Thursday, Sep 25, 2025 // (IG): BB // GITHUB // SN R&D
Google Uncovers China-Linked Supply Chain Espionage Using Stealth Malware ‘Brickstorm’
Bottom Line Up Front (BLUF): Google has revealed a major, ongoing cyberespionage campaign by a China-linked threat group UNC5221 targeting tech vendors, SaaS providers, and legal firms in the U.S. and beyond. The campaign exploits edge infrastructure, evades detection using malware that avoids traditional endpoint tools, and enables long-term access to sensitive networks—posing serious risks to supply chain integrity and national security.
Analyst Comments: Brickstorm malware on systems that can’t run EDR (e.g., VMware ESXi, email gateways, vulnerability scanners) shows a deliberate focus on non-traditional attack surfaces. The 393-day average dwell time should set off alarms across the sector: this isn’t just persistence—it’s strategic positioning for multi-phase operations.
UNC5221 is playing a long game. By exfiltrating source code from enterprise tech vendors, the group is likely mapping future attack pathways—backdooring dependencies, fingerprinting vulnerabilities, or reverse-engineering proprietary defenses. This campaign echoes SolarWinds, but with more patience and subtlety.
The targets—legal firms, SaaS vendors, software developers—underscore that attackers are deliberately choosing upstream nodes in the digital supply chain. This isn’t about disruption. It’s about intelligence collection, tradecraft evolution, and access at scale. The impact will ripple for years.
One Weak Password Triggers Collapse of 158-Year-Old UK Logistics Firm
Bottom Line Up Front (BLUF): A single guessed password led to the total shutdown of KNP Logistics Group, a 158-year-old UK transport company, after the Akira ransomware group hit it in June 2025. Lacking MFA and relying on weak credential security, KNP lost access to all business-critical systems and data. With backups wiped and unable to pay the £5M ransom, the company collapsed into administration, resulting in 700 layoffs.
Analyst Comments: This incident is a brutal reminder that basic credential hygiene is still one of the most significant gaps in enterprise security. The attackers didn’t exploit a zero-day, need phishing kits, or use social engineering. They guessed a weak password on an internet-facing system with no MFA and took down a firm with nearly two centuries of operational resilience.
Once inside, Akira deployed ransomware, destroyed backups, and left KNP with no path to recovery. The company had cyber insurance and claimed compliance with industry standards, but these proved meaningless in the face of foundational failures.
KNP is now a case study in why password security and layered defense matter more than compliance checkboxes. For every enterprise still tolerating weak passwords or deferring MFA rollouts, this is the canary in the coal mine. You don’t need to be targeted to be vulnerable—just accessible.
Expect Akira and similar RaaS outfits to continue preying on under-defended mid-size firms. Their tactics are low-effort, high-impact, and the margin for error—especially with ransomware that deletes backups—is razor thin.
READ THE STORY: THN
China-Linked Hackers Target US Law Firms and Tech Providers Amid Escalating Trade Tensions
Bottom Line Up Front (BLUF): According to Mandiant and U.S. officials, a Chinese state-linked hacking group has infiltrated multiple U.S. software vendors, law firms, and cloud service providers in an active cyber-espionage campaign. The attackers have remained undetected in some environments for over a year, targeting proprietary tech, trade policy intelligence, and national security data. The FBI is investigating, and analysts are comparing the scale to the SolarWinds breach.
Analyst Comments: This is strategic espionage—not smash-and-grab. Targeting law firms and SaaS vendors is deliberate: these are upstream intelligence sources that handle sensitive trade negotiations, government relations, and proprietary product data. With U.S.–China trade tensions escalating following new tariffs, the intrusions appear timed to gain diplomatic and economic leverage, not just tech secrets.
The UNC5221 campaign, recently exposed by Google, tracks the intrusion methodology: long dwell times, stealth malware like Brickstorm, and exploitation of edge devices and non-EDR infrastructure. The scale and intent suggest coordination across multiple China-linked units, likely under MSS direction.
Mandiant’s framing of this as “a milestone hack” is significant—it places the campaign in the same tier as Russia’s SolarWinds breach, but with a broader and potentially longer-lasting impact due to the blend of legal, software, and cloud-based targets. These aren’t just C2 nodes—they’re trust hubs in the U.S. digital supply chain.
Expect additional victims and disclosures over the coming months as incident response teams catch up to breaches that may have started in 2023 or earlier.
READ THE STORY: CNN
Third Cyber Security Summit (Tianjin): China Expands Domestic Cyber Capabilities While Pushing Global Governance Narrative
Bottom Line Up Front (BLUF): This wasn’t just another staged conference. The Tianjin summit represents China’s multi-track strategy in cyberspace: consolidate domestic infrastructure, control threat intelligence pipelines, and shape the global conversation on internet governance. The participation of figures like Interpol’s cybercrime chief and the promotion of a “Tianjin solution” for joint cyber governance shows Beijing’s intent to expand its diplomatic footprint in the cyber domain.
Analyst Comments: Held in Tianjin’s Binhai New Area—home to the National Computer Virus Emergency Response Center—the summit was organized by city authorities with support from China’s Ministry of Public Security and the Cyberspace Administration. More than 800 people took part, including officials, foreign government representatives, cybersecurity companies, academics, and law enforcement.
Key sessions tackled threats from AI-powered cyberattacks, drone system vulnerabilities, malware proliferation, and the security challenges of China’s “Xinchuang” (indigenous IT) sector. High-profile speakers included Zhou Hongyi (Qihoo 360) and Qi Xiangdong (Qi-Anxin), who addressed AI’s dual role as a threat vector and defensive asset. Interpol’s cybercrime director advocated for broader international collaboration, while Chinese academics proposed a decentralized internet architecture as a long-term resilience measure.
READ THE STORY: Xinhua (State-Sponsored)
RedNovember Espionage Group Linked to China Targets Global Government and Defense Networks
Bottom Line Up Front (BLUF): A state-sponsored Chinese APT group tracked as RedNovember (aka Microsoft’s Storm-2077) has conducted a global cyberespionage campaign targeting government agencies, defense contractors, aerospace firms, and law firms across five continents. From June 2024 to July 2025, the group exploited perimeter appliance vulnerabilities and deployed open-source tools like Pantegana, Spark RAT, and Cobalt Strike to establish persistent access. Victims include U.S. defense firms, European manufacturers, and Southeast Asian ministries.
Analyst Comments: RedNovember is the latest example of China’s evolution in cyberespionage: agile, modular, and strategically global. Its toolset—rooted in widely available open-source malware—suggests deliberate obfuscation of attribution while enabling advanced post-exploitation activity. By targeting internet-facing devices from vendors like Ivanti, Palo Alto Networks, Citrix, Check Point, and SonicWall, the group sidesteps traditional EDR coverage and gains access to internal networks via weakly defended vectors.
The group’s use of Go-based malware (Pantegana, LESLIELOADER) points to cross-platform compatibility and high operational stealth. Coupled with VPN services like ExpressVPN and Warp VPN to obscure C2 infrastructure, this adversary is focused on long-term access and deep data exfiltration, not smash-and-grab operations.
What’s particularly significant is their geographic and sectoral spread: ministries, law firms, military contractors, and intergovernmental organizations. This broad targeting suggests an expansive intelligence mandate—possibly coordinated at the MSS level—and a priority on shaping global economic, defense, and policy landscapes through stolen information.
READ THE STORY: THN
Drone Incursion Shuts Down Copenhagen Airport; Russia Suspected in Escalating Hybrid Threat Campaign
Bottom Line Up Front (BLUF): On September 22, 2025, multiple large drones—likely operated by a capable actor—breached airspace over Copenhagen Airport, forcing a four-hour shutdown. Danish officials have not ruled out Russian involvement. This follows a wave of similar airspace violations across NATO countries, prompting increased calls for more explicit engagement rules and new air defense strategies. NATO and the EU condemned the activity as part of a pattern of “irresponsible” and “escalatory” Russian behavior targeting critical infrastructure.
Analyst Comments: This isn’t an isolated incident—it fits a growing pattern of Russian-linked gray zone tactics aimed at testing NATO’s response thresholds. Drones over a major civilian airport raise the stakes. These intrusions blur the line between provocation and sabotage, complicating the alliance’s ability to calibrate a response.
The fact that Danish authorities didn’t intercept the drones—due to safety concerns—shows how current doctrine lags behind operational threats. Civilian airspace is being exploited precisely because the rules of engagement are so restrictive. The strategic calculus is to operate just under the threshold of armed response, erode confidence in national defenses, and force NATO to react without firing a shot.
READ THE STORY: Reuters
Russia Targets Moldovan Election in Disinformation Play
Bottom Line Up Front (BLUF): A Kremlin-linked disinformation campaign is targeting Moldova’s Sept. 28 parliamentary elections to derail the country’s EU accession efforts. Researchers at Silent Push have attributed the campaign to Russian actor Storm-1679 (aka Matryoshka), tying its infrastructure and tactics to a prior 2022 operation known as Absatz. The campaign uses fake news sites with anti-EU, anti-government narratives and shows clear signs of coordinated infrastructure reuse.
Analyst Comments: This is a textbook Russian influence op — minimal malware, maximum reach. By avoiding malware payloads, Storm-1679 lowers the chances of takedown and legal scrutiny, keeping its psychological operations live longer. The link back to Absatz via technical fingerprints like shared IPs and reused code suggests a well-resourced operation with continuity across election cycles. Moldova is geopolitically strategic: expect more of this as the country moves closer to the EU. For defenders in Europe and beyond, the takeaway is clear — disinfo ops aren’t just about bots and content farms; they have real infrastructure that can be tracked, attributed, and eventually disrupted.
READ THE STORY: DR
Iranian APT ‘Nimbus Manticore’ Expands Focus to Western Europe in Sophisticated Critical Infrastructure Campaign
Bottom Line Up Front (BLUF): Iranian APT group Nimbus Manticore (also known as UNC1549, Smoke Sandstorm, and tied to the Iranian Dream Job campaign) is actively targeting critical infrastructure sectors across Western Europe, the Middle East, and Asia, with a specific focus on defense, aerospace, telecommunications, and satellite providers. The group uses advanced phishing tactics, custom malware (Minibike/MiniJunk, MiniBrowse), and stealth techniques including signed binaries, code padding, and DLL side-loading to evade detection. Check Point warns that operations continued even during the Iran-Israel conflict, signaling high operational tempo and resilience.
Analyst Comments: Nimbus Manticore represents the cutting edge of Iranian cyber tradecraft: modular implants, layered obfuscation, and infrastructure blending make this one of the most evasive IRGC-linked threat actors observed. What distinguishes this campaign isn’t just the technical sophistication—it’s the targeting precision, with spoofed job portals tailored to lure personnel in specific high-value sectors like satellite communications, aviation, and defense manufacturing.
The use of Minibike/MiniJunk and MiniBrowse strongly emphasizes access and post-exploitation credential theft. The malware’s LLVM-based obfuscation, junk code inflation, and SSL code signing help bypass many endpoint detection models, particularly those with size or resource caps. Adding Cloudflare + Azure App Service for C2 infrastructure reflects strategic resiliency and anonymity investments.
This actor’s use of legitimate cloud services, tailored spearphishing, and dynamic infrastructure rotation pushes it into the upper tier of nation-state operations. Western European organizations—primarily in Denmark, Sweden, and Portugal—are now clearly in scope.
Defenders should consider this a persistent threat actor with advanced tooling, high OPSEC discipline, and region-specific intent. Cloud-staged C2, compiler-level obfuscation, and code signing require defenders to go beyond signature detection and focus on behavioral analytics, memory-based forensics, and zero-trust segmentation.
READ THE STORY: Industrial
Hikvision Cameras Exploited Again: 8-Year-Old CVE-2017-7921 Resurfaces in IoT Attack Surge
Bottom Line Up Front (BLUF): Attackers are once again exploiting CVE-2017-7921, a critical vulnerability in Hikvision IP cameras first disclosed in 2017. Despite patches being available for years, mass exploitation continues as threat actors use simple brute-force techniques to access devices still exposed to the public internet. This highlights the systemic risk posed by unmanaged and unpatched IoT infrastructure — particularly in surveillance systems resold under OEM brands.
Analyst Comments: This isn’t a zero-day. It’s a zombie-day — a known vulnerability that refuses to die. That makes it more dangerous, not less. The continued exploitation of CVE-2017-7921, with a CVSS score of 10.0, underlines how vulnerable the IoT landscape remains when firmware patching is neglected or when end users can’t even identify who manufactured their device due to OEM rebranding.
What’s more telling is the attack method: no malware, no zero-click exploit — just URL-based brute-forcing using base64-encoded default credentials like admin:11. Once inside, attackers can steal footage, alter credentials, or use the device for lateral movement into internal networks. Devices acting as passive sensors are being turned into active threat vectors.
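As an added example (not code from the original story): a small log check that decodes base64 credential values carried in a URL query parameter and flags guessing bursts, a successful guess, and use of the admin:11 default named above. The parameter name `auth`, the endpoint path and every log line are constructed placeholders.

```python
"""Spot base64 credential guessing in camera web-access logs.

Added example for the Hikvision item above, not from the original story.
The endpoint path, the parameter name 'auth' and all log lines are
constructed; only the admin:11 default comes from the story.
"""
import base64
import binascii
import re
from collections import defaultdict
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access-log lines; the path is a placeholder.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [25/Sep/2025:10:00:01 +0000] "GET /camera/placeholder?auth=YWRtaW46bm90cmVhbA== HTTP/1.1" 401 0
203.0.113.7 - - [25/Sep/2025:10:00:02 +0000] "GET /camera/placeholder?auth=YWRtaW46Z3Vlc3Mx HTTP/1.1" 401 0
203.0.113.7 - - [25/Sep/2025:10:00:03 +0000] "GET /camera/placeholder?auth=YWRtaW46MTE= HTTP/1.1" 200 2210
198.51.100.9 - - [25/Sep/2025:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Default credential pair named in the story; extend from your own device inventory.
KNOWN_DEFAULTS = {"admin:11"}


def decode_auth_param(target: str) -> Optional[str]:
    """Return 'user:pass' when the request carries an auth= value that is
    valid base64 and decodes to printable text containing a colon."""
    query = parse_qs(urlsplit(target).query)
    for value in query.get("auth", []):
        try:
            raw = base64.b64decode(value, validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, ValueError):
            continue  # not base64, or not text: not a credential guess
        if ":" in text and text.isprintable():
            return text
    return None


def analyze(log_text: str, burst_threshold: int = 3) -> Dict[str, dict]:
    """Group decoded credential attempts per source IP and return only the
    sources worth alerting on: a burst of guesses, a 200 response to a
    guess, or a known default credential being tried."""
    per_ip: Dict[str, dict] = defaultdict(
        lambda: {"attempts": 0, "creds": [], "success": False, "default_hit": False}
    )
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        cred = decode_auth_param(m["target"])
        if cred is None:
            continue
        entry = per_ip[m["ip"]]
        entry["attempts"] += 1
        entry["creds"].append(cred)
        if m["status"] == "200":
            entry["success"] = True  # the device accepted the guess
        if cred in KNOWN_DEFAULTS:
            entry["default_hit"] = True
    return {
        ip: e
        for ip, e in per_ip.items()
        if e["attempts"] >= burst_threshold or e["success"] or e["default_hit"]
    }


if __name__ == "__main__":
    for ip, e in analyze(SAMPLE_ACCESS_LOG).items():
        print(ip, e["attempts"], "attempts, success:", e["success"], "default:", e["default_hit"])
```

A 200 status after a run of 401s is the signal to treat the device as compromised, not merely probed.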
READ THE STORY: FB
Nvidia’s $100B Problem: Cash Pile Fuels Strategic Shift Toward Infrastructure and AI Integration
Bottom Line Up Front (BLUF): Nvidia is entering a new phase in its corporate evolution—not by selling more chips, but by figuring out what to do with its growing war chest. Recent disclosures suggest a pivot toward massive investments in ecosystem control: $5B into Intel and a proposed $100B multi-year commitment to OpenAI signal a strategy of vertical integration and long-term AI dominance. With M&A off the table due to regulatory roadblocks, Nvidia opts to build instead of buy.
Analyst Comments: This isn’t just about parking cash. Nvidia is playing a long game to entrench itself as the core infrastructure provider for the AI economy. By funneling money into OpenAI—one of its biggest customers—and Intel, a key (and struggling) foundry partner, Nvidia is securing demand and influencing supply. It’s a dual play: keep GPU pipelines full while derisking future fabrication constraints.
The rumored $100B investment in OpenAI isn’t traditional VC-style equity—it’s likely structured around compute credits and capacity reservation in Nvidia’s own GPU cloud/data centers. In essence, Nvidia is creating a closed-loop system: build the data centers, invest in the companies that need them, then recognize revenue through consumption. It’s reminiscent of AWS’s early moves with startups—but on AI steroids.
READ THE STORY: WSJ
New YiBackdoor Malware Targets Windows Systems with Advanced Persistence and Command Execution
Bottom Line Up Front (BLUF): A newly identified malware strain named YiBackdoor is actively being analyzed for its advanced capabilities, including arbitrary command execution, data theft, and stealthy persistence techniques. First spotted in June 2025, the malware shares code with IcedID and Latrodectus, suggesting overlap with high-tier cybercrime groups. YiBackdoor is still in limited circulation but poses a high-risk threat as it matures.
Analyst Comments: YiBackdoor may still be in its early deployment phase, but its feature set is already at the level of enterprise-grade malware. This is not commodity malware—it’s a stealthy loader and access tool with anti-analysis, virtual machine detection, and injection techniques that indicate it’s either being developed by, or purchased by, groups with serious operational goals.
The way it injects into svchost.exe and hijacks RtlExitUserProcess() is particularly notable. That’s not something you see in standard commodity malware—it suggests development discipline and a goal of long-term stealth. Its overlap with IcedID, which evolved from banking fraud into a ransomware precursor, is concerning. We’re likely looking at a staging tool for future payloads, not just an infostealer.
READ THE STORY: FB
China Cracks Down on “Malicious Pessimism” in Two-Month Online Clean-Up Campaign
Bottom Line Up Front (BLUF): China’s Cyberspace Administration has launched a two-month enforcement campaign to suppress online expressions of defeatism, negativity, and AI-generated content depicting violence. Targets include “Sang culture” posts promoting hopelessness (e.g., “hard work is useless”), online trolling, conspiracy theories, and content that “incites negative emotions.” Platforms are expected to police user behavior and face penalties if they fail to comply.
Analyst Comments: This isn’t just digital hygiene—it’s cognitive security, Beijing-style. The campaign marks another escalation in China’s push to align online discourse with state-defined “positive energy,” particularly as the economy remains sluggish and social disillusionment among younger demographics spreads.
The crackdown is also a direct response to Sang culture, a term associated with resignation, burnout, and disaffection among youth navigating a stagnant job market, expensive urban life, and shrinking upward mobility. By framing emotional expression as a threat vector, the CCP links mental state to national stability.
READ THE STORY: The Register
Cisco SNMP 0-Day (CVE-2025-20352) Under Active Exploitation — RCE and DoS Risks to Network Core
Bottom Line Up Front (BLUF): Cisco has confirmed active exploitation of a critical stack overflow vulnerability (CVE-2025-20352) in the SNMP subsystem of IOS and IOS XE software. Depending on the attacker’s privileges, this flaw can result in remote code execution (RCE) or denial-of-service (DoS). There is no workaround, and all devices with SNMP enabled should be considered vulnerable unless explicitly hardened. Patches are available and should be applied immediately.
Analyst Comments: This kind of zero-day disrupts entire network architectures. SNMP is often enabled by default on networking gear — especially on legacy or mismanaged infrastructure. The fact that low-privilege attackers can cause reboots, and high-privilege attackers can gain root-level RCE, makes this a high-value exploit path for both nation-state actors and ransomware crews looking to knock out edge firewalls, core switches, or even entire site connectivity.
Cisco’s admission that the bug was discovered during TAC case resolution — not from internal testing or disclosure — is worrying. That suggests exploitation has been happening undetected in the wild for some time. With Meraki MS390 and Catalyst 9300 series switches among the affected platforms, cloud-managed infrastructure isn’t immune.
READ THE STORY: GBhackers
Domain Fronting Returns: Attackers Abuse Google Services for Covert C2 Channels
Bottom Line Up Front (BLUF): Security researchers have uncovered a revived domain fronting technique that abuses trusted Google services—including Google Meet, YouTube, Chrome Update servers, and GCP endpoints—to tunnel command and control (C2) traffic. The technique leverages mismatches between the TLS SNI and the HTTP Host header, effectively hiding malicious traffic inside legitimate enterprise flows. Detection is difficult, and mitigating the technique without breaking core services remains a significant challenge.
Analyst Comments: By fronting with a benign Google service in the SNI field, and routing the actual C2 request to a malicious backend (hosted on Cloud Run or App Engine), attackers gain a stealthy, encrypted tunnel with near-zero visibility in most enterprise environments.
Google previously disabled domain fronting in 2018, but the internal routing logic of some services still allows it, creating a fresh threat vector. This technique blends perfectly with allowed enterprise traffic and bypasses most TLS inspection tools due to certificate pinning and operational exceptions (e.g., not inspecting Chrome updates or Google Pay).
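As an added example (not from the original story): the SNI/Host mismatch described above is exactly what a TLS-inspecting proxy can log and a detector can compare. The log layout and the hostnames below are constructed; the hosting suffixes are an assumption drawn from the story’s mention of Cloud Run and App Engine.

```python
"""Flag TLS SNI / HTTP Host mismatches in TLS-inspection proxy logs.

Added example for the domain-fronting item above, not from the original
story. Log format and hostnames are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape "client_ip sni http_host bytes_out".
# Backend hostnames are placeholders, not real attacker infrastructure.
SAMPLE_PROXY_LOG = """\
10.1.2.3 meet.google.com meet.google.com 1423
10.1.2.3 meet.google.com c2-placeholder-abc123.a.run.app 98213
10.1.2.4 www.youtube.com www.youtube.com:443 5120
10.1.2.5 update.googleapis.com c2-placeholder.appspot.com 77200
10.1.2.6 accounts.google.com accounts.google.com 2048
this line is malformed and is skipped
"""

# Assumption: suffixes where anyone can deploy a backend; the story names
# Cloud Run (*.run.app) and App Engine (*.appspot.com).
DEPLOYABLE_SUFFIXES = (".run.app", ".appspot.com")


@dataclass
class Finding:
    client_ip: str
    sni: str
    host: str
    bytes_out: int
    reason: str


def normalize_host(name: str) -> str:
    """Lower-case, drop a trailing dot and an explicit :port so that
    'Meet.Google.com:443' and 'meet.google.com' compare equal."""
    name = name.strip().lower().rstrip(".")
    return name.split(":", 1)[0]


def parse_record(line: str) -> Optional[Tuple[str, str, str, int]]:
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None  # malformed record
    client_ip, sni, host, bytes_out = parts
    return client_ip, normalize_host(sni), normalize_host(host), int(bytes_out)


def detect_fronting(log_text: str) -> List[Finding]:
    """Return one Finding per flow whose HTTP Host differs from its TLS SNI."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        client_ip, sni, host, bytes_out = rec
        if sni == host:
            continue  # normal case: the front and the origin agree
        reason = "sni/host mismatch"
        if host.endswith(DEPLOYABLE_SUFFIXES):
            reason += "; host is on a self-service hosting platform"
        findings.append(Finding(client_ip, sni, host, bytes_out, reason))
    return findings


def bytes_per_client(findings: List[Finding]) -> Dict[str, int]:
    """Sum outbound bytes over fronted flows per client so triage starts
    with the hosts moving the most data, not the most connections."""
    totals: Dict[str, int] = {}
    for f in findings:
        totals[f.client_ip] = totals.get(f.client_ip, 0) + f.bytes_out
    return totals


if __name__ == "__main__":
    for f in detect_fronting(SAMPLE_PROXY_LOG):
        print(f"{f.client_ip}: SNI={f.sni} Host={f.host} ({f.reason})")
```

This only works where the proxy actually terminates TLS; flows excluded from inspection (the Chrome update and Google Pay exceptions noted above) never produce a Host value to compare.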
READ THE STORY: FB
Drone and Cyber Attacks Ground Russian Air Travel: Civil Aviation Disruption Becomes Strategic Pressure Point
Bottom Line Up Front (BLUF): Russia’s civil aviation sector is being repeatedly disrupted by a combination of Ukrainian drone attacks and cyber operations. The most recent wave hit Moscow on September 23, delaying or canceling over 200 flights. These incidents, including a July cyberattack that reportedly destroyed 7,000 Aeroflot servers, have grounded thousands of passengers, cost airlines billions of rubles, and exposed systemic weaknesses in airspace security and IT infrastructure.
Analyst Comments: Drone warfare is no longer limited to the battlefield—it’s hitting airport runways and airline balance sheets. While Russian state media has downplayed the strategic impact, the repeated grounding of flights in major hubs like Moscow, St. Petersburg, and Kazan signals real disruption.
July’s combined airspace closures and Aeroflot cyber breach marked a turning point: from isolated delays to stacked vectors (kinetic + cyber) that undermine public confidence and stretch emergency response capacity. The Moscow Times now reports 43,000 ticket refunds, 2,000+ delays, and 20 billion rubles in losses—a financial bleed no airline can ignore.
READ THE STORY: The Moscow Times
US Authorities Dismantle Suspected Nation-State Telecom Threat Network Near UN Assembly
Bottom Line Up Front (BLUF): The U.S. Secret Service seized over 300 SIM servers and 100,000 SIM cards across the New York tri-state area during the 2025 UN General Assembly, disrupting what officials described as a network used to facilitate encrypted communications, denial-of-service attacks, and potential disruptions to mobile infrastructure. Preliminary analysis links the hardware to known foreign intelligence operatives and nation-state threat actors.
Analyst Comments: This wasn’t your typical burner-phone takedown—this was infrastructure. The scale and proximity of the network, timed with the UN General Assembly and high-profile U.S. government presence, suggest a high-stakes surveillance or disruption operation. More than 300 SIM servers with 100,000 active cards imply industrial-scale telecom manipulation—enough to mask command-and-control (C2) traffic, generate artificial mobile identities, or coordinate proxy attacks.
The hardware’s potential to disable cell towers and facilitate denial-of-service attacks is a red flag. It’s rare for public disclosures to mention such capabilities without strong confidence. The Secret Service explicitly stated that the network posed an “imminent threat” to its protective mission—language not used lightly.
READ THE STORY: Reuters
Items of interest
Chinese Cargo Ship Repeatedly Docks in Russian-Occupied Crimea, Masking Movements with Falsified Tracks
BOTTOM LINE UP FRONT (BLUF): A Chinese-owned, Panama-flagged cargo vessel — the Heng Yang 9 — has docked multiple times in Sevastopol, Crimea, despite international sanctions banning foreign ships from Russian-occupied Ukrainian ports since 2014. Satellite imagery, AIS spoofing analysis, and independent media verification confirm the visits, raising concerns of Beijing’s tacit support for Russia’s logistics through occupied territory. The ship falsified its transponder signals during voyages, a common evasion tactic among Russia’s “shadow fleet.”
ANALYST COMMENTS: While China has avoided overt violations of Western sanctions, allowing a commercial ship under its control to dock at a sanctioned Crimean port signals a growing willingness to test international resolve. The use of falsified AIS positions points to deliberate sanctions evasion — the same playbook seen in Russian oil tankers. If this pattern continues, expect calls in Washington and Brussels for secondary sanctions targeting Chinese shippers. For Ukraine, every foreign vessel calling at occupied ports undermines its sovereignty claims and risks normalizing Russia’s control. The absence of consequences so far may embolden others.
READ THE STORY: FT
A Chinese ship secretly entered Crimea (Video)
FROM THE MEDIA: A Chinese-owned, Panama-flagged container ship (Heng Yang 9) has called at Sevastopol multiple times, despite Western sanctions on Crimean ports since 2014. Open-source satellite imagery and AIS inconsistencies strongly indicate deliberate track falsification. Expect mounting pressure for secondary sanctions on Chinese maritime actors, tighter insurer scrutiny, and heightened operational risk for any vessel trading with occupied Ukrainian ports.
Invisible Ships: The Battle Against AIS Spoofing (Video)
FROM THE MEDIA: Discover how this deceptive practice manipulates maritime tracking systems, conceals illicit activities, and disrupts global trade. This episode examines the ripple effects on businesses, coastal economies, and maritime safety, while exploring cutting-edge technologies and strategies to combat spoofing. Gain insights into the challenges of achieving transparency at sea and the role of compliance in safeguarding global shipping.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.