Thursday, Jul 17, 2025 // (IG): BB // GITHUB // SN R&D
PROJECT UPDATE:
This scrapes, parses, and dedupes stories every six hours. It’s not evaluated, but it’s a great way to get a glimpse of the news/threat-scape.
NEWS:
US Moves to Ban Chinese Tech in Undersea Internet Cables Over Espionage Fears
NOTE:
Global Times, a Chinese Communist Party-affiliated outlet, published a strongly worded editorial condemning the U.S. Federal Communications Commission’s upcoming vote to restrict undersea cable projects involving Chinese technology. The paper quoted Zhou Mi of the Ministry of Commerce, who called the move “a unilateral measure” based on “subjective assumptions,” alleging it would harm U.S. infrastructure and global internet development. Citing past statements from China’s Foreign Ministry, the article accused Washington of “abusing state power,” constructing a “small yard with high fences,” and obstructing other countries’ rights to choose their tech partners. The article repeatedly invoked fairness, inclusiveness, and mutual benefit — core tropes in Chinese geopolitical rhetoric — while sidestepping legitimate national security concerns raised by U.S. agencies about surveillance and sabotage risks linked to state-backed Chinese firms. (GT)
Bottom Line Up Front (BLUF): The U.S. Federal Communications Commission (FCC) has announced plans to ban the use of Chinese technology in undersea telecommunications cables connecting the United States. The initiative aims to mitigate cyber and physical threats posed by foreign adversaries, especially China, to critical internet infrastructure.
Analyst Comments: This policy marks a significant expansion of U.S. efforts to decouple critical infrastructure from Chinese technology, reflecting growing concerns over espionage risks in global data transmission networks. Undersea cables carry most of international internet traffic, making them a high-value surveillance and sabotage target. The decision comes amid increased global scrutiny following past incidents of alleged sabotage and cable cuts. This move will likely further strain U.S.-China tech relations and could trigger retaliatory restrictions or new alliances among digital infrastructure providers.
FROM THE MEDIA: Chair Brendan Carr emphasized the threat posed by foreign adversaries, noting prior cases of cable link cancellations with Hong Kong and increased geopolitical tensions surrounding data infrastructure. The FCC cited specific risks tied to companies like Huawei, ZTE, China Mobile, and China Telecom, all previously listed as national security threats. The announcement follows incidents of suspected sabotage of submarine cables in the Baltic Sea and alleged Chinese involvement in cutting Taiwan’s internet connections in 2023.
READ THE STORY: AsiaOne
Unrestricted Warfare: U.S. Must Develop a Strategic Doctrine to Counter China’s Asymmetric Threats
Bottom Line Up Front (BLUF): China’s long-standing doctrine of “Unrestricted Warfare” has evolved into a blueprint for subverting global norms through cyber, economic, psychological, and legal tactics. A recent policy brief warns that the U.S. lacks a cohesive doctrine to counter these hybrid threats and risks mimicking authoritarian strategies without a strategic identity.
Analyst Comments: The U.S. response remains fragmented and reactive, lacking a unified framework to deal with below-threshold warfare. A coherent American doctrine must integrate cybersecurity, counterintelligence, economic statecraft, and influence operations, while retaining the core values of democratic governance. Failure to do so risks both strategic failure and the erosion of civil liberties.
FROM THE MEDIA: Shane McNeil examines the enduring relevance of China’s 1999 “Unrestricted Warfare” strategy and its impact on U.S. national security. The Chinese Communist Party has weaponized global interdependence, leveraging everything from telecom infrastructure to academic partnerships. The U.S., in contrast, continues to compartmentalize defense, diplomacy, and economic security. McNeil argues that the U.S. must counter China’s seamless approach with its own integrated strategy rooted in transparency, resilience, and alliance-building—what he calls “total strategic competition.” The brief calls for offensive counterintelligence, ethical tech dominance, and stronger allied cyber norms to push back against authoritarian influence without sacrificing American identity.
READ THE STORY: Clearance Jobs
DoD Under Fire for Granting China-Based Engineers Access to Pentagon Systems
Bottom Line Up Front (BLUF): A ProPublica investigation revealed that Microsoft-employed engineers in China had access to U.S. Department of Defense (DoD) systems for nearly a decade. Working under loose supervision, these engineers could interact with sensitive military data via cloud system maintenance roles, raising major national security concerns amid escalating Chinese cyber threats.
Analyst Comments: The apparent failure to vet foreign nationals with access to “High Impact Level” military data is especially alarming given China’s aggressive cyber posture. As the U.S. works to safeguard its critical infrastructure, such oversights may offer adversaries backdoor entry points. Expect growing bipartisan pressure on Congress and federal agencies to overhaul contractor security policies and scrutinize relationships with multinational vendors like Microsoft.
FROM THE MEDIA: According to the Foundation for Defense of Democracies, a ProPublica report disclosed that Microsoft-employed engineers in mainland China helped maintain the Pentagon’s cloud systems. These engineers were allowed access via “digital escorts”—underqualified U.S. staff who manually entered commands on their behalf. This setup potentially exposed classified or sensitive military data to Chinese operatives. The loophole illustrates broader third-party software risks, reminiscent of recent Chinese-linked intrusions involving BeyondTrust and Microsoft email servers. The policy brief also links the issue to China’s ongoing cyber campaigns, such as “Volt Typhoon” and “Flax Typhoon,” which aim to pre-position within U.S. infrastructure for potential future disruption.
READ THE STORY: FDD
Claude Desktop Exploited via Gmail Message in Groundbreaking AI Self-Hack Scenario
Bottom Line Up Front (BLUF): A cybersecurity researcher has demonstrated a novel exploit chain involving Gmail and Claude Desktop, Anthropic’s AI assistant. The attacker used Model Context Protocol (MCP) integrations to socially engineer Claude into crafting its own exploit, ultimately triggering code execution without exploiting any traditional software vulnerabilities.
Analyst Comments: The fact that Claude aided in refining the exploit — and even offered to co-author a disclosure — highlights the unpredictable dynamics introduced by agentic AI. As LLM-powered systems gain execution rights and app access, these interaction-based exploits could become common. It calls for AI security models to move beyond patching individual components and instead focus on secure orchestration, trust boundaries, and delegation protocols.
FROM THE MEDIA: Using the Model Context Protocol (MCP), the researcher tricked Claude into helping refine phishing-style payloads that ultimately triggered code execution on the local system. The exploit didn’t involve zero-days but relied on Claude’s lack of memory persistence across sessions, enabling the researcher to iterate on attack content. The assistant offered feedback after each failure and eventually provided successful payload suggestions. The root of the vulnerability lies in compositional risk — how multiple secure systems, when integrated, can become insecure in tandem. The incident has prompted renewed calls for AI-specific security standards, particularly for agents integrated with tools that can execute commands or access user systems.
READ THE STORY: GBhackers
‘Matanbuchus 3.0’ Loader Supercharges Targeted Ransomware Attacks
Bottom Line Up Front (BLUF): An upgraded version of the premium malware loader Matanbuchus 3.0 enables highly targeted ransomware attacks by evading endpoint detection and leveraging advanced stealth techniques. Sold as malware-as-a-service (MaaS) on the dark web, the loader now supports DNS-based command-and-control (C2), impersonates legitimate apps, and facilitates in-memory execution of malicious payloads.
Analyst Comments: Its DNS-based C2 and EDR-detection capabilities highlight increasing sophistication among threat actors seeking to bypass enterprise-grade defenses. As MaaS markets grow more refined, defenders must anticipate advanced evasion techniques embedded in what were once considered “secondary” payloads. Expect tools like Matanbuchus to play a central role in high-value ransomware operations through 2025 and beyond.
FROM THE MEDIA: Matanbuchus 3.0, a high-end malware loader sold for $10,000–$15,000/month, has been rewritten to support stealthy ransomware delivery. First observed in campaigns beginning in late 2024, the loader has since been deployed via IT help desk impersonation scams, often through Microsoft Teams. Attackers persuade targets to enable Quick Assist, which downloads and sideloads the loader. Matanbuchus identifies installed EDR/XDR tools (e.g., CrowdStrike, SentinelOne, Trellix) and adapts its tactics accordingly. New features include DNS-based C2 (harder to block), in-memory execution, obfuscated persistence mechanisms, and anti-analysis techniques. Its use has been documented in attacks against the finance and real estate sectors across the U.S. and Europe.
READ THE STORY: DR
North Korean Hackers Exploit Ivanti and Fortinet VPN Vulnerabilities to Breach Japanese Firms
Bottom Line Up Front (BLUF): A sharp rise in cyber espionage attacks against Japanese companies during FY2024 has been linked to North Korean threat actors exploiting zero-day vulnerabilities in Ivanti and Fortinet VPN appliances. The attackers targeted high-value sectors such as manufacturing and finance, using malware like BeaverTail, RokRAT, and PlugX, spear phishing, social engineering, and infected USBs to gain initial access.
Analyst Comments: By targeting developer environments and leveraging "living off the land" techniques, these actors reduce their forensic footprint, complicating detection and response. The use of cloud services for data exfiltration and the targeting of cryptocurrency wallets reflect a hybrid strategy of espionage and financial gain. As VPN infrastructure remains a critical attack vector, Japanese firms—and global enterprises alike—must accelerate patching, EDR hardening, and zero-trust architecture adoption.
FROM THE MEDIA: Japan-based organizations were hit by a surge of cyberattacks during FY2024 (April 2024–March 2025), with researchers from Macnica’s Security Research Center attributing many of these to North Korean APT groups. Attackers often used spear phishing and social engineering via LinkedIn to infect systems with BeaverTail, InvisibleFerret, and PlugX malware. The RokRAT backdoor was used to stealthily exfiltrate data to cloud services. Attackers exploited zero-day RCE vulnerabilities in Ivanti and Fortinet VPN devices, particularly in overseas branches of Japanese manufacturing firms. Techniques included USB-based propagation and evasion of EDR systems using tools like WinDivert. Targets included the technology, finance, and manufacturing sectors.
READ THE STORY: GBhackers
Iran’s President Orders Overhaul of Cyber Defense After Israeli and U.S. Attacks
Bottom Line Up Front (BLUF): Iranian President Masoud Pezeshkian has called for a sweeping review of national cybersecurity protocols following a surge in cyberattacks by Israel and the U.S. during a 12-day conflict. The directive emphasizes strengthening multi-layered protections and updating defensive strategies to secure Iran’s digital infrastructure.
Analyst Comments: The recent cyber assaults and kinetic strikes reveal how state adversaries are integrating cyberwarfare into broader military strategies. Iran’s shift toward formalizing and modernizing its cybersecurity architecture signals an intent to deter future intrusions and increase retaliatory capability in cyberspace.
FROM THE MEDIA: President Masoud Pezeshkian urged the Supreme Council of Cyberspace to conduct a comprehensive review of Iran’s national data protection protocols. The announcement follows recent cyberattacks launched by Israel and the U.S. during a joint offensive that targeted Iranian nuclear facilities and military figures. The report detailed how Israeli cyber operations disabled banking systems and state TV broadcasts, prompting retaliatory missile strikes from Iran, including one that reportedly bypassed Israel’s air defense. In the wake of these events, Iran’s National Cyberspace Center briefed the president on repelled threats, and Pezeshkian ordered protocol updates and defense process re-engineering to harden critical infrastructure.
READ THE STORY: IFP
China-linked hackers target Taiwan's chip industry with increasing attacks
Bottom Line Up Front (BLUF): Multiple Chinese-affiliated cyber espionage groups have ramped up attacks on Taiwan’s semiconductor industry, according to new research by Proofpoint. At least 15–20 organizations, including chipmakers and investment analysts, were targeted between March and June 2025 amid escalating U.S.-China tensions over chip exports.
Analyst Comments: As geopolitical competition intensifies—particularly over AI and critical infrastructure—the cyber threat landscape for semiconductor firms will grow increasingly complex. Though not new in objective, these attacks are becoming more sophisticated and diversified in delivery tactics, such as spear-phishing via academic or job-seeking disguises. Defensive posture must include enhanced vigilance on third-party communications and cross-sector coordination, especially among smaller suppliers and financial analysts linked to chip investments.
FROM THE MEDIA: The tactics included spear-phishing emails from compromised university accounts and fake investment collaboration requests. Victims included small businesses and analysts at an unnamed U.S.-headquartered bank. Though specific company names were not disclosed, Taiwan’s top chip firms such as TSMC, MediaTek, UMC, and Nanya were likely of interest. A parallel finding by Taiwan-based cybersecurity firm TeamT5 noted a similar uptick in phishing activity tied to a group known as “Amoeba,” which recently targeted a chemical supplier in the chip supply chain. Beijing denies involvement, maintaining a public stance against cybercrime.
READ THE STORY: Reuters
Operation Eastwood disrupted operations of pro-Russian hacker group NoName057(16)
Bottom Line Up Front (BLUF): International law enforcement agencies have dismantled major infrastructure tied to the pro-Russian hacktivist group NoName057(16). Operation Eastwood, conducted between July 14–17, 2025, led to two arrests, seven arrest warrants, and the takedown of over 100 servers involved in orchestrating DDoS attacks on Ukraine-supporting nations.
Analyst Comments: NoName057(16)’s operational model—low-skill, ideologically driven actors enabled by gamified incentives and tools like DDoSia—demonstrates how nation-state-aligned hacktivism can scale globally. While infrastructure disruption weakens immediate operations, the group's decentralized and ideologically motivated nature may facilitate rapid regrouping. Expect continued propaganda and opportunistic strikes, possibly retaliatory, as the group adapts.
FROM THE MEDIA: According to Europol, Operation Eastwood was executed with coordination across 13 core nations, supported by 7 others, and private sector entities like ShadowServer and abuse.ch. The crackdown resulted in 24 house searches and outreach to over 1,000 group supporters, some of whom were warned of legal repercussions. NoName057(16) primarily conducts DDoS attacks and has targeted institutions in Germany, Sweden, Switzerland, and the Netherlands since 2023. They use social media, forums, and niche apps for recruitment, bolstered by cryptocurrency incentives and gamified tactics such as leaderboards. Five suspects are now listed on the EU Most Wanted website, and a significant portion of the group's infrastructure has been taken offline.
READ THE STORY: Security Affairs
Malware Campaign Weaponizes WordPress Core File to Redirect Users and Poison SEO
Bottom Line Up Front (BLUF): A sophisticated malware campaign has compromised WordPress websites by injecting malicious PHP code into core files, enabling redirects to phishing sites and manipulating SEO. The attack centers on a modified wp-settings.php file that loads hidden payloads from a ZIP archive, evading detection while silently hijacking site behavior.
Analyst Comments: The use of obfuscated ZIP-based loaders, dynamic C2 routing, and anti-bot evasion indicates a well-resourced threat actor likely targeting high-traffic WordPress environments for profit and manipulation. SEO poisoning adds reputational and operational risk beyond traditional malware infections, especially for organizations reliant on organic traffic. Web admins must treat CMS core file integrity as a high-priority security issue.
FROM THE MEDIA: The injected code uses the zip:// stream wrapper to include malicious scripts from a concealed win.zip archive. These scripts dynamically determine their behavior based on the URI path and visitor profile, enabling content injection, redirection to malicious domains, and search engine manipulation. SEO poisoning techniques include falsified Google verification responses and rogue robots.txt entries that direct crawlers to attacker-controlled sitemaps. The campaign employs anti-bot mechanisms to suppress malicious actions when accessed by search engine crawlers, improving evasion and longevity. Redirect destinations include domains like enturbioaj[.]xyz and icercanokt[.]xyz, associated with spam and phishing activity.
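As an added defender-side example (not code from the original story or from any vendor), the script below scans a WordPress tree for the two indicators the report describes: a PHP core file that pulls code in through the zip:// stream wrapper, and a robots.txt whose Sitemap entries point crawlers at a host other than the site’s own. The file contents, the win.zip include line and the attacker.invalid host are constructed samples.

```python
"""Indicator scan for a zip://-loader WordPress compromise (constructed sample data)."""
import re
from urllib.parse import urlparse

# include/require that names the zip:// wrapper, e.g. include 'zip://.../win.zip#loader.php';
ZIP_INCLUDE_RE = re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]zip://", re.I)
# any other use of the wrapper (file_get_contents, fopen, ...) is still worth a look
ZIP_WRAPPER_RE = re.compile(r"zip://", re.I)
SITEMAP_RE = re.compile(r"^\s*Sitemap:\s*(\S+)", re.I | re.M)


def find_zip_includes(php_source: str) -> list[int]:
    """1-based line numbers where PHP code includes a script via zip://."""
    return [i for i, line in enumerate(php_source.splitlines(), 1)
            if ZIP_INCLUDE_RE.search(line)]


def find_zip_wrapper_uses(php_source: str) -> list[int]:
    """1-based line numbers with any zip:// reference (superset of the includes)."""
    return [i for i, line in enumerate(php_source.splitlines(), 1)
            if ZIP_WRAPPER_RE.search(line)]


def foreign_sitemaps(robots_txt: str, site_host: str) -> list[str]:
    """Sitemap: URLs in robots.txt whose host differs from the site's own host."""
    hits = []
    for url in SITEMAP_RE.findall(robots_txt):
        host = (urlparse(url).hostname or "").lower()
        if host != site_host.lower():
            hits.append(url)
    return hits


def scan_site(files: dict[str, str], site_host: str) -> list[tuple[str, str]]:
    """files maps a relative path to its content; returns (path, finding) pairs."""
    findings = []
    for path, content in files.items():
        if path.endswith(".php"):
            for ln in find_zip_includes(content):
                findings.append((path, f"zip:// include on line {ln}"))
        elif path.endswith("robots.txt"):
            for url in foreign_sitemaps(content, site_host):
                findings.append((path, f"sitemap on foreign host: {url}"))
    return findings


# Constructed samples: a clean and a tampered wp-settings.php, plus a poisoned robots.txt
CLEAN_SETTINGS = "<?php\nrequire_once ABSPATH . WPINC . '/load.php';\n"
TAMPERED_SETTINGS = (
    "<?php\n"
    "require_once ABSPATH . WPINC . '/load.php';\n"
    # hypothetical injected loader line, modelled on the reported technique
    "@include 'zip://' . ABSPATH . 'wp-includes/win.zip#loader.php';\n"
)
SAMPLE_ROBOTS = (
    "User-agent: *\nDisallow: /wp-admin/\n"
    "Sitemap: https://example.com/sitemap.xml\n"
    "Sitemap: https://attacker.invalid/sitemap.xml\n"  # constructed rogue entry
)

if __name__ == "__main__":
    sample = {"wp-settings.php": TAMPERED_SETTINGS, "robots.txt": SAMPLE_ROBOTS}
    for path, finding in scan_site(sample, "example.com"):
        print(f"{path}: {finding}")
```

Run it against a real install by reading each file under the WordPress root into the dictionary; a hit on a core file such as wp-settings.php should be followed by a diff against a pristine copy of the same WordPress release.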
READ THE STORY: GBhackers
Items of interest
Middle East Conflict Spurs Surge in Defense Tech and Cybersecurity Investments
Bottom Line Up Front (BLUF): Ongoing instability and escalating tensions in the Middle East are driving a significant uptick in global defense technology and cybersecurity investments. Private equity firms and sovereign wealth funds are directing capital toward military AI, drone platforms, and critical infrastructure protection, especially in light of increasing hybrid threats.
Analyst Comments: The fusion of traditional arms manufacturing with advanced cyber capabilities—especially around AI-driven surveillance, autonomous drones, and critical infrastructure hardening—signals a broader shift toward hybrid defense postures. Expect further M&A activity and increased government-private sector collaboration as demand for “war tech” accelerates. Cybersecurity vendors that provide OT/ICS protection are particularly well-positioned for growth.
FROM THE MEDIA: Recent funding rounds have favored companies specializing in AI-driven missile defense, battlefield autonomy, and dual-use cybersecurity applications. Analysts highlight the 2024 Gaza conflict and Iranian cyber offensives as catalysts for the current spike. Defense-tech firms in Israel, the U.S., and Gulf states have seen valuations climb, with cyber startups targeting oil and water infrastructure defense securing key government contracts. Sovereign funds from the UAE and Saudi Arabia have reportedly increased allocations to national security-related tech portfolios.
READ THE STORY: Ainvest
Latest Developments in Combating Russian Influence Operations in CEE: Voice of Europe and Storm 1516 (Video)
FROM THE MEDIA: Ms. Nathalie Vogel discusses "Latest Developments in Combating Russian Influence Operations in CEE: Voice of Europe and Storm 1516."
How a false story about assassinating Tucker Carlson spread from a Russian disinformation campaign (Video)
FROM THE MEDIA: This is how one Russian propaganda campaign started. Successful efforts to spread disinformation, including this false conspiracy theory about Ukraine and #TuckerCarlson, have reached huge American audiences, top political creators and even members of Congress.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.