Sunday, Sep 21, 2025 // (IG): BB // GITHUB // SN R&D
Leaked GoLaxy Documents Expose China's AI-Powered Precision Propaganda Machine
NOTE:
While no direct evidence confirms this connection, the parallels are striking enough to warrant consideration. Tencent's PERSONA HUB, capable of generating "1 billion diverse personas" for "synthetic data creation," provides exactly the technical infrastructure that GoLaxy would need for its influence operations. Both systems share critical characteristics: massive scale persona generation, connections to the Chinese Academy of Sciences, and the ability to simulate diverse human perspectives.
Bottom Line Up Front (BLUF): Leaked internal documents from Chinese AI firm GoLaxy reveal a sweeping influence operation using AI-generated personas to manipulate political narratives with surgical precision. GoLaxy built detailed psychological profiles on over 2,000 American political figures—including 117 members of Congress—and deployed generative AI to create realistic digital “doubles” used in propaganda campaigns across Hong Kong, Taiwan, and potentially the U.S. The 399-page archive, released by Vanderbilt’s Institute of National Security, confirms that these operations are already live, not hypothetical.
Analyst Comments: Where Russia’s 2016 playbook was meme factories and troll farms, China’s GoLaxy operation is a highly automated system using AI personas that listen, learn, and manipulate individuals based on detailed psychological blueprints. These personas don’t just post; they converse. They adapt. And they’re indistinguishable from real people to the average user. The leaked material suggests these aren't experiments—they're deployments. What’s most concerning is GoLaxy’s emphasis on targeting individual cognition, not just group sentiment. If DeepSeek, China’s ChatGPT equivalent, can be used to custom-tailor propaganda to individual voters or policymakers, we’re no longer dealing with information warfare. We’re facing AI-powered persuasion-as-a-service, potentially scalable to millions.
FROM THE MEDIA: Leaked documents from Chinese AI firm GoLaxy outline a system designed to scrape millions of social media posts and construct “dynamic psychological profiles” of individuals, capturing their beliefs, emotional triggers, and cognitive vulnerabilities. These profiles fuel AI-generated personas powered by DeepSeek (China’s equivalent to ChatGPT) and distributed via a proprietary platform dubbed GoPro. Unlike conventional bots, GoLaxy’s personas are interactive, adaptive, and emotionally resonant—capable of sustained engagement to gain trust and shape opinions within targeted communities.
READ THE STORY: The Record // GITHUB
China Mandates 4-Hour Reporting for Major Cybersecurity Incidents Under New CAC
Bottom Line Up Front (BLUF): China’s Cyberspace Administration (CAC) has issued binding cybersecurity incident reporting regulations that will take effect November 1, 2025. The rules require all network operators—including foreign firms operating in China—to report “relatively large” cybersecurity incidents within four hours. For more severe breaches, such as leaks involving over 100 million citizens, tighter deadlines and escalating government notifications apply. Failure to comply can result in administrative fines and enhanced penalties for responsible individuals.
Analyst Comments: This is China’s most aggressive regulatory move yet in cybersecurity incident handling—aimed at domestic tech giants and all foreign firms with a digital footprint in China. The four-hour reporting window rivals the strictest global standards and will challenge multinational firms operating across time zones, particularly those without localized incident response capabilities. Expect enforcement to be uneven at first, but foreign companies that delay or mishandle reports—especially involving data on Chinese citizens—could become high-profile examples. The inclusion of third-party vendor accountability in contracts is a significant operational challenge. Security teams must prepare now with localization of incident response plans, mandatory vendor clauses, and Chinese-language reporting capability.
FROM THE MEDIA: The Measures, issued September 11 and effective November 1, apply to any “network operator” within China, including foreign companies offering online services or operating IT infrastructure. Reportable incidents include ransomware, data leaks, service outages, or attacks that impact national security, social stability, or public infrastructure. Critical Information Infrastructure (CII) operators face even tighter deadlines: 1 hour to notify the authorities, with escalation to national agencies within 30 minutes. Reporting must include incident type, impact, suspected cause, ransomware details (if applicable), and source-tracing indicators. A follow-up remediation report is required within 30 days.
READ THE STORY: Morgan Lewis
Study Exposes Major Security Flaws in Popular VPNs: Users in Authoritarian States Face Serious Risk
Bottom Line Up Front (BLUF): A new investigation by the Open Technology Fund has revealed critical vulnerabilities in popular VPN apps used by over 700 million users globally. Many of these apps—especially those developed by companies linked to China—lack basic security, contain hard-coded passwords, and collect user location data. Users relying on these VPNs for anonymity, especially in authoritarian regimes, may be exposing themselves to surveillance, arrest, or worse.
Analyst Comments: VPNs are often seen as digital lifelines for activists, journalists, and dissidents in repressive regimes. But what happens when those lifelines are covertly controlled by companies linked to hostile states? According to this research, some of the most downloaded VPNs on the planet—including TurboVPN and VPN Proxy Master—are not just insecure, they may be outright surveillance tools. The technical flaws are egregious: weak or non-existent encryption (via outdated tunneling protocols like Shadowsocks), hard-coded credentials, opaque ownership structures, and location tracking directly contradict user expectations of privacy. For threat actors—state or criminal—these apps are soft targets that offer a backdoor into encrypted communications.
FROM THE MEDIA: Deutsche Welle reports that VPN apps operated by companies including Innovative Connecting, Autumn Breeze, and Lemon Clove—allegedly registered in Singapore but effectively controlled from mainland China—pose significant privacy threats. Open-source or audited VPNs like ProtonVPN, Mullvad, Lantern, and Psiphon were considered more trustworthy alternatives. For maximum anonymity, experts recommend using the Tor browser, which remains outside the jurisdiction of hostile state actors and doesn’t rely on centralized infrastructure.
READ THE STORY: DW
Chinese Counterfeit ID Network “ForgeCraft” Moves 6,500 Fakes into U.S. and Canada
Bottom Line Up Front (BLUF): A China-based cybercrime syndicate, ForgeCraft, sold over 6,500 fake U.S. and Canadian IDs to more than 4,500 buyers, earning an estimated $785,000. The operation, uncovered by CloudSEK, used 83 online platforms to market high-quality forgeries with scannable barcodes, UV features, and holograms. The fake documents are linked to risks such as SIM swaps, financial fraud, and unauthorized government and commercial services access.
Analyst Comments: ForgeCraft is a digitally agile forgery enterprise operating with impunity at a global scale. High-fidelity IDs and efficient delivery networks enable a broad spectrum of cyber-enabled crime—from wire fraud to SIM hijacking to regulatory evasion. This isn’t just fake plastic—it’s a threat vector disguised as a wallet card.
FROM THE MEDIA: The sheer quality of the forgeries and ForgeCraft’s ability to distribute them globally without detection speaks to a mature cybercrime-as-a-service model. Fake IDs are entry points for banking fraud, voter manipulation, logistics infiltration, and money laundering. One order alone included 42 commercial driver’s licenses tied to firms with regulatory flags—this isn’t petty crime; it’s industrial-scale access facilitation. Using mainstream couriers (FedEx, USPS) and concealed packaging techniques (toys, purses, cartons) shows how threat actors exploit traditional logistics. Payment processing through PayPal, LianLian Pay, and crypto highlights a hybrid laundering mechanism that crosses regulatory boundaries. ForgeCraft’s integration of social media ads, tutorial videos, and order tracking mirrors e-commerce models—only for crime. This demonstrates how digitally enabled fraud has matured to a level requiring a national security response, not just law enforcement cleanup.
READ THE STORY: The 420
Russian Botnet Exploits DNS Misconfigs and MikroTik Routers for Global Malspam Campaign
Bottom Line Up Front (BLUF): Researchers uncovered a Russian-operated botnet of ~13,000 compromised MikroTik routers, used to launch a global malspam campaign that distributed malware under the guise of DHL invoices. The operation relied on DNS SPF misconfigurations across ~20,000 domains to bypass anti-spoofing controls, allowing attackers to push ZIP-based malware at scale. Impact includes email spoofing, malware delivery, DDoS, and proxy-enabled anonymity for broader threat activity.
Analyst Comments: By chaining router exploitation with DNS SPF misconfigs, Russian operators built a resilient, high-volume malware distribution network. This is a low-complexity, high-impact tradecraft—easy to replicate, hard to filter. Organizations must harden network gear and clean up DNS hygiene before these same techniques are repurposed for even more disruptive attacks.
FROM THE MEDIA: On one side, you’ve got MikroTik routers—already notorious for weak defaults and persistent exploits—pressed into service as SOCKS4 proxy relays. Conversely, lax DNS SPF records with +all flags effectively granted adversaries a free license to spoof tens of thousands of legitimate domains. That combination allowed Russian operators to run high-delivery malspam campaigns with global reach and very low detection rates. The scale—routers across multiple firmware generations and domains spanning 20k+ organizations—demonstrates how attackers chain network infrastructure hijacking with email security gaps for maximum effect. This isn’t just spam. With MikroTik relays and open SPF, the botnet becomes a multi-use infrastructure: malware distribution today, DDoS, and credential-stuffing tomorrow. Anyone still running older MikroTik devices or sloppy SPF configs should assume exposure.
READ THE STORY: GBhackers
Cyber Fallout and Infrastructure Risks: Foreign Adversaries Exploit Gaps in Trump’s National Security Strategy
Bottom Line Up Front (BLUF): New reporting and policy analysis highlight a growing cyber threat landscape exacerbated by former President Trump’s foreign policy decisions. His disengagement from global alliances, rollback of USAID programs, and trade antagonism have reportedly emboldened state-backed threat actors from China and Russia, who are now positioned to target critical U.S. infrastructure, including water, power, and communications systems.
Analyst Comments: The warning signs are familiar: weakened diplomatic channels, retaliation-based trade policy, and isolation from global cybersecurity coalitions. The result is a more permissive environment for foreign adversaries—particularly China and Russia—to escalate cyber operations against U.S. targets. The elimination of multilateral aid and cooperation has created vacuums now filled by Chinese and Russian influence, expanding their soft power and intelligence reach. Trump’s transactional posture toward international relations appears to have traded away deterrence for short-term political optics. The fallout? Chinese cyber actors have a more straightforward path to probe and disrupt U.S. utilities, while Russian-supported groups have increased campaigns against government and corporate networks. With frayed diplomatic relationships and federal cybersecurity budgets frozen or politicized, incident response coordination may be slower or obstructed.
FROM THE MEDIA: According to a September 20th opinion piece by Professor Steve Corbin, the Trump administration’s foreign policy has created domestic and international vulnerabilities—particularly in cybersecurity. Corbin outlines how Trump’s failure to engage constructively with China has given Chinese threat actors more opportunity to target critical U.S. infrastructure. Citing the administration’s elimination of foreign aid programs and isolation from traditional allies, the piece claims China and Russia are expanding their global cyber and geopolitical influence. Chinese military posturing around Taiwan and ongoing cyber reconnaissance of U.S. systems are framed as direct challenges to American global leadership.
READ THE STORY: The Fulcrum
Heathrow, Brussels, Berlin Disrupted by Suspected Russian Cyber Attack on Collins Aerospace Check-In Systems
Bottom Line Up Front (BLUF): On September 20, a cyber incident at Collins Aerospace, supplier of airline check-in and boarding technology to ~100 airports worldwide, forced Heathrow, Brussels, and Berlin airports into manual operations. Hundreds of flights were delayed or cancelled, and experts warned disruptions could ripple for days. While attribution remains unconfirmed, UK and EU officials suspect Russian state-linked actors, citing hybrid warfare patterns and concurrent Russian military provocations in Europe.
Analyst Comments: Whether Russian state-directed or not, this incident proves aviation IT is a single point of failure ripe for exploitation. Airports, airlines, and governments must treat supply chain cyber resilience as part of critical infrastructure defense—passengers don’t care if it’s a hack or a glitch; the planes still don’t fly.
FROM THE MEDIA: This is a classic supply-chain strike against aviation infrastructure: no direct breach of airports, but a single vendor outage cascaded across multiple hubs. Even without confirmed attribution, the timing (Russian airspace violations, drone activity in Poland/Romania) suggests this may be part of Moscow’s broader strategy of hybrid pressure operations on NATO states. Using Collins Aerospace as the pivot highlights a chronic weakness: over-reliance on centralized IT vendors for critical operations. Just as CrowdStrike’s 2024 update failure grounded U.S. flights, this shows adversaries—and opportunistic criminals—can cripple aviation by exploiting chokepoints in third-party service providers.
READ THE STORY: The Standard
ShadowLeak Zero-Click Exploit Let Attackers Hijack Data from ChatGPT’s Deep Research Agent
Bottom Line Up Front (BLUF): A zero-click vulnerability dubbed ShadowLeak allowed attackers to extract sensitive user data from OpenAI’s ChatGPT Deep Research agent, exploiting its ability to ingest and summarize personal emails. Discovered by Radware, the flaw allowed malicious emails to trigger autonomous actions by the AI, exfiltrating data to attacker-controlled URLs without user interaction. OpenAI patched the issue by August 2025 after coordinated disclosure.
Analyst Comments: ShadowLeak shows how AI agents can become invisible exfiltration tools—reading and acting on prompts users never see. Organizations adopting autonomous tools must treat prompt injection as an attack surface, not an edge case. As more AI systems get wired into private data stores, security controls must shift from output filtering to input sanitization and action gating.
FROM THE MEDIA: The attack is elegant in its simplicity: an adversary embeds hidden commands in an email, the user asks ChatGPT to “summarize” their inbox, and the AI obediently follows instructions it was never supposed to see: no clicks, no alerts, no logs—just quiet data loss over HTTPS. The exploit abuses AI’s integration with tools like Gmail, where "helpful" behavior becomes a liability. Deep Research ingests the full content of emails—including invisible prompt injections in white text or tiny fonts—and then unknowingly triggers private web requests. Context override makes this especially dangerous: the injected prompt asserts legitimacy, telling the agent the data is public and the target URL is for compliance validation. It’s social engineering for machines—and it worked.
READ THE STORY: The Record
Nokia CBIS/NCS Manager API Flaw Enables Full Authentication Bypass (CVE-2023-49564)
Bottom Line Up Front (BLUF): A critical vulnerability in Nokia’s CloudBand Infrastructure Software (CBIS) and Nokia Container Services (NCS) Manager API (CVE-2023-49564, CVSS 9.6) allows unauthenticated attackers to bypass login controls and access privileged management endpoints. Orange Cert disclosed the flaw, which affects CBIS 22 and NCS 22.12 and could lead to a full takeover of telco infrastructure where network segmentation is weak or misconfigured.
Analyst Comments: If you run CBIS or NCS, assume exposure until patched. CVE-2023-49564 is a zero-friction authentication bypass with root-level consequences. Telcos and cloud operators should treat this as an urgent infrastructure risk, especially where CBIS/NCS intersects with 5G, IoT, or critical network slices. This isn’t just a patch—it’s a wake-up call on API trust boundaries.
FROM THE MEDIA: With no user interaction, no credentials, and only network-level access required, CVE-2023-49564 lets an attacker go straight to the control plane. The vulnerable API fails to validate custom HTTP headers in Podman-based Nginx containers, making it trivial to bypass authentication and hit admin-only endpoints. Once inside, attackers can deploy containers, modify network slices, or exfiltrate tenant data—without triggering standard auth mechanisms. In real-world terms, that means supply chain insertion, service disruption, or cross-tenant lateral movement. Given the centrality of CBIS/NCS to 5G and edge rollouts, this isn’t just a misconfig—it’s a platform-level blind spot.evel requiring a national security response, not just law enforcement cleanup.
READ THE STORY: GBhackers
Items of interest
Kim Jong Un Declares AI Drone Development a “Top Priority” for North Korea’s Military
Bottom Line Up Front (BLUF): North Korean leader Kim Jong Un has publicly elevated AI-powered drones to the top of Pyongyang’s military modernization agenda. During a visit to the Unmanned Aeronautical Technology Complex in Pyongyang, Kim oversaw performance tests of tactical surveillance UAVs and multipurpose drones, stressing that artificial intelligence and mass production of unmanned systems are critical to the DPRK’s future warfighting strategy.
Analyst Comments: This is more than rhetoric—it’s a strategic pivot. North Korea is pairing AI with unmanned systems to offset its technological disadvantages in conventional warfare. Suicide drones, reconnaissance UAVs, and AI-enabled targeting platforms fit neatly into Pyongyang’s asymmetric playbook: They’re cheaper than fighter jets, harder to intercept at scale, and ideal for harassment campaigns against South Korea and U.S. forces.
FROM THE MEDIA: North Korea is openly declaring AI drones as a cornerstone of its future force. Expect rapid scaling, with deployment aimed at South Korea, Japan, and potentially export to aligned states or non-state proxies.
READ THE STORY: CN
Kim Jong Un Flaunts His Big Drone (Video)
FROM THE MEDIA: North Korean state media released images on Thursday of leader Kim Jong Un inspecting drone and missile exercises.
North Korean state media show Kim Jong Un inspecting drone and missile exercises (Video)
FROM THE MEDIA: North Korean state media released images on Thursday of leader Kim Jong Un inspecting drone and missile exercises.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.