Saturday, May 17, 2025 // (IG): BB // GITHUB // SN R&D
Denmark Navigates Cyber Tensions Amid China-Taiwan Dispute
Bottom Line Up Front (BLUF): Denmark's diplomatic engagement with China has been strained following a controversial visit by former Taiwanese President Tsai Ing-wen to Copenhagen, during which she criticized China for cyber aggression and expansionism. In response, Denmark reiterated its support for the one-China policy while emphasizing a pragmatic and balanced foreign policy approach.
Analyst Comments: Tsai’s appearance in Denmark and her public condemnation of China's cyber conduct have intensified geopolitical frictions, especially in cyberspace, where China has been frequently accused of conducting state-sponsored espionage. While Denmark seeks constructive engagement with Beijing, it also signals a subtle but growing discomfort with China’s cyber behavior. This incident may prompt Denmark to bolster its cybersecurity policies, especially in the public sector, and engage more deeply in EU-level cyber diplomacy initiatives to deter authoritarian digital threats.
FROM THE MEDIA: Tsai’s meetings with Danish lawmakers and remarks at a democracy summit — condemning China's military posture and cyber operations — were met with sharp criticism from Beijing. The Chinese embassy accused Denmark of undermining the one-China principle. Despite this, Denmark maintains informal ties with Taiwan and has signaled interest in pursuing open, pragmatic dialogue with China while acknowledging policy divergences. The visit also coincides with the 75th anniversary of Sino-Danish diplomatic relations.
READ THE STORY: Devdiscourse
Sen. Mark Warner Urges OPM to Maintain Identity Protections for 2015 Breach Victims
Bottom Line Up Front (BLUF): Senator Mark Warner (D-VA) has urged the Office of Personnel Management (OPM) not to terminate identity protection contracts set up after the 2015 data breach that compromised the sensitive data of 21.5 million individuals. These protections, established by federal law, were designed to shield victims from long-term risks from the breach, which was widely attributed to Chinese state-backed hackers.
Analyst Comments: Discontinuing these protections would leave millions of federal employees and their families vulnerable to ongoing exploitation, especially given that the breached data includes biometrics and health information, which is highly valuable on the dark web. Warner’s intervention reflects growing concern about federal cybersecurity budgeting under the Department of Government Efficiency (DOGE). As China remains a persistent threat actor, long-term cyber resilience requires sustained investment in identity protection and breach remediation efforts.
FROM THE MEDIA: Sen. Warner criticized DOGE’s cost-cutting plans that could end the identity monitoring services for victims of the 2015 OPM hack. The breach exposed Social Security numbers, fingerprints, and medical records, posing enduring risks. Warner emphasized the legal requirement for these services and expressed concern over leadership changes at OPM, especially amid the planned departure of Elon Musk from his advisory role in the Trump administration. Despite playing a key role in implementing DOGE’s budgetary reforms, OPM has not commented publicly on the matter.
READ THE STORY: The Record
Windows 10 KB5058379 Update Triggers BitLocker Recovery and System Boot Issue
Bottom Line Up Front (BLUF): Microsoft’s May 2025 update KB5058379 for Windows 10 is causing widespread issues in enterprise environments. The update pushes devices into Windows Recovery Mode and prompts for BitLocker recovery keys. It conflicts with virtualization-based security settings and Intel Trusted Execution Technology, particularly affecting systems deployed via SCCM and WSUS.
Analyst Comments: The forced recovery lockouts suggest a failure in compatibility testing with TPM and virtualization settings, which are common in managed enterprise deployments. IT administrators face mass recovery events and potential operational downtime without proactive BIOS configuration changes. Microsoft’s lack of official acknowledgment could hinder timely remediation, urging organizations to preemptively adjust firmware settings before applying the patch.
FROM THE MEDIA: Windows 10 update KB5058379 is forcing affected systems into Recovery Mode, displaying BitLocker key prompts. Most incidents occur in enterprise environments using Windows 10 21H2 LTSC and 22H2 Enterprise, especially on Dell, HP, and Lenovo systems. The update reportedly triggers false-positive alerts in TPM hardware validation, tied to virtualization security modules like Intel Trusted Execution Technology (TXT). Microsoft’s official documentation lists no known issues, though numerous administrators have confirmed disruptions on platforms like Reddit. Systems using Windows 11 appear unaffected. The problem can be resolved by disabling Intel TXT in BIOS before patch deployment, after which re-enabling it post-update causes no recurrence.
READ THE STORY: GBhackers
HTTPBot Botnet Unleashes Over 200 Precision DDoS Attacks on Gaming, Tech, and Education Sectors
NOTE:
NSFOCUS, a Beijing-based cybersecurity firm, regularly publishes detailed threat advisories and technical reports for the global cybersecurity community. These publications offer deep insights into emerging threats, malware behavior, and sophisticated attack techniques, such as their recent analysis of the HTTPBot botnet. While these contributions bolster collective cyber defense, they also reflect an element of China’s soft power strategy by projecting technical leadership, transparency, and influence in global cybersecurity discourse. Through public threat intelligence sharing, NSFOCUS not only aids defenders but subtly reinforces China's image as a responsible and capable cybersecurity actor on the world stage.
Bottom Line Up Front (BLUF): A new Windows-based botnet dubbed HTTPBot has launched over 200 targeted DDoS attacks since April 2025, primarily focusing on gaming platforms, technology companies, and educational institutions in China. The Golang-based malware uses advanced evasion tactics and high-fidelity HTTP traffic simulations to bypass traditional defenses.
Analyst Comments: Its modular design, stealth persistence mechanisms, and browser-mimicking behavior show how attackers adapt to increasingly sophisticated DDoS defenses. Given its targeting of Windows systems—a departure from typical IoT-based botnets—this variant could be particularly disruptive to enterprise environments relying on real-time digital services.
FROM THE MEDIA: NSFOCUS identified HTTPBot as an emerging DDoS botnet that has rapidly expanded its operations over the past several months. Initially detected in August 2024, HTTPBot uses HTTP-based flood techniques and dynamic obfuscation to evade rule-based detection systems. It targets Windows machines, leveraging unauthorized Windows Registry changes for persistence and concealing its GUI to avoid user detection. Its attack modules include BrowserAttack, HttpAutoAttack, WebSocketAttack, and HttpFpDlAttack, each designed to simulate legitimate web traffic while overloading server resources. The malware is particularly dangerous due to its precision targeting of web application endpoints, which marks a strategic pivot in DDoS methodology from volume to efficacy.
READ THE STORY: THN
Nucor Steel Threats to Industrial Infrastructure
Bottom Line Up Front (BLUF): Nucor Corporation, the largest steel manufacturer in North America, has halted production at several facilities following a significant cybersecurity incident detected in early May 2025. The company reported unauthorized access to IT systems and took multiple systems offline as a precaution. No customer or employee data was compromised, but operations remain partially disrupted as forensic investigations continue.
Analyst Comments: The strategic decision to halt production suggests a potential OT-level intrusion, likely requiring complex remediation. While the specific attack vector remains unknown, external experts and federal involvement indicate a high-impact event, possibly involving ransomware or a nation-state adversary. The disruption could ripple across supply chains, particularly in the automotive and construction sectors. Nucor’s experience may prompt wider reassessments of cyber risk management in heavy industry.
FROM THE MEDIA: Nucor Corporation disclosed the breach in a regulatory 8-K filing, describing unauthorized third-party access to IT systems that support production. The company activated its incident response plan, shut down specific systems, and brought in cybersecurity firms to contain the threat. The FBI and CISA are also involved in the ongoing investigation. Though production is resuming incrementally, analysts warn the breach could lead to long-term operational disruptions, compliance issues, and financial liabilities. The company has not detailed which facilities were affected or whether the attack impacted operational technology environments.
READ THE STORY: GBhackers
GitHub Action Supply Chain Attack Exposes Thousands of Secrets
Bottom Line Up Front (BLUF): A malicious commit to the popular GitHub Action tj-actions/changed-files triggered a supply chain attack affecting over 23,000 repositories. Tracked as CVE-2025-30066, the attack allowed remote access to CI/CD secrets such as AWS and RSA private keys through exposed action logs.
Analyst Comments: The attack's reach into the repositories of major organizations suggests extensive downstream impacts. As the software supply chain becomes more interconnected, real-time monitoring and automated dependency vetting are growing necessities. In response to this event, expect increased scrutiny and tooling focused on securing developer pipelines.
FROM THE MEDIA: StepSecurity disclosed a supply chain compromise in the GitHub Action tj-actions/changed-files, which is used in more than 23,000 repositories to automate CI/CD processes. The attacker inserted a malicious commit that exposed sensitive secrets through GitHub logs. The incident, designated CVE-2025-30066, enabled unauthorized access to AWS access keys, GitHub tokens, and private keys. Wiz Threat Research identified dozens of affected repositories, including those of large enterprises. Though the malicious code was quickly removed, experts like Jonathan Braley of IT-ISAC warn of lingering threats due to the widespread reuse of vulnerable packages in other software products.
READ THE STORY: CyberSecurityDive
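The compromise above reached consumers because workflows referenced the action by a mutable tag rather than an immutable commit SHA. The following is an added example (not code from the original story, StepSecurity, or the tj-actions project) that scans a workflow file for `uses:` references that are not pinned to a 40-character commit SHA and flags a watchlisted action; the sample workflow and the action names other than tj-actions/changed-files are constructed for illustration.

```python
"""Flag GitHub Actions `uses:` references that an upstream maintainer (or an
attacker with write access) can silently re-point.

A 40-hex commit SHA is immutable; a tag such as v45 or a branch name can be
moved to a different commit, which is how a malicious commit behind an
existing tag reaches every consuming repository at once.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample workflow for demonstration (not from any real repo);
# action names other than tj-actions/changed-files are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: some-org/unversioned-action
      - run: echo "${{ steps.changed.outputs.all_changed_files }}"
"""

# Matches `- uses: owner/repo@ref` (quotes optional, trailing comment ignored).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class UsesRef:
    line: int
    action: str
    ref: str
    kind: str  # one of: sha, mutable, unpinned, local, docker


def parse_uses(workflow_text: str) -> List[UsesRef]:
    """Extract every `uses:` reference and classify how it is pinned."""
    refs: List[UsesRef] = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./"):            # local composite action, same repo
            refs.append(UsesRef(lineno, spec, "", "local"))
        elif spec.startswith("docker://"):   # container image; pin by digest separately
            refs.append(UsesRef(lineno, spec, "", "docker"))
        else:
            action, _, ref = spec.partition("@")
            if not ref:
                kind = "unpinned"            # resolves to the default branch
            elif SHA_RE.match(ref):
                kind = "sha"                 # immutable
            else:
                kind = "mutable"             # tag or branch, can be re-pointed
            refs.append(UsesRef(lineno, action, ref, kind))
    return refs


def audit(workflow_text: str,
          watchlist: Tuple[str, ...] = ("tj-actions/changed-files",)) -> List[str]:
    """Return human-readable findings for mutable refs and watchlisted actions."""
    issues: List[str] = []
    for r in parse_uses(workflow_text):
        if r.kind in ("mutable", "unpinned"):
            issues.append(f"line {r.line}: {r.action}@{r.ref or '<default branch>'} "
                          "is not pinned to a commit SHA")
        if r.action in watchlist:
            issues.append(f"line {r.line}: {r.action} is on the watchlist; verify the "
                          "pinned commit and rotate any secrets this job could read")
    return issues


if __name__ == "__main__":
    for issue in audit(SAMPLE_WORKFLOW):
        print(issue)
```

Run it against each file under `.github/workflows/` in a repository; a clean result means every third-party action is pinned by SHA, which is the precondition for the tag-swap described above to have no effect.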
Procolored Drivers Spread XRed and SnipVex Malware in Supply Chain Breach
Bottom Line Up Front (BLUF): Printer manufacturer Procolored has been found distributing malware-infected drivers, including the XRed backdoor and SnipVex clipboard stealer. The infected software was discovered on USB drives and public download links associated with multiple printer models. Although the command-and-control servers for XRed are offline, active malware like SnipVex poses ongoing risks.
Analyst Comments: Legacy malware like XRed and an active threat like SnipVex suggest a lapse in Procolored’s software hygiene and antivirus defenses during build or distribution. While the breach appears accidental, it underscores how even outdated malware can re-emerge through poorly vetted third-party software. Vendors distributing embedded software must ensure robust endpoint scanning and secure packaging practices to prevent reputational and operational fallout.
FROM THE MEDIA: An analysis revealed 39 malicious files, including a Delphi-based XRed backdoor and a .NET-based coin stealer. The malware, served through downloads hosted on Mega.nz, included keylogging, screenshot capture, and clipboard hijacking functionality. Procolored initially dismissed the findings but later acknowledged the issue and removed infected packages. Clean drivers have since been issued, with the company attributing the infection to USB-based transfer errors. Security experts advise complete system reformatting for affected users due to the depth of infection caused by SnipVex.
READ THE STORY: GBhackers
China-Backed Hackers Target India’s Critical Infrastructure Amid Military Standoff
Bottom Line Up Front (BLUF): Following Operation Sindoor and escalating military tensions with Pakistan, India has been hit by a wave of coordinated cyberattacks attributed to China-backed hackers and Pakistani hacktivist groups. These attacks targeted defense contractors, infrastructure, and financial systems, aiming to exfiltrate sensitive data and disrupt civilian services.
Analyst Comments: The attribution to Chinese and Pakistani actors suggests increased cyber coordination among geopolitical allies opposed to Indian strategic interests. India’s cyber defense posture, while improving, faces major challenges in hardening public sector networks and protecting critical national infrastructure from nation-state threats. The urgency for AI-driven defense mechanisms, better threat intelligence sharing, and mandatory cyber hygiene across government systems is now paramount.
FROM THE MEDIA: According to The Times of India and The420.in, attackers focused on defense PSUs, MSME vendors, Indian Railways, ports, airports, and financial platforms like UPI and stock exchanges. Cyber forensics experts confirmed the use of phishing, DoS, and malware attacks. Several government websites, including those of the National Institute of Water Sports and Central Coalfields Ltd, were defaced by the “Pakistani Cyber Force.” Though officially downplayed, experts warn these events reflect critical vulnerabilities. Security analysts are urging investment in AI-based intrusion systems, stronger CERT-In capabilities, and broader international cyber partnerships to mitigate ongoing threats.
READ THE STORY: The 420
Russian APT Group Coldriver Deploys ‘Lostkeys’ Malware in Targeted Phishing Campaigns
Bottom Line Up Front (BLUF): Google's Threat Intelligence Group (GTIG) has identified a new malware named Lostkeys, developed and deployed by the Russian APT group Coldriver (also known as UNC4057, Star Blizzard, or Callisto). First detected in January 2025, Lostkeys is designed to exfiltrate sensitive files and system information following multi-stage phishing attacks. It has been used in targeted operations against NATO-aligned governments, NGOs, and diplomatic personnel.
Analyst Comments: The malware’s stealthy exfiltration of specific file types and operational data, together with its deployment through deceptive emails from fake organizations, suggests a well-resourced and persistent threat actor focused on intelligence gathering. As geopolitical tensions with Russia remain high, this activity could be a precursor to further operations targeting Western critical infrastructure or policy institutions. The malware’s ability to evade detection in initial stages highlights ongoing challenges in email security and endpoint monitoring.
FROM THE MEDIA: Lostkeys was first observed in the wild in January 2025 and saw increased activity in March and April. The malware is distributed through phishing campaigns, where Coldriver impersonates legitimate organizations and sends malicious links via email. Once the user engages, Lostkeys is deployed and steals files based on specific extensions and directories. Additionally, it collects system metadata and lists of running processes, which are sent back to Coldriver’s command and control infrastructure. Coldriver has a history of targeting NATO, military, and government entities, and this latest campaign aligns with their known objectives.
READ THE STORY: MSN
Fancy Bear Targets Ukrainian Defense Officials and Foreign Suppliers with Webmail Exploits
Bottom Line Up Front (BLUF): Russian state-backed hacking group Fancy Bear (APT28) has intensified a long-running cyber-espionage campaign targeting Ukrainian government officials and international defense contractors supporting Kyiv. According to ESET research, attackers exploited a zero-day vulnerability (CVE-2024-11182) in webmail platforms including Roundcube, Horde, MDaemon, and Zimbra to steal sensitive data, including emails and two-factor authentication credentials.
Analyst Comments: APT28’s latest operations emphasize Russia’s persistent interest in Ukraine’s defense supply chain, likely aiming to disrupt military aid and gain strategic insights. The group's expansion to foreign contractors in Bulgaria, Romania, and other NATO-aligned countries reflects Moscow’s broader geopolitical surveillance goals. Their sustained focus on webmail vulnerabilities signals a shift toward exploiting less-defended entry points, highlighting a key blind spot in many organizations’ email security posture. With phishing lures mimicking Ukrainian media and focusing on credential theft, this campaign is tailored for stealth and scalability in wartime intelligence gathering.
FROM THE MEDIA: In 2024, targets included government and defense entities in Ukraine, Romania, Bulgaria, Greece, Cameroon, and Ecuador. The attackers used realistic spearphishing emails featuring fake Ukrainian news headlines to bait recipients. Once opened, malicious JavaScript executed through cross-site scripting exfiltrated email contents, address books, and authentication credentials. Some malware payloads could defeat two-factor authentication by stealing passwords and secrets. The group reportedly avoids persistent implants, instead relying on repeated phishing to regain access. ESET blocked most of the attack attempts at various stages, but confirmed 17 organizations were targeted, with some compromises likely.
READ THE STORY: CS
North Korea's TA406 Launches Cyberespionage Campaign Against Ukraine
Bottom Line Up Front (BLUF): North Korean state-sponsored group TA406 (aka Konni or Opal Sleet) has been targeting Ukrainian government entities since February 2025 in a cyberespionage campaign likely tied to Pyongyang's growing support for Russia in the Ukraine conflict. Using phishing emails and malicious archive files, the group deploys tools to collect system data, achieve persistence, and exfiltrate sensitive information.
Analyst Comments: The campaign also underscores North Korea's intent to gather battlefield intelligence to inform military or political decision-making, particularly after committing troops and resources to Russia. TA406’s use of technical and psychological pressure tactics—such as impersonating analysts and persistent follow-ups—demonstrates increasing sophistication in spearphishing methodology. With recent activity also involving scheduled tasks and stealthy data exfiltration, defenders should expect further targeting of Ukrainian and pro-Ukraine entities by DPRK-linked APTs in the months ahead.
FROM THE MEDIA: Messages claim to offer political analysis and link to password-protected RAR archives containing malicious CHM files. These files trigger PowerShell scripts that send system information to attacker-controlled servers and create persistent autorun batch files. Another variation used ZIP archives with shortcut (.LNK) files executing JavaScript-encoded payloads. TA406 also engaged in credential harvesting, spoofing Microsoft alerts about suspicious sign-ins. These tactics are part of broader North Korean efforts to assess Ukrainian government sentiment, operational resilience, and forecast potential Russian military needs. Researchers note TA406 has previously targeted Russian and South Korean entities and now appears to be synchronizing efforts with North Korea’s military involvement in Ukraine.
READ THE STORY: CSO
Items of interest
Japan Passes Landmark Active Cyber Defence Law to Counter Foreign Cyber Threats
Bottom Line Up Front (BLUF): Japan has enacted the Active Cyberdefence Law (ACD) to proactively defend against increasing cyberattacks, particularly from foreign state-backed actors. The law enables IP traffic monitoring and empowers authorities to launch countermeasures while preserving domestic privacy protections. This marks a strategic shift in Japan’s national security posture as digital threats intensify.
Analyst Comments: With critical infrastructure frequently targeted by ransomware and state-sponsored espionage campaigns (notably “MirrorFace,” allegedly China-backed), Tokyo's new strategy reflects growing regional insecurity. Empowering the National Police Agency and Self-Defense Forces to disrupt hostile servers actively may serve as a deterrent. Still, implementation challenges remain, particularly given Japan’s acute cybersecurity talent shortage and reliance on foreign-built cyber tools. A push for homegrown solutions and incident transparency will be key to success.
FROM THE MEDIA: Chief Cabinet Secretary Yoshimasa Hayashi stated the goal is to match or exceed the cyber capabilities of the U.S. and Europe. The law circumvents Article 21 of Japan’s pacifist constitution, which guarantees the secrecy of domestic communications, by restricting surveillance to foreign-linked traffic. Authorities will also mandate reporting of breaches by critical infrastructure operators. The legislation follows a record year of attacks targeting seaports, energy grids, and hospitals, with cyber-espionage campaigns like MirrorFace reportedly aimed at stealing national security data. Experts say Japan’s new law reflects the strategic imperative to shift from a passive to a preemptive cybersecurity doctrine.
READ THE STORY: FT
Japan's Cybersecurity Evolution (Video)
FROM THE MEDIA: In this episode of the Other Side of the Firewall podcast, hosts Ryan Williams, Shannon Tynes, and Daniel Acevedo discuss Japan's new active cyber defense legislation and its implications for its cybersecurity landscape. They explore the historical context of Japan's cybersecurity preparedness, the influence of international relations, and the need for improved information sharing and incident response strategies.
SmartFiles: Active Cyber Defense (Video)
FROM THE MEDIA: Cohesity SmartFiles is an enterprise-class, software-defined, data-centric, multiprotocol file and object solution for the enterprise that transcends traditional offerings in terms of manageability, scale, security, efficiency, and multi-tiered data management. Among the key values it delivers to customers is Active Cyber Defense. SmartFiles offers a multilayered approach allowing accurate content classification and discovery of sensitive data, compliance and governance, identification of threats, and the ability to respond and recover quickly from ransomware and other emerging cyber threats.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.