Daily Drop (1092)
07-25-25
Friday, Jul 25, 2025 // (IG): BB // GITHUB // SN R&D
PROJECT UPDATE:
This project scrapes, parses, and dedupes stories every six hours. It is not evaluated, but it offers a quick glimpse of the news and threat landscape.
NEWS:
Starlink Suffers Rare Global Outage Amid Expansion of Satellite Services
Bottom Line Up Front (BLUF): On July 24, 2025, Elon Musk’s Starlink network experienced a rare global outage, leaving tens of thousands of users without internet access for over two hours. The disruption followed the public launch of T-Mobile’s Starlink-powered “T-Satellite” service and was attributed to internal software failures affecting core network services.
Analyst Comments: The outage underscores the risks associated with the increasing centrality of satellite networks in global communications, particularly as Starlink expands into mobile and defense applications. While there is no evidence of a cyberattack, the timing—just after a major service rollout—raises concerns about operational readiness and resilience. If Starlink continues scaling to support critical services (including military and aviation), any systemic fault becomes a strategic vulnerability. Questions around redundancy, failover mechanisms, and cyber-hardening of space-based infrastructure are likely to grow louder.
FROM THE MEDIA: Starlink, the global satellite internet provider operated by SpaceX, confirmed a widespread outage on July 24 that affected users across the U.S., Europe, and Zimbabwe. According to Reuters, more than 60,000 outage reports were logged on Downdetector, with users experiencing a “total blackout” of service. Starlink Vice President Michael Nicolls later stated the cause was a failure in “key internal software services” running the core network. The outage lasted approximately 2.5 hours before service was mostly restored. Elon Musk personally apologized on X, promising a root cause analysis. Speculation from experts like Cornell’s Gregory Falco suggests the issue may have stemmed from a faulty software update, drawing comparisons to last year's CrowdStrike-triggered global Windows disruptions. The outage came one day after T-Mobile and Starlink launched their “T-Satellite” direct-to-phone service.
READ THE STORY: Aljazeera
Arizona Woman Sentenced in $17M North Korean IT Worker Scam
Bottom Line Up Front (BLUF): An Arizona woman, Christina Marie Chapman, has been sentenced to 8.5 years in prison for running a fraudulent “laptop farm” that helped North Korean operatives pose as remote U.S.-based IT workers. The scheme, which targeted over 300 American companies, enabled the laundering of $17 million to the DPRK and risked national security by attempting to infiltrate U.S. government agencies.
Analyst Comments: By mimicking legitimate job seekers, DPRK-linked actors could gain access to sensitive corporate environments, bypassing conventional cyber defenses. Chapman's operation reveals how insider threats can take nontraditional forms—such as infrastructure support—rather than direct hacking. Enterprises should reinforce remote employee vetting procedures and invest in digital identity verification tools. Government agencies remain high-priority infiltration targets, and the FBI’s guidance underscores the need for diligence across both public and private sectors.
FROM THE MEDIA: Chapman operated her scam between October 2020 and October 2023, shipping dozens of U.S.-based laptops overseas and hosting over 90 computers in her home to simulate U.S.-based logins for North Korean IT workers. These operatives used stolen identities to land jobs at Fortune 500 companies and attempted to breach two U.S. government agencies. Though those government attempts were thwarted, the broader scheme funneled millions into North Korea, potentially financing its weapons program. In addition to her sentence, Chapman must forfeit over $460,000. The Department of Justice called the case one of the largest North Korean IT scams prosecuted to date.
READ THE STORY: The Register
Global Operation "Checkmate" Dismantles BlackSuit Ransomware Infrastructure
Bottom Line Up Front (BLUF): Authorities from multiple countries, in coordination with private cybersecurity firms, have taken down the infrastructure of the BlackSuit ransomware group in a major multinational operation dubbed Operation Checkmate. The takedown included seizure of data leak sites and negotiation portals, severely disrupting BlackSuit's ability to extort victims.
Analyst Comments: BlackSuit’s dismantling signals progress in global anti-ransomware efforts, especially when targeting infrastructure critical to extortion operations. The coordinated seizure of leak sites cuts off communications and undermines the credibility of the group’s threats. However, given the resilience of the ransomware-as-a-service (RaaS) ecosystem, remnants of BlackSuit or affiliates may rebrand and reemerge. The group's possible lineage from Royal or Conti highlights persistent actors evolving across ransomware variants.
FROM THE MEDIA: The effort involved coordination from DHS, FBI, Europol, the U.K. National Crime Agency, and private partners like Bitdefender. BlackSuit operated a double-extortion model—encrypting files and leaking stolen data—targeting sectors like healthcare, education, and government. The seized dark web portals, previously used for ransom negotiations and data publication, now display law enforcement banners. While this disrupts BlackSuit’s operations, experts warn that new groups may rise from its remnants.
READ THE STORY: GBhackers
China-Linked Campaigns Deploy Ghost RAT and PhantomNet Against Tibetan Targets via Windows Exploits
Bottom Line Up Front (BLUF): Two coordinated malware campaigns—Operation GhostChat and Operation PhantomPrayers—have been uncovered targeting Tibetan users and organizations using advanced Windows exploitation techniques. The campaigns, attributed to Chinese state-sponsored actors, leveraged cultural events like the Dalai Lama’s 90th birthday to deploy Ghost RAT and PhantomNet backdoors via compromised websites and fake applications.
Analyst Comments: The campaigns employed sophisticated sideloading techniques, in-memory shellcode execution, and low-level Windows API usage to evade detection. The focus on DLL sideloading via signed binaries, including VLC and Element, underscores a shift toward abusing trusted software ecosystems. This may prompt defenders to reevaluate trust models and enhance behavior-based detection.
FROM THE MEDIA: Both campaigns used DLL sideloading via signed binaries (Element.exe and VLC.exe) to execute multistage payloads. The attacks culminated in the deployment of Ghost RAT and PhantomNet, which allowed full surveillance capabilities, including webcam and audio access. Researchers linked the infrastructure and tactics to Chinese APT groups, likely TA428, based on C2 IPs, malware signatures, and historical campaign overlaps.
READ THE STORY: Cyber Press
Cyber Crossfire in Orbit: Hacktivists Target Space Sector Amid Israel-Iran Conflict
Bottom Line Up Front (BLUF): A surge of cyber operations has emerged in parallel with kinetic warfare between Israel and Iran, with over 60 claimed attacks on space-related entities within 15 days. Hacktivist groups—mostly pro-Iranian, but also tied to other geopolitical causes—have launched DDoS attacks, leaked credentials, and claimed breaches of military satellite systems. However, most impacts remain limited to surface-level disruption.
Analyst Comments: While actual satellite systems remain uncompromised for now, the combination of widespread DDoS attacks and disinformation campaigns creates “background noise” that can obscure more sophisticated intrusions. This tactic—using large-scale hacktivist activity to distract from potential nation-state cyber operations—may become a norm in future space-related conflicts. The activation of platforms like Starlink in Iran and the use of Chinese satellite phones by Iranian forces suggest a likely expansion of the threat landscape beyond regional borders.
FROM THE MEDIA: At least 67 cyber operations were claimed, primarily targeting Israeli aerospace and defense firms such as Rafael, Elbit Systems, and Orbit Communication Systems. Group “Mr.Hamza” claimed 23 DDoS attacks, while “GhostSec” alleged they compromised Israeli military satellite terminals, though without evidence. Other groups like “LulzSec Black” and “Cyber Unit 89” claimed air navigation and missile system data access. Separately, “WeAreRootSec” offered Rafael credentials for sale. These events occurred alongside Iran’s internet throttling and increased Starlink use, raising concerns of cyber spillover across the region and possibly involving third-party technologies and services.
READ THE STORY: Via Satellite
Aeza Group Evades Sanctions by Migrating Bulletproof Hosting Infrastructure to New Autonomous System
Bottom Line Up Front (BLUF): The sanctioned bulletproof hosting provider, Aeza Group, has shifted core infrastructure to a newly created autonomous system, AS211522, operated by Hypercore LTD. This move, detected by Silent Push analysts, appears to be an attempt to bypass U.S. Treasury sanctions and continue supporting cybercriminal operations, including ransomware and darknet marketplaces.
Analyst Comments: Aeza’s infrastructure migration highlights a recurring pattern among bulletproof hosts: rebranding and reallocation to new IP ranges and ASNs to evade enforcement and maintain operations. The speed and structure of this transition suggest a deliberate attempt to obscure continuity. Network defenders should block the legacy ASNs (AS210644, AS216246) and proactively monitor for and block AS211522. Continued vigilance and community sharing of BGP telemetry and abuse reports will be essential to countering bulletproof hosting infrastructure fueling cybercrime.
FROM THE MEDIA: Silent Push’s IOFA™ feed first flagged the migration on July 20, when subnet 83.147.192.0/24 began being announced simultaneously from both the legacy Aeza ASN and the new AS211522. Analysts view this as an apparent effort to dodge sanctions and maintain operations. Aeza was previously sanctioned for providing infrastructure for ransomware, darknet trafficking, and data theft. AS211522 already hosts more than 2,100 IPs, a rapid buildup consistent with Aeza’s past activity. Security experts warn that this is a classic bulletproof host evasion tactic, calling for coordinated blocking and law enforcement reporting.
READ THE STORY: GBhackers
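The dual-announcement signal Silent Push describes (one prefix originated from two ASNs) and the analyst advice to watch the named ASNs can both be checked from a route table. The following is an added example, not Silent Push's or the Daily Drop's own tooling; the route rows are constructed for illustration and only the ASNs and the 83.147.192.0/24 subnet come from the story.

```python
"""Flag prefixes originated from more than one ASN (the migration signal in the
story) and any prefix originated from a watch-listed ASN. Route rows below are
constructed sample data, not real BGP table output."""
from collections import defaultdict

# ASNs named in the story: the two legacy Aeza ASNs and the new Hypercore ASN.
WATCHLIST = {"AS210644", "AS216246", "AS211522"}

# Constructed rows in the form "<prefix> <AS_PATH ...>"; the origin is the last hop.
SAMPLE_ROUTES = """
83.147.192.0/24 AS3356 AS210644
83.147.192.0/24 AS6939 AS211522
83.147.193.0/24 AS3356 AS210644
198.51.100.0/24 AS6939 AS64500
"""


def parse_routes(text):
    """Return a list of (prefix, origin_asn) pairs from whitespace-separated rows."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed row: skip rather than guess an origin
        rows.append((parts[0], parts[-1]))
    return rows


def dual_origin_prefixes(routes):
    """Prefixes announced by more than one origin ASN (multi-origin, as seen
    when infrastructure is moved between ASNs or hijacked)."""
    origins = defaultdict(set)
    for prefix, asn in routes:
        origins[prefix].add(asn)
    return {p: a for p, a in origins.items() if len(a) > 1}


def watchlisted_routes(routes, watchlist=WATCHLIST):
    """Sorted (prefix, origin_asn) pairs whose origin is on the block/monitor list;
    these are the prefixes a defender would add to a block list."""
    return sorted((p, a) for p, a in routes if a in watchlist)


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    print("multi-origin:", dual_origin_prefixes(routes))
    print("watch-listed:", watchlisted_routes(routes))
```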
Microsoft: China-Linked Hackers Exploit SharePoint Vulnerabilities to Breach Global Networks
Bottom Line Up Front (BLUF): Microsoft has confirmed that Chinese state-sponsored threat groups, including Linen Typhoon, Violet Typhoon, and Storm-2603, are exploiting critical vulnerabilities in on-premises SharePoint servers. The ongoing campaign targets government, defense, education, healthcare, and finance organizations across the U.S., Europe, and East Asia.
Analyst Comments: This incident exemplifies the increasing sophistication and discipline of Chinese APT groups, who now focus on stealth, persistence, and credential theft. Even after patching, the ability to steal cryptographic keys and deploy backdoors across enterprise networks marks a shift toward long-term access operations. Exploiting a vulnerability disclosed at Pwn2Own just two months prior underscores China’s capacity to operationalize research-grade exploits rapidly. It also pressures enterprises to harden on-prem infrastructure or migrate to more secure cloud-hosted alternatives.
FROM THE MEDIA: Microsoft announced that at least three China-linked hacking groups have exploited unpatched vulnerabilities in SharePoint software to infiltrate high-value targets. The exploits were derived from a vulnerability disclosed at the Pwn2Own security conference in May and initially patched on July 8. However, Microsoft later admitted the patch was incomplete and issued follow-up updates. Cybersecurity firm Eye Security found over 400 servers already compromised. The Cybersecurity and Infrastructure Security Agency (CISA) confirmed that critical infrastructure entities had been impacted. Experts believe attackers leverage the flaws to steal cryptographic keys and maintain persistent access even after remediation. Microsoft emphasized that the vulnerability affects only on-premises SharePoint installations, not cloud environments.
READ THE STORY: The New York Times
Fire Ant Campaign Exposes Global Risks of Hypervisor-Level Chinese Espionage
Bottom Line Up Front (BLUF): Sygnia has released new research detailing Fire Ant, a global cyber-espionage campaign linked to the Chinese threat group UNC3886. The campaign targeted VMware ESXi hypervisors and network appliances. The attackers leveraged stealthy, persistent access methods at the virtualization layer, bypassing traditional endpoint defenses to spy on government, telecom, and defense-related entities.
Analyst Comments: Fire Ant highlights an alarming evolution in cyber-espionage: attackers are now going beneath the operating system to exploit hypervisors—critical yet often under-monitored infrastructure. These intrusions are challenging to detect and eradicate, signaling a significant blind spot in enterprise and national security strategies. With links to past UNC3886 operations against Fortinet and Juniper platforms, Fire Ant underscores China's continuing push to silently pre-position itself in sensitive global networks. Expect elevated investment in hypervisor security and incident response playbooks following this disclosure.
FROM THE MEDIA: The campaign targets VMware ESXi and vCenter environments, using custom toolsets to maintain persistence and evade detection, even during active response operations. Sygnia’s Yoav Mazor described the attackers as highly adaptive, shifting tactics and tools in real time. Fire Ant’s tactics correlate with attacks previously attributed to UNC3886 in Singapore and other regions, including deploying backdoors in Fortinet and Juniper devices. Analysts conclude the campaign is aimed at strategic intelligence collection across critical sectors worldwide, including defense, telecom, and government.
READ THE STORY: CyberScoop // The Record
North Korean-Linked Threat Actors Deploy RokRAT Malware via Malicious HWP Documents
Bottom Line Up Front (BLUF): The AhnLab Security Intelligence Center (ASEC) has uncovered a targeted malware campaign using Hangul Word Processor (.hwp) files to deliver the RokRAT remote access trojan. These documents exploit Windows DLL sideloading via legitimate executables, enabling stealthy, fileless infections aimed at South Korean entities.
Analyst Comments: Threat actors enhance social engineering effectiveness while evading detection by shifting from LNK files to .hwp documents, which are trusted and widely used in South Korea. Using steganography to embed shellcode in image files and exploiting Windows DLL search order weaknesses demonstrates advanced tradecraft, consistent with North Korean APT behaviors. Organizations in government, defense, and media sectors should prioritize monitoring for side-loading patterns and implement stricter controls around macro-enabled files and hyperlinks.
FROM THE MEDIA: The files—disguised as tax documents or reports on North Korean grain operations—deliver RokRAT through DLL sideloading. When victims open the files, they unknowingly extract a signed executable (ShellRunas.exe) and a malicious DLL (credui.dll) into the system’s temp directory. Upon interaction, the DLL initiates fileless malware deployment using a steganographic image hosted on Dropbox. RokRAT loads into memory and begins data exfiltration, surveillance, and command execution. The campaign also employs other benign Windows utilities (e.g., accessenum.exe, hhc.exe) to avoid endpoint detection. ASEC released multiple MD5 hashes for threat hunting and defense.
READ THE STORY: GBhackers
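The analyst note above recommends monitoring for sideloading patterns. One heuristic that fits the infection chain described (a signed executable dropped into the temp directory loading a same-named-as-System32 DLL from its own folder) is shown below as an added example; it is not ASEC's detection logic, the image-load events are constructed, and the DLL list is an assumption a defender would populate from their own System32 inventory.

```python
"""Heuristic check for DLL search-order sideloading: a process running from a
user-writable directory loads a DLL from that same directory whose file name
matches a DLL that normally lives in System32. Events are constructed samples."""
from pathlib import PureWindowsPath

# Assumed list; credui.dll is the name from the story, the others are common
# sideload targets a defender would add from their own System32 inventory.
SYSTEM_DLLS = {"credui.dll", "version.dll", "dbghelp.dll"}
# Path fragments treated as user-writable (assumption; extend per environment).
WRITABLE_ROOTS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed image-load events: (process image path, loaded module path).
EVENTS = [
    (r"C:\Users\victim\AppData\Local\Temp\ShellRunas.exe",
     r"C:\Users\victim\AppData\Local\Temp\credui.dll"),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\credui.dll"),
    (r"C:\Users\victim\AppData\Local\Temp\ShellRunas.exe",
     r"C:\Windows\System32\kernel32.dll"),
]


def is_user_writable(path):
    """True when the path sits under one of the user-writable roots."""
    lower = path.lower()
    return any(root in lower for root in WRITABLE_ROOTS)


def sideload_suspects(events):
    """Return (image, module) pairs matching the sideloading heuristic."""
    hits = []
    for image, module in events:
        img = PureWindowsPath(image)
        mod = PureWindowsPath(module)
        # PureWindowsPath compares case-insensitively, as Windows does.
        same_dir = img.parent == mod.parent
        if (mod.name.lower() in SYSTEM_DLLS
                and same_dir
                and is_user_writable(module)):
            hits.append((image, module))
    return hits


if __name__ == "__main__":
    for image, module in sideload_suspects(EVENTS):
        print(f"possible sideload: {image} loaded {module}")
```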
Europol Shuts Down XSS Cybercrime Forum, Arrests Admin in Kyiv After 12-Year Reign
Bottom Line Up Front (BLUF): Europol and French law enforcement, with Ukrainian cooperation, arrested the administrator of the long-running cybercrime forum XSS.is on July 22, 2025, in Kyiv. Authorities also seized the forum’s clearnet domain, disrupting a significant hub for stolen data, hacking tools, and illicit services used by Russian-speaking cybercriminals.
Analyst Comments: The takedown of the administrator and the associated secure messaging platform thesecure.biz will likely disrupt operations in the short term, but splinter forums or rebrandings may emerge. Law enforcement’s increased cross-border cooperation, especially amid ongoing cyber conflict involving Russia and Ukraine, signals greater risk to operators previously considered out of reach.
FROM THE MEDIA: Europol, the French Police, and the Ukrainian SBU Cyber Department arrested the suspected administrator of XSS.is, formerly known as DaMaGeLaB. The forum had over 50,000 users and had operated since 2013 as a central platform for cybercrime activities, including ransomware coordination and stolen data trading. Investigators said the admin also ran thesecure.biz, an encrypted messaging service tailored for cybercriminals, and earned over €7 million from facilitation fees. XSS’s infrastructure included a reputation and escrow system, an encrypted Jabber server, and deep ties to several prominent threat actors. The domain now displays a seizure banner, and law enforcement emphasized continued efforts to dismantle the broader Russian-speaking cybercrime ecosystem.
READ THE STORY: THN
Items of interest
Op-Ed Warns of Domestic Power Grab Framed as Iranian Cyber Threat
Bottom Line Up Front (BLUF): A provocative opinion piece published by Eurasia Review argues that warnings about a potential Iranian cyberattack on U.S. infrastructure may serve as a pretext to expand government surveillance and implement digital identity systems. The author claims Iran is being positioned as a scapegoat for a possible “cyber 9/11,” similar to how past crises were used to justify sweeping policy changes.
Analyst Comments: Iran's actual cyber capabilities, though improving, are generally limited to regional disruption and nuisance-level operations. That said, cyberattacks attributed to state actors—real or staged—can be leveraged for political gain, particularly if they target critical infrastructure. Analysts should track how narratives surrounding Iran and cyber conflict evolve in policy and media spheres, as attribution and perception can influence legislation regardless of technical proof.
FROM THE MEDIA: Referencing past crises such as 9/11 and the COVID-19 pandemic, DeSimone asserts that governments exploit emergencies to consolidate power and normalize surveillance. He argues that Iran cannot conduct a major cyberattack on U.S. infrastructure and suggests that such an event—if it occurs—may be used to push forward a World Economic Forum-backed global “Digital ID” system. The article blends cyber policy critique with broader geopolitical skepticism, drawing on historical parallels and economic frameworks.
READ THE STORY: The Eurasia Review
Companies need to be on high alert from Iran cyber attacks, says TrustedSec CEO David Kennedy (Video)
FROM THE MEDIA: David Kennedy, TrustedSec CEO, joins 'The Exchange' to discuss the cybersecurity threat private companies could face from Iran.
The Problem with Iran’s Proxies (Video)
FROM THE MEDIA: Israel’s targeting of Iranian nuclear targets comes at a time when Iran has never been weaker. The abilities of Iran’s traditional proxies – Hamas, Hezbollah, and others often called on to launch attacks against enemies of the regime – have been all but decimated, so how will they try to reconstitute, and could Israel or the U.S. stop them? The Cipher Brief speaks with former Senior CIA Operations Officer Glenn Corn for an expert perspective.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.