Sunday, Apr 20, 2025 // (IG): BB // GITHUB // SN R&D
Swedish Probe Finds No Conclusive Evidence Chinese Vessel Deliberately Cut Baltic Cables
NOTE:
The Arelion (Sweden–Lithuania) and C-Lion 1 (Finland–Germany) undersea cables are vital to Northern Europe’s digital infrastructure, linking the Baltic and Finland directly to Western Europe while supporting NATO command, financial systems, and industrial data flows. Their strategic value lies in bandwidth, redundancy, and their role as secure, sovereign routes bypassing vulnerable land-based networks. If an adversary—such as Russia—were to disrupt or sever these cables, it could cripple military communications, delay NATO coordination, paralyze financial and energy systems, and isolate frontline states from Western support. This form of asymmetric sabotage offers high strategic payoff with plausible deniability, making these cables critical in peacetime deterrence and wartime resilience planning.
Bottom Line Up Front (BLUF): Sweden's Accident Investigation Authority (SHK) has found no definitive proof that the Chinese vessel Yi Peng 3 intentionally damaged two subsea telecommunications cables in the Baltic Sea in November 2024. The report leaves open both accidental and deliberate sabotage scenarios, amid broader regional concerns over hybrid threats following Russia's invasion of Ukraine.
Analyst Comments: While the SHK's findings do not assign culpability, the lack of transparency and delayed access to ship data complicate attribution. In the context of increasing hybrid threats in the Baltic—especially with Sweden and Finland now NATO members—subsea cable security is becoming critical in both cyber and kinetic defense strategies. Expect NATO to push for tighter surveillance and incident attribution capabilities in maritime zones.
FROM THE MEDIA: Swedish investigators concluded that while the Yi Peng 3—a Chinese-flagged bulk carrier—was responsible for dragging an anchor that severed two Baltic Sea subsea cables, there is no conclusive evidence that the act was deliberate. The damage occurred on November 17 and 18, 2024, impacting the Arelion cable (Sweden to Lithuania) and the C-Lion 1 cable (Finland to Germany). Investigators considered both accidental anchor loosening and intentional sabotage, but cited operational risk and absence of vessel damage as complicating factors. Swedish authorities were granted access to the ship and crew only a month after the incident, and received no electronic logs. While SHK did not determine intent, Swedish police have not ruled out criminal sabotage.
READ THE STORY: Spacewar
Canadian PM Mark Carney Labels China as Top National Security Threat Ahead of Election
Bottom Line Up Front (BLUF): Canadian Prime Minister Mark Carney has declared China the foremost national security threat to Canada, citing cyber activity, foreign interference, and strategic ambitions in the Arctic. His comments during a televised debate and subsequent campaign events mark a significant shift in Canada’s foreign policy tone just days before the federal election.
Analyst Comments: Carney’s hardline position reflects an emerging consensus among Western allies on the multifaceted threat of China’s cyber and geopolitical ambitions. His focus on cyber interference and subnational influence aligns with U.S. concerns around foreign access to critical infrastructure, political systems, and sensitive data. As cyber-espionage and disinformation tactics evolve, nations like Canada will likely adopt more aggressive policies on data sovereignty, foreign investment screening, and tech supply chain security, potentially inviting retaliatory measures from Beijing. Expect China-related cybersecurity to become a cornerstone of Canadian national defense strategy if Carney is re-elected.
FROM THE MEDIA: Canadian PM Mark Carney named China as the country's top geopolitical threat during a televised election debate, citing cyber intrusions, political interference, and Arctic ambitions. He warned that Chinese actions directly endanger Canadian sovereignty and democratic institutions. Speaking in Niagara Falls, he vowed that his national security platform would prioritize Arctic defense and countering foreign cyber threats. Beijing has not officially responded, but Chinese experts called the remarks politically motivated. The announcement comes as Canada faces escalating trade tensions with the U.S., with tariffs recently imposed on Canadian metals and autos.
READ THE STORY: The Tribune
SpyCast Video Dissects 900 Cases of Chinese Espionage, Highlights MSS Evolution and Global Targeting
Bottom Line Up Front (BLUF): A new SpyCast video analyzed over 900 Chinese espionage cases, revealing China’s “whole-of-society” intelligence model, the central role of the Ministry of State Security (MSS), and a growing focus on cyber, political, and subnational infiltration efforts. The video underscores China’s unique blend of traditional philosophy, modern tech, and systemic state-mandated cooperation to pursue its strategic objectives.
Analyst Comments: China's expansive and integrated intelligence strategy represents a long-term challenge for Western nations, particularly the U.S. As the MSS grows in sophistication and extends influence via proxies like the United Front Work Department, cyber operations and economic espionage are becoming more decentralized and difficult to track. The targeting of local U.S. government bodies and critical technologies suggests that national cybersecurity frameworks must adapt beyond federal focus, extending to municipalities, academia, and private-sector R&D. Western defenses must account for technical threats and cultural and ideological levers used to compel insider access.
FROM THE MEDIA: In a SpyCast video reviewed by Small Wars Journal on April 19, 2025, experts examined China's espionage operations through a dataset of 900 cases. The analysis emphasized how China's MSS, under Xi Jinping, has shifted toward more assertive global intelligence collection, often outsourcing cyber tasks to security firms. State-owned enterprises and national laws compel private actors into state service. The report identifies the U.S. and Taiwan as top targets, followed by European nations. Espionage case studies—such as the Kevin Mallory LinkedIn recruitment and the Su Jan Fun radiation chip theft—highlight technical vulnerabilities and human lapses. The video also draws on strategic Chinese concepts like Confucianism and Sun Tzu’s Art of War to explain how non-kinetic influence operations are used to secure long-term geopolitical advantage.
READ THE STORY: SWJ
XorDDoS Malware Expands to Docker and IoT as New VIP Controller Emerges
Bottom Line Up Front (BLUF): Security researchers have discovered a new version of the XorDDoS malware infrastructure, featuring a central "VIP" controller and sub-controller hierarchy, enabling more extensive and more coordinated DDoS attacks. The malware, which primarily targets Linux systems, has recently expanded to infect Docker and IoT devices, with the United States accounting for over 71% of observed attacks.
Analyst Comments: XorDDoS’s evolution demonstrates how legacy malware families can remain persistent threats by continuously adapting to new environments and distribution methods. Adding Docker environments and an advanced controller-builder toolkit signals professionalization, possibly aligned with malware-as-a-service (MaaS) models. Its command structure and language indicators point toward Chinese-speaking operators, raising concerns about the intersection of financially motivated and geopolitically aligned cyber actors. Enterprises running Linux-based infrastructure—especially exposed Docker environments—must harden SSH configurations and monitor outbound DNS traffic for anomalies.
FROM THE MEDIA: The malware, which has been active for over a decade, uses SSH brute-force attacks to gain access and installs itself with cron jobs and init scripts for persistence. The most recent campaign unveiled a “VIP” sub-controller system and a builder toolkit capable of managing multiple botnets through layered infrastructure. Researchers identified the use of a static XOR decryption key and noted the Chinese language in the tool's interface, suggesting its origins. The infrastructure is likely being commercialized on underground forums.
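The two XorDDoS behaviours described above, SSH password brute-forcing for initial access and cron entries for persistence, can be hunted for on a Linux host with the following added example (not code from the article or the researchers cited). The auth-log lines, crontab entries, IP addresses and the five-failures-per-minute threshold are all constructed assumptions.

```python
"""Detect the XorDDoS access and persistence patterns on a Linux host:
(1) SSH password brute force in sshd auth-log lines, and
(2) cron entries that run from temp/hidden paths or at high frequency.
Added example; all sample data below is constructed, not from an incident."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in /var/log/auth.log syslog format.
SAMPLE_AUTH_LOG = """\
Apr 20 03:14:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Apr 20 03:14:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 50123 ssh2
Apr 20 03:14:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Apr 20 03:14:06 host sshd[1204]: Failed password for root from 203.0.113.7 port 50125 ssh2
Apr 20 03:14:08 host sshd[1205]: Failed password for root from 203.0.113.7 port 50126 ssh2
Apr 20 03:14:09 host sshd[1206]: Accepted password for root from 203.0.113.7 port 50127 ssh2
Apr 20 03:20:11 host sshd[1250]: Failed password for alice from 198.51.100.4 port 41002 ssh2
Apr 20 03:20:40 host sshd[1251]: Accepted publickey for alice from 198.51.100.4 port 41003 ssh2
"""

# Constructed /etc/crontab-style entries (minute hour dom mon dow user command).
SAMPLE_CRONTAB = """\
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/3 *   * * *   root    /etc/cron.hourly/update.sh
*/1 *   * * *   root    /tmp/.x/kworkerds
0 2     * * *   backup  /usr/local/bin/backup.sh
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_auth_log(text, year=2025):
    """Return (timestamp, result, method, user, ip) tuples; syslog lacks the year."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events

def find_bruteforce(events, threshold=5, window_s=60):
    """Map source IP -> {'failures', 'success_after'} for IPs exceeding `threshold`
    failed password logins inside a `window_s`-second sliding window."""
    per_ip = defaultdict(list)
    for ts, result, method, user, ip in events:
        if method == "password":            # publickey failures are not guessing
            per_ip[ip].append((ts, result))
    hits = {}
    for ip, attempts in per_ip.items():
        attempts.sort()
        fails = [t for t, r in attempts if r == "Failed"]
        for i in range(len(fails)):
            j = i
            while j < len(fails) and (fails[j] - fails[i]).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                last_fail = fails[j - 1]
                # a successful password login after the burst means the guess landed
                success = any(r == "Accepted" and t >= last_fail for t, r in attempts)
                hits[ip] = {"failures": j - i, "success_after": success}
                break
    return hits

def suspicious_cron_entries(text):
    """Return (command, reasons) for cron lines matching XorDDoS-style persistence."""
    flagged = []
    for line in text.splitlines():
        fields = line.strip().split(None, 6)
        if len(fields) < 7 or fields[0].startswith("#"):
            continue
        minute, command = fields[0], fields[6]
        reasons = []
        if any(d in command for d in SUSPICIOUS_DIRS) or "/." in command:
            reasons.append("runs from temp or hidden path")
        if minute.startswith("*/") and int(minute[2:]) <= 5 and "run-parts" not in command:
            reasons.append("high-frequency task (every <=5 min)")
        if reasons:
            flagged.append((command, reasons))
    return flagged
```

Running `find_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG))` flags only 203.0.113.7, with the follow-on successful root login marked; `suspicious_cron_entries(SAMPLE_CRONTAB)` flags the two high-frequency entries and leaves the run-parts and backup jobs alone.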
READ THE STORY: THN
Soyuz MS-26 Safely Returns U.S. and Russian Astronauts After 7-Month ISS Mission
Bottom Line Up Front (BLUF): The Soyuz MS-26 spacecraft successfully landed in Kazakhstan on April 20, 2025, bringing back NASA astronaut Donald Pettit and Russian cosmonauts Alexey Ovchinin and Ivan Wagner after a 220-day mission aboard the International Space Station (ISS). The return is a further instance of continuing U.S.-Russia space cooperation amid broader geopolitical tensions.
Analyst Comments: Despite deteriorating diplomatic relations and sanctions stemming from Russia’s war in Ukraine, space exploration remains a rare channel of collaboration between the U.S. and Russia. Missions like MS-26 highlight how scientific goals, especially those tied to the ISS, can transcend political divides, though these cooperative efforts face increasing scrutiny. With U.S. astronauts still relying on Soyuz spacecraft for specific missions, any escalation in geopolitical hostilities or cyber incidents targeting space infrastructure could jeopardize future joint operations or astronaut safety.
FROM THE MEDIA: The spacecraft carried U.S. astronaut Donald Pettit, who celebrated his 70th birthday the same day, along with Russian cosmonauts Alexey Ovchinin and Ivan Wagner. Their mission lasted 220 days, during which they orbited the Earth 3,520 times and traveled more than 93 million miles. Pettit researched metal 3D printing, water sanitation, and plant growth in microgravity. This was Pettit’s fourth spaceflight, accumulating 590 days in orbit, while Ovchinin and Wagner now total 595 and 416 days, respectively. Despite tensions from the Ukraine war, U.S.-Russia cooperation in space continues, with another joint crew recently launched aboard Soyuz MS-27.
READ THE STORY: Reuters // Aljazeera
China’s U.S. Envoy Urges End to Tariff War, Warns Beijing “Ready to Fight”
Bottom Line Up Front (BLUF): China’s ambassador to the U.S., Xie Feng, publicly called for renewed diplomacy and an end to the escalating trade war, warning that China is fully prepared to retaliate against additional U.S. tariffs. His remarks highlight the economic and geopolitical stakes as trade, technology, and national security tensions continue to mount between the two global powers.
Analyst Comments: As tariffs exceed 100% on both sides, the risk of broader retaliatory actions, including in cyber and technology sectors, grows. Beijing's language suggests it may use regulatory, economic, and possibly cyber tools to respond asymmetrically if provoked. This posture could influence supply chain security, digital trade frameworks, and cyber threat levels in critical sectors like semiconductors, logistics, and defense tech.
FROM THE MEDIA: Speaking in Washington, Xie emphasized the need for peaceful coexistence between the two nations, invoking traditional Chinese medicine to illustrate balance in global relations. He criticized U.S. protectionist policies, comparing them to 1930s tariffs that worsened the Great Depression. While Trump officials claimed “nice conversations” are ongoing, Beijing has stated that respect must precede negotiations. Meanwhile, other Asian economies, including Japan and Taiwan, are engaging with the U.S. to negotiate exemptions from the "Liberation Day" tariffs, while China remains firmly opposed.
READ THE STORY: Reuters
Chinese Smishing Kit Fuels Massive Toll Fraud Campaign Targeting U.S. Mobile Users
Bottom Line Up Front (BLUF): A large-scale smishing campaign using a Chinese-developed phishing kit is targeting toll road users across eight U.S. states. Victims receive SMS or iMessages posing as unpaid toll alerts, redirecting them to fake E-ZPass websites to steal personal and financial data. Researchers attribute the operation to multiple threat actors using tools created by a Chinese developer known as Wang Duo Yu.
Analyst Comments: With over 60,000 domains involved, the scale of this attack presents serious challenges for mobile OS-level defenses and telecom providers. The reuse and resale of phishing infrastructure also complicate attribution, enabling a broad ecosystem of financially motivated actors to participate. Expect continued abuse of mobile messaging platforms and increased demand for AI-driven detection tools at the telecom and endpoint level.
FROM THE MEDIA: The attack leverages a phishing kit created by Chinese developer Wang Duo Yu, sending fake toll alerts that redirect victims to credential-harvesting websites. Victims are tricked into solving CAPTCHAs before entering personal information and card data. The operation is connected to the “Smishing Triad,” an organized group previously known for impersonating postal services in over 100 countries. The phishing kits are also backdoored, sending stolen data to the operator and the kit creator — a tactic known as "double theft." Kits are sold via Telegram for as little as $50. Resecurity estimates that the attackers used over 60,000 domains to bypass detection and scale their campaign.
READ THE STORY: THN
DHL Suspends Global Shipments Over $800 to U.S. Amid Customs Crackdown
Bottom Line Up Front (BLUF): DHL Express will temporarily suspend all global business-to-consumer shipments valued over $800 to the United States due to recent U.S. customs regulatory changes. The decision follows a rule change that lowers the threshold for requiring formal entry processing from $2,500 to $800, significantly increasing administrative burdens and delays.
Analyst Comments: As trade routes tighten and customs scrutiny intensifies, logistics providers may reassess U.S. operations and pass rising compliance costs on to consumers. The situation also underscores the broader impact of geopolitical conflict on e-commerce, where customs policies may now serve as indirect economic weapons. Supply chain resilience planning should now account for sudden shifts in customs enforcement and cross-border thresholds.
FROM THE MEDIA: This action directly addresses a recent U.S. customs regulation change that mandates formal entry processing for lower-value packages. Previously, only packages above $2,500 required such procedures. While business-to-business shipments remain active, they may face delays. Shipments under $800 are unaffected. This follows similar tensions involving the Hong Kong Post, which accused the U.S. of “bullying” after tariff-free provisions for Hong Kong exports were revoked. DHL emphasized the suspension is temporary and promised to help customers adapt before further changes take effect on May 2.
READ THE STORY: Reuters
Chinese APT IronHusky Revives MysterySnail RAT in Targeted Attacks on Russia and Mongolia
Bottom Line Up Front (BLUF): Chinese advanced persistent threat (APT) group IronHusky has reemerged with a revamped version of the MysterySnail remote access trojan (RAT), targeting government entities in Russia and Mongolia. The new modular version exhibits enhanced persistence, stealth, and command capabilities, signaling renewed and potentially state-aligned cyberespionage activity.
Analyst Comments: IronHusky’s revival of MysterySnail highlights how APT groups continually iterate on dormant or abandoned malware to meet current operational goals. DLL sideloading and WebSocket-based command-and-control (C2) communication show an evolution in sophistication and stealth. Notably, targeting Russia — a rare move by a Chinese APT — may signal shifting intelligence priorities or inter-bloc surveillance within an uneasy strategic alliance. Defenders should treat MysterySnail as an active threat, especially in government and defense sectors, and bolster defenses against DLL injection and signed binary abuse.
FROM THE MEDIA: The malware was delivered via a malicious Microsoft Management Console (MMC) script disguised as a document from Mongolia’s land agency. Once opened, the script downloaded a ZIP archive containing a legitimate binary (CiscoCollabHost.exe) and a malicious DLL (CiscoSparkLauncher.dll) for DLL sideloading. The RAT supports over 40 commands, including file manipulation, process control, and network access. A lighter version named MysteryMonoSnail has also been observed, using WebSocket for C2 and supporting 13 core commands. The malware achieves persistence through services and encrypted payloads loaded via DLL hollowing.
READ THE STORY: HackRead
China Halts Rare Earth Exports, Deepening U.S.-China Trade War and Threatening Tech Supply Chains
Bottom Line Up Front (BLUF): China has suspended exports of rare earth elements, intensifying the ongoing trade war with the United States. The move jeopardizes global supply chains for critical industries like electric vehicles, defense, and high-tech manufacturing, triggering a surge in rare earth prices and escalating geopolitical tensions.
Analyst Comments: The U.S. reliance on Chinese-sourced dysprosium, terbium, and other rare earths highlights the urgent need for supply diversification and domestic mining initiatives. In the near term, expect elevated cyber and economic espionage activity as nations scramble to secure new sources. This crisis may also accelerate the reshoring of critical materials and the development of recycling programs or synthetic substitutes.
FROM THE MEDIA: The freeze affects critical minerals like dysprosium and terbium, essential for electric vehicles, missiles, and consumer electronics. With nearly 90% of rare earth production from China, global industries are bracing for material shortages. Ports in China are reportedly jammed with unshipped cargo, and inconsistent enforcement across regions has exacerbated delays. The Ministry of Commerce has not approved new export licenses, leaving companies in limbo. Prices have surged in response, with dysprosium oxide hitting $204/kg in Shanghai. Analysts view this as China’s calculated response to U.S. tariffs, leveraging rare earths as an economic pressure point.
READ THE STORY: Sustainability Times
Market Volatility Highlights Cyber and Economic Risk Under Erratic Policy Leadership
Bottom Line Up Front (BLUF): President Trump's unpredictable tariff decisions in early 2025 triggered significant volatility across financial and bond markets. While not a cybersecurity incident per se, the instability underscores how erratic political behavior can create systemic risk, sow confusion among institutional investors, and elevate the threat landscape for critical infrastructure and global economic resilience.
Analyst Comments: While traditionally outside the scope of cyber threats, market instability tied to policy mismanagement intersects with information warfare and national security. Conflicting and rapidly shifting announcements from the White House can serve as fertile ground for disinformation campaigns and financial market manipulation, both favored tools of state-sponsored threat actors. In this environment, even non-cyber policy moves can generate cyber risk by increasing uncertainty, disrupting corporate decision-making, and eroding trust in institutions. Security teams should monitor for a rise in fraud, phishing, or insider threats during such unstable windows.
FROM THE MEDIA: President Donald Trump's announcement of sweeping tariffs in April 2025, later rolled back, then reintroduced with modifications, caused the S&P 500 to fall by more than 10% in two days. Analysts and economists compared the scope and suddenness of the tariff plans to the infamous Smoot-Hawley Tariff Act of 1930. The bond market’s unusual reaction — selling off Treasuries and the U.S. dollar — signaled a deeper concern about governmental unpredictability. The FT’s Tim Harford compared Trump's behavior to “Mr Market,” a metaphor for volatile investor psychology, and warned of potential long-term damage to U.S. credibility and financial stability. Amid this backdrop, corporate investment decisions have stalled, adding to economic and operational uncertainty.
READ THE STORY: FT
Multi-Stage Malware Campaign Deploys Agent Tesla, Remcos RAT, and XLoader via .JSE and PowerShell
Bottom Line Up Front (BLUF): Security researchers at Palo Alto Networks have uncovered a multi-stage phishing campaign leveraging deceptive emails and complex scripting to deliver Agent Tesla, Remcos RAT, and XLoader malware. The attack utilizes .JSE (JavaScript Encoded) files and PowerShell scripts to evade detection and achieve persistent access on target systems.
Analyst Comments: By combining multiple scripting languages (.JSE, PowerShell, AutoIt, and .NET) and execution paths, attackers increase the resilience of their payloads against security tools. Such layered approaches are especially concerning as they complicate forensic analysis, enabling prolonged data exfiltration or surveillance. Organizations should reevaluate their endpoint detection strategies and focus on detecting behavioral anomalies rather than static indicators.
FROM THE MEDIA: The campaign's archives deployed .JSE files, which downloaded and executed PowerShell scripts from remote servers. These scripts decoded embedded payloads, eventually leading to malware execution through .NET or AutoIt-compiled droppers. Depending on the execution path, the malware was injected into legitimate Windows processes such as RegAsm.exe or RegSvcs.exe, avoiding detection. Agent Tesla, XLoader, and Remcos RAT have previously been used for keylogging, credential theft, and remote access in espionage and financially motivated attacks. Palo Alto’s Unit 42 noted that the attackers preferred stacking simple executable stages to create a robust and evasive malware chain.
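The two Windows delivery chains described in this digest, MysterySnail's MMC-script lure with CiscoCollabHost.exe sideloading CiscoSparkLauncher.dll (the IronHusky item above) and the .JSE → PowerShell → RegAsm.exe/RegSvcs.exe chain (this item), share one hunting approach: walk the process tree and image-load telemetry and look for the parent-child and load relationships the reports describe. The following is an added example, not code from either report or vendor; the Sysmon-style event records, file paths, PIDs and lure file names are constructed for illustration.

```python
"""Hunt for the MysterySnail (MMC lure + DLL sideload) and .JSE -> PowerShell
-> RegAsm/RegSvcs patterns in Sysmon-style process-create and image-load events.
Added example; SAMPLE_EVENTS is constructed, not telemetry from any incident."""
import ntpath

USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\public\\")
# Sideload pair named in the MysterySnail report: host binary -> malicious DLL name.
SIDELOAD_PAIRS = {"ciscocollabhost.exe": "ciscosparklauncher.dll"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # run .jse files
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe"}   # named as injection targets

def base(path):
    return ntpath.basename(path).lower()

def in_user_writable(text):
    return any(seg in text.lower() for seg in USER_WRITABLE)

def ancestors(pid, by_pid):
    """Yield process-create events for pid, its parent, grandparent, ..."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid]["ppid"]

def hunt(events):
    """Return (rule_name, detail) alerts for the patterns above."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    alerts = []
    for e in events:
        if e["type"] == "ImageLoad":
            host, dll = base(e["image"]), base(e["loaded"])
            # the known pair is only suspicious outside its install dir or unsigned
            if SIDELOAD_PAIRS.get(host) == dll and (in_user_writable(e["loaded"]) or not e["signed"]):
                alerts.append(("dll_sideload", f"{host} loaded {dll} from {ntpath.dirname(e['loaded'])}"))
            continue
        img, cmd = base(e["image"]), e["cmdline"].lower()
        if img == "mmc.exe" and ".msc" in cmd and in_user_writable(cmd):
            alerts.append(("mmc_script_lure", e["cmdline"]))
        if img == "powershell.exe":
            parent = by_pid.get(e["ppid"])
            if parent and base(parent["image"]) in SCRIPT_HOSTS and ".jse" in parent["cmdline"].lower():
                alerts.append(("jse_to_powershell", parent["cmdline"]))
        if img in INJECTION_HOSTS:
            chain = [base(a["image"]) for a in ancestors(e["ppid"], by_pid)]
            if "powershell.exe" in chain:   # RegAsm/RegSvcs descended from a script chain
                alerts.append(("regasm_from_script_chain", " <- ".join([img] + chain)))
    return alerts

# Constructed events: one lure chain of each kind plus a benign Cisco load.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 400, "ppid": 300, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "ProcessCreate", "pid": 410, "ppid": 400, "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'mmc.exe "C:\Users\u\AppData\Local\Temp\land_agency.msc"'},
    {"type": "ProcessCreate", "pid": 420, "ppid": 410, "image": r"C:\Users\u\AppData\Local\Temp\pkg\CiscoCollabHost.exe",
     "cmdline": "CiscoCollabHost.exe"},
    {"type": "ImageLoad", "pid": 420, "image": r"C:\Users\u\AppData\Local\Temp\pkg\CiscoCollabHost.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\pkg\CiscoSparkLauncher.dll", "signed": False},
    {"type": "ProcessCreate", "pid": 430, "ppid": 400, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\invoice.jse"'},
    {"type": "ProcessCreate", "pid": 431, "ppid": 430, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <constructed>"},
    {"type": "ProcessCreate", "pid": 432, "ppid": 431, "image": r"C:\Users\u\AppData\Local\Temp\stage.exe", "cmdline": "stage.exe"},
    {"type": "ProcessCreate", "pid": 433, "ppid": 432, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": "RegAsm.exe"},
    {"type": "ImageLoad", "pid": 500, "image": r"C:\Program Files\Cisco\CiscoCollabHost.exe",
     "loaded": r"C:\Program Files\Cisco\CiscoSparkLauncher.dll", "signed": True},
]
```

`hunt(SAMPLE_EVENTS)` raises four alerts, one per rule, and stays silent on the signed Program Files load, which is the false-positive case a naive name-only match would trip on.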
READ THE STORY: THN
Items of interest
OpenAI, Startups Accelerate AI Coding Tools in Race to Reshape Software Industry
Bottom Line Up Front (BLUF): OpenAI, Anthropic, Google, and other AI leaders are rolling out advanced models designed for code generation, marking a significant shift in the software development landscape. OpenAI's latest releases, including GPT-4.1 and Codex CLI, signal a competitive push to automate programming tasks at scale, while startups like Reflection AI and Cursor draw significant venture capital.
Analyst Comments: AI-powered code generation is quickly becoming one of the most commercially viable applications of large language models (LLMs). With some models now solving over 69% of benchmark coding problems, the role of software developers is evolving from coding line-by-line to guiding and validating AI output. The proliferation of tools like Codex CLI and Claude Code could lower barriers to entry in software development, democratize innovation, and simultaneously threaten legacy coding roles. However, success hinges on AI’s ability to produce reliable, secure, context-aware code in real-world applications.
FROM THE MEDIA: Benchmark data shows significant gains in problem-solving, with SWE-bench results jumping from 4.4% in 2023 to over 69% this year. Anthropic’s Claude Code, Meta’s Code Llama, and startups like Reflection AI and Anysphere also push the frontier. GitHub research notes 92% of U.S. developers already use AI coding tools, which are significantly cutting development costs and timelines. Industry leaders argue that developers will transition into orchestration and systems integration roles rather than becoming obsolete.
READ THE STORY: FT
Will AI replace programmers? (Video)
FROM THE MEDIA: ThePrimeagen (aka Michael Paulson) is a programmer who has educated, entertained, and inspired millions of people to build software and have fun doing it.
Will AI replace programmers? The BRUTAL truth (Video)
FROM THE MEDIA: Is it still worth learning coding even with the threat of artificial intelligence, AI, taking all our jobs? Or is AI or Large Language Models (LLMs) all hype and fear-mongering? I talk about the possibility of AI replacing the jobs of software developers, and my answer might surprise you. I talk about what AI can and can’t do regarding software development. There’s also evidence that software engineering is projected to grow in demand over the next decade, and I’ll walk through strategies on how to future-proof your career if you want to learn to code and become a software engineer.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.