Saturday, Jul 19, 2025 // (IG): BB // GITHUB // SN R&D
PROJECT UPDATE:
This scrapes, parses, and dedupes stories every six hours. It’s not evaluated, but it’s a great way to get a glimpse of the news/threat-scape. (click the image)
NEWS:
From Honkers to APTs: How China’s Patriotic Hackers Became Elite Cyberspies
Bottom Line Up Front (BLUF): A new investigation published by WIRED details how China’s early “Honker” hacker groups—once seen as loosely organized patriotic activists—evolved into the backbone of modern Chinese cyberespionage units. Many of these hackers, including notable figures like Tan Dailin, were later absorbed by the People’s Liberation Army (PLA) and Ministry of State Security (MSS), forming core components of groups like APT41.
Analyst Comments: Honkers laid the cultural and technical foundation for China’s modern cyber apparatus. By tracing these roots, the report helps contextualize China’s whole-of-society approach to cyber operations, blending patriotic sentiment, technical talent, and state sponsorship. As cyber tensions escalate globally, this legacy may continue to fuel China’s expansive cyber workforce and capacity for state-sanctioned digital operations.
FROM THE MEDIA: The piece centers on Tan Dailin (aka “Wicked Rose”), who transitioned from defacing foreign websites to building sophisticated malware and backdoors like GinWui and PlugX for the PLA. His group, the Network Crack Program Hacker (NCPH), was among the first Chinese collectives to conduct coordinated espionage on behalf of the state. Over time, other Honkers followed suit, joining intelligence-linked firms like Topsec and Venustech, or forming their own, such as NSFocus and i-Soon. These actors and their tools—including HTRAN, ShadowPad, and X-Scan—became central to Chinese APT operations. A recent report by ETH Zurich researcher Eugenio Benincasa expands on this legacy, highlighting how former Honkers now run firms implicated in ongoing MSS operations, reinforcing the long-term institutionalization of China’s hacker underground.
READ THE STORY: WIRED
Cloudflare Confirms BGP Hijack Overlap During Major 1.1.1.1 DNS Outage
Bottom Line Up Front (BLUF): Cloudflare has attributed the July 14, 2025, global outage of its 1.1.1.1 DNS resolver to an internal configuration error, not a cyberattack. However, a simultaneous BGP hijack by Tata Communications India complicated the recovery, momentarily redirecting traffic to unauthorized systems.
Analyst Comments: The convergence of a config rollback and an opportunistic hijack underscores the fragile interdependence of global internet routing. This should prompt urgency around BGP route validation (e.g., RPKI) and infrastructure segmentation in DNS networks. As Cloudflare handles massive volumes of DNS queries daily, even brief disruptions highlight the internet’s dependence on a small number of key infrastructure providers.
FROM THE MEDIA: Cloudflare experienced a 62-minute global outage of its 1.1.1.1 public DNS service on July 14 due to a misconfiguration from preparations for a future Data Localization Suite (DLS). The outage began at 21:52 UTC when a routine change mistakenly withdrew BGP announcements for IP ranges including 1.1.1.0/24 and 1.0.0.0/24. Tata Communications India (AS4755) began advertising the same prefix during the route withdrawal, creating a BGP hijack scenario. Cloudflare quickly reverted the changes, restoring 77% of traffic by 22:20 UTC and complete recovery by 22:54 UTC. The company emphasized the hijack was unrelated to the outage’s root cause but did introduce complications to the resolution. The event highlights the cascading risks of configuration changes in globally distributed systems.
READ THE STORY: GBhackers
North Korean Hackers Drive Record $2.17 Billion in Crypto Theft in First Half of 2025
Bottom Line Up Front (BLUF): According to Chainalysis, hackers stole $2.17 billion in cryptocurrency during the first half of 2025, with over $1.5 billion attributed to a North Korean attack on Bybit, a Dubai-based crypto exchange. The total surpasses all crypto theft in 2024 and represents the largest first-half loss since records began in 2022.
Analyst Comments: The focus on both institutional targets and personal wallets signals a broadening threat landscape, where advanced persistent threats (APTs) are now blending cyber intrusion with physical coercion ("wrench" attacks). With cryptocurrency adoption rising globally, especially in underregulated regions, policymakers face increased urgency to implement global standards and improve both personal and organizational cyber hygiene.
FROM THE MEDIA: The bulk of that—$1.5 billion—was stolen in a North Korea-linked breach of the Bybit exchange in February, making it the largest single crypto heist ever recorded. In addition to the Bybit breach, there has been a sharp rise in personal wallet compromises and physical attacks targeting crypto holders, suggesting a dangerous convergence of digital and kinetic tactics. Other major victims span the U.S., Germany, Russia, Canada, and South Korea. The trend aligns with previous TRM Labs findings and echoes a U.N. report tracking $3 billion stolen by North Korea over the past five years. Chainalysis warns that thefts could exceed $4 billion by year-end.
READ THE STORY: The Record
Iranian APT Hackers Target Transportation and Manufacturing Sectors in New Cyberespionage Campaign
Bottom Line Up Front (BLUF): An Iranian-linked Advanced Persistent Threat (APT) group actively targets transportation and manufacturing sectors in the Middle East and Europe. The campaign involves phishing, credential theft, and custom backdoors to gather intelligence and maintain persistent access to critical infrastructure environments.
Analyst Comments: Threat actors aim to undermine logistics, production, and supply chain stability by targeting transportation and manufacturing areas critical to economic and military readiness. Using stealthy backdoors and region-specific targeting suggests careful reconnaissance and long-term planning. Such campaigns may escalate if geopolitical tensions in the Gulf or Eastern Mediterranean intensify.
FROM THE MEDIA: The campaign was uncovered by security researchers at Microsoft and Mandiant, who observed phishing lures tailored to sector-specific personnel and malware deployment for surveillance and data exfiltration. The attackers use custom implants and tools that evade traditional defenses, with evidence of prolonged dwell time and lateral movement across compromised networks. Victims are primarily located in the Middle East, but extensions into European supply chains have been detected. Attribution links the activity to Mint Sandstorm (formerly Phosphorus or APT35), a known Iranian threat group.
READ THE STORY: GBhackers
NATO Endorses “Cyber Defence Pledge Plus” to Bolster Collective Resilience and Operational Readiness
Bottom Line Up Front (BLUF): At the Washington Summit in July 2025, NATO leaders adopted the “Cyber Defence Pledge Plus”, a renewed commitment to strengthen cyber defense capabilities across the Alliance. The initiative focuses on operational readiness, public-private partnerships, talent development, and resilience against hybrid and cyber threats.
Analyst Comments: The inclusion of industry collaboration and talent pipelines signals a shift from purely state-centric defense to a broader ecosystem approach. With adversaries increasingly targeting critical infrastructure and communication networks, especially in Eastern Europe and the Indo-Pacific, NATO’s emphasis on joint resilience and proactive defense planning is timely. Implementation will depend heavily on individual member states aligning policy and investment priorities with the pledge’s framework.
FROM THE MEDIA: The updated agreement includes enhanced commitments to operational collaboration, increased military cyber integration, and the expansion of cyber training and workforce development. It also reaffirms NATO’s deterrence posture, stating that a significant cyberattack could trigger Article 5. The pledge calls for greater intelligence-sharing and interoperability between member states, especially in light of recent hybrid threats and offensive cyber campaigns targeting NATO infrastructure. The initiative aligns with NATO’s Digital Transformation vision and complements its growing cyber partnerships with EU and Indo-Pacific partners.
READ THE STORY: NATO
Hackers Use DNS Records to Hide Malware and Launch Prompt Injection Attacks
Bottom Line Up Front (BLUF): An Iranian-linked Advanced Persistent Threat (APT) group actively targets transportation and manufacturing sectors in the Middle East and Europe. The campaign involves phishing, credential theft, and custom backdoors to gather intelligence and maintain persistent access to critical infrastructure environments.
Analyst Comments: While DNS abuse for command-and-control (C2) channels is well-known, embedding malware payloads and LLM-specific attacks in TXT records is subtle and scalable. As DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) adoption grows, encrypted DNS traffic will further obscure malicious lookups from network-based monitoring. Enterprises should consider integrating DNS behavior analytics and enforcing strict outbound DNS resolution policies. This attack method also signals a concerning fusion of traditional malware delivery and AI-specific exploitation.
FROM THE MEDIA: The malicious binary, used in a nuisance program dubbed Joke Screenmate, was encoded into hexadecimal, broken into hundreds of pieces, and stored across multiple subdomains of whitetreecollective[.]com. Once inside a compromised network, an attacker could send innocuous DNS requests to retrieve and reconstruct the full payload. The method avoids detection by antivirus and endpoint solutions that don’t inspect DNS traffic. In a more alarming twist, researchers also found prompt injection text payloads embedded in DNS records—designed to manipulate AI models into executing unauthorized commands, such as deleting data or returning random information. These findings underscore how DNS, often overlooked, can be weaponized in both traditional malware operations and next-generation AI attacks.
READ THE STORY: WIRED
‘Waffled’: New Technique Evades WAFs to Target Web Applications with Stealth Payload Delivery
Bottom Line Up Front (BLUF): Threat actors are actively using a novel attack technique named “Waffled” to bypass Web Application Firewalls (WAFs) and infiltrate web applications. The method exploits header manipulation and HTTP smuggling to deliver malicious payloads undetected, posing a serious risk to cloud-hosted services and API-driven applications.
Analyst Comments: The technique is hazardous for applications that rely on cloud-native APIs, microservices, or edge networks, where WAF misconfigurations are common. Organizations should expect a rise in low-and-slow WAF bypass tactics and proactively deploy behavioral anomaly detection and deep packet inspection. This also reinforces the need for continuous red teaming and secure coding practices at the application layer.
FROM THE MEDIA: The method involves manipulating HTTP headers, using fragmented or malformed requests that WAFs may fail to parse correctly. Once the malicious payload is injected, it reaches backend servers directly, sidestepping perimeter defenses. The researchers also demonstrated how Waffled could be used in credential harvesting, data exfiltration, and lateral movement within cloud environments. The technique has been tested against multiple commercial WAF products, with several showing vulnerability to the bypass. The attack has yet to be attributed to a specific threat group but is already being adopted in underground forums.
READ THE STORY: GBhackers
Singapore Confirms Cyber Espionage Attacks on Critical Infrastructure by Suspected Chinese Group UNC3886
Bottom Line Up Front (BLUF): Singapore has publicly acknowledged cyberattacks on its critical infrastructure by a state-linked espionage group known as UNC3886, believed to be aligned with Chinese intelligence interests. According to Mandiant, the group is known for targeting defense, telecom, and high-tech sectors across Asia and the U.S.
Analyst Comments: UNC3886’s focus on hard-to-defend systems, such as virtualized environments and out-of-band management infrastructure, reflects a broader trend toward stealthy, persistent access. Singapore’s transparency could prompt neighboring countries to reevaluate their exposure and incident disclosure practices. The targeting of national infrastructure reinforces the geopolitical dimension of cybersecurity in the Indo-Pacific.
FROM THE MEDIA: Coordinating Minister for National Security K. Shanmugam emphasized the group's ability to undermine national security by targeting essential services. However, no technical details were disclosed due to security concerns. Singapore’s critical infrastructure includes energy, finance, water, healthcare, and transportation sectors. Beijing has denied any involvement, reiterating its general opposition to cyberattacks. This disclosure follows similar espionage operations reported earlier this week targeting Taiwan’s semiconductor industry.
READ THE STORY: Reuters // The Record
Chinese State-Sponsored Hackers Target Global Semiconductor Industry in Coordinated Espionage Campaign
Bottom Line Up Front (BLUF): Chinese state-sponsored threat actors are conducting a sustained cyberespionage campaign against companies in the semiconductor sector, aiming to steal intellectual property and manufacturing secrets. The attacks involve spear-phishing, custom malware, and exploitation of known vulnerabilities.
Analyst Comments: Targeting global semiconductor firms enables Beijing to shortcut R&D timelines and mitigate the effects of U.S.-led export controls. As competition intensifies over chip manufacturing and AI capabilities, such cyber operations are expected to expand in scale and sophistication. Organizations in the chip supply chain must now treat IP protection as a frontline security issue.
FROM THE MEDIA: Researchers from Cyble and ThreatMon linked the campaign to groups like APT41 and Winnti, known for conducting dual-purpose cyberespionage on behalf of China’s Ministry of State Security. Attack vectors include phishing emails tailored to engineers and IT staff, backdoors such as ShadowPad, and exploitation of vulnerabilities in enterprise software (e.g., VPNs and ERP systems). The attackers aim to exfiltrate trade secrets, chip designs, and fabrication process data. These intrusions are highly persistent, often maintaining stealthy access for months before detection.
READ THE STORY: CSN
Hackers Exploit Microsoft ClickFix Campaign to Deliver Malware via Social Engineering
Bottom Line Up Front (BLUF): Threat actors are leveraging Microsoft’s ClickFix campaign materials to deceive users into executing malware payloads under the guise of legitimate tech support. Security researchers have observed a rise in social engineering attacks that exploit trust in Microsoft branding and tools, leading to infections by remote access trojans (RATs) and information stealers.
Analyst Comments: The abuse of ClickFix—a Microsoft initiative meant to simplify troubleshooting—demonstrates how threat actors weaponize trusted platforms to enhance social engineering effectiveness. These attacks reflect a broader trend where adversaries co-opt legitimate corporate messaging for phishing and malware delivery. As attackers increasingly target user psychology and brand trust, enterprises must strengthen awareness training and detection of misuse of brand assets. Expect further evolution in adversary tactics exploiting automation tools and support frameworks.
FROM THE MEDIA: These emails urge users to click on "fix now" buttons or download utilities that allegedly address system errors. In reality, the links lead to malicious executables delivering malware like DarkGate RAT and Lumma Stealer. The campaigns exploit visual similarities to Microsoft’s legitimate design, increasing the likelihood of user interaction. Researchers from ThreatMon and Cyble identified overlapping infrastructure tied to multiple malware families, confirming a coordinated campaign. The malicious payloads grant attackers remote control, credential theft capabilities, and system surveillance.
READ THE STORY: GBhackers
Israel Confirms Ongoing Iranian Cyber Assaults Despite Ceasefire in Kinetic Conflict
Bottom Line Up Front (BLUF): During and after the recent 12-day war with Iran, Israel has faced a sustained cyber offensive targeting civilian contractors and critical infrastructure. Although Iranian hackers achieved limited success against soft targets, their attempts to compromise military systems and Israel’s missile alert network failed, thanks to strong defensive measures and proactive cyber countermeasures by Israeli forces.
Analyst Comments: Iran’s focus on supply chain targets reflects a strategic pivot to exploit weak links in Israel’s defense ecosystem. While Israel has demonstrated superior cyber resilience and intelligence-driven precision strikes, experts warn that Tehran will intensify its cyber buildup. The Israeli assessment underscores a long-term campaign where cyber deterrence must be maintained through defense and offensive disruption of adversary capabilities.
FROM THE MEDIA: While none of these high-stakes attacks succeeded, groups like “Handala” and “Cyber Toufan” did manage to breach smaller companies and leak data for psychological effect. Israeli forces, including the IDF’s Cyber Defense Brigade and National Cyber Directorate, assisted affected firms in real-time. Shay Nachum, former IDF cyber chief, stated that Iran’s cyber units are deeply motivated and actively trying to breach critical infrastructure like electric utilities and defense institutions. He emphasized that although Israel currently holds an advantage, Iran’s cyber capabilities are growing and could pose a more serious threat in future conflicts.
READ THE STORY: JNS
Threat Actors Hijack GitHub Accounts to Spread Malware via Trusted Repositories
Bottom Line Up Front (BLUF): Cybercriminals are compromising legitimate GitHub accounts to host and distribute malware through trusted repositories. These attacks exploit user trust in GitHub-hosted code, enabling stealthy distribution of information stealers and remote access trojans.
Analyst Comments: Attackers bypass traditional defenses like domain reputation checks by weaponizing legitimate GitHub accounts. The technique may also hint at credential reuse or weak authentication among developers. This trend is likely to escalate unless platform security and user hygiene improve, particularly through universal enforcement of multi-factor authentication (MFA) and behavioral anomaly detection.,
FROM THE MEDIA: The attackers clone popular projects and subtly embed payloads such as info stealers or RATs. Unsuspecting developers or users downloading these repositories unknowingly infect their systems. In some instances, repositories were forked, modified with malicious code, and starred to boost visibility. Security researchers have linked some stolen credentials to earlier phishing or credential stuffing attacks, highlighting the importance of strong authentication practices. GitHub has acknowledged the problem and is encouraging all users to enable MFA.
READ THE STORY: GBhackers
Salt Typhoon Hacks Edge Devices in Global Telecom Espionage Campaign
Bottom Line Up Front (BLUF): Since February 2025, the Chinese state-linked hacking group Salt Typhoon has compromised edge devices—like routers and switches—tied to at least seven global telecommunications firms. The intrusions allowed attackers to pivot toward sensitive telecom networks, continuing a long-term espionage campaign targeting communications infrastructure.
Analyst Comments: These devices serve as high-leverage entry points for deeper network infiltration, especially in telecom environments with legacy systems or weak segmentation. The campaign also aligns with China's broader intelligence objectives: gaining persistent access to global communications systems, likely to prepare for geopolitical contingencies. Expect increased scrutiny of telecom supply chains and regulatory calls for mandatory edge-device patching and segmentation policies.
FROM THE MEDIA: While the compromised routers and switches were client-owned—not part of core infrastructure—cybersecurity firm Recorded Future said the attackers used this access to communicate with known threat actor infrastructure and attempt deeper penetration. U.S. officials previously accused Salt Typhoon of targeting senior political figures and siphoning millions of user records. The campaign reportedly relied on old, unpatched vulnerabilities, with researchers tracking an uptick in global indiscriminate scanning and exploitation of edge devices. Despite denials from Beijing, analysts warn this activity reflects a strategy of building quiet, long-term footholds inside essential communications networks.
READ THE STORY: Bloomberg
‘Daemon-Ex-Plist’ Vulnerability Exposes Apple macOS to Local Privilege Escalation Attacks
Bottom Line Up Front (BLUF): A newly disclosed macOS vulnerability dubbed Daemon-Ex-Plist allows local attackers to escalate privileges by exploiting misconfigured property list (plist) files associated with system daemons. The flaw affects macOS Ventura and earlier versions, posing risks especially on shared or multi-user systems.
Analyst Comments: While not exploitable remotely, Daemon-Ex-Plist provides a reliable path to complete system compromise once initial access is gained. Its abuse potential is high in targeted attacks, especially by APTs or insiders. Apple’s push toward hardening macOS may lead to more scrutiny of such configuration-based flaws in future releases.
FROM THE MEDIA: These property list files are responsible for defining system-level services and daemons managed by launchd. If a plist file is writable by non-privileged users, it can be altered to execute arbitrary code as root. Security researchers demonstrated a proof of concept by injecting malicious commands into a vulnerable plist, which were then executed at system boot. Apple has not yet issued an official CVE or patch at publication, though users are advised to audit plist permissions and enforce least-privilege access policies.
READ THE STORY: GBhackers
UNG0002 Cyber Group Targets Chinese and Hong Kong Entities in Espionage Campaign
Bottom Line Up Front (BLUF): A newly disclosed cyberespionage campaign by the threat group UNG0002 has targeted government, diplomatic, and academic institutions in China and Hong Kong. The attackers deployed custom malware and employed phishing techniques to exfiltrate sensitive data and conduct surveillance operations.
Analyst Comments: While attribution remains unclear, the campaign demonstrates increasing complexity, with multi-stage malware and obfuscation techniques that bypass traditional endpoint defenses. This incident may signal rising cyber tensions in East Asia and internal interest in controlling narratives or monitoring dissent. The targeting of academic institutions also raises concerns about intellectual property and research surveillance.
FROM THE MEDIA: The operation began in early June and relied on spear-phishing emails containing malicious attachments to deliver a bespoke remote access trojan (RAT) dubbed "SPICA". Once installed, the malware facilitated credential theft, keystroke logging, and file exfiltration. Researchers from ThreatMon reported that the group employed novel anti-analysis techniques and encrypted communications channels to maintain stealth. Targets included universities, diplomatic offices, and policy think tanks. The motives remain unclear, though the level of sophistication suggests a nation-state sponsor.
READ THE STORY: THN
NimDoor macOS Malware Abuses Zoom SDK Updates to Bypass Detection and Deliver Payloads
Bottom Line Up Front (BLUF): A new macOS malware strain, NimDoor, exploits Zoom SDK update mechanisms to deploy backdoors and evade security controls. The malware masquerades as legitimate Zoom-related software to gain initial access, particularly targeting business users and developers on macOS.
Analyst Comments: NimDoor reflects a growing trend of attackers abusing third-party SDKs and update mechanisms, especially on platforms like macOS that rely heavily on trust-based execution. The malware exploits brand trust and user familiarity by impersonating a legitimate tool like Zoom. Its use of Nim (a less familiar language) helps avoid static detection. Expect future variants to use similar techniques on other collaboration and video conferencing platforms, increasing the need for supply chain scrutiny and secure SDK deployment practices.
FROM THE MEDIA: Cybersecurity researchers discovered the malware, which is written in the Nim programming language, which is known for evading signature-based detection systems. Once executed, NimDoor installs a backdoor that enables remote access, data exfiltration, and command execution. Attackers are distributing the malware via phishing emails and fake update sites, specifically targeting developers and organizations using Zoom's SDK integration. The campaign highlights the rising risk of third-party development tools being used as vectors for initial compromise.
READ THE STORY: GBhackers
Items of interest
U.S. House Examines Legacy of Stuxnet and Its Impact on Critical Infrastructure Cybersecurity
Bottom Line Up Front (BLUF): The U.S. House Subcommittee on Cybersecurity and Infrastructure Protection will hold a hearing on July 23 to evaluate how Stuxnet, discovered 15 years ago, reshaped cyber warfare and influenced modern threats to operational technology (OT) and critical infrastructure. Lawmakers will hear from cybersecurity leaders and experts as they consider policy reforms, including changes to reporting timelines and potential offensive cyber postures.
Analyst Comments: Its legacy continues influencing adversary playbooks, including campaigns by actors like Volt Typhoon and APT41. The House hearing is not just retrospective; it signals growing bipartisan interest in rebalancing cyber doctrine toward resilience, offensive readiness, and streamlined regulation. With looming CIRCIA deadlines and debates over incident reporting timeframes, the testimony could shape future U.S. cyber policy, particularly regarding public-private coordination and response flexibility.
FROM THE MEDIA: Subcommittee Chair Rep. Andrew Garbarino (R-NY) framed the hearing as an opportunity to examine how the world's first digital weapon continues to influence threat actors targeting OT systems. Witnesses will include Kim Zetter (author of Countdown to Zero Day), Robert Lee (CEO of Dragos), and others from government labs and policy circles. The hearing also occurs amid major cyber legislation deadlines, including reauthorizing the Cybersecurity Information Sharing Act (CISA) and finalizing CIRCIA rules. Experts warn that legacy systems, reporting complexity, and threat evolution all demand updated policy and operational strategies.
READ THE STORY: SC Media
Stuxnet: The Full Story of the World's First Digital Superweapon that destroyed Iran's nuclear (Video)
FROM THE MEDIA: Have you ever heard of a weapon made of pure code? A gun that can cross any border, leap over any defense, and physically destroy a country's most protected infrastructure from the inside out?
STUXNET: The Virus that Almost Started WW3 (Video)
FROM THE MEDIA: In June last year, a computer virus called Stuxnet was discovered lurking in the data banks of power plants, traffic control systems, and factories worldwide. Pandora's box has been opened; on the new battlefield, the aggressors are anonymous, the shots are fired without starting wars, and the foot soldiers can pull their triggers without leaving their desks.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.