Friday, May 23, 2025 // (IG): BB // GITHUB // SN R&D
DOJ Indicts Alleged Qakbot Creator Tied to Global Ransomware Operations
Bottom Line Up Front (BLUF): The U.S. Department of Justice has indicted Russian national Rustam Gallyamov for allegedly developing and operating the Qakbot malware, a foundational tool used by significant ransomware gangs. The malware, active since 2008, infected over 700,000 computers and enabled high-profile attacks on organizations across North America. Authorities seized $24 million in illicit proceeds during the investigation.
Analyst Comments: Qakbot’s removal from circulation disrupted numerous ransomware operations, underlining the malware’s central role in the cybercriminal ecosystem. The case illustrates how deeply malware developers are intertwined with ransomware actors, functioning as core enablers. As cybercrime groups pivot to new tactics like “spam bombing,” defenders should anticipate a shift toward more socially engineered intrusions now that stable malware platforms are harder for these groups to rely on.
FROM THE MEDIA: The U.S. DOJ unsealed an indictment against Rustam Gallyamov, 48, accusing him of creating the Qakbot malware and facilitating its use by multiple ransomware groups, including Conti, REvil, Black Basta, and DoppelPaymer. Qakbot was dismantled in August 2023 through a multinational takedown effort involving several European nations. Gallyamov allegedly profited by selling access to infected devices to ransomware affiliates. Following Qakbot’s takedown, his group reportedly began launching spam-based phishing attacks. Alongside the indictment, the DOJ announced a civil forfeiture of more than $24 million in seized funds. The FBI’s Los Angeles office led the investigation with support from European counterparts.
READ THE STORY: The Record
Chinese APT UNC5221 Exploits Ivanti EPMM Flaws in Global Espionage Campaign
NOTE:
The big picture threat posed by the Ivanti EPMM vulnerabilities lies in their exploitation by a sophisticated, state-linked cyber espionage group to infiltrate and persist within critical infrastructure networks globally. By chaining unauthenticated remote code execution with hardcoded credentials and repurposed internal tools, the attackers gained deep, stealthy access to thousands of enterprise-managed mobile devices and sensitive backend systems. This type of intrusion threatens data confidentiality and operational integrity in sectors like defense, healthcare, and municipal services. The broader risk is that these vulnerabilities reveal how widely-used enterprise management tools can become high-value targets for nation-state actors seeking long-term access to critical systems, potentially enabling surveillance, disruption, or sabotage of essential services during geopolitical tensions.
Bottom Line Up Front (BLUF): A China-linked threat group, UNC5221, is actively exploiting two recently patched Ivanti EPMM vulnerabilities (CVE-2025-4427 and CVE-2025-4428) to target critical sectors globally. The attackers used the flaws to gain unauthorized access, deploy malware, and exfiltrate sensitive enterprise mobile device data from organizations in healthcare, defense, finance, and other sectors.
Analyst Comments: UNC5221’s sophisticated abuse of Ivanti’s mobile device management architecture shows a deep operational understanding of enterprise IT environments. Since exploitation began immediately after the patch disclosure, enterprises must reduce patch latency and bolster endpoint visibility. Shared Chinese tooling like FRP and links to Auto-Color C2 infrastructure suggest broader coordination within China’s cyber ecosystem.
FROM THE MEDIA: The threat actors chained the bugs to achieve unauthenticated remote code execution, leveraging the /mifs/rs/api/v2/ endpoint for reverse shells and deploying KrustyLoader—a Rust-based malware loader. The group further compromised Ivanti EPMM’s internal MySQL database using hard-coded credentials, accessing mobile device data, Office 365 tokens, and more. Tools like Fast Reverse Proxy and links to the Auto-Color backdoor—previously seen in university and government targeting—solidify attribution to UNC5221. GreyNoise separately reported increased scanning of Ivanti infrastructure ahead of the attacks, indicating advanced threat preparation.
READ THE STORY: The Register
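As an added defender-side example (not from the original digest, Ivanti, or any of the cited researchers): a Python scanner over constructed web access-log lines that flags requests to the /mifs/rs/api/v2/ path named above when they carry reverse-shell tokens or scanner-style user agents, and reports sources hammering that path, mirroring the pre-attack scanning GreyNoise described. The combined log format, the token lists, the placeholder sub-paths and the documentation-range addresses are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined access-log shape (assumption: the appliance's web tier logs in this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# API prefix the report names as the reverse-shell delivery path.
WATCHED_PREFIX = "/mifs/rs/api/v2/"
# Reverse-shell tokens that have no business in an MDM API request (heuristic list).
SHELL_TOKENS = re.compile(r'(/bin/(ba)?sh|/dev/tcp/|bash\s+-i|\bnc\s+-e|python\d?\s+-c)', re.I)
# Automated-client user agents typical of mass scanning (heuristic, not an allow/deny list).
SCANNER_UA = re.compile(r'(python-requests|curl/|go-http-client|nmap|masscan|zgrab)', re.I)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def reasons_for(rec):
    """Return the detection reasons for one parsed request (empty list = no finding)."""
    reasons = []
    if not rec["path"].startswith(WATCHED_PREFIX):
        return reasons
    if SHELL_TOKENS.search(unquote(rec["path"])):
        reasons.append("reverse-shell tokens in request to watched API path")
    if SCANNER_UA.search(rec["ua"]):
        reasons.append("scanner-style user agent on watched API path")
    return reasons

def analyze(lines, burst_threshold=5):
    """Return (hits, bursts): per-request findings and sources hammering the API path."""
    hits = []
    per_source = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-HTTP line: skip it rather than crash
        if rec["path"].startswith(WATCHED_PREFIX):
            per_source[rec["ip"]] += 1
        found = reasons_for(rec)
        if found:
            hits.append({"ip": rec["ip"], "path": rec["path"],
                         "status": rec["status"], "reasons": found})
    bursts = {ip: n for ip, n in per_source.items() if n >= burst_threshold}
    return hits, bursts

# Constructed sample log: documentation-range addresses, placeholder sub-paths.
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/example HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [15/May/2025:10:01:03 +0000] "GET /mifs/rs/api/v2/example?q=%2Fbin%2Fbash%20-i HTTP/1.1" 200 0 "-" "python-requests/2.31.0"
198.51.100.9 - - [15/May/2025:10:02:10 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is not an access-log entry
""" + "".join(
    f'192.0.2.44 - - [15/May/2025:10:03:{i:02d} +0000] "GET /mifs/rs/api/v2/probe{i} HTTP/1.1" 401 0 "-" "Go-http-client/1.1"\n'
    for i in range(5)
)

if __name__ == "__main__":
    hits, bursts = analyze(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ip"]} {h["path"]} {h["status"]}: {"; ".join(h["reasons"])}')
    for ip, n in bursts.items():
        print(f"burst: {ip} made {n} requests under {WATCHED_PREFIX}")
```

The burst threshold and token lists are starting points; tune them against a baseline of the appliance's normal API traffic before alerting on them.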
Russia-Aligned TAG-110 Hacks Tajik Institutions in Espionage Campaign
Bottom Line Up Front (BLUF): Russian-linked cyber-espionage group TAG-110, believed to be associated with APT28 (BlueDelta), has been targeting government and research entities in Tajikistan. The campaign employed phishing emails with macro-enabled Word documents to deploy espionage tools. This activity signals an evolving regional intelligence-gathering effort from Moscow.
Analyst Comments: TAG-110's focus on Tajikistan marks a strategic pivot amid heightened geopolitical competition in Central Asia. The move from Hatvibe malware to macro-laden documents suggests the group is refining its methods to bypass detection and exploit soft targets. This operation aligns with Russia’s broader objective of maintaining political and military influence in former Soviet states. Expect continued cyber operations in the region, especially where political developments may impact Moscow’s strategic interests.
FROM THE MEDIA: Using phishing emails with documents referencing military and electoral topics, the hackers aimed to compromise Tajik systems. Unlike previous operations, TAG-110 used macro-enabled Word templates instead of Hatvibe malware, indicating a shift in tactics. If successful, the intrusions may have delivered tools like CherrySpy or LogPie. The group has previously conducted operations in India, Israel, Mongolia, and Ukraine, reflecting its alignment with Russian foreign policy goals.
READ THE STORY: The Record
Starlink Surges Ahead in Global Satellite Race, but Geopolitical and Technical Rivals Loom
Bottom Line Up Front (BLUF): SpaceX’s Starlink leads the low Earth orbit (LEO) satellite internet race with over 7,000 operational satellites and 5 million users across 125 countries, thanks to its rapid launch cadence and in-house capabilities. However, Amazon’s Project Kuiper, China’s state-backed constellations, and Europe’s IRIS² intensify competition in a sector crucial for global communications and digital sovereignty.
Analyst Comments: Starlink’s early and aggressive scale-up, backed by SpaceX’s vertical integration and reusable Falcon 9 rockets, has created a formidable first-mover advantage. Yet that dominance is increasingly challenged by Amazon’s retail and cloud integration strategy and China’s strategic push to deploy global internet infrastructure under the Belt and Road Initiative. For governments, the geopolitical stakes are clear: reliance on a single commercial provider, especially one led by a politically polarizing figure, risks national security and digital independence. The next few years will likely see the fragmentation of global LEO networks along political and strategic lines.
FROM THE MEDIA: Amazon’s Project Kuiper has entered the fray with its first 27 satellites, part of a $16–$20 billion investment to provide a lower-cost alternative to Starlink. Meanwhile, China’s Guowang and SpaceSail aim to launch more than 26,000 satellites combined, supported by state funding and strategic partnerships in Belt and Road countries. The EU’s delayed IRIS² project, backed by €6 billion in public financing, reflects Europe’s scramble to establish sovereignty in space-based broadband. Starlink’s dominance—while commercially successful—is sparking concern among governments wary of Musk’s political influence and the risks of monopolized digital infrastructure.
READ THE STORY: FT
Senator Wyden Slams Telcos Over Government Surveillance Failures on Senate Lines
Bottom Line Up Front (BLUF): U.S. Senator Ron Wyden has accused AT&T, Verizon, and T-Mobile of failing to fulfill contractual obligations to notify the Senate about government surveillance of lawmakers' phone records. These oversights came to light following a staff-led investigation prompted by previous DOJ abuses involving sealed surveillance orders targeting members of Congress.
Analyst Comments: The DOJ's use of sealed orders to secretly gather metadata from lawmakers' devices underscores how executive surveillance can erode the principle of separation of powers. Wyden’s push could catalyze legislative or contractual reforms requiring telecom carriers to enforce stronger notification and privacy mechanisms.
FROM THE MEDIA: Senator Ron Wyden stated that major telecom carriers — AT&T, Verizon, and T-Mobile — failed to establish systems to alert Senate offices when law enforcement requested surveillance data, despite contractual requirements. Wyden noted that one carrier admitted to sharing Senate-related data without notice. This disclosure follows a 2024 DOJ report that revealed secret surveillance of congressional staffers and journalists between 2017 and 2020. While T-Mobile has since pledged to improve notification policies, the senator warned that personal and campaign phones remain vulnerable. Wyden urged lawmakers to select providers that proactively notify users of surveillance demands, citing smaller carriers like US Mobile and Cape that adopted such policies following outreach.
READ THE STORY: The Register
National Guard Trains on Volt Typhoon Intrusion During Cyber Yankee 2025
Bottom Line Up Front (BLUF): During the Cyber Yankee 2025 exercise, National Guardsmen received a firsthand briefing from a Massachusetts utility compromised by China-linked Volt Typhoon. The event marked the first time a real-world victim briefed participants, reinforcing the threat of nation-state intrusions targeting U.S. critical infrastructure. The training scenario mirrored tactics used by Volt Typhoon and other Chinese APTs.
Analyst Comments: Regional utilities become key targets as China moves from espionage to actively probing critical infrastructure. This exercise deepens collaboration between military cyber teams and private-sector operators and underscores the importance of building resilience in operational technology (OT). Future scenarios may evolve to simulate coordinated, multi-sector attacks, particularly as utilities become digitally interlinked.
FROM THE MEDIA: Cyber Yankee 2025, held in New Hampshire from May 5–16, featured nearly 400 participants from the military, government, private sector, and 40 international partners. A highlight of this year’s event was a live briefing from Littleton Electric, Light, and Water Departments, which had been infiltrated by Volt Typhoon — a Chinese APT actor known for its stealthy “living off the land” techniques. The attackers had gained access to both IT and possibly OT systems. Following the briefing, military participants gravitated toward the OT training tracks. The scenario used open-source tools to simulate real-world attacks, aligning with observed Chinese cyber activities. Cyber Yankee aims to strengthen partnerships and incident response coordination between Guardsmen and critical infrastructure operators.
READ THE STORY: Defense Scoop
Killnet Resurfaces as Cyber Mercenary Outfit Amid Russia-Ukraine Tensions
Bottom Line Up Front (BLUF): The notorious Russian hacktivist group Killnet has reemerged under new leadership and branding, shifting from patriotic DDoS attacks to profit-driven cybercrime. Recent claims of disrupting Ukraine’s drone-tracking systems—though unverified—suggest the group is attempting to reassert its relevance as a cyber mercenary outfit during key geopolitical events like Russia's Victory Day.
Analyst Comments: Killnet’s transformation illustrates a broader trend of cybercriminal collectives rebranding and shifting missions to stay relevant and profitable. Initially a pro-Kremlin hacktivist group, its new leadership under “BTC” now focuses on financially motivated attacks, dark web activities, and hack-for-hire services. This pivot complicates attribution and broadens the threat surface beyond ideological targets. Security teams should treat groups like Killnet as hybrid threats, blending nation-state interests with commercial criminal operations.
FROM THE MEDIA: Cybersecurity researchers at TRM Labs and Flashpoint report that Killnet, once infamous for simplistic DDoS attacks, has returned with a new strategy after a leadership shakeup and public scandal involving its founder. Under its new identity, Killnet claimed involvement in recent Ukrainian drone system disruptions, though no independent verification exists. The rebranded group reportedly functions more as a mercenary cybercrime service while maintaining its hacktivist image. Internal fractures have led to offshoot groups like KillNet 2.0 and Just Evil, each adopting varying political or financial motivations. Analysts view this as a calculated reentry into the cyber landscape aligned with Russian disinformation efforts.
READ THE STORY: The Record
Rising Deficit Raises Alarm for U.S. Dollar Stability, Say Market Analysts
Bottom Line Up Front (BLUF): Mounting concerns about U.S. deficit sustainability are reshaping traditional expectations for the dollar, bonds, and equities. Analysts now warn that excessive federal borrowing could simultaneously depress the dollar, raise bond yields, and spook foreign investors, particularly as global alternatives become more attractive.
Analyst Comments: The once-reliable “dollar smile” theory—where the dollar strengthens in both economic booms and busts—is being replaced by what Deutsche Bank calls a “fiscal frown.” In this new model, both overspending and sharp fiscal tightening could undermine U.S. financial markets. With rising yields and falling demand for Treasuries, the market may react negatively to fiscal stimulus it previously welcomed. This marks a potential inflection point, where the U.S. can no longer count on near-universal demand for its debt.
FROM THE MEDIA: Deutsche Bank’s FX research suggests both loose and overly tight fiscal policies could trigger capital flight or recession. Although bond yields remain in line with pre-2008 levels, fears of spiraling debt costs persist. Analysts warn that if the U.S. budget becomes too stimulative, it may raise yields unsustainably, while austerity risks recession and further dollar weakening. With Europe ramping up fiscal spending and international demand for U.S. assets wavering, the dollar’s status as a haven is no longer assured.
READ THE STORY: FT
Chinese Threat Group UAT-6382 Exploits Trimble Cityworks Vulnerability to Breach U.S. Government Networks
Bottom Line Up Front (BLUF): Chinese-linked hacking group UAT-6382 exploited a critical deserialization vulnerability (CVE-2025-0994) in Trimble Cityworks software to breach U.S. local government networks. The flaw enabled remote code execution, allowing the attackers to deploy multiple web shells and malware for persistent access and data exfiltration.
Analyst Comments: UAT-6382’s use of open-source Chinese tools and custom malware such as TetraLoader suggests continued investment in developing stealthy long-term espionage capabilities. The targeting of utility management systems raises alarm about potential future disruption operations, not just espionage. Organizations using Cityworks or similar platforms must prioritize patching and closely monitor for web shell activity.
FROM THE MEDIA: Cisco Talos researchers reported that UAT-6382 began exploiting CVE-2025-0994 as early as January 2025. The vulnerability, rated 8.6 on the CVSS scale and patched in February, allowed attackers to execute arbitrary code in Trimble’s Cityworks software, widely used by local governments. Once inside, UAT-6382 deployed a Rust-based loader called TetraLoader to deliver Cobalt Strike and VShell, establishing persistent access. The group leveraged standard Chinese web shells like AntSword, Behinder, and Chopper to maintain control and exfiltrate sensitive utility management data. These activities were traced back to a publicly available malware framework, MaLoader, shared in Chinese developer forums in late 2024.
READ THE STORY: THN
Chinese Hackers Exploit Trimble Cityworks Vulnerability to Target U.S. Municipal Infrastructure
Bottom Line Up Front (BLUF): Chinese-speaking threat actors are actively exploiting CVE-2025-0994, a critical remote code execution vulnerability in the Trimble Cityworks software used by U.S. municipalities. The vulnerability allows attackers to gain persistent access to systems managing utilities, inspections, permits, and other essential local government operations.
Analyst Comments: The exploitation of Trimble Cityworks deployments by China-nexus actors underscores an escalating trend in cyber-espionage: the infiltration of software that underpins civic infrastructure. By compromising local governments’ asset management platforms, adversaries gain strategic access to critical services like water, power, and transportation. The attackers’ use of Chinese-language malware builders and tools signals a highly tailored campaign, possibly intended to support long-term surveillance or to lay the groundwork for disruptive cyber operations. This is consistent with Beijing’s broader interest in mapping and influencing foreign critical infrastructure.
FROM THE MEDIA: Cisco Talos has tracked Chinese hackers exploiting CVE-2025-0994—a deserialization vulnerability in Trimble Cityworks, which U.S. local governments widely use. The attackers deployed web shells and custom malware, some built with the Chinese-language MaLoader framework, to maintain persistent access. The exploitation campaigns began shortly after warnings were issued in February by Trimble and CISA. Federal agencies were mandated to patch the vulnerability by February 28. Once inside networks, the attackers focused on utilities management systems and began staging files for data exfiltration. The tactics and language indicators strongly link the activity to Chinese-speaking actors.
READ THE STORY: The Record // The Register
SaaS Supply Chain at Risk: Nation-State Actors Exploit Commvault Azure Vulnerability
Bottom Line Up Front (BLUF): CISA has warned about an ongoing cyber campaign exploiting CVE-2025-3928, a zero-day in Commvault’s Azure-hosted Microsoft 365 (M365) backup SaaS platform, Metallic. The flaw allowed nation-state threat actors to access app secrets, enabling unauthorized access to customer M365 environments.
Analyst Comments: The attackers’ ability to exploit a web server flaw to access sensitive authentication data shows how misconfigured or over-permissioned service principals can become an entry point for widespread compromise. Nation-state actors increasingly turn to SaaS platforms as vectors for strategic espionage or long-term access operations. This area remains under-defended despite its centrality to business operations.
FROM THE MEDIA: Commvault's Metallic SaaS platform was compromised by a nation-state actor exploiting CVE-2025-3928—an authenticated RCE flaw in its web server. First detected in February, the activity gave attackers unauthorized access to M365 environments by stealing app secrets stored in Azure. The malware campaign, which targeted customers using default configurations and excessive permissions, is believed to be part of a broader effort affecting multiple SaaS providers. Commvault has rotated credentials and emphasized that customer backup data remains unaffected. CISA recommends enhanced log monitoring, service principal review, and restricting access to trusted networks.
READ THE STORY: THN
Items of interest
The Bulova Lunar Pilot: The Accidental Moon Watch with a Legendary Legacy
In 1971, during NASA's Apollo 15 mission, Commander David Scott made history by driving the first lunar rover and inadvertently turning a backup wristwatch into an icon. When the crystal of his NASA-issued Omega Speedmaster detached during a moonwalk, Scott turned to a personal timepiece—his Bulova Chronograph Model #88510/01. This unexpected substitution made Bulova the only other watch brand besides Omega to make it to the lunar surface.
Unlike Omega, which was officially sanctioned by NASA, Bulova had been passed over in early selection trials. However, astronauts could carry personal items, and Scott’s decision to bring his Bulova proved pivotal. The watch helped him complete critical extravehicular activities, proving its reliability in the harshest environment imaginable.
This story later fueled Bulova’s release of the Lunar Pilot, a modern chronograph modeled after the original. While the design retains a classic, legible dial and rugged stainless steel case, the new model uses a high-frequency quartz movement accurate to within 10 seconds per year, significantly more precise than the mechanical Speedmaster. With a price point starting around $500, the Lunar Pilot stands as one of the most affordable pieces of genuine space history one can wear.
More than just a stylish chronograph, the Bulova Lunar Pilot is a testament to resilience, reliability, and the kind of contingency that can define a moment in space exploration history.
READ THE STORY: GQ
Out of This World: The Bulova Lunar Pilot Review – A Watch with Space History (Video)
FROM THE MEDIA: The Bulova Lunar Pilot is an affordable, historically significant space watch that offers a unique blend of lunar legacy, modern technology, and underdog appeal. Originally worn during the Apollo 15 mission after an Omega Speedmaster failure, this quartz chronograph delivers space heritage for a fraction of the price of its rivals.
Omega Speedmaster vs Bulova Lunar Pilot (Video)
FROM THE MEDIA: The Omega Speedmaster Professional and the Bulova Lunar Pilot are both legendary timepieces with lunar legacies. While the Speedmaster offers refined mechanical craftsmanship and heritage-driven design, the Lunar Pilot delivers bold styling, modern quartz precision, and unmatched value. Each watch appeals to different priorities: heritage and finesse vs. impact and affordability.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.