Thursday, Jun 12, 2025 // (IG): BB // GITHUB // SN R&D
SentinelOne Links ShadowPad and PurpleHaze Malware Campaigns to China-Aligned Threat Actors
Bottom Line Up Front (BLUF): SentinelOne researchers have attributed a series of cyberattacks leveraging ShadowPad and PurpleHaze malware to China-aligned threat actors. The campaign targets critical infrastructure and industrial control systems (ICS) across Southeast Asia and other strategic regions.
Analyst Comments: The dual use of ShadowPad (a modular backdoor) and PurpleHaze (a newer loader framework) suggests a coordinated evolution in Chinese cyber capabilities aimed at long-term access and espionage. These tools provide stealth and persistence, aligning with Beijing’s regional influence and information dominance goals. As ICS environments remain poorly defended relative to IT networks, such campaigns will likely intensify unless mitigated through cross-sector threat intelligence sharing and hardened OT cybersecurity practices.
FROM THE MEDIA: SentinelOne’s latest report details a sophisticated malware campaign utilizing ShadowPad and PurpleHaze, two tools frequently associated with Chinese cyber espionage groups. The attacks reportedly began in late 2023 and have continued into 2025, targeting telecommunications, energy, and transportation entities. ShadowPad is known for its modular design and ability to persist within networks for extended periods, while PurpleHaze is a custom loader developed for use in advanced operations. SentinelOne's telemetry links these tools to known Chinese APT groups, suggesting cooperation or tool-sharing within a broader strategic framework. The report notes that the attackers prioritized stealth, employing encrypted C2 channels and mimicking legitimate software behaviors to evade detection.
READ THE STORY: Industrial
Cyber and Strategic Leverage Over Russia Raises Concerns Amid Geopolitical Realignments
Bottom Line Up Front (BLUF): A recent Defence Blog analysis underscores growing Western concern over China's influence on Russia, particularly through technological and cyber dependencies. The article argues that if China were to withdraw its support, Russia’s capacity to sustain military operations and domestic stability could be critically undermined.
Analyst Comments: Russia's increasing reliance on Chinese technology—including electronics, semiconductors, and dual-use cyber capabilities—makes it vulnerable to strategic pressure from Beijing. This interdependence could reshape global cyber alliances, with China potentially leveraging its technological dominance as a geopolitical bargaining tool. Western policymakers may need to reevaluate cybersecurity strategies in light of this evolving axis, especially as sanctions isolate Russia from Western tech markets. The alignment also signals the emergence of a new cyber power bloc that could challenge NATO-aligned frameworks.
FROM THE MEDIA: Experts argue that China now functions as an essential lifeline for Russia, especially in the wake of Western sanctions following the invasion of Ukraine. The analysis emphasizes that China supplies critical technology, including consumer electronics and industrial equipment, which Russia repurposes for military and infrastructure needs. The article quotes a senior analyst stating, “Without China, Russia collapses—economically, technologically, and militarily.” The report highlights growing unease in NATO circles about this dependence, as it provides China with significant leverage over Russia's strategic direction. This power dynamic is increasingly visible in cyber operations, trade dependencies, and supply chain logistics.
READ THE STORY: Defence Blog
China and Taiwan Exchange Cybersecurity Accusations Amid Rising Cross-Strait Tensions
Bottom Line Up Front (BLUF): China and Taiwan have publicly accused each other of conducting cyberattacks on government networks and critical infrastructure, escalating an already tense geopolitical standoff. The accusations, reported by The Diplomat, reflect growing concerns over state-sponsored cyber operations as a front in cross-strait competition.
Analyst Comments: These mutual accusations are part of a broader trend where cyber conflict mirrors—and potentially foreshadows—military or political escalation. Taiwan’s assertion that China targets civilian infrastructure suggests a shift toward more aggressive and disruptive cyber posturing. Meanwhile, China's counterclaims may serve a dual purpose: discrediting Taiwan’s security posture and justifying its cyber operations under the guise of retaliation. As elections and global tech decoupling intensify regional frictions, expect cyber incidents to grow in frequency and strategic messaging value.
FROM THE MEDIA: Taiwan's Ministry of Digital Affairs has blamed Chinese state-sponsored hackers for a string of cyberattacks on government agencies and infrastructure operators in recent months. In response, Beijing’s Ministry of Foreign Affairs accused Taiwan of fabricating claims and orchestrating cyberattacks on mainland systems with the help of "external actors," an apparent reference to U.S. or allied intelligence agencies. The report notes that Taiwan’s cybersecurity defense units have recorded an uptick in phishing campaigns and data exfiltration attempts linked to Chinese IP ranges and to tooling associated with APT groups such as APT41. These events come as Taiwan prepares for critical legislative sessions and China steps up military maneuvers in the Taiwan Strait.
READ THE STORY: The Diplomat
Russia's Strategic Signaling: Baltic Recognition Becomes New Precondition for Ending Ukraine War
Bottom Line Up Front (BLUF): The Russian government is now signaling that recognition of its geopolitical influence over the Baltic states could become a precondition for negotiating an end to the war in Ukraine. According to a detailed analysis by the Lansing Institute, this escalates Russia's strategic demands and raises concerns about broader regional destabilization.
Analyst Comments: By linking the Ukraine conflict to the status of NATO-member Baltic states, Moscow is expanding the scope of its geopolitical leverage and testing Western unity. This shift may indicate that the Kremlin sees protracted conflict and psychological pressure as tools for reshaping post-Cold War borders and influence spheres. Such rhetoric could justify expanded cyber and hybrid operations against Lithuania, Latvia, and Estonia. Expect increased NATO surveillance, cyber hardening, and potential red-line recalibrations in Eastern Europe.
FROM THE MEDIA: Moscow has begun floating new diplomatic narratives suggesting that Western acknowledgment of Russia’s "security interests" in the Baltic states should be considered in any future peace negotiations over Ukraine. This strategic signaling is interpreted as an attempt to force long-term geopolitical concessions beyond Ukraine. Analysts cited in the report view the move as an evolution of Russia’s hybrid warfare doctrine, blending conventional military aggression with diplomatic and informational pressure. The article also notes increased Russian military posturing near Kaliningrad and a surge in disinformation campaigns aimed at delegitimizing Baltic governments and NATO presence in the region.
READ THE STORY: RLI
Semiconductors Identified as Critical Infrastructure Vulnerability in U.S. Supply Chain
Bottom Line Up Front (BLUF): A new report from Homeland Security Today highlights semiconductors as a key vulnerability in the U.S. critical infrastructure ecosystem. The analysis warns that heavy reliance on foreign manufacturing, especially in Taiwan and South Korea, exposes American industries and national security to geopolitical and cyber risks.
Analyst Comments: Semiconductor supply chain fragility poses a serious cyber and operational threat, particularly as global tensions with China persist. Disruptions—whether from geopolitical conflict, natural disasters, or cyberattacks—could severely impact sectors from defense to healthcare. While U.S. initiatives like the CHIPS Act aim to bolster domestic production, timelines for onshoring fabrication capabilities stretch into the late 2020s, leaving a multi-year vulnerability gap. In the interim, adversaries may exploit this dependency through espionage, supply chain attacks, or strategic pressure on supplier nations.
FROM THE MEDIA: The backbone of modern digital infrastructure remains primarily manufactured abroad, with the U.S. producing only around 12% of the global supply. The article cites DHS officials and analysts who emphasize the risks posed by potential cyber intrusions, physical sabotage, or trade restrictions targeting foreign chip suppliers. The piece notes that semiconductors are deeply embedded across critical infrastructure sectors, including telecommunications, energy, and defense systems. The report draws attention to the increasing urgency of federal programs to strengthen domestic manufacturing, citing recent funding efforts and public-private partnerships under the CHIPS and Science Act. Despite these efforts, the article warns that the window of vulnerability remains significant and must be closely monitored.
READ THE STORY: HS TODAY
Over 40,000 Security Cameras Vulnerable to Remote Hacking via Unpatched Flaws
Bottom Line Up Front (BLUF): Over 40,000 internet-connected security cameras are vulnerable to remote attacks due to unpatched critical flaws in the firmware of TBK Vision devices, widely deployed across enterprises and public infrastructure. Attackers can exploit these vulnerabilities without authentication to gain complete control over the devices.
Analyst Comments: This widespread vulnerability demonstrates the ongoing risk of insecure IoT deployments, particularly in physical security infrastructure. The affected cameras are often used in sensitive environments, raising concerns about espionage, unauthorized surveillance, or lateral network movement. Without vendor patches or device replacement, these systems remain soft targets for cybercriminals or state-sponsored actors. The incident reinforces the need for better lifecycle management of connected devices, especially those integral to security operations.
FROM THE MEDIA: Researchers discovered that over 40,000 TBK Vision security cameras are exposed online and vulnerable to unauthenticated remote code execution (RCE) due to critical firmware flaws. The issues stem from hardcoded credentials and outdated web server software, allowing attackers to control the devices fully. These cameras are deployed globally across government buildings, hospitals, and retail environments. Despite multiple notifications, the vendor has issued no firmware updates, and the devices continue to be listed on Shodan. Experts warn that the vulnerability may already be exploited in the wild, posing a significant risk to privacy and facility integrity.
READ THE STORY: Security Affairs
UK Accuses Russian GRU of Cyberattacks on Global Logistics and Technology Sectors
Bottom Line Up Front (BLUF): The UK government has officially attributed a series of cyberattacks targeting global logistics and technology organizations to Russia’s military intelligence agency, the GRU. These operations, which have been active since at least 2022, are reportedly focused on espionage and disruption of supply chain networks.
Analyst Comments: This attribution aligns with broader patterns of Russian cyber activity aimed at weakening Western infrastructure and intelligence capabilities. Targeting logistics and tech firms suggests a strategic intent to undermine supply chain resilience and gather intelligence on defense-related industries. With the UK's public attribution, international pressure may grow for coordinated cybersecurity defenses and potential sanctions. These revelations are a warning to industries critical to global operations to tighten defenses against nation-state actors.
FROM THE MEDIA: The UK’s National Cyber Security Centre (NCSC) formally accused the GRU, specifically its cyber unit APT28, of orchestrating sustained cyberattacks against logistics, transportation, and technology organizations. The campaign reportedly involved phishing, credential theft, and exploitation of publicly known vulnerabilities to infiltrate networks across Europe and the United States. Officials noted that some of the activity aimed to gather intelligence on sanctions enforcement and military supply chains. The UK government has summoned the Russian ambassador and vowed to work with allies to impose diplomatic and cyber countermeasures. The NCSC emphasized that affected organizations must prioritize patching and email security to reduce exposure to similar threats.
READ THE STORY: MSN
Rare Werewolf APT Targets Russian Firms Using Legitimate Software in Covert Espionage Campaign
Bottom Line Up Front (BLUF): A newly identified advanced persistent threat (APT) group dubbed Rare Werewolf is targeting Russian firms using legitimate remote administration tools (RATs) to conduct cyber-espionage. The attackers disguise their operations by leveraging widely used software, complicating detection and attribution.
Analyst Comments: Using legitimate remote-access software such as Ammyy Admin and TeamViewer for malicious purposes is part of a broader trend in APT tradecraft, which increasingly prioritizes stealth and persistence over speed. That Rare Werewolf is focusing on Russian entities suggests a shift in traditional geopolitical targeting norms, possibly signaling intra-bloc surveillance or false-flag operations. The campaign also highlights how adversaries blur the line between IT support tools and cyberweapons. Continued abuse of legitimate tools may prompt vendors and defenders to rethink trust models and behavioral baselining for endpoint activity.
FROM THE MEDIA: Cybersecurity firm F.A.C.C.T. uncovered a sophisticated espionage campaign against Russian companies conducted by a group labeled Rare Werewolf. Active since 2023, the group deploys benign-looking RATs such as RMS, Ammyy Admin, and occasionally TeamViewer, which are often used for remote IT support. The attackers reportedly install the software under the guise of updates or internal tools, then use it to monitor systems, exfiltrate data, and maintain long-term access. The campaign appears targeted rather than widespread, affecting select firms in sectors like manufacturing and telecommunications. F.A.C.C.T. notes the campaign’s high operational security and malware avoidance, making it difficult to detect using traditional antivirus tools.
READ THE STORY: The 420
Items of interest
Russia’s FSB Allegedly Exploiting Telegram Infrastructure to Undermine Privacy
Bottom Line Up Front (BLUF): CyberNews reports that Russia's Federal Security Service (FSB) is leveraging access to Telegram’s infrastructure to de-anonymize users and monitor dissent. Through data requests, pressure on local ISPs, and legal mechanisms, the FSB appears to be eroding Telegram's privacy assurances, especially for users within Russian territory.
Analyst Comments: The FSB’s expanding influence over digital platforms like Telegram illustrates how authoritarian regimes are repurposing private communication tools for domestic surveillance. While Telegram touts its privacy features, users in restrictive environments may face significant risk from localized infrastructure and legal compromises. This development raises alarms about the security of encrypted apps in jurisdictions where government pressure overrides technological safeguards. Users, activists, and businesses operating in or around Russia should reassess the threat landscape and consider safer alternatives for secure communication.
FROM THE MEDIA: Russia’s FSB is actively exploiting legal and infrastructural control points to compromise the privacy of Telegram users. The report details that, while Telegram's encryption remains technically robust, the FSB has found ways to access user metadata and identify users through IP tracking, social engineering, and pressure on ISPs and data centers. Experts in the article suggest this surveillance effort is part of a broader campaign to suppress political opposition and monitor anti-Kremlin activities. The article highlights past incidents where Telegram channels critical of the government were infiltrated or shut down, possibly using this expanded surveillance capability. CyberNews also warns that even perceived secure messaging apps are vulnerable when hosted or operated under regimes with coercive digital powers.
READ THE STORY: CyberNews
How is Telegram connected to the FSB? And what does this mean for you? (Video)
FROM THE MEDIA: This story is important for a billion people — each of whom, likely including you, has no idea what kind of Trojan horse they’re carrying in their pocket. It’s trusted by people in Russia, Ukraine, the United States, India, and many other countries. With its help, terrorists plan attacks and Russian security services recruit agents for sabotage abroad.
Who is the Russian billionaire founder of Telegram? (Video)
FROM THE MEDIA: On Saturday 24 August 2024, the billionaire founder of the Telegram social media and messaging app, Pavel Durov, was arrested by French authorities as he disembarked from his private jet near Paris on his way from Azerbaijan.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.