Daily Drop (1165)
10-25-25
Saturday, Oct 25, 2025 // (IG): BB // GITHUB // SN R&D
Cairncross: U.S. Must Counter China’s Surveillance Exports with ‘Clean American Tech Stack’
Bottom Line Up Front (BLUF): Newly appointed National Cyber Director Sean Cairncross is signaling a more aggressive U.S. posture toward China’s global cyber influence, warning that Beijing is scaling efforts to embed surveillance infrastructure worldwide. At the 2025 Meridian Summit, Cairncross called for promoting American-made technology alternatives, renewing key information-sharing laws, and strengthening the Office of the National Cyber Director (ONCD) to meet its strategic mission.
Analyst Comments: At the Meridian Summit, Cairncross criticized the lack of consequences for Chinese cyber behavior, stating their operations “sit on our critical infrastructure systems and threaten chaos.” He emphasized that adversaries see U.S. cyber response as “cost-free” and urged a strategic reset. Cairncross also previewed the new national cyber strategy, promising it would be shorter and more directional than previous versions. CSC 2.0’s annual report, released the same week, warned that ONCD remains underpowered to execute its mission. According to CSC Executive Director Mark Montgomery, Cairncross’s personal relationships within the administration could help resolve this.
READ THE STORY: CyberScoop
When Propaganda Goes Viral: Chinese Influence Operations Target Taiwan’s Social Media Sphere
Bottom Line Up Front (BLUF): A viral AI-generated song based on a pro-independence Taiwanese legislator’s old remarks is the latest example of China’s increasingly subtle—and effective—information operations aimed at Taiwan. The episode, which repackaged political criticism into relatable pop culture content, underscores Beijing’s “friendly offensive” strategy: normalizing cross-strait unity through soft power, influencer engagement, and meme warfare rather than overt threats.s.
Analyst Comments: This is a textbook case of 5th-generation information warfare. Instead of coercion, China is co-opting Taiwanese identity through emotional, apolitical content—wrapping propaganda in relatability. The viral remix of Wang Shih-cheng’s remarks is a clever psychological operation (PSYOP) dressed as entertainment. What’s alarming isn’t the clip itself—it’s the normalization of Chinese narratives among Taiwan’s youth and influencers. The irony is sharp: Beijing is amplifying the words of a pro-independence lawmaker to build unity sentiment. This strategy is slow-burning, cumulative, and effective—and U.S. strategic comms remain largely absent in the ideological fight for Taiwan’s public opinion.
READ THE STORY: The Diplomat
Musk Weighs In on Silicon Valley Honey Trap Allegations with Flippant Tweet
Bottom Line Up Front (BLUF): Elon Musk responded to a Times investigation alleging that China and Russia deploy female spies to seduce tech insiders and steal trade secrets. His comment—“If she’s a 10, you’re an asset 100%”—has drawn criticism for trivializing the national security threat and potentially worsening bias against women in tech. The report details espionage cases where agents entered relationships or marriages to gain access to sensitive information in Silicon Valley and beyond.
Analyst Comments: Using honey traps isn’t new, but the shift toward tech sector targeting—particularly in AI, defense startups, and cloud infrastructure—is noteworthy. What’s new is the public framing: Musk’s viral response risks normalizing authentic espionage tradecraft as internet humor while potentially fueling mistrust of women in high-trust, high-clearance positions. There’s a legitimate threat here, but also a danger in overreaction. Expect counterintelligence agencies to intensify scrutiny of foreign influence operations under the guise of personal or romantic engagement. For security leads in tech firms, this reinforces the need for social engineering awareness—not just endpoint protection.
READ THE STORY: Cybernews
Huawei Pushes Back on Poland’s Cybersecurity Law Over ‘High-Risk Supplier’ Clause
Bottom Line Up Front (BLUF): Huawei has formally objected to a proposed amendment to Poland’s Cybersecurity Act, warning that new rules targeting “high-risk suppliers” could effectively ban the company from key sectors. The draft legislation, which critics say disproportionately affects non-EU and non-NATO firms, raises significant legal and geopolitical tensions, with Huawei threatening arbitration under the Energy Charter Treaty (ECT) if the law proceeds.
Analyst Comments: Huawei Technologies Cooperatief U.A., which holds a 90% stake in Huawei Polska, sent a letter to Poland’s prime minister, key ministers, and the general prosecutor, objecting to what it calls “discriminatory and unclear” provisions in the draft Cybersecurity Act amendment. The rules would allow authorities to restrict or ban vendors deemed “high-risk” in national infrastructure, potentially barring Huawei from sectors like telecom and energy. The company warned that the move may breach the China–Poland Bilateral Investment Treaty and the Energy Charter Treaty, with possible losses in the billions of PLN. While urging dialogue, Huawei reserved the right to seek arbitration under Article 26 of the ECT—a clause allowing investors to challenge state actions in international tribunals.
READ THE STORY: GAR
Iran-Israel Conflict Shows Hybrid War Has Gone Operational: Malware, Missiles, and Manipulation Collide
Bottom Line Up Front (BLUF): The recent Iran-Israel confrontation demonstrates the global normalization of hybrid warfare — the coordinated use of cyberattacks, kinetic strikes, and disinformation to destabilize adversaries. Iranian groups like Cyber Av3ngers and Israeli-linked actors such as Predatory Sparrow launched synchronous digital and physical operations against fuel systems, ports, and hospitals. The objective wasn’t just disruption—it was psychological destabilization. This conflict reflects a broader trend: hybrid war is now the default mode of geopolitical engagement.
Analyst Comments: In the latest escalation, Iranian-linked cyber actors like Cyber Av3ngers launched digital attacks against Israeli infrastructure timed to coincide with physical missile strikes. Israeli cyber operators, including Predatory Sparrow, retaliated by crippling Iranian ports, fuel stations, and financial systems. This mirrors an evolving hybrid doctrine first made visible during the 2010 Stuxnet attack. Researchers note that attacks now blend cyber sabotage, psychological warfare, and disinformation to fracture social cohesion and trust. In 2020, Iranian hackers reportedly attempted to contaminate Israel’s water supply; Israel’s response disabled vital port infrastructure. Globally, this mirrors other flashpoints—from Russian cyber/kinetic operations in Ukraine to Chinese infiltration campaigns against U.S. critical systems.
READ THE STORY: The Loop
Taliban Internet Restrictions Signal Escalating Information Control, Raise Security Concerns
Bottom Line Up Front (BLUF): The Taliban have intensified restrictions on internet access across Afghanistan, a calculated move to suppress dissent, obstruct independent media, and sever communication for marginalized communities—particularly women, ethnic minorities, and underground civil society groups. As the digital blackout spreads, analysts warn it will deepen radicalization, cripple humanitarian efforts, and enable unchecked atrocities under the cover of darkness.
Analyst Comments: Underground schools, women-led media, mobile health programs, and digital entrepreneurs—many relying on encrypted and VPN-based communications—are being cut off. Independent Afghan reporters continue to document killings, aid theft, and religious policing, but their reach is vanishing. The move also undermines international humanitarian monitoring and civil society coordination. Critics argue that global responses have been weak, focused more on diplomacy with Taliban leaders than meaningful action. The authors call for expanding targeted sanctions, enforcing travel bans, and supporting Afghan-led resistance initiatives, including underground education and digital journalism.
READ THE STORY: The Diplomat
JLR Cyberattack Freezes UK Car Output, Sparks £1.9B Fallout and National Response
Bottom Line Up Front (BLUF): A crippling cyberattack on Jaguar Land Rover (JLR) has cost the company an estimated £1.9 billion and triggered a 27% collapse in UK vehicle production for September 2025. With operations halted for five weeks across JLR’s three main plants, over 5,000 suppliers were disrupted. The UK government has stepped in with a £1.5B loan guarantee to stabilize the auto supply chain, but full recovery is not expected before early 2026. The breach is now considered the most financially damaging cyber incident in UK history.
Analyst Comments: No vehicles were produced for five weeks. UK car output fell by 27%, the worst September since 1952, with exports to major markets dropping 24.5%. The Cyber Monitoring Centre (CMC) classified the incident as a Category 3 cyber threat, citing external attribution and severe impact.
CMC Chair Ciaran Martin called it “by some distance, the single most financially damaging cyber event ever to hit the UK.” The government responded with a £1.5B loan guarantee via UK Export Finance to protect JLR’s supply chain. While production is now resuming in phases, industry leaders warn that recovery could take months, and national output targets are at risk.
READ THE STORY: Manufacturing
WhatsApp $1M Zero-Click Exploit Withdrawn at Pwn2Own—Now Under Private Review by Meta
Bottom Line Up Front (BLUF): A highly anticipated zero-click WhatsApp exploit expected to earn a record $1 million payout at the Pwn2Own 2025 event in Ireland was abruptly withdrawn just before its live demonstration. The exploit, claimed by hacker “Eugene” of Team Z3, was intended to showcase remote code execution on WhatsApp Messenger without user interaction—an elite-tier threat scenario. Instead of the demo, the vulnerability is now being shared privately with Meta via coordinated disclosure, raising speculation and concern across the security community.
Analyst Comments: Zero-click RCEs in apps like WhatsApp are the holy grail of mobile exploitation—and a nightmare for defenders. The fact that this exploit was pulled at the last minute suggests it’s not entirely stable or too dangerous for public release. But even without a live demo, the fact that Meta is taking the report seriously should be enough to ring alarm bells. Whether the bug is legitimate or overhyped, the incident underscores how consumer communication apps remain prime targets for elite attackers. If validated, expect a patch sprint from Meta and a flood of private sector demand for similar zero-click defense capabilities.
READ THE STORY: Forbes
Cyberattack on Russian Food Safety Agency Halts Shipments Across Key Sectors
Bottom Line Up Front (BLUF): A DDoS attack against Russia’s agricultural oversight agency, Rosselkhoznadzor, disrupted core digital platforms to certify and track food shipments nationwide. The outage—targeting the “Mercury” veterinary certification system—temporarily halted the distribution of dairy and baby food products, exposing a critical dependency on centralized digital infrastructure. No group has claimed responsibility.
Analyst Comments: Mercury is mandatory for moving animal-based goods across Russia—no certificate, no shipment. The fact that a denial-of-service attack could paralyze domestic food logistics in hours suggests both inadequate failover planning and poor crisis workflows. It’s the fourth hit on Mercury this year, and there’s still no emergency offline process in place. It worked if this were a dry run by a state-aligned actor testing economic pressure levers. Russia’s continued vulnerability to DDoS—rather than data exfiltration—also suggests either low investment in resilience or confidence that attribution is unlikely. Don’t dismiss agricultural and logistics platforms as peripheral: the food supply chain is just as strategic as the power grid in modern conflict.
READ THE STORY: The Record
North Korean Lazarus Group Targets European UAV Sector with Social Engineering and Custom RATs
Bottom Line Up Front (BLUF): ESET researchers have uncovered a targeted espionage campaign by North Korea’s Lazarus Group aimed at European defense contractors in the unmanned aerial vehicle (UAV) sector. Operating under the long-running “Operation DreamJob” guise, attackers used fake job offers and trojanized developer tools to deliver the ScoringMathTea RAT and exfiltrate sensitive drone technology. At least three companies across Southeastern and Central Europe were compromised.
Analyst Comments: Lazarus continues evolving beyond crypto theft, blending classic social engineering with trojanized open-source tools and DLL sideloading in highly targeted ops. Lure documents with job descriptions and poisoned PDF viewers show the group’s continued effectiveness in leveraging employee curiosity as an entry vector. The target selection—metal engineering, aircraft components, defense integrators—suggests a clear mandate: accelerate Pyongyang’s UAV program with stolen designs.
READ THE STORY: GBhackers // Bank InfoSec
iOS 26 Deletes Spyware Evidence, Collins Aerospace Hit, Shadow Escape Zero-Click Attack Emerges
Bottom Line Up Front (BLUF): Apple’s iOS 26 is overwriting the shutdown.log file on every reboot, effectively deleting forensic artifacts that could reveal infections from Pegasus, Predator, and similar spyware. Mobile security firm iVerify says this change poses a serious challenge to investigators and victims trying to confirm compromise—especially as spyware threats grow more common.
Analyst Comments: Forensic visibility on iOS has always been a battle, but this worsens it. The shutdown.log was one of the few remaining breadcrumbs investigators could use to detect elite mobile spyware. Now it’s wiped on reboot. Whether this was an intentional privacy feature or an oversight, the effect is the same: harder attribution, less accountability, and increased cover for spyware operators. Investigators and mobile EDR tools will need new detection strategies fast.
READ THE STORY: SecurityWeek
Russia’s Cybercrime Scene Shifts Underground Amid Domestic Crackdowns and Global Pressure
Bottom Line Up Front (BLUF): Russia is tightening its control over domestic cybercrime actors in response to global law enforcement actions like Operation Endgame. This marks a notable shift from its long-standing policy of passive tolerance. Cybercriminals adapt with increased operational security, moving from public ransomware-as-a-service (RaaS) marketplaces to semi-private, culturally gated recruitment models. Despite fewer public ads, the cybercrime economy remains active and lucrative.
Analyst Comments: With Western operations like Endgame and Hive takedowns applying pressure, Russia manages optics while retaining control. Expect more “selective enforcement” tactics: public arrests for expendable actors, while high-value cyber talent is either redirected to state-aligned operations or allowed to operate under stricter discretion. The drop in openly advertised RaaS affiliate programs doesn’t mean ransomware is fading—it just means it’s getting harder to track. Forums are quiet, access is tightening, and the bar for trust is rising. This fragmentation complicates attribution and creates new visibility gaps for defenders tracking ransomware via open-source intelligence.
READ THE STORY: SC MEDIA
China Uses Southeast Asia as Cyber Testing Ground Ahead of Global Campaigns, Experts Warn
Bottom Line Up Front (BLUF): China uses Southeast Asia as a low-risk incubator to refine cyberattack techniques later deployed against the U.S. and allies. Campaigns like Salt Typhoon and Volt Typhoon trace back to years of quiet intrusion and capability testing across ASEAN networks. Analysts now warn that the region offers early warning signals of Beijing’s broader strategic cyber operations—signals the U.S. continues underutilizing.
Analyst Comments: China’s chokehold on rare earth exports is the strategic equivalent of a tech blockade, and it’s aimed squarely at the industries Washington most wants to protect: EVs, defense, semiconductors, and AI. The U.S. can’t outproduce China on magnets or batteries overnight, but it can weaponize capital, alliances, and standards. Expect U.S. industrial policy to evolve into something resembling economic war-footing: tax credits for magnets, domestic refining incentives, and even a national stockpile of dysprosium or terbium. Meanwhile, the Global South becomes the next strategic battlefield—not just for trade routes, but for influence over tech norms, production hubs, and raw material rights. The messy middle—fragmented ecosystems, regulatory divergence, and rising costs—is the price of geopolitical stability in a polarized digital world.
READ THE STORY: RealClearDefense
Former L3Harris Executive Accused of Selling Cyber Tool Secrets to Russia for $1.3M
Bottom Line Up Front (BLUF): U.S. prosecutors have charged former L3Harris Trenchant executive Peter Williams with stealing and selling classified cyber intelligence trade secrets to a Russian buyer. The alleged theft spanned from 2022 to mid-2025, reportedly netting Williams $1.3 million. The compromised tools—linked to companies supporting U.S. national security operations—raise serious concerns about Russian intelligence gaining insight into U.S. cyber capabilities.
Analyst Comments: L3Harris Trenchant specializes in offensive cyber tools—potential zero-days, remote access frameworks, and tailored exploits—used by Western intelligence services. Selling this intellectual property to Russia could allow their security services to neutralize, reverse-engineer, or even repurpose these capabilities against the U.S. or its allies. The case underscores two issues: first, the insider threat risk among cleared contractors remains high, especially in globally integrated companies. Second, the lack of public attribution on what was stolen suggests the stolen tech may still be operational or classified. Expect follow-on counterintelligence reviews of existing tooling in use by federal cyber operations. The bar for vetting sensitive contractors—and keeping tabs on offshore execs—needs to rise, fast.
READ THE STORY: Reuters
APT Down Leak Raises Red Flags: Influence Operation or Insider Threat to the Hacker Talent Pipeline
Bottom Line Up Front (BLUF): The so-called “APT Down” leak, distributed at DEF CON and BSides in 2025, appears to expose real North Korean cyber-espionage data—but its highly polished presentation, anonymous authorship, and hard-copy distribution suggest it may be an influence operation targeting the Western hacker community itself. Whether orchestrated by a Five Eyes agency or a foreign adversary emulating one, the leak risks undermining trust in the underground communities that supply cyber talent to national defense.
Analyst Comments: Let’s be clear: the technical contents of APT Down are legit—Linux backdoors, phishing kits, RATs, operational logs—all useful for defenders. However, the way this data was packaged and shared is the story. Glossy copies of Phrack handed out at elite conferences? Pseudonymous authors nobody can trace? Intelligence-style polish and victim pre-notification? That doesn’t read like hacktivism—it reads like a psychological operation. If this were a Five Eyes move, it’s a risky one. If it wasn’t, then someone just expertly mimicked our playbook. Either way, the trust built between hacker communities and government over the past two decades is in play—and potentially in jeopardy.
READ THE STORY: War on the Rocks
APT36 Deploys DeskRAT to Target Indian Government Linux Systems in Cross-Platform Espionage Campaign
Bottom Line Up Front (BLUF): Pakistan-aligned APT36 (Transparent Tribe) is actively targeting Indian government entities using a Golang-based remote access trojan known as DeskRAT. The malware, first observed in August–September 2025, is delivered via spear-phishing campaigns designed to compromise BOSS Linux systems, the Indian government’s custom OS. The campaign is part of a broader, cross-platform espionage operation involving Linux and Windows variants with similar toolchains and persistence mechanisms.
Analyst Comments: Sekoia and QiAnXin XLab analysis reveals the campaign used malicious desktop files disguised as PDF loaders to lure victims—specifically a fake military directive (”CDS_Directive_Armed_Forces.pdf”). The loader fetches payloads from attacker-controlled domains like modgovindia[.]com and modgovindia[.]space, suggesting spoofed domestic themes for credibility.
READ THE STORY: THN
Snapback Sanctions Drive Iran Deeper Into Russia’s Orbit, Undermining Western Leverage
Bottom Line Up Front (BLUF): The reactivation of UN “snapback” sanctions by the E3 in September 2025 has accelerated Iran’s strategic alignment with Russia. Moscow rejects the legitimacy of these sanctions and is actively undermining their enforcement at the UN. This deepening Iran-Russia partnership—underpinned by mutual isolation and shared geopolitical goals—is expected to expand across nuclear, military, and economic sectors, further reducing Western influence and complicating any path back to nuclear diplomacy.
Analyst Comments: In September, the UK, France, and Germany triggered the JCPOA’s “snapback” clause, restoring pre-2015 UN sanctions on Iran. Despite having originally proposed the mechanism in 2015, Russia strongly opposed its reactivation. Moscow claims the E3 violated the agreement first and therefore lacks legal standing. A Russian-led resolution to block the sanctions failed at the Security Council. However, Moscow still has leverage: it can obstruct enforcement by paralyzing the 1737 Sanctions Committee and blocking panel appointments. Iran, already shifting eastward since the U.S. withdrew from the JCPOA in 2018, is doubling its alignment with Russia and China. The two states signed a Comprehensive Strategic Partnership Treaty earlier this year, and cooperation is expanding into nuclear, defense, and intelligence domains. Tehran views BRICS+ and the SCO as strategic counterweights to Western pressure, while talks with the West remain open but unlikely to yield results soon.
Warlock Ransomware Hits Hard with SharePoint ToolShell Zero-Day (CVE-2025-53770)
Bottom Line Up Front (BLUF): The Warlock ransomware group is actively exploiting a newly discovered zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770 and dubbed ToolShell. The group—believed to operate from China—has rapidly escalated its activity since July 2025, targeting organizations across multiple sectors worldwide. Warlock leverages DLL sideloading, custom C2 infrastructure (ak47c2), and stolen certificates to deploy ransomware variants, including a modified LockBit 3.0 payload.
Analyst Comments: Discovered on July 19, 2025, the ToolShell vulnerability (CVE-2025-53770) affects Microsoft SharePoint and allows remote attackers to gain code execution via maliciously crafted ToolShell extensions. Warlock actors—linked to the Storm-2603 cluster by Microsoft—used the flaw as a launchpad for ransomware deployment in finance and engineering sectors. Symantec and Carbon Black analysts report that the group uses DLL sideloading with the 7-Zip binary (7z.exe and 7z.dll) to execute payloads while avoiding detection. Encrypted files are marked with the .x2anylock extension. The ransomware is believed to be a rebranded Anylock variant with modular capabilities adapted from leaked LockBit 3.0 code.
READ THE STORY: CSN
US Fast-Tracks AI Datacenter Grid Access to Meet Surging Power Demand
Bottom Line Up Front (BLUF): The U.S. Department of Energy is pushing for a dramatic overhaul of how large-scale datacenters—particularly those supporting AI workloads—connect to the national power grid. A new proposal would require the Federal Energy Regulatory Commission (FERC) to approve interconnection requests for facilities over 20 MW within 60 days. The move comes amid historic delays, with some grid connection projects facing seven-year backlogs, and reflects the mounting pressure from AI infrastructure growth on America’s aging energy systems.
Analyst Comments: In a letter to FERC, Energy Secretary Chris Wright outlined a proposal to speed up interconnection timelines for large “load” projects—specifically datacenters over 20 MW. Currently, the grid approval process can take up to seven years. The proposal includes deadlines, standardized deposits, readiness requirements, and penalties for speculative projects. Priority access would be granted to applicants willing to operate as curtailable loads, meaning their power draw can be reduced during peak strain to stabilize the grid. The Department of Energy (DOE) says this is essential to maintain U.S. leadership in tech as electricity demand skyrockets due to AI and advanced computing needs. Wright also seeks to strip away roadblocks to hydroelectric permitting by barring third-party opposition as a valid reason to deny applications. This follows recent DOE efforts to pair datacenters with on-site nuclear and renewable power projects.
READ THE STORY: The Register
Items of interest
Decoupling in Action: U.S.–China Tech Split Deepens Amid Rare Earth Controls and Economic Realignment
Bottom Line Up Front (BLUF): China’s new export restrictions on rare earths are accelerating an already costly decoupling from the U.S., setting the stage for a bifurcated global tech and trade ecosystem. As Beijing tightens control over critical minerals, Washington is expected to respond with tariffs, subsidies, and strategic reshoring. The emerging world order points to two incompatible systems—one American, one Chinese—where supply chains, standards, and innovation no longer intersect.
Analyst Comments: China’s chokehold on rare earth exports is the strategic equivalent of a tech blockade, and it’s aimed squarely at the industries Washington most wants to protect: EVs, defense, semiconductors, and AI. The U.S. can’t outproduce China on magnets or batteries overnight, but it can weaponize capital, alliances, and standards. Expect U.S. industrial policy to evolve into something resembling economic war-footing: tax credits for magnets, domestic refining incentives, and even a national stockpile of dysprosium or terbium. Meanwhile, the Global South becomes the next strategic battlefield—not just for trade routes, but for influence over tech norms, production hubs, and raw material rights. The messy middle—fragmented ecosystems, regulatory divergence, and rising costs—is the price of geopolitical stability in a polarized digital world.
READ THE STORY: The Diplomat
China’s Rare Earth Dominance: How Secure Is Its Global Leverage? (Video)
FROM THE MEDIA: China dominates the world’s rare earth supply, which is critical for tech, defense, and green energy. Can global powers break free from Beijing’s grip? Discover the stakes behind China’s rare earth leverage in this deep dive from China Panorama.
US, Australia sign $8.5bn deal to curb China’s rare earth dominance (Video)
FROM THE MEDIA: The U.S. and Australia signed an 8.5 billion dollar deal to secure rare earths and cut reliance on China. They hope to tap Australia’s 53 billion dollars in mineral reserves. Over six months, they’ll invest billions, set price floors, and fast-track mining, reshaping clean energy and defense supply chains. Our experts also talk about the deal.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.