Wednesday, Jun 25, 2025 // (IG): BB // GITHUB // SN R&D
China to Showcase Cyberspace, Aerospace, and Info-Support Forces in Landmark September Military Parade
Bottom Line Up Front (BLUF): China will debut its newly structured information support, aerospace, and cyberspace forces during a military parade in Beijing on September 3, 2025. The event marks the 80th anniversary of victory over Japanese aggression and signals the People's Liberation Army's (PLA) growing emphasis on high-tech, integrated warfare capabilities.
Analyst Comments: By publicly showcasing these new forces, Beijing is signaling its digital warfare capabilities' operational maturity and focus on information dominance in future conflicts, including unmanned systems, hypersonic weapons, and cyber warfare tools, which reflect China’s ambition to match or surpass peer adversaries in multi-domain operations. This public display may also serve as a form of cyber deterrence, especially amid rising global tensions involving Taiwan and the South China Sea.
FROM THE MEDIA: China will hold a military parade on September 3, 2025, at Tiananmen Square to commemorate the 80th anniversary of the victory against fascism and Japanese aggression. The parade will feature the debut of the PLA’s information support, cyberspace, and aerospace forces—newly reorganized units reflecting the PLA’s strategic shift toward integrated joint operations. Senior military officials stated the parade will include unmanned combat systems, underwater assets, cyber warfare tools, and hypersonic weapons. These updates stem from sweeping reforms that disbanded the former Strategic Support Force and reassigned capabilities under direct Central Military Commission (CMC) command. Experts say this signals increased transparency and confidence in China’s advanced military capabilities.
READ THE STORY: GT (State Sponsored)
Over 70 Microsoft Exchange Servers Compromised by Keylogger Attacks Exploiting Legacy Flaws
Bottom Line Up Front (BLUF): Unidentified threat actors have compromised over 70 Microsoft Exchange servers across 26 countries by injecting JavaScript keyloggers into Outlook Web Access login pages. The campaign, first observed in 2024, leverages known Exchange vulnerabilities—particularly ProxyShell and ProxyLogon—to steal credentials undetected.
Analyst Comments: By embedding JavaScript-based keyloggers directly into Exchange login pages, attackers evade traditional detection tools and maintain long-term access. The campaign’s global scope and use of Telegram bots and DNS tunneling for exfiltration suggest a highly coordinated operation with espionage objectives. Organizations with public-facing Exchange servers must urgently verify patch status and monitor for unauthorized page modifications.
FROM THE MEDIA: The attackers exploited vulnerabilities such as CVE-2021-26855 (ProxyLogon), CVE-2021-34473 (ProxyShell), and others dating back as far as 2014. Once inside, they injected JavaScript into the login interface to capture usernames and passwords—either storing the data locally or exfiltrating it via Telegram or DNS tunnels. Affected entities span government, industrial, and logistics sectors, with notable concentrations in Vietnam, Russia, Taiwan, and Lebanon. The attackers remain unidentified, and some servers appear to have been compromised since 2021, highlighting both the longevity and stealth of the campaign.
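One concrete way to act on the recommendation to monitor for unauthorized page modifications is a file-integrity check on the OWA logon page that also enumerates every script element it contains. The following is an added illustration, not code from the report or from Microsoft: it runs over two constructed HTML strings standing in for a logon page file, and the baseline hash and the allowlist of script sources are assumptions a defender would record from a known-good server build.

```python
"""Check an OWA-style logon page for content drift and unexpected <script> elements.

Added example; the sample pages, the baseline hash and the allowlist are all
constructed for illustration and are not real Exchange artifacts.
"""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collects external script sources (src=) and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= attributes
        self.inline = []        # text of inline <script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_login_page(html: str, baseline_hash: str, allowed_src: set) -> dict:
    """Return findings: hash drift, non-allowlisted external scripts, inline scripts.

    A logon page served from a known-good build should have no inline scripts
    and only allowlisted external ones, so any of the three is worth a ticket.
    """
    p = _ScriptCollector()
    p.feed(html)
    changed = sha256_hex(html) != baseline_hash
    unexpected = [s for s in p.external if s not in allowed_src]
    return {
        "hash_changed": changed,
        "unexpected_external_scripts": unexpected,
        "inline_script_count": len(p.inline),
        "suspicious": changed or bool(unexpected) or bool(p.inline),
    }


# Constructed sample pages (not real Exchange files); the script path is made up.
CLEAN_PAGE = """<html><head>
<script src="/owa/auth/scripts/flogon.js"></script>
</head><body><form id="logonForm"></form></body></html>"""

# The "tampered" copy differs only by an appended inline script; a harmless
# comment stands in for whatever an attacker would actually inject.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</form>",
    "</form><script>/* constructed marker standing in for injected code */</script>",
)

ALLOWED_SRC = {"/owa/auth/scripts/flogon.js"}   # assumed allowlist from a clean build
BASELINE = sha256_hex(CLEAN_PAGE)                # assumed baseline recorded at deploy time

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, audit_login_page(page, BASELINE, ALLOWED_SRC))
```

In practice the baseline would be taken from the server's OWA auth directory right after patching, and the check scheduled so that a hash change, a new inline script or a script source outside the allowlist raises an alert independent of whatever the injected code does.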
READ THE STORY: THN
Iranian-Backed Hackers Intensify Cyber Activity Following U.S. Military Strikes
Bottom Line Up Front (BLUF): According to U.S. officials, Iranian-linked cyber groups have escalated their operations in retaliation for recent U.S. military strikes. The campaigns target American infrastructure and private sector entities to signal resilience and capability despite kinetic losses.
Analyst Comments: Tehran uses proxy hacker groups to maintain plausible deniability while exerting pressure on the U.S. through asymmetric digital means. These cyber actions likely serve propaganda and operational purposes—signaling strength domestically and testing American cyber defenses. Expect continued Iranian focus on vulnerable sectors such as energy, finance, and transportation.
FROM THE MEDIA: U.S. officials confirmed that Iranian-backed hacker groups have ramped up cyber operations following U.S. airstrikes targeting Iranian-linked facilities. While the attacks appear disruptive and symbolic, some campaigns may have deeper espionage or reconnaissance objectives. The operations are reportedly being carried out by known proxies such as “Abandoned Kitten” and “MuddyWater,” previously tied to Iran’s Ministry of Intelligence. The FBI and CISA have issued alerts to critical infrastructure operators, advising heightened monitoring for indicators of compromise. U.S. cyber defenders are working to assess the full scope and impact of these renewed threats.
READ THE STORY: ABC NEWS
Russian-Linked Cyberattack Targets Ukrainian Government Systems Amid Ongoing Conflict
Bottom Line Up Front (BLUF): Ukrainian government institutions were hit by a sophisticated cyberattack attributed to the Russian APT group UAC-0050. The attackers used phishing emails with malicious attachments to deliver Remcos RAT, a known remote access trojan for espionage and persistent access.
Analyst Comments: UAC-0050’s reliance on phishing and RATs like Remcos demonstrates how conventional social engineering techniques remain central to state-sponsored cyber campaigns. These incursions may aim to gather intelligence on Ukrainian defense or diplomatic operations. Expect continued targeting of Ukrainian critical infrastructure as the geopolitical conflict drags on.
FROM THE MEDIA: The campaign involved emails masquerading as official communications containing malicious Microsoft Word documents. Once opened, these documents executed scripts to install Remcos RAT, granting the attackers remote control over infected systems. UAC-0050 has previously been linked to Russian cyber operations and has a track record of using Remcos in campaigns across Eastern Europe. Ukrainian CERT-UA confirmed that the campaign was detected and disrupted, though some systems may have been compromised before mitigation.
READ THE STORY: The Cyber Express
FBI Warns of China's Expanding Cyber-Espionage via Typhoon Groups Targeting U.S. Infrastructure
Bottom Line Up Front (BLUF): The FBI has warned that Chinese state-sponsored "Typhoon" threat groups are expanding their cyber-espionage operations against U.S. critical infrastructure. These campaigns use pre-positioned access to remain undetected, enabling long-term strategic advantage in case of future conflict.
Analyst Comments: The Typhoon groups (Microsoft's term for China-nexus APTs) reflect a coordinated approach, likely tied to Beijing’s military-civil fusion doctrine. Expect increased U.S. emphasis on public-private threat sharing and hardening infrastructure sectors like energy, water, and communications. The warning also indicates growing tension in the cyber domain that mirrors real-world geopolitical friction.
FROM THE MEDIA: Brett Leatherman, FBI deputy assistant director of cyber operations, disclosed that China-backed cyber actors—referred to as “Typhoon” groups by Microsoft—actively embed themselves within U.S. critical infrastructure. The FBI and CISA have recently highlighted these actors' use of stealthy techniques, such as living-off-the-land binaries, to remain undetected for extended periods. These actors are not simply collecting intelligence but are also building the capability to cause real-world disruptions. The public disclosure follows a series of alerts regarding Volt Typhoon, one of the more prominent groups, which has targeted communications and utilities. The FBI emphasized the strategic nature of this activity and urged private sector entities to adopt proactive defense measures.
READ THE STORY: The Record
Russia-Controlled Messaging App to Rival WhatsApp and Telegram
Bottom Line Up Front (BLUF): Russia is developing a government-operated messaging platform to replace Western services like WhatsApp and Telegram within state institutions. The move is part of the Kremlin’s broader push for digital sovereignty and aims to reduce reliance on foreign tech.
Analyst Comments: A state-run messaging app could improve internal security, but it raises concerns over censorship and surveillance of domestic communications. This move could accelerate the fragmentation of the global internet and increase operational challenges for foreign tech companies in Russia. If successful, it may inspire similar efforts by other authoritarian regimes.
FROM THE MEDIA: Russia's Ministry of Digital Development oversees the creation of a new messaging app tailored for use by state agencies and affiliated organizations. The project, led by state-controlled technology firm VK, is expected to deliver a beta version by the end of 2025. Officials cited security concerns over Western-owned platforms like WhatsApp and Telegram, particularly after Meta tightened access and rolled out privacy updates. The new app will feature encrypted messaging, document sharing, and integration with Russian government IT systems. Analysts note that this is part of a broader campaign by Russia to build sovereign tech alternatives across social media, cloud services, and operating systems.
READ THE STORY: CyberNews
China-Linked ‘LapDogs’ ORB Network Exploits SOHO Devices for Espionage Infrastructure
Bottom Line Up Front (BLUF): Researchers have uncovered a China-nexus cyber-espionage campaign, dubbed “LapDogs,” that has compromised over 1,000 SOHO devices across the US and Asia. The attackers built an Operational Relay Box (ORB) network using custom malware and TLS spoofing to hide malicious traffic and enable reconnaissance and command-and-control functions.
Analyst Comments: By targeting small office/home office routers and access points, attackers exploit weakly secured devices to mask their activities and avoid traditional detection. The spoofed TLS certificates and custom backdoor (ShortLeash) underscore the adaptability of these threat actors. The emergence of such stealthy, reusable networks complicates attribution and takedown efforts and highlights the urgent need for security hardening of consumer-grade networking gear.
FROM THE MEDIA: SecurityScorecard’s STRIKE team uncovered the “LapDogs” ORB network in a report published June 24, 2025. The campaign has been active since at least September 2023 and infects Linux-based SOHO devices, particularly Ruckus Wireless access points and hardware from ASUS, Cisco Linksys, and others. The network is used for cyber-espionage and anonymized C2 operations, especially targeting entities in the US, Japan, Taiwan, and Southeast Asia. The attackers deploy a custom backdoor, “ShortLeash,” and generate spoofed TLS certificates appearing to originate from the Los Angeles Police Department. These certificates help the attackers disguise infected nodes as legitimate infrastructure. Researchers suspect involvement of the Chinese threat group UAT-5918, but could not confirm whether they operate or rent the ORB. SecurityScorecard warns that any compromised device could be used as a pivot into internal enterprise networks.
READ THE STORY: DR
Russia Quietly Releases REvil Ransomware Gang Members Amid Global Tensions
Bottom Line Up Front (BLUF): Russian authorities have released several members of the REvil ransomware gang, who were arrested in a high-profile 2022 crackdown. The unexpected move comes with minimal public explanation and amid strained cyber-relations with Western nations.
Analyst Comments: The release of REvil affiliates raises questions about Russia’s commitment to international cybercrime cooperation, especially following Western sanctions and heightened cyber tensions linked to the war in Ukraine. It may signal a shift to tolerating or even tacitly supporting domestic cybercriminals, particularly if their activities align with Russian geopolitical interests. This development could embolden ransomware operations and complicate future international law enforcement efforts. It also underscores the challenges of cyber diplomacy in the context of geopolitical rivalry.
FROM THE MEDIA: Russian authorities have quietly released multiple individuals tied to the notorious REvil ransomware group, despite their prior arrests by the FSB in January 2022. The detainees, who had been accused of operating some of the most destructive ransomware attacks—including the Kaseya breach—have reportedly resumed everyday life, and at least one is known to have reclaimed seized assets. This reversal follows Russia’s initial arrests, which were widely interpreted as a gesture of goodwill during a brief thaw in U.S.–Russia cyber cooperation. However, since the invasion of Ukraine, that cooperation has largely collapsed. Neither the FSB nor the Russian judiciary has issued a formal statement explaining the releases.
READ THE STORY: The Record
Items of interest
China-Linked Salt Typhoon Hacks Canadian Telecom via Cisco CVE-2023-20198 Exploit
Bottom Line Up Front (BLUF): In February 2025, China-linked threat actor Salt Typhoon compromised a Canadian telecommunications provider by exploiting the widely known CVE-2023-20198 vulnerability in Cisco devices. Canadian and U.S. authorities confirmed the breach, noting attackers established GRE tunnels to siphon network traffic for espionage purposes.
Analyst Comments: Despite the availability of a patch since 2023, critical flaws remain unaddressed in high-value targets, reflecting systemic issues in patch management across telecom sectors. Salt Typhoon’s continued focus on telecoms suggests an intelligence-gathering strategy targeting communications metadata, potentially enabling surveillance or influence operations. Given the group's expanding scope, finance, government, and energy entities should prepare for lateral threat movement.
FROM THE MEDIA: Canadian cybersecurity authorities and the FBI confirmed that Salt Typhoon, a Chinese state-sponsored hacking group, breached a Canadian telecom network in February. The attackers exploited CVE-2023-20198, a critical remote code execution flaw in Cisco software, to gain administrative access to three network devices. The hackers extracted configuration files and deployed a GRE tunnel to reroute traffic for interception. Although a fix was released in October 2023, the breach highlights significant lapses in patch implementation. Salt Typhoon had previously targeted major U.S. telecoms and even compromised phone records linked to political figures during the 2024 election campaign. Officials warn that the group may now be targeting sectors beyond telecommunications.
READ THE STORY: CyberNews
CVE-2023-20198 Explained (Video)
FROM THE MEDIA: A critical zero-day vulnerability in Cisco IOS XE (CVE-2023-20198) allows unauthenticated remote attackers to gain full privileged access (level 15) via the web UI. The flaw is being actively exploited, with over 1,800 internet-exposed systems affected and millions potentially at risk. Urgent mitigation is advised.
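Both the Salt Typhoon item and the CVE-2023-20198 summary above come down to two things a network team can check in a running-config: whether the IOS XE web UI (the HTTP server feature the flaw lives in) is enabled at all, and whether any GRE tunnel interfaces exist that nobody documented. The following is an added example, not code from either article or from Cisco: it parses a constructed config snippet, and the allowlist of known tunnel interfaces is an assumption a network team would maintain.

```python
"""Audit a Cisco IOS XE running-config for web-UI exposure and undocumented GRE tunnels.

Added example; the sample config and the KNOWN_TUNNELS allowlist are constructed
for illustration (RFC 5737 documentation addresses), not taken from any real device.
"""


def parse_interfaces(config: str) -> dict:
    """Group the indented lines of each 'interface X' stanza under its name."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            # '!' separators and any other top-level command end the stanza
            current = None
    return stanzas


def web_ui_enabled(config: str) -> dict:
    """Report whether the HTTP and/or HTTPS server feature is turned on."""
    lines = {l.strip() for l in config.splitlines()}
    return {
        "http": "ip http server" in lines,
        "https": "ip http secure-server" in lines,
    }


def find_gre_tunnels(config: str, known: set) -> list:
    """List Tunnel interfaces in GRE mode with their endpoints and allowlist status."""
    findings = []
    for name, body in parse_interfaces(config).items():
        if not name.lower().startswith("tunnel"):
            continue
        # 'tunnel mode gre ip' is the IOS default and is omitted from running-config
        mode = next((b for b in body if b.startswith("tunnel mode")), "tunnel mode gre ip")
        if "gre" not in mode:
            continue
        src = next((b.split(None, 2)[2] for b in body if b.startswith("tunnel source")), None)
        dst = next((b.split(None, 2)[2] for b in body if b.startswith("tunnel destination")), None)
        findings.append({"interface": name, "source": src, "destination": dst,
                         "known": name in known})
    return findings


def audit(config: str, known: set) -> dict:
    """Summarise the two conditions worth alerting on."""
    ui = web_ui_enabled(config)
    tunnels = find_gre_tunnels(config, known)
    return {
        "web_ui_exposed": ui["http"] or ui["https"],
        "unknown_gre_tunnels": [t["interface"] for t in tunnels if not t["known"]],
    }


# Constructed sample: one documented site-to-site tunnel and one nobody registered.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
interface Tunnel0
 description site-to-site link (constructed, documented)
 ip address 10.9.9.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
!
interface Tunnel7
 ip address 10.66.66.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.250
 tunnel mode gre ip
!
end
"""
KNOWN_TUNNELS = {"Tunnel0"}   # assumed allowlist maintained by the network team

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, KNOWN_TUNNELS))
```

A `web_ui_exposed` result of true on a device that does not need the web UI points to the mitigation Cisco's advisory recommended, disabling the HTTP server feature, while an entry in `unknown_gre_tunnels` is exactly the kind of traffic-rerouting artifact the Canadian breach description mentions and should be reconciled against change records before it is removed.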
How China Is Building an Army of Hackers (Video)
FROM THE MEDIA: China and the US constantly struggle for information, using cyber espionage to gain a strategic advantage. Recently leaked files have shed light on rapid advances in China’s cyber capabilities as both nations prepare for any future conflict.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.