Daily Drop (1183)
11-18-25
Tuesday, Nov 18, 2025 // (IG): BB // GITHUB // SN R&D
CISA Plans Major Hiring Surge to Rebuild Cyber Capabilities Amid Rising China Threat
Bottom Line Up Front (BLUF): CISA is preparing for a large-scale hiring initiative in 2026 to recover from a 40% vacancy rate across mission-critical areas and rebuild operational capacity after workforce cuts during the Trump administration. The move comes as the agency anticipates increased cyber threats from China and a potential national security crisis by 2027. The new workforce strategy includes faster hiring pipelines, expanded use of DHS’s Cyber Talent Management System, academic partnerships, and greater flexibility for technical staff.
Analyst Comments: A 40% vacancy rate in one of the nation’s key cyber defense agencies is indefensible, especially as Chinese state-backed actors ramp up infrastructure-targeted campaigns. The damage from previous political infighting and budget attrition is showing—burnout, brain drain, and stalled programs like Scholarship for Service. This rebuild attempt is as much about credibility as it is about capability. Success will depend on how fast CISA can operationalize hiring reforms, retain technical talent in a competitive market, and reestablish trust with critical infrastructure partners. Flexible telework policies and student pipelines are tactical wins—but they won’t fix the leadership vacuum or mission fragmentation overnight.
READ THE STORY: CyberSecDrive
Navy SEALs Launch Tactical Drone School to Sharpen Battlefield Edge
Bottom Line Up Front (BLUF): Naval Special Warfare Command (NSWC) is standing up a new 10-day tactical drone warfare course focused on building, maintaining, and operating first-person-view (FPV) drones. The course—expected to begin in January 2026—includes 80 hours of training, with a heavy emphasis on live flight, drone construction, and a final field exercise. The program reflects a broader shift in special operations doctrine to adapt to drone-centric combat rapidly.
Analyst Comments: The class will run twice a year and will be hosted by a civilian contractor. Notably, NSWC requires certified live-fire ranges and classroom facilities with internet, restrooms, and climate control—indicating the course is as much about field readiness as it is technical mastery. No specific training site was named, but the Navy’s recent drone experiments—including with Shield AI’s Nova drone in Alaska—show a clear pattern: prioritize autonomous ISR, expand tactical drone roles, and remove reliance on slow procurement cycles. The Pentagon has broadly accelerated drone integration efforts, from drone swarms to medevac systems. Now, the special operations community is pushing tactical training down to the operator level—giving SEALs, Rangers, and others the tools to maintain air superiority at squad scale.
READ THE STORY: Task and Purpose
Iranian SpearSpecter Group Conducts Personalized Espionage Ops Targeting Government, Defense Officials
Bottom Line Up Front (BLUF): Iranian APT42—also known as SpearSpecter—is conducting a new wave of highly targeted spearphishing attacks targeting senior government and defense personnel. The group is leveraging social engineering through WhatsApp and other platforms, luring targets to credential-harvesting sites, and deploying a fileless PowerShell-based backdoor dubbed TAMECAT for long-term espionage and data theft.
Analyst Comments: SpearSpecter operates patiently, investing weeks in social credibility before triggering a technical move. The malware’s memory-resident execution and modular architecture reflect top-tier OPSEC. The use of legitimate tools like PsSuspend to access browser data further complicates detection. This is a tailored threat, not a commodity one—SOC teams need to tune detections for behavior, not just IOCs. High-value individuals—especially in policy or defense—must be trained to recognize these highly customized social approaches.
READ THE STORY: Cyber Press
APT28’s “NotDoor” Backdoor Abuses Outlook Macros for Persistent Access and Covert C2
Bottom Line Up Front (BLUF): Researchers from S2 Grupo and Splunk have uncovered NotDoor, a backdoor attributed to APT28 (Fancy Bear) that abuses Microsoft Outlook macros for stealthy persistence and command execution. The malware hides in VbaProject.otm and uses encoded PowerShell, DLL sideloading, and registry changes to evade detection. It transforms Outlook into a covert command-and-control client—flying under most enterprise radar.
Analyst Comments: Most orgs monitor Word or Excel macros—not Outlook, which flies under many blue teams’ radar. NotDoor hijacks trusted OneDrive binaries, abuses Outlook’s startup macro logic, and configures the registry to suppress security prompts. Once embedded, it’s a living C2 channel that doesn’t need external beacons—commands ride in on emails. Defenders should focus on macro abuse detection beyond Office docs, and watch for non-Outlook processes tampering with VbaProject.otm. Registry auditing and encoded PowerShell analytics are essential here.
READ THE STORY: Cyber Press
EchoGram Attack Bypasses LLM Guardrails Using Flip Tokens in GPT-5.1, Claude, and Gemini
Bottom Line Up Front (BLUF): Researchers at HiddenLayer have disclosed a novel vulnerability dubbed EchoGram that enables attackers to bypass the automated safety mechanisms of major large language models (LLMs), including GPT-5.1, Claude, and Gemini. By embedding specially chosen tokens—called flip tokens—into prompts, attackers can evade filters designed to detect malicious intent, or even cause false positives on benign requests. The flaw impacts both classification-based and LLM-as-a-judge guardrail systems. Researchers estimate defenders have a narrow 90-day window to adapt before widespread exploitation becomes feasible.
Analyst Comments: EchoGram is a sophisticated alignment bypass that attacks not the LLM itself, but the infrastructure meant to keep it safe. What makes it dangerous isn’t technical complexity—it’s how trivial exploitation can be: appending nonsensical strings =coffee can flip a classifier’s decision. That’s a nightmare scenario for AI safety, especially in high-risk sectors such as healthcare, finance, and legal advisory. The dual impact—bypassing malicious prompts and flagging benign ones—is a serious operational risk. If adversaries can reliably generate false positives, it will lead to alert fatigue and the degradation of trust in AI moderation systems. From a security operations perspective, this is similar to adversarial examples in computer vision, but now weaponized against text-based threat models.
READ THE STORY: Hack Read
Japan Scrambles Jets After Chinese Drone Sighting Near Taiwan Amid Rising Regional Tensions
Bottom Line Up Front (BLUF): Japan scrambled fighter aircraft after detecting a Chinese drone near Yonaguni Island—its southernmost point, just 60 miles from Taiwan—on November 16. The incident, alongside incursions by Chinese coast guard vessels near the disputed Senkaku Islands, comes amid rising tensions following hawkish comments from Japan’s new Prime Minister, Sanae Takaichi, who suggested military intervention if Taiwan were attacked. China responded sharply, warning its citizens against travel to Japan and escalating diplomatic pressure.
Analyst Comments: Takaichi’s comments mark a shift from Japan’s traditional ambiguity on Taiwan defense—a move that could reset Beijing’s threat calculus in the East China Sea. Beijing’s use of gray-zone tactics (coast guard ships, drones, and cyber ops) to harass and probe Japanese responses is a well-documented strategy, now intensified by rhetoric on both sides. The economic backlash—plunging Japanese tourism stocks—shows China isn’t just flexing militarily. It’s targeting soft power and financial pressure points too.
READ THE STORY: CBS NEWS
Critical RCE Vulnerability in LLaMA-Factory Exposes AI Training Pipelines to Code Injection (CVE-2025-53002)
Bottom Line Up Front (BLUF): Japan scrambled fighter aircraft after detecting a Chinese drone near Yonaguni Island—its southernmost point, just 60 miles from Taiwan—on November 16. The incident, alongside incursions by Chinese coast guard vessels near the disputed Senkaku Islands, comes amid rising tensions following hawkish comments from Japan’s new Prime Minister, Sanae Takaichi, who suggested military intervention if Taiwan were attacked. China responded sharply, warning its citizens against travel to Japan and escalating diplomatic pressure.
Analyst Comments: By omitting a single parameter, LLaMA-Factory left a high-risk deserialization route wide open—inviting RCE via Pickle abuse, a problem the community should’ve buried a decade ago. The real kicker? PyTorch still defaults to insecure deserialization in versions before 2.6. Expect exploitation in real-world AI/ML pipelines, especially in shared environments like JupyterHub, lab clusters, or model hosting services that trust third-party checkpoint files. This isn’t just about data theft—attackers can create users, drop SSH backdoors, or exfiltrate models. Long-term, Safetensors should be the default across the board. Until then, defenders need layered protection: runtime monitoring, static analysis, tight input validation, and explicit loading flags.
READ THE STORY: Freebuf
Items of interest
FCC Moves to Roll Back Telecom Cyber Rules Sparked by Salt Typhoon Espionage Campaign
Bottom Line Up Front (BLUF): The FCC is expected to vote this week on repealing cybersecurity regulations for telecom providers enacted after the China-linked Salt Typhoon espionage campaign. The rules, introduced in early 2025 under the Biden administration, required baseline cyber protections under CALEA Section 105. Chairman Brendan Carr argues the rules exceeded legal authority and undermined private-sector cooperation. The rollback is drawing sharp criticism from lawmakers who see Salt Typhoon as a wake-up call for telecom security.
Analyst Comments: U.S. intelligence attributed the activity to China’s state-backed actors, citing long-term router-level persistence tactics. In response, the FCC issued a January 2025 rule requiring telecommunications providers to meet CALEA cybersecurity standards. These included securing edge devices, segmenting critical infrastructure, and implementing protections for admin credentials. Now, FCC Chair Carr is pushing to rescind that rule, claiming it lacked legal footing and bypassed public input. A factsheet supporting the rollback emphasizes federal-private collaboration over prescriptive mandates and notes that carriers have voluntarily adopted security enhancements since Salt Typhoon.
READ THE STORY: FNN
Australia’s former cyber spy chief on threat of infamous Chinese hackers ‘Salt Typhoon’ (Video)
FROM THE MEDIA: Australia’s former cyber intelligence boss discusses digital threats and the roles they’ve played in the big news stories of recent weeks. From Iranian links to firebombings, Neo Nazis and China-backed cyber intruders, Rachel Noble analyses the dangers and argues there’s still room for optimism.
Understanding Hacker Group Salt Typhoon (Video)
FROM THE MEDIA: In this episode of Cyber Insiders, we take a deep dive into Salt Typhoon, a Chinese state-sponsored threat actor responsible for targeting global telecommunications providers. Cian Heasley, Threat Lead at Adarma, breaks down their tactics, motivations, and the key vulnerabilities they exploit to gain access to critical networks.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.
The timing of the FCC rollback is particlarly troubling given how sophisticated Salt Typhoon was. Rolling back requirments right after a major breach sends a mixed message about priorties. The tension between flexibilty and mandatory standards is real, but telecom infrastructure is too critical to leave entirely to voluntary adoption. Would be intresting to see if this emboldens other state actors.