP addresses involved. The scans primarily targeted internet-facing GlobalProtect instances, with the U.S. and Canada as leading traffic sources. While only 154 IPs were identified as malicious, the broader campaign is seen as a likely reconnaissance effort. GreyNoise noted such behavior often precedes the discovery or exploitation of new vulnerabilities. Palo Alto Networks has been contacted for comment.
READ THE STORY: THN
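The "monitor authentication logs" advice above is easiest to act on with a rule that looks for the distributed signature of a campaign like this one: many distinct source IPs, each failing only a handful of logins, inside one time window. The following Python sketch is an added example, not code from the page, GreyNoise or Palo Alto Networks; it uses a constructed, simplified `timestamp src_ip user result` log format rather than the real PAN-OS syslog fields, and the thresholds are assumptions to tune per environment.

```python
"""Flag distributed (many-source, low-rate) login scanning against a
GlobalProtect portal from authentication log lines.

Added example for this digest; the line format parsed here is a constructed
simplification ("<ISO8601> <src_ip> <user> auth-fail|auth-success"), NOT the
real PAN-OS system-log syntax, so adapt parse_line() to your log forwarder.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

EPOCH = datetime(1970, 1, 1)


def build_sample_log() -> list[str]:
    """Construct sample lines: one legitimate user who mistypes a password once,
    plus 40 distinct scanner sources that each try the admin account 1-2 times."""
    lines = [
        "2025-03-17T10:01:02Z 203.0.113.7 alice auth-fail",
        "2025-03-17T10:01:40Z 203.0.113.7 alice auth-success",
    ]
    base = datetime(2025, 3, 17, 10, 0, 0)
    for i in range(40):
        for k in range(1 + i % 2):  # even-numbered sources try once, odd ones twice
            ts = base + timedelta(seconds=30 * i + 5 * k)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 192.0.2.{i + 1} admin auth-fail")
    return lines


def parse_line(line: str):
    """Split one constructed log line into (timestamp, src_ip, user, result)."""
    ts, src, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result


def detect_distributed_scan(lines, window=timedelta(hours=1),
                            min_sources=25, max_median_attempts=3):
    """Return one alert per window that looks like a distributed login scan:
    many distinct failing source IPs, each making only a few attempts.
    A single IP hammering the portal is a brute force, not this pattern, and
    is left to a per-source lockout or rate-limit rule."""
    per_window = defaultdict(lambda: defaultdict(int))  # start -> src -> fails
    users = defaultdict(lambda: defaultdict(int))       # start -> user -> fails
    for line in lines:
        ts, src, user, result = parse_line(line)
        if result != "auth-fail":
            continue
        start = EPOCH + ((ts - EPOCH) // window) * window  # floor to window
        per_window[start][src] += 1
        users[start][user] += 1
    alerts = []
    for start, per_ip in sorted(per_window.items()):
        med = median(per_ip.values())
        if len(per_ip) >= min_sources and med <= max_median_attempts:
            alerts.append({
                "window_start": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "distinct_sources": len(per_ip),
                "failed_attempts": sum(per_ip.values()),
                "median_attempts_per_source": med,
                "most_targeted_user": max(users[start], key=users[start].get),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_distributed_scan(build_sample_log()):
        print(alert)
```

In production, feed the rule the firewall's GlobalProtect authentication events and correlate flagged windows with the targeted usernames and source ASNs before deciding on blocks, since the report notes that most of the scanning IPs were not individually flagged as malicious.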
X Corp Petitions U.S. Supreme Court to Block Warrantless User Data Access
NOTE:
Elon Musk’s dual role as both the head of major private tech ventures—such as X (formerly Twitter) and xAI—and a central figure in the government-led Department of Government Efficiency (DOGE) raises serious concerns about conflicts of interest and accountability. While Musk’s X is filing briefs with the Supreme Court defending user privacy against government overreach, DOGE under his leadership is reportedly canceling programs, altering federal cybersecurity operations, and reshaping digital infrastructure—all with limited transparency. This contradiction between advocating for civil liberties and exerting sweeping influence over public systems consolidates power in troubling ways. As DOGE disrupts oversight structures and Musk’s companies move deeper into financial services and AI integration, the risk grows that these efforts will operate without sufficient checks, potentially undermining both democratic norms and data protections.
Bottom Line Up Front (BLUF): Elon Musk’s social media company X has filed a legal brief urging the U.S. Supreme Court to restrict government access to user data without warrants. The move aligns with a broader privacy rights case involving the IRS’s acquisition of Coinbase user information and reflects Musk’s ongoing campaign against state overreach in digital surveillance.
Analyst Comments: X Corp’s intervention signals growing tension between tech platforms and government surveillance authorities, particularly in an era of increasing political scrutiny of social media and crypto platforms. By supporting a case that challenges the “third-party doctrine,” X is positioning itself as a defender of digital civil liberties — while also protecting its commercial interests in user trust and upcoming financial products like “X Money.” With X recently acquired by Musk’s AI firm, the case may have broader implications for how tech conglomerates resist data requests, especially as regulatory scrutiny intensifies globally.
FROM THE MEDIA: The case questions the constitutionality of collecting user data without probable cause, citing the Fourth Amendment. X warned that such practices could lead to mass government surveillance across social and financial platforms. The platform argued that warrantless data access violates trust and risks chilling user expression. This comes as Musk’s X faces international pressure over content moderation and prepares to launch “X Money,” a financial service requiring sensitive user data. The case could redefine how platforms handle government data demands in the U.S.
READ THE STORY: FT
Brazil Emerges as Strategic Winner in U.S.-China Trade Tensions
Bottom Line Up Front (BLUF): As the Trump administration reimposes tariffs on China and other trading partners, Brazil is capitalizing on the moment. With U.S. agricultural products targeted by Chinese retaliatory tariffs, Chinese buyers are turning to Brazilian soybeans, beef, and poultry, fueling an export boom and strengthening Brazil-China trade ties. Brazil is also positioning itself as an alternative supplier to the U.S. and other global markets affected by new tariffs.
Analyst Comments: Brazil's ability to pivot and fill gaps left by U.S. trade disruptions highlights a broader geopolitical realignment. By deepening economic ties with China—its top trade partner since 2009—Brazil is increasing its global influence, especially as Chinese infrastructure investments grow across Latin America. This shift also raises concerns in Washington, where officials warn of strategic implications as Chinese companies build ports, railroads, and even satellite tracking stations in the region. With trade and currency alignment already tilting toward China, Brazil’s growing economic independence could complicate future U.S. influence in the hemisphere.
FROM THE MEDIA: Premiums on Brazilian soy rose 70% last month after China imposed new tariffs on U.S. crops. Meanwhile, exports of Brazilian chicken and eggs are up 9% and 20% respectively, bolstered by bird flu outbreaks elsewhere. Brazil's commodities-driven Ibovespa index is up 9% year-to-date, compared to a 4.2% drop in the S&P 500. Beyond agriculture, Brazil’s footwear and steel industries are seeking to replace Chinese goods in the U.S. market, while Chinese state firms like China Railway expand infrastructure investment across Brazil. Leaders in São Paulo and Brasília see the trade turmoil as an opportunity to redefine Brazil’s role in the global economy—potentially at the expense of U.S. dominance.
READ THE STORY: WSJ
Earth Alux Deploys VARGEIT and COBEACON in Sophisticated Multi-Stage Cyber Intrusions
Bottom Line Up Front (BLUF): A newly identified China-linked threat actor, Earth Alux, has been targeting critical sectors across the Asia-Pacific (APAC) and Latin America (LATAM) regions since 2023. Utilizing a sophisticated malware toolkit—including VARGEIT, COBEACON, and MASQLOADER—the group conducts multi-stage cyber intrusions, leveraging fileless techniques, DLL side-loading, and covert C2 channels.
Analyst Comments: Earth Alux’s operations reflect the increasing technical sophistication of state-aligned APT groups, which are focused on long-term espionage. Its use of modular loaders, stealth techniques such as time-stomping and anti-API hooking, and abuse of legitimate services (e.g., Microsoft Outlook/Graph API) demonstrates a high degree of operational maturity. The malware’s adaptability across various stages and vectors suggests a well-funded, persistent threat that is likely to continue evolving. Organizations in the APAC and LATAM regions, particularly in the government and tech sectors, should expect sustained targeting and prioritize the detection of fileless persistence mechanisms.
FROM THE MEDIA: The group targets sectors such as government, telecommunications, and logistics using a complex infection chain that begins with exploiting internet-facing applications to deploy the Godzilla web shell. This enables the delivery of VARGEIT—a fileless, multi-channel backdoor capable of data exfiltration and lateral movement—and COBEACON, a variant of Cobalt Strike Beacon. These payloads are launched through MASQLOADER or RSBINJECT, with the former using anti-hooking techniques to bypass endpoint security. Supporting tools RAILLOAD and RAILSETTER ensure persistence through DLL side-loading and time-stomping. Notably, VARGEIT communicates over up to 10 C2 channels, including Microsoft Outlook’s Graph API, making detection extremely difficult.
READ THE STORY: THN
UK Unveils Cyber Resilience Bill to Expand Incident Reporting and Supply Chain Security
Bottom Line Up Front (BLUF): The UK government has outlined its forthcoming Cyber Security and Resilience Bill, which will expand incident reporting requirements for critical infrastructure operators and digital service providers. The bill aims to align with the EU’s NIS2 Directive and introduces stronger powers for regulators, including mandatory 24-hour breach notifications and new oversight for high-impact suppliers.
Analyst Comments: This proposed legislation reflects the UK’s strategic pivot toward a more proactive and adaptive cybersecurity framework, particularly amid rising threats from nation-state actors and ransomware groups. By broadening reporting thresholds and supply chain obligations, the bill closes long-standing loopholes in the 2018 NIS-derived framework. Designating data centers and managed service providers (MSPs) as critical infrastructure is a notable shift that may reshape procurement and compliance expectations across industries. The inclusion of emergency powers for the Secretary of State also signals a growing national security posture in cyber policy.
FROM THE MEDIA: The new legislation will require critical infrastructure operators and digital service providers to report any cyber incident that affects the confidentiality, integrity, or availability of their systems within 24 hours to regulators and the National Cyber Security Centre (NCSC). The law also designates data centers as critical national infrastructure and proposes new powers for regulators to enforce compliance. Additionally, it introduces obligations for regulated entities to implement cybersecurity standards throughout their supply chains and allows the government to issue directives to entities in the interest of national security. The bill is expected to be introduced in Parliament later this year.
READ THE STORY: The Record
Cybercom Hunt-Forward Operations Uncover Chinese Malware in South America
Bottom Line Up Front (BLUF): U.S. Cyber Command (Cybercom) has identified Chinese malware on multiple networks in Latin America through its hunt-forward operations, according to Lt. Gen. Dan "Razin" Caine during his confirmation hearing as nominee for Chairman of the Joint Chiefs of Staff. These operations, conducted at the invitation of foreign governments, are designed to detect and mitigate cyber threats on partner networks while strengthening U.S. cyber defenses.
Analyst Comments: The revelation not only highlights the strategic value of hunt-forward operations in projecting cyber defense capabilities abroad, but also serves as a warning that Chinese threat actors are broadening their geopolitical influence via persistent access to foreign infrastructure. This move could also incentivize more regional cooperation with U.S. cyber forces, while increasing pressure on adversaries to conceal or evolve their tactics.
FROM THE MEDIA: These revelations came during his Senate confirmation hearing and were based on Cybercom's hunt-forward missions in the U.S. Southern Command area. The operations, led by the Cyber National Mission Force (CNMF), are conducted in host nations by request and aim to identify advanced persistent threats. Although specific countries were not named due to operational sensitivities, these missions have been credited with exposing foreign malware and enhancing allied cybersecurity. Cybercom did not confirm details but reaffirmed the value of such missions in protecting both U.S. and partner infrastructure from hostile actors like China.
READ THE STORY: Defense Scoop
China Sees Strategic Advantage in Trump-Era U.S. Disruption, Says FT Columnist
NOTE:
While the article paints China as the more stable and strategic global power, the reality is more complicated. China is facing significant economic challenges, including a severe real estate crisis, declining consumer confidence, and a rapidly aging population. Youth unemployment remains high—so high that the government stopped publishing the numbers for months in 2023. On top of that, concerns about censorship, lack of transparency, and political repression continue to worry foreign investors and governments alike. Meanwhile, the U.S.—despite its political drama—still has key strengths: a more innovative economy, stronger institutions, and long-standing global alliances. Even during periods of political turbulence, the U.S. remains a major hub for scientific research, higher education, and technological leadership. It's not as simple as one country rising while another falls—both face significant challenges, just of very
Bottom Line Up Front (BLUF): China’s leadership sees the political instability and inward focus of the Trump administration as a strategic opening to expand its global influence. According to Financial Times columnist Martin Wolf, Chinese policymakers believe the erosion of U.S. credibility is creating space for Beijing to present itself as a more stable and reliable global partner, especially to countries disillusioned with Washington’s unpredictability.
Analyst Comments: This perspective suggests a potential power rebalancing in which China positions itself not through aggression, but by contrasting itself with U.S. unpredictability. Beijing’s confidence is bolstered by its growing technological capabilities, including breakthroughs in AI (e.g., DeepSeek), and dominance in clean energy manufacturing. While China's economic vulnerabilities remain — particularly weak domestic demand and an aging population — the belief that Trump's foreign policy alienates allies gives China space to increase its global influence, particularly in Europe and the Asia-Pacific. This perception could encourage China to double down on soft power diplomacy and trade expansion while avoiding direct conflict.
FROM THE MEDIA: Martin Wolf reported that during his recent trip to Beijing and Hong Kong, Chinese policy elites drew parallels between Trump’s “cultural revolution” in America and Mao Zedong’s radical purges in the 1960s. While many Chinese elites despise their own history of political upheaval, they recognize strategic gains from U.S. self-destruction. With alliances fraying and America turning inward, China is increasingly seen by global partners as a more dependable actor. Wolf noted that Chinese strategists now believe they can achieve regime stability and technological self-sufficiency even in a more hostile global climate. Despite internal economic challenges, China views Trump's retreat from global leadership as an opportunity to assert its own.
READ THE STORY: FT
General Paul Nakasone Warns China Has Surpassed Russia as America’s Top Cyber Threat
Bottom Line Up Front (BLUF): In a recent interview, former NSA and U.S. Cyber Command chief Gen. Paul Nakasone declared China the most sophisticated and dangerous cyber adversary facing the United States. He emphasized that Chinese nation-state actors, particularly groups like Volt Typhoon and Salt Typhoon, have shifted from espionage to embedding persistent access in critical infrastructure, suggesting a capability for future sabotage.
Analyst Comments: Nakasone’s remarks confirm a growing consensus in the intelligence community that Chinese operations are not merely espionage-driven but are pre-positioning for potential conflict. The strategic shift—toward implanting malware in utilities, telecoms, and water systems—indicates preparation for crisis scenarios, such as a Taiwan-related conflict, where digital disruption could neutralize U.S. responses. Additionally, China's integration of AI tools for targeting and analysis adds a new dimension of speed and precision to its cyber operations, making them harder to detect and counter. This evolution underscores the urgency of recalibrating U.S. deterrence and defense in cyberspace.
FROM THE MEDIA: Speaking to the Click Here podcast, Nakasone pointed to groups like Volt Typhoon embedding malware in U.S. critical infrastructure with no clear intelligence value—indicating intent to cause disruption during future geopolitical tensions. He highlighted a recent incident involving the discovery of Chinese code in the water utility of Littleton, Massachusetts, which supports broader fears of widespread but undetected intrusions. Nakasone noted that Salt Typhoon has targeted telecom providers and U.S. federal agencies using advanced credential theft and AI-driven targeting. These campaigns mark a shift in Chinese cyber tactics from passive surveillance to active threat implantation. Nakasone stressed the need for a more aggressive U.S. posture and broader partnerships across government, private industry, and academia to close the cyber defense gap.
READ THE STORY: The Record
Items of interest
Russia Enacts Sweeping Cybersecurity Law as Financial Fraud Surges to Record High
Bottom Line Up Front (BLUF): Amid an unprecedented surge in financial cybercrime, Russian President Vladimir Putin has signed a new law aimed at strengthening cybersecurity and reducing data leaks. The law bans the use of foreign messaging apps in state institutions and mandates new caller ID protections while creating a centralized database to track cyber offenders.
Analyst Comments: Russia's latest legislation represents a significant shift toward digital sovereignty, presented under the guise of cybersecurity. While addressing real threats such as fraud and massive data leaks, the law also reinforces the Kremlin’s agenda to sever reliance on foreign tech and increase surveillance capabilities. The move aligns with a broader pattern of digital isolationism, advocating for state-controlled infrastructure while restricting access to international tools such as GitHub and Cloudflare. This approach may bolster control but risks hindering innovation and cybersecurity collaboration, potentially increasing exposure to sophisticated attacks.
FROM THE MEDIA: The legislation follows a 74% rise in cyber fraud in 2024, with 27.5 billion rubles ($300 million) stolen through tactics like phishing, SMS scams, and mobile malware. Russian authorities also reported over 750 cyber incidents affecting banks, predominantly DDoS attacks. Lawmakers cited extensive data breaches, including a leak of 286 million phone numbers and 96 million email addresses, as a key driver behind the law. The move builds on earlier restrictions banning tech from "unfriendly" countries and further isolates Russia’s digital ecosystem.
READ THE STORY: The Record
Assessing the Material Shaping of EU Digital Sovereignty in Response to the War in Ukraine (Video)
FROM THE MEDIA: The war in Ukraine is known to have informed and inspired the acceleration of EU legislation aimed at strengthening the EU’s capacity to protect its “cyberspace” against the spread of disinformation and foreign interference, which the European Commission now equates with “European digital sovereignty”.
Estonia | The Digital State (Video)
FROM THE MEDIA: Estonia is a Baltic country that in recent years has been embarking on reform programs that are intended to change this. Estonia is a “paperless state”, meaning a state that has effectively removed all paper from its bureaucracy and replaced it with a digital state structure. In this short video I would like to introduce you to the digital state and argue for it.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.