Daily Drop (1146)
10-02-25
Thursday, Oct 02, 2025 // (IG): BB // GITHUB // SN R&D
Ukrainian Naval Drones Hit Russian Oil Ports, Signal Shift in Maritime Warfare
Bottom Line Up Front (BLUF): Ukraine has escalated its use of maritime drones (USVs) with a September 24 strike targeting Russian oil terminals in Novorossiysk and Tuapse—marking the first confirmed use of naval drones against Russian energy infrastructure. Ukraine’s increasingly advanced USV fleet, including the Magura and SeaBaby drones, has already disabled nearly a third of Russia’s Black Sea Fleet. Controlled exports of these battle-proven systems are now under consideration, while Russia and China accelerate their maritime drone development.
Analyst Comments: This latest strike shows that Ukraine’s USV program has matured beyond harassing naval targets—it’s now capable of strategic, long-range infrastructure attacks. That makes naval drones not just a tactical tool but a strategic one, opening a new front in the hybrid war at sea. The shift also underscores a growing trend: drones as primary strike platforms in contested domains, not just ISR assets. The fact that Magura drones have hit both ships and aircraft further demonstrates a level of operational versatility that traditional navies are not yet fully equipped to counter.
READ THE STORY: Jamestown
Ukraine Turns Battle-Tested Drones into Global Export Strategy
Bottom Line Up Front (BLUF): Ukraine is shifting from a war-driven necessity to a global defense disruptor by exporting its domestically developed drones. With combat-proven capabilities and cost-effective designs, these drones are already drawing interest from buyers across NATO, the Middle East, and Africa. President Zelensky aims to turn drone exports into a funding mechanism for the war effort and a path to long-term strategic autonomy in defense tech.
Analyst Comments: These aren’t lab-built prototypes; they’ve been hardened on the frontlines, refined through daily engagement with Russian forces. That gives Ukraine’s drone industry field credibility that few Western manufacturers can match. Expect ripple effects: NATO allies are watching closely, especially countries like Poland and Estonia, which need effective, budget-friendly ISR and strike options. Meanwhile, lower-cost exports into Africa and the Middle East risk sparking regional drone proliferation—along with the inevitable rise in counter-drone arms races. Ukraine’s entry into this market also raises long-term questions about post-war arms control, dual-use tech, and the diffusion of battlefield innovation to fragile states and non-state actors.
READ THE STORY: MD
ENISA: Russian and Chinese Nation-State Attacks Surge Across EU Targets
Bottom Line Up Front (BLUF): According to the European Union Agency for Cybersecurity (ENISA), 46 nation-state-backed cyberattacks were recorded between July 2024 and July 2025, impacting nearly every EU member state. Most activity came from Russian and Chinese APTs, with attacks focusing on public administration, diplomacy, defense, and telecom infrastructure. Groups like APT29 (Russia) and Mustang Panda (China) continue to escalate cyberespionage against European institutions and critical industries.
Analyst Comments: This is one of the most direct assessments from a European agency linking sustained cyberespionage to Russia and China—not just isolated campaigns, but persistent multi-vector operations. ENISA’s language points to intensification, not just continuity, signaling that Europe is now a central theater in global cyber conflict, particularly as the war in Ukraine drags on and China seeks economic leverage through IP theft. Russia’s traditional operators—APT29, APT28 (Fancy Bear), and Sandworm—are operating in their typical lanes: credential theft, lateral movement, and targeting government and NATO-affiliated infrastructure. Meanwhile, China’s playbook focuses more on strategic IP acquisition and long-term infiltration, particularly of telecoms, maritime, and semiconductor industries.
READ THE STORY: BankinfoSec
Chinese OSINT Roadmap Released: Visual Guide Maps Tools from Beginner to Expert Level
Bottom Line Up Front (BLUF): A visual roadmap from FreeBuf illustrates the progression of open-source intelligence (OSINT) capabilities across four skill tiers—from bare enumeration to advanced adversarial analysis. The guide lays out toolsets and workflows by topic (e.g., domain recon, social media scraping, metadata analysis), giving practitioners a structured learning path that’s both practical and scalable.
Analyst Comments: This is the most structured OSINT skill tree in Chinese-language cybersecurity circles. Rather than just naming tools, it organizes them by operational use case and maturity level. Beginners can get value from day one using Shodan, HaveIBeenPwned, or Sherlock, while more advanced analysts are pointed toward Recon-ng, SpiderFoot, and code leak detection with GitLeaks. The roadmap also emphasizes modern intelligence challenges—like blockchain analysis (via Arkham) and Telegram data mining—reflecting the shift toward decentralized and encrypted platforms. This blueprint is worth adopting for any team building an OSINT capability or training new analysts.
READ THE STORY: Loren Lin (Freebuf)
CISA and Allied Nations Issue Unified OT Architecture Guidance to Strengthen Critical Infrastructure Defense
Bottom Line Up Front (BLUF): The U.S. CISA, alongside cybersecurity agencies from the U.K., Australia, Canada, New Zealand, the Netherlands, and Germany, has released a unified guideline titled “Creating and Maintaining a Definitive View of Your Operational Technology (OT) Architecture.” The document aims to help OT operators, integrators, and vendors build and maintain an accurate, continuously updated view of their OT environment—a foundational step for asset visibility, risk prioritization, and resilient defense.
Analyst Comments: This joint guidance reflects the growing urgency across Western nations to secure OT systems, especially in light of increased cyber threats targeting critical infrastructure. While most OT environments suffer from fragmented documentation and poor asset visibility, this guidance emphasizes treating asset records as a strategic security asset—not just inventory, but a living map that underpins the entire risk management lifecycle.
READ THE STORY: SECRSS
Salt Typhoon Targets Global Telecoms via Network Edge Devices for Long-Term SIGINT
Bottom Line Up Front (BLUF): A Chinese state-aligned threat actor, Salt Typhoon, has compromised telecom infrastructure across the U.S., U.K., EU, and Taiwan since at least 2019. Operating under the Ministry of State Security (MSS), the group exploits routers, VPN gateways, and firewalls to gain persistent access and exfiltrate lawful intercept data, VoIP configs, and subscriber metadata. Their hybrid model blends bespoke implants with infrastructure support from pseudo-private contractors like i-SOON, Juxinhe, and others, enabling stealth and scalability.
Analyst Comments: Salt Typhoon represents China’s modern cyber espionage doctrine: state-directed objectives masked by commercial contractor ecosystems. Their tradecraft—firmware implants, LOLBINs, and backdoored updates—reflects an intent to live in the wire undetected, often for years. The exposure of i-SOON’s GitHub code and front-company infrastructure in 2024 provided rare visibility into how the MSS industrializes intrusion support while maintaining plausible deniability.
READ THE STORY: GBhackers
FlipSwitch Rootkit Bypasses Modern Linux Kernel Defenses via Syscall Dispatcher Abuse
Bottom Line Up Front (BLUF): A newly discovered rootkit technique called FlipSwitch exploits recent changes to the Linux kernel’s syscall dispatcher in version 6.9, bypassing traditional syscall table protections. Rather than directly tampering with the syscall table, FlipSwitch abuses the x64_syscall switch-based dispatcher by modifying relative jump offsets, enabling stealthy and persistent syscall hijacking. Elastic Security researchers discovered a PoC embedded in a legitimate kernel module, confirming in-the-wild experimentation.
Analyst Comments: By manipulating byte-level opcode offsets inside the new switch-case dispatcher (x64_syscall), attackers can stealthily reroute syscalls like kill to malicious functions without touching global data structures. The key to this attack is disabling memory write protections (via CR0 WP bit manipulation) just long enough to patch the jump offset, then restoring protection. The result? Almost no forensic traces and no persistent loader remain after execution. FlipSwitch leaves no module loaded and no modified syscall table entries—classic signs defenders watch for.
READ THE STORY: Emmas (Freebuf)
GlareShell – Graph-Based PHP Webshell Detection for Industrial Web Servers
Bottom Line Up Front (BLUF): A research team led by Pengbin Feng has introduced GlareShell, a PHP webshell detection framework purpose-built for industrial internet servers. GlareShell combines semantic embeddings, risk-weighting, and graph neural networks (GNNs) to analyze static code via interprocedural control flow graphs (ICFGs). On a test set of over 13,000 scripts, it achieved a near-optimal F1 score of 0.9887, offering real-time, zero-dependency protection against evasive webshells.
Analyst Comments: Webshells remain a primary backdoor for lateral movement and data theft—especially in industrial environments where patching and runtime monitoring lag behind. GlareShell’s static analysis approach sidesteps the coverage limitations of behavioral tools and targets a gap in traditional AST/opcode analysis by mapping full execution paths. ICFGs and GNNs aren’t new in academic security research, but this implementation hits practical marks: high detection accuracy, low false positives, and potential for real-time deployment. One caveat—real-world integration will hinge on performance under real traffic, not just clean lab datasets. Still, GlareShell offers a promising detection layer for industrial systems stuck running legacy PHP apps.
READ THE STORY: SECRSS
Phantom Taurus: Chinese APT Group Targets Middle East and South Asia with NET-STAR Malware
Bottom Line Up Front (BLUF): Unit 42 researchers have attributed a new Chinese state-backed threat actor, Phantom Taurus, to a series of cyber-espionage campaigns targeting diplomatic entities in Afghanistan, Pakistan, and likely beyond. The group leverages a custom .NET-based malware suite dubbed NET-STAR, aiming to steal emails and database content from ministries, embassies, and government systems. Its infrastructure and tactics overlap with known groups like BackdoorDiplomacy and Mustang Panda, signaling a coordinated state-directed SIGINT effort.
Analyst Comments: Phantom Taurus is another cog in Beijing’s expanding APT ecosystem, which increasingly leverages tailored malware, shared C2 infrastructure, and regionally focused targeting to fulfill strategic intelligence objectives. While the complete delivery method remains unknown, spear-phishing and zero-day exploitation are likely vectors, consistent with other Chinese APTs. The malware, NET-STAR, is notable for its evasion techniques and deep integration with .NET—suggesting the group has internal expertise in Windows-based enterprise environments. Its development reflects the evolution of China’s cyber playbook: fewer “smash-and-grab” implants and more modular espionage platforms with stealth and longevity in mind.
READ THE STORY: TechRadar
Siemens Launches SINEC Secure Connect to Bring Zero Trust to OT Environments
Bottom Line Up Front (BLUF): Siemens has unveiled SINEC Secure Connect, a software-based zero trust platform that provides virtualized, encrypted connectivity for operational technology (OT) networks. Designed to simplify remote access and reduce reliance on traditional VPNs, the solution uses overlay networks to secure machine-to-machine, machine-to-cloud, and machine-to-datacenter communications, while enforcing fine-grained access policies in line with IEC 62443 standards.
Analyst Comments: OT environments are complex to secure due to legacy equipment, long refresh cycles, and a lack of network segmentation. Siemens’ approach with SINEC Secure Connect is notable because it brings zero trust concepts—identity-first, policy-enforced access—to a space still dominated by perimeter security and flat networks. Unlike conventional VPN solutions, which often grant broad access once connected, this platform builds encrypted tunnels only between explicitly authorized nodes, mitigating lateral movement and misconfiguration risks. The decision to move away from firewall-heavy deployments also reflects the operational constraints of industrial systems, where firewall rule complexity often becomes a liability.
READ THE STORY: Loren Lin (Freebuf)
Items of interest
ChkUp Reveals Widespread Firmware Update Flaws Across 12,000 Embedded Devices
Bottom Line Up Front (BLUF): Researchers from Washington University, Tsinghua University, and George Mason have developed ChkUp, a novel static-dynamic analysis framework that exposes firmware update vulnerabilities across embedded systems. Analyzing over 12,000 firmware images, ChkUp uncovered dozens of critical and previously unknown flaws—leading to 25 CVEs and 1 PSV ID. Most issues stemmed from missing or improperly implemented verification of firmware authenticity, integrity, freshness, and compatibility.
Analyst Comments: ChkUp fills a long-standing blind spot in firmware security: the update logic. Most firmware security tools focus on memory safety or static code bugs, ignoring the sprawling and often undocumented update paths involving web UIs, shell scripts, binaries, and IPC mechanisms. This research shows how widespread and dangerous weak update flows are in real-world devices—particularly the use of MD5 for integrity checks, missing signature verification, or incorrectly validating version strings. These aren’t just minor oversights; they’re systemic security design failures that enable rollback attacks, malicious firmware injection, and device hijacking.
READ THE STORY: The Record
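A device-side illustration of the four update checks the ChkUp item lists (authenticity, integrity, freshness, compatibility), added here as example code; it is not ChkUp's tooling or any vendor's implementation. It assumes a constructed image layout and a vendor Ed25519 key: the signature covers header and payload (so a bare MD5 is never consulted), the version compare is numeric to block rollback, and the model field is checked before anything is installed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// Constructed image layout (an assumption for this example, not any vendor's format):
//   version uint32 | model uint16 | payloadLen uint32 | payload | ed25519 sig[64]
const hdrLen = 4 + 2 + 4

// BuildImage is the vendor-side signer, included only so the example runs offline;
// the private key never leaves the release pipeline.
func BuildImage(priv ed25519.PrivateKey, version uint32, model uint16, payload []byte) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, version)
	binary.Write(&b, binary.BigEndian, model)
	binary.Write(&b, binary.BigEndian, uint32(len(payload)))
	b.Write(payload)
	sig := ed25519.Sign(priv, b.Bytes()) // signature covers header and payload
	return append(b.Bytes(), sig...)
}

// VerifyImage is the device-side check set ChkUp found missing or broken in the
// wild: authenticity and integrity (both via the signature), freshness
// (anti-rollback) and compatibility (model). It returns the version to install.
func VerifyImage(pub ed25519.PublicKey, model uint16, installed uint32, img []byte) (uint32, error) {
	if len(img) < hdrLen+ed25519.SignatureSize {
		return 0, errors.New("image too short")
	}
	body, sig := img[:len(img)-ed25519.SignatureSize], img[len(img)-ed25519.SignatureSize:]
	// Trust no header field until the signature verifies; a bare MD5 of the payload
	// (the pattern the research flagged) would say nothing about who built it.
	if !ed25519.Verify(pub, body, sig) {
		return 0, errors.New("bad signature")
	}
	if int(binary.BigEndian.Uint32(body[6:10])) != len(body)-hdrLen {
		return 0, errors.New("payload length mismatch")
	}
	if binary.BigEndian.Uint16(body[4:6]) != model { // compatibility
		return 0, errors.New("image built for a different model")
	}
	version := binary.BigEndian.Uint32(body[:4])
	if version <= installed { // freshness: numeric compare, never a version-string compare
		return 0, errors.New("rollback or replay rejected")
	}
	return version, nil
}
```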
USENIX Security ‘24 - Your Firmware Has Arrived: A Study of Firmware Update Vulnerabilities (Video)
FROM THE MEDIA: Ransomware, espionage, and nation-state cyber threats are colliding in dangerous new ways. In this episode of Cyber Focus, host Frank Cilluffo sits down with Cynthia Kaiser, senior vice president at Halcyon and former deputy assistant director for cyber at the FBI.
Finding Vulnerabilities in IoT Firmware (Video)
FROM THE MEDIA: Heath Adams (The Cyber Mentor) demonstrates practical firmware analysis for IoT devices using a deliberately vulnerable OpenWrt image (OWASP IoTGoat). He shows manual techniques (binwalk → dd → unsquashfs → filesystem review) and automated analysis with the BugProve/BugProof platform (free tier available), including zero-day hunting on extracted binaries.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.