Monday, Jul 28, 2025 // (IG): BB // GITHUB // SN R&D
French Naval Group Hit by Major Data Leak of Submarine Combat System Blueprints
NOTE:
The 2016 Scorpène submarine data leak—which exposed over 22,000 pages of sensitive details about India’s advanced Scorpène-class submarines—represents more than just a security breach; it is a stark reminder of the vulnerabilities in the global defense industry. While the leak itself originated from an insider—likely a former French Navy officer subcontracted by DCNS—the broader implications point to a deliberate act of economic espionage.
This is not a tale of random hacking, but of strategic gain for India's regional adversaries, namely China and Pakistan. Both countries have long-standing military rivalries with India and are keenly focused on India’s growing naval capabilities. The exposed data, which includes classified details about sonar systems, stealth technology, and operational tactics, would be invaluable for countermeasures, especially for naval forces in the Indian Ocean, where the balance of power is increasingly at stake.
Given the geopolitical context, it is highly plausible that China and Pakistan—possessing advanced naval arsenals—sought to benefit from this breach, directly or indirectly. China, in particular, has been ramping up its maritime presence in the region and would have found this intelligence a critical addition to its growing naval strategy. Pakistan, meanwhile, has long been focused on countering India's military advantages, making this leak a potentially decisive blow in the ongoing strategic contest.
Ultimately, this leak underscores the importance of safeguarding military intelligence, not just from external threats but also from internal breaches that could jeopardize national security on an unprecedented scale. As India, France, and global defense partners respond, one thing is clear: In an era where espionage takes many forms, the cost of failing to protect sensitive information is higher than ever.
Bottom Line Up Front (BLUF): French defense contractor Naval Group is investigating a cyber attack that allegedly leaked 1TB of sensitive internal data, including source code and nuclear submarine combat systems documents. After a failed extortion attempt, a hacker named “Neferpitou” posted the stolen data on an underground forum, raising national security concerns for multiple countries.
Analyst Comments: If the leaked data proves authentic, this breach may significantly compromise French naval capabilities and those of its allied clients, including India and Brazil. The data's exposure — especially involving source code and system designs — introduces long-term strategic risks. The attacker’s message underscores the vulnerability of air-gapped or isolated networks, suggesting insider access or misconfigured “offline” systems. With no detected intrusion, the breach method may involve third-party compromise or outdated software, echoing recent SharePoint vulnerabilities.
FROM THE MEDIA: A hacker using the alias "Neferpitou" claimed responsibility for breaching Naval Group and offered 1TB of internal data for sale, releasing a 13GB sample as proof. The leaked files allegedly include weapons system software, internal documentation, and simulation environments tied to France’s nuclear submarines and frigates. The hacker issued a 72-hour ultimatum, which expired without a response, leading to the full leak on July 26. Naval Group confirmed the incident in a public statement, asserting that no intrusion into its IT environment had been detected, labeling it a “reputational attack” while continuing to verify the data’s authenticity. The leak’s timing coincides with Microsoft’s alert about Chinese exploitation of CVE-2025-53770 in SharePoint, although no direct connection has been established.
READ THE STORY: Bitdefender
Hackers Breach CIA-Linked Intelligence Portal in Suspected State-Sponsored Operation
Bottom Line Up Front (BLUF): Unidentified hackers have breached the Acquisition Research Center (ARC), a U.S. intelligence procurement portal used by the CIA and other agencies, compromising sensitive data tied to advanced surveillance technologies. The breach reportedly exposed proprietary information related to the CIA’s “Digital Hammer” program and occurred alongside separate Chinese cyber intrusions targeting U.S. nuclear infrastructure.
Analyst Comments: Using an unclassified portal for intelligence-related contract submissions highlights structural vulnerabilities in how sensitive government procurement is conducted. While attribution remains unofficial, the timing and scope align with known Chinese cyber espionage efforts, signaling a broader campaign targeting intelligence and energy sectors.
FROM THE MEDIA: Among the compromised programs is "Digital Hammer," which is focused on advanced surveillance technologies, including AI-based data gathering, micro-sensors, and counterintelligence tools. Federal law enforcement has launched an investigation, but officials have not confirmed the attacker’s identity. Concurrently, Microsoft disclosed that Chinese threat actors, including Linen Typhoon and Storm-2603, exploited SharePoint zero-days to breach the Department of Energy’s National Nuclear Security Administration. Analysts suggest the ARC breach is likely state-sponsored, citing the strategic value of the targeted data and similarities to previous Chinese cyber campaigns.
READ THE STORY: GBhackers
Backdoored AI Models Expose Critical Weakness in Open-Source Supply Chains
Bottom Line Up Front (BLUF): Backdoored AI models planted in open-source repositories are a growing supply-chain threat. These malicious models, often undetectable by conventional tools, can trigger harmful behavior when activated by specific inputs, posing serious risks across government, enterprise, and consumer systems.
Analyst Comments: As organizations rapidly integrate open-source AI, they import opaque, unverified artifacts into critical systems, often without sufficient safeguards. To mitigate the risk, AI models must be treated like any other third-party software component, with tracked provenance, enforced signing, and behavioral testing before deployment, especially as attackers target popular hubs like Hugging Face and GitHub.
FROM THE MEDIA: Researchers Ashish Verma and Deep Patel released an in-depth report detailing how open-source AI models can be compromised during the training, storage, or deployment phases. The report describes attacks including data poisoning, label tampering, code execution on load through unsafe model deserialization (such as pickle-based formats), and malicious weight manipulation, tactics that evade standard detection tools. Notable examples include malicious models uploaded to Hugging Face, the PyTorch dependency-hijacking incident (torchtriton), and model containers with embedded scripts.
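The deserialization risk above is concrete enough to check for before a model is ever loaded. The following is an added example, not code from the Trend Micro report or from any model hub's own tooling: it walks the pickle opcode stream with pickletools (so nothing is unpickled), refuses any GLOBAL or STACK_GLOBAL import outside an allowlist, and compares the file digest with a pinned value from a provenance manifest. The allowlist is an assumption for a plain state-dict checkpoint, and both sample "model files" are built in memory rather than read from a hub.

```python
"""Pre-load check for pickle-based model files (state dicts, .pt/.pkl checkpoints).

Added example; not code from the Trend Micro report or from any model hub's tooling.
Inspects the pickle opcode stream with pickletools, so nothing is ever unpickled;
refuses imports outside an allowlist; verifies a pinned SHA-256 from a manifest.
The allowlist and both sample files below are assumptions constructed for the example.
"""
from __future__ import annotations

import hashlib
import pickle
import pickletools
from collections import OrderedDict

# Assumed allowlist: (module, qualname) pairs a plain state-dict checkpoint needs.
ALLOWED_GLOBALS: set[tuple[str, str]] = {("collections", "OrderedDict")}

_STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}
_MEMO_PUT_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


def referenced_globals(data: bytes) -> set[tuple[str, str]]:
    """Return every (module, name) the stream would import on load, without loading it."""
    found: set[tuple[str, str]] = set()
    recent: list[tuple[str, object]] = []  # last two stack-affecting opcodes
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                        # protocols 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name == "STACK_GLOBAL":                # protocol 4+: two strings on the stack
            if len(recent) == 2 and all(n in _STRING_OPS for n, _ in recent):
                found.add((recent[0][1], recent[1][1]))
            else:
                # Names fetched from the memo are not resolved here; fail closed.
                found.add(("<unresolved>", "<unresolved>"))
        if op.name in _MEMO_PUT_OPS:
            continue  # memo bookkeeping leaves the stack top unchanged
        recent = (recent + [(op.name, arg)])[-2:]
    return found


def check_model(data: bytes, pinned_sha256: str | None = None) -> dict:
    """Verdict for one model blob: digest matches the pin and no imports outside the allowlist."""
    digest = hashlib.sha256(data).hexdigest()
    digest_ok = pinned_sha256 is None or digest == pinned_sha256
    disallowed = sorted(referenced_globals(data) - ALLOWED_GLOBALS)
    return {"digest": digest, "digest_ok": digest_ok,
            "disallowed": disallowed, "ok": digest_ok and not disallowed}


class _Trojan:
    """Stand-in for a backdoored checkpoint object: unpickling it would call eval()."""
    def __reduce__(self):
        return (eval, ("__import__('os').system('id')",))  # never executed in this example


def build_samples() -> tuple[bytes, bytes]:
    """Constructed inputs: a clean state dict and the same weights with a trojan entry."""
    weights = OrderedDict([("layer.weight", [0.1, -0.2]), ("layer.bias", [0.0])])
    clean = pickle.dumps(weights, protocol=4)
    trojaned = pickle.dumps({**weights, "hook": _Trojan()}, protocol=4)  # do NOT pickle.loads this
    return clean, trojaned


if __name__ == "__main__":
    clean, trojaned = build_samples()
    print("clean:   ", check_model(clean, pinned_sha256=hashlib.sha256(clean).hexdigest()))
    print("trojaned:", check_model(trojaned))
```

The scanner deliberately reports an unresolved name when STACK_GLOBAL draws its strings from the memo rather than from literals just pushed; that conservative branch blocks the file instead of guessing. Safetensors or other non-executable formats avoid the problem entirely and are the better default where a framework supports them.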
READ THE STORY: Trend Micro
Chinese-Linked 'Fire Ant' Hackers Target Global Virtualization Software in Stealth Espionage Campaign
Bottom Line Up Front (BLUF): A cyber-espionage group dubbed Fire Ant, suspected to be China-linked, is actively compromising VMware ESXi hypervisors used by enterprise and government networks worldwide. According to a report by cybersecurity firm Sygnia, the campaign enables persistent access while evading standard detection tools like EDR.
Analyst Comments: By exploiting ESXi hypervisors, attackers gain control beneath traditional monitoring layers, allowing covert surveillance and data exfiltration. Fire Ant’s tactics align closely with known Chinese APT behavior, particularly UNC3886, suggesting China’s ongoing focus on cyber persistence within global IT supply chains and national infrastructure. Security teams should treat hypervisors as Tier 0 assets and harden them accordingly.
FROM THE MEDIA: The campaign compromises VMware ESXi hypervisors—software platforms used to host virtual machines—through custom backdoors designed to avoid detection by endpoint detection and response systems. These operations allow persistent access to critical virtualized environments across enterprise and government targets. Fire Ant’s behavior bears similarities to UNC3886, a known Chinese APT actor. According to Sygnia’s incident response team, the attackers demonstrate advanced familiarity with virtualization internals and leverage their foothold to surveil infrastructure silently over extended periods.
READ THE STORY: HSTODAY
U.S. Secures Strategic Stake in Rare Earths to Counter Chinese Dominance
Bottom Line Up Front (BLUF): The U.S. Department of Defense announced a $400 million investment in MP Materials, owner of the only active rare earth mine in the U.S. The move aims to rebuild a domestic rare earth supply chain and reduce dependence on China, which controls over 85% of global processing capacity.
Analyst Comments: Reliance on rare earths for platforms like the F-35 and Virginia-class submarines makes supply security a national defense priority. While the MP Materials deal is a significant milestone, it marks only the beginning of a multi-year effort. Complete independence from Chinese sources remains distant without parallel investments in refining, magnet production, and allied supply chain agreements.
FROM THE MEDIA: DoD's equity purchase in MP Materials positions the U.S. government as the largest stakeholder in the company. The investment supports a new domestic facility to manufacture rare earth magnets, essential for weapons systems and clean energy technologies. The agreement comes amid escalating U.S.-China tensions and follows China’s retaliatory export restrictions on several rare earth elements in April 2025. Historically, the U.S. led global rare earth production until environmental regulations and cost concerns led to outsourcing to China. The renewed push under President Trump, including the use of the Defense Production Act, aims to correct that strategic vulnerability. Still, analysts caution that domestic production will take years to scale and must be balanced with innovative trade policies to avoid short-term disruptions.
READ THE STORY: Geopolitical Monitor
ToolShell Exploit Chain Targets Microsoft SharePoint via Five Critical CVEs
Bottom Line Up Front (BLUF): A sophisticated exploit chain dubbed ToolShell actively targets on-premise Microsoft SharePoint servers, combining deserialization flaws and authentication bypasses. The attack, involving CVEs such as CVE-2025-49704, CVE-2025-49706, and CVE-2025-53770, allows remote code execution (RCE) and system takeover in multiple global sectors.
Analyst Comments: ToolShell demonstrates how adversaries exploit serialized data and minor misconfigurations to achieve privilege escalation and RCE in enterprise platforms like SharePoint. The exploit’s simplicity — requiring only slight changes to bypass Microsoft’s initial fixes — underscores the critical need for holistic, robust patching strategies. Given the campaign’s reach and public exploit availability, unpatched systems could become widespread entry points for espionage or ransomware operations reminiscent of ProxyLogon or EternalBlue-scale events.
FROM THE MEDIA: CVE-2025-49706 is a spoofing flaw in Microsoft.SharePoint.dll that is triggered by abusing the HTTP Referer header to bypass authentication. In tandem, CVE-2025-49704 is a deserialization flaw that executes arbitrary code via malicious XML structures sent to the ToolPane.aspx endpoint. Microsoft's initial patches were incomplete, prompting the assignment of two further CVEs, CVE-2025-53770 and CVE-2025-53771, to address the bypasses and tighten input validation. Attacks have been detected in Egypt, Russia, Jordan, Vietnam, and Zambia, affecting sectors from finance to agriculture. Kaspersky telemetry confirms a globally coordinated operation; defenders are urged to patch immediately and monitor for signs of compromise.
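Patching is the fix, but the request pattern described above also leaves a clear trace in IIS logs. The following hunt is an added example, not code from the GBhackers or Kaspersky write-ups or from Microsoft: it parses W3C-format IIS logs and flags a POST to ToolPane.aspx that the server accepted from an anonymous client, or one whose Referer is the SharePoint sign-out page. The sign-out Referer value is the indicator reported in public advisories and is an assumption here, not something this page states; the log lines are constructed for the example.

```python
"""Hunt IIS W3C logs for the ToolShell authentication-bypass request pattern.

Added example; not code from the GBhackers/Kaspersky write-ups or from Microsoft.
Signals: an anonymous POST to ToolPane.aspx that returned 2xx, and a Referer pointing
at the sign-out page (assumption: taken from public advisories, not from this page).
Assumes the site logs cs(Referer). The log lines below are constructed, not real telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:11:02 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\jdoe 10.0.4.18 Mozilla/5.0 - 200
2025-07-19 03:11:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\spadmin 10.0.4.22 Mozilla/5.0 https://sp.corp.example/sites/hr/_layouts/15/settings.aspx 200
2025-07-19 03:12:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 python-requests/2.32 /_layouts/SignOut.aspx 200
2025-07-19 03:14:05 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.9 curl/8.5.0 - 401
"""

TOOLPANE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_REFERER = re.compile(r"/signout\.aspx$", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    client_ip: str
    reasons: list[str]


def parse_iis_w3c(text: str):
    """Yield (line_no, record) pairs, mapping each data line onto the current #Fields directive."""
    fields: list[str] | None = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield line_no, dict(zip(fields, parts))


def hunt_toolshell(text: str) -> list[Finding]:
    """Flag POSTs to ToolPane.aspx that were accepted without a session or carried a sign-out Referer."""
    findings: list[Finding] = []
    for line_no, rec in parse_iis_w3c(text):
        if rec.get("cs-method", "").upper() != "POST" or not TOOLPANE.search(rec.get("cs-uri-stem", "")):
            continue
        reasons = []
        if SIGNOUT_REFERER.search(rec.get("cs(Referer)", "-")):
            reasons.append("Referer is the sign-out page")
        if rec.get("cs-username", "-") == "-" and rec.get("sc-status", "-").startswith("2"):
            reasons.append("anonymous POST accepted (2xx)")
        if reasons:
            findings.append(Finding(line_no, rec.get("c-ip", "?"), reasons))
    return findings


if __name__ == "__main__":
    for f in hunt_toolshell(SAMPLE_IIS_LOG):
        print(f"line {f.line_no}: {f.client_ip}: {'; '.join(f.reasons)}")
```

The authenticated administrator's POST to ToolPane.aspx in the sample is left alone, since editing a page in design mode legitimately hits that endpoint; the rejected anonymous attempt (401) is also not reported, because the bypass did not work there. Tune the second rule if your farm fronts SharePoint with a proxy that strips the user name.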
READ THE STORY: GBhackers
Pro-Ukraine Hackers Disrupt Aeroflot Flights in Politically Motivated Cyber Attack
Bottom Line Up Front (BLUF): Russian national airline Aeroflot canceled over 50 flights and delayed at least 10 more following a cyber attack allegedly carried out by pro-Ukraine hacktivist group Silent Crow, in collaboration with Belarusian group Cyber Partisans. The attackers claim to have compromised Aeroflot’s network, destroyed thousands of servers, and gained control of staff computers, including executives.
Analyst Comments: Silent Crow's alleged deep access into Aeroflot's internal systems suggests a year-long infiltration campaign, possibly involving significant reconnaissance and privilege escalation. While the group's claims have yet to be fully verified, the incident illustrates the growing threat of cyber activism amid the ongoing Russia-Ukraine conflict. Such attacks may increase in frequency and scope, especially against high-profile state-linked enterprises, signaling broader risks for other critical Russian institutions.
FROM THE MEDIA: The hacking group Silent Crow, working with Cyber Partisans, claimed responsibility, stating it had been inside Aeroflot's systems for about a year, taken over senior staff computers, and destroyed some 7,000 servers. The hackers threatened to release the personal data of all past Aeroflot passengers. This incident comes amid broader cyber warfare connected to Russia's invasion of Ukraine, with Kyiv's "IT Army" and other actors continuing asymmetric attacks on Russian infrastructure. Aeroflot passengers took to VK to express outrage over poor communication as the airline's digital platforms went offline.
READ THE STORY: The Guardian // BBC
ArmouryLoader Exploits ASUS Software to Deliver Sophisticated Multi-Stage Malware
Bottom Line Up Front (BLUF): ArmouryLoader is a recently analyzed malware loader that abuses ASUS Armoury Crate's ArmouryA.dll to inject Trojan payloads through complex, stealthy methods. It bypasses endpoint defenses using GPU-based decryption, forged call stacks, an elevated COM interface for UAC bypass, and scheduled tasks, posing a serious threat to enterprise systems.
Analyst Comments: Its ability to masquerade within trusted software and perform syscall obfuscation signals a shift toward more deeply embedded loader infrastructure. Organizations relying on brand-name utilities may unknowingly provide a launchpad for such threats. Security teams must reinforce detection capabilities at both kernel and behavioral levels, especially concerning DLL hijacking and GPU-assisted payload decryption.
FROM THE MEDIA: The loader uses gadget-based memory reads, XOR-based self-decryption, and OpenCL routines that require a physical GPU or a 32-bit environment, which hampers analysis in virtualized sandboxes. It elevates privileges through the CMSTPLUA COM interface (ICMLuaUtil), a known UAC-bypass technique, and persists through scheduled tasks that run every 10 to 30 minutes. It applies Halo's Gate and Heaven's Gate for syscall obfuscation and for executing 64-bit code from a 32-bit process. Indicators of compromise include the MD5 hashes 5A31B05D53C39D4A19C4B2B66139972F and 90065F3DE8466055B59F5356789001BA. Antiy CERT highlights its widespread use in campaigns deploying additional loaders such as SmokeLoader and CoffeeLoader.
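The scheduled-task persistence described above is one of the few parts of this chain a defender can sweep for without the samples. The following triage script is an added example, not code from the Antiy CERT or GBhackers write-ups: it parses the XML that `schtasks /query /xml /tn <task>` exports (XML declaration stripped), converts each trigger's ISO 8601 repetition interval to minutes, and reports a task only when it both repeats at a loader-like cadence (10 to 30 minutes by default) and executes from a user-writable location. The three task definitions are constructed; the first models the article's loader persistence, and its task name, paths, and binary are assumptions.

```python
"""Triage exported Task Scheduler XML for loader-style persistence.

Added example; not code from the Antiy CERT or GBhackers write-ups. Parses
`schtasks /query /xml` output (XML declaration stripped), reads repetition intervals
and Exec actions, and flags a task only when a short cadence AND a user-writable
path coincide. All three task definitions below are constructed, with assumed paths.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed: a loader-style task running a copied ASUS binary from the user's profile,
# where a malicious ArmouryA.dll placed beside it would be side-loaded (paths assumed).
TASK_LOADER = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\ArmouryCrateUpdate</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Repetition><Interval>PT15M</Interval></Repetition></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Users\\jdoe\\AppData\\Roaming\\ASUS\\ArmouryCrate.exe</Command>
  </Exec></Actions>
</Task>"""

# Constructed: a daily scan task with no repetition, run from a system path.
TASK_DEFENDER = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-07-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\Windows Defender\\MpCmdRun.exe</Command>
    <Arguments>Scan -ScanType 1</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed: an updater that repeats hourly from Program Files (cadence too slow, path fine).
TASK_OFFICE = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Office\\Office Automatic Updates</URI></RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeC2RClient.exe</Command>
    <Arguments>/update user</Arguments>
  </Exec></Actions>
</Task>"""


def duration_minutes(text: str | None) -> float | None:
    """PT15M -> 15.0, P1DT2H -> 1560.0; None when the value is missing or malformed."""
    m = ISO_DURATION.match((text or "").strip())
    if not m or not any(m.groups()):
        return None
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def analyze_task(xml_text: str, low: float = 10, high: float = 30) -> dict:
    """Return the task URI, repetition intervals, Exec command lines and the triage verdict."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS)
    intervals = [duration_minutes(e.text) for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    execs = []
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        execs.append(f"{cmd} {args}".strip())
    reasons = []
    short = [i for i in intervals if i is not None and low <= i <= high]
    if short:
        reasons.append(f"repeats every {short[0]:g} min")
    if any(USER_WRITABLE.search(e) for e in execs):
        reasons.append("runs from a user-writable path")
    return {"uri": uri, "intervals": intervals, "execs": execs,
            "reasons": reasons, "suspicious": len(reasons) == 2}


if __name__ == "__main__":
    for xml_doc in (TASK_LOADER, TASK_DEFENDER, TASK_OFFICE):
        r = analyze_task(xml_doc)
        print(f"{r['uri']}: {'SUSPICIOUS' if r['suspicious'] else 'ok'} {r['reasons']}")
```

Requiring both signals keeps hourly vendor updaters and daily scans out of the results; in a real sweep, hash the Exec target and any DLLs beside it and compare against the published IOCs.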
READ THE STORY: GBhackers
Ukrainian Drone Tactics Prompt Strategic Overhaul in U.S. Military Doctrine
Bottom Line Up Front (BLUF): Ukraine’s innovative use of drones in its defense against Russia is reshaping U.S. military thinking in real-time. From low-cost FPV drones to strategic long-range strikes, Ukraine's battlefield adaptation prompts Pentagon leaders to reassess doctrine, procurement priorities, and future combat preparedness.
Analyst Comments: The rapid evolution of Ukraine’s drone warfare — combining off-the-shelf components with sophisticated tactics — highlights the increasing role of asymmetric technologies in conventional warfare. U.S. commanders are observing how Ukraine neutralizes expensive Russian equipment using cheap, agile drones, an approach that challenges long-held American reliance on high-cost platforms. This shift could accelerate U.S. investments in counter-drone systems, electronic warfare, and swarming tactics, while reshaping future conflict scenarios, particularly with near-peer adversaries like China.
FROM THE MEDIA: Lt. Gen. Sean A. Gainey, head of the Pentagon’s Joint Counter-small Unmanned Aircraft Systems Office, confirmed that insights from Ukraine are driving real-time adaptations within the U.S. armed forces. Ukraine’s ability to saturate Russian air defenses and inflict heavy losses with cost-effective drones has impressed defense experts and challenged existing assumptions about air superiority and battlefield control. Analysts say this marks a doctrinal shift toward more agile, decentralized, and tech-savvy forms of warfare. The U.S. Department of Defense is reportedly adjusting training exercises and procurement based on these lessons.
READ THE STORY: United 24
U.S. Army Learns Hard Battlefield Lessons from Russia’s Drone-Driven, Brutal War in Ukraine
Bottom Line Up Front (BLUF): A new U.S. Army report, How Russia Fights, outlines how Russia has embraced a warfighting model based on mass, brutality, and technological improvisation in Ukraine. The document highlights how Russia’s widespread use of drones, electronic warfare, and mass artillery is influencing changes in U.S. Army training, doctrine, and modernization.
Analyst Comments: Russia's use of expendable drones and decentralized warfare mirrors Ukraine’s tactics, suggesting future wars will rely more on mass-production and adaptability than expensive, high-tech precision platforms. U.S. forces must rethink their technological assumptions and organizational structures to match adversaries with fewer constraints and faster adaptation cycles.
FROM THE MEDIA: The study reveals how Russia has adopted Soviet-era principles, prioritizing quantity, mass fires, and brute force over maneuver and precision. Drones are now central to Russia’s battlefield operations, with tens of thousands deployed monthly for ISR, target acquisition, and direct attacks. Russia’s sophisticated electronic warfare units are jamming GPS, spoofing drones, and disrupting Western precision munitions. Russian units adapt despite a mixed-quality force, with low-tier formations developing cohesion under fire. The U.S. Army is responding with updated training, drone integration at lower echelons, and modernization initiatives like Project Linchpin and TITAN, aiming to keep pace with these evolving threats.
READ THE STORY: Task & Purpose
Items of interest
Vellox Reverser to Automate AI-Driven Malware Reverse Engineering
Bottom Line Up Front (BLUF): Booz Allen Hamilton has introduced Vellox Reverser, a cloud-based AI platform designed to automate reverse engineering of evasive malware. The product accelerates malware analysis by mimicking expert-level capabilities at machine speed, helping cybersecurity teams detect, analyze, and mitigate advanced threats more efficiently.
Analyst Comments: The debut of Vellox Reverser signals a significant advancement in automated malware analysis. With APTs increasingly using AI to craft sophisticated, evasive malware, traditional reverse engineering methods are often too slow and labor-intensive. Vellox’s swarm-based, AI-driven approach can reduce analysis from days to minutes, democratizing a capability once limited to elite analysts. As attackers iterate faster with generative techniques, tools like Vellox may prove essential in reducing dwell time and closing the attacker-defender speed gap.
FROM THE MEDIA: Developed from decades of U.S. government cyber defense experience, the platform offers standalone capabilities and a force multiplier for existing malware analysts. By simulating expert reverse engineering, Vellox can identify evasive behavior that static and dynamic tools often miss. Booz Allen describes the platform as adaptive, continuously analyzing all malware code paths and evolving alongside adversary tactics. The product is part of Booz Allen’s broader strategy to infuse mission-grade AI into cybersecurity infrastructure.
READ THE STORY: SiliconAngle
How does reverse malware engineering work? (Video)
FROM THE MEDIA: Threat detection teams are on the frontlines of detecting, inspecting, and publishing findings on new threats. But how do they get there? And what does it take to understand and dissect malware?
"Unmasking the Godfather - Reverse Engineering the Latest Android Banking Trojan" (Video)
FROM THE MEDIA: Banking malware has wreaked havoc on millions of Android users over the last few years, employing advanced stealth techniques to evade detection.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.