Daily Drop (1172)
11-04-25
Tuesday, Nov 04, 2025 // (IG): BB // GITHUB // SN R&D
China Eyes U.S. Electrical Grid as Leverage in Taiwan Crisis Scenario
Bottom Line Up Front (BLUF): China is reportedly pre-positioning cyber backdoors in U.S. power grid infrastructure, setting the stage for potential disruption of electrical services in a future Indo-Pacific crisis, particularly involving Taiwan. Utility executives and national security experts warn that U.S. critical infrastructure—especially power utilities—must actively prepare for geopolitical contingencies, not just cyberattacks. Preparation includes early threat monitoring, de-risking supply chains, and running realistic tabletop exercises to simulate high-impact grid disruptions.
Analyst Comments: Chinese state-sponsored actors have already embedded backdoors in US electrical infrastructure and supply chains. These footholds could be activated in a Taiwan-related conflict or regional standoff to coerce or punish US involvement. The authors outline a three-pronged strategy for utilities: (1) monitor geopolitical indicators like PLA exercises or sudden export controls; (2) harden grid systems now—especially China-sourced equipment; and (3) conduct regular tabletop exercises focused on decision-making under pressure. The report urges the energy sector to stop relying solely on federal agencies and begin internalizing these risks in core operations planning.
READ THE STORY: AC
Cybercriminals Exploit Remote Monitoring Tools to Hijack Freight Networks in Supply Chain Heists
Bottom Line Up Front (BLUF): Threat actors use legitimate remote monitoring and management (RMM) software to infiltrate logistics and freight companies, enabling real-world cargo theft. According to Proofpoint, the campaigns—active since at least June 2025—target carriers, brokers, and dispatchers using compromised email accounts and fraudulent load board listings to deploy tools like ScreenConnect, PDQ Connect, and SimpleHelp. The attackers then manipulate dispatch systems to redirect physical shipments under their control.
Analyst Comments: Proofpoint reports that attackers are leveraging RMM tools in a supply chain campaign targeting freight and logistics companies, with a focus on food and beverage cargo. The group, possibly working with organized crime, hijacks email threads and load board accounts to send phishing emails containing links to MSI installers or executables. These deliver RMM software including ScreenConnect, Fleetdeck, N-able, and LogMeIn Resolve. Once access is gained, the attackers conduct reconnaissance, drop credential theft tools like WebBrowserPassView, and in some cases, sabotage legitimate freight bookings. They then impersonate dispatchers or carriers to reassign shipments. These campaigns echo previous 2024 attacks using RATs like Lumma Stealer, but now rely more heavily on trusted IT tools to avoid detection.
READ THE STORY: THN
China Amends Cybersecurity Law: Tougher Penalties, AI Oversight, and Expanded Global Reach
Bottom Line Up Front (BLUF): China’s first significant amendments to its Cybersecurity Law since 2016 will take effect on January 1, 2026. The updates significantly raise financial penalties for violations, expand enforcement to cover foreign entities that impact China’s cyber environment, and introduce language signaling future regulation of AI. Operators of critical infrastructure and foreign tech vendors—especially those serving Chinese customers—face increased exposure and compliance burdens.
Analyst Comments: The most notable updates center on enforcement: fines for non-compliance have increased dramatically, with critical information infrastructure operators (CIIOs) now facing penalties up to RMB 10 million (~$1.41M USD), and non-CIIOs up to RMB 2 million (~$282K USD). Network operators that fail to act on illegal content may now be fined as much as RMB 10 million. The law also introduces penalties for supplying or using cybersecurity products that don’t meet national standards—extending liability to end users, including CIIOs, who may face fines up to 10 times the value of the purchase. The amendments expand the law’s extraterritorial reach, applying to any overseas activity undermining China’s cybersecurity.
READ THE STORY: JDSUPRA
CVE-2025-58726: Kerberos Reflection Flaw Enables Remote SYSTEM Access via Ghost SPNs
Bottom Line Up Front (BLUF): Researchers have disclosed CVE-2025-58726, a critical privilege escalation vulnerability in Windows SMB servers that allows attackers with low-privilege domain accounts to obtain SYSTEM-level access remotely. The flaw exploits a Kerberos authentication reflection technique tied to “Ghost SPNs”—service principal names linked to non-resolving hostnames. It affects all supported Windows versions unless SMB signing is enforced. Microsoft patched the vulnerability in the October 2025 Patch Tuesday release.
Analyst Comments: Discovered by Semperis researcher Andrea Pierini, CVE-2025-58726 enables a remote privilege escalation via Kerberos authentication reflection, even after CVE-2025-33073 was supposedly fixed. The exploit hinges on “Ghost SPNs”—service principal names pointing to decommissioned or typo-ridden hosts that still exist in Active Directory. Attackers can register DNS records for these ghost entries, linking them to attacker-controlled IPs. Then, using a tool like KrbRelayEx, the attacker intercepts Kerberos TGS requests and reflects them to the target system’s SMB service via PrinterBug or PetitPotam. Because SMB signing is disabled in many environments, the system accepts the relayed authentication, granting SYSTEM-level access. The vulnerability lies in how Kerberos handles authentication requests to self-referencing SPNs, and the patch was delivered through updates to the SRV2.SYS SMB server driver.
READ THE STORY: freebuf
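As an added defender-side check (my own code, not from the Semperis research or the freebuf article), the following PowerShell script enumerates SPNs in Active Directory whose host names no longer resolve in DNS, the "ghost SPNs" this flaw relies on, and reports whether the local SMB server enforces signing, the mitigation named above. It assumes the ActiveDirectory RSAT module and the built-in DnsClient and SmbShare modules are present and that it runs with rights to read the directory; the allow-list of well-known non-DNS SPN hosts is an assumption.

```powershell
# Added example, not from the original research: list "ghost SPNs" (SPNs whose host
# no longer resolves in DNS) and check whether this host's SMB server requires signing.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-GhostSpn {
    [CmdletBinding()]
    param(
        # Well-known SPN hosts that are not DNS names; extend as needed (assumed list).
        [string[]]$AllowList = @('changepw')
    )
    $resolved = @{}   # hostname -> $true/$false, so each host is looked up once
    # Every directory object (user, computer, gMSA) that carries at least one SPN.
    $objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
                            -Properties servicePrincipalName, distinguishedName
    foreach ($obj in $objects) {
        foreach ($spn in $obj.servicePrincipalName) {
            # SPN syntax is service/host[:port][/servicename]; keep only the host part.
            $hostPart = ($spn -split '/', 2)[1]
            if (-not $hostPart) { continue }
            $hostName = ($hostPart -split '[:/]')[0]
            # Skip allow-listed names and the GUID-form hosts used by DC replication SPNs.
            if ($AllowList -contains $hostName) { continue }
            if ($hostName -match '^[0-9a-f]{8}-[0-9a-f]{4}-') { continue }
            if (-not $resolved.ContainsKey($hostName)) {
                try {
                    $null = Resolve-DnsName -Name $hostName -ErrorAction Stop
                    $resolved[$hostName] = $true
                } catch {
                    $resolved[$hostName] = $false
                }
            }
            if (-not $resolved[$hostName]) {
                [pscustomobject]@{ Account = $obj.distinguishedName; SPN = $spn; Host = $hostName }
            }
        }
    }
}

# Each ghost SPN is a name an attacker could claim by registering the missing DNS record;
# remove it (Set-ADObject -Remove @{servicePrincipalName=...}) or bring the host back.
Get-GhostSpn | Sort-Object Host | Format-Table -AutoSize

# Signing enforcement closes the relay path regardless of stale SPNs.
if ((Get-SmbServerConfiguration).RequireSecuritySignature) {
    Write-Host 'SMB server signing is required on this host.'
} else {
    Write-Warning 'SMB server signing is NOT required on this host; enforce it via policy.'
}
```

Run the signing check on every SMB server, not just domain controllers, since the report notes the flaw affects all supported Windows versions where signing is not enforced.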
Kimsuky Deploys ‘HttpTroy’ Backdoor in VPN Invoice Phishing to Spy on South Korea
Bottom Line Up Front (BLUF): North Korean APT Kimsuky is using a new backdoor malware named HttpTroy, disguised as a VPN invoice attachment, to target South Korean organizations with espionage motives. Delivered via phishing emails, the malware enables file theft, keystroke logging, and remote control, all while blending into regular HTTP web traffic to evade detection.
Analyst Comments: WebProNews reports that Kimsuky, a North Korean APT group known for targeting South Korean political and defense organizations, is now deploying a stealthy backdoor dubbed HttpTroy. The malware is delivered via phishing emails that spoof VPN invoice notifications, with a malicious ZIP attachment that contains an executable disguised as a PDF. Once executed, HttpTroy injects itself into system processes, establishes persistence through scheduled tasks and registry keys, and communicates with its command server using normal-looking HTTP traffic. Analysts describe the malware as modular and capable of file exfiltration, keystroke logging, and remote command execution. Its HTTP-based communication avoids detection by IDS/IPS systems that typically flag DNS tunneling or Tor traffic.
READ THE STORY: WPN
Chinese APT Deploys ‘Airstalk’ Malware via MDM Abuse in Supply Chain Attacks
Bottom Line Up Front (BLUF): A Chinese state-aligned threat actor, tracked as CL-STA-1009, is leveraging a novel malware family dubbed Airstalk to target business process outsourcing (BPO) firms in software supply chain attacks. The malware abuses the AirWatch MDM API to establish covert C2 channels, with variants written in PowerShell and .NET. The attackers likely used stolen certificates and advanced obfuscation to evade detection in the enterprise.
Analyst Comments: According to research by Palo Alto Networks, APT group CL-STA-1009 has been observed using a custom malware strain dubbed Airstalk in targeted attacks against BPO providers. The campaign involves two versions of the malware—one in PowerShell and the other in .NET—both abusing the AirWatch mobile device management (MDM) API to establish a command-and-control channel. The PowerShell variant supports screenshot capture, directory listing, and Chrome browser data harvesting. The .NET version expands on this, adding the Edge and Island browsers. Both strains use stolen or revoked certificates for code signing and obfuscate timestamps to blend into enterprise environments. The attackers employ a multithreaded protocol for resilient C2 communication and show a high level of operational investment, suggesting a well-resourced actor aiming for persistent access.
READ THE STORY: SecWeek
Espionage Campaign Mimicking Sandworm Hits Russian and Belarusian Military with Tor-Backdoored LNK Payloads
Bottom Line Up Front (BLUF): Cyble and Seqrite have uncovered a sophisticated spear-phishing campaign targeting Russian Airborne Forces and Belarusian UAV units. The operation deploys weaponized Windows LNK files disguised as PDF military documents, establishing covert backdoors using SSH over localhost and Tor hidden services. While the tooling closely mirrors Sandworm tactics, attribution remains unclear.
Analyst Comments: According to Cyble and Seqrite, the phishing campaign uses ZIP archives with malicious .lnk files camouflaged as PDF documents tied to military processes (e.g., retraining orders or appointment letters). Upon execution, the LNK triggers PowerShell scripts that check for sandbox environments and, if clear, establish persistence via scheduled tasks. The backdoor installs a legitimate OpenSSH server on 127.0.0.1:20321, accessible only via RSA keys, and sets up a Tor hidden service to tunnel RDP, SMB, and SFTP traffic—granting attackers covert, full-system access. The campaign heavily borrows from Sandworm’s techniques but may involve pro-Ukraine APTs like Angry Likho or Awaken Likho. Attribution remains open, but researchers highlight this as one of the more advanced use cases of Tor + SSH tunneling seen recently in military cyber espionage.
READ THE STORY: Help Net Security
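As an added host-triage example (my own code, not from the Cyble or Seqrite reports), this PowerShell function looks on a Windows host for the indicators described above: a listener bound to 127.0.0.1 on port 20321, running tor or sshd processes, and scheduled tasks that launch PowerShell hidden or with an encoded command. The port is the one named in the report; the task-argument patterns are an assumption about how such a dropper's persistence usually looks, and the script should run elevated so all tasks and owning processes are visible.

```powershell
# Added example, not from the published reports: triage a Windows host for the indicators
# described above (loopback SSH listener, tor/sshd processes, hidden PowerShell tasks).
function Find-TorSshBackdoorIndicators {
    [CmdletBinding()]
    param(
        [int]$SshPort = 20321   # port named in the report; variants may differ
    )
    $findings = @()

    # 1. A listener bound only to loopback on the reported port.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq $SshPort -and $_.LocalAddress -eq '127.0.0.1' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $findings += [pscustomobject]@{
                Indicator = "Loopback listener 127.0.0.1:$SshPort"
                Detail    = "PID $($_.OwningProcess) ($($proc.ProcessName))"
            }
        }

    # 2. Tor or an OpenSSH server running; expected on few user workstations.
    Get-Process -Name tor, sshd -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = "Process $($_.ProcessName) running"
            Detail    = "PID $($_.Id) path $($_.Path)"
        }
    }

    # 3. Scheduled tasks that start PowerShell hidden or with an encoded command,
    #    the persistence style described for the LNK dropper (pattern is an assumption).
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'powershell|pwsh' -and
                $cmd -match '-(w|windowstyle)\s+hidden|-(e|ec|enc|encodedcommand)\s') {
                $findings += [pscustomobject]@{
                    Indicator = "Scheduled task $($task.TaskPath)$($task.TaskName)"
                    Detail    = $cmd
                }
            }
        }
    }
    return $findings
}

# Empty output means none of the three indicators was found on this host.
Find-TorSshBackdoorIndicators | Format-Table -AutoSize -Wrap
```

Any hit on the loopback listener combined with a tor process is the strongest signal here, since legitimate OpenSSH deployments rarely bind to 127.0.0.1 on a non-standard port.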
Items of interest
DNS4CN Leak Reveals China’s Plan for Locked-Down, Centralized DNS Infrastructure
Bottom Line Up Front (BLUF): Leaked documents linked to Fang Binxing, architect of the Great Firewall, reveal China’s intent to deploy DNS4CN, a fully nationalized DNS resolution system designed to isolate Chinese DNS traffic from the global Internet. The system aims to eliminate reliance on foreign root servers, detect and block encrypted DNS protocols (DoH, DoT, DNSCrypt), and enforce centralized oversight via the broader Shield-Cube cybersecurity architecture.
Analyst Comments: According to leaked presentation materials known as the Geedge leaks, Fang Binxing proposes DNS4CN as a national DNS architecture designed to replace China’s reliance on global root servers. Chinese ISPs handle DNS routing with varying methods, including routing table manipulation and mid-flight DNS injection. DNS4CN would consolidate DNS control under a few domestic root servers, preventing queries from leaving China and allowing censorship to be enforced more effectively and quietly. The proposal includes detection mechanisms for encrypted DNS protocols such as DNSCrypt, DoH, DoT, and DoQ, with plans to allow encrypted queries only through government-approved endpoints. Detection will be handled via a national “Shield-Cube” system—China’s unified four-layer cybersecurity framework that integrates endpoint, gateway, network, and data-layer controls. Documents describe metadata tagging, telemetry collection, and rapid blacklist propagation, painting DNS4CN as both a censorship tool and a “cyber sovereignty” enabler.
READ THE STORY: Netaskari
How China is creating a new kind of internet (Video)
FROM THE MEDIA: Over the last 40 years, the Chinese Communist Party has been constructing the world’s first and most sophisticated digital border, called the Great Firewall of China.
The Locknet: How China Controls its Internet (Video)
FROM THE MEDIA: CSIS Senior Fellow Henrietta Levin is joined by Jessica Batke, Senior Editor for Investigations at ChinaFile, and Laura Edelson, Assistant Professor of Computer Science at Northeastern University.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.