Tuesday, Jul 08, 2025 // (IG): BB // GITHUB // SN R&D
PROJECT UPDATE:
This scrapes, parses, and dedupes stories every six hours. It's not evaluated, but it's a great way to get a glimpse of the news/threat-scape.
NEWS:
China’s Rare Earth Sanctions Trigger Global Supply Shock and U.S. Policy Reversal
Bottom Line Up Front (BLUF): China’s spring 2025 export controls on rare earth minerals and magnets have severely disrupted global supply chains, prompting Washington to scale back recent tariff increases. The move marks a shift in Beijing’s use of economic statecraft, exerting global pressure through targeted restrictions on critical raw materials.
Analyst Comments: The fallout exposed Western nations' chronic underinvestment in alternative mineral supply chains, despite over a decade of warnings. China’s ability to rapidly affect production in sectors like automotive and defense underscores a growing geopolitical leverage point that could be further refined and expanded. This episode may accelerate Western rare earth diversification efforts, but any strategic decoupling will be slow and costly.
FROM THE MEDIA: Beijing has often relied on opaque trade retaliation, but this strategy represented a rare, overtly impactful sanction. The restrictions affected the U.S. and key partners like Japan, South Korea, and India. European Commission President Ursula von der Leyen highlighted the issue at the June G7 summit. Despite longstanding awareness of China’s dominance in rare earth production, Western preparedness was minimal, with some manufacturers holding only a week's worth of magnet inventory. Beijing's sanctions policy now includes extraterritorial demands, pressuring non-Chinese firms to avoid supplying U.S. defense industries with Chinese-origin materials.
READ THE STORY: FT
Houthis Resume Red Sea Attacks Despite Trump-Brokered Truce; Israel Launches Retaliatory Airstrikes
Bottom Line Up Front (BLUF): Yemen’s Houthi rebels attacked a commercial ship in the Red Sea on July 6, marking the first such incident since President Trump announced a truce with the group in May. In response, Israel conducted major airstrikes on Houthi-controlled ports and infrastructure in Yemen, escalating regional tensions.
Analyst Comments: The Houthis' renewed aggression underscores the fragility of informal ceasefires in a region where multiple actors pursue divergent objectives. Although Trump’s truce halted U.S. operations, the Houthis continued to target Israel, highlighting the limitations of bilateral deals that exclude regional stakeholders. Israel’s broad retaliatory campaign indicates a readiness to act independently, potentially complicating Washington’s de-escalation efforts. The attack also signals a return to maritime insecurity in the Red Sea, a vital global shipping route, with implications for supply chains and insurance costs.
FROM THE MEDIA: Houthi forces attacked the Liberian-flagged, Greek-owned vessel Magic Seas with small arms and grenades near Yemen’s Hodeidah port. The incident forced the crew to abandon ship and marked the first such attack since President Trump claimed in May that the Houthis had agreed to halt maritime assaults in exchange for a U.S. military pause. The group stated the vessel’s operator violated its ban on entry to Israeli ports. In retaliation, Israel launched extensive airstrikes early July 7, targeting Houthi ports and a radar-equipped hijacked ship used for surveillance. The strikes involved 20 Israeli jets and hit key facilities linked to Iran-backed weapons transfers. The Houthis fired multiple ballistic missiles and drones at Israeli cities in response, with two missiles entering Israeli airspace. No casualties were reported. This incident reintroduces volatility into Red Sea shipping lanes, previously disrupted by over 100 Houthi attacks since late 2023.
READ THE STORY: WSJ
VenusTech and Salt Typhoon Leaks Reveal China’s Cyber Mercenary Infrastructure and MSS Ties
Bottom Line Up Front (BLUF): Leaked data posted on DarkForums has exposed confidential files tied to VenusTech and Salt Typhoon, uncovering evidence of China’s hack-for-hire ecosystem linked to the Ministry of State Security (MSS). The breach includes government contracts, intelligence targeting data, employee PII, and compromised infrastructure, offering unprecedented insight into Chinese cyber operations.
Analyst Comments: The documents link firms like VenusTech to past offensive operations and show how Salt Typhoon coordinates with MSS and PLA units using commercial vendors as operational fronts. The leaks also demonstrate a shift — Chinese actors and insiders increasingly participate in Western-style cybercrime marketplaces. As the data is combed for attribution and patterns, further revelations may emerge that implicate additional state-connected entities or expose vulnerabilities in Chinese offensive cyber infrastructure.
FROM THE MEDIA: In late May 2025, anonymous users “IronTooth” and “ChinaBob” published leaks from Chinese cybersecurity vendor VenusTech and MSS-linked APT group Salt Typhoon on the dark web site DarkForums. The VenusTech leak revealed internal documents and spreadsheets indicating cyber espionage contracts with Chinese government clients and access to foreign systems, including the Korean National Assembly’s email server. The Salt Typhoon leak contained employee PII, router configurations, and links to MSS and PLA-affiliated entities, including PLA Unit 61419 and the Institute of Information Engineering. The exposed materials suggest close cooperation between front companies, APT groups, and Chinese state agencies, highlighting a complex and covert network of cyber mercenary activity sanctioned at high levels.
READ THE STORY: GBhackers
NightEagle APT Unleashes Custom Malware and Zero-Days to Infiltrate Industrial Systems
Bottom Line Up Front (BLUF): The NightEagle APT group, tracked as APT-Q-95 by Chinese cybersecurity firm Qian Pangu, has executed a series of sophisticated intrusions targeting high-tech industries in China. NightEagle has remained undetected for over a year while exfiltrating sensitive data from Exchange servers using zero-day vulnerabilities, memory-resident malware, and advanced infrastructure obfuscation tactics.
Analyst Comments: Its ability to exploit previously unknown Exchange vulnerabilities, avoid disk forensics, and mimic trusted services suggests state-level backing, possibly from a Western actor, given operating hours that align with North America's Pacific Time. The targeting of AI, semiconductor, and military sectors matches strategic priorities in the global tech race, particularly Sino-Western cyber competition. The campaign is therefore more than a single incident; it is a window into evolving cyber espionage tradecraft.
FROM THE MEDIA: The intrusion chain began with DNS queries to decoy domains such as synologyupdates.com, followed by delivery of malware such as "SynologyUpdate.exe," a SOCKS proxy tool written in Go. The attackers loaded memory-resident malware into Exchange servers as ASP.NET DLLs (App_Web_cn*.dll) to maintain covert access. Qianxin's telemetry showed persistent email theft for over a year, relying on dynamic infrastructure, one domain per victim, and relays that hide the true C2 location. Execution was automated through scheduled tasks, and victim selection and timing were tightly targeted, matching the stated geopolitical motives and high-value industries. Several malicious domains and traffic signatures have been published, and Qian Pangu has released detection tools such as the APT-Q-95 Exchange Memory Self-Check for defenders.
READ THE STORY: CSO online // GBhackers
FBI Says Salt Typhoon Hackers ‘Largely Contained’ in U.S. Telecom Networks, Still Pose Risk
Bottom Line Up Front (BLUF): The FBI has reported that the Chinese state-sponsored group Salt Typhoon remains “largely contained” within affected U.S. telecommunications networks, with no current active exfiltration. However, the group’s presence remains a latent risk. Meanwhile, the Pentagon’s AI office has eliminated its CTO role as part of a Trump administration-led initiative to cut federal inefficiencies.
Analyst Comments: Although Salt Typhoon is not currently exfiltrating data, its entrenched foothold across multiple telecom providers signifies a persistent threat that could be rapidly reactivated in a crisis. This mirrors patterns observed in Volt Typhoon, reinforcing concerns that Chinese APTs establish dormant, infrastructure-level access for future disruption. The federal government’s structural cuts to technical leadership, especially within the Pentagon’s AI office, could hinder long-term cybersecurity preparedness as adversarial threats become more sophisticated and intertwined with AI and telecommunications systems.
FROM THE MEDIA: While some observers contrast Salt Typhoon with Volt Typhoon, the FBI's Brett Leatherman noted that both groups use similar prepositioning tactics. Concurrently, the Pentagon's Chief Digital and AI Office (CDAO) has removed its Chief Technology Officer directorate, citing inefficiencies revealed during the Trump-era workforce and budget reviews. The move follows widespread resignations and may affect the CDAO's ability to manage emerging tech challenges.
READ THE STORY: FEDSCOOP
Taiwan’s Satellite Legal Status Exposes Strategic Lawfare Risk Amid Rising PRC Threat
Bottom Line Up Front (BLUF): Taiwan’s small but expanding satellite fleet, including the upcoming FORMOSAT-8 series, faces a critical vulnerability: its unclear legal status under international space law. This legal ambiguity—stemming from Taiwan’s lack of recognized statehood—could be exploited by the PRC in a lawfare strategy to assert control or deny Taiwan’s use of space assets during a conflict.
Analyst Comments: As Taiwan increases reliance on satellites for intelligence, surveillance, and deterrence—much like Ukraine has with Starlink—the PRC could preemptively challenge the legality of Taiwan’s space activities under the Outer Space Treaty. The U.S. has a unique opportunity to counter this lawfare risk by legally “flagging” Taiwan-launched satellites as U.S. assets under Article VIII of the OST and the Registration Convention. Doing so would deter PRC interference by introducing legal complications and increasing the cost of hostile action. This legal solution, inspired by Cold War-era maritime policy, reflects an emerging domain of hybrid warfare where sovereignty and international law are weaponized.
FROM THE MEDIA: These assets are critical to Taiwan’s national defense planning, especially in light of recent global examples where space systems played a decisive role in hybrid conflicts. However, legal ambiguities in Taiwan's status under international law—due to its exclusion from the UN since Resolution 2758 (1971)—create a loophole: its satellites may not be protected under key space treaties like the Outer Space Treaty and the Registration Convention. PRC legal strategists could exploit this to claim jurisdiction or delegitimize Taiwan's satellite operations during a crisis. U.S. law, specifically the Taiwan Relations Act, allows Taiwan to be treated as a state under federal law, enabling a workaround by registering future satellites under U.S. jurisdiction to reinforce legal protections and complicate PRC aggression.
READ THE STORY: The Space Review (Part 2)
Cyberattack Disrupts Russian Firmware System Used to Militarize DJI Drones in the Ukraine War
Bottom Line Up Front (BLUF): Unidentified hackers have disrupted the distribution infrastructure of “1001” firmware, a Russian-developed system that modifies civilian DJI drones for battlefield use in Ukraine. The cyberattack targeted servers linked to terminal updates, rendering them inoperable and potentially impairing Russia’s drone deployment capabilities.
Analyst Comments: This attack represents a rare but significant cyber blow to Russia’s drone warfare infrastructure, potentially limiting its capacity to reflash or maintain modified UAVs. The sophistication and precision of the operation suggest an actor with deep knowledge of the firmware’s niche delivery system, possibly aligned with Ukrainian or allied cyber interests. As both sides in the conflict intensify their reliance on commercial drones, such sabotage operations signal an evolving front in the cyber-physical battlespace. Future attacks on firmware distribution chains may become a recurring tactic to blunt battlefield advantages without engaging in confrontation.
FROM THE MEDIA: A statement circulated through a pro-Russian Telegram channel confirmed that the attackers breached the distribution infrastructure, displayed false messages on operator terminals, and disabled the system. Though the firmware itself was not compromised, operators were urged to disconnect terminals as a precaution. The "1001" firmware removes flight restrictions, enhances GPS spoofing resistance, and boosts performance, making it vital to Russia's battlefield drone fleet; it is reportedly installed on over 200,000 UAVs. With the distribution system offline, Russian forces may face challenges maintaining or updating drones already in combat use.
READ THE STORY: The Record
FDD Urges FCC to Revoke Legacy Authorizations for Chinese-Made Equipment Citing National Security Risk
Bottom Line Up Front (BLUF): The Foundation for Defense of Democracies (FDD) has called on the FCC to close regulatory loopholes that allow pre-2023 Chinese-made telecommunications and surveillance equipment to remain operational in U.S. networks. In a public comment, FDD recommends revocation of legacy equipment authorizations, expanded supply chain definitions, and risk-based mitigation to address persistent threats from adversary-controlled hardware.
Analyst Comments: The continued operation of such devices—particularly near critical infrastructure and military facilities—offers cyber adversaries persistent backdoor access and long-term espionage potential. Revoking these authorizations and enhanced vetting of foreign-influenced component suppliers would mark a decisive shift in safeguarding the U.S. communications supply chain against hybrid warfare tactics.
FROM THE MEDIA: The current FCC rules lack a mechanism for revoking older authorizations solely on national security grounds. FDD recommends that the FCC adopt a risk-based revocation framework, prioritize replacement in high-risk areas, and broaden the definition of "produced by" to include components and OEM arrangements tied to Covered List entities. The comment also pushes for deeper information collection on foreign business ties and urges alignment with Commerce Department definitions under 15 CFR § 791.2 to better detect hidden ownership or control by foreign adversaries, especially the PRC. These measures, FDD argues, are essential to closing systemic security gaps.
READ THE STORY: FDD
DragonForce vs. RansomHub: Ransomware Turf War Threatens Wave of Double Extortion Attacks
Bottom Line Up Front (BLUF): A brewing conflict between rival ransomware gangs DragonForce and RansomHub is escalating, with cybercriminals reportedly extorting the same victims to outdo each other. Security experts warn this "turf war" could increase the frequency and severity of ransomware attacks, particularly through double extortion schemes targeting overlapping victims.
Analyst Comments: While gang rivalries can sometimes hinder operations, in this case, competition is intensifying pressure on victims, who may face multiple ransom demands from different groups exploiting the same breach. The blurred lines between affiliates and operators, compounded by the Ransomware-as-a-Service (RaaS) model, allow bad actors to pivot between gangs and continue attacks unabated. Expect more volatile and aggressive tactics against sectors with weak cyber hygiene or repeated compromise histories.
FROM THE MEDIA: The dispute has reportedly led to DragonForce taking down RansomHub's dark web site. Experts told the outlet that this kind of competition could lead to victims being extorted by both gangs for the same data, a scenario the article labels "double extortion," though practitioners usually reserve that term for a single group combining encryption with a data-leak threat. Similar tensions erupted in past high-profile cases, including the $22 million ransom payment by UnitedHealth Group's Change Healthcare, where overlapping affiliations caused ransom confusion and loss. RaaS ecosystems remain fluid, meaning any gang that "implodes" often re-emerges under new branding, complicating attribution and response efforts.
READ THE STORY: Tom's Hardware
Trump Denies Responsibility for Ukraine Arms Delay, Leaves Door Open for Future Aid
Bottom Line Up Front (BLUF): President Donald Trump told Ukrainian President Volodymyr Zelensky he was not behind the recent pause in U.S. weapons shipments to Kyiv. Trump attributed the delay to a Pentagon stockpile review following strikes on Iranian targets. Trump assured Zelensky that military support would continue “as much as we can spare,” though shipments remain suspended pending defense assessments.
Analyst Comments: Trump's distancing from the weapons freeze, amid rising pressure following a massive Russian missile strike, signals a desire to avoid complete disengagement while still projecting control over military prioritization. The fundamental determinant now lies with Defense Secretary Pete Hegseth and the Joint Chiefs, whose decisions could either reassure allies or embolden adversaries. Meanwhile, the pause raises questions about how the administration will balance domestic defense stockpile needs against Ukraine's urgent battlefield demands.
FROM THE MEDIA: The halt includes vital interceptors, missiles, and artillery rounds needed by Ukraine to defend against Russian airstrikes. The Pentagon confirmed the review followed recent missile use in defense of U.S. bases in the Middle East. Despite Trump’s assurance that aid would resume based on availability, the shipments remain frozen. Trump’s earlier call with Russian President Vladimir Putin reportedly ended in deadlock, and Russia responded by launching one of its most extensive assaults on Ukrainian cities since the war began. Zelensky described the conversation with Trump as “maximally productive,” hinting at hope for resumed support.
READ THE STORY: WSJ
Batavia Spyware Campaign Targets Russian Firms with Multi-Stage Windows Malware
Bottom Line Up Front (BLUF): Kaspersky has uncovered a new Windows spyware dubbed Batavia that targets Russian organizations via phishing emails posing as contract requests. Since mid-2024, the malware has exfiltrated documents, screenshots, and system metadata through a stealthy multi-stage infection chain, ultimately delivering payloads via attacker-controlled domains.
Analyst Comments: Its Delphi-based payload and removable media scanning suggest a deliberate attempt to infiltrate air-gapped or semi-isolated systems. The attack vector—contract-themed phishing—remains a practical entry point in both the public and private sectors. The targeting of Russian entities adds intrigue, potentially hinting at internal dissident groups, criminal actors, or foreign intelligence activity aiming to exploit regional vulnerabilities amid geopolitical shifts.
FROM THE MEDIA: Attackers send phishing emails from the domain oblast-ru[.]com with links to download a .VBE script disguised as a contract; on execution it profiles the host and fetches a Delphi-based executable. This malware collects a range of documents, system logs, screenshots, and removable media content. A third-stage payload expands collection to images, emails, and archives before transmitting the data to ru-exchange[.]com. A fourth-stage executable is then fetched for continued exploitation. Separately, Fortinet has reported on a stealer, NordDragonScan, which abuses .LNK shortcuts and mshta.exe to deploy a .NET payload that targets browsers and documents, using a Ukrainian-language decoy.
READ THE STORY: THN
Free Cyber Defense Service for U.S. Infrastructure Ends Amid Rising Russian Threats
Bottom Line Up Front (BLUF): The Critical Infrastructure Defense Project, a free cybersecurity initiative launched by Cloudflare, CrowdStrike, and Ping Identity in response to Russia’s 2022 invasion of Ukraine, has been discontinued due to declining usage. The shutdown comes just as NATO and security experts warn of renewed Russian cyber reconnaissance targeting critical U.S. infrastructure.
Analyst Comments: The sunset of this initiative may leave vulnerable sectors — including utilities, healthcare, and water systems — exposed at a time of escalating geopolitical cyber threats. While the initial wave of participation has waned, adversaries like Russia and Iran continue to probe U.S. infrastructure, making a case for maintaining or adapting such public-private defense models. The program’s quiet termination raises questions about the sustainability of short-term cybersecurity interventions and whether voluntary protection mechanisms can keep pace with persistent state-backed threats.
FROM THE MEDIA: The program, backed by Cloudflare, CrowdStrike, and Ping Identity, aimed to shield hospitals and utility providers from increased Russian cyber activity following the invasion of Ukraine. A CrowdStrike spokesperson told Nextgov/FCW that the project was phased out as threat activity and participation declined. However, the timing is contentious: recent intelligence suggests Russian actors are once again mapping critical infrastructure, including undersea cables. Iran has also resumed targeting U.S. facilities, further highlighting the continuing need for such defenses. As of July 2025, the project's website is being redirected to Cloudflare's homepage.
READ THE STORY: MSN
OpenAI Fortifies Cybersecurity Amid Foreign Espionage Concerns
Bottom Line Up Front (BLUF): OpenAI has significantly overhauled its internal security protocols in response to rising foreign espionage threats, especially from Chinese AI competitors. The company has implemented stricter data controls, biometric access, and isolated computing environments after suspecting a Chinese firm, DeepSeek, of model distillation.
Analyst Comments: Introducing “tenting” and deny-by-default egress policies shows OpenAI treats its models with national-security-level sensitivity. As AI becomes a strategic asset akin to nuclear or biotech capabilities, firms like OpenAI will likely resemble defense contractors in structure and protocol. These developments suggest that AI R&D will become more siloed and secretive, potentially stifling collaboration while fueling global mistrust in the AI arms race.
FROM THE MEDIA: OpenAI has ramped up its cybersecurity measures following allegations that Chinese AI start-up DeepSeek illicitly copied its models using a distillation technique. Since early 2024, OpenAI has tightened internal data access, introduced biometric checkpoints, and confined sensitive systems to offline "tented" environments. These steps are designed to prevent leakage of critical technology such as model weights and architecture details. The company has also expanded its security team, hiring Palantir's former CISO and welcoming retired U.S. General Paul Nakasone to its board. U.S. intelligence officials have warned tech firms about increasing foreign cyberespionage risks, especially from China. Despite these precautions, the moves raise questions about balancing open innovation with national and corporate security interests.
READ THE STORY: FT
Items of interest
Butian Vulnerability Platform: Forging China's Next Generation of White Hat Hackers
Bottom Line Up Front (BLUF): Qi An Xin’s Butian Platform has emerged as China’s leading white hat hacker development ecosystem, blending bug bounty programs with live-fire offensive training. Butian supports domestic defense and potential offensive cyber capabilities aligned with state priorities by incentivizing ethical hacking and cultivating vulnerability research talent.
Analyst Comments: Through mentorship pipelines, gamified progression, and state-linked partnerships, it effectively channels ethical hacking toward national security goals. While it aims to deter black market participation, the profit-driven allure of underground vulnerability sales remains a persistent challenge. Similar models could proliferate as AI-driven vulnerabilities and hybrid cyber threats grow more complex.
FROM THE MEDIA: Originally dubbed the “Trouser Belt Project,” it was later renamed “Butian” (补天), referencing the mythological goddess NüWa, who patched the sky—an allegory for fixing vulnerabilities. The platform supports state vulnerability databases like CNVD and has prioritized AI-related bugs, recently boosting rewards in those domains. Butian’s structured programs guide university students through six growth phases, from newcomers to elite hackers, using mentorship, live-fire exercises, and certification tracks. Despite generous bounties and professional pathways, the platform still competes with black-market payouts that can be exponentially higher, raising questions about the long-term retention of ethical hackers.
READ THE STORY: NATTO TEAMS
ResolverFuzz: Automated Discovery of DNS Resolver Vulnerabilities with Query-Response Fuzzing (Video)
FROM THE MEDIA: The Domain Name System (DNS) is a critical component of the Internet. DNS resolvers, which act as the cache between DNS clients and DNS nameservers, are the central piece of the DNS infrastructure and essential to its scalability. However, finding resolver vulnerabilities is non-trivial, and the problem is not well addressed by existing tools, for at least three reasons. First, most known resolver vulnerabilities are non-crash bugs that cannot be detected directly by existing oracles (or sanitizers). Second, there are no rigorous specifications that can serve as references for classifying a test case as a resolver bug. Third, DNS resolvers are stateful, and stateful fuzzing remains challenging because of the large input space.
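The "non-crash bug" point is the one that matters for anyone building a resolver test harness: the fuzzer has to carry its own oracle, because nothing will segfault when a resolver caches a record it should have ignored. The block below is an added example, not the ResolverFuzz code, showing the query/response side of such a harness: a DNS wire-format builder and parser, and an oracle that flags transaction-ID mismatches, a missing QR bit, a changed question section, and any record outside the bailiwick of the zone the test nameserver serves. The zone name, addresses, and the injected out-of-bailiwick record are constructed.

```python
"""Query/response harness pieces of the kind a resolver fuzzer needs:
DNS wire-format build/parse plus a non-crash oracle. Added example, not
ResolverFuzz code. The checks are generic resolver-correctness rules;
zone, names and addresses below are constructed.
"""
import struct
from typing import List, Tuple

A, IN = 1, 1  # record type A, class IN


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return it with trailing dot and the next offset."""
    labels, jumped, resume = [], False, 0
    for _ in range(128):  # bounded walk: a pointer loop must not hang the parser
        length = msg[off]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                resume = off + 2
            off, jumped = pointer, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name too long or compression loop")
    return ".".join(labels) + ".", (resume if jumped else off)


def build_query(txid: int, qname: str, qtype: int = A) -> bytes:
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, IN)


def build_response(txid: int, question, records, rcode: int = 0) -> bytes:
    """records: (section, name, type, ttl, rdata) tuples; sections answer/authority/additional."""
    counts, body = {"answer": 0, "authority": 0, "additional": 0}, b""
    for section in counts:
        for sec, name, rtype, ttl, rdata in records:
            if sec == section:
                counts[section] += 1
                body += encode_name(name) + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata
    qname, qtype, qclass = question
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode,  # QR, RD, RA set
                         1, counts["answer"], counts["authority"], counts["additional"])
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass) + body


def parse_message(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((section, name, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
    return {"txid": txid, "flags": flags, "questions": questions, "records": records}


def in_bailiwick(name: str, zone: str) -> bool:
    n, z = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def response_oracle(query: bytes, response: bytes, zone: str) -> List[str]:
    """Each issue is something a correct resolver must reject or ignore, crash or not."""
    q, r = parse_message(query), parse_message(response)
    issues = []
    if q["txid"] != r["txid"]:
        issues.append("txid-mismatch")
    if not r["flags"] & 0x8000:
        issues.append("qr-bit-clear")
    if q["questions"] != r["questions"]:
        issues.append("question-mismatch")
    issues += [f"out-of-bailiwick:{sec}:{name}" for sec, name, _t, _ttl, _rd in r["records"]
               if not in_bailiwick(name, zone)]
    return issues


def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


# Constructed scenario: the test nameserver serves example.test.
ZONE, QUESTION = "example.test.", ("www.example.test.", A, IN)
QUERY = build_query(0x1234, QUESTION[0])
GOOD = [("answer", "www.example.test.", A, 300, ip4("192.0.2.10"))]
# A mutation a fuzzer would generate: an unrelated name smuggled into the additional section.
POISON = GOOD + [("additional", "bank.victim.test.", A, 86400, ip4("10.0.0.1"))]


def run_cases() -> dict:
    return {"good": response_oracle(QUERY, build_response(0x1234, QUESTION, GOOD), ZONE),
            "poison": response_oracle(QUERY, build_response(0x1234, QUESTION, POISON), ZONE),
            "wrong_id": response_oracle(QUERY, build_response(0x4321, QUESTION, GOOD), ZONE)}
```

In a real harness the mutated response is served by a nameserver the fuzzer controls, the resolver under test is queried, and the oracle is applied to what the resolver then returns or caches; the bailiwick check is what turns a silently accepted glue record into a reported finding. Because the resolver is stateful, the same mutated response has to be replayed against a cache that is empty, warm, and expiring, which is the input-space problem the abstract describes.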
Analysis of NXDOMAIN data from an openresolver perspective in China (Video)
FROM THE MEDIA: To uncover anomalies within this data, we clustered NXDOMAIN names into distinct patterns based on their string characteristics and analysed the causes of these patterns. We found that the causes ranged from server misconfiguration, such as DNS suffixes appended to already qualified names, to application-related causes such as DNS blacklisting, reverse lookups, or Chromium's random-hostname probes. By monitoring the long-tail, non-patterned NXDOMAIN query names, the proposed system can identify and actively monitor the domain name patterns of recent large-scale NXDOMAIN events. In addition, from a regional perspective, there are significant differences in the rate of NXDOMAIN responses between provinces in China, likely due to the specific equipment used by local operators.
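As an added illustration of the clustering step, and not the authors' system, the block below collapses NXDOMAIN query names into string patterns and labels the likely cause. It handles reverse lookups, a search suffix appended to an already qualified name, Chromium-style random single-label probes, and a numeric long tail; the blacklist-related causes the paper mentions are not modelled. The embedded-TLD list and the sample names are constructed assumptions.

```python
"""Cluster NXDOMAIN query names into string patterns and label the likely
cause. Added example, not the paper's system. The pattern rules and cause
labels are general heuristics; the TLD list and sample names are constructed.
"""
import re
from collections import Counter
from typing import Iterable, List, Set, Tuple

EMBEDDED_TLDS = {"com", "net", "org", "cn", "edu", "gov"}  # assumption: a short list for the demo
RANDOM_LABEL = re.compile(r"^[a-z]{7,15}$")  # single-label probes of this shape are Chromium-like


def pattern_of(qname: str) -> Tuple[str, str]:
    """Map one query name to (pattern, likely cause)."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] in (["in-addr", "arpa"], ["ip6", "arpa"]):
        return ".".join("#" if l.isdigit() or len(l) == 1 else l for l in labels), "reverse-lookup"
    if len(labels) == 1 and RANDOM_LABEL.match(labels[0]):
        return "R", "random-probe"
    for i, lab in enumerate(labels[:-1]):
        if lab in EMBEDDED_TLDS:  # a public TLD in the middle: a search suffix was appended
            return "*." + ".".join(labels[i:]), "dns-suffix-appended"
    # Long tail: collapse hex runs and digit runs so near-duplicates share a pattern.
    generic = ".".join(re.sub(r"\d+", "#", re.sub(r"[0-9a-f]{8,}", "X", l)) for l in labels)
    return generic, "long-tail"


def cluster(names: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Return (pattern, count, cause) triples, most frequent first."""
    counts, causes = Counter(), {}
    for name in names:
        pat, cause = pattern_of(name)
        counts[pat] += 1
        causes[pat] = cause
    return [(pat, cnt, causes[pat]) for pat, cnt in counts.most_common()]


def long_tail(clusters, threshold: int = 1) -> Set[str]:
    """Patterns at or below the threshold: the unpatterned names worth watching."""
    return {pat for pat, cnt, _ in clusters if cnt <= threshold}


# Constructed sample of NXDOMAIN query names (not real resolver data).
SAMPLE_NXDOMAIN = [
    "www.google.com.corp.example.", "mail.google.com.corp.example.", "cdn.example.net.corp.example.",
    "10.2.0.192.in-addr.arpa.", "20.2.0.192.in-addr.arpa.",
    "qwzrtplk", "bfhdsjqpw",
    "host-1234.lab.example.", "host-5678.lab.example.",
    "malicious-c2.evil.example.",
]

if __name__ == "__main__":
    clusters = cluster(SAMPLE_NXDOMAIN)
    for pat, cnt, cause in clusters:
        print(f"{cnt:4d}  {cause:20s}  {pat}")
    print("long tail:", sorted(long_tail(clusters)))
```

On a real feed the threshold would be a rate rather than a count, and the interesting output is the long-tail set over time: a pattern that moves from the tail into the head within hours is the "large-scale NXDOMAIN event" the paper proposes to watch for.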
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.