Wednesday, Apr 30, 2025 // (IG): BB // GITHUB // SN R&D
Earth Kurma APT Hits Southeast Asian Governments and Telecoms with Cloud-Backed Espionage Campaign
Bottom Line Up Front (BLUF): Trend Micro has revealed that the Earth Kurma APT group is actively targeting Southeast Asian government and telecommunications sectors using advanced rootkits, custom malware, and cloud services like Dropbox and OneDrive. The cyberespionage campaign has remained undetected for years, enabling persistent data exfiltration and network compromise.
Analyst Comments: Earth Kurma’s operations highlight a growing trend among APT groups: using public cloud services to bypass detection and move exfiltrated data unnoticed. Their use of rootkits like KRNRAT and MORIYA suggests a deliberate strategy to maintain long-term access while evading conventional endpoint security. While connections to known APT groups like ToddyCat and Operation TunnelSnake exist, Earth Kurma’s distinct toolset and operations warrant its independent classification. The campaign also reflects a persistent vulnerability in Southeast Asia’s cybersecurity posture, particularly in governmental and telecom infrastructure, raising regional and international security concerns.
FROM THE MEDIA: The campaign primarily targets government and telecommunications sectors in countries like the Philippines, Vietnam, and Malaysia. Earth Kurma uses stealthy, cloud-based data exfiltration methods and deploys rootkits and custom loaders (e.g., TESDAT, DMLOADER) to gain persistent access. Tools such as SIMPOBOXSPY, KRNRAT, and MORIYA are used to collect and transmit sensitive documents (.pdf, .docx, .xlsx, etc.) to cloud storage platforms. Although similar tools have been observed in campaigns attributed to ToddyCat and Operation TunnelSnake, Trend Micro concluded that Earth Kurma operates as a distinct group due to differences in post-exploitation behavior and tool usage.
READ THE STORY: Industrial
Meta Unveils LlamaFirewall to Defend AI Systems from Jailbreaks and Code Vulnerabilities
Bottom Line Up Front (BLUF): Meta has launched LlamaFirewall, an open-source security framework designed to defend AI systems against prompt injections, jailbreaks, and unsafe code generation. The modular architecture includes PromptGuard 2 for real-time prompt filtering, Agent Alignment Checks for reasoning validation, and CodeShield for secure code analysis.
Analyst Comments: By tackling common attack vectors like prompt injections and unsafe code, LlamaFirewall positions itself as a crucial tool for AI system hardening. Adding tools like AutoPatchBench to evaluate LLM-driven patching also highlights industry trends toward automating vulnerability management. As AI systems are increasingly integrated into critical infrastructure and enterprise workflows, frameworks like this could become a new baseline for trustworthy AI deployment. However, their effectiveness will depend heavily on continued open collaboration and third-party validation.
FROM THE MEDIA: Meta announced the release of LlamaFirewall, a new AI security framework to mitigate known vulnerabilities in large language model (LLM) deployments. The framework includes PromptGuard 2 to stop prompt injection and jailbreak attempts, Agent Alignment Checks to detect goal manipulation in autonomous agents, and CodeShield to block insecure code outputs. Meta also released CyberSecEval 4, which now features AutoPatchBench, a benchmark for testing LLMs' ability to fix C/C++ bugs found via fuzzing. The Llama for Defenders program was also introduced to support AI developers in tackling real-world abuse, including fraud and phishing. The move follows broader concerns over the safety of emerging AI systems and signals Meta’s commitment to building more resilient AI ecosystems.
READ THE STORY: THN
Iran Claims to Thwart Major Cyberattack Targeting National Infrastructure
Bottom Line Up Front (BLUF): Iranian officials report successfully stopping a “widespread and complex” cyberattack aimed at the country's critical infrastructure, according to a statement from the head of Iran's Telecommunication Infrastructure Company. While the source and full scope of the incident remain undisclosed, it marks another high-profile cyber incident against Iran in recent years.
Analyst Comments: The claim aligns with a pattern of escalating cyber hostilities in the Middle East, where Iran is both a frequent target and a known actor. This incident follows previous attacks, such as the 2023 petrol station breach linked to the group 'Predatory Sparrow,' which Tehran attributes to Israel. As tensions rise across the region, critical infrastructure will remain a prime target for politically motivated cyber operations, often timed alongside or in response to physical or diplomatic crises.
FROM THE MEDIA: Iran’s Telecommunication Infrastructure Company announced via the IRGC-linked Tasnim News Agency that it had identified and neutralized one of the most complex cyberattacks against its infrastructure. The attack reportedly occurred the day prior and was mitigated by national cybersecurity teams. Officials described the assault as widespread, but have not provided technical specifics or identified the perpetrators. The announcement comes shortly after a deadly explosion at Iran’s Shahid Rajaei port, though no connection has been publicly drawn. Iran has previously attributed high-impact infrastructure attacks to foreign adversaries, most notably Israel, further heightening regional cyber conflict dynamics.
READ THE STORY: TechRadar
Chinese-Made Electric Vehicles Raise Espionage Fears Among UK Defense Contractors
Bottom Line Up Front (BLUF): UK defense firms have reportedly warned staff not to connect mobile devices to Chinese-manufactured electric vehicles (EVs) over concerns they could be used for espionage. Security experts note that modern EVs, with their extensive sensors and connectivity, could potentially be repurposed as surveillance tools.
Analyst Comments: Electric vehicles represent a new frontier in cyber-espionage due to their increasing integration of sensors, connectivity features, and mobile app integrations. While there's no direct evidence of Chinese EVs being used for spying, the risk stems from China’s 2017 National Intelligence Law, which mandates corporate cooperation with state intelligence. These vehicles could become passive data collection platforms, especially when paired with mobile devices. As state-backed surveillance evolves beyond traditional endpoints, critical sectors should reevaluate supply chain trust and establish clear guidelines for interactions with foreign technology platforms, particularly those capable of persistent data exfiltration.
FROM THE MEDIA: Several British defense firms advised employees to avoid connecting work phones to Chinese-made EVs like those produced by BYD and XPeng. Concerns center around over-the-air update capabilities, onboard sensors, and Bluetooth/mobile data synchronization that could expose sensitive personal or professional information. Experts like Rafe Pilling (Secureworks) and Joseph Jarnecki (RUSI) noted that EVs have the hardware to act as surveillance devices, and users rarely consider the data they leave behind, especially in rental vehicles. Although the UK Ministry of Defence has no centralized ban, individual organizations may enforce stricter site-level policies. Chinese manufacturers insist they comply with UK and EU privacy laws, but scrutiny continues as geopolitical tensions reshape the cybersecurity landscape.
READ THE STORY: The Guardian
Germany Reassesses Critical Infrastructure Security Amid Rising Hybrid Threats
Bottom Line Up Front (BLUF): In light of the recent massive blackout in Spain and Portugal and ongoing cyber incidents, Germany is intensifying efforts to secure its critical infrastructure. Authorities claim large-scale outages are unlikely due to grid redundancies, but recent cyberattacks against government portals and increasing threats to underwater cables highlight persistent vulnerabilities.
Analyst Comments: Germany's reassurances about the resilience of its power grid contrast sharply with the rising frequency and complexity of attacks targeting European critical infrastructure. With 80% of Germany's vital infrastructure owned by private entities, coordination and cybersecurity standardization remain key challenges. The proposed €500 billion infrastructure fund and plans to bolster the Federal Office for Information Security (BSI) are timely but must be backed by enforceable regulations. As hybrid threats—including cyber sabotage and disinformation—expand, integrating EU-wide defenses like the Single Intelligence Analysis Capacity (SIAC) and ProtectEU project may become indispensable for long-term resilience.
FROM THE MEDIA: Following a widespread power outage across the Iberian Peninsula, German media and officials addressed concerns about the country’s vulnerability to similar disruptions. The Federal Network Agency reassured the public that Germany's redundant grid makes a national blackout unlikely. However, recent cyberattacks—including one on Berlin's e-government portal—underscore a broader trend of rising hybrid threats targeting both public and private sectors. The German government is reviving plans to legislate enhanced critical infrastructure protection, previously shelved amid political instability. The CDU-SPD-led coalition aims to tighten supply chain controls, expand the BSI's role, and promote EU-wide threat intelligence sharing under the ProtectEU initiative.
READ THE STORY: DW
SentinelOne Confirms Chinese Espionage Group 'PurpleHaze' Targeted Its Infrastructure and Clients
Bottom Line Up Front (BLUF): SentinelOne has revealed that a Chinese-linked threat actor, dubbed PurpleHaze, attempted reconnaissance against its infrastructure and high-profile clients. The group appears tied to APT15 and has used advanced tools like Go-based malware, ShadowPad, and operational relay box networks across multiple espionage campaigns.
Analyst Comments: This disclosure signals a troubling trend of nation-state actors directly targeting cybersecurity vendors, reflecting how threat groups seek to undermine the tools designed to detect and stop them. PurpleHaze's association with APT15 and its use of modular backdoors and obfuscation techniques like ScatterBrain suggest sophisticated tradecraft. The overlap with past intrusions and the use of commercial EDR testing services further demonstrates the convergence of espionage and cybercrime ecosystems. Defensive vendors must now reckon with being primary targets, not just protectors, of cyber operations.
FROM THE MEDIA: The group first surfaced during an intrusion against a logistics provider tied to SentinelOne in 2024. PurpleHaze is linked to APT15, a long-standing Chinese espionage actor, and was also observed targeting a South Asian government entity using GoReShell malware and ShadowPad backdoors. These tools enabled reverse SSH connections and strategic intelligence collection, often via N-day vulnerabilities in enterprise-grade devices. SentinelOne also detected over 1,000 job applications from fake North Korean-aligned personas and noted ransomware groups like Nitrogen using spoofed resellers to test against EDR tools, highlighting the persistent and multi-pronged nature of threats targeting cybersecurity companies.
READ THE STORY: THN
FBI Warns: China Integrating AI Across Cyberattack Lifecycle to Target U.S. Infrastructure
Bottom Line Up Front (BLUF): FBI Deputy Assistant Director Cynthia Kaiser warned at RSAC 2025 that Chinese state-sponsored hackers use artificial intelligence at every stage of the cyberattack chain, particularly to accelerate initial access and reconnaissance. The integration of AI is helping adversaries infiltrate U.S. critical infrastructure faster and remain undetected longer.
Analyst Comments: China's use of AI in cyber operations signals a maturation of their capabilities, blending automation with human-led espionage for greater impact. By enhancing social engineering, reconnaissance, and lateral movement with AI, China increases the effectiveness and stealth of its intrusions. The FBI’s acknowledgment that AI enables network mapping and deepfake-driven financial scams adds urgency to the call for more robust defenses. As federal resources shrink, the gap between offense and defense may widen, creating an environment where attackers have an asymmetric advantage.
FROM THE MEDIA: FBI official Cynthia Kaiser outlined how China-backed cyber crews leverage AI to refine attack planning, network infiltration, and persistence. Recent campaigns such as Volt Typhoon and Salt Typhoon illustrate Beijing’s quiet but deep access into U.S. systems via legacy and unpatched infrastructure. AI is reportedly being used to automate spear-phishing, create fake business identities, and facilitate reconnaissance inside compromised networks. While these tools haven’t yet enabled fully autonomous attacks, their utility in social engineering and surveillance already yields real-world consequences, including multimillion-dollar frauds via deepfakes. Kaiser emphasized that the FBI's cyber response remains steady despite budget cuts, but the threat landscape is evolving rapidly.
READ THE STORY: The Register
France Blames Russian APT28 Hackers for Targeting a Dozen National Entities Since 2021
Bottom Line Up Front (BLUF): France has publicly attributed a series of twelve cyberattacks on its government, defense, and research sectors to the Russian state-backed APT28 hacking group. The campaigns, dating back to 2021, focused on espionage and intelligence collection, utilizing phishing, compromised email servers, and low-cost infrastructure.
Analyst Comments: APT28's persistent focus on institutions tied to defense, diplomacy, and economic strategy indicates a long-term effort to undermine Western policy coordination and security. Using cheap, outsourced infrastructure suggests a high-volume, low-attribution strategy that remains effective despite international condemnation. Expect more NATO and EU cybersecurity alignment as such campaigns continue to target critical European assets.
FROM THE MEDIA: Targets included ministries, defense firms, research bodies, and think tanks. A report from France's ANSSI highlighted APT28's use of Roundcube email server exploits, phishing via free web services, and rented or temporary infrastructure to obscure attribution. The hackers’ recent operations, particularly in 2024, focused on intelligence collection from European and transatlantic diplomatic and research entities. The announcement follows similar warnings from Poland and NATO, reinforcing concerns over Russian hybrid warfare in cyberspace.
READ THE STORY: BleepingComputer
China-Linked Hackers Breach Guatemala’s Foreign Ministry, Says U.S. Embassy
Bottom Line Up Front (BLUF): China-based cyber espionage groups have breached Guatemala’s Foreign Ministry systems, according to the U.S. Embassy in Guatemala. The intrusion was discovered during a joint cybersecurity review with U.S. Southern Command and Guatemalan authorities.
Analyst Comments: Beijing's targeting of diplomatic and government institutions may be part of a broader effort to collect intelligence on political alignments, trade negotiations, and regional stability. The lack of an immediate response from Guatemala or China underscores the diplomatic sensitivity and potential geopolitical fallout. As digital infrastructure becomes a new front in great-power competition, nations like Guatemala may increasingly be caught in the crossfire of state-sponsored cyber conflict.
FROM THE MEDIA: The U.S. Embassy in Guatemala publicly confirmed that China-based cyber threat actors had infiltrated the systems of Guatemala’s Ministry of Foreign Affairs. The breach was detected during a collaborative cybersecurity audit involving the U.S. Southern Command. Although specific technical details and the scope of the compromise were not released, the disclosure adds to the growing list of state-sponsored attacks attributed to China. This revelation arrives amid escalating global scrutiny of Beijing’s digital espionage activities, particularly those targeting diplomatic, commercial, and government entities. Guatemala and China have not yet issued official statements regarding the allegations.
READ THE STORY: Arise
AI Safety Under Fire: New Jailbreaks and Security Flaws Plague Leading GenAI Systems
Bottom Line Up Front (BLUF): Recent research has identified multiple jailbreak methods and security weaknesses across top generative AI models, including those from OpenAI, Anthropic, Google, Meta, and Microsoft. These vulnerabilities allow bypassing safety guardrails and can lead to the generation of malicious content, insecure code, or unauthorized data access.
Analyst Comments: Jailbreak techniques like Inception and Policy Puppetry reflect how easily attackers can sidestep built-in protections, while new tool-poisoning strategies exploiting the Model Context Protocol (MCP) raise red flags about AI agent security. As generative AI is rapidly integrated into enterprise and personal applications, attackers are poised to exploit these weaknesses at scale. Without stronger testing frameworks and transparent model release practices, organizations risk adopting models that may unintentionally aid cyber threats or leak sensitive data.
FROM THE MEDIA: CERT/CC warned about “Inception” and prompt misdirection tactics that allow users to coax models into generating unsafe content. Other attack vectors include the Context Compliance Attack, Policy Puppetry, and Memory INJection Attack (MINJA), which all manipulate model behavior through crafted inputs or memory manipulation. A new threat vector involves the Model Context Protocol, where malicious servers can inject covert instructions into tool descriptions, compromising AI agents like Claude or Cursor. The same report flagged unsafe default coding outputs and noted GPT-4.1’s increased tendency to misalign with safety expectations, sparking industry debate about whether AI development is outpacing responsible security practices.
READ THE STORY: THN
Volt Typhoon Marks a Turning Point in U.S. Cybersecurity Weakness and China's Strategic Cyber Posture
Bottom Line Up Front (BLUF): China has overtaken Russia as the foremost cyber threat to the United States, according to retired Rear Admiral Mark Montgomery at the 2025 RSA Conference. He emphasized that Chinese operations like Volt Typhoon are directly targeting U.S. critical infrastructure and warned that America's largely private infrastructure and limited cyber workforce are dangerously unprepared.
Analyst Comments: The acknowledgment that China is engaged in espionage and pre-positioning for potential wartime disruption marks a significant escalation. Montgomery's calls for activating the National Guard for cyber defense and mandating corporate accountability suggest a growing urgency to nationalize cyber readiness. Unaddressed vulnerabilities in the U.S. private sector could be exploited to paralyze the nation during a geopolitical crisis like a conflict over Taiwan.
FROM THE MEDIA: The operation was confirmed by Chinese officials to the Biden administration in late 2024. Montgomery highlighted a concerning disparity in cyber force development: the U.S. cyber offensive workforce has grown marginally since 2015, while China's has expanded tenfold. He stressed that critical U.S. infrastructure remains largely private—about 82-86%—and is under-secured, unlike military installations. He warned that cyberattacks could erode American public confidence during a future crisis, such as Chinese action against Taiwan, disrupting essential services like power, finance, and water. Montgomery urged immediate recruitment boosts, including through the National Guard, and proposed adding cybersecurity requirements to corporate accountability laws like Sarbanes-Oxley.
READ THE STORY: The Register
RSAC 2025: Empathy in Cyber Leadership Key to Combating Burnout and Boosting Security Resilience
Bottom Line Up Front (BLUF): At RSAC 2025, Apogee Global CEO and former FBI agent MK Palmore called for a fundamental shift from mission-centric to people-centric leadership in cybersecurity. He argued that empathetic leadership reduces burnout, improves retention, and enhances organizational resilience, especially in today’s complex AI- and threat-driven landscape.
Analyst Comments: Palmore’s emphasis on empathetic leadership as a strategic advantage is timely, as organizations grapple with chronic burnout and high turnover among cybersecurity professionals. In an environment dominated by geopolitical instability and rapid AI adoption, leaders who invest in human development, not just technical KPIs, are more likely to retain talent, foster innovation, and build adaptable, high-performing teams. This marks a potential culture shift from short-term technical output to long-term organizational security resilience.
FROM THE MEDIA: MK Palmore highlighted the damaging effects of combat-style leadership models prevalent in cybersecurity, which contribute to burnout and poor organizational cohesion. He called for companies to prioritize leadership development focused on transparency, empathy, and communication. Palmore warned that without clear direction and human-centric guidance, employees often default to worst-case thinking during uncertain times, leading to reduced productivity and increased risk. Empathetic leadership, he noted, creates a competitive edge by improving morale, retention, and innovation. The session, titled “Why Aren’t We Building Leaders in the Technology Space?”, emphasized that the most enduring legacy of a leader is their impact on others, not their technical deliverables.
READ THE STORY: DR
China-Aligned Hackers Target Uyghur Exiles with Trojanized Language Software in Sophisticated Espionage Campaign
Bottom Line Up Front (BLUF): A state-aligned cyber espionage campaign has compromised members of the World Uyghur Congress using a backdoored version of UyghurEditPP, a trusted open-source Uyghur language editor. The malware, linked to Chinese threat actor tactics, was designed to conduct surveillance and maintain persistent access to infected systems.
Analyst Comments: The campaign highlights how threat actors exploit trust in community-specific software to deliver customized malware. Using culturally resonant infrastructure and sophisticated persistence mechanisms reflects a growing trend of deeply targeted, stealthy surveillance operations. As such campaigns intensify, there is an urgent need for platform accountability and stronger protections for vulnerable diaspora communities.
FROM THE MEDIA: Once installed, the software operated normally but secretly deployed a backdoor named GheyretDetector.exe, which maintained persistence via a scheduled task. The malware collected system and user data, transmitting it to command-and-control servers with culturally significant domain names. Analysts noted the infrastructure, hosted on Choopa LLC's network and using forged Microsoft TLS certificates, mirrored previous operations attributed to China. Although no definitive attribution was made, researchers cited close parallels to past campaigns against Uyghur, Tibetan, and Hong Kong dissident communities.
READ THE STORY: GBhackers
Maritime Infrastructure at Risk: New Tactics and Technologies Emerge to Counter Undersea Threats
Bottom Line Up Front (BLUF): Protecting maritime infrastructure, such as naval bases, undersea cables, and pipelines, is becoming an urgent security concern for NATO members amid rising threats from stealthy undersea operations. Innovations in unmanned vehicles, sonar detection systems, and hybrid surveillance networks are being deployed to counter these hard-to-detect threats, particularly in shallow and acoustically cluttered waters.
Analyst Comments: The underwater battlespace is becoming the next frontier for hybrid warfare, as adversaries increasingly exploit gaps in surveillance and attribution. Extra-large unmanned underwater vehicles (XLUUVs) and midget submarines pose asymmetric threats by operating in stealth modes that evade conventional anti-submarine warfare (ASW) systems. Civilian vessels, often used in grey-zone operations, further complicate response strategies. Forward-looking navies are turning to unmanned surface vehicles (USVs), layered sonar networks, and distributed acoustic sensing to monitor and deter sabotage. However, many experts argue that current defensive deployments are insufficient given the scale and accessibility of critical undersea assets.
FROM THE MEDIA: Dense commercial traffic and shallow waters, especially in regions like the Baltic Sea, provide cover for covert underwater operations targeting undersea cables and ports. Emerging threats include long-range XLUUVs and midget submarines delivering sabotage or surveillance equipment. To combat this, navies increasingly turn to integrated systems like Intruder Detection Sonar (IDS), passive acoustic monitoring, and unmanned surface vehicles outfitted for detection and deterrence. While technological advances offer promise, gaps remain, especially in expansive Exclusive Economic Zones (EEZs) where persistent surveillance is cost-prohibitive. There is growing advocacy for pairing mobile USV patrols with fixed sensor masts and integrating naval personnel with maritime traffic control to detect irregular civilian vessel behavior in grey-zone threats.
READ THE STORY: Navy Lookout
Items of interest
CISA Reforms Under Fire as DHS Promises a 'More Responsive' Cybersecurity Strategy
Bottom Line Up Front (BLUF): Homeland Security Secretary Kristi Noem defended controversial reforms to the Cybersecurity and Infrastructure Security Agency (CISA), framing recent cuts and structural changes as a pivot toward efficiency and mission focus. Despite pushback from cybersecurity experts, Noem stated that future reforms will prioritize operational security over disinformation mitigation.
Analyst Comments: The downsizing and restructuring of CISA under the Trump administration has sparked concern across the cybersecurity community, particularly as the agency plays a critical role in protecting national infrastructure. While Noem emphasized a shift back to core cybersecurity tasks, the dissolution of advisory councils and threat-hunting tools, combined with paused support for the CVE Program, raises alarms about long-term capability erosion. The departure of key Secure by Design architects further clouds the direction of CISA’s future. Balancing political mandates with national cyber resilience will be a defining test for DHS leadership in the months ahead.
FROM THE MEDIA: This comes amid widespread criticism over staffing reductions, dissolution of advisory groups, and administrative leave for disinformation-focused teams. The GOP-led reforms stem from accusations of political bias in CISA’s prior efforts to counter online misinformation. Noem acknowledged the backlash but insisted on a reorientation that prioritizes product security and accountability. She also revealed that approximately $10 million had been “saved” from the restructuring process and that further cybersecurity priorities will be outlined in Trump’s upcoming federal budget.
READ THE STORY: NextGov
CISA is at Risk (Video)
FROM THE MEDIA: The downsizing and restructuring of CISA under the Trump administration has sparked concern across the cybersecurity community, particularly as the agency plays a critical role in protecting national infrastructure.
'Do You See A Continued Role For CISA?': Bennie Thompson Presses Panel Over Cyber Security Needs (Video)
FROM THE MEDIA: During a House Homeland Security Committee hearing, Rep. Bennie Thompson (D-MS) questioned witnesses about the Cybersecurity & Infrastructure Security Agency.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.