Tuesday, Jun 24, 2025 // (IG): BB // GITHUB // SN R&D
China-Linked Salt Typhoon Group Exploits ScreenConnect in Global Cyber Espionage Campaign
Bottom Line Up Front (BLUF): A Chinese state-sponsored APT group known as Salt Typhoon is actively exploiting vulnerabilities in ScreenConnect, a remote desktop product, to infiltrate organizations across the U.S., Asia, and the Middle East. The campaign has been ongoing since at least February 2024 and primarily targets government and defense-related entities.
Analyst Comments: Salt Typhoon's targeting profile aligns with Beijing’s geopolitical interests, suggesting the group is focused on gathering military, technological, and political intelligence. Organizations relying on remote desktop tools must prioritize patch management and restrict lateral movement to prevent exploitation. The campaign reflects China’s continued investment in cyber capabilities aimed at persistent espionage, especially in regions where competition over strategic influence intensifies.
FROM THE MEDIA: Microsoft has attributed a cyber-espionage campaign exploiting ScreenConnect software vulnerabilities to a Chinese threat actor named Salt Typhoon (formerly Flax Typhoon). The group has been using unpatched software versions to access targeted systems remotely. Once inside, they deploy custom malware and leverage built-in Windows tools to evade detection. Microsoft observed activity focused on government, defense, and IT services sectors, with targets spanning the U.S., Taiwan, and other countries in Asia and the Middle East. The attackers maintain persistent access by using legitimate credentials and creating scheduled tasks. Microsoft has issued mitigation guidance and is working with partners to address the threat.
READ THE STORY: THN
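The report above notes that the intruders keep access by creating scheduled tasks and by running built-in Windows tools. The following is an added example, not code from the article or from Microsoft, of how a defender can triage scheduled-task definitions for that pattern. It assumes task definitions are available as Task Scheduler XML (the Actions/Exec/Command, Actions/Exec/Arguments and Principals/Principal/UserId elements of the real schema, namespaces stripped); the three task records are constructed samples, not real telemetry, and the list of built-in tools and user-writable paths is an assumed starting point to be tuned per environment.

```python
"""Triage scheduled-task definitions for persistence-style entries.

Added example, not from the article. Task XML follows the element names of
the Task Scheduler schema (namespace stripped); all records are constructed.
"""
import ntpath
import xml.etree.ElementTree as ET

# Built-in Windows binaries commonly used to run code without dropping a tool (assumed list)
LOLBINS = {"powershell.exe", "cmd.exe", "rundll32.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "regsvr32.exe", "certutil.exe"}

# Path fragments a standard user can write to; code scheduled from here deserves a look
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

SAMPLE_TASKS = [  # constructed: (task name, author, task XML)
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "SYSTEM", """
      <Task><Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals>
      <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>
      <Arguments>-c -h -o</Arguments></Exec></Actions></Task>"""),
    ("\\Updater", "CORP\\jsmith", """
      <Task><Principals><Principal><UserId>CORP\\jsmith</UserId></Principal></Principals>
      <Actions><Exec><Command>C:\\Users\\Public\\svc.exe</Command>
      <Arguments></Arguments></Exec></Actions></Task>"""),
    ("\\SyncHealth", "CORP\\jsmith", """
      <Task><Principals><Principal><UserId>CORP\\jsmith</UserId></Principal></Principals>
      <Actions><Exec><Command>powershell.exe</Command>
      <Arguments>-w hidden -f C:\\ProgramData\\h.ps1</Arguments></Exec></Actions></Task>"""),
]


def triage_task(name: str, author: str, task_xml: str) -> list[str]:
    """Return the reasons a task definition looks like persistence (empty if none)."""
    root = ET.fromstring(task_xml.strip())
    exec_node = root.find("./Actions/Exec")
    if exec_node is None:
        return []  # no Exec action (e.g. COM handler task); out of scope here
    command = (exec_node.findtext("Command") or "").strip()
    arguments = (exec_node.findtext("Arguments") or "").strip()
    reasons = []
    binary = ntpath.basename(command).lower()
    if binary in LOLBINS:
        reasons.append(f"runs built-in tool {binary}")
    full_command_line = f"{command} {arguments}".lower()
    if any(fragment in full_command_line for fragment in USER_WRITABLE):
        reasons.append("references a user-writable path")
    return reasons


def suspicious_tasks(tasks) -> list[str]:
    """Names of tasks with at least one triage reason, in input order."""
    return [name for name, author, xml in tasks if triage_task(name, author, xml)]


if __name__ == "__main__":
    for name, author, xml in SAMPLE_TASKS:
        print(name, "->", triage_task(name, author, xml) or "clean")
```

The two signals deliberately stay independent: a built-in tool scheduled from a system directory with ordinary arguments may be legitimate, and a custom binary in a user-writable directory is a finding even when no built-in tool is involved. Pair the output with the task author and creation time from the corresponding audit event before escalating.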
Iran Targets Al Udeid Air Base in Qatar, Striking at U.S. Military Command in the Gulf
Bottom Line Up Front (BLUF): Iran launched a missile barrage against Al Udeid Air Base in Qatar, home to U.S. Central Command’s Combined Air Operations Center (CAOC), in a significant escalation of hostilities in the Middle East. While Qatari defenses intercepted the attack, the strike represents an unprecedented direct assault on one of the most strategically important U.S. military facilities in the region.
Analyst Comments: Although interception systems successfully defended the base, the move raises the threat of future hybrid tactics—potentially including cyber operations—against command-and-control centers like Al Udeid. The base's operational sensitivity, especially its digital command and surveillance capabilities, makes it a prime candidate for kinetic and cyber sabotage. Regional cybersecurity posture must now include contingency planning for coordinated multi-domain attacks on defense logistics hubs.
FROM THE MEDIA: Iran fired multiple missiles at Al Udeid Air Base, the largest U.S. military installation in the Middle East, in retaliation for U.S.-Israeli airstrikes on Iranian nuclear facilities. Satellite imagery preceding the strike showed the U.S. had relocated most of its aircraft, leaving only three on-site as of June 19. Qatar’s Ministry of Defense confirmed that all incoming missiles were successfully intercepted. Al Udeid serves as the nerve center for U.S. air operations across the region and houses UK Royal Air Force assets. While no damage was reported, the strike has triggered heightened alert across Gulf military installations. Bahrain, home to the U.S. Fifth Fleet, suspended its airspace temporarily as a precaution.
READ THE STORY: FT
Iran-Linked Group Conducts Cyberattack on Albanian Government Systems
Bottom Line Up Front (BLUF): Albania has confirmed a cyberattack on its government IT infrastructure, which officials attribute to an Iran-linked threat group. The attack briefly disrupted public services and is the latest in a series of state-sponsored operations targeting Albania due to its diplomatic ties with Iranian opposition groups.
Analyst Comments: The repeated targeting of Albanian infrastructure demonstrates Tehran’s use of cyber operations as a coercive diplomatic tool. While the operational disruption appears limited, the strategic message is clear: small nations engaging in adversarial diplomacy with Iran remain vulnerable. Western-aligned countries with contentious Iran relations should anticipate similar low-intensity but persistent cyber threats.
FROM THE MEDIA: Albania's National Authority for Electronic Certification and Cyber Security (AKCESK) confirmed a cyberattack that impacted several state services. Initial investigations suggest the involvement of Iranian state-linked actors, although no specific group has been named publicly. This is not the first such attack—Albania previously severed diplomatic ties with Iran in 2022 following a major cyberattack attributed to the Iranian group "Homeland Justice". Authorities stated that systems were quickly restored, and no sensitive data was reported stolen. The attack comes amid heightened regional tensions and could signal a resurgence of cyber pressure on Western-aligned Balkan states.
READ THE STORY: The Record
Ford Struggles to Secure Rare-Earth Magnets Despite U.S.-China Export Deal
Bottom Line Up Front (BLUF): Ford Motor Company faces severe shortages of rare-earth magnets essential for EV production, despite a recent U.S.-China agreement to ease export controls. The situation remains precarious, with automakers warning of potential factory shutdowns due to the fragile supply chain.
Analyst Comments: China’s control over 90% of rare-earth magnet production gives it enormous geopolitical leverage, particularly over Western defense and EV sectors. As EV and renewable technologies expand, supply vulnerabilities like these could become prime targets for cyber-enabled economic disruption or industrial espionage. Until alternative sources or domestic production capacities are developed, automakers will remain highly exposed to political and cyber risks tied to China’s export policies.
FROM THE MEDIA: Ford continues to struggle with obtaining rare-earth magnets, despite a U.S.-China deal struck earlier this month to resume limited exports. Lisa Drake, Ford’s VP of industrial planning for EVs, described the situation as “hand to mouth,” indicating an unstable supply that caused one production halt in May. The magnets, including elements like dysprosium and terbium, are critical to operating high-performance EV motors. While some supply has resumed, auto executives say approvals for export licenses remain sluggish. China began enforcing new export rules in April, cementing its dominant position in this essential materials market. The temporary U.S.-China deal lasts six months, raising concerns about long-term supply reliability and strategic dependency.
READ THE STORY: WSJ
Ex-JBLM Soldier Accused of Leaking U.S. Military Network Access Details to China
Bottom Line Up Front (BLUF): A former U.S. Army soldier stationed at Joint Base Lewis-McChord (JBLM) has been arrested for allegedly attempting to provide sensitive U.S. military network access credentials to a Chinese intelligence officer. The Department of Justice confirmed charges of conspiracy to communicate national defense information.
Analyst Comments: As geopolitical tensions with China intensify, espionage attempts, including efforts to compromise network infrastructure from within, are likely to increase. The breach highlights the need for improved insider threat detection, enhanced access controls, and continuous behavioral monitoring across Department of Defense networks.
FROM THE MEDIA: Federal authorities arrested a former U.S. Army soldier for allegedly leaking classified information about military networks to a person he believed to be a Chinese intelligence agent. The suspect, who served at Joint Base Lewis-McChord in Washington, is accused of attempting to transmit login credentials, system diagrams, and configuration data relevant to U.S. defense networks. The Department of Justice stated that the soldier knowingly conspired to deliver information that could harm national security. He now faces multiple federal charges under the Espionage Act and could face decades in prison if convicted. Officials emphasized that the investigation remains ongoing and may involve additional actors.
READ THE STORY: GBhackers
Hackers Exploit Misconfigured Docker APIs to Deploy Cryptocurrency Miners
Bottom Line Up Front (BLUF): Cybercriminals are exploiting publicly exposed and misconfigured Docker Engine APIs to deploy cryptocurrency mining malware on Linux servers. The attacks involve spinning up malicious containers to mine Monero (XMR), consuming system resources and leaving compromised servers open to further exploitation.
Analyst Comments: Misconfigured Docker environments offer attackers a low-friction entry point, especially in DevOps pipelines where default settings often remain unchanged. These exploits typically go undetected for long periods, allowing extensive resource abuse. As part of a secure DevSecOps framework, organizations must adopt strict access controls, disable public API exposure, and monitor for unauthorized container activity.
FROM THE MEDIA: Threat actors are actively scanning for and exploiting misconfigured Docker Engine APIs left exposed to the internet without authentication. Once identified, attackers deploy malicious containers that mine Monero (XMR), generating profit by hijacking system CPU resources. The attack infrastructure includes command-and-control servers, obfuscated bash scripts, and persistence mechanisms to evade detection. Security researchers found that the same IPs used for scanning also distribute known Linux-based malware like Kinsing. Docker Inc. has urged users to review configuration settings and ensure that Docker daemons are inaccessible over unsecured networks.
READ THE STORY: THN
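The Analyst Comments above call for disabling public API exposure and monitoring for unauthorized container activity. The following is an added example, not code from the article or from Docker Inc., showing both sides of that advice: an audit of a daemon.json for an unauthenticated TCP listener (the `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are real dockerd options; the two configurations are constructed), and an allow-list check over container-creation events. The event lines are constructed in the shape I assume `docker events --format '{{json .}}'` emits (`Type`, `Action`, `Actor.Attributes.image`); adjust the field names if your engine version differs.

```python
"""Audit Docker daemon exposure and flag unexpected container creations.

Added example, not from the article or from Docker. Configurations and event
lines are constructed for illustration.
"""
import json

PLAINTEXT_API_PORT = "2375"  # conventional unencrypted Engine API port
ALL_INTERFACES = {"", "0.0.0.0", "[::]", "::"}

WEAK_DAEMON_JSON = json.dumps({
    # constructed: API reachable on every interface, no TLS client authentication
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

HARDENED_DAEMON_JSON = json.dumps({
    # constructed: management interface only, mutual TLS required
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(raw_json: str) -> list[str]:
    """Return findings about network exposure of the Engine API; empty means none found."""
    cfg = json.loads(raw_json)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local to the host
        address = host[len("tcp://"):]
        ip, _, port = address.rpartition(":")
        if ip in ALL_INTERFACES:
            findings.append(f"{host}: API bound to all interfaces")
        if not tls_verify:
            findings.append(f"{host}: TCP listener without tlsverify (no client auth)")
        if port == PLAINTEXT_API_PORT:
            findings.append(f"{host}: plaintext API port {PLAINTEXT_API_PORT} in use")
    if tls_verify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify set but {key} missing")
    return findings


SAMPLE_EVENTS = [  # constructed; field layout assumed from `docker events` JSON output
    '{"Type":"container","Action":"create","Actor":{"ID":"a1","Attributes":{"image":"registry.example.com/app:1.4","name":"web"}}}',
    '{"Type":"container","Action":"start","Actor":{"ID":"a1","Attributes":{"image":"registry.example.com/app:1.4","name":"web"}}}',
    '{"Type":"container","Action":"create","Actor":{"ID":"b2","Attributes":{"image":"docker.io/library/alpine:latest","name":"tmp01"}}}',
    '{"Type":"image","Action":"pull","Actor":{"ID":"docker.io/library/alpine:latest","Attributes":{"name":"alpine"}}}',
]


def unexpected_containers(event_lines, allowed_image_prefixes) -> list[tuple[str, str]]:
    """(container name, image) for every container created from a non-allow-listed image."""
    hits = []
    prefixes = tuple(allowed_image_prefixes)
    for line in event_lines:
        event = json.loads(line)
        if event.get("Type") != "container" or event.get("Action") != "create":
            continue
        attributes = event.get("Actor", {}).get("Attributes", {})
        image = attributes.get("image", "")
        if not image.startswith(prefixes):
            hits.append((attributes.get("name", "?"), image))
    return hits


if __name__ == "__main__":
    print("weak:", audit_daemon_config(WEAK_DAEMON_JSON))
    print("hardened:", audit_daemon_config(HARDENED_DAEMON_JSON))
    print("unexpected:", unexpected_containers(SAMPLE_EVENTS, ["registry.example.com/"]))
```

The allow-list is keyed on image prefix rather than container name because an intruder controls the name but not your internal registry; a `create` from an image outside it is the earliest point in the `docker events` stream where the activity the article describes becomes visible.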
Iran Threatens Strait of Hormuz Closure, Escalating Oil and Cybersecurity Risks
Bottom Line Up Front (BLUF): Iran’s parliament has reportedly approved a measure to close the Strait of Hormuz following joint U.S.-Israeli strikes on Iranian nuclear facilities. Although actual closure remains under the authority of Iran's top security officials, the threat has already driven oil prices up and sparked global concerns about both kinetic and cyber disruptions to maritime and energy infrastructure.
Analyst Comments: While a complete blockade would provoke direct military confrontation, Iran will likely use asymmetric tactics—including cyberattacks on shipping navigation systems and port logistics—to disrupt oil flows without inviting outright war. Given the regional tensions and Iran’s growing digital warfare capabilities, maritime logistics, energy, and transportation organizations must prepare for both physical and cyber operational impacts.
FROM THE MEDIA: Iranian lawmakers have threatened to close the Strait of Hormuz in retaliation for U.S. support of Israeli airstrikes on Iranian nuclear facilities. Although actual closure authority rests with national security officials, the mere threat caused Brent crude oil prices to spike 3.2% to $79.50 per barrel. Nearly 20% of global oil and a significant share of liquefied natural gas pass through the strait, making it a critical conduit for global energy markets. U.S. Navy officials and shipping executives warn that any disruption could trigger a prolonged crisis, with potential tactics ranging from naval mines to swarming boat attacks or cyber sabotage of maritime systems. While tanker traffic remained normal as of Sunday, energy analysts and military experts caution that continued escalation could lead to physical and digital threats to oil infrastructure in and beyond the region.
READ THE STORY: WSJ
UAC-0001 Hackers Target Industrial Control Systems in Coordinated Cyber Campaign
Bottom Line Up Front (BLUF): A threat group tracked as UAC-0001 actively targets Industrial Control Systems (ICS) with phishing and malware campaigns aimed at energy, water, and manufacturing sectors. The attackers are deploying customized malware to access operational technology (OT) networks, posing a significant risk to critical infrastructure.
Analyst Comments: Targeting ICS devices indicates a strategic intent to disrupt essential services or gather intelligence on industrial operations. UAC-0001’s tactics, including tailored malware and spear-phishing, suggest a well-resourced actor capable of long-term infiltration. If successful, such campaigns could enable sabotage, ransomware deployment, or even physical damage to systems, underlining the urgent need for ICS-specific threat detection and segmentation.
FROM THE MEDIA: Cybersecurity researchers have identified a new wave of attacks from the UAC-0001 group, a threat actor previously linked to infrastructure-related espionage. The attackers are leveraging phishing emails with malicious attachments to infiltrate industrial organizations. Once inside, they deploy specialized malware capable of interacting with SCADA systems, data historians, and programmable logic controllers (PLCs). The malware supports lateral movement within OT networks and is designed to exfiltrate sensitive industrial data. Security experts warn that the group will likely conduct reconnaissance for more destructive follow-up attacks or sell access to other actors.
READ THE STORY: GBhackers
APT28 Uses Signal Chat to Deploy BEARDSHELL and COVENANT Malware in Ukraine
Bottom Line Up Front (BLUF): Russia-linked threat actor APT28 (UAC-0001) has been observed using Signal messages to distribute malicious Microsoft Word documents that deploy two custom malware families—BEARDSHELL and COVENANT—targeting Ukrainian government entities. CERT-UA attributes the campaign to a broader effort exploiting vulnerabilities in outdated webmail platforms.
Analyst Comments: The deployment of BEARDSHELL via COVENANT highlights modular attack capabilities designed for persistence, data exfiltration, and system control. Combined with prior exploitation of Roundcube and Horde webmail platforms, the campaign reveals a sustained focus on Ukrainian public infrastructure. To counter these advanced tactics, organizations using legacy systems must prioritize patching, macro prevention policies, and secure messaging monitoring.
FROM THE MEDIA: Ukraine’s CERT-UA disclosed a campaign attributed to APT28, in which attackers used Signal chat messages to deliver macro-laced Word documents to Ukrainian government targets. The document, named “Акт.doc”, drops a malicious DLL and PNG file, leveraging registry edits to persist and execute a memory-resident malware framework named COVENANT. This framework, in turn, downloads the BEARDSHELL backdoor, written in C++ and capable of executing PowerShell scripts and communicating with remote servers via the Icedrive API. The campaign is linked to earlier breaches involving XSS and SQL injection exploits in Roundcube (CVE-2020-35730, CVE-2021-44026, CVE-2020-12641), with over 40 Ukrainian entities reportedly targeted. CERT-UA recommends monitoring domains like api.icedrive[.]net and app.koofr[.]net for threat indicators.
READ THE STORY: THN
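CERT-UA's recommendation above is to watch for the two listed domains. The following is an added example, not code from the advisory or from CERT-UA, of a small indicator scanner: it refangs the `[.]`-defanged hosts exactly as printed above, builds a matcher that accepts each host or a subdomain of it but not a lookalike that merely embeds it, and runs it over log lines. The log lines are constructed samples in a generic key=value layout, not real telemetry.

```python
"""Scan proxy/DNS log lines for the indicator domains listed in the article.

Added example, not from the advisory. Indicators are the two defanged hosts
from the article; every log line below is constructed.
"""
import re

DEFANGED_INDICATORS = ["api.icedrive[.]net", "app.koofr[.]net"]

SAMPLE_LOG_LINES = [  # constructed sample lines
    "2025-06-24T09:12:01Z proxy src=10.1.4.22 dst=api.icedrive.net:443 method=CONNECT",
    "2025-06-24T09:12:05Z dns client=10.1.4.22 query=app.koofr.net type=A",
    "2025-06-24T09:13:10Z proxy src=10.1.4.23 dst=updates.example.com:443 method=CONNECT",
    "2025-06-24T09:14:00Z dns client=10.1.4.24 query=cdn.icedrive.net type=A",
    "2025-06-24T09:15:00Z dns client=10.1.4.25 query=api.icedrive.net.evil.example type=A",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (api.icedrive[.]net) back into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()


def build_matcher(indicators) -> re.Pattern:
    """Regex that matches each indicator host, or a subdomain of it, as a whole name.

    The trailing lookahead rejects 'api.icedrive.net.evil.example', where the
    indicator is only an embedded prefix of a longer, unrelated name.
    """
    alternatives = []
    for indicator in indicators:
        host = re.escape(refang(indicator))
        alternatives.append(r"(?<![\w-])(?:[\w-]+\.)*" + host + r"(?![\w-]|\.[\w-])")
    return re.compile("|".join(alternatives), re.IGNORECASE)


def scan_lines(lines, indicators=DEFANGED_INDICATORS) -> list[dict]:
    """Return one record per line that contains an indicator host."""
    matcher = build_matcher(indicators)
    hits = []
    for line in lines:
        match = matcher.search(line)
        if match:
            hits.append({"host": match.group(0).lower(), "line": line})
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG_LINES):
        print(hit["host"], "<-", hit["line"])
```

Only the two listed hosts (and their subdomains) match; `cdn.icedrive.net` is deliberately not flagged because the advisory names `api.icedrive[.]net`, not the parent domain. Since the article describes the backdoor talking to a cloud-storage API, a hit is a triage lead rather than proof of compromise: confirm the source host and the volume and timing of the traffic before escalating.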
Items of interest
‘LAPDOGS’ Hackers Compromise 1,000+ SOHO Devices in Global Espionage Operation
Bottom Line Up Front (BLUF): A threat actor group known as LAPDOGS has compromised over 1,000 small office/home office (SOHO) routers globally, turning them into a covert espionage network. The campaign targets journalists, academics, and government personnel, enabling persistent surveillance through compromised infrastructure.
Analyst Comments: The LAPDOGS campaign represents a growing shift in cyber-espionage tactics: exploiting under-secured SOHO devices outside of traditional enterprise perimeters. By targeting personal and small-business routers, attackers avoid conventional detection mechanisms and gain long-term access to high-value targets. This decentralized infrastructure also makes attribution and takedown efforts more difficult. The campaign reflects advanced planning and could signal similar efforts by other APTs seeking low-profile surveillance vectors across loosely defended endpoints.
FROM THE MEDIA: The attackers use the compromised routers as proxy nodes to mask command-and-control traffic and exfiltrate sensitive data. Victims reportedly include individuals in the journalism, political, and academic sectors. The malware deployed maintains persistence, routes traffic through encrypted tunnels, and enables passive interception of internet activity. Security researchers note that the attackers avoid high-profile vulnerabilities, instead exploiting outdated firmware and default credentials. The campaign is ongoing, and the true extent of surveillance remains unclear.
READ THE STORY: GBhackers
Firmware Extraction and Hardcoded Password Discovery - Hacking the Mercusys MB110 (Video)
FROM THE MEDIA: Research project focused on analyzing the Mercusys MB110 IoT device through firmware extraction and vulnerability assessment.
How China Is Building an Army of Hackers (Video)
FROM THE MEDIA: China and the US constantly struggle for information, using cyber espionage to gain a strategic advantage. Recently leaked files have shed light on rapid advances in China’s cyber capabilities as both nations prepare for any future conflict.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.