Tuesday, Jul 29, 2025 // (IG): BB // GITHUB // SN R&D
China’s Vulnerability Reporting Law Fuels Cyber Exploits and Zero-Day Stockpiling
NOTE:
China’s 2021 vulnerability disclosure law effectively funnels all zero-day reports from researchers and companies to the state within 48 hours, before vendors or the public are notified. This centralized control gives Chinese intelligence agencies early access to exploitable flaws, enabling state-sponsored hacking and stockpiling. Experts warn that the law legalizes cyber hoarding, undermines global disclosure norms, and facilitates offensive operations by groups linked to China’s Ministry of State Security. Evidence already shows a sharp rise in zero-day exploitation by Chinese APTs, while public vulnerability disclosures from China have plummeted. The global cybersecurity community views the law as a strategic threat cloaked in regulation.
Bottom Line Up Front (BLUF): Chinese government regulations mandate centralized reporting of software vulnerabilities within 48 hours, banning public disclosure and requiring coordination with state agencies. This system has bolstered China's cyber offense capabilities by enabling systematic vulnerability collection, analysis, and weaponization, particularly through agencies like the Ministry of State Security (MSS) and military-linked research units.
Analyst Comments: The Regulations on the Management of Network Product Security Vulnerabilities (RMSV) effectively convert China's vulnerability research pipeline into a cyber warfare asset. By mandating non-disclosure and funneling all vulnerabilities into state-run databases, China gains a first-mover advantage on zero-day usage while withholding disclosures from global defenders. The reduced number of ICS vulnerabilities published by CNVD and the delayed CNNVD postings suggest selective publication for offensive use. In contrast, Western systems remain reactive, fragmented, and reliant on voluntary reporting, leaving a strategic gap in vulnerability intelligence.
FROM THE MEDIA: Reports flow through the MIIT’s NVDB platform, which interfaces with the CNVD and CNNVD, aggregating zero-day vulnerabilities across sectors, including ICS, mobile apps, and government systems. Analysts found that disclosures of ICS vulnerabilities dropped sharply after 2021, suggesting intentional withholding. These databases feed intelligence operations led by the MSS, People’s Liberation Army (PLA), and affiliated institutions. U.S. agencies like CISA observed increased exploitation of ICS vulnerabilities, many likely undisclosed by CNVD. Microsoft’s 2022 Digital Defense Report noted a surge in China-linked zero-day exploitation tied directly to this opaque, state-integrated vulnerability ecosystem.
READ THE STORY: GBhackers
China Threatens Retaliation Over Ukrainian Sanctions Targeting Pro-Russia Entities
Bottom Line Up Front (BLUF): China has condemned Ukraine’s July 27 sanctions on 53 Chinese individuals and entities for allegedly supporting Russia’s war effort. Beijing dismissed the measures as illegitimate and warned of retaliatory action to protect its companies. The sanctions follow intelligence claims that China has supplied dual-use goods to Russian military industries.
Analyst Comments: Ukraine’s bold move to sanction Chinese entities indicates a hardening stance toward nations perceived as enabling Russia’s invasion, even at the risk of antagonizing major global powers. This adds a new layer of complexity to the geopolitical fallout from the war, especially given China's economic leverage and expanding influence in global supply chains. If Beijing follows through with retaliatory measures, Ukraine could face trade restrictions or reduced diplomatic engagement. The sanctions may also embolden U.S.-led efforts to isolate China economically over its alignment with Moscow.
FROM THE MEDIA: President Zelensky imposed the sanctions a day earlier through a decree targeting individuals and entities from Russia and allied nations for actions deemed hostile toward Ukraine. China claims the sanctions lack UN authorization and violate international norms. Ukraine's Foreign Intelligence Service has accused China of providing Russia with materials such as gunpowder and dual-use chemicals used in drone and missile production. China has denied these allegations. The issue further escalates tensions before Putin’s scheduled visit to China in September.
READ THE STORY: The Kyiv Independent
UNC3886 Targets Singapore’s Critical Infrastructure Using Zero-Day Exploits
NOTE:
The group’s toolset includes highly sophisticated software rarely seen outside military or intelligence contexts—kernel-level rootkits like Reptile and Medusa that can hide files, mask user activity, and grant attackers nearly invisible control over servers and network devices. These programs don’t just exploit software flaws—they are engineered to operate beneath the radar of conventional security tools, often altering core system behavior at the operating system level. According to experts, malware of this caliber is typically developed by teams with significant funding, access to proprietary information, and deep technical expertise—resources generally available only to elite cyber units within national governments. “You’re talking about a level of capability that most commercial threat actors simply don’t have,” said Paul John Bardon, a threat hunter at Trend Micro. The result is a growing concern among security professionals that such advanced tools are being used for espionage and potentially to prepare the ground for critical infrastructure sabotage.
Bottom Line Up Front (BLUF): China-linked APT group UNC3886 actively targets Singapore’s critical infrastructure by exploiting zero-day and unpatched vulnerabilities in Fortinet, VMware, and Juniper platforms. The attackers employ advanced persistence and lateral movement techniques, posing severe operational and national security risks across the energy, finance, and government services sectors.
Analyst Comments: The group’s use of living-off-the-land tactics, GitHub, and Google Drive for C2, as well as stealthy credential harvesting, reflects a strategic espionage agenda with potential for disruptive impacts. This aligns with a broader trend in which Chinese APTs blend traditional cyber-espionage with operational sabotage readiness. The group’s tactics make early detection difficult, highlighting the need for enhanced firmware integrity monitoring, credential rotation policies, and collective sector-wide threat sharing initiatives.
FROM THE MEDIA: The group was first identified by Mandiant in 2022 and linked to bespoke malware families such as MOPSLED, RIFLESPINE, and VIRTUALPIE. In the latest wave of attacks, UNC3886 has focused on disabling forensic logging, harvesting SSH credentials, and maintaining long-term access in enterprise hypervisors and network edge devices. The campaign could lead to significant energy, water, healthcare, and financial disruptions. Singaporean authorities have issued TLP:CLEAR alerts urging immediate patching, MFA enforcement, and integration of IOCs and MITRE ATT&CK TTPs for defense.
READ THE STORY: GBhackers
Security Teams Drowning in Threat Intelligence, Google-Backed Report Warns
Bottom Line Up Front (BLUF): A global study commissioned by Google Cloud reveals that 61% of security leaders feel overwhelmed by the sheer volume of threat intelligence data, while 60% lack the analysts needed to process it. The result: most organizations remain reactive, not proactive, in their cybersecurity posture, leaving them vulnerable to increasingly complex and tailored threats.
Analyst Comments: In OT-heavy sectors like manufacturing, standard IT-focused threat feeds miss context-critical indicators. This imbalance between data and human interpretation will lead to slower threat response times and increased breaches if not addressed. Organizations must prioritize threat intelligence as a dynamic capability—not a static product—and invest in contextual analysis, enrichment workflows, and tailored use-case development.
FROM THE MEDIA: Manufacturing emerged as the sector with the most concern, with 89% citing alert overload and fears of missing real attacks, a concern likely tied to an uptick in ransomware targeting industrial systems. Top threats over the next year include phishing (46%), ransomware (44%), supply chain attacks (41%), and AI prompt injections (34%). The report warns that threat intel feeds become noise rather than value without proper filtering, contextualization, and analyst capacity. The study recommends reframing intelligence as a process supported by skilled analysts, not just a flood of indicators, to enable better-informed decision-making and threat mitigation.
READ THE STORY: The Register
Google Launches OSS Rebuild to Counter Open-Source Supply Chain Attacks
Bottom Line Up Front (BLUF): Google has introduced the OSS Rebuild initiative to detect and prevent software supply chain attacks by independently rebuilding and verifying open-source packages from ecosystems like PyPI, npm, and crates.io. The project produces cryptographic attestations that confirm a binary’s integrity against its source code, helping identify tampering and promoting greater transparency across software development pipelines.
Analyst Comments: Google's OSS Rebuild marks a pivotal shift in addressing one of the most pressing threats in modern cybersecurity: the compromise of upstream software dependencies. By automating reproducibility and leveraging complementary tools like Sigstore and SLSA, Google is laying the groundwork for enforceable integrity standards. The approach may drive the adoption of Software Bills of Materials (SBOMs) and reshape compliance frameworks in regulated industries. However, scaling to cover smaller and less reproducible packages will remain a technical and logistical hurdle requiring broad industry collaboration.
FROM THE MEDIA: The system independently rebuilds widely used open-source packages in controlled environments to verify their consistency with source code. This verification process generates cryptographic attestations that can flag manipulated binaries, protecting users from hidden backdoors like the one seen in the XZ Utils incident. Developers can use public dashboards to check for mismatches before deploying code. Though focused initially on top packages, Google plans to expand OSS Rebuild’s reach and open-source the tooling to encourage broader community adoption and scalability.
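The rebuild-and-compare idea described above, as an added example rather than OSS Rebuild's own code or attestation format: a deterministic tar.gz builder, a rebuild record loosely shaped like an in-toto Statement (the `example.invalid/rebuild` predicate type, the `SOURCE_DATE_EPOCH` pinning and the sample source tree are all constructed here), and a verifier that compares a downloaded artifact with what an independent rebuild from the public source produced. The "tampered" artifact stands in for a package published from a compromised pipeline that added a file the public source never had.

```python
"""Reproducible rebuild check: rebuild from source, compare digests, report drift."""
import gzip
import hashlib
import io
import tarfile
from typing import Dict, Set, Tuple

# Pin everything that normally varies between two builds of the same source:
# timestamps, owner, file order. A fixed epoch is a common convention; 0 is arbitrary.
SOURCE_DATE_EPOCH = 0


def build(source: Dict[str, bytes]) -> bytes:
    """Deterministic tar.gz of a source tree given as {path: bytes}."""
    buf = io.BytesIO()
    # gzip mtime and tar metadata are the usual sources of non-reproducibility.
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=SOURCE_DATE_EPOCH) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
            for path in sorted(source):            # member order is part of the bytes
                data = source[path]
                info = tarfile.TarInfo(path)
                info.size = len(data)
                info.mtime = SOURCE_DATE_EPOCH
                info.mode = 0o644
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def attest(name: str, source: Dict[str, bytes]) -> dict:
    """Rebuild from source and record the digest the rebuild produced. Loosely
    modelled on an in-toto Statement (subject + predicate); the predicate type
    and fields are constructed for this example, not OSS Rebuild's schema."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name, "digest": {"sha256": sha256(build(source))}}],
        "predicateType": "example.invalid/rebuild",
        "predicate": {"sourceDateEpoch": SOURCE_DATE_EPOCH, "inputs": sorted(source)},
    }


def verify(published: bytes, attestation: dict) -> Tuple[bool, str, str]:
    """Compare the artifact a user downloaded with the rebuilt digest.
    Returns (match, expected_digest, actual_digest)."""
    expected = attestation["subject"][0]["digest"]["sha256"]
    actual = sha256(published)
    return actual == expected, expected, actual


def extra_members(published: bytes, rebuilt: bytes) -> Set[str]:
    """On a mismatch, show which archive members exist only in the published copy."""
    def names(blob: bytes) -> Set[str]:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            return set(tar.getnames())
    return names(published) - names(rebuilt)


# Constructed sample source tree and a "published" variant with one injected file.
SOURCE = {
    "pkg/__init__.py": b"from .core import is_str\n",
    "pkg/core.py": b"def is_str(x):\n    return isinstance(x, str)\n",
}
TAMPERED_SOURCE = {**SOURCE,
                   "pkg/_bootstrap.py": b"import socket  # constructed stand-in for injected code\n"}
TAMPERED_ARTIFACT = build(TAMPERED_SOURCE)


if __name__ == "__main__":
    att = attest("demo-1.0.0.tar.gz", SOURCE)
    print("honest artifact matches rebuild:", verify(build(SOURCE), att)[0])
    ok, exp, got = verify(TAMPERED_ARTIFACT, att)
    print("tampered artifact matches rebuild:", ok, "| extra members:",
          extra_members(TAMPERED_ARTIFACT, build(SOURCE)))
```

The check only means anything if `build()` is byte-for-byte stable, which is why every field that a normal `tar czf` would fill from the build host is pinned; a package whose upstream build is not reproducible cannot be verified this way, which is the scaling hurdle the analyst comment above refers to.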
READ THE STORY: WPN
Atomic macOS Stealer Evolves into Full Remote Access Trojan with Persistent Backdoor
Bottom Line Up Front (BLUF): The Atomic macOS Stealer (AMOS), a known infostealer malware targeting Apple systems, has been upgraded with a stealthy remote access backdoor, giving attackers persistent control over infected macOS devices. This evolution transforms AMOS into a Remote Access Trojan (RAT) capable of executing commands, deploying payloads, and maintaining long-term access.
Analyst Comments: With a growing number of high-value users on Apple devices, and with capabilities such as LaunchDaemon persistence, obfuscated command-and-control polling, and virtual-environment detection, AMOS now belongs in the same class as nation-state tooling. Its malware-as-a-service (MaaS) distribution model further amplifies risk by democratizing advanced threat capabilities. This evolution highlights the need for macOS users and organizations to adopt EDR solutions and tighten application control.
FROM THE MEDIA: AMOS installs a hidden .helper binary with a wrapper .agent script in the user’s home directory and creates a LaunchDaemon entry (com.finder.helper) using elevated permissions obtained via social engineering or phishing. The malware communicates with its C2 server every 60 seconds and can execute remote commands, manipulate files, or drop additional payloads. AMOS also includes anti-analysis measures, aborting in sandbox environments and obfuscating its code. Its primary distribution vectors include phishing lures disguised as job interviews and cracked software downloads, often targeting crypto users and freelancers. Its global spread now includes victims in over 120 countries.
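A hunt for the persistence pattern described above, written here as an added example (not code from the AMOS report or from any vendor): it parses launchd property lists and flags any whose program, or the script handed to an interpreter such as /bin/sh, is a dot-prefixed file under a user's home directory, plus the com.finder.helper label the article names. The two sample plists are constructed for an offline run; the only campaign-specific value is that label.

```python
"""Flag LaunchDaemon/LaunchAgent plists that run a hidden file from a user home."""
import os
import plistlib
import re
from typing import Dict, List

# The LaunchDaemon label the article attributes to AMOS. Nothing else is implied.
KNOWN_BAD_LABELS = {"com.finder.helper"}

# A dot-prefixed (hidden) file anywhere below /Users/<name>/.
HIDDEN_IN_HOME = re.compile(r"^/Users/[^/]+/(?:[^/]+/)*\.[^/]+$")

LAUNCHD_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents",
                os.path.expanduser("~/Library/LaunchAgents")]


def candidate_paths(item: dict) -> List[str]:
    """Absolute paths launchd will execute or pass along: the Program key plus every
    absolute-path entry of ProgramArguments, so a wrapper such as
    ["/bin/sh", "/Users/x/.agent"] exposes the script and not just the shell."""
    paths = []
    if isinstance(item.get("Program"), str):
        paths.append(item["Program"])
    for arg in item.get("ProgramArguments") or []:
        if isinstance(arg, str) and arg.startswith("/"):
            paths.append(arg)
    return paths


def analyze_plist(data: bytes) -> List[str]:
    """Return the rule names the plist trips; an empty list means clean."""
    try:
        item = plistlib.loads(data)
    except Exception:
        return ["unparseable-plist"]
    hits = []
    if item.get("Label") in KNOWN_BAD_LABELS:
        hits.append("known-bad-label")
    if any(HIDDEN_IN_HOME.match(p) for p in candidate_paths(item)):
        hits.append("hidden-executable-in-user-home")
        # launchd restarts the job at boot/login and on exit: persistence intent.
        if item.get("RunAtLoad") or item.get("KeepAlive"):
            hits.append("persistent")
    return hits


def scan(plists: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each plist name to the rules it trips, omitting clean ones."""
    return {name: hits for name, data in plists.items() if (hits := analyze_plist(data))}


def scan_disk(dirs=LAUNCHD_DIRS) -> Dict[str, List[str]]:
    """Scan the real launchd directories of the host this runs on."""
    found = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for fn in os.listdir(d):
            if fn.endswith(".plist"):
                path = os.path.join(d, fn)
                with open(path, "rb") as fh:
                    found[path] = fh.read()
    return scan(found)


# Constructed sample plists for an offline run; not captured from AMOS.
SAMPLE_PLISTS = {
    "com.finder.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.finder.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>/Users/alice/.agent</string></array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>""",
    "com.example.backup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/backup</string><string>--daily</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}


if __name__ == "__main__":
    for name, hits in {**scan(SAMPLE_PLISTS), **scan_disk()}.items():
        print(name, "->", ", ".join(hits))
```

A daemon in /Library/LaunchDaemons runs as root, so a plist there that points back into a user's home directory is worth a look on its own; the hidden-file rule is deliberately broader than the one label so that a renamed variant still surfaces.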
READ THE STORY: GBhackers
Taiwan to Procure Nearly 50,000 Indigenous Drones by 2027 in Asymmetric Warfare Push
Bottom Line Up Front (BLUF): Taiwan plans to acquire 48,750 domestically manufactured drones by the end of 2027 to strengthen its asymmetric defense capabilities against increasing Chinese military pressure. The drones span five categories, emphasizing multi-role, long-range, and modular systems — all designed, assembled, and sourced entirely within Taiwan.
Analyst Comments: This procurement signals Taiwan’s strategic pivot toward scalable, decentralized drone warfare, a tactic validated by recent conflicts such as Ukraine’s use of low-cost UAVs. Excluding Chinese components and investors reflects heightened counterintelligence and supply chain security concerns. Taiwan’s emphasis on modularity, range, and domestic production underscores its long-term defense-industrial resilience, especially as traditional defense procurement faces geopolitical and logistical hurdles. If successfully implemented, this drone fleet could be a formidable deterrent by complicating Chinese operational planning across land, air, and maritime domains.
FROM THE MEDIA: Taiwan’s Ministry of National Defense issued a procurement notice on July 23 outlining a plan to purchase 48,750 drones between 2026 and 2027. The drones are categorized from Type A to E, including VTOL multi-rotors and catapult-launched fixed-wing UAVs. All drones must be made in Taiwan with zero Chinese components or investment links. For example, the Type A drone can carry 2.5kg and remain airborne for 30+ minutes, while the Type C drone offers a 180km range and over two hours of flight time. The move comes amid intensified Chinese military activity around the Taiwan Strait, prompting Taipei to ramp up indigenous defense production and readiness reforms.
READ THE STORY: DIGI TIMES ASIA
Supply Chain Attack Infects Millions Through Popular JavaScript Library ‘is’
Bottom Line Up Front (BLUF): A widespread supply chain attack compromised the JavaScript utility package “is,” affecting millions of downstream projects. Attackers used phishing to steal NPM developer credentials and published malicious versions (v3.3.1 to v5.0.0) that remained live for six hours, enabling remote code execution via WebSocket connections.
Analyst Comments: Exploiting such a small, widely used dependency exemplifies how minimal components can become high-risk attack vectors. Dynamic WebSocket loaders and accompanying spyware (Scavanger) further amplify concerns about automated updates and lack of version pinning. As threat actors increasingly target the open-source ecosystem, proactive developer hygiene—such as lock files, static analysis, and credential compartmentalization—must become standard practice.
FROM THE MEDIA: The attackers deployed malicious versions of the package between July 18–19, silently replacing legitimate code with a JavaScript loader that established a reverse WebSocket connection to execute arbitrary code remotely. In parallel, other packages like eslint-config-prettier, got-fetch, and @pkgr/core were also compromised in a coordinated campaign. These were distributed using credentials obtained through a spoofed phishing domain, npnjs[.]com. The malware included a Windows-focused spyware variant named “Scavanger,” capable of stealing browser passwords and communicating with encrypted C2 servers. Experts advise freezing dependencies and resetting credentials to mitigate risk.
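The "freeze dependencies" advice above, turned into a lockfile audit as an added example (not tooling from npm or from the researchers cited): it walks a package-lock.json (v1 nested dependencies or v2/v3 packages map), flags any resolved version inside the is 3.3.1 to 5.0.0 range the article reports, and also flags entries with no integrity hash or a resolved URL outside the public registry, since either means npm will not verify what it installs. Affected versions of the other packages named above are not given on this page, so the advisory table carries only is; the sample lockfile and its integrity strings are constructed placeholders.

```python
"""Audit an npm package-lock.json against known-compromised version ranges."""
import json
import re
from typing import Dict, Iterator, List, Tuple

# Versions the article reports as malicious: "is" 3.3.1 through 5.0.0, inclusive.
# Extend with the other packages once their affected versions are published.
COMPROMISED: Dict[str, List[Tuple[str, str]]] = {
    "is": [("3.3.1", "5.0.0")],
}
REGISTRY = "https://registry.npmjs.org/"


def semver_key(version: str) -> Tuple[int, int, int]:
    """Numeric (major, minor, patch); a pre-release or build suffix is dropped."""
    core = re.split(r"[-+]", version.lstrip("v"), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def in_range(version: str, low: str, high: str) -> bool:
    return semver_key(low) <= semver_key(version) <= semver_key(high)


def iter_packages(lock: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (package name, lock entry) for lockfile v2/v3 'packages' or v1 'dependencies'."""
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            if path == "" or entry.get("link"):
                continue                      # root project itself, or a workspace symlink
            # 'node_modules/a/node_modules/@scope/b' -> '@scope/b'
            yield path.split("node_modules/")[-1], entry
    else:
        def walk(deps: dict):
            for name, entry in deps.items():
                yield name, entry
                yield from walk(entry.get("dependencies", {}))
        yield from walk(lock.get("dependencies", {}))


def audit(lock_text: str) -> List[Tuple[str, str, str]]:
    """Return (package, version, finding) triples; an empty list means nothing flagged."""
    findings = []
    for name, entry in iter_packages(json.loads(lock_text)):
        version = entry.get("version", "")
        for low, high in COMPROMISED.get(name, []):
            if version and in_range(version, low, high):
                findings.append((name, version, f"compromised range {low}-{high}"))
        if not entry.get("integrity"):
            findings.append((name, version, "no integrity hash"))
        resolved = entry.get("resolved", "")
        if resolved and not resolved.startswith(REGISTRY):
            findings.append((name, version, f"resolved outside registry: {resolved}"))
    return findings


# Constructed v3 lockfile; the integrity values are placeholders, not real digests.
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3, "requires": True,
    "packages": {
        "": {"name": "demo", "dependencies": {"is": "^3.3.0", "@pkgr/core": "^0.2.0"}},
        "node_modules/is": {
            "version": "3.3.1",
            "resolved": "https://registry.npmjs.org/is/-/is-3.3.1.tgz",
            "integrity": "sha512-PLACEHOLDER"},
        "node_modules/@pkgr/core": {
            "version": "0.2.0",
            "resolved": "https://registry.npmjs.org/@pkgr/core/-/core-0.2.0.tgz",
            "integrity": "sha512-PLACEHOLDER"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://mirror.example.internal/left-pad-1.3.0.tgz"},
    },
})


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for pkg, ver, why in audit(text):
        print(f"{pkg}@{ver}: {why}")
```

Run it as `python audit_lock.py package-lock.json` in CI; a caret range like `^3.3.0` in package.json is exactly what pulled the malicious releases in during the six-hour window, and the lockfile is the only record of which version actually landed.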
READ THE STORY: Red Hot Cyber
Google Invests in CO₂ ‘Gas Bag’ Energy Storage to Offset Growing AI Power Demands
Bottom Line Up Front (BLUF): Google has partnered with Italian startup Energy Dome to deploy long-duration energy storage (LDES) systems using CO₂ gas compression technology. The initiative aims to offset the tech giant’s surging data center energy consumption, which has grown 48% since 2019, even as the company maintains its commitment to reach carbon neutrality by 2030.
Analyst Comments: While unconventional, CO₂-based LDES could offer a faster, modular alternative to more speculative clean energy projects like nuclear or fusion. However, without transparency around deployment details, capacity metrics, or integration strategies, it's unclear whether this solution can meaningfully scale to match the pace of Google's energy growth. Still, the focus on grid-level deployments suggests strategic intent to shore up renewable reliability in AI-intensive regions.
FROM THE MEDIA: These closed-loop systems compress carbon dioxide into liquid when surplus renewable energy is available, then expand it into gas to generate electricity during shortages. The process is site-specific, uses off-the-shelf components, and is already operational at a 20MW/200MWh facility in Italy. While Google did not disclose investment amounts or deployment timelines, it framed the technology as a near-term solution compared to more complex alternatives in its clean energy portfolio. The deployment model will likely favor on-grid installations over colocated datacenter solutions, though specifics remain undisclosed.
READ THE STORY: The Register
Oyster Backdoor Masquerades as PuTTY and KeyPass in SEO Poisoning Campaign Targeting IT Admins
Bottom Line Up Front (BLUF): Threat actors are distributing the Oyster backdoor (a.k.a. Broomstick or CleanupLoader) via trojanized versions of PuTTY, WinSCP, and possibly KeyPass, using SEO poisoning and malicious ads to lure IT administrators. The malware establishes persistence and enables remote access, command execution, and data exfiltration, acting as an initial access vector for broader intrusions, including ransomware.
Analyst Comments: The Oyster campaign demonstrates a refined use of social engineering by leveraging SEO and malvertising to compromise high-value technical users through trusted tools. The abuse of revoked certificates and legitimate utility installers shows the attackers' focus on credibility and stealth. With ties to ransomware deployment and lateral movement, this threat represents a growing convergence between commodity malware and advanced intrusion operations. Defenders should prioritize download source validation and monitor for DLL executions via rundll32.exe, especially when tied to scheduled tasks.
FROM THE MEDIA: Researchers at Arctic Wolf and CyberProof identified an ongoing campaign where malicious versions of PuTTY and WinSCP distribute the Oyster backdoor through search engine manipulation. Fake download sites serve trojanized installers, which deploy DLLs like zqin.dll via rundll32.exe, and establish persistence using scheduled tasks named “FireFox Agent INC.” In one instance, a fake PuTTY installer with SHA-256 hash a8e9f0da26a3d6729e744a6ea566c4fd4e372ceb4b2e7fc01d08844bfc5c3abb was signed with a revoked certificate and traced to a spoofed download URL. The malware allows attackers to steal credentials, perform system reconnaissance, and drop further payloads. SEO poisoning tactics exploit platforms like Bing to manipulate search rankings and lure IT professionals.
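The rundll32-plus-scheduled-task detection the analyst comment calls for, as an added example (not a rule from Arctic Wolf, CyberProof, or any product): it checks process-creation records for rundll32.exe loading a DLL from a user-writable location and, when the parent is the Task Scheduler service host, tags that too; checks scheduled-task definitions for the same action or for the task name named above; and matches file hashes against the installer hash above. The three IOCs (hash, task name, zqin.dll) are from the article; the event records, task list, field names and file names are constructed for an offline run, and the Sysmon-style field names (Image, CommandLine, ParentCommandLine) are an assumption about the log source.

```python
"""Detect rundll32 DLL loads from user-writable paths and Oyster IOCs in sample logs."""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# IOCs from the article: the fake PuTTY installer hash and the scheduled task name.
BAD_SHA256 = {"a8e9f0da26a3d6729e744a6ea566c4fd4e372ceb4b2e7fc01d08844bfc5c3abb"}
BAD_TASK_NAMES = {"firefox agent inc"}

# Locations an unprivileged user can write to; rundll32 loading a DLL from any of
# these deserves a look regardless of campaign.
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata\\|users\\public\\|windows\\temp\\|programdata\\|temp\\)",
    re.IGNORECASE)

# First argument after rundll32[.exe], with or without quotes, up to the ',Export'.
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+)', re.IGNORECASE)


def dll_from_rundll32(cmdline: str) -> Optional[str]:
    """DLL path from e.g.  rundll32.exe "C:\\...\\zqin.dll",DllRegisterServer ; None otherwise."""
    m = RUNDLL_ARG.search(cmdline)
    return m.group(1).strip() if m else None


def check_process(event: Dict[str, str]) -> List[str]:
    hits = []
    dll = dll_from_rundll32(event.get("CommandLine", ""))
    if dll and USER_WRITABLE.search(dll):
        hits.append("rundll32-dll-from-user-writable-path")
        # Children of scheduled tasks run under the Schedule service host.
        if "-s schedule" in event.get("ParentCommandLine", "").lower():
            hits.append("launched-by-task-scheduler")
    return hits


def check_task(task: Dict[str, str]) -> List[str]:
    hits = []
    if task.get("TaskName", "").strip("\\").lower() in BAD_TASK_NAMES:
        hits.append("known-bad-task-name")
    dll = dll_from_rundll32(task.get("Action", ""))
    if dll and USER_WRITABLE.search(dll):
        hits.append("task-runs-rundll32-from-user-writable-path")
    return hits


def check_hash(sha256_hex: str) -> bool:
    return sha256_hex.lower() in BAD_SHA256


def sha256_of_file(path: str) -> str:
    """Hash a downloaded installer before running it."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(events: List[Dict[str, str]], tasks: List[Dict[str, str]],
           file_hashes: Dict[str, str]) -> List[Tuple[str, object, List[str]]]:
    """Run all three checks; return (kind, identifier, hits) for anything that fires."""
    out: List[Tuple[str, object, List[str]]] = []
    for i, ev in enumerate(events):
        if hits := check_process(ev):
            out.append(("process", i, hits))
    for task in tasks:
        if hits := check_task(task):
            out.append(("task", task.get("TaskName", ""), hits))
    for fname, digest in file_hashes.items():
        if check_hash(digest):
            out.append(("file", fname, ["known-bad-sha256"]))
    return out


# Constructed sample telemetry; paths and file names are illustrative.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\bob\AppData\Roaming\zqin.dll",DllRegisterServer',
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE"},
]
SAMPLE_TASKS = [
    {"TaskName": r"\FireFox Agent INC",
     "Action": r'rundll32.exe "C:\Users\bob\AppData\Roaming\zqin.dll",DllRegisterServer'},
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Action": r"%windir%\system32\defrag.exe -c -h -k -g"},
]
SAMPLE_HASHES = {
    "putty-installer.exe": "a8e9f0da26a3d6729e744a6ea566c4fd4e372ceb4b2e7fc01d08844bfc5c3abb",
    "winscp-setup.exe": "0000000000000000000000000000000000000000000000000000000000000000",
}


if __name__ == "__main__":
    for kind, ident, hits in triage(SAMPLE_EVENTS, SAMPLE_TASKS, SAMPLE_HASHES):
        print(f"{kind} {ident!r}: {', '.join(hits)}")
```

The path rule is the durable part: hashes and task names rotate between builds of the same loader, but rundll32 executing a DLL out of AppData under the Schedule service is rare in a managed fleet and survives a rename of zqin.dll.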
READ THE STORY: GBhackers
US Tariffs Target Chinese Drones Amid National Security Push for Domestic Alternatives
Bottom Line Up Front (BLUF): Amid escalating tensions with China, the U.S. has imposed cumulative tariffs of up to 170% on Chinese drones, particularly targeting DJI. The Biden and Trump administrations cite concerns over surveillance data exfiltration risks posed by Chinese-made drones, widely used by U.S. law enforcement and public safety agencies. As domestic drone production lags, agencies are urged to retrofit current fleets with secure American-made communication systems.
Analyst Comments: The U.S. is shifting from foreign dependency to strategic autonomy in its drone ecosystem, driven by national security and technological sovereignty. However, the operational reality is that most law enforcement agencies are still reliant on Chinese drones and face significant cost and supply hurdles when transitioning to American alternatives. Retrofit solutions—rather than complete replacements—represent a crucial stopgap. Meanwhile, China's export restrictions on rare earth elements further complicate U.S. supply chains, highlighting the need for long-term domestic industrial policy.
FROM THE MEDIA: The U.S. government has enacted sweeping tariffs on Chinese-made drones in response to mounting concerns over foreign data transmission risks. DJI drones, which most U.S. police departments still use, are central to the debate. In response, China has imposed retaliatory sanctions on U.S. drone companies and restricted exports of rare earths, which are crucial for drone production. Chinese firms continue pushing low-cost drone offerings in U.S. markets despite tariffs. With U.S. manufacturers unable to meet demand quickly, interim solutions like secure retrofitting of existing DJI fleets are being adopted to maintain operational continuity and protect sensitive data.
READ THE STORY: SECMAG
Items of interest
China’s Proposed London “Super Embassy” Raises Espionage Fears and Threatens Intelligence Alliances
Bottom Line Up Front (BLUF): China’s proposed 614,000-square-foot embassy in central London has sparked serious national security concerns from UK intelligence agencies and international allies, including the United States. The planned complex sits atop critical fiber-optic cables and near major data centers, raising fears of physical surveillance and digital interception. The UK government is expected to make a final decision by September 9, 2025, amid growing geopolitical and domestic pressure.
Analyst Comments: With underground facilities, a tunnel system, and a rooftop structure of unclear purpose, the project aligns with tactics previously flagged by Western security agencies. Approval could strain U.S.-UK relations and jeopardize the Five Eyes intelligence-sharing alliance. For the UK, this dilemma underscores the tension between economic incentives from China and national security imperatives. Any green light may embolden Beijing to replicate similar tactics in other allied capitals.
FROM THE MEDIA: MI5, GCHQ, and the Bank of England, as well as U.S. officials, have voiced concerns over the site’s proximity to high-capacity communication cables and BT infrastructure. In January 2025, Deputy PM Angela Rayner “called in” the planning application, removing local council authority. Beijing has tied approval of the UK’s embassy renovation in Beijing to this project’s outcome, pressuring the Labour government during trade talks and investment negotiations. Meanwhile, residents and dissident groups fear the embassy could expand Chinese surveillance and repression operations in London.
READ THE STORY: CSIS
China’s New London “Super Embassy”: Soft Power Hub or Security Risk? (Video)
FROM THE MEDIA: China’s new “super embassy” in central London sits directly above sensitive communication and fiber-optic cables that connect the city’s major financial hubs. The compound will likely include multiple underground rooms, a tunnel that could enable cable tapping, and multistory buildings that could support line-of-sight signals intelligence (SIGINT) collection of important surrounding buildings.
Thousands Protest Against Chinese 'Mega-Embassy' in London (Video)
FROM THE MEDIA: Thousands are protesting a proposed Chinese "mega-embassy" in London, which would be Beijing's largest diplomatic mission in the world. Opponents say the complex could be used to monitor and harass dissidents living abroad.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.