Sunday, Jul 20, 2025 // (IG): BB // GITHUB // SN R&D
PROJECT UPDATE:
This tool scrapes, parses, and dedupes stories every six hours. Its output is not analyst-evaluated, but it is a quick way to get a glimpse of the news and threat landscape.
NEWS:
Chinese Threat Actors Operate 2,800 Malicious Domains to Distribute Windows Malware
Bottom Line Up Front (BLUF): Cybersecurity researchers have uncovered a massive infrastructure of over 2,800 malicious domains linked to Chinese state-backed threat actors. The network has been used to conduct cyber espionage and phishing attacks against global targets in government, defense, and critical industries.
Analyst Comments: The network size suggests a well-funded, organized threat actor with persistent access goals. Such large-scale infrastructure is often a precursor to widespread espionage or influence operations, especially amid growing geopolitical tensions. Organizations should prioritize domain monitoring, threat intelligence integration, and DNS filtering as frontline defenses.
FROM THE MEDIA: These domains were used in coordinated phishing, malware distribution, and command-and-control (C2) operations. The infrastructure has been active since at least 2021 and targets a range of global entities, including government agencies, telecommunications, and energy providers. The attackers are believed to be affiliated with China’s state-sponsored cyber apparatus, utilizing both bespoke and off-the-shelf tools to exploit victims. Infoblox noted that many domains mimicked legitimate services to deceive users and evade detection.
READ THE STORY: GBhackers
China Rebukes Singapore Media Over Cyber Espionage Claims Tied to UNC3886
Bottom Line Up Front (BLUF): China’s embassy in Singapore has condemned local media reports and official remarks linking cyberespionage group UNC3886 to Beijing. The backlash follows Singaporean Minister K. Shanmugam's attribution of cyberattacks on national infrastructure to the China-nexus APT, citing assessments from cybersecurity firm Mandiant.
Analyst Comments: UNC3886 has a documented history of stealthy, infrastructure-focused operations, often tied to Chinese state interests. Beijing’s vehement denial and emphasis on its own victimhood are common patterns in response to cyber attribution, aimed at preserving international standing and deflecting blame. The exchange highlights how cybersecurity discourse is now central to international relations, particularly in tech-savvy hubs like Singapore.
FROM THE MEDIA: The criticism was prompted by Coordinating Minister for National Security K. Shanmugam’s July 18 remarks, where he identified the group as a significant threat to Singapore's critical infrastructure and cited Google-owned Mandiant’s attribution of UNC3886 to China. In response, the embassy called these claims “groundless smears,” asserting that China opposes hacking and is itself a major victim of cyberattacks. Citing examples of foreign attacks on Chinese infrastructure, Beijing called for joint international cybersecurity efforts rather than public accusations.
READ THE STORY: TheOnlineCitizen
Firmware Vulnerabilities Continue to Plague Supply Chain
Bottom Line Up Front (BLUF): Gigabyte has disclosed four critical firmware vulnerabilities affecting older Intel-based motherboards. These flaws allow attackers to execute persistent implants in System Management Mode (SMM). Although originally patched by firmware vendor AMI years ago, these flaws were never fully propagated downstream, highlighting systemic weaknesses in firmware supply chain security.
Analyst Comments: As endpoint protections strengthen, firmware has become a soft underbelly for attackers, particularly in nation-state and espionage operations. This reinforces calls for stricter firmware lifecycle management, default-secure configurations, and the adoption of automated analysis tools. Expect growing regulatory attention on firmware integrity as persistent threats like UEFI boot kits rise.
FROM THE MEDIA: While the root flaws were addressed by BIOS vendor AMI years ago, many Gigabyte systems still ship with vulnerable code due to inadequate disclosure and patch distribution practices. The vulnerabilities allow attackers with local access to bypass Secure Boot and install stealthy implants resistant to traditional detection. The CERT/CC report warned that these vulnerabilities could enable complete system takeover, including tampering with BIOS firmware and disabling critical security mechanisms. Experts say firmware’s growing complexity and the competitive rush to market continue to sideline security considerations across the hardware ecosystem.
READ THE STORY: DR
From Code to Coercion: The Evolving Threat of North Korean Crypto Hackers
Bottom Line Up Front (BLUF): North Korea-linked hacking groups are responsible for nearly 70% of all crypto-related thefts in 2025, with losses already exceeding $2.17 billion in the first half of the year. The most significant incident so far, a $1.5 billion breach of the Bybit exchange, demonstrates the regime’s reliance on digital heists to evade sanctions.
Analyst Comments: The sophistication of these attacks—often exploiting insiders and bypassing security controls—reflects a mature threat ecosystem. With the rise of “wrench attacks,” physical coercion now complements digital theft, highlighting how crypto security must span both digital and physical realms. These hybrid tactics will likely persist and evolve without stronger global regulation and cross-border cooperation.
FROM THE MEDIA: North Korean hackers have been implicated in a majority of cryptocurrency thefts this year, totaling over $2.17 billion in stolen digital assets. The FBI attributes the $1.5 billion Bybit breach in February to North Korea’s “TraderTraitor” group, known for infiltrating crypto exchanges through social engineering and insider access. Once compromised, the attackers convert stolen assets into Bitcoin and launder funds across thousands of wallets. Alongside digital breaches, violent “wrench attacks” — including kidnappings and assaults — are on the rise globally. Victims have been identified across the U.S., Germany, Japan, and Southeast Asia, sparking calls for more comprehensive digital asset protection strategies.
READ THE STORY: The 420
Fancy Bear Hackers Target Governments and Military Entities with Advanced Tools
Bottom Line Up Front (BLUF): Russian state-backed threat group Fancy Bear (APT28) has expanded its global espionage efforts, targeting government and military institutions with advanced malware and exploitation techniques. Recent campaigns exploit known CVEs and sophisticated phishing vectors to breach high-value targets, particularly in Ukraine and its Western allies.
Analyst Comments: The group remains a dominant player in cyber espionage by adapting malware payloads and exploiting both technical and human vulnerabilities. Their alignment with the MITRE ATT&CK framework suggests a disciplined, modular approach that makes attribution and mitigation more difficult. With the ongoing Ukraine conflict and heightened geopolitical tensions, organizations involved in defense, logistics, and diplomacy remain high-risk targets.
FROM THE MEDIA: Fancy Bear (APT28, STRONTIUM, and Unit 26165) has intensified cyber operations against governments and military entities worldwide. The group is leveraging tools such as Mimikatz, Sedreco, and CHERRYSPY, and has deployed malware strains including Zebrocy and Drovorub. Exploits include CVE-2023-23397 (Microsoft Outlook), CVE-2023-38831 (WinRAR), and CVE-2023-20085 (Cisco IOS XE), with spearphishing campaigns using spoofed domains and XSS exploits in Roundcube and Zimbra. These efforts are part of an expansive attack framework aligned with MITRE ATT&CK tactics, spanning initial access to exfiltration and command-and-control. Intelligence sources confirm targeting of military contractors, diplomats, and logistics providers supporting Ukraine.
READ THE STORY: GBhackers
UK and NATO Accuse Russia’s GRU of Deploying Malware to Destabilize Europe
Bottom Line Up Front (BLUF): The UK and NATO have formally accused Russia's GRU military intelligence agency of orchestrating a widespread malware campaign aimed at undermining European stability. The malware, reportedly tailored to disrupt civilian infrastructure, is part of an escalating pattern of Russian hybrid warfare tactics.
Analyst Comments: The GRU's deployment of customized malware targeting European infrastructure reflects an aggressive pivot toward destabilization campaigns amid broader geopolitical tensions. NATO’s public accusation could serve as a precursor to collective cyber defense measures or sanctions. As attribution confidence grows, expect increased cyber readiness across European sectors and a potential surge in retaliatory cyber activity.
FROM THE MEDIA: Officials state the campaign, which has affected sectors including energy, transportation, and communications, is designed to sow confusion and erode trust in public systems. UK Foreign Secretary Emma Churchill cited "compelling technical evidence" linking the malware to GRU Unit 26165, previously tied to election interference and cyber espionage. NATO Secretary General Jens Stoltenberg emphasized that this activity violates international norms and threatens alliance members' security. The announcement follows months of joint investigations by cybersecurity agencies across the UK, Germany, and the Netherlands.
READ THE STORY: BreakingDefense // SCMedia
Bitcoin Hits Record High Amid Rising Concerns Over Quantum Computing Threats
Bottom Line Up Front (BLUF): As Bitcoin reaches a new all-time high, cybersecurity experts are warning that quantum computing advances could eventually undermine cryptocurrencies' cryptographic foundations. Traders celebrate market gains, but underlying discussions point to long-term existential risks for blockchain security.
Analyst Comments: While practical quantum attacks remain several years away, the growing investment in quantum R&D from countries like China and the U.S. suggests that crypto developers must prepare sooner rather than later. Post-quantum cryptography (PQC) adoption and protocol upgrades will be essential to future-proofing blockchain ecosystems. The crypto industry must begin transitioning before quantum capabilities reach critical thresholds.
FROM THE MEDIA: Bitcoin recently surged to an all-time high above $90,000, driven by renewed institutional interest and macroeconomic factors. However, behind the bullish sentiment, a parallel conversation is emerging around the threat quantum computing poses. Experts warn that quantum processors could one day break the elliptic curve cryptography (ECC) that secures Bitcoin wallets and transactions. Researchers and blockchain developers are exploring post-quantum encryption standards, but widespread implementation remains years away. The article cites voices in both finance and cybersecurity advocating for urgent planning to address this long-term vulnerability.
READ THE STORY: CoinDesk
U.S. Warns Spain Over Potential Security Risks From Huawei Government Contracts
Bottom Line Up Front (BLUF): The United States has issued a diplomatic warning to Spain regarding its engagement with Huawei in public sector contracts, citing national security concerns. Washington fears that Huawei's involvement could open the door to Chinese surveillance and jeopardize NATO intelligence sharing.
Analyst Comments: The U.S. has long opposed Huawei’s presence in 5G and critical infrastructure, viewing it as a vector for Chinese state espionage. Spain’s potential alignment with Huawei could strain transatlantic intelligence cooperation and provoke policy shifts within the EU. As tensions mount, more European states may be pressured to clarify their positions on Chinese tech vendors publicly.
FROM THE MEDIA: American officials expressed concern that Huawei’s access to Spanish government networks could compromise NATO’s secure communications and intelligence-sharing frameworks. Unlike many of its Western allies, Spain, a key NATO member, has not entirely banned Huawei from participating in national infrastructure projects. The article notes that U.S. diplomats emphasized the strategic risk of allowing a Chinese firm with alleged military ties into the public technology supply chain. The situation adds friction to U.S.-Spain relations at a time when rising global cyber threats are testing NATO unity.
READ THE STORY: GBhackers
Ukrainian hackers wipe databases at Russia's Gazprom in major cyberattack
Bottom Line Up Front (BLUF): Ukraine’s military intelligence (HUR) claims responsibility for a large-scale cyberattack on Russia’s state-owned energy giant Gazprom, allegedly wiping key databases and damaging critical infrastructure systems. The operation reportedly disrupted administrative access for tens of thousands of users and affected nearly 400 Gazprom subsidiaries.
Analyst Comments: If verified, the attack demonstrates Ukraine’s growing cyber capabilities and strategic use of digital warfare to undermine Russia’s economic and military logistics. The scale of data destruction and system degradation, including BIOS-level damage, suggests an intent to create long-term operational disruption. Future retaliation or escalation in cyberspace is likely, as both nations continue to blend cyber operations with kinetic warfare.
FROM THE MEDIA: Screenshots and a video released by HUR show access to Gazprom’s internal systems, though independent verification is still pending. The attack reportedly disabled systems for around 20,000 administrators, wiped backup databases, and impacted 390 Gazprom-affiliated entities. Destroyed data includes contracts, supply schedules, payment and tax records, and operational analytics. Additionally, several servers running the 1C platform and SCADA components were rendered inoperable, with some BIOS firmware corrupted beyond remote recovery.
READ THE STORY: THE KYIV INDEPENDENT
Russian Vodka Producer Beluga Hit by Ransomware, 2,000+ Stores Disrupted
Bottom Line Up Front (BLUF): Russian beverage conglomerate NovaBev Group, owner of the Beluga vodka brand, confirmed a ransomware attack on July 14, 2025, that disrupted IT operations across its main business and subsidiary WineLab. Over 2,000 stores experienced outages, though customer data appears unaffected, and the company refuses to negotiate with attackers.
Analyst Comments: NovaBev’s refusal to pay ransom aligns with global best practices but may prolong recovery timelines and reputational fallout. The sophistication and persistence involved suggest an advanced threat actor—possibly an APT group—testing the resilience of Russia’s private sector. The incident further highlights the vulnerability of critical systems in the beverage and retail industries, often less fortified than traditional high-risk sectors like finance or healthcare.
FROM THE MEDIA: NovaBev Group suffered a “large-scale, coordinated” ransomware attack on July 14 that impacted IT infrastructure across its operations and retail arm, WineLab. Over 2,000 locations were affected by the outage. Despite advanced security protocols and continuous monitoring, attackers established persistence within the network before detection. The company has declined to engage with the attackers and is working with external cybersecurity experts to recover systems. Forensic analysis suggests no customer personal data was compromised, likely due to effective encryption and data loss prevention tools. The company has promised complete operational restoration and apologizes for the service disruptions.
READ THE STORY: Cyber Press
Ex-IDF Cyber Chief Warns Social Engineering Now Outpaces Zero-Days in Cyber Threat Landscape
Bottom Line Up Front (BLUF): Former IDF Unit 8200 cyber chief Ariel Parnes warns that social engineering, not zero-day exploits, now poses the most significant cyber threat, especially from actors like Iran-backed APTs and the Scattered Spider gang. The use of generative AI to automate reconnaissance and craft personalized phishing content is making such attacks more scalable and effective than ever.
Analyst Comments: Threat actors no longer need elite-level exploits when AI can help them socially engineer insiders or impersonate trusted services. Groups like Scattered Spider, which leverage native English proficiency and cultural familiarity, blur the lines between financially motivated and state-sponsored actors. The implications for defense are profound: organizations must now prioritize user awareness, behavioral monitoring, and counter-AI phishing defenses just as much as traditional vulnerability management.
FROM THE MEDIA: Ariel Parnes, co-founder of Mitiga and former IDF Unit 8200 colonel, emphasized how actors like Iran’s APT units and Scattered Spider excel at social engineering rather than exploiting zero-day vulnerabilities. Citing the 2020 Shirbit insurance breach and recent campaigns against U.S. infrastructure, Parnes noted that psychological and reputational impacts often outweigh technical ones. He warned that generative AI dramatically accelerates threat actors' ability to perform reconnaissance, craft phishing lures, and mimic legitimate communications. Parnes suggested that these developments could enable collaboration between financially motivated groups and state-sponsored operations, boosting the capabilities of less technically advanced adversaries.
READ THE STORY: The Register
SquidLoader Deploys Stealthy Malware with Near-Zero Detection to Evade Security Measures
Bottom Line Up Front (BLUF): A newly discovered variant of the SquidLoader malware is used in highly stealthy attacks against financial institutions in Hong Kong, Singapore, China, and Australia. Delivered via spear-phishing emails, it uses sophisticated anti-analysis and evasion tactics to deploy Cobalt Strike Beacons, allowing remote access and control with minimal detection.
Analyst Comments: By mimicking legitimate Microsoft binaries, incorporating heavy obfuscation, and exploiting advanced anti-sandbox techniques, attackers can achieve persistent access and evade most traditional scanning tools. The malware’s Kubernetes-themed C2 traffic adds another layer of stealth, signaling a trend toward blending malicious traffic with cloud-native patterns. The APAC region's financial institutions and government bodies should urgently update their detection capabilities and harden email defenses against sophisticated phishing payloads.
FROM THE MEDIA: Disguised as financial correspondence, the emails contain password-protected RAR files with PE executables masquerading as trusted applications. The malware relocates itself to public directories, uses control flow obfuscation, and resolves APIs dynamically to thwart detection. It checks for common sandbox usernames and debugging tools, and verifies runtime consistency via custom APC-based thread checks. Post-evasion, it contacts fake Kubernetes-themed C2 servers (e.g., https://39.107.156.136/api/v1/namespaces/kube-system/services) and downloads in-memory Beacon shellcode. Similar indicators were observed in Singapore, China, and Australia.
READ THE STORY: GBhackers
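The SquidLoader story above hinges on one detectable trait: C2 traffic dressed up as Kubernetes API calls. The script below, an added example rather than code from the story or any vendor, flags proxy log entries whose URL path looks like a Kubernetes resource path but whose destination is not one of the organisation's known API servers. The log format, the client addresses and the KNOWN_API_SERVERS allowlist are constructed assumptions; the 39.107.156.136 address is the one quoted in the story.

```python
"""Flag outbound requests whose URL path imitates the Kubernetes API
(/api/v1/namespaces/... or /apis/<group>/v.../namespaces/...) but that are
sent to a host that is not a known cluster API server. SquidLoader's C2
hid behind exactly this kind of path.

Added example, not code from the story or from any vendor. The log format,
the client/server addresses and the KNOWN_API_SERVERS allowlist are
constructed assumptions; substitute your proxy's format and your real
API endpoints.
"""
import re
from urllib.parse import urlsplit

# Kubernetes-style resource paths: core API (/api/v1/...) or a named group
# (/apis/apps/v1/...), followed by a namespaced resource.
KUBE_API_PATH = re.compile(r"^/api(?:s/[^/]+)?/v\d+[a-z0-9]*/namespaces/")

# Assumption: the only hosts that should ever receive Kubernetes API paths.
KNOWN_API_SERVERS = {"10.10.0.1:6443", "k8s-api.internal.example:6443"}

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = [
    "2025-07-20T10:01:02Z 10.1.2.3 GET https://k8s-api.internal.example:6443/api/v1/namespaces/default/pods 200",
    "2025-07-20T10:01:09Z 10.1.2.3 GET https://39.107.156.136/api/v1/namespaces/kube-system/services 200",
    "2025-07-20T10:01:15Z 10.1.2.4 GET https://39.107.156.136/apis/apps/v1/namespaces/kube-system/deployments 200",
    "2025-07-20T10:02:00Z 10.1.2.5 GET https://example.org/api/v1/users 200",
    "garbage line that does not parse",
]

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.netloc   # host[:port] exactly as the client requested it
    rec["path"] = parts.path
    return rec


def is_kube_path(path):
    """True when the path has the shape of a namespaced Kubernetes API call."""
    return bool(KUBE_API_PATH.match(path))


def suspicious_kube_requests(lines, known_servers=KNOWN_API_SERVERS):
    """Kubernetes-looking paths going anywhere other than a known API server."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_kube_path(rec["path"]):
            continue
        if rec["host"] in known_servers:
            continue   # legitimate cluster traffic
        hits.append((rec["ts"], rec["client"], rec["host"], rec["path"]))
    return hits


if __name__ == "__main__":
    for hit in suspicious_kube_requests(SAMPLE_LOG):
        print("suspicious Kubernetes-style request:", *hit)
```

The allowlist is the important design choice: matching on the path alone would fire on every real cluster operation, so the rule only alerts when a Kubernetes-shaped path leaves for a host that has no business serving one. Run it as a scheduled job over the proxy export, or port the two regexes into the SIEM's query language.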
Arch Linux Pulls Malicious AUR Packages Delivering Chaos RAT Malware
Bottom Line Up Front (BLUF): Arch Linux maintainers have removed three community-submitted AUR packages after they were found to deliver the Chaos Remote Access Trojan (RAT). The malicious packages—librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin—executed malware during installation, granting full remote access to infected systems.
Analyst Comments: Using a trusted community platform like AUR to distribute malware shows how attackers are shifting toward supply chain infiltration as a stealthier and scalable tactic. Exploiting PKGBUILD scripts demonstrates the need for more rigorous community auditing and automated threat detection. Organizations relying on Linux systems should reevaluate the trustworthiness of third-party repositories and implement endpoint behavior monitoring to detect anomalous installs.
FROM THE MEDIA: The malware provided attackers full remote access capabilities, including file exfiltration, command execution, and reverse shell access. Community members on Reddit flagged the suspicious packages after a dormant account began promoting them. Arch Linux has warned users to delete the packages and check for a suspicious “systemd-initd” process in the /tmp directory. The C2 server tied to the RAT was traced to IP address 130.162[.]225[.]47:8080.
READ THE STORY: BleepingComputer
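The Arch Linux advisory above gives two host indicators: a "systemd-initd" process running out of /tmp and a connection to 130.162[.]225[.]47:8080. The script below is an added example, not Arch Linux's or BleepingComputer's tooling, that checks both. Its matching functions run on constructed sample records so they work anywhere; on a Linux host it walks /proc and runs `ss -tnp` instead. It deliberately goes a step beyond the advisory by flagging any process whose executable lives under /tmp, which also catches a renamed copy of the implant.

```python
"""Hunt for the host indicators from the Arch Linux AUR advisory: a process
named "systemd-initd" executing from /tmp, and a socket to the reported C2
address 130.162.225.47:8080 (written undefanged here so it compares
directly with socket data).

Added example, not Arch Linux's or BleepingComputer's tooling. The sample
process and socket records are constructed; the live paths (/proc walk and
`ss -tnp`) are Linux-only and are skipped elsewhere. The /tmp rule is
broader than the advisory on purpose.
"""
import os
import re
import shutil
import subprocess
from dataclasses import dataclass

SUSPECT_NAME = "systemd-initd"
SUSPECT_DIR = "/tmp"
C2_ADDR = ("130.162.225.47", 8080)


@dataclass
class Proc:
    pid: int
    name: str   # contents of /proc/<pid>/comm
    exe: str    # resolved target of /proc/<pid>/exe


def is_suspect_process(p):
    """True for the advisory's process name, or any executable under /tmp."""
    exe_in_tmp = os.path.normpath(p.exe).startswith(SUSPECT_DIR + os.sep)
    return p.name == SUSPECT_NAME or exe_in_tmp


# One line of `ss -tnp` output, e.g.
# ESTAB 0 0 10.0.0.5:41234 130.162.225.47:8080 users:(("systemd-initd",pid=4242,fd=5))
SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)[^)]*\)\))?'
)


def c2_connections(ss_lines, c2=C2_ADDR):
    """Return sockets whose peer is the reported C2 address."""
    hits = []
    for line in ss_lines:
        m = SS_LINE.match(line.strip())
        if not m:
            continue   # header or malformed line
        host, _, port = m.group("peer").rpartition(":")
        if not port.isdigit() or (host, int(port)) != c2:
            continue
        hits.append({
            "state": m.group("state"),
            "proc": m.group("proc"),
            "pid": int(m.group("pid")) if m.group("pid") else None,
        })
    return hits


def live_procs():
    """Enumerate processes from /proc (Linux only); unreadable entries are skipped."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                name = fh.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue   # process exited, or exe needs root to read
        procs.append(Proc(int(entry), name, exe))
    return procs


# Constructed sample data standing in for a live host.
SAMPLE_PROCS = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
    Proc(4242, "systemd-initd", "/tmp/systemd-initd"),
    Proc(5100, "firefox", "/usr/lib/firefox/firefox"),
]
SAMPLE_SS = [
    "State Recv-Q Send-Q Local Address:Port Peer Address:Port Process",
    'ESTAB 0 0 10.0.0.5:41234 130.162.225.47:8080 users:(("systemd-initd",pid=4242,fd=5))',
    'ESTAB 0 0 10.0.0.5:50210 140.82.112.3:443 users:(("firefox",pid=5100,fd=90))',
]


def live_ss_lines():
    """Run `ss -tnp` when available; otherwise fall back to the sample."""
    if shutil.which("ss") is None:
        return SAMPLE_SS
    out = subprocess.run(["ss", "-tnp"], capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


if __name__ == "__main__":
    procs = live_procs() if os.path.isdir("/proc") else SAMPLE_PROCS
    for p in procs:
        if is_suspect_process(p):
            print(f"suspect process pid={p.pid} name={p.name} exe={p.exe}")
    for hit in c2_connections(live_ss_lines()):
        print("C2 socket:", hit)
```

Run it as root so /proc/<pid>/exe is readable for every process; without that, the walk silently skips other users' processes, which is exactly where an implant started by a package install would sit. A hit on the socket check with no matching process usually means the process has already exited or renamed itself, so treat the host as compromised either way.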
New PoisonedSeed Malware Bypasses FIDO Authentication Using Malicious QR Codes
Bottom Line Up Front (BLUF): Researchers have uncovered a sophisticated malware campaign dubbed "PoisonedSeed" that bypasses FIDO-based two-factor authentication (2FA) by tricking users into scanning malicious QR codes. The malware impersonates legitimate login workflows, capturing session tokens and enabling unauthorized access to secure systems.
Analyst Comments: Threat actors sidestep traditional credential theft barriers by abusing QR code-based login flows, which are often seen as user-friendly and secure. This approach indicates a growing trend of adversaries blending social engineering with technical subversion. Enterprises should reevaluate QR-based login procedures and implement browser-based origin checks, token binding, or biometric constraints to limit session hijacking risks.
FROM THE MEDIA: The attackers send victims a link that prompts them to scan a QR code, mimicking login prompts from trusted services like Microsoft or Google. When scanned, the code redirects to a spoofed server that harvests session tokens or authentication cookies, allowing the threat actor to impersonate the user without needing their credentials or FIDO device. The malware is capable of real-time browser manipulation, clipboard monitoring, and secure cookie exfiltration. Researchers note that this bypass works exceptionally well against users relying on FIDO tokens through mobile QR workflows.
READ THE STORY: HackRead
Experts Warn of Growing Threats to Operational Technology in Critical Infrastructure
Bottom Line Up Front (BLUF): Security experts are raising alarms about the escalating cyber risks facing Operational Technology (OT) systems used in critical infrastructure sectors like energy, manufacturing, and transportation. A lack of investment, outdated systems, and limited cyber-awareness in OT environments create vulnerabilities that attackers increasingly exploit.
Analyst Comments: Many OT environments still run legacy systems with poor visibility and minimal patching, making them ripe targets for disruptive attacks. If these gaps are not addressed, the likelihood of impactful cyber incidents—such as power grid disruptions or supply chain breakdowns—will continue to rise. Industry-wide collaboration and regulatory pressure may be necessary to force modernization and secure these high-risk environments.
FROM THE MEDIA: Experts point to incidents like the Colonial Pipeline ransomware attack and repeated disruptions in European rail systems as wake-up calls. However, many organizations still fail to apply basic security principles such as network segmentation and real-time monitoring in OT systems. Analysts warn that as digitization and remote access expand, OT environments remain dangerously exposed without proper controls.
READ THE STORY: ITPRO
Items of interest
U.S. Officials Accused of Concealing Afghan War Failures
Bottom Line Up Front (BLUF): A new exposé alleges that senior U.S. military and political leaders systematically misled the public about the progress of the war in Afghanistan. The report reveals internal documents and interviews showing that officials privately acknowledged the war was failing while publicly asserting success.
Analyst Comments: The exposé may prompt renewed debate about oversight mechanisms for military engagements and the credibility of official war narratives. The revelations could also affect veterans’ communities and influence future U.S. foreign policy decisions. Expect increased scrutiny of internal documentation and decision-making processes in other ongoing or future conflicts.
FROM THE MEDIA: The piece draws heavily on interviews, internal memos, and reports from the Special Inspector General for Afghanistan Reconstruction (SIGAR). Officials from both Democratic and Republican administrations are implicated in downplaying failures and overstating the effectiveness of military strategies. Despite internal acknowledgments that core goals were unachievable, public communications emphasized progress, leading to continued funding and troop deployments. The investigation mirrors the 2019 “Afghanistan Papers” but provides expanded documentation and deeper analysis of the Pentagon’s internal communications.
READ THE STORY: RealClearDefense
‘Scandal of huge proportions’: Afghan asylum scheme in UK exposed by data breach (Video)
FROM THE MEDIA: Thousands of Afghans are being relocated to the UK in a secret program after a data breach, which multiple governments have tried to cover up.
In Full: Healey addresses Commons over secret Afghan asylum scheme (Video)
FROM THE MEDIA: Britain has offered asylum secretly to nearly 24,000 Afghan soldiers and their families caught up in the most serious data breach in history, it can be revealed.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.