Wednesday, Apr 23, 2025 // (IG): BB // GITHUB // SN R&D
China-Linked Billbug APT Breaches Multiple Government and Business Entities in Southeast Asia
Bottom Line Up Front (BLUF): The Chinese APT group Billbug has been linked to a cyber espionage campaign that compromised several high-profile organizations in a Southeast Asian country between August 2024 and February 2025. Targets included a government ministry, an air traffic control system, telecom operators, and a construction company.
Analyst Comments: Billbug’s sustained activity and use of custom and legitimate tools reflect a mature and stealthy APT capability. The group’s operations likely support Beijing’s broader objectives in asserting regional dominance, including over Taiwan and the South China Sea. As attribution improves and regional cooperation grows, more such campaigns may be exposed in the months ahead.
FROM THE MEDIA: Symantec researchers have identified the advanced persistent threat group Billbug—also known as Lotus Panda, Lotus Blossom, and Bronze Elgin—as responsible for breaching multiple key organizations in a single Southeast Asian nation. Active since at least 2009, Billbug targeted entities such as a government ministry, an air traffic control agency, a telecom provider, and a major construction firm from August 2024 through February 2025. The attackers used a mix of custom malware, including credential stealers, backdoors, and legitimate tools to mask their activities. One such tool manipulated file timestamps to hinder forensic analysis. Symantec confirmed the attribution to Billbug using evidence from Cisco Talos. The group previously gained attention for compromising a national certificate authority in Asia, allowing it to disguise malware as legitimate software.
READ THE STORY: The Record
Defense Secretary Pete Hegseth Under Scrutiny for Sharing Military Plans via Signal
Bottom Line Up Front (BLUF): U.S. Defense Secretary Pete Hegseth faces intense criticism after reports revealed he shared details about military operations, including strike plans in Yemen, over the encrypted messaging app Signal. The discussions included senior officials, family members, and even a journalist, raising alarms about the mishandling of sensitive national defense information. While Hegseth and the White House claim no classified material was shared, lawmakers and security experts have called for investigations.
Analyst Comments: Despite end-to-end encryption, Signal is not authorized for sensitive or classified defense communications. If the reports are accurate, Hegseth’s actions may have violated federal laws, including the Espionage Act and Federal Records Act. The political and legal fallout could deepen partisan divides over national security governance and potentially prompt tighter regulations on digital communication within the defense apparatus.
FROM THE MEDIA: Defense Secretary Pete Hegseth is under investigation for using Signal to discuss U.S. military operations, including two chats that revealed plans for strikes in Yemen. One chat included top officials like Vice President JD Vance and Secretary of State Marco Rubio, while another involved Hegseth’s wife, brother, and personal attorney. Although the administration insists no classified information was disclosed, critics argue the nature of the content—target details and weapon deployment—should have been confined to secure communication channels. Two aides, accused of leaking information, were dismissed last week. The Senate Armed Services Committee has called for the Pentagon’s inspector general to investigate. Meanwhile, cybersecurity experts caution that even encrypted apps like Signal are unsuitable for handling national defense information. Hegseth's use of such platforms could constitute legal violations under multiple statutes.
READ THE STORY: The Washington Post
Cloudflare Tunnel Abused to Deploy AsyncRAT in Complex Phishing Attacks
Bottom Line Up Front (BLUF): Hackers exploit Cloudflare Tunnel infrastructure to deliver remote access trojans (RATs), including AsyncRAT, through phishing campaigns, bypassing standard defenses. The campaign, observed since February 2024, uses multi-stage infection chains and sophisticated evasion techniques to gain persistence on victim systems.
Analyst Comments: Abusing tunneling services, layered scripting, and deceptive file types make detection and attribution more challenging for defenders. Organizations should consider this a warning to strengthen email gateway policies, enhance behavioral detection systems, and monitor outbound traffic to dynamic DNS and tunnel-based services.
FROM THE MEDIA: The attack begins with phishing emails that mimic business-related messages and carry “application/windows-library+xml” attachments. Once opened, a malicious LNK file initiates an HTML Application (HTA) file, which runs VBScript to set up Python and execute further payloads using PowerShell. This setup installs the RAT and ensures persistence through startup folder scripts while obscuring traces through file attribute changes and cleanup scripts. Detection of this campaign relies on behavioral rules that flag suspicious email attachments, PowerShell usage, and dynamic DNS contacts used for command-and-control communication. Indicators of compromise include multiple trycloudflare[.]com subdomains and malicious BAT scripts.
READ THE STORY: GBhackers
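The detection logic the story describes, as an added example that is not code from the original report or its authors: it triages constructed gateway and proxy log lines for the three behaviours named above (windows-library+xml attachments, contacts to trycloudflare.com subdomains, and dynamic DNS contacts). The log format, sample values and the dynamic-DNS apex list are assumptions made for this example, not indicators from the report.

```python
"""Triage constructed mail-gateway and proxy log lines for the AsyncRAT-via-
Cloudflare-Tunnel chain: library-ms attachments, tunnel subdomains, dynamic DNS.
Log format and all sample values are constructed for this example."""
import re
from dataclasses import dataclass

# Attachment MIME type named in the report (.library-ms files).
SUSPECT_MIME = {"application/windows-library+xml"}
# trycloudflare.com comes from the report; the dynamic-DNS apexes are assumed
# examples of providers commonly used for C2, not indicators from the report.
TUNNEL_APEX = {"trycloudflare.com"}
DYNDNS_APEX = {"duckdns.org", "no-ip.org", "ddns.net"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    rule: str
    timestamp: str
    subject: str   # recipient mailbox or source IP, depending on the rule
    detail: str


def parse_line(line):
    """Split '<ts> <kind> k=v k=v ...' into (ts, kind, fields); None on junk."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 3:
        return None
    ts, kind, rest = parts
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return ts, kind, fields


def matches_apex(host, apexes):
    """True only for the apex itself or a real subdomain (not 'evil-apex.com')."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in apexes)


def triage(lines):
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, kind, f = parsed
        if kind == "mail" and f.get("mime") in SUSPECT_MIME:
            findings.append(Finding("library-ms-attachment", ts,
                                    f.get("to", "?"), f.get("attachment", "?")))
        elif kind == "proxy":
            host = f.get("host", "")
            if matches_apex(host, TUNNEL_APEX):
                findings.append(Finding("cloudflare-tunnel-contact", ts,
                                        f.get("src", "?"), host))
            elif matches_apex(host, DYNDNS_APEX):
                findings.append(Finding("dynamic-dns-contact", ts,
                                        f.get("src", "?"), host))
    return findings


def sources_with_tunnel_and_dyndns(findings):
    """Hosts that reached both a tunnel and a dynamic-DNS domain: a stronger signal
    than either contact alone, since the chain above uses both for C2."""
    tunnel = {f.subject for f in findings if f.rule == "cloudflare-tunnel-contact"}
    dyn = {f.subject for f in findings if f.rule == "dynamic-dns-contact"}
    return sorted(tunnel & dyn)


# Constructed sample log; hosts, users and IPs are invented.
SAMPLE_LOG = [
    "2025-02-14T09:12:03Z mail from=billing@partner.test to=ap@corp.test "
    "attachment=Invoice_0214.library-ms mime=application/windows-library+xml",
    "2025-02-14T09:12:40Z mail from=hr@corp.test to=ap@corp.test "
    "attachment=policy.pdf mime=application/pdf",
    "2025-02-14T09:15:41Z proxy src=10.0.4.17 "
    "host=lamps-quiet-river-known.trycloudflare.com method=GET path=/",
    "2025-02-14T09:16:02Z proxy src=10.0.4.17 host=cdn.corp-updates.test "
    "method=GET path=/x",
    "2025-02-14T09:20:10Z proxy src=10.0.4.17 host=svc-telemetry.duckdns.org "
    "method=POST path=/hb",
    "2025-02-14T09:21:00Z proxy src=10.0.4.22 host=notes.ddns.net method=GET path=/",
    "garbage line",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"[{h.rule}] {h.timestamp} {h.subject}: {h.detail}")
    print("tunnel+dyndns sources:", sources_with_tunnel_and_dyndns(hits))
```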
Docker Malware Campaign Exploits Teneo Web3 Node to Harvest Crypto via Fake Heartbeat Signals
Bottom Line Up Front (BLUF): Darktrace and Cado Security have uncovered a novel malware campaign targeting Docker environments. Unlike traditional cryptojacking attacks using XMRig, this campaign abuses the Teneo Web3 infrastructure to earn cryptocurrency through fake heartbeat signals, exploiting a decentralized reward system rather than directly mining crypto.
Analyst Comments: By exploiting Teneo’s Community Node mechanism, the attackers avoid conventional detection methods and demonstrate adaptability in the cryptojacking landscape. This emerging model could become increasingly attractive as traditional miners are more aggressively flagged by security tools. It also highlights how decentralized platforms can be manipulated in low-resource, high-yield fraud schemes. Organizations using Docker should prioritize container security and monitor for unauthorized image pulls.
FROM THE MEDIA: The campaign begins with the launch of a malicious Docker image, kazutod/tene:ten, which has been downloaded over 300 times. Upon execution, the container unpacks an obfuscated Python script that connects to Teneo’s WebSocket API and sends periodic "keep-alive" signals to simulate activity. These fake heartbeat pings are rewarded with Teneo Points, convertible to $TENEO tokens, without performing actual social media scraping. Darktrace observed that this indirect monetization technique may help attackers bypass detection. The campaign mirrors earlier abuses of Docker for bandwidth-sharing schemes, such as using 9Hits Viewer software. The associated account remains active while the Docker image has since been removed. In parallel, Fortinet reported a separate botnet campaign—RustoBot—targeting IoT devices in Asia and Latin America, underscoring the growing exploitation of underprotected endpoints.
READ THE STORY: THN
Ransomware Attack on Baltimore Schools Exposes Data of Over 25,000 Individuals
Bottom Line Up Front (BLUF): Baltimore City Public Schools disclosed a ransomware attack from February 2025 that exposed sensitive personal data of thousands of students, teachers, and staff. Officials confirmed that approximately 25,000 individuals, including 1,150 students, were affected but emphasized that no ransom was paid and core school operations were not significantly disrupted.
Analyst Comments: The attack on Baltimore is part of a broader trend, with at least 75 school-related ransomware attacks recorded in 2025 alone. Using personal identifiers and sensitive student data raises concerns about long-term identity theft. It underscores the need for improved incident response, data protection strategies, and cyber hygiene practices across educational institutions.
FROM THE MEDIA: While no ransom was paid, the Cloak ransomware gang is suspected of being behind the attack. The breach affected about 55% of the school’s employees and less than 1.5% of the student population, estimated to be more than 1,150 students. Compromised data included Social Security numbers, driver’s licenses, and sensitive student records. The district offers two years of credit monitoring and has reset passwords, implemented endpoint detection, and engaged law enforcement and cybersecurity experts. This is the second major cyberattack on Baltimore’s school system, following a costly 2020 incident.
READ THE STORY: The Record
Pentagon Cyber Official Warns of Escalating Threats to Space and Defense Infrastructure
Bottom Line Up Front (BLUF): John Garstka, Director for Cyber Warfare at the U.S. Department of Defense, emphasized the growing danger of cyberattacks on critical infrastructure during remarks at Space Systems Command Cyber Expo 2025. He warned that adversaries, particularly China, are increasingly targeting the defense industrial base (DIB) and commercial infrastructure vital to military space systems. The DOD is focusing on life-cycle cybersecurity and enhancing collaboration with industry partners to strengthen national defense resilience.
Analyst Comments: Garstka's emphasis on defending ground infrastructure and industrial partners highlights a more holistic view of cybersecurity beyond isolated systems. The linkage of cyberattacks to production line shutdowns further reflects the urgent need for better integration of cybersecurity into supply chain and design processes. The call to close the funding gap for protective measures suggests future budget realignments or policy directives could prioritize cyber resilience.
FROM THE MEDIA: Speaking virtually at the Space Force’s Cyber Expo 2025, John Garstka outlined the real-world implications of cyber conflict on U.S. defense capabilities, warning that cyberattacks increasingly threaten the infrastructure that supports space missions. Garstka, a senior official in the Office of the Deputy Assistant Secretary of Defense, likened cyberspace to the fifth domain of warfare and emphasized that attacks on utilities or industrial partners could immobilize space systems by severing power or fuel supplies. He stressed the importance of risk assessments across the whole system lifecycle and warned that adversaries, particularly China, are already targeting the defense industrial base to disrupt production lines. Garstka urged closer DOD-industry collaboration and highlighted the need for clearly defined requirements and funding to secure next-generation systems.
READ THE STORY: Defense
Zambia’s New Cyber Laws Spark Surveillance and Censorship Fears
Bottom Line Up Front (BLUF): Zambia's recently enacted Cyber Security and Cyber Crime Acts have triggered intense backlash from legal, civil society, and international observers. Critics argue the laws give the executive excessive surveillance powers, including the ability to intercept all electronic communications, and risk being used to suppress dissent. The U.S. Embassy in Zambia has issued a warning, and Zambia's legal community is petitioning the courts to review the legislation.
Analyst Comments: The concentration of authority within the presidency and the vague definition of “critical information” raise red flags for potential misuse. Although the government claims protections are in place, critics see insufficient oversight and weak human rights safeguards. The evolving regulatory landscape in Africa highlights a tension between national security and digital rights that will continue to shape the future of cyber governance across the continent.
FROM THE MEDIA: The Law Association of Zambia (LAZ) is petitioning the country’s highest court to review the laws, citing fears of political abuse due to the broad surveillance provisions and the placement of the Zambia Cyber Security Agency under direct presidential control. The U.S. Embassy in Lusaka also issued an advisory, warning that the law mandates proactive interception of all digital communications. The Zambian government defended the legislation, claiming it includes privacy protections and oversight mechanisms. However, critics—including Free Press Initiative and CIPESA—warn that the laws could be exploited to curtail online expression and dissent, calling for greater checks and balances in Zambia's cybersecurity regime.
READ THE STORY: DR
Google Abandons Cookie Prompt in Chrome, Plans IP Protection for Incognito Mode
Bottom Line Up Front (BLUF): Google has announced it will not introduce a new standalone prompt for third-party cookies in Chrome. Instead, the company will focus on strengthening privacy protections in Incognito mode, including adding a new IP Protection feature to limit cross-site tracking.
Analyst Comments: Google's decision not to deprecate third-party cookies—or even introduce a new opt-out prompt—suggests caution amid regulatory scrutiny and economic reliance on targeted ads. While promising, the upcoming IP Protection feature is only applied in Incognito mode, limiting its broader privacy impact. As pressure mounts from regulators and privacy-conscious users, further changes to Chrome’s privacy framework could emerge as Google seeks to defend its dominant market position.
FROM THE MEDIA: Rather than seeing a new prompt, users will continue to manage cookie preferences through Chrome’s Privacy and Security Settings. The company cited conflicting feedback from advertisers, publishers, and regulators for halting the rollout. To enhance privacy, Chrome’s Incognito mode will soon include an IP Protection feature that masks users’ original IP addresses in third-party contexts, reducing tracking risks. This change aligns with Google’s broader Privacy Sandbox initiative, which is evolving to reflect the shifting regulatory and technological landscape. Unlike Safari and Firefox, which blocked third-party cookies by default years ago, Google’s staggered approach reflects its dual role as a platform provider and ad giant. The announcement also comes amid legal pressures, with U.S. regulators proposing structural remedies to reduce Google’s dominance in search and advertising markets.
READ THE STORY: THN
Google Abandons Privacy Sandbox as Chrome Keeps Third-Party Cookies
Bottom Line Up Front (BLUF): Google has officially ended its long-running plan to phase out third-party cookies in Chrome, marking a significant reversal in its Privacy Sandbox initiative. After years of development and regulatory scrutiny, Google will maintain the third-party cookie system, citing technological limitations, regulatory uncertainty, and competing industry interests. Critics warn this decision undermines privacy protections for billions of Chrome users.
Analyst Comments: The collapse of Google's Privacy Sandbox represents a significant concession to the advertising industry and regulators who accused Google of attempting to monopolize ad infrastructure under the guise of privacy. This retreat signals the complexity of reconciling privacy with ad revenue and the growing power of antitrust enforcement globally. While alternative privacy-preserving mechanisms like IP Protection may still roll out, the failure of Privacy Sandbox underscores the ongoing dominance of surveillance-based advertising and the industry's resistance to systemic change. Competing browsers like Safari and Firefox, which have long blocked third-party cookies by default, may now see increased adoption by privacy-conscious users.
FROM THE MEDIA: Originally launched in 2019, the Sandbox was meant to balance user privacy with the needs of advertisers. However, opposition from ad tech competitors and regulators, particularly in the UK, led to increasing compromises. In July 2024, Google shifted to an opt-in model, but by April 2025, it scrapped even that. The company will now keep third-party cookies in Chrome, though it will introduce limited privacy features like IP Protection in Incognito mode by Q3 2025. Reactions have been sharply critical: the Electronic Frontier Foundation condemned the decision as a betrayal of user privacy, while open web advocates claimed victory against what they saw as Google’s monopolistic ambitions. Google, meanwhile, framed the move as a response to evolving technological and regulatory landscapes.
READ THE STORY: The Register
Surge in ICS/OT Attacks Driven by Pro-Russian Hacktivists Marks 50% Spike in March
Bottom Line Up Front (BLUF): Cyble has revealed a significant 50% rise in cyberattacks targeting Industrial Control Systems (ICS) and Operational Technology (OT) during March 2025. Pro-Russian hacktivist groups, including NoName057(16), Hacktivist Sandworm, and others, are primarily responsible for this spike, shifting toward destructive tactics like ransomware and multi-vector campaigns aimed at critical infrastructure across NATO-aligned countries.
Analyst Comments: The escalation in ICS/OT targeting signals a strategic evolution in hacktivist behavior, blurring lines between politically motivated activism and cybercrime. The threat landscape has become more complex and potent with ransomware integrated into ideological attacks. Sectors such as energy, utilities, and telecommunications are particularly vulnerable, and the global dispersion of targets—from the U.S. to India—reflects the increasingly transnational nature of these threats. Governments and organizations must respond with layered defenses, incorporating threat intelligence, Zero Trust architectures, and hardened OT systems.
FROM THE MEDIA: Pro-Russian groups like NoName057(16), Z-pentest, and Sector 16 led the charge, deploying various disruptive tactics including ransomware, DDoS, and credential leaks. The report highlights that government, finance, telecommunications, and energy were the most targeted sectors. High-profile campaigns included a ransomware attack by Ukraine-aligned BO Team on a Russian defense manufacturer, encrypting 300TB of data. Other incidents involved large-scale data theft from Russian government systems and industrial networks. Notably, hacktivist tactics have become more technical, incorporating SQL injection, brute-force access, and exploitation of web vulnerabilities. Cyble concludes that the growing technical proficiency of these groups is making them increasingly resemble state-backed actors, intensifying cyber risks amid ongoing geopolitical conflicts.
READ THE STORY: Industrial Cyber
Fog Ransomware Gang Trolls Victims with Elon Musk-Inspired Demands
Bottom Line Up Front (BLUF): A ransomware campaign attributed to the relatively new Fog gang has emerged with a satirical twist, mimicking a directive from Elon Musk's Department of Government Efficiency (DOGE). Victims are pressured to submit five work accomplishments or pay a trillion-dollar ransom. Researchers believe the note is a deliberate jab at both victims and the U.S. government.
Analyst Comments: By parodying real-world government policies and personalities, ransomware gangs like Fog seek to demoralize and confuse victims while garnering media attention. The tactic also raises concerns about deeper ties between politically charged narratives and cybercrime. The inclusion of DOGE-related references and potential links to a former tech executive adds complexity, suggesting cybercriminals may be exploiting both current events and insider knowledge for social engineering leverage.
FROM THE MEDIA: Victims are mockingly instructed to submit a weekly summary of accomplishments or face a trillion-dollar ransom demand. The note references a real policy Musk implemented across federal departments under President Trump’s directive. The campaign may also allude to Edward Coristine, a DOGE staffer reportedly tied to past cybercrime support activities, including alleged services to a data leak site linked to the defunct EGodly group. While Fog’s exact origins remain unclear, the group targets both Windows and Linux environments. Indicators of compromise (IoCs) and technical details have been released by Trend Micro to assist in mitigation efforts. Meanwhile, speculation continues over Musk’s political future and DOGE's faltering performance in achieving its original reform promises.
READ THE STORY: The Register
Russian Bulletproof Host Proton66 Facilitates Global Malware Campaigns, Credential Theft, and Exploitation
Bottom Line Up Front (BLUF): A surge in malicious cyber activity has been traced to the Russian bulletproof hosting provider Proton66, whose infrastructure is being used for mass scanning, brute-force attacks, malware delivery, and phishing campaigns. Since January 2025, this threat has targeted victims globally with malware families like XWorm, StrelaStealer, SpyNote, GootLoader, and a new ransomware variant named WeaXor.
Analyst Comments: Proton66 exemplifies how bulletproof hosting providers remain critical enablers of cybercrime, offering resilient infrastructure for malware operators, phishing networks, and exploit delivery. The involvement of dormant or previously clean IPs complicates traditional blocklisting approaches, underscoring the need for behavior-based threat detection. The linkage to malware-as-a-service models (e.g., WeaXor ransomware, APK phishing redirects, and initial access brokers like Mora_001) suggests a professionalized and scalable cybercrime operation. Security teams must continuously monitor emerging IPs and domain associations tied to Proton66 and affiliated networks like Chang Way Technologies.
FROM THE MEDIA: Trustwave SpiderLabs identified a significant increase in malicious activity from IP addresses associated with the Russian bulletproof hosting provider Proton66. The attacks, active since early January, included mass scanning, credential brute-forcing, and exploitation of recent high-impact vulnerabilities such as CVE-2025-0108 (Palo Alto PAN-OS), CVE-2024-41713 (Mitel MiCollab), CVE-2024-10914 (D-Link NAS), and two Fortinet FortiOS flaws (CVE-2024-55591 and CVE-2025-24472). These Proton66-linked IPs have also been used to host and distribute multiple malware families, including XWorm, StrelaStealer, SpyNote, GootLoader, and a new ransomware variant known as WeaXor. Some campaigns employed compromised WordPress sites to redirect Android users, particularly in France, Spain, and Greece, to fake Google Play pages, delivering malicious APK files via obfuscated JavaScript. In other cases, Korean-speaking users were infected with XWorm through a multi-stage attack chain initiated by a malicious shortcut file and PowerShell commands. Meanwhile, phishing emails targeting German users deployed StrelaStealer, and WeaXor ransomware was observed communicating with command-and-control servers hosted within the Proton66 network. Trustwave noted that these operations align with malware-as-a-service and initial access broker activity, further emphasizing the growing threat of Proton66 infrastructure.
READ THE STORY: THN
SpaceX Dragon CRS-32 Docks at ISS with Crew Supplies, Delays Some Science Payloads
Bottom Line Up Front (BLUF): SpaceX’s CRS-32 cargo mission has successfully docked with the International Space Station, delivering essential crew supplies and select experiments. Due to delays with Northrop Grumman’s Cygnus NG-22, the Dragon manifest was altered, deferring several scientific payloads to future missions. Key equipment like ESA's Atomic Clock Ensemble in Space (ACES) was retained.
Analyst Comments: While the successful docking of CRS-32 reinforces SpaceX’s reliability as NASA's key logistics partner, the reshuffling of science payloads reveals the tight logistics margin aboard the ISS. The shift underscores how supply chain disruptions—even those stemming from other contractors—can impact the prioritization of experimental research. The deployment of ESA's ACES payload remains a significant win, enabling ultra-precise space-based timekeeping that could refine global navigation systems and deepen our understanding of relativity.
FROM THE MEDIA: The mission was reprioritized due to damage sustained by Northrop Grumman’s Cygnus NG-22, resulting in the deferral of several science payloads. NASA remained vague about the postponed items but confirmed that critical supplies, such as food and life-support consumables, were prioritized, including a humorous note that 1,262 tortillas were part of the manifest. One major experiment that made the trip was ESA’s ACES, a dual atomic clock system capable of losing only one second every 300 million years. Scheduled for installation on April 25 via the ISS’s robotic arm, ACES will enable cutting-edge research in time synchronization and fundamental physics. The cargo’s successful delivery ensures ISS crews remain well-supplied through summer, even if the next resupply mission (CRS-33) is delayed.
READ THE STORY: The Register
Dutch Intelligence Warns of Russian Cyber Sabotage Against Critical Infrastructure
Bottom Line Up Front (BLUF): The Dutch military intelligence agency MIVD has confirmed the first instance of a Russian cyber sabotage attack against Dutch critical infrastructure, marking an alarming escalation in hybrid threats. The agency reports a surge in hostile cyber operations targeting the Netherlands and European allies, aimed at mapping and disrupting vital systems like water, energy, and communications.
Analyst Comments: Using cyber as a pre-kinetic tool to gain footholds in infrastructure systems suggests preparation for broader geopolitical confrontations. The Netherlands' strategic importance to NATO and its vocal support for Ukraine make it a prime target for these campaigns. Similar activities have been reported across NATO countries, and this incident underscores the growing need for collective cyber defense initiatives and faster military-industrial scaling within Europe.
FROM THE MEDIA: While the direct impact was limited, one case involved compromising a control system, representing the first such attempt in the Netherlands. The report outlines a wider cyber mapping and espionage campaign, likely aimed at enabling future sabotage. Intelligence also revealed that Russia has used mobile phone vulnerabilities to locate Ukrainian military units, a tactic likely to be expanded. Russia’s broader offensive includes disinformation and hybrid attacks coordinated through a "whole-of-society" model involving state and private actors. Defense Minister Ruben Brekelmans emphasized the urgency to bolster NATO and Dutch defense capabilities, warning that Europe exists in a "gray zone between war and peace."
READ THE STORY: DevDiscourse // The Record
Hackers Weaponize Microsoft’s Mavinject.exe to Deliver Stealthy Malicious DLLs
Bottom Line Up Front (BLUF): Cybercriminals are leveraging Microsoft’s legitimate system utility, mavinject.exe, to inject malicious DLL payloads into trusted processes, allowing advanced persistent threat (APT) groups like Earth Preta and Lazarus Group to evade detection. This abuse of a signed executable underscores the challenges of distinguishing malicious use from legitimate activity.
Analyst Comments: The exploitation of mavinject.exe demonstrates a growing trend where attackers co-opt trusted tools (a tactic known as "living off the land") to avoid triggering security alerts. This technique enables malware to blend into regular system activity and persist undetected. Defenders must adapt by deploying behavioral detection techniques that monitor for suspicious process injection patterns rather than relying solely on static file signatures. Blocking mavinject.exe in non-App-V environments and monitoring its usage could be critical for stopping these attacks.
FROM THE MEDIA: Two notable groups using this technique are Earth Preta (Mustang Panda), a Chinese state-sponsored APT, and the North Korea-linked Lazarus Group. These actors initiate attacks via phishing emails that deliver deceptive attachments, triggering a chain of execution that ultimately uses mavinject.exe to load malware undetected. The process involves using Windows API calls such as OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread to manipulate the memory of legitimate processes and load malicious code. Security researchers recommend monitoring for unusual use of mavinject.exe, especially outside of Application Virtualization contexts, and adopting proactive defenses like endpoint detection rules and memory behavior analytics.
READ THE STORY: GBhackers
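One way to implement the recommended monitoring, as an added example that is not code from the original report: it rebuilds process lineage from constructed process-creation events and flags mavinject.exe launches whose parent is not the App-V client or whose ancestry passes through a mail client, Office application or script host (the phishing chain described above). The event schema and sample values are constructed; treating AppVClient.exe as the only legitimate launcher is an assumption that a real deployment would tune to its own App-V usage.

```python
"""Flag mavinject.exe executions outside an Application Virtualization (App-V)
context by walking process ancestry. Event schema and samples are constructed."""

# Assumed legitimate launcher of mavinject.exe in App-V deployments.
APPV_PARENTS = {"appvclient.exe"}
# Ancestors that should never sit above mavinject.exe: the phishing chain
# (mail client -> document -> script host) described in the report.
SUSPECT_ANCESTORS = {"outlook.exe", "winword.exe", "excel.exe", "mshta.exe",
                     "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Index process-creation events by pid (constructed schema: pid, ppid, image)."""
    return {e["pid"]: e for e in events}


def ancestry(tree, pid):
    """[self, parent, grandparent, ...] image names; stops at unknown pids or cycles."""
    chain, seen = [], set()
    cur = tree.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(basename(cur["image"]))
        cur = tree.get(cur["ppid"])
    return chain


def assess(events):
    """Return one alert per mavinject.exe launch that violates the App-V expectation."""
    tree = build_tree(events)
    alerts = []
    for e in events:
        if basename(e["image"]) != "mavinject.exe":
            continue
        chain = ancestry(tree, e["pid"])
        parent = chain[1] if len(chain) > 1 else None
        reasons = []
        if parent not in APPV_PARENTS:
            reasons.append(f"parent {parent!r} is not the App-V client")
        hit = SUSPECT_ANCESTORS.intersection(chain[1:])
        if hit:
            reasons.append("ancestor(s) " + ", ".join(sorted(hit)))
        if reasons:
            alerts.append({"pid": e["pid"], "user": e.get("user", "?"),
                           "chain": " <- ".join(chain), "reasons": reasons})
    return alerts


# Constructed sample events: one legitimate App-V launch, one phishing-style
# chain, and one orphaned launch whose parent was never observed.
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 4,    "image": r"C:\Windows\System32\services.exe",  "user": "SYSTEM"},
    {"pid": 2210, "ppid": 1200, "image": r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe", "user": "SYSTEM"},
    {"pid": 2310, "ppid": 2210, "image": r"C:\Windows\System32\mavinject.exe",  "user": "SYSTEM"},
    {"pid": 3010, "ppid": 1100, "image": r"C:\Windows\explorer.exe",            "user": "CORP\\jdoe"},
    {"pid": 3100, "ppid": 3010, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "user": "CORP\\jdoe"},
    {"pid": 3200, "ppid": 3100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "user": "CORP\\jdoe"},
    {"pid": 3300, "ppid": 3200, "image": r"C:\Windows\System32\cmd.exe",        "user": "CORP\\jdoe"},
    {"pid": 3400, "ppid": 3300, "image": r"C:\Windows\System32\mavinject.exe",  "user": "CORP\\jdoe"},
    {"pid": 3500, "ppid": 3900, "image": r"C:\Windows\SysWOW64\mavinject.exe",  "user": "CORP\\jdoe"},
]

if __name__ == "__main__":
    for a in assess(SAMPLE_EVENTS):
        print(f"pid {a['pid']} ({a['user']}): {a['chain']}")
        for r in a["reasons"]:
            print("   -", r)
```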
Items of interest
Putin Offers Ceasefire Along Current Front in Ukraine Amid U.S.-Led Peace Talks
Bottom Line Up Front (BLUF): Russian President Vladimir Putin has proposed halting military operations in Ukraine along current front lines, marking his first public indication of willingness to compromise on territorial ambitions. The U.S., under President Trump, is exploring a peace framework that includes recognizing Russian control over Crimea and potentially establishing a demilitarized zone monitored by a European peacekeeping force.
Analyst Comments: A strategic shift in Russia’s posture is likely motivated by battlefield stalemates, economic strain, and the opportunity to exploit a more favorable diplomatic environment under the Trump administration. However, any agreement that legitimizes Russian territorial gains—especially Crimea—would face strong resistance from Kyiv and potentially fracture Western unity. Putin may be testing Western resolve and using the ceasefire proposal to cement de facto gains without fully disengaging militarily. The potential withdrawal of U.S. involvement, should talks falter, would add urgency to the negotiations.
FROM THE MEDIA: Vladimir Putin offered to cease hostilities along the current battlefronts in Ukraine during a meeting with Trump’s envoy, Steve Witkoff, in early April 2025. Sources indicate Russia is prepared to relinquish claims to Ukrainian-held parts of four contested regions—Donetsk, Luhansk, Kherson, and Zaporizhzhia—while retaining control over occupied territory and seeking U.S. recognition of Crimea. The U.S. has floated terms involving a demilitarized zone, a European peacekeeping force, and mutual commitments not to retake territory by force. Ukrainian President Volodymyr Zelenskyy acknowledged ongoing discussions but denied receiving a formal proposal. U.S. Secretary of State Marco Rubio and Witkoff pulled out of a London summit on the proposal, while negotiations are set to continue in Moscow. Despite the Kremlin’s public overtures, European officials remain skeptical, warning that the proposal may be a tactic to pressure Kyiv into concessions that benefit Moscow.
READ THE STORY: FT
Putin declares unilateral Easter ceasefire in Ukraine (Video)
FROM THE MEDIA: President Putin has announced an “Easter truce” during which Russia will cease all “military operations” in Ukraine.
Truce as Putin orders sudden ceasefire in Ukraine - is it too good to be true? (Video)
FROM THE MEDIA: Today, after the unexpected announcement by Vladimir Putin of a 30-hour truce for Easter, we assess what it might mean for the war, how likely it is to hold, and discuss what comes next. Having rejected Donald Trump’s proposal for an unconditional ceasefire 39 days ago, what does Putin hope to gain by this latest gamble? Francis Dearnley and Dom Nicholls offer their thoughts.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.