Daily Drop (1173)
11-05-25
Wednesday, Nov 05, 2025 // (IG): BB // GITHUB // SN R&D
China Pushes “AI+” Security Model: Surveillance State Expands with Predictive Policing and Dialect Recognition
Bottom Line Up Front (BLUF): China is accelerating efforts to fuse artificial intelligence with domestic surveillance, as outlined at a recent Beijing security industry conference. State-linked tech firms showcased tools capable of voiceprint recognition, predictive profiling, smart home surveillance, and automated street patrols—many already in use or tied to government contracts. While pitched as public safety solutions, the systems enhance Beijing’s ability to monitor, profile, and control its population at scale.
Analyst Comments: The “AI+ Action Plan” puts AI at the core of public security, with systems pitched for detecting dissent, monitoring minorities, and even reading emotional states based on online activity and medical records. From a security perspective, the scale of data collection and cross-system integration—combined with direct police access—creates an unprecedented authoritarian tech stack. Several firms involved, including Huawei, Hikvision, and iFlytek, remain under U.S. export controls, but that hasn’t slowed internal deployment. In some cases, the capabilities may be overstated, but the intent is clear: frictionless, invisible control of 1.4 billion people. Western law enforcement agencies should expect similar capabilities to be marketed under “smart policing” banners, and civil society should track their domestic creep closely.
READ THE STORY: The New York Times
Microsoft Teams Flaws Allow Executive Impersonation, Message Tampering, and Call Spoofing
Bottom Line Up Front (BLUF): Check Point Research disclosed four critical vulnerabilities in Microsoft Teams that allowed attackers—external guests and insider threats—to impersonate users, alter message content without a trace, spoof notifications, and forge caller identities. The flaws impacted trust in a platform used by over 320 million users, with potential abuse in phishing, fraud, malware delivery, and executive impersonation. Microsoft patched all issues by October 2025; one was assigned CVE-2024-38197.
Analyst Comments: These vulnerabilities shattered core trust assumptions in Microsoft Teams by enabling low-friction identity spoofing, silent message manipulation, and social engineering via forged call alerts. For high-risk sectors—finance, government, defense—this opens the door to deeply convincing phishing and business email compromise (BEC) campaigns inside what many wrongly assume to be a trusted perimeter. The most troubling element: attackers didn’t need deep access. A malicious guest or lightly privileged insider could exploit these bugs with crafted JSON payloads, altering how messages and notifications appeared—without any alerts or audit trails. This reflects a broader industry issue: collaboration platforms are now critical infrastructure, but often lack hardened trust models or telemetry equivalent to email and endpoint tooling.
READ THE STORY: Checkpoint
Russia’s Gray-Zone Cyber Tactics Are Designed to Drain Western Economies
Bottom Line Up Front (BLUF): Russia is waging a sustained gray-zone campaign against Western critical infrastructure, targeting both digital and physical assets to impose economic costs. Recent reporting highlights systemic efforts—from DDoS and ransomware to sabotage and GPS jamming—that inflict long-term financial damage on cities, companies, and insurers without triggering conventional military retaliation.
Analyst Comments: Municipal governments like Liverpool City Council aren’t soft targets by accident—they’re low-risk, high-impact testbeds that strain resources without political blowback. The attacks are rarely catastrophic but constant, and the cumulative cost is significant. From undersea cable sabotage (EstLink2, €60M in damages) to GPS spoofing around the Baltic, arson, and drone overflights near sensitive infrastructure, this is strategic disruption at scale. And it’s pushing insurers, airports, and public agencies toward unsustainable operating environments. Western governments should treat these incidents as part of a unified campaign—not isolated events—and fund gray-zone readiness exercises across public and private sectors.
READ THE STORY: Politico
European Commission Officials Exposed by Freely Available Geolocation Data
Bottom Line Up Front (BLUF): A coalition of European journalists obtained granular geolocation data on hundreds of European Commission and Parliament employees—including senior officials—using free datasets from data brokers. Despite GDPR’s strict privacy protections, the investigation revealed how easy it remains to acquire movement profiles, device IDs, and personal addresses from mobile ad data, raising serious questions about enforcement gaps and national security implications.
Analyst Comments: A cross-European investigation revealed that brokers are selling location data derived from mobile ad networks, enabling potential tracking of hundreds of EU officials. Among the findings: 5,800 pings from 756 devices inside the European Parliament, and over 2,000 pings from devices at the Commission’s headquarters. Journalists could trace several individuals’ daily routines and even identify personal residences. While GDPR governs data use, the EU has been slow to regulate data brokers specifically. In response, the European Commission issued guidance on disabling ad tracking and alerted national CSIRTs.
READ THE STORY: The Record
Ukrainian Drone Strike Destroys Russian Special Forces Unit on Black Sea Oil Rig
Bottom Line Up Front (BLUF): Ukraine’s naval forces claim to have killed an elite Russian anti-tank crew and destroyed reconnaissance equipment in a kamikaze drone strike on the Syvash oil rig off the coast of Crimea. The platform—part of the long-occupied Boiko Towers—is one of several that Russia has militarized since seizing them in 2015. The strike underscores Ukraine’s expanding maritime strike capabilities and continued efforts to degrade Russia’s offshore surveillance infrastructure.
Analyst Comments: Ukraine’s Navy struck the Syvash self-elevating oil rig—owned by Chornomornaftogaz but occupied by Russian forces since 2015—destroying an elite Russian special forces unit and electronic reconnaissance gear. The rig, part of the so-called Boiko Towers, has been used by Russia for military operations, including radar deployments and potentially as a staging point for anti-ship or ISR missions. Ukraine released a black-and-white video showing the moment of impact, countering Russian claims that a Ukrainian naval boat was destroyed. The strike comes amid heavy fighting in eastern Ukraine, including around Pokrovsk and Kupiansk, and demonstrates Kyiv’s continued pressure on Russian logistics and sensor platforms across all domains.
READ THE STORY: Independent
Ukraine Downs New Russian Recon Drone “Knyaz Oleg” Over Lyman Front
Bottom Line Up Front (BLUF): Ukrainian forces have successfully shot down a previously undocumented Russian reconnaissance drone—“Knyaz Oleg the Prophet”—over the Lyman area. This marks the first confirmed interception of the platform since the start of Russia’s full-scale invasion. While technical specs remain unknown, footage suggests the drone conducted optical surveillance within 40–50km of Russian lines.
Analyst Comments: “Knyaz Oleg” appears to be another mid-range ISR asset Russia is fielding to supplement its degraded drone fleet, possibly produced in limited numbers or still under field testing. It’s a symbolic and operational win for Ukraine’s 63rd Mechanized Brigade, which has become increasingly adept at targeting UAVs across the Donbas. The engagement reflects improved short-range air defense (SHORAD) coordination in the Lyman sector, where Russian forces continue to test Ukrainian flanks. While not a game-changing platform, its emergence signals Russia’s push to field bespoke ISR drones amid ongoing losses of larger, more expensive systems like the Forpost.
READ THE STORY: United24
China-Netherlands Chip Dispute Disrupts Auto Sector as Beijing Retaliates Over Nexperia Seizure
Bottom Line Up Front (BLUF): A growing dispute between China and the Netherlands over control of Dutch-based, Chinese-owned chipmaker Nexperia has triggered supply chain disruptions in Europe’s auto industry. The Dutch government seized control of Nexperia in late September over national security concerns, prompting Beijing to halt chip exports. China now demands non-interference and has only recently begun accepting export exemption requests, raising alarm across the semiconductor and automotive sectors.
Analyst Comments: The Nexperia standoff mirrors broader geopolitical tensions over semiconductor sovereignty, and its fallout is already hitting EU manufacturing, especially in the automotive space. The Dutch move, citing fears of Wingtech transferring production to China, represents a direct national security intervention into the supply chain. China’s response—halting exports of even low-end chips—shows its willingness to weaponize chokepoints in packaging and back-end manufacturing. With exemptions now tied to payments in yuan and subject to Chinese approval, EU firms are forced into case-by-case negotiations. Watch for this to accelerate European efforts to nearshore chip production, diversify suppliers, and push for collective trade defense mechanisms.
READ THE STORY: Aljazeera
Pentagon Nominee Outlines Strategy to Deter China, Defend Taiwan in Contested Indo-Pacific
Bottom Line Up Front (BLUF): Austin Dahmer, President Trump’s nominee for Assistant Secretary of War for Strategy, Plans, and Forces, told lawmakers he supports a multi-layered approach to deterring or defeating a potential Chinese assault on Taiwan. His strategy emphasizes force posture in the First Island Chain, long-range fires, undersea warfare, special operations, and greater burden-sharing with allies — all under the Trump administration’s renewed “peace through strength” doctrine.
Analyst Comments: Dahmer’s focus on denial-based strategy, long-range precision fires, and unconventional forces reflects DOD’s evolving Taiwan contingency planning. His push for greater ally integration — especially with the Philippines — is a strategic nod to geography. The renaming of the position under the “Department of War” framing isn’t just symbolic; it underlines the administration’s more assertive, militarized posture. Notably absent from the hearing was a clear position on whether the U.S. would directly intervene militarily in the event of a Chinese invasion — a calculated ambiguity Trump later reinforced in a CBS interview. Expect further doctrinal clarity only after a crisis or formal red line is crossed.
READ THE STORY: DS
U.S. Sanctions North Korean Entities Laundering Cybercrime Profits to Fund Weapons Program
Bottom Line Up Front (BLUF): The U.S. Treasury Department has sanctioned eight individuals and two companies linked to a North Korean scheme laundering billions in stolen cryptocurrency and illicit earnings from IT workers posing as remote employees in Western firms. This activity directly funds Pyongyang’s nuclear weapons and ballistic missile development.
Analyst Comments: North Korea’s offensive cyber strategy remains one of the planet’s most effective nation-state revenue streams. These sanctions highlight how Pyongyang blends cybercrime, fraud, and traditional financial laundering through networks in China and Russia to bypass international restrictions. The operations are mature, persistent, and systemic. Until major geopolitical players crack down on North Korea’s financial facilitators in their jurisdictions, sanctions alone are unlikely to disrupt the revenue pipeline entirely. Defenders should assume that North Korean actors continue to target crypto exchanges, blockchain developers, and remote-work platforms for infiltration or exploitation.
READ THE STORY: CS
Cybercrime Merger: Scattered Spider, LAPSUS$, and ShinyHunters Form Extortion Supergroup
Bottom Line Up Front (BLUF): Three prolific cybercrime crews—Scattered Spider, LAPSUS$, and ShinyHunters—have merged under a new collective dubbed Scattered LAPSUS$ Hunters (SLH). The group operates a public-facing extortion-as-a-service model via Telegram, signaling an evolution in cybercriminal branding, coordination, and threat posture. Their activities suggest an increasing overlap between hacktivist theatrics and structured ransomware operations.
Analyst Comments: According to Trustwave, the newly formed SLH group has launched and relaunched at least 16 Telegram channels since August, using them to coordinate attacks, post stolen data, and invite followers to help pressure victims. They market themselves like a startup—with branding, public statements, and recruitment bounties. Affiliates can run campaigns under the SLH banner in exchange for payment, creating an extortion-as-a-service model. The group accuses state actors of stealing their exploits and routinely targets Salesforce users. Notably, they’ve hinted at building a proprietary ransomware strain (Sh1nySp1d3r) and have ties to other threat clusters like UNC5537, UNC3944, and UNC6040. A parallel disclosure from Acronis links DragonForce’s malware ecosystem to these groups, showing shared tools, infrastructure, and a growing ransomware cartel that includes Qilin and LockBit.
READ THE STORY: THN
Russian APT Hides Malware in Hyper-V VMs to Evade Detection
Bottom Line Up Front (BLUF): Bitdefender and Georgia’s CERT have uncovered a novel malware delivery technique used by the Russian-linked threat group Curly COMrades. The group abuses Microsoft Hyper-V to spin up lightweight Alpine Linux VMs inside compromised Windows hosts. These stealth VMs run custom implants—CurlyShell and CurlCat—that enable persistent access and covert C2 communications while evading endpoint detection and response (EDR) tools.
Analyst Comments: This is a significant escalation in anti-EDR tactics. By nesting malware inside a VM and masking traffic via Hyper-V’s default switch, Curly COMrades bypass most host-based security telemetry. This technique mirrors APT-level tradecraft and suggests broader adoption of VM-based evasion is coming. Defenders should expect virtualization-layer abuse to increase, especially in hybrid environments where native tooling like Hyper-V is already used. Host-level detection won’t see inside guest VMs unless hypervisor telemetry is actively monitored—something few orgs do well. Using legitimate infrastructure like Group Policy and PowerShell for lateral movement only reinforces how hard this group is leaning on “living off the land.”
READ THE STORY: The Register
WSUS Exploit Under Active Recon: CVE-2025-59287 Enables Unauthenticated Code Execution
Bottom Line Up Front (BLUF): Threat actors are actively scanning for exposed TCP ports 8530 and 8531 linked to CVE-2025-59287, a critical vulnerability (CVSS 9.8) in Windows Server Update Services (WSUS). The flaw allows unauthenticated remote code execution. Any WSUS server exposed to the internet should be treated as potentially compromised.
Analyst Comments: The vulnerability requires no authentication and impacts widely deployed patch infrastructure. Once connected via HTTP (8530) or HTTPS (8531), attackers can execute arbitrary scripts—turning an update server into a launchpad for lateral movement or malware staging. The recon surge reported by Shadowserver and others confirms interest across both opportunistic and potentially state-aligned actors. This is low-hanging fruit given how slowly WSUS deployments tend to be patched or segmented. If you’ve got internet-exposed WSUS, isolate it immediately. Then check for signs of compromise—look for suspicious outbound traffic, script execution under WSUS processes, or unexpected admin actions.
READ THE STORY: CSN
Insider Sold $35M Worth of Zero-Days to Russian Broker ‘Operation Zero’
Bottom Line Up Front (BLUF): Peter Williams, former CEO of U.S. defense contractor Trenchant, has pleaded guilty to stealing and selling eight classified zero-day exploits to Operation Zero, a Russian-linked vulnerability marketplace. Initially developed for U.S. government use, the tools were sold over three years via encrypted channels for $1.3 million in cryptocurrency, despite being valued at $35 million.
Analyst Comments: The stolen exploits, designed for use by U.S. and allied intelligence services, likely provided Russia (and potentially others) with capabilities to compromise iOS, Android, and modern operating systems. Operation Zero’s involvement—a platform known to offer up to $20M for unique mobile vulnerabilities—strongly suggests nation-state-level end-users. Williams’s access as a “superuser” within L3Harris subsidiary Trenchant meant no oversight. He exploited trust, bypassed internal controls, and used an air-gapped device to exfiltrate source code and exploits—then framed another employee to cover his tracks. Internal access control failed at every level.
READ THE STORY: RHC
Items of interest
U.S. Military Drone Strike Kills Two Suspected Narco-Terrorists in Eastern Pacific
Bottom Line Up Front (BLUF): In its 16th military drone strike under the Trump administration’s expanded anti-cartel operations, the U.S. killed two suspected narco-terrorists aboard a vessel operated by a designated terrorist organization (DTO) in international waters. The strike is part of an increasingly militarized approach to counter narcotics trafficking, now coordinated by a new joint task force operating under U.S. Southern Command.
Analyst Comments: War Secretary Pete Hegseth, the U.S. military conducted a “lethal kinetic strike” against a suspected narco-trafficking vessel in the eastern Pacific Ocean. The strike, ordered by President Trump, resulted in the deaths of two individuals believed to be transporting narcotics for a DTO. Intelligence confirmed the boat was operating along a known drug corridor. This operation is the 16th of its kind since the current administration ramped up military efforts against cartels, with 66 suspected narco-terrorists reportedly killed. A new Joint Task Force under U.S. Southern Command has coordinated these actions across air, maritime, and special operations platforms throughout the Caribbean and eastern Pacific.
READ THE STORY: NYPOST
2 killed in latest strike on alleged narcoterrorists in the Eastern Pacific (Video)
FROM THE MEDIA: Two more narco-terrorists were killed in the Trump administration’s latest kinetic strike, according to U.S. Department of War Secretary Pete Hegseth.
U.S. kills 14 people during strikes against more vessels allegedly trafficking drugs in the Pacific (Video)
FROM THE MEDIA: The U.S. military carried out strikes against four vessels allegedly carrying drugs in the Pacific, Defense Secretary Pete Hegseth announced Tuesday, adding that at least 14 people were killed. CBS News’ Charlie D’Agata has more details.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.