Thursday, May 22, 2025 // (IG): BB // GITHUB // SN R&D
Chinese and North Korean Hackers Intensify Cyber Operations Across Latin America
Bottom Line Up Front (BLUF): China-backed APTs increased their cyber operations in Latin America by 150% in 2024, targeting government, telecom, and military sectors to further Beijing’s strategic influence. Simultaneously, North Korean and financially motivated actors also escalated campaigns across the region, exploiting weak cyber defenses and growing digital infrastructure.
Analyst Comments: Latin America has become a hotbed for cyber espionage and financially motivated attacks due to its expanding digital ecosystem and relatively immature cybersecurity posture. China's activity reflects its long-term geopolitical play to dominate regional technology markets, while North Korea’s focus on crypto and fraud underlines its need for sanctions evasion. The rapid expansion of access broker markets and stealer-log-driven credential abuse further indicates a deeply entrenched cybercrime economy. Multinational organizations operating in LATAM must anticipate persistent hybrid threats that blend geopolitical motives with criminal monetization strategies.
FROM THE MEDIA: China-linked threat groups such as Vixen Panda, Aquatic Panda, and Liminal Panda significantly ramped up cyber activity across Latin America last year. These APTs targeted over a dozen countries, focusing on telecoms, government entities, and defense sectors, often aligned with Beijing’s interest in expanding its influence through infrastructure like Huawei-powered 5G. North Korea-based groups, including Famous Chollima and Stardust Chollima, focused on financial gain, notably through crypto theft and fraudulent employment schemes. The report also noted a sharp increase in regional ransomware and credential-based attacks, with over one billion credentials from LATAM recovered from data leaks and stealer logs. CrowdStrike identified 107 active access brokers offering entry into 428 regional organizations, often via Spanish-language Telegram channels distributing malware and stolen data.
READ THE STORY: DR
Telegram Posts $540M Profit Amid Legal Firestorm and AI Expansion
NOTE:
Telegram’s rapid growth and $540 million profit in 2024 highlight its rising economic power, fueled by advertising, premium subscriptions, and a crypto-integrated ecosystem built on the Ton blockchain—yet its success is shadowed by mounting legal scrutiny and reputational risk. Founder Pavel Durov faces criminal charges in France over Telegram’s alleged failure to address illegal content, including child exploitation and terrorism, which could threaten the company’s ability to secure regulatory trust or pursue an IPO. Meanwhile, the app’s documented use by cybercriminals for malware distribution, illicit data sales, and coordination of attacks adds further reputational strain, as critics increasingly liken Telegram to a modern-day dark web. This dual identity—booming tech platform and haven for illicit activity—raises questions for investors about long-term viability: should regulators act forcefully, Telegram could face restrictions, deplatforming risks, or compliance costs that may dampen growth, reduce premium user appeal, or destabilize Toncoin’s price. Despite impressive cash flow, future profitability and valuation may hinge not just on product innovation or user growth, but on how well Telegram navigates its escalating legal, ethical, and cybersecurity liabilities.
Bottom Line Up Front (BLUF): Telegram achieved a $540 million profit in 2024, its first-ever annual surplus, driven by a surge in premium subscriptions, advertising, and crypto-based partnerships. The milestone comes as founder Pavel Durov faces criminal charges in France over content moderation failures, which could complicate the company’s IPO ambitions.
Analyst Comments: The company’s deep integration with the TON blockchain and new AI partnerships, including one with Elon Musk’s xAI, signal a strategy focused on decentralization and platform extensibility. However, Durov’s legal troubles and Telegram’s minimal internal moderation infrastructure expose the company to significant governance and compliance liabilities, especially as it courts public investors. The platform’s pivot into AI and crypto ecosystems also raises fresh concerns about oversight and misuse in areas already under scrutiny from global regulators.
FROM THE MEDIA: Telegram reported $1.4 billion in revenue and $540 million in profit for 2024, reversing a $173 million loss from the previous year, according to investor documents reviewed by The Financial Times. Founder Pavel Durov is under investigation in France for allegedly failing to police illegal content, including child exploitation and terrorism. Despite the controversy, Telegram launched a $1.5 billion bond offering to repurchase older debt this week, sweetening the deal with a 20% IPO discount clause. About half of Telegram’s revenue came from partnerships involving TON blockchain mini apps and cryptocurrency Toncoin. The company is also exploring a major AI integration with Elon Musk’s xAI, incorporating the Grok chatbot into the platform. Telegram now claims over 1 billion monthly active users and is operated by just 60 employees, with much of its moderation outsourced.
READ THE STORY: FT
Investors Brace for Taiwan Risk Amid Rising China Tensions and Trump Tariffs
Bottom Line Up Front (BLUF): Rising geopolitical tensions between China and Taiwan—exacerbated by President Trump’s aggressive trade policies—have made a potential cross-strait conflict a tangible concern for global investors. While invasion remains a tail-risk, the lack of viable hedging mechanisms has driven nearly $11 billion in foreign capital out of Taiwan’s stock market in 2025 alone.
Analyst Comments: Investor anxiety over Taiwan is reaching unprecedented levels as the perceived likelihood of a Chinese invasion grows amid political saber-rattling and military exercises. With President Trump reinstating tariffs and signaling uncertainty about U.S. defense commitments, confidence in Taiwan’s strategic stability is eroding. Despite this, many funds remain exposed due to Taiwan's critical role in global semiconductor supply chains, primarily through TSMC. Should conflict erupt, capital flight, currency collapse, and disruption to chip manufacturing could send shockwaves through international markets. While some analysts argue that risk is overstated, a lack of hedging options leaves investors vulnerable to extreme volatility.
FROM THE MEDIA: Tensions have surged since China held large-scale military drills near Taiwan in April. Betting markets now put the odds of a Chinese invasion at 12%, up from near zero at the beginning of 2025. Taiwan President Lai Ching-te’s pledge for peace has been met with hostility by Beijing, which labels him a “separatist.” As a result, Taiwan's benchmark stock index is down 6% this year, with foreign investors pulling out amid uncertainty. Despite these risks, Taiwan Semiconductor Manufacturing Company (TSMC), a cornerstone of the global chip market, keeps many investors tethered to the region, hoping U.S. defense guarantees remain intact.
READ THE STORY: Reuters
APT28 Targets Ukraine Aid Logistics via Email and VPN Exploits
Bottom Line Up Front (BLUF): Russian state-sponsored hackers, identified as APT28 (a.k.a. Fancy Bear), have intensified cyber-espionage efforts against logistics and tech companies facilitating aid to Ukraine. Western cybersecurity agencies warn that the group exploits known vulnerabilities in email platforms, VPNs, and Windows systems to gain persistent access and monitor aid routes.
Analyst Comments: The GRU-aligned APT28 group is blending traditional military intelligence objectives with modern cyberwarfare techniques. These operations indirectly aim to undermine Ukraine’s defense support by focusing on logistics chains and infrastructure. The breadth of the attack surface—encompassing email systems, VPNs, and Active Directory—suggests the group is pursuing long-term infiltration and intelligence collection. Organizations supporting Ukraine or operating in NATO countries should harden their defenses around email gateways, enforce MFA, patch known vulnerabilities, and closely monitor for abnormal access behaviors.
FROM THE MEDIA: According to a joint cybersecurity advisory released May 21, 2025, APT28 has targeted dozens of organizations in NATO countries and Ukraine since 2022, focusing on entities involved in aid logistics. Initial access is gained using brute-force attacks, spear-phishing, and exploiting vulnerabilities including Outlook NTLM (CVE-2023-23397), Roundcube (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026), WinRAR (CVE-2023-38831), and unpatched VPN appliances. The campaign has also leveraged compromised SOHO devices to host phishing infrastructure. After gaining access, the threat actors used tools like Impacket, PsExec, RDP, and malware families like HeadLace and MASEPIE to establish persistence, conduct lateral movement, and exfiltrate sensitive data via PowerShell, IMAP, and Exchange Web Services. Western governments accuse the GRU's Unit 26165 of coordinating these actions in a bid to monitor and disrupt aid to Ukraine.
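The advisory's named tradecraft (brute-force logons, PsExec-style service installs, PowerShell-driven collection) maps directly onto a few host-log detections. The following is an added illustration, not code from the advisory or any vendor: it runs three simple rules over a constructed, pipe-delimited export of Windows Security/System events. The log format, the 203.0.113.x/10.0.0.x addresses, the account names and the thresholds are all assumptions made for the example.

```python
"""Toy detections for the access behaviours described in the APT28 advisory.

Added example. The log format below is a constructed, simplified export of
Windows events (timestamp|event_id|source_ip|account|detail); thresholds are
illustrative, not recommended production values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
SAMPLE_LOG = """\
2025-05-20T08:00:01|4625|203.0.113.7|alice|Logon failure
2025-05-20T08:00:03|4625|203.0.113.7|bob|Logon failure
2025-05-20T08:00:05|4625|203.0.113.7|carol|Logon failure
2025-05-20T08:00:07|4625|203.0.113.7|dave|Logon failure
2025-05-20T08:00:09|4625|203.0.113.7|erin|Logon failure
2025-05-20T08:00:12|4624|203.0.113.7|erin|Logon type 3
2025-05-20T08:01:00|4625|198.51.100.4|alice|Logon failure
2025-05-20T09:15:30|7045|10.0.0.25|SYSTEM|Service installed: PSEXESVC path=C:\\Windows\\PSEXESVC.exe
2025-05-20T09:16:02|4688|10.0.0.25|erin|powershell.exe -enc SQBFAFgA
2025-05-20T10:00:00|7045|10.0.0.30|SYSTEM|Service installed: Backup Agent path=C:\\Backup\\agent.exe
"""

SPRAY_MIN_ACCOUNTS = 5            # assumed threshold: distinct accounts failed from one IP
SPRAY_WINDOW = timedelta(minutes=5)  # assumed sliding window


def parse_log(text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, src, account, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "id": int(event_id),
                       "src": src, "account": account, "detail": detail})
    return events


def detect_spray(events):
    """Many failed logons (4625) for distinct accounts from one source IP inside
    the window, optionally followed by a success (4624) from the same IP."""
    findings = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["id"] == 4625]
        for first in failures:
            end = first["ts"] + SPRAY_WINDOW
            window = [f for f in failures if first["ts"] <= f["ts"] <= end]
            accounts = {f["account"] for f in window}
            if len(accounts) >= SPRAY_MIN_ACCOUNTS:
                success = any(e["id"] == 4624 and first["ts"] <= e["ts"] <= end for e in evs)
                findings.append({"rule": "password_spray", "src": src,
                                 "accounts": sorted(accounts),
                                 "followed_by_success": success})
                break  # one finding per source is enough for triage
    return findings


def detect_psexec_service(events):
    """System event 7045 installing the PSEXESVC service (PsExec lateral movement)."""
    return [{"rule": "psexec_service", "host": e["src"]}
            for e in events if e["id"] == 7045 and "PSEXESVC" in e["detail"].upper()]


def detect_encoded_powershell(events):
    """Process creation (4688) of PowerShell with an encoded command line."""
    return [{"rule": "encoded_powershell", "host": e["src"], "account": e["account"]}
            for e in events
            if e["id"] == 4688 and "powershell" in e["detail"].lower()
            and "-enc" in e["detail"].lower()]


def run_detections(events):
    """Run every rule and return the combined findings list."""
    return detect_spray(events) + detect_psexec_service(events) + detect_encoded_powershell(events)


if __name__ == "__main__":
    for finding in run_detections(parse_log(SAMPLE_LOG)):
        print(finding)
```

Each rule is deliberately narrow: the spray rule keys on distinct accounts rather than raw failure counts, so a single user mistyping a password does not trip it, and the service-install rule is a name match that a renamed PsExec binary would evade, which is why it belongs alongside process-creation and network-logon telemetry rather than on its own.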
READ THE STORY: THN // The Record
Russian Influence and Digital Propaganda Elevate Burkina Faso’s Junta Leader Traoré to Icon Status
Bottom Line Up Front (BLUF): Burkina Faso's coup leader, Captain Ibrahim Traoré, has become a digital icon across Africa, propelled by social media propaganda, Russian-backed influence campaigns, and growing public disillusionment with Western democratic models. Despite concerns over authoritarianism and repression, his anti-West, pro-sovereignty messaging has resonated with millions.
Analyst Comments: Traoré’s rise reflects a broader geopolitical shift as Russian influence supplants Western alliances in parts of Africa disillusioned by unfulfilled democratic promises and persistent insecurity. His popularity, amplified by AI-generated content and Russian media narratives, highlights the power of digital influence in reshaping political legitimacy. For cybersecurity professionals, this is a stark case study in how social media manipulation and state-backed information warfare can alter political landscapes, erode trust in democratic institutions, and potentially destabilize regional governance.
FROM THE MEDIA: Captain Ibrahim Traoré has cultivated a strongman persona that resonates across Africa, aided by viral AI-generated videos, debunked social media posts, and endorsements from controversial figures like former MP George Galloway. While hailed for his anti-imperialist stance and calls for economic self-reliance, Traoré has also been accused of suppressing dissent, conscripting critics, and failing to contain escalating jihadist violence. Russian support has played a key role in sustaining his rule, with the paramilitary group Bear Brigade providing security and Moscow reopening its embassy in Ouagadougou. Experts say this mix of grassroots disillusionment and foreign influence has created fertile ground for alternative narratives that challenge Western norms and institutions.
READ THE STORY: FT
Legal Aid Agency Breach Threatens Safety of Domestic Abuse Survivors in UK
Bottom Line Up Front (BLUF): A major data breach impacting the UK's Legal Aid Agency has exposed personal information of over 2 million legal aid applicants, including addresses of survivors of domestic abuse. Authorities fear the data will be published by cybercriminals, posing serious risks to vulnerable individuals and confidential refuge locations.
Analyst Comments: While the UK government maintains a no-ransom policy, the potential publication of addresses linked to domestic violence survivors could trigger life-threatening consequences and forced relocations. The breach raises urgent questions about government data protection strategies, particularly in handling vulnerable populations. Cybersecurity programs must prioritize technical resilience, post-breach humanitarian responses, and threat-informed risk modeling for high-sensitivity datasets.
FROM THE MEDIA: The UK Ministry of Justice confirmed a cyberattack on the Legal Aid Agency, stating that data from legal aid applicants dating back to 2010 had been compromised. The stolen data may include addresses, national IDs, financial information, and criminal histories. Particularly alarming is the risk to women’s refuges and survivors of domestic violence, whose confidential locations could be revealed. Advocacy group Refuge has expressed "deep concern," noting the heightened risk of harassment, impersonation, and physical violence. The MoJ has developed a response plan focused on proactively identifying and assisting high-risk individuals, including abuse survivors, asylum seekers, and victims of modern slavery. Despite a legal injunction, officials acknowledge that data publication is likely imminent due to the attackers’ disregard for international law.
READ THE STORY: The Record
FBI and Microsoft Dismantle Lumma Infostealer Infrastructure Tied to 10 Million Infections
Bottom Line Up Front (BLUF): US and international law enforcement, in collaboration with Microsoft, have dismantled the infrastructure behind Lumma, one of the most prolific information-stealing malware services active since 2022. Used by cybercriminals and ransomware gangs, Lumma is linked to 10 million infections and over $36.5 million in credit card fraud in 2023 alone.
Analyst Comments: The takedown of Lumma marks a significant operational success in disrupting a global cybercrime ecosystem. However, the malware's administrator responded by swiftly creating new infrastructure, highlighting the resilience and adaptability of cybercriminal networks. The coordinated action involving Microsoft, Europol, and other global entities reflects a growing shift toward public-private partnerships in cybercrime disruption. Still, the persistence of Lumma-type malware underlines the need for organizations to harden endpoint security, monitor for credential abuse, and stay updated on emerging threat actor infrastructure.
FROM THE MEDIA: The FBI seized two key domains linked to the Lumma infostealer's control infrastructure, and just days later, additional domains established by the malware’s operator were also taken down. First observed in 2022, Lumma has become a preferred tool among threat groups like Scattered Spider and numerous ransomware operators for stealing credentials, browser data, and cryptocurrency wallets. Microsoft’s Digital Crimes Unit played a pivotal role, seizing over 2,300 domains — 300 of which were disabled with Europol’s help. In a separate move, Microsoft collaborated with Japan’s Cybercrime Control Center to dismantle regional Lumma servers. Between March and May 2025 alone, Microsoft identified nearly 400,000 infected Windows systems. Lumma has been tied to breaches of cloud platforms, phishing scams, and attacks on critical sectors, including logistics, healthcare, and finance.
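Both this item and the Latin America report above turn on the same defensive problem: a large volume of recovered stealer-log credentials, from which an organization needs to find its own exposed accounts and reused passwords quickly. The script below is an added example, not code from Microsoft, the FBI or the article; it triages a constructed, simplified dump format (url|username|password) against a set of assumed organization domains, and reports only a short hash of each password rather than the plaintext.

```python
"""Triage of stealer-log entries against an organization's own domains.

Added example. The entry format and every sample value are constructed;
real stealer-log dumps differ by malware family and need their own parser.
"""
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit

ORG_DOMAINS = {"example.org"}  # assumed: the defender's own domains

# Constructed excerpt of what a recovered dump might look like (not real data).
SAMPLE_DUMP = """\
https://mail.example.org/owa|alice@example.org|Winter2024!
https://vpn.example.org/|bob|Winter2024!
https://shop.example.net/login|alice@gmail.com|hunter2
https://mail.example.org/owa|alice@example.org|Winter2024!
https://portal.partner.example|carol@example.org|s3cret
not a valid line
"""


def parse_dump(text):
    """Return (url, username, password) tuples, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        url, user, password = parts
        entries.append((url.strip(), user.strip(), password))
    return entries


def fingerprint(password):
    """Short SHA-256 prefix so reports never carry the plaintext secret."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def is_org_related(url, user):
    """True if the site host or the username's mail domain belongs to the org."""
    host = (urlsplit(url).hostname or "").lower()
    user_domain = user.rsplit("@", 1)[1].lower() if "@" in user else ""
    host_match = any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)
    return host_match or user_domain in ORG_DOMAINS


def triage(entries):
    """Map each exposed org account to the services it was captured on and to
    other accounts sharing the same password (reuse that a reset must cover)."""
    exposed = {}                  # (user, host) -> password fingerprint
    users_by_fp = defaultdict(set)
    for url, user, pw in entries:
        if not is_org_related(url, user):
            continue
        host = (urlsplit(url).hostname or "").lower()
        fp = fingerprint(pw)
        exposed[(user.lower(), host)] = fp     # duplicates collapse here
        users_by_fp[fp].add(user.lower())
    report = defaultdict(lambda: {"services": set(), "reused_with": set()})
    for (user, host), fp in exposed.items():
        report[user]["services"].add(host)
        report[user]["reused_with"] |= users_by_fp[fp] - {user}
    return {u: {"services": sorted(v["services"]), "reused_with": sorted(v["reused_with"])}
            for u, v in report.items()}


if __name__ == "__main__":
    for account, info in triage(parse_dump(SAMPLE_DUMP)).items():
        print(account, info)
```

The reuse check is the part worth keeping: a stealer harvests whatever the browser saved, so a password seen under one account and also under another is the signal that a single reset will not close the exposure.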
READ THE STORY: The Register
Trump Unveils $175 Billion “Golden Dome” Missile Defense Plan with SpaceX, Palantir, and Anduril
Bottom Line Up Front (BLUF): President Donald Trump has officially launched the Golden Dome missile defense initiative, a $175 billion space-based shield aimed at intercepting enemy missiles in their boost phase. The ambitious program will rely on satellite-based sensors and interceptors and has drawn comparisons to Ronald Reagan’s defunct “Star Wars” initiative.
Analyst Comments: Golden Dome represents the most expansive U.S. missile defense initiative since the Cold War, reflecting a strategic pivot toward countering missile threats from peer adversaries like China and Russia. The initiative faces considerable political and technical challenges, especially in cost, treaty compliance, and feasibility of boost-phase interception. However, its alignment with commercial defense innovators such as SpaceX, Palantir, and Anduril suggests a continuing trend of integrating Silicon Valley into national defense infrastructure. The program could reshape geopolitical deterrence dynamics and the global space security environment.
FROM THE MEDIA: Trump emphasized the program as a completion of Reagan's Strategic Defense Initiative and as a leap beyond Israel’s Iron Dome system, which he credited the U.S. with helping develop. Early contracts are likely to go to defense tech firms, including SpaceX, Palantir, Anduril, L3Harris, Lockheed Martin, and RTX Corp. Despite the fanfare, Golden Dome’s funding remains uncertain, with an initial $25 billion tied to a broader and contentious defense spending bill in Congress. Critics point to the ambitious scale and unproven technology of space-based missile interception as key obstacles.
READ THE STORY: The Record
Cellcom Confirms Cyberattack Behind Week-Long Voice and SMS Outages in Midwest
Bottom Line Up Front (BLUF): Cellcom, a primary telecommunications provider in Wisconsin and Michigan, has confirmed that a cyberattack caused a significant disruption to voice and SMS services beginning last Wednesday. While customer data systems were reportedly unaffected, complete service restoration remains pending, and federal investigators, including the FBI, are now involved.
Analyst Comments: The segmentation of affected systems from customer data is reassuring, but the prolonged service disruption suggests deeper network or recovery complexities, possibly tied to ransomware. As smaller regional providers become frequent cyber targets, especially those with aging infrastructure or limited cyber budgets, telecom resilience must become a strategic priority at both the organizational and policy levels. The inability to port numbers to alternative carriers could draw regulatory scrutiny if recovery drags on.
FROM THE MEDIA: Cellcom CEO Brighid Riordan confirmed in a video that a "cyber incident" was responsible for major service disruptions impacting voice and SMS functions across Wisconsin and Michigan since the prior week. While some services resumed on Monday, complete restoration remains uncertain. Riordan stated that FBI and Wisconsin officials are assisting in the investigation. The affected systems are reportedly isolated from customer data, though frustration continues to grow as customers cannot port numbers or switch providers. Cellcom has not confirmed whether ransomware is involved, but cybersecurity experts have been brought in to support recovery efforts.
READ THE STORY: The Record
Items of interest
Swatch Activist Bid Fails Amid Governance Backlash and Boardroom Entrenchment
Bottom Line Up Front (BLUF): U.S. investor Steven Wood has failed in his attempt to join Swatch Group’s board. The Hayek family’s voting control blocked his application despite support from most bearer shareholders. This defeat highlights growing shareholder dissatisfaction with Swatch’s corporate governance as the luxury watchmaker’s performance and transparency continue to lag.
Analyst Comments: Swatch’s rebuff of activist engagement signals a persistent governance impasse that could discourage institutional investors and raise reputational concerns. The dual-share structure shielding the Hayek family illustrates the tension between legacy leadership and modern governance standards. While calls for restructuring and brand revitalization grow louder, the boardroom deadlock suggests the company may not evolve without outside regulatory or market pressure. Future campaigns by activist investors may escalate in both tone and scope, especially if financial performance declines.
FROM THE MEDIA: At Swatch Group’s annual meeting on May 21, 2025, U.S.-based investor Steven Wood of GreenWood Investors failed to secure a board seat despite gaining support from 62% of bearer shareholders. The Hayek family, who own 25% of the group’s shares but wield 44% of voting rights through a dual-class structure, opposed his nomination. Swatch shares have fallen 25% over the past year, and net profit dropped 75% in 2024 to SFr219mn. Proxy advisers ISS and Glass Lewis had raised corporate governance red flags, recommending a supervisory board overhaul. Wood criticized the voting process and hinted at calling for an extraordinary meeting to formally represent bearer shareholders.
READ THE STORY: FT
Swatch x OMEGA MoonSwatch - Genius Or Destroying A Luxury Brand? (Video)
FROM THE MEDIA: The Swatch x OMEGA MoonSwatch collaboration is a high-risk, high-reward marketing play. While it jeopardizes Omega’s luxury exclusivity in the eyes of some purists, it strategically targets younger, aspirational buyers and drives massive brand buzz and sales across segments—positioning Omega for long-term growth amid a shifting watch market.
Swatch x Omega Moonswatch Just Changed the Game Forever (Video)
FROM THE MEDIA: The Swatch x Omega MoonSwatch collaboration has redefined the luxury watch landscape by merging Omega's iconic Speedmaster design with Swatch's affordability and innovation, resulting in a timepiece that has captivated both watch enthusiasts and the general public.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.