Friday, May 02, 2025 // (IG): BB // GITHUB // SN R&D
China-Linked APT TheWizards Exploits IPv6 SLAAC in New Spellbinder AitM Attacks
NOTE:
TheWizards' use of Spellbinder reflects a strategic investment in exploiting under-monitored IPv6 infrastructure, particularly SLAAC-based vectoring, to maintain stealth and continuity in cyber operations. What sets this campaign apart is the overlap between advanced APT tooling and open-source research within Chinese-language GitHub accounts. Repositories such as suddensix (1) and security_w1k1 (2) reveal an ecosystem where SLAAC spoofing, MITM frameworks, and DNS hijacking are actively developed and shared. Although generic, these public tools mirror Spellbinder’s core functions—namely, router advertisement injection, packet capture, and malicious redirection—suggesting that China’s offensive cyber capabilities draw directly from internal contractor networks and broader domestic infosec communities. This convergence supports the notion of civil-military fusion, with open research reinforcing state-aligned intrusion workflows. (1 // 2)
Bottom Line Up Front (BLUF): Chinese APT group TheWizards has been observed using a custom lateral movement tool named Spellbinder to conduct adversary-in-the-middle (AitM) attacks via IPv6 SLAAC spoofing. These operations are part of a sophisticated campaign targeting software update mechanisms of popular Chinese applications to distribute the WizardNet backdoor.
Analyst Comments: TheWizards’ focus on Chinese software ecosystems — particularly update mechanisms — allows them to blend attacks with legitimate operations and avoid detection. Their use of modular implants like WizardNet and strategic domain spoofing indicates a high level of operational maturity. The involvement of Chinese contractor UPSEC in supplying related malware (DarkNights/DarkNimbus) suggests a deepening integration between commercial suppliers and offensive state-linked operations. Organizations in affected regions, especially those using Chinese apps, should audit update channels and monitor DNS anomalies.
FROM THE MEDIA: Spellbinder exploits IPv6 SLAAC by spoofing router advertisements and manipulating DNS queries. In one case, it redirected update requests for Tencent QQ to an attacker-controlled server, serving a trojanized update that dropped WizardNet, a modular .NET backdoor. Other targeted Chinese apps include Baidu, Youku, Xiaomi, and Qihoo 360. The toolset also leverages WinPcap to sniff and manipulate packets and is deployed via DLL sideloading and in-memory shellcode. This campaign extends a trend of Chinese actors targeting software update mechanisms, a tactic previously seen in Blackwood and PlushDaemon operations.
READ THE STORY: THN
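For defenders looking at the SLAAC angle described above, the following Python is an added illustration (it is not code from the story or from the Spellbinder tooling): it builds a constructed IPv6 Router Advertisement carrying an RDNSS option, parses the ICMPv6 header and ND options, and flags any RA whose source MAC or advertised DNS resolver is not on an allowlist. The MAC addresses and IPv6 prefixes are made-up sample values.

```python
"""Triage IPv6 Router Advertisements for rogue routers and DNS redirection.

A SLAAC-spoofing AitM tool announces itself as a router and can push its own
DNS server via the RDNSS option (RFC 8106). This script parses raw ICMPv6 RA
payloads and reports ones that do not match the expected router/resolver set.
All packets below are constructed in-line; nothing is captured from a network.
"""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
ND_OPT_SOURCE_LLADDR = 1   # RFC 4861 Source Link-layer Address option
ND_OPT_RDNSS = 25          # RFC 8106 Recursive DNS Server option

# Constructed allowlist for a hypothetical segment (sample values, not real).
TRUSTED_ROUTER_MACS = {"00:11:22:33:44:55"}
TRUSTED_RESOLVERS = {"2001:db8::53"}


def build_router_advertisement(source_mac: str, resolvers: list[str], lifetime: int = 1800) -> bytes:
    """Construct an ICMPv6 RA (checksum left 0) with SLLA and optional RDNSS options."""
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, lifetime, 0, 0)
    slla = bytes([ND_OPT_SOURCE_LLADDR, 1]) + bytes.fromhex(source_mac.replace(":", ""))
    rdnss = b""
    if resolvers:
        addrs = b"".join(ipaddress.IPv6Address(r).packed for r in resolvers)
        # Option length is in 8-byte units: 8-byte header + 16 bytes per address.
        rdnss = bytes([ND_OPT_RDNSS, 1 + 2 * len(resolvers)]) + b"\x00\x00" + struct.pack("!I", lifetime) + addrs
    return hdr + slla + rdnss


def parse_router_advertisement(payload: bytes) -> dict:
    """Parse the 16-byte RA header and walk the ND options that follow it."""
    if len(payload) < 16:
        raise ValueError("ICMPv6 payload too short for a Router Advertisement")
    icmp_type, _code, _csum, _hop, _flags, router_lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError(f"not a Router Advertisement (ICMPv6 type {icmp_type})")
    ra = {"router_lifetime": router_lifetime, "source_mac": None, "rdnss": [], "rdnss_lifetime": None}
    offset = 16
    while offset + 2 <= len(payload):
        opt_type, opt_units = payload[offset], payload[offset + 1]
        if opt_units == 0:
            raise ValueError("zero-length ND option")  # RFC 4861: must be discarded
        opt_len = opt_units * 8
        if offset + opt_len > len(payload):
            raise ValueError("truncated ND option")
        body = payload[offset + 2 : offset + opt_len]
        if opt_type == ND_OPT_SOURCE_LLADDR and len(body) >= 6:
            ra["source_mac"] = body[:6].hex(":")
        elif opt_type == ND_OPT_RDNSS:
            # 2 reserved bytes, 4-byte lifetime, then one or more 16-byte addresses.
            ra["rdnss_lifetime"] = struct.unpack("!I", body[2:6])[0]
            addrs = body[6:]
            for i in range(0, len(addrs) - 15, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(addrs[i : i + 16])))
        offset += opt_len
    return ra


def check_router_advertisement(ra: dict, trusted_macs=TRUSTED_ROUTER_MACS, trusted_resolvers=TRUSTED_RESOLVERS) -> list[str]:
    """Return human-readable findings; an empty list means the RA looks expected."""
    findings = []
    if ra["source_mac"] not in trusted_macs:
        findings.append(f"RA from unexpected router MAC {ra['source_mac']}")
    for resolver in ra["rdnss"]:
        if resolver not in trusted_resolvers:
            findings.append(f"RDNSS pushes untrusted resolver {resolver}")
    return findings


if __name__ == "__main__":
    samples = {
        "legit": build_router_advertisement("00:11:22:33:44:55", ["2001:db8::53"]),
        "rogue": build_router_advertisement("de:ad:be:ef:00:01", ["2001:db8:bad::1"]),
    }
    for name, pkt in samples.items():
        print(name, check_router_advertisement(parse_router_advertisement(pkt)) or "ok")
```

In production the equivalent control is RA Guard (RFC 6105) on access switches; this script is for triage of already-captured ICMPv6 traffic.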
CIA Publishes Chinese-Language Recruitment Videos to Solicit Insider Leaks
NOTE:
China’s Ministry of State Security (MSS) is likely to counter the CIA’s recruitment videos through a combination of digital censorship, counter-propaganda, and internal security crackdowns. The Chinese government can quickly suppress the videos on domestic internet platforms using the Great Firewall, ensuring they do not reach their intended audience within the country. Simultaneously, the MSS may amplify narratives portraying the videos as foreign psychological operations aimed at destabilizing China, reinforcing nationalistic sentiment, and loyalty to the Communist Party. Internally, authorities may conduct intensified loyalty checks, government and military personnel surveillance, and launch campaigns warning against foreign espionage. These efforts are designed to deter potential informants and demonstrate the high personal risks of cooperating with foreign intelligence services.
Bottom Line Up Front (BLUF): The CIA has publicly released two Chinese-language videos encouraging Chinese government officials to leak sensitive information. The videos were posted to the agency's verified social media accounts and direct viewers to the CIA’s official dark web contact page for secure communication.
Analyst Comments: The agency is attempting to exploit discontent within the Chinese Communist Party (CCP) amid political purges by using native-language media and emotionally resonant narratives. These efforts follow successful Russian-language campaigns and signal the CIA’s ongoing commitment to recruiting assets from authoritarian adversaries. China’s muted response so far suggests it may be evaluating its internal vulnerabilities before launching a public counter-narrative.
FROM THE MEDIA: The CIA released two short Chinese-language videos on its official YouTube, Twitter (X), and Instagram accounts. The dramatized videos portray fictional Chinese officials who grow disillusioned with the CCP and contact the CIA using secure digital tools. The clips conclude with the CIA’s logo and instructions for accessing a dark web portal. A CIA official confirmed to Reuters and ABC News that the videos are part of a broader human intelligence campaign to gather information on Chinese military, cyber, economic, and political activities. The agency previously conducted similar public campaigns targeting Russia, Iran, and North Korea. The Chinese government has not formally responded to this specific campaign, though past reactions have characterized such efforts as “disinformation” and hostile propaganda.
READ THE STORY: SCMP
China Activates 'Minors Mode' to Control Online Content for Under-18s
Bottom Line Up Front (BLUF): China has officially launched “Minors Mode,” a state-mandated system restricting online content accessible to users under 18. The initiative, driven by the Cyberspace Administration of China (CAC), ensures that youth are only exposed to state-approved, “wholesome” and socialist-aligned material.
Analyst Comments: This rollout signals China’s intensifying grip on digital content under the guise of youth protection and national ideological security. While marketed as a child safety measure, Minors Mode reinforces digital authoritarianism and could serve as a model for broader content control. The centralized integration across smartphones and online platforms reveals the extent of state influence over private tech companies. Over time, this could expand surveillance and behavioral profiling of young citizens, reinforcing ideological conformity from an early age.
FROM THE MEDIA: The system categorizes online material by age group and enforces limits on screen time, content type, and behavioral nudges like break reminders. Companies including Xiaomi, Honor, and vivo preload the feature on new phones, while Huawei, OPPO, and ZTE will roll it out via software updates. Major content platforms, from short video providers to e-commerce sites, have also agreed to restrict and tailor content for young users, aligning with “core socialist values.” Parents can activate the mode with a single tap and monitor usage statistics. While some Western platforms offer similar safety tools, China’s system is compulsory, centralized, and ideologically driven.
READ THE STORY: The Register
Raytheon and Nightwing Settle for $8.4M Over Failure to Meet Federal Cybersecurity Standards
Bottom Line Up Front (BLUF): Raytheon and its former division, Nightwing Group, have agreed to pay $8.4 million to resolve allegations of violating cybersecurity requirements under a U.S. Department of Defense contract. The case stems from Raytheon's CODEX division's use of a non-compliant network that housed non-classified defense information and lacked a required system security plan.
Analyst Comments: The lack of a system security plan and failure to meet NIST standards highlight persistent gaps in the defense industrial base’s adherence to minimum cyber hygiene. With whistleblower incentives in place, organizations should anticipate greater scrutiny of internal practices and be proactive in closing compliance gaps. More broadly, this case signals to all federal contractors that cyber lapses—especially those involving controlled but unclassified information—will face legal and financial consequences.
FROM THE MEDIA: Raytheon and Nightwing Group agreed to a joint $8.4 million settlement with the U.S. government over allegations of cybersecurity noncompliance tied to a Department of Defense contract. Between 2015 and 2021, Raytheon’s CODEX division reportedly used a network that failed to meet National Institute of Standards and Technology (NIST) cybersecurity guidelines. Although the company disclosed the issue to federal clients in 2020, it could not implement a compliant system security plan during the timeframe. The case was initiated under the False Claims Act by a whistleblower, a former Raytheon engineering director, who will receive over $1.5 million from the settlement. Nightwing, spun off from Raytheon in 2024, was also named in the complaint.
READ THE STORY: The Record
SSC Cyber Expo Spotlights China as Most Persistent Space-Cyber Threat
Bottom Line Up Front (BLUF): At the 7th annual Space Systems Command (SSC) Cyber Expo, held April 22–23, 2025, U.S. Space Force officials and cyber experts identified China as the most active and persistent cyber threat to U.S. space systems and critical infrastructure. The event brought together military, commercial, and academic stakeholders to address the growing vulnerabilities across space and cyber domains.
Analyst Comments: The Expo underscored how cyberspace is now inseparable from space operations, with threats from China, Russia, Iran, and North Korea targeting U.S. systems at every stage—from design to orbit. China's cyber apparatus, reportedly employing over 150,000 operatives, has become a sophisticated and well-resourced machine capable of persistent intrusion. As space becomes more militarized, adversaries are exploiting supply chains, launching lateral movement attacks, and integrating AI tools to increase stealth and efficiency. The U.S. must harden both its technical posture and workforce pipeline to stay competitive in this "fifth domain" of warfare.
FROM THE MEDIA: Held at Los Angeles Air Force Base, the SSC Cyber Expo attracted over 400 attendees from Space Systems Command, Space Operations Command, STARCOM, and the private sector. Cyber intelligence analyst Mike Schripsema highlighted China’s cyber threat to space systems, noting its persistent targeting of command-and-control systems and critical infrastructure via credential theft, LOTL techniques, and supply chain infiltration. Keynote speaker Alex Stamos emphasized China's scale—over 150,000 cyber operatives working directly or indirectly for the state—and its capacity to execute real-world intrusions at scale. Officials stressed that most current space systems were not designed with cybersecurity in mind and called for a life-cycle approach to protection. The event also showcased AI’s dual-use role in both cyber offense and defense, while a “Cyber Petting Zoo” and Capture-the-Flag event engaged attendees with hands-on tools and scenarios.
READ THE STORY: Spaceforce
Chery Deploys DeepSeek-Powered AIMOGA Humanoid Robots as Showroom Sales Staff
Bottom Line Up Front (BLUF): Chinese automaker Chery has begun deploying humanoid robots, powered by DeepSeek AI, to serve as multilingual sales staff in its showrooms. The robots, dubbed AIMOGA, can walk, speak 10 languages, and perform human-like movements using advanced sensor arrays and motion libraries.
Analyst Comments: While the use of DeepSeek AI positions China as a major player in applied generative AI, it also raises broader questions about labor displacement, gendered design choices, and the data governance implications of interactive retail AI systems. As AI-enhanced robotics gains commercial traction, expect increased scrutiny over regulatory standards, especially regarding biometric data collection and AI transparency in consumer-facing roles.
FROM THE MEDIA: These robots, powered by AI models from DeepSeek, feature 41 degrees of motion freedom, multilingual capabilities, and dynamic path planning. AIMOGA robots are designed with silicone “bionic” faces and human-like proportions and are engineered to enhance customer interaction by simulating natural gestures and conversational responses. Videos of AIMOGA show the robots describing vehicle features in showrooms and performing increasingly fluid physical tasks. While Chery is promoting the move as a leap in AI-powered retail, critics have noted the stereotypical aesthetic design of the robots, which resemble conventionally attractive women.
READ THE STORY: The Register
DarkWatchman and Sheriff Malware Campaigns Strike Russia and Ukraine with Stealth and Precision
Bottom Line Up Front (BLUF): Two distinct malware campaigns currently target Russia and Ukraine using advanced evasion techniques and modular espionage capabilities. The JavaScript-based DarkWatchman RAT is hitting Russian sectors via phishing, while the newly discovered Sheriff backdoor targets Ukraine’s defense sector, likely through a compromised national news portal.
Analyst Comments: DarkWatchman’s fileless structure and keylogging via C# allow for stealthy intrusions across high-value Russian industries. At the same time, Sheriff’s abuse of trusted infrastructure like ukr.net indicates an evolution in cyber deception and infrastructure staging. The overlap of Sheriff’s traits with known Turla and CloudWizard malware suggests shared tooling or attribution to a broader advanced persistent threat (APT) ecosystem. As automation and cloud-based exfiltration become the norm, defenders must focus on layered defense and behavioral anomaly detection to keep pace.
FROM THE MEDIA: DarkWatchman has resurfaced in waves since 2021 and is linked to the Hive0117 group. Phishing emails delivering password-protected archives remain the primary vector. In Ukraine, IBM identified Sheriff, a modular Windows backdoor hosted on the news portal ukr.net, targeting a defense-related entity. Sheriff collects screenshots, executes commands, and exfiltrates data via Dropbox, with self-deletion capabilities to maintain stealth. The campaign aligns with broader Russian strategies combining espionage, sabotage, and supply chain infiltration. Ukraine's SSSCIP reported a 48% increase in cyber incidents during the second half of 2024, reflecting intensifying digital pressure amid the ongoing conflict.
READ THE STORY: THN
Tesla Model 3 VCSEC Vulnerability (CVE-2025-2082) Allows Remote Code Execution via TPMS
Bottom Line Up Front (BLUF): A critical vulnerability in Tesla’s Model 3 vehicle security controller (VCSEC) allowed attackers to execute arbitrary code via the Tire Pressure Monitoring System (TPMS). Disclosed at Pwn2Own 2025 and tracked as CVE-2025-2082, the flaw was patched by Tesla in firmware update 2024.14.
Analyst Comments: While the flaw required proximity, it bypassed authentication and allowed access to the CAN bus, opening pathways to tamper with critical vehicle functions. As automotive software becomes more connected and complex, manufacturers must prioritize vulnerability disclosure pipelines and implement proactive firmware security hardening. The incident also serves as a wake-up call for broader supply chain and protocol-level scrutiny in connected vehicles.
FROM THE MEDIA: At the 2025 Pwn2Own competition, cybersecurity firm Synacktiv revealed a high-severity vulnerability (CVE-2025-2082) in Tesla Model 3’s VCSEC module. The flaw originated from an integer overflow triggered via manipulated certificate responses through the TPMS interface. Successful exploitation allowed attackers within Bluetooth or Wi-Fi range to gain unauthorized control over the CAN bus, enabling potential manipulation of core vehicle functions including braking and acceleration. No authentication was required. Tesla issued a silent fix via firmware version 2024.14 in October 2024. While no known exploits occurred in the wild, researchers emphasized the severity of remote vehicle control risks. Owners are advised to ensure their firmware is updated to at least version 2024.14.
READ THE STORY: GBhackers
Critical Viasat Satellite Modem Vulnerability Enables Remote Code Execution via SNORE Interface
Bottom Line Up Front (BLUF): A high-severity vulnerability (CVE-2024-6198) in Viasat satellite modems allows unauthenticated remote code execution via a buffer overflow in the SNORE web interface. Multiple widely used models are affected, placing communications in energy, maritime, and defense sectors at risk.
Analyst Comments: Weak input validation in exposed management interfaces and the lack of memory safety mitigations like stack canaries or CFI (Control Flow Integrity) leave essential devices open to exploitation. Although Viasat has issued patches via OTA updates, the decentralized nature of satellite modem deployment makes comprehensive remediation difficult. Organizations must urgently assess patch compliance and bolster perimeter defenses against ROP-based attacks.
FROM THE MEDIA: Security researchers at ONEKEY identified CVE-2024-6198, a stack buffer overflow flaw in the SNORE web interface of Viasat satellite modems, which permits attackers to hijack execution flow using return-oriented programming (ROP) chains. The issue resides in the index.cgi binary that handles administrative HTTP requests and affects modems including RM4100, RM4200, RM5110, RG1000, and EG1000 across firmware versions ≤4.3.0.1. The flaw enables unauthenticated attackers on the LAN to execute arbitrary commands. Viasat has addressed the vulnerability in firmware versions 3.8.0.4 and 4.3.0.2, respectively. Customers are urged to verify update status, audit device logs for suspicious activity on ports 3030 and 9882, and isolate vulnerable systems. The risk is heightened by the role of these modems in critical communications infrastructure, including defense applications.
READ THE STORY: Cyber Security News
Unpatched Netgear EX6200 Vulnerabilities Expose Millions to Remote Access and Data Theft
Bottom Line Up Front (BLUF): Security researchers have uncovered three critical vulnerabilities in Netgear’s EX6200 Wi-Fi extender (firmware version 1.0.3.94), allowing remote attackers to execute arbitrary code and steal data. Netgear has not yet responded to the reported flaws (CVE-2025-4148, -4149, -4150), leaving devices exposed.
Analyst Comments: The EX6200's widespread use in home and small business environments makes it an attractive target for botnet operators and espionage campaigns. These flaws exemplify how embedded device vulnerabilities can provide attackers with persistent footholds for lateral movement or data exfiltration. Organizations should consider proactive network segmentation, disable remote access features, and plan for device replacement if no patch is issued soon.
FROM THE MEDIA: Researchers have identified three buffer overflow vulnerabilities in the Netgear EX6200 extender that allow remote attackers to execute code or steal sensitive data by exploiting unsafe functions in the SNORE web interface. All flaws scored 8.8 on the CVSS v3.1 scale and are triggered through maliciously crafted requests that cause memory corruption. Despite early disclosure, Netgear has not released a patch. Recommended mitigations include disabling remote management, monitoring for unusual activity, and segmenting vulnerable devices. Without a fix, users remain exposed to code execution, credential theft, or inclusion in botnets.
READ THE STORY: GBhackers
SonicWall Confirms Active Exploitation of Critical Flaws in SMA 100 Series Devices
Bottom Line Up Front (BLUF): SonicWall has confirmed that two high-severity vulnerabilities (CVE-2023-44221 and CVE-2024-38475) affecting its SMA 100 Series appliances are actively exploited in the wild. Although patches were issued in December 2023 and December 2024 respectively, the company urges customers to verify system integrity and check for unauthorized access.
Analyst Comments: While SonicWall quickly patched both flaws, the revelation of active exploitation months later suggests gaps in customer patch adoption or delayed threat detection. Given the history of SonicWall vulnerabilities being leveraged in high-profile campaigns, organizations using SMA appliances should treat this alert as a high priority and assess exposure immediately. These developments also raise renewed concerns about the security of edge-access and VPN technologies in hybrid environments.
FROM THE MEDIA: CVE-2023-44221 enables OS command injection via improper input neutralization, while CVE-2024-38475 leverages a flaw in Apache mod_rewrite to manipulate file paths. Both flaws allow attackers with authenticated access to escalate privileges or hijack sessions. While SonicWall did not disclose details about threat actors or the scale of exploitation, it warned that CVE-2024-38475 could enable attackers to gain unauthorized access to specific files and hijack sessions. Affected products include SMA 200/210/400/410/500v models. These disclosures follow the addition of CVE-2021-20035 to CISA’s Known Exploited Vulnerabilities catalog earlier this month.
READ THE STORY: THN
Apple Alerts Users in 100 Countries to Targeted Spyware Attacks Linked to Mercenary Surveillance
Bottom Line Up Front (BLUF): Apple has issued threat notifications to users in over 100 countries warning them of targeted spyware attacks. Victims include journalists and political commentators, such as Italian reporter Ciro Pellegrino and Dutch pundit Eva Vlaardingerbroek, raising concerns over the global spread of mercenary-grade surveillance tools.
Analyst Comments: The widespread nature and selective targeting of these attacks underscore the increasing accessibility and geopolitical use of commercial spyware. While Apple refrained from naming the spyware or its operators, past incidents involving Paragon spyware and targeting of critics of Italian PM Giorgia Meloni suggest a political dimension. These campaigns highlight the need for stronger regulations and transparency around private surveillance vendors. As mobile devices continue to serve as personal data hubs, the covert nature of these attacks, where no user interaction is required, makes timely platform-level defense and user awareness essential.
FROM THE MEDIA: Italian journalist Ciro Pellegrino, who previously reported on fascist ties in PM Meloni’s party, publicly disclosed receiving the alert and linked it to earlier reports of Paragon spyware attacks. Dutch commentator Eva Vlaardingerbroek also confirmed receiving a notification. Though Apple did not name the specific spyware used, the company noted in an April 23 blog that these notifications target the most advanced digital threats and are part of a broader campaign to warn high-risk individuals. Apple has notified users in more than 150 countries since launching the program in 2021. The company emphasized that mercenary spyware vendors with state-level customers typically carry out these attacks.
READ THE STORY: The Record
Items of interest
Chinese Nuclear Firms Exploit UK Patent System Despite US Sanctions
Bottom Line Up Front (BLUF): Chinese state-owned nuclear firms sanctioned by the US are using the UK Intellectual Property Office to patent advanced reactor designs, including technologies with potential military and dual-use implications. The filings continue despite concerns over Beijing’s strategic influence on UK infrastructure and global technology ambitions.
Analyst Comments: While the US enforces strict export controls and blacklists, the UK remains open to foreign patent applications even from entities linked to national security risks. These filings serve both commercial and strategic purposes, allowing China to legitimize and protect technologies potentially relevant to nuclear weapons development. This underscores the need for more substantial alignment between IP governance and national security policy, especially given rising concerns over China’s cyber and industrial espionage activities.
FROM THE MEDIA: Despite being sanctioned by the US over alleged attempts to divert civilian nuclear technology to military use, Chinese firms, including China General Nuclear Power Corporation (CGN) and affiliated entities, have successfully filed nuclear technology patents in the UK. Recent applications include a 3D test system for simulating reactor core components and methodologies for evaluating plant safety. Critics argue this access stems from the UK’s Climate Change Act-driven reliance on Chinese investment in nuclear energy, such as the Hinkley Point C project. CGN previously held stakes in multiple UK nuclear initiatives but has since faced a rollback amid worsening geopolitical tensions. Experts warn that allowing such patenting creates potential security loopholes and cements Chinese influence over Western infrastructure planning.
READ THE STORY: Metro (UK)
CGN Mining - China's Uranium Producer (Video)
FROM THE MEDIA: Paul Ma of CGN Mining provides an overview of China's nuclear power campaign and recent contracts that CGN Mining signed with CGNP, China's largest utility.
What is China's Nuclear Policy? (Video)
FROM THE MEDIA: Nuclear expert Tong Zhao of the Carnegie Endowment for International Peace discusses China's approach to nuclear weapons, its expanding nuclear capabilities, and the potential impact on the U.S.-China security relationship.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.