Monday, Apr 14, 2025 // (IG): BB // GITHUB // SN R&D
China Admits to Volt Typhoon Cyberattacks on U.S. Critical Infrastructure
NOTE:
China’s cyber operations are split between two powerful state organs: the People’s Liberation Army (PLA) and the Ministry of State Security (MSS). The PLA’s cyber forces, likely behind Volt Typhoon, focus on wartime preparation: pre-positioning inside critical infrastructure to enable sabotage during a military conflict, particularly one over Taiwan. In contrast, the MSS, tied to the Flax Typhoon and Salt Typhoon campaigns, specializes in long-term espionage, targeting foreign governments, military communications, and commercial secrets.
Bottom Line Up Front (BLUF): In a secret meeting in Geneva in December 2024, Chinese officials indirectly acknowledged their role in cyberattacks against U.S. critical infrastructure linked to the Volt Typhoon campaign. This admission validates long-standing fears that China's cyber operations are designed to deter American intervention in Taiwan and highlights the escalating threat to vital U.S. systems. It also suggests a broader Chinese strategy: using cyber operations both for wartime preparation and to distract from ongoing espionage efforts like Flax and Salt Typhoon.
Analyst Comments: Volt Typhoon represents a notable shift from cyber espionage to battlefield preparation, specifically targeting civilian infrastructure critical to U.S. national resilience. Operated likely by PLA units, Volt Typhoon underscores the integration of cyber capabilities into China’s military strategy. In response, the U.S. is expected to ramp up proactive cyber defense measures, such as expanding hunt-forward deployments and fortifying key sectors. This could also lead to more aggressive countermeasures against Chinese cyber operators and a reassessment of U.S. critical infrastructure protection strategies.
FROM THE MEDIA: During the closed-door Geneva meeting, Chinese delegates cautiously acknowledged Volt Typhoon operations while denying direct responsibility, according to diplomatic sources. The discussion also revealed new details about Salt Typhoon, an MSS-led operation that compromised U.S. telecommunications systems and accessed sensitive government communications. U.S. intelligence agencies have differentiated the two campaigns: Volt Typhoon as pre-attack staging and Salt Typhoon as traditional espionage. Together, they showcase China's dual-track cyber strategy: preemptive disruption capabilities for conflict scenarios and continuous intelligence collection during peacetime. This acknowledgment marks a rare moment of transparency in international cyber diplomacy and could trigger stronger U.S. and allied cybersecurity responses.
READ THE STORY: The Register // CN
U.S. Department of Justice Launches Data Security Program to Counter Foreign Exploitation of Americans’ Sensitive Information
Bottom Line Up Front (BLUF): The U.S. Department of Justice (DoJ) has unveiled the Data Security Program (DSP) under Executive Order 14117 to block China, Russia, Iran, and other adversaries from accessing sensitive American data through legal commercial channels. Effective since April 8, 2025, the program imposes strict controls over transactions involving personal, financial, genomic, and geolocation data. A 90-day grace period allows businesses to adapt compliance measures before stringent enforcement begins in July.
Analyst Comments: The DSP represents a significant evolution in U.S. national security policy, treating sensitive personal and corporate data as a controlled strategic asset. By closing loopholes exploited through commercial acquisitions, the initiative aims to blunt foreign surveillance and AI-driven threat vectors. Businesses across sectors—especially tech, healthcare, and finance—must now urgently map data flows, vet partners, and update contracts. As enforcement tightens after July, expect an increase in compliance scrutiny, government audits, and possibly, retaliatory moves from targeted foreign entities.
FROM THE MEDIA: The DoJ’s National Security Division (NSD) formally launched the Data Security Program to keep bulk sensitive American data out of the hands of foreign adversaries. The rule requires U.S. companies to audit and secure the data transactions it covers, following NSD guidance and the security requirements published by CISA. A 90-day enforcement leniency period runs until July 8, 2025, after which the DoJ can seek civil penalties for non-compliance (and criminal penalties for willful violations). Businesses have until October 6, 2025, to meet the program’s due-diligence, audit, and recordkeeping obligations, including monitoring of covered data flows. The program, created under a Biden-era executive order and now enforced by the Trump DoJ, reflects a broader U.S. strategy of using regulatory tools to counter cyber and economic threats from rival nations.
READ THE STORY: GBhackers
China’s New Semiconductor Tariff Policy Threatens Intel’s Global Business, Favors TSMC and Taiwan-Based Supply Chains
Bottom Line Up Front (BLUF): China’s Semiconductor Industry Association (CSIA) clarified that, for tariff purposes, a chip’s country of origin is the location of the wafer fabrication plant, not where it is designed or packaged. Chips fabricated in Taiwan or elsewhere outside the U.S. therefore escape China’s retaliatory tariffs of up to 125% on U.S. goods, while chips fabricated in American fabs do not. The ruling squeezes companies that manufacture in the U.S., notably Intel, while favoring Taiwanese foundries such as TSMC, and signals China’s intent to weaken U.S. chip manufacturing and secure its own supply chains.
Analyst Comments: By targeting U.S. chipmakers through punitive tariffs while easing trade with Taiwan-based suppliers, China is reshaping the global semiconductor landscape. Firms like Intel and GlobalFoundries could face significant supply chain disruptions and market share losses in China, while TSMC and others may gain even greater leverage. This policy forces multinational tech companies, including Apple and NVIDIA, to reassess supplier relationships and long-term manufacturing strategies. In the broader context, expect escalating retaliatory measures from the U.S., further destabilizing the global tech supply chain.
FROM THE MEDIA: CSIA issued a notice clarifying how China determines the origin of imported semiconductors: by the location of the wafer fabrication facility, for both packaged and unpackaged chips. Chips fabricated in Taiwan or other non-U.S. locations are treated as non-U.S. origin and escape the retaliatory tariffs, which reach 125% for U.S.-origin goods. As a result, fabless companies such as NVIDIA, AMD, and Apple, which source heavily from TSMC, are shielded, while chips made in Intel’s U.S. plants face a grim outlook in China. Analysts see the move as part of China’s broader effort to secure domestic supply chains amid rising geopolitical tensions and the ongoing tariff war.
READ THE STORY: WCCFTECH
HelloKitty Ransomware Resurfaces, Targeting Windows, Linux, and ESXi with Enhanced Encryption and Global Reach
Bottom Line Up Front (BLUF): The HelloKitty ransomware group has reemerged with new variants capable of attacking Windows, Linux, and ESXi systems, showcasing advanced encryption techniques and expanded global targeting. Originally linked to Ukraine, new indicators suggest a possible Chinese influence or multinational operation. HelloKitty’s latest tactics, techniques, and procedures (TTPs) reveal significant evolution aimed at evading modern defenses and increasing operational sophistication.
Analyst Comments: The shift towards stronger encryption methods, stealthier infection chains, and possible obfuscation of origin points to a highly adaptive threat group. With historic ties to critical infrastructure attacks and now a refined cross-platform capability, HelloKitty could pose serious threats to global enterprises. Organizations should anticipate more aggressive ransomware campaigns and prioritize hardening defenses across hybrid IT environments, including cloud and on-premises ESXi deployments.
FROM THE MEDIA: New variants employ RSA-2048 public-key encryption, SHA-256 hashing to derive the victim ID, and a hybrid encryption approach that combines Salsa20 and AES for bulk data with the RSA key protecting the symmetric keys. The group’s geographic footprint has expanded, with samples linked to China, though attribution remains murky. Historically tied to attacks on CD Projekt Red and the Brazilian power utility CEMIG, HelloKitty’s evolving tactics now include detailed system reconnaissance and cross-platform malware deployment. Analysts note the group’s ongoing recalibration, hinting at a potential large-scale campaign in the near future.
READ THE STORY: GBhackers
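The hybrid scheme described above (a fresh symmetric key per run, wrapped to the operator’s RSA-2048 public key, with a SHA-256-derived victim ID) is what makes recovery without the operator’s private key infeasible. The following Go program is an added illustration written for this digest; it is not HelloKitty code and its blob layout, field names, and inputs are this example’s own assumptions. AES-GCM stands in for the Salsa20/AES pair because Go’s standard library has no Salsa20. The defender-relevant point it demonstrates is that the wrapped key found beside the ciphertext is worth preserving: a later leak of the private key is the only path to unwrapping it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Bundle is what a hybrid-encryption scheme leaves behind for one victim:
// the ciphertext, the per-run symmetric key wrapped to the operator's RSA
// public key, and the victim ID. The layout is assumed for this example.
type Bundle struct {
	VictimID   string
	WrappedKey []byte // RSA-OAEP(pub, symmetric key)
	Nonce      []byte
	Ciphertext []byte
}

// VictimID mirrors the "SHA-256 for victim ID" detail: a stable identifier
// derived from host attributes (which attributes is an assumption here).
func VictimID(hostname, machineGUID string) string {
	sum := sha256.Sum256([]byte(hostname + "|" + machineGUID))
	return hex.EncodeToString(sum[:8])
}

// Encrypt generates a fresh 256-bit key, seals the data with AES-GCM (bound
// to the victim ID as associated data) and wraps the key with RSA-2048 OAEP.
// After this returns, the only copy of the key is inside WrappedKey.
func Encrypt(pub *rsa.PublicKey, victimID string, plaintext []byte) (*Bundle, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(victimID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(victimID))
	if err != nil {
		return nil, err
	}
	for i := range key { // the symmetric key never persists in the clear
		key[i] = 0
	}
	return &Bundle{VictimID: victimID, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt is the operator-side path: unwrap the key with the private key,
// then open the AES-GCM ciphertext. Any other private key fails at the unwrap.
func Decrypt(priv *rsa.PrivateKey, b *Bundle) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, b.WrappedKey, []byte(b.VictimID))
	if err != nil {
		return nil, errors.New("cannot unwrap symmetric key: wrong private key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(b.VictimID))
}

func main() {
	operator, _ := rsa.GenerateKey(rand.Reader, 2048)
	id := VictimID("WS-FIN-07", "7f3c0a11-constructed") // constructed host attributes
	b, _ := Encrypt(&operator.PublicKey, id, []byte("constructed sample document"))
	pt, err := Decrypt(operator, b)
	fmt.Printf("victim %s, operator key: %q, err=%v\n", b.VictimID, pt, err)
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = Decrypt(stranger, b)
	fmt.Println("other private key:", err)
}
```

The associated-data binding to the victim ID means a blob cannot be transplanted between victims even with the right private key, which is one reason incident responders should record the victim ID alongside any recovered key material.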
Pakistan-Linked Hackers Deploy New CurlBack and Spark RATs to Target Indian Infrastructure
Bottom Line Up Front (BLUF): A Pakistan-linked threat actor, likely associated with SideCopy (a sub-cluster of Transparent Tribe/APT36), has expanded its cyber operations in India, deploying new malware families CurlBack RAT and Spark RAT. The campaign, observed by SEQRITE from December 2024, has targeted Indian railway, oil and gas, and external affairs ministries, signaling an escalation beyond traditional government and defense sectors. Attackers use phishing emails with MSI installers to stage multi-step infections.
Analyst Comments: The introduction of CurlBack RAT and the cross-platform Spark RAT shows the group’s increasing technical maturity and flexibility. By shifting from HTA files to MSI packages and leveraging advanced techniques like DLL side-loading and AES decryption via PowerShell, the attackers are refining their stealth and persistence capabilities. Given SideCopy’s focus on Windows and APT36’s historical Linux targeting, this dual-platform strategy could increase the threat surface significantly across Indian critical infrastructure. Further phishing, credential theft, and lateral movement activities are likely in the coming months.
FROM THE MEDIA: The group has adopted Microsoft Installer (MSI) packages as the new primary infection vector, replacing older HTA-based methods. Phishing campaigns impersonating trusted Indian institutions deliver payloads leading to the deployment of Spark RAT and the newly identified CurlBack RAT. These tools enable system information gathering, privilege escalation, remote command execution, and credential theft. The attackers continue to evolve, integrating customized versions of open-source malware and exploiting compromised domains for distribution and persistence.
READ THE STORY: THN
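The chain described above (an MSI package dropping a payload, a DLL side-loaded by a legitimate host binary, then PowerShell decrypting an AES-encrypted stage) leaves distinctive shapes in process-creation and image-load telemetry. The Go program below is an added example written for this digest, not SEQRITE’s or the threat actor’s code; the Sysmon-like field names, the rule names, and the sample log lines are all constructed assumptions, and the heuristics are generic rather than signatures for SideCopy’s specific tooling.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Event is a minimal Sysmon-like record. Type "ProcessCreate" approximates
// Event ID 1 and "ImageLoad" approximates Event ID 7; field names are
// assumptions made for this example.
type Event struct {
	Type        string `json:"Type"`
	Image       string `json:"Image"`
	ParentImage string `json:"ParentImage"`
	CommandLine string `json:"CommandLine"`
	ImageLoaded string `json:"ImageLoaded"` // ImageLoad only: the DLL
	ImageSigned bool   `json:"ImageSigned"` // ImageLoad only: loading process signed?
	Signed      bool   `json:"Signed"`      // ImageLoad only: loaded DLL signed?
}

type Finding struct {
	Rule  string
	Image string
}

// PowerShell reaching for the .NET AES API or base64 blobs: the
// decrypt-then-run staging pattern the article describes.
var psAES = regexp.MustCompile(`(?i)(System\.Security\.Cryptography\.Aes|AesCryptoServiceProvider|\[Convert\]::FromBase64String)`)

func baseName(p string) string {
	i := strings.LastIndexAny(p, `\/`)
	return strings.ToLower(p[i+1:])
}

func dirName(p string) string {
	i := strings.LastIndexAny(p, `\/`)
	if i < 0 {
		return ""
	}
	return strings.ToLower(p[:i])
}

// userWritable flags paths where a phishing-delivered installer can drop files.
func userWritable(p string) bool {
	l := strings.ToLower(p)
	for _, s := range []string{`\appdata\`, `\temp\`, `\users\public\`, `\programdata\`, `\downloads\`} {
		if strings.Contains(l, s) {
			return true
		}
	}
	return false
}

// Evaluate applies three heuristics to the events in order.
func Evaluate(events []Event) []Finding {
	var out []Finding
	for _, e := range events {
		switch e.Type {
		case "ProcessCreate":
			// 1. msiexec launching something from a user-writable directory.
			if baseName(e.ParentImage) == "msiexec.exe" && userWritable(e.Image) {
				out = append(out, Finding{"msiexec_spawned_userwritable", e.Image})
			}
			// 2. PowerShell that decrypts an AES/base64 blob in its command line.
			if baseName(e.Image) == "powershell.exe" && psAES.MatchString(e.CommandLine) {
				out = append(out, Finding{"powershell_aes_decrypt_stage", e.Image})
			}
		case "ImageLoad":
			// 3. Classic side-load: a signed host loads an unsigned DLL sitting
			//    next to it in a user-writable directory.
			if e.ImageSigned && !e.Signed && userWritable(e.ImageLoaded) && dirName(e.ImageLoaded) == dirName(e.Image) {
				out = append(out, Finding{"dll_sideload_candidate", e.Image})
			}
		}
	}
	return out
}

// ParseEvents reads newline-delimited JSON records.
func ParseEvents(ndjson string) ([]Event, error) {
	var evs []Event
	for _, line := range strings.Split(ndjson, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad record %q: %w", line, err)
		}
		evs = append(evs, e)
	}
	return evs, nil
}

// SampleLog is constructed telemetry: one benign install, then the three
// stages of the described chain.
const SampleLog = `
{"Type":"ProcessCreate","ParentImage":"C:\\Windows\\System32\\msiexec.exe","Image":"C:\\Program Files\\Vendor\\setup.exe","CommandLine":"setup.exe /quiet"}
{"Type":"ProcessCreate","ParentImage":"C:\\Windows\\System32\\msiexec.exe","Image":"C:\\Users\\alice\\AppData\\Roaming\\Vendor\\updater.exe","CommandLine":"updater.exe"}
{"Type":"ImageLoad","Image":"C:\\Users\\alice\\AppData\\Roaming\\Vendor\\updater.exe","ImageLoaded":"C:\\Users\\alice\\AppData\\Roaming\\Vendor\\version.dll","ImageSigned":true,"Signed":false}
{"Type":"ImageLoad","Image":"C:\\Program Files\\Vendor\\setup.exe","ImageLoaded":"C:\\Windows\\System32\\version.dll","ImageSigned":true,"Signed":true}
{"Type":"ProcessCreate","ParentImage":"C:\\Users\\alice\\AppData\\Roaming\\Vendor\\updater.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -nop -w hidden -c $k=[Convert]::FromBase64String('QUJD'); $a=[System.Security.Cryptography.Aes]::Create()"}
`

func main() {
	evs, err := ParseEvents(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range Evaluate(evs) {
		fmt.Printf("%-30s %s\n", f.Rule, f.Image)
	}
}
```

Each rule alone is noisy in a real estate (installers do drop updaters under AppData); the value comes from correlating the three hits on one host within a short window, which is the shape a hunt query or SIEM rule should express.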
New ‘Goffee’ Malware Campaign Targets Russian Flash Drives in Stealthy Espionage Operation
Bottom Line Up Front (BLUF): A newly tracked hacking group, dubbed Goffee (also known as Paper Werewolf), is actively stealing sensitive data from flash drives inside Russian organizations using custom malware tools such as PowerModul and FlashFileGrabber. Researchers at Kaspersky report that the campaign, active since at least 2022, is primarily focused on cyber-espionage against Russian government, telecom, media, construction, and energy sectors. The malware is delivered via phishing emails disguised as coming from trusted Russian institutions.
Analyst Comments: Goffee’s use of USB-based malware highlights the persistent value of physical media infections in modern cyber-espionage campaigns, especially in tightly controlled or air-gapped environments. The campaign's evolution from secondary loaders to standalone backdoors suggests growing sophistication and autonomy. Although no direct attribution to nation-states like China has been made, the overlap with tactics seen in Chinese cyber operations raises questions about possible indirect links. This development underscores the critical need for improved endpoint security and removable media controls in sensitive sectors.
FROM THE MEDIA: Cybersecurity researchers from Kaspersky disclosed that a group named Goffee is targeting Russian organizations by spreading malware through flash drives. Their custom toolset includes FlashFileGrabber, which silently copies documents from USB drives, and USB Worm, which propagates the malware. Initially underestimated as a secondary loader, PowerModul is now recognized as a standalone backdoor with its own command-and-control infrastructure. Goffee primarily uses phishing emails impersonating Russian regulatory agencies to deliver malicious payloads. While espionage remains the main focus, occasional operational disruptions have also been recorded.
READ THE STORY: The Record
Trump’s Tech Tariff Strategy Wobbles: Semiconductor Exemptions Reveal Economic Risks Amid U.S.–China Trade War
Bottom Line Up Front (BLUF): Despite escalating tariffs against China, the Trump administration quietly exempted certain electronics, including semiconductors, from new duties under Executive Order 14257. While framed as temporary, these exemptions aim to curb inflation and protect the U.S. consumer tech market. Meanwhile, China both called for an end to the tariffs and retaliated with new export bans on critical minerals, deepening tensions.
Analyst Comments: The exemptions on semiconductors, CPUs, smartphones, and computers reveal the complexity of balancing economic stability with geopolitical pressure. While aiming to "reshore" tech manufacturing, the U.S. risks short-term inflation and disruption to major industries. China's export bans and strategic signaling suggest Beijing is both offering limited diplomatic off-ramps and preparing for prolonged economic confrontation. Expect more volatility in supply chains, further export restrictions, and intensified cybersecurity threats tied to the "Typhoon" cyber campaigns in parallel to trade battles.
FROM THE MEDIA: Following the blanket tariff announcement on April 2, 2025, the Trump administration updated its position late on April 11, exempting specific electronics under Executive Order 14257. New exemptions cover semiconductors, laptops, smartphones, CPUs, and memory chips, crucial to preventing price spikes in U.S. consumer markets. While Commerce Secretary Howard Lutnick confirmed on ABC's This Week that these are temporary, future "sectoral tariffs" on tech and pharmaceuticals are imminent. China responded with critical mineral export bans while simultaneously signaling a willingness to negotiate, indicating the dual-track strategy of retaliation and diplomacy.
READ THE STORY: The Register // The Times of India
Germany Signals Shift: Incoming Chancellor Merz Supports Sending Taurus Missiles to Ukraine
Bottom Line Up Front (BLUF): Friedrich Merz, Germany’s chancellor-in-waiting, announced readiness to supply Ukraine with Taurus long-range cruise missiles in coordination with European allies. This marks a major policy shift from outgoing Chancellor Olaf Scholz, who had long resisted such deliveries over escalation concerns. The move responds to recent Russian attacks on Ukrainian civilians, notably in Sumy, and aims to boost Ukraine’s ability to strike deep into Russian-occupied territory.
Analyst Comments: Merz’s stance suggests a more assertive German role in supporting Ukraine militarily, aligning with British, French, and American missile deliveries. The Taurus missiles’ extended range could enable Ukraine to target key Russian infrastructure, including the Kerch Bridge, escalating battlefield dynamics. While this bolsters Ukrainian capabilities, it also risks provoking a stronger Russian response and political tension within Germany’s governing coalition. Watch for potential delays or conditions placed on the missile transfer as internal debates continue.
FROM THE MEDIA: Friedrich Merz confirmed Germany's willingness to send Taurus missiles to Ukraine, contingent on European coordination. Merz criticized Russian President Vladimir Putin's recent attacks as "war crimes" and stressed the need to help Ukraine "get ahead" militarily. The Taurus KEPD 350 missiles, developed by MBDA and Saab, boast a range exceeding 500km—longer than the Storm Shadow missiles supplied by the UK and France. Although Scholz had previously warned of escalation risks, Merz’s comments suggest a departure toward a more aggressive policy. Final coalition approval and logistical preparations remain pending.
READ THE STORY: FT
Modern Hacktivism Blurs Lines with State-Sponsored Cyber Operations, Targeting Critical Infrastructure
Bottom Line Up Front (BLUF): Hacktivist activity has resurged globally, but experts warn that many attacks—especially those targeting critical infrastructure—are now often state-backed operations in disguise. Groups like BlackJack, Killnet, and CyberArmyofRussia_Reborn1 present themselves as independent activists but are increasingly linked to national cyber units, using “hacktivism” for plausible deniability. Recent incidents include attacks on water systems in Texas and Russian municipal networks, highlighting escalating risks.
Analyst Comments: The use of hacktivism as a cover for state-sponsored cyber operations marks a troubling evolution in cyber conflict. While historically hacktivists sought publicity, today's actors often aim for disruption or strategic influence aligned with national interests. Expect continued attacks on soft targets like utilities and public services, creating psychological impacts even if technical damage remains limited. Defenders must treat politically motivated cyberattacks with the same seriousness as nation-state threats and build resilience against both DDoS and operational technology breaches.
FROM THE MEDIA: The Register reported on the growing sophistication of hacktivist groups tied to national governments. Notable events include the 2024 compromise of Moscow’s municipal infrastructure by the pro-Ukraine BlackJack crew using OT-specific malware "Fuxnet," and Russia-linked hacktivist attacks against Texas water facilities. Analysts from Dragos, Google’s Threat Intelligence Group, and others highlight that many so-called hacktivist groups now operate with state support or tolerance. Experts emphasize that the visibility of these attacks often masks more dangerous, stealthier cyber operations aimed at espionage and critical infrastructure disruption.
READ THE STORY: The Register
Items of interest
Ukraine’s Trojan Horse Drones Signal Bold New Era of Cyber-Physical Warfare
NOTE:
Ukraine’s integration of malware into its drones is a significant and rare development in modern cyberwarfare, creating a new attack vector within its broader guerrilla cyber efforts against Russia. Unlike traditional cyberattacks that target networks or infrastructure remotely, this tactic physically embeds malicious code in hardware that the enemy must handle, turning captured drones into Trojan horses. The approach blurs the line between kinetic and cyber operations, allowing Ukraine to reach into Russian systems without needing sustained network access. It reflects the ingenuity of Ukraine’s tech-savvy defense sector and points to a future in which cyber capabilities are woven into battlefield assets. If the tactic proves effective, other nations and non-state actors may adopt similar hybrid strategies, changing how cyber warfare is conducted in contested environments.
Bottom Line Up Front (BLUF): Ukraine has embedded malware into its military drones to sabotage captured units and disrupt Russian forces, pioneering a new form of cyber-physical warfare. These drones employ multi-layered malware strategies to destroy hardware, lock out systems, or covertly collect intelligence. The tactic raises urgent global concerns over drone cybersecurity and the risks inherent in vulnerable supply chains.
Analyst Comments: Ukraine’s innovation marks a significant evolution in integrating cyber operations directly into battlefield tools, accelerating the convergence of digital and physical warfare. This approach not only hampers Russian counter-drone efforts but could also set a precedent for broader adoption of weaponized malware in future conflicts. Global drone manufacturers and military planners will now be under pressure to harden devices against such embedded threats, while adversaries are likely to replicate or escalate these tactics.
FROM THE MEDIA: Three types of malware are deployed: burning out USB ports, locking drone firmware to block reuse, and covert espionage programs that reveal operator locations or hijack repurposed drones. A video circulated on social media and cited by sources showed Russian warnings about these infected drones. Analysts note this strategy not only delays Russian countermeasures but also gives Ukraine a temporary technological edge in the drone arms race. Broader implications include increased cybersecurity demands across the global drone sector and an intensification of cyber-physical warfare tactics.
READ THE STORY: Techi // Drone Life // Forbes
Ukraine using drones loaded with malware to disrupt Russian operations (Video)
FROM THE MEDIA: Ukrainian forces are embedding malware into drones to sabotage Russian efforts to reuse captured drones or study their internal systems. The malware can cause physical damage to USB ports, block reprogramming or allow remote hijacking.
Ukrainian Drones: The Digital Ambush (Video)
FROM THE MEDIA: In a groundbreaking twist to modern warfare, Ukrainian drones are now equipped with self-infecting malware designed to spread chaos behind enemy lines. When captured or downed, these drones activate a hidden cyber weapon, a virus that infiltrates and disrupts Russian digital systems. What was once just a physical threat becomes a digital ambush, turning every crash into a silent, invisible counterattack.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.