Saturday, May 31, 2025 // (IG): BB // GITHUB // SN R&D
TOOL DROP:
A world map that visualizes active proxy servers from multiple sources worldwide, featuring automated data collection, real-time analytics, and beautiful visualizations. Updates every 6 hours using GitHub Actions and deploys seamlessly to GitHub Pages.
U.S. Defense Secretary Warns of Imminent Chinese Military Action Against Taiwan at Shangri-La Dialogue
Bottom Line Up Front (BLUF): U.S. Defense Secretary Pete Hegseth warned that Chinese military action against Taiwan "could be imminent," urging allies in the Indo-Pacific to increase defense spending. Speaking at the Shangri-La Dialogue, he emphasized that Beijing's threats are real and are a wake-up call for regional partners to strengthen deterrence.
Analyst Comments: By framing the threat as "imminent," Hegseth signals a shift toward a more urgent call for collective defense, potentially accelerating military cooperation with regional allies. However, some analysts caution that China’s timeline remains uncertain and that talk of an imminent invasion could spur regional defense investment rather than signal immediate conflict. A significant challenge remains balancing economic ties with China while bolstering defense capabilities.
FROM THE MEDIA: Speaking at Singapore's IISS Shangri-La Dialogue defense forum, U.S. Defense Secretary Pete Hegseth warned that Chinese military action against Taiwan "could be imminent." He called on Indo-Pacific allies to follow Europe’s example and boost defense spending, arguing that the People’s Liberation Army is actively training and preparing for an invasion of Taiwan by 2027. Hegseth highlighted China’s cyber threats and harassment in the South China Sea, describing the risk as urgent and potentially destabilizing for the entire region. Despite a firm tone, he emphasized that the U.S. does not seek conflict but would not allow allies to be subordinated by Beijing’s aggression.
READ THE STORY: FT
Researchers Uncover "AppleProcessHub" Stealer Targeting macOS Devices
Bottom Line Up Front (BLUF): Cybersecurity researchers have identified a new stealer malware dubbed "AppleProcessHub," which targets macOS devices. This malware steals sensitive data, including passwords and system information, raising concerns about the evolving threat landscape for Apple users.
Analyst Comments: The malware exploits trusted processes and evades detection, underscoring the importance of layered defense strategies and user awareness. Apple users, often targeted by high-value attackers, should be vigilant about software updates and security best practices. This discovery could signal a broader focus on macOS by cybercriminals seeking to diversify their attack surfaces.
FROM THE MEDIA: AppleProcessHub masquerades as a legitimate process, enabling it to bypass certain detection mechanisms. Researchers warn that it could be leveraged for credential theft, reconnaissance, and even to facilitate further attacks. Users are advised to update their systems and exercise caution when downloading software from untrusted sources.
READ THE STORY: GBhackers
Mexican Authorities Seize Over 3 Million Liters of Stolen Fuel in Crackdown
Bottom Line Up Front (BLUF): Mexican authorities have confiscated more than 3 million liters of illegally stored fuel in Tabasco, marking a significant escalation in the country’s battle against fuel smuggling. The bust highlights ongoing efforts to combat widespread fuel theft from state-run Pemex pipelines and fraudulent imports to evade taxes.
Analyst Comments: Fuel theft remains a critical challenge for Mexico’s energy sector, draining resources from Pemex and undercutting legitimate trade. The recent seizure underscores the Mexican government’s commitment to cracking down on domestic and cross-border smuggling networks. New traceability measures could bolster accountability and disrupt criminal supply chains, but sophisticated smuggling methods and high demand may persist. Expect increased security and monitoring of fuel movements, potentially impacting legitimate fuel logistics in the region.
FROM THE MEDIA: Eighteen vehicles and three pieces of machinery were also confiscated. Mexican President Claudia Sheinbaum linked the seizures to new fuel traceability regulations. Pemex, Mexico’s state-owned oil company, has long struggled with fuel theft from its pipelines, a problem that continues to strain the economy. Authorities also recently seized 1.5 million liters in Tabasco and 10 million liters in Tamaulipas, the latter from a U.S.-linked shipment.
READ THE STORY: Reuters
Germany Identifies "Stern," Key Figure in Trickbot Cybercrime Gang
Bottom Line Up Front (BLUF): German authorities have identified a hacker known as “Stern” as a leading figure in the notorious Trickbot malware gang. Stern’s unmasking is part of a broader effort to dismantle the group, which has been linked to ransomware attacks and financial fraud worldwide.
Analyst Comments: Trickbot has evolved from a banking Trojan into a sophisticated malware ecosystem facilitating ransomware deployments, data theft, and large-scale cybercrime campaigns. The identification of Stern underscores the growing effectiveness of international law enforcement collaboration in cybercrime investigations. However, Trickbot's decentralized structure and affiliates may complicate efforts to fully eradicate its operations. Continued pressure on cybercriminal groups, combined with efforts to harden network defenses, is critical to reducing their impact.
FROM THE MEDIA: Stern was identified by Germany’s Federal Criminal Police Office (BKA) with the help of U.S. law enforcement and cybersecurity firms. Trickbot has been active since 2016, initially targeting online banking credentials before pivoting to delivering ransomware like Ryuk and Conti. Stern allegedly managed infrastructure and played a role in coordinating Trickbot’s operations. This latest development follows international takedown efforts in 2020, which severely disrupted Trickbot’s operations but did not fully eliminate its activities.
READ THE STORY: Wired
Meta Disrupts Coordinated Influence Operations Linked to China, Iran, and Romania
Bottom Line Up Front (BLUF): Meta announced the takedown of coordinated influence operations originating from China, Iran, and Romania. These campaigns targeted multiple regions and aimed to spread propaganda, disinformation, and pro-state narratives. The removals highlight the persistent global threat of state-backed online influence operations on social media platforms.
Analyst Comments: Romania’s inclusion indicates a broader trend of influence campaigns beyond major powers. Meta’s actions reflect social media platforms’ challenges in policing state-backed disinformation while balancing free expression. Future operations will likely grow more sophisticated, making detection and countermeasures increasingly difficult for platforms and governments.
FROM THE MEDIA: Meta reported that it dismantled networks of fake accounts and pages linked to China, Iran, and Romania that were engaged in coordinated inauthentic behavior. The Chinese network targeted the United States and Chinese-speaking audiences worldwide with content about U.S. politics, global events, and controversial topics. Iran’s network focused on Israel, primarily posting political content in Hebrew, while Romania’s network primarily targeted Ukraine with pro-Russian narratives. Meta stated that the operations leveraged a combination of authentic and fake accounts, with tactics including spammy sharing, comment boosting, and the use of AI-generated content to mask inauthentic behavior. The company shared its findings as part of its quarterly threat report and emphasized its commitment to transparency and collaboration with external experts.
READ THE STORY: The Record
U.S. Army Report Analyzes China’s Large-Scale Combat Strategies and Cyber Tactics
Bottom Line Up Front (BLUF): A new U.S. Army report outlines how China prepares for large-scale combat operations, emphasizing integrated cyber and electronic warfare as key components. The analysis highlights the PLA’s use of digital and AI-driven technologies to disrupt adversaries’ command systems and critical infrastructure.
Analyst Comments: The PLA’s “active defense” strategy enables China to combine defensive postures with offensive tactics, supporting power projection beyond its borders. The PLA’s emphasis on joint multidomain integration and ground force readiness signals a significant shift that the U.S. Army must factor into training, force posture, and operational planning. The focus on military-civil fusion also suggests that cyber capabilities will be deeply embedded across all levels of Chinese operations, posing additional challenges to Western defense systems.
FROM THE MEDIA: According to the U.S. Army’s TRADOC study, China’s PLA doctrine in large-scale combat operations (LSCO) relies heavily on a whole-of-nation approach, integrating military and civilian resources through military-civil fusion. This includes utilizing information operations, electronic warfare, and cyber capabilities to paralyze enemy systems and achieve information dominance. PLA ground forces, often underestimated in Pacific conflict scenarios, are expected to conduct amphibious assaults, airborne operations, and integrated joint maneuvers as part of the PLA’s Multidomain Precision Warfare concept. The report stresses that the PLA’s approach to LSCO is designed to delay, deter, and defeat adversaries, like the U.S. Army, through comprehensive systems confrontation. The study builds on TRADOC Pamphlet 525-92 and ATP 7-100.3, providing updated insights into the PLA’s tactics and strategy for potential Indo-Pacific conflicts.
READ THE STORY: MILITARNYI
APT41 Exploits Google Calendar for Malware Command and Control, Targeting Ukrainian Systems
Bottom Line Up Front (BLUF): Chinese state-backed hacking group APT41 uses Google Calendar as a stealthy command-and-control (C2) channel to manage malware on compromised systems. Security researchers in Ukraine and globally have identified this innovative technique, which leverages legitimate cloud services to bypass traditional detection mechanisms.
Analyst Comments: By embedding commands in calendar events, the attackers can exploit a widely trusted platform, making detection and mitigation significantly harder. This tactic demonstrates a growing trend of adversaries blending malicious operations with everyday cloud services, challenging defenders to rethink monitoring and anomaly detection. The tactic also underscores the need for stronger cloud governance and anomaly-based detection in cloud-native environments.
FROM THE MEDIA: APT41 uses Google Calendar as a covert communication channel to manage malware implants. Security researchers at ThreatMon observed that APT41 creates calendar events with embedded malicious commands in event descriptions. These are parsed by compromised endpoints, enabling dynamic instruction delivery without raising suspicion. The technique also leverages legitimate HTTPS traffic, complicating perimeter-based defenses. The campaign primarily targets high-tech, defense, and government sectors across Europe, North America, and Asia. Google has been notified of the abuse and is reportedly working to improve detection and takedown capabilities.
READ THE STORY: DEV.UA
ConnectWise Hit by Cyberattack Linked to Nation-State Threat Actor
Bottom Line Up Front (BLUF): ConnectWise, a leading IT management software company, has confirmed a cyberattack that compromised some of its internal systems. The breach has been linked to a nation-state threat actor, raising alarms over supply chain risks and potential downstream impacts on ConnectWise’s extensive partner network.
Analyst Comments: The incident reflects the increasing sophistication of nation-state cyberattacks targeting software providers, which often serve as critical infrastructure for managed service providers (MSPs) and their customers. Such compromises can facilitate broader supply chain attacks, leveraging trusted relationships to propagate malware or conduct espionage. Organizations relying on ConnectWise should review their cybersecurity postures and implement additional monitoring to detect any anomalies potentially linked to this breach.
FROM THE MEDIA: ConnectWise publicly acknowledged the intrusion on Thursday, stating that it had contained the breach and was working with law enforcement and cybersecurity experts to investigate. While the company did not specify the precise methods used by the attackers, sources indicate that the compromise involved sophisticated techniques consistent with advanced persistent threats (APTs). Security experts warn threat actors might exploit trust relationships with MSPs to infiltrate customer environments. ConnectWise urges its partners to enhance security measures and apply recommended patches immediately.
READ THE STORY: THN
China Deploys AI-Driven Satellites to Boost Space Capabilities and Cyber Defense
Bottom Line Up Front (BLUF): China has integrated advanced artificial intelligence (AI) into its satellite technology, enabling faster data processing and real-time decision-making in orbit. These AI-powered satellites are designed to enhance China’s space-based cyber defense and surveillance capabilities, raising concerns about potential military applications and global cybersecurity risks.
Analyst Comments: These satellites could facilitate more sophisticated electronic warfare and rapid-response cyber defense, challenging traditional satellite security paradigms. Western governments and cybersecurity experts should monitor these developments closely, as AI-enabled satellites could be used to disrupt or surveil critical infrastructure globally.
FROM THE MEDIA: According to Chinese media, these satellites can quickly identify cyber threats and adjust their operations without waiting for ground-based commands. This capability enhances China’s ability to conduct space-based cyber operations, including identifying and countering potential threats to its satellite network. Analysts say that AI-enhanced satellites are primarily intended to improve efficiency. However, they could also be leveraged for military purposes, raising concerns among U.S. and allied security agencies about potential threats to satellite-based communications and infrastructure.
READ THE STORY: CN
DragonForce Hackers Exploit SimpleHelp Flaws for Global Attacks
Bottom Line Up Front (BLUF): A threat group known as DragonForce has launched widespread attacks exploiting multiple vulnerabilities in SimpleHelp, a remote support software. The attackers use these flaws to deploy web shells and backdoors, compromising organizations across various sectors.
Analyst Comments: Attackers’ use of web shells demonstrates their focus on persistence and stealth, enabling further lateral movement and data exfiltration. This campaign highlights the critical need for continuous monitoring and prompt patching, especially in tools with broad remote access capabilities. As remote support software becomes integral to IT operations, expect these platforms to remain attractive targets for cybercriminals and nation-state actors.
FROM THE MEDIA: DragonForce, a hacking group previously known for web defacements and hacktivist activity, has exploited critical vulnerabilities in SimpleHelp’s remote support software. Researchers at Uptycs revealed that the group has weaponized these flaws to install web shells, create new administrator accounts, and deploy backdoors on vulnerable systems. The vulnerabilities affect unpatched versions of SimpleHelp, exposing organizations to potential data theft and ransomware. DragonForce has reportedly targeted industries including healthcare, education, and finance, with incidents reported in North America, Europe, and Asia. SimpleHelp has released patches, and users are urged to update immediately.
READ THE STORY: THN
SilentWerewolf Campaign Combines Legitimate IT Tools for Stealthy Cyberattacks
Bottom Line Up Front (BLUF): A new cyberattack campaign dubbed “SilentWerewolf” uses legitimate IT administration tools in combination with malicious scripts to target organizations globally. The campaign, identified by cybersecurity researchers, focuses on evading detection by blending into routine IT activities.
Analyst Comments: This makes detection especially challenging, as standard endpoint monitoring may classify the activity as normal administrative behavior. The campaign underscores the need for defenders to monitor suspicious usage patterns, such as unusual remote access, script execution, or process abuse, even when involving trusted software. Expect more threat actors to adopt similar approaches as they seek to evade advanced endpoint detection systems.
FROM THE MEDIA: SilentWerewolf is a cyberattack campaign that leverages legitimate tools like PowerShell, PsExec, and Windows Management Instrumentation (WMI) to execute malware, establish persistence, and exfiltrate data. Researchers at Uptycs revealed that attackers deploy small, modular payloads using these tools to blend in with regular IT administration processes. The attackers also use legitimate RMM (Remote Monitoring and Management) software to avoid triggering alarms. The campaign has primarily targeted organizations in the finance, healthcare, and technology sectors across North America, Europe, and Asia. Uptycs advises organizations to control administrative tool usage strictly and enhance behavioral monitoring to detect suspicious activity.
READ THE STORY: GBhackers
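The SilentWerewolf story recommends monitoring administrative tool usage rather than blocking the tools outright. The script below is an added example, not code from the story or from Uptycs: it scores constructed process-creation events (Sysmon-style fields, simplified) for three living-off-the-land indicators the story names, PsExec service execution, WMI-spawned child processes, and encoded PowerShell, and alerts only when one host shows two or more of them, so routine single uses of an admin tool do not fire.

```python
"""Correlate living-off-the-land indicators per host before alerting.

Added example for the SilentWerewolf write-up. The events are constructed;
field layout is host|parent image|image|command line.
"""
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). srv-fin-01 shows a PsExec
# service launch, a PsExec-spawned shell, and an encoded PowerShell command
# spawned by the WMI provider host; ws-hr-07 shows only routine admin activity.
SAMPLE_EVENTS = """\
srv-fin-01|C:\\Windows\\System32\\services.exe|C:\\Windows\\PSEXESVC.exe|PSEXESVC.exe
srv-fin-01|C:\\Windows\\PSEXESVC.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
srv-fin-01|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgA
ws-hr-07|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\scripts\\inventory.ps1
ws-hr-07|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get caption
"""

# Matches PowerShell's -e / -ec / -enc / -EncodedCommand switches; \b keeps
# "-e" from matching unrelated switches such as -ExecutionPolicy.
ENCODED_SWITCH = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE)

# Each rule looks at one event and returns True when its indicator is present.
RULES = {
    # PSEXESVC.exe is the service PsExec drops on the target host.
    "psexec_service": lambda parent, image, cmd: (
        image.lower().endswith("\\psexesvc.exe")
        or parent.lower().endswith("\\psexesvc.exe")
    ),
    # Processes spawned by WmiPrvSE.exe are the classic trace of remote WMI execution.
    "wmi_spawned_child": lambda parent, image, cmd: parent.lower().endswith("\\wmiprvse.exe"),
    # Base64-encoded PowerShell command lines hide the script from casual review.
    "encoded_powershell": lambda parent, image, cmd: (
        image.lower().endswith("powershell.exe") and ENCODED_SWITCH.search(cmd) is not None
    ),
}


def parse_events(text):
    """Split pipe-delimited event lines into (host, parent, image, cmd) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, parent, image, cmd = line.split("|", 3)
        events.append((host, parent, image, cmd))
    return events


def match_rules(parent, image, cmd):
    """Return the set of rule names that fire for a single event."""
    return {name for name, test in RULES.items() if test(parent, image, cmd)}


def score_hosts(text, min_techniques=2):
    """Collect distinct indicators per host; alert on hosts reaching the threshold."""
    techniques = defaultdict(set)
    for host, parent, image, cmd in parse_events(text):
        techniques[host] |= match_rules(parent, image, cmd)
    return {h: sorted(t) for h, t in techniques.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    for host, found in score_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(found)}")
```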
U.S. Sanctions Southeast Asian Provider of Scam Infrastructure Tied to Global Fraud Campaigns
Bottom Line Up Front (BLUF): The U.S. Treasury Department has sanctioned a Southeast Asian company that allegedly provided infrastructure services to cybercriminal groups responsible for large-scale phishing, scam calls, and financial fraud. The company’s resources have been linked to thousands of scam campaigns globally.
Analyst Comments: By targeting infrastructure providers—often small but critical links in cybercriminal operations—authorities aim to dismantle the technical backbone of global scams. The sanctions also message similar service providers that facilitating cybercrime, even indirectly, could bring serious consequences. Expect other countries to follow suit with coordinated enforcement and legal actions, further tightening the net on illicit infrastructure.
FROM THE MEDIA: The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned a Southeast Asian company accused of providing essential infrastructure to cybercriminal groups. The company allegedly offered services like hosting, bulletproof domains, and VoIP call centers used by scammers in phishing and social engineering campaigns. According to the Treasury, these services have supported thousands of fraudulent activities, targeting individuals and organizations across the globe. The sanctions freeze the company’s U.S. assets and bar Americans from conducting business. This is part of a broader crackdown on the ecosystem that enables cybercrime, aligning with recent efforts by the U.S. to target ransomware affiliates and illicit money transfer networks.
READ THE STORY: The Record
New Windows RAT Evades Detection for Over a Year Using Legitimate Services
Bottom Line Up Front (BLUF): A new Windows remote access trojan (RAT) has remained undetected for over a year, using legitimate services like Dropbox and Slack to exfiltrate data. Researchers at ThreatMon identified the malware’s stealthy operations, highlighting the need for improved detection techniques.
Analyst Comments: The extended period during which this RAT evaded detection shows the ongoing challenges defenders face in identifying malware that abuses legitimate cloud services. The use of common platforms like Dropbox and Slack makes it harder for traditional security tools to spot malicious activity. The RAT’s stealth tactics emphasize the need for behavior-based detection, improved endpoint monitoring, and user awareness training. Organizations should also enforce stricter access controls and monitor unusual patterns of cloud service usage to mitigate these threats.
FROM THE MEDIA: The malware operators leveraged these popular cloud services to blend malicious traffic with legitimate user activity, making detection difficult. The RAT reportedly allows attackers to exfiltrate files, execute commands, and maintain persistent access on compromised systems. ThreatMon analysts emphasized that the malware’s long undetected presence points to weaknesses in existing antivirus and EDR solutions, which often fail to identify threats hiding in plain sight. The discovery follows a surge in threat actors’ use of legitimate cloud services to avoid detection by security systems and human analysts.
READ THE STORY: THN
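Both the APT41 Google Calendar story and the Dropbox/Slack RAT story above turn on the same defender problem: C2 and exfiltration traffic to a trusted SaaS domain looks like ordinary HTTPS. The script below is an added example, not code from either story or from ThreatMon: it runs over constructed proxy log lines and flags a (host, process, destination) series when the requests are near-periodic (low coefficient of variation in inter-request gaps, the signature of an implant polling on a timer) or when the requesting process is not one normally expected to talk to that service. The API hostnames and the expected-process list are assumptions to adapt to your own proxy's view of these services.

```python
"""Spot implant-style polling of trusted cloud services in proxy logs.

Added example for the APT41 (Google Calendar C2) and Dropbox/Slack RAT stories.
Log lines are constructed: timestamp, source host, process, destination host.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_PROXY_LOG = """\
2025-05-30T09:00:00Z ws-17 svchost_helper.exe www.googleapis.com
2025-05-30T09:05:01Z ws-17 svchost_helper.exe www.googleapis.com
2025-05-30T09:10:00Z ws-17 svchost_helper.exe www.googleapis.com
2025-05-30T09:15:02Z ws-17 svchost_helper.exe www.googleapis.com
2025-05-30T09:19:59Z ws-17 svchost_helper.exe www.googleapis.com
2025-05-30T09:25:00Z ws-17 svchost_helper.exe www.googleapis.com
2025-05-30T09:01:13Z ws-22 chrome.exe slack.com
2025-05-30T09:04:40Z ws-22 chrome.exe slack.com
2025-05-30T09:31:05Z ws-22 chrome.exe slack.com
2025-05-30T10:12:50Z ws-22 chrome.exe slack.com
2025-05-30T11:02:02Z ws-22 chrome.exe slack.com
2025-05-30T11:03:09Z ws-22 chrome.exe slack.com
2025-05-30T09:00:30Z ws-09 updater.exe content.dropboxapi.com
2025-05-30T09:30:30Z ws-09 updater.exe content.dropboxapi.com
"""

# Assumed API hostnames for the services the stories name as C2/exfil channels.
WATCHED_HOSTS = {"www.googleapis.com", "slack.com", "content.dropboxapi.com"}
# Assumed allowlist of processes that legitimately talk to those services.
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "slack.exe", "dropbox.exe"}


def parse_proxy_log(text):
    """Yield (timestamp, host, process, destination) from whitespace-delimited lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dst = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, proc, dst


def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation) for a request series."""
    stamps = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else 0.0)


def find_beacons(text, min_requests=4, max_cv=0.1):
    """Map (host, process, destination) to the reasons it was flagged.

    A series is periodic when it has at least min_requests requests and the
    gaps vary by no more than max_cv of their mean; human-driven traffic is
    far more irregular than that.
    """
    series = defaultdict(list)
    for ts, host, proc, dst in parse_proxy_log(text):
        if dst in WATCHED_HOSTS:
            series[(host, proc, dst)].append(ts)
    alerts = {}
    for key, stamps in series.items():
        reasons = []
        if key[1].lower() not in EXPECTED_PROCESSES:
            reasons.append("unexpected_process")
        if len(stamps) >= min_requests and beacon_score(stamps)[1] <= max_cv:
            reasons.append("periodic")
        if reasons:
            alerts[key] = sorted(reasons)
    return alerts


if __name__ == "__main__":
    for (host, proc, dst), why in find_beacons(SAMPLE_PROXY_LOG).items():
        print(f"ALERT {host} {proc} -> {dst}: {', '.join(why)}")
```

Periodicity alone is a weak signal (legitimate sync clients also poll), so in practice the two reasons together, or periodicity from an unexpected process, is what should page an analyst.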
China’s Manufacturing Activity Contracts Again as U.S. Trade Tensions Intensify
Bottom Line Up Front (BLUF): China’s manufacturing sector contracted for the second straight month in May, with the official PMI at 49.5, amid persistent trade tensions with the U.S. President Trump’s decision to double steel and aluminum tariffs exacerbates the risk of prolonged trade instability. Analysts expect Beijing to introduce more monetary and fiscal stimulus to support growth.
Analyst Comments: The figures reflect China’s struggle to maintain manufacturing momentum in the face of domestic challenges and renewed trade tensions with the U.S. Despite a slight rebound in export orders, the overall outlook remains fragile. Trump’s tariff increase will dampen business sentiment further, especially given the sector’s dependence on export-led growth. Additional stimulus may provide short-term relief, but structural challenges will persist, including deflationary pressures and weak domestic demand. The U.S.-China relationship remains volatile, and any prolonged tensions could slow China’s efforts to hit its 5% GDP target this year.
FROM THE MEDIA: This marks the second consecutive month of decline. President Trump’s decision to double steel and aluminum tariffs to 50% has further strained bilateral trade ties. Senior NBS statistician Zhao Qinghe noted some firms saw a rebound in trade with the U.S. The non-manufacturing PMI also weakened slightly, dropping to 50.3. Analysts expect Beijing to respond with additional monetary easing, including interest rate cuts and liquidity injections, to cushion the economy from the impact of tariffs.
READ THE STORY: Reuters
Items of interest
Mexico’s latest cartel war, explained (Video)
FROM THE MEDIA: Betrayal, grisly murders and failed strategies: this is the story of how Mexico’s latest cartel war in Sinaloa state became a “narco pandemic”.
Utah couple arrested, accused of smuggling oil from Mexico worth at least $300 million (Video)
FROM THE MEDIA: A Utah couple was arrested after their company in Texas was raided by the FBI. They are now accused of money laundering and smuggling oil from Mexican cartels.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.