Daily Drop (1111)
08-16-25
Saturday, Aug 16, 2025 // (IG): BB // GITHUB // SN R&D
Chinese APT Group UAT-7237 Targets Taiwanese Web Hosting with Customized Open-Source Tools
NOTE:
UAT-7237’s campaign demonstrates how Chinese-linked operators refine tradecraft by weaponizing customized open-source tools rather than bespoke malware alone. Their pivot from noisy web shells toward VPN-based access and selective deployment suggests improved operational discipline. Taiwan’s web and cloud ecosystems remain priority targets for espionage, not just for data theft but also for potential disruption of infrastructure underpinning democratic institutions and cross-Strait resilience.
Bottom Line Up Front (BLUF): Cisco Talos has attributed intrusions against Taiwanese web infrastructure to UAT-7237, a Chinese-speaking APT subgroup of UAT-5918. The group exploited unpatched servers to gain access, deployed a custom shellcode loader called SoundBill, and used tools like SoftEther VPN, JuicyPotato, and Mimikatz to maintain persistence, escalate privileges, and steal credentials. The campaign highlights Beijing-linked interests in Taiwan’s critical digital infrastructure.
Analyst Comments: UAT-7237’s reliance on customized open-source tools illustrates a broader Chinese cyber trend: blending commodity malware with bespoke loaders to evade detection while maintaining long-term persistence. Their use of SoftEther VPN and selective web shell deployment marks an evolution from UAT-5918’s noisier methods, suggesting lessons learned in stealth and operational security. Taiwan’s strategic value makes its hosting and cloud providers prime espionage targets, and these intrusions could be precursors to broader campaigns against infrastructure supporting democratic resilience and cross-Strait stability. Organizations in the region should prioritize patching externally exposed servers, monitor for anomalous VPN usage, and hunt for SoundBill-related indicators of compromise (IOCs).
FROM THE MEDIA: The attackers exploited known vulnerabilities on exposed servers, conducted reconnaissance via standard Windows commands and WMI tools, and deployed SoundBill, a Chinese-written shellcode loader capable of running Cobalt Strike payloads. Other tools included JuicyPotato for privilege escalation, Mimikatz for credential theft, and FScan for network scanning. Unlike its parent group, UAT-5918, UAT-7237 favors RDP and SoftEther VPN access over widespread web shells. Indicators of compromise published by Talos include domains, hashes, and IP addresses tied to the group’s operations. Both The Hacker News and The Register corroborated Talos’ findings, noting that the activity fits a long-running pattern of Chinese cyber operations targeting Taiwan’s digital backbone.
READ THE STORY: THN // GBhackers // TheRegister
Microsoft Unveils Project Ire: AI-Driven Malware Detection Prototype
Bottom Line Up Front (BLUF): Microsoft has introduced Project Ire, an experimental AI system designed to autonomously detect and analyze malware directly in memory, without relying on traditional signatures or manual review. The prototype achieved up to 98% precision in lab tests and will eventually be integrated into Microsoft Defender as a next-generation binary analyzer.
Analyst Comments: If successfully productized, it could reduce zero-day malware’s “detection gap” by eliminating human bottlenecks in triage. However, with early recall rates as low as 26% in live trials, attackers may still find ways to bypass detection. The project also raises questions around false positives, transparency, and adversarial AI attacks, as cybercriminals will undoubtedly adapt malware to exploit weaknesses in AI-based analysis. As Microsoft integrates Ire into Defender, its adoption across enterprise ecosystems could set a new industry standard.
FROM THE MEDIA: Project Ire uses AI models combined with reverse engineering frameworks such as Ghidra and angr to disassemble binaries and analyze suspicious code in real time. Unlike traditional antivirus, which waits for signature updates or requires samples to be sent to vendors, Ire performs on-device malware classification and produces a transparent “chain of evidence” to explain its verdicts. Initial tests showed high precision (98%) but lower recall rates in real-world Defender triage datasets, where it flagged only about a quarter of malicious files under review. Microsoft confirmed that Ire remains a research prototype, with no release date, but expects it to become part of the Defender platform in the future.
READ THE STORY: Redmond
Ukrainian Cyber Alliance Co-Founder: “Russia Is Not a Cyber Superpower”
NOTE:
Russia qualifies as a cyber superpower due to its globally impactful offensive campaigns, integration of cyber into military doctrine, and sustained ecosystem of state–criminal collaboration. However, its dominance has plateaued: while still top-tier alongside the U.S. and China, Russia’s innovation has stagnated, its defensive resilience is weak, and its reliance on brute-force hybrid tactics shows the erosion of its once uncontested status.
Bottom Line Up Front (BLUF): Andriy Baranovich (aka Sean Townsend), co-founder of the Ukrainian Cyber Alliance, said in an interview that Russia has reached its ceiling in cyber capabilities and should not be considered a superpower. He emphasized that Ukraine, despite lacking formal “cyber troops,” has reached a state of parity with Russian intelligence services through a mix of official operations and independent hacker initiatives.
Analyst Comments: While Russian groups remain dangerous, their reliance on simple phishing against high-value intelligence targets suggests organizational weaknesses. Ukraine’s decentralized cyber ecosystem—blending state bodies like the SBU and GUR with volunteer hacker groups—has proven resilient and adaptive. However, the lack of a unified cyber command structure may limit Ukraine’s long-term ability to scale operations. As the war continues, both states will likely refine their strategies, with Russia leaning on entrenched units while Ukraine may institutionalize its cyber capabilities.
FROM THE MEDIA: YouTube channel Hack Your Mom, Sean Townsend stated that Russia’s cyber agencies, including the FSB, have been active for over 15 years but have plateaued in terms of sophistication. He noted that even basic phishing attacks are being used to compromise Russian intelligence officers, pointing to internal dysfunction. Townsend also observed that Ukraine has not yet built official “cyber troops,” despite years of discussions and strategies. Instead, Ukraine’s intelligence services, including the SBU and GUR, conduct operations independently or alongside volunteer hacker collectives. The Ukrainian Cyber Alliance has previously claimed responsibility for the 2023 hack of Russian satellite operator Dozor-Teleport, an incident initially attributed to the Wagner Group during its rebellion.
READ THE STORY: DEV UA
UK Ministry of Defence Contractor Leak Exposes Data of Afghan Refugees and Former Ministers
Bottom Line Up Front (BLUF): A ransomware attack on UK airport contractor Inflite has resulted in a data breach affecting over 3,500 individuals, including Afghan refugees, former UK ministers, and military personnel. The leak included sensitive personal information such as names, passport numbers, and refugee IDs tied to the UK’s Afghan resettlement programme.
Analyst Comments: Although no direct compromise of government systems occurred, the leak could still endanger Afghan individuals with ties to the UK. The incident comes just weeks after a more severe breach involving UK forces, raising questions about the Ministry of Defence’s oversight of subcontractors. As geopolitical tensions rise and refugee data becomes more politicized, such exposures could have long-term implications for trust in UK resettlement and security programs.
FROM THE MEDIA: The company, which operates a Jet Centre at Stansted Airport and supports government flights, was found to have leaked names, dates of birth, passport numbers, and other identifiers connected to the UK’s Afghan relocation efforts. Among the 3,500 affected are approximately 100 Britons, including ex-government officials and defence personnel who used Inflite’s services between January and March 2024. UK authorities, including the National Crime Agency and the National Cyber Security Centre, are involved in the investigation. While the government claimed no immediate risk to safety or systems, opposition leaders have called for an independent inquiry into repeated security lapses involving sensitive data.
READ THE STORY: FT
Russian Group EncryptHub Exploits Microsoft EvilTwin Vulnerability to Deploy Fickle Stealer
NOTE:
The Russian cybercriminal group EncryptHub is actively exploiting CVE-2025-26633 — a Windows Management Console flaw dubbed MSC EvilTwin — to deliver the Fickle Stealer malware. The campaign blends malicious MSC files, social engineering, and abuse of legitimate platforms (e.g., Brave Support) to infiltrate networks, harvest data, and maintain persistence.
Bottom Line Up Front (BLUF): The Russian cybercriminal group EncryptHub is actively exploiting CVE-2025-26633, a Windows Management Console flaw dubbed MSC EvilTwin, to deliver the Fickle Stealer malware. The campaign combines social engineering, malicious MSC files, and abuse of trusted platforms like Brave Support to infiltrate networks and maintain persistence.
Analyst Comments: Their tactic of blending benign and malicious MSC files makes exploitation stealthier, while layering in social engineering (fake IT support, Teams invites, and video conferencing lures) further increases effectiveness. By leveraging legitimate platforms such as Brave Support for payload hosting, EncryptHub complicates attribution and detection. This campaign highlights the urgent need for patching CVE-2025-26633 and user awareness training to resist social engineering vectors.
FROM THE MEDIA: Attackers masquerade as IT staff via Microsoft Teams, persuading victims to run rogue MSC files that exploit CVE-2025-26633, leading to backdoor installation. Once executed, the malicious file downloads PowerShell scripts that harvest system data, establish persistence, and execute encrypted attacker commands. Other payloads include a Go-based loader (“SilentCrystal”) and secondary backdoors like SilentPrism and DarkWisp. Researchers found evidence of attackers abusing Brave Support’s file-hosting features with compromised accounts to distribute MSC malware bundles. EncryptHub also uses fake video conferencing tools (e.g., RivaTalk) to lure victims into installing malicious MSI packages, enabling DLL sideloading and further compromise.
READ THE STORY: TrendMicro
UK Telecom Provider Colt Suffers Cyber Incident, Ransomware Gang Claims Responsibility
NOTE:
UK telecom provider Colt Technology Services confirmed a cyberattack disrupted Colt Online and its Voice API platform. The company took internal systems offline as a protective measure, leaving operations degraded and forcing manual fallback for monitoring. A threat actor claiming affiliation with the WarLock ransomware gang has advertised 1 million allegedly stolen documents for $200,000, though Colt has not confirmed data theft.
Bottom Line Up Front (BLUF): Colt Technology Services, a primary UK-based telecom provider, confirmed a cyber incident on August 12, 2025, that disrupted its Colt Online and Voice API platforms. While Colt insists customer infrastructure remains unaffected, operations have slowed as the company shifted to manual monitoring. A threat actor claiming to be from the WarLock ransomware gang is offering 1 million allegedly stolen documents, including financial, employee, and customer data, for $200,000. Colt has not confirmed these claims.
Analyst Comments: While Colt has not confirmed data theft, claims by a threat actor linked to the WarLock ransomware gang suggest potential compromise of sensitive data. The targeting of telecom infrastructure aligns with recent patterns of cyber activity aimed at entities with wide attack surfaces and valuable data. If substantiated, the alleged data breach could carry regulatory and reputational consequences, particularly given Colt's business-to-business focus.
FROM THE MEDIA: The company, which Fidelity Investments own, emphasized that customer-facing infrastructure was not affected. In a public update, Colt stated that some systems were proactively taken offline as a security precaution, contributing to delays in support services. On August 15, Colt reported it had not yet fully restored its internal systems and was managing incidents manually. Meanwhile, a threat actor claiming to be associated with the WarLock ransomware group has taken responsibility for the attack, offering allegedly stolen Colt data for $200,000. Colt has not publicly responded to the extortion claim or confirmed any data breach. Telecommunications providers in other regions, including France and the U.S., have reported similar incidents in recent months.
READ THE STORY: DR // The Record
ERMAC V3.0 Banking Trojan Source Code Leaked, Exposes Criminal Infrastructure and Weak Security Practices
NOTE:
ERMAC 3.0 exemplifies the contradiction in modern cybercrime: sophisticated malware, sloppy operators. It features AES-CBC encrypted C2 communications, widespread form injection, and targeting of more than 700 banking, shopping, and crypto apps worldwide. Yet, poor security practices—hardcoded JWT secrets, default root credentials, and open admin registration—leave the infrastructure vulnerable to disruption.
The leak is a windfall for defenders: direct insight into ERMAC’s architecture enables new YARA rules, traffic signatures, and threat-hunting playbooks. Strategically, it also offers rare visibility into Eastern European cybercriminal ecosystems, where affiliate MaaS operations thrive.
Bottom Line Up Front (BLUF): Cybersecurity firm Hunt.io has uncovered and analyzed the complete source code of ERMAC V3.0, a sophisticated Android banking malware, after it was left exposed behind the weak default password “changemeplease.” The leak includes the malware’s backend, frontend, exfiltration server, and APK builder, giving defenders unprecedented access to the malware's inner workings and revealing serious operational security flaws.
Analyst Comments: Despite ERMAC's advanced capabilities—such as wide-scale form injection and encrypted command-and-control (C2) communications—the exposed infrastructure and hardcoded credentials expose its operators to takedown efforts. The discovery also highlights how poor cyber hygiene, even among cybercriminals, can severely undermine complex operations. This event could shift the dynamics of mobile malware threat intelligence, providing insight into Eastern European cybercrime groups and their evolving tactics.
FROM THE MEDIA: ERMAC targets over 700 global financial, shopping, and cryptocurrency apps using form injection techniques to harvest credentials. Analysis showed critical vulnerabilities, including hardcoded JWT tokens, root credentials set to “changemeplease,” and exposed admin panels with open registration. Infrastructure analysis connected the leaked code to several active C2 and exfiltration servers still used in live campaigns. Despite its operational sophistication, ERMAC’s poor security practices allow defenders to disrupt ongoing attacks and develop improved detection rules.
READ THE STORY: GBhackers
Dutch Prosecution Service Cyberattack Leaves Speed Cameras Offline Nationwide
Bottom Line Up Front (BLUF): A cyberattack exploiting Citrix NetScaler zero-day vulnerabilities (linked to CVE-2025 series) has disrupted the Netherlands’ Public Prosecution Service (OM), leaving dozens of speed cameras offline. While the cameras were not directly compromised, the attack has prevented their reactivation since July 17, raising concerns about cascading effects on interconnected justice systems.
Analyst Comments: By exploiting Citrix flaws—reportedly in use as far back as May—threat actors disrupted the OM’s Central Processing Office (CVOM), delaying speed camera enforcement across major highways. The incident illustrates the systemic risks of shared IT dependencies across law enforcement, judiciary, and transportation. If attackers were motivated by disruption rather than financial gain, the attack highlights a potential blueprint for targeting civic order without directly striking critical operational technologies.
FROM THE MEDIA: The CVOM confirmed this week that while cameras had been disabled for maintenance-like reasons, they remain offline due to a technical inability to restart them. Affected devices include fixed, average, and mobile “flex” speed cameras on both A (motorway) and N (secondary) roads. The Dutch NCSC later revealed that exploitation of the Citrix flaws had been ongoing since early May, with multiple critical organizations compromised. On August 5, prosecutors announced a cautious phased relaunch to minimize risks across linked justice systems, restoring email access first. Officials warned that full recovery would take weeks, urging staff and stakeholders to be patient.
READ THE STORY: The Register
Items of interest
Codeberg Flooded by AI Bots, Struggles to Contain Automated Abuse
Bottom Line Up Front (BLUF): Codeberg, a non-profit Git-based code hosting platform, is being disrupted by waves of AI-driven bots creating accounts, spamming repositories, and overloading moderation systems. Administrators report that the surge in automated activity is straining resources and forcing new restrictions on account creation and project hosting.
Analyst Comments: Unlike GitHub or GitLab, Codeberg lacks the same scale of anti-abuse infrastructure, making it more vulnerable to automated spam and malicious repo creation. Such abuse risks undermining community trust while diverting resources from development to moderation. In the broader context, malicious actors could weaponize bot-driven repo spamming to host malware, manipulate supply-chain dependencies, or flood open-source ecosystems with noise that complicates threat intelligence analysis. Expect similar pressures on alternative hosting services as AI-driven automation becomes more accessible.
FROM THE MEDIA: The non-profit platform, founded in 2019 as a privacy-friendly alternative to GitHub, has seen a sharp rise in automated abuse throughout 2025. Administrators said the bots use scripted sign-ups to generate junk repositories and spam content, overwhelming moderation teams and consuming server resources. To counter the attacks, Codeberg has begun restricting automated account creation, implementing stricter CAPTCHAs, and temporarily limiting repository features for new accounts. While no security breach has been reported, the spam scale has disrupted legitimate developer activity and slowed project hosting.
READ THE STORY: The Register
AI is Revolutionizing Web Security - Bots, Agents, & Real-Time Defense (Video)
FROM THE MEDIA: Arcjet CEO David Mytton sits down with a16z partner Joel de la Garza to discuss the increasing complexity of managing who can access websites and other web apps and what they can do there. A primary challenge is determining whether automated traffic is coming from bad actors and troublesome bots, or perhaps AI agents trying to buy a product on behalf of a real customer.
This AI Bot Runs Events, Roasts Players, And Delivers 2x Community Engagement (Video)
FROM THE MEDIA: Simon Davis, CEO of GOAT Gaming, joins our hosts Peggy Anne Salz and Brian Baglow to talk about Amy—an AI agent who roasts players, runs events, and doubled community engagement overnight. She’s not just a chatbot. She’s the future of player interaction.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.