Daily Drop (1189)
11-26-25
Wednesday, Nov 26, 2025 // (IG): BB // GITHUB // SN R&D
Ukraine Considers Retaliatory Intel Restrictions Amid U.S. Pressure Over Thanksgiving “Peace Proposal”
Bottom Line Up Front (BLUF): Ukrainian officials are weighing restrictions on intelligence sharing with the U.S. after the Trump administration allegedly threatened to halt offensive intel support unless Kyiv agrees to a controversial peace deal. While defensive intel reportedly remains unaffected, Ukraine may respond by curbing U.S. access to battlefield intelligence, shifting reliance back to MI6 and NATO partners. The proposal—reportedly favorable to Russian interests—faces internal resistance from Ukraine and diplomatic backlash across Europe.
Analyst Comments: Operationally, Ukrainian HUMINT and SIGINT have been indispensable to U.S. targeting efforts since 2022, especially given Ukraine’s linguistic, geographic, and cultural access. A retaliatory intelligence pullback would harm U.S. situational awareness on the Eastern front, particularly regarding Russian troop movements, logistical nodes, and dynamics in occupied territory. For Ukraine, this is also about leverage—Washington benefits from Kyiv’s front-line insights, and cutting that off is a strategic message. The notion that the U.S. might pressure Ukraine into accepting terms “pulled from Russian documents” (including limits on NATO accession and forced demilitarization) adds fuel to accusations that the deal undermines Ukrainian sovereignty. Whether or not the intel cutoff is fully enacted, the mere public discussion of it erodes trust.
READ THE STORY: HUMINT
Cartel Drone Warfare Expands in Latin America: Criminal Groups Now Deploying FPV Strikes and Explosive Payloads
Bottom Line Up Front (BLUF): Organized crime in Mexico and Colombia is rapidly escalating its use of unmanned aerial systems (UAS) from smuggling and surveillance to direct kinetic attacks. Recent analysis from CSIS and Small Wars Journal confirms that cartels are adopting tactics traditionally seen in insurgent and terrorist groups—weaponizing FPV (first-person view) drones, conducting strike operations, and experimenting with swarming tactics. The shift demands urgent updates to counter-UAS doctrine and irregular warfare policy across the region.
Analyst Comments: The drone threat is no longer theoretical. Cartels aren’t just using drones for payload drops—they’re now flying kamikaze-style FPV units with explosive charges, adapting battlefield methods seen in Ukraine and Syria. The use of precision drone strikes by non-state actors blurs the line between transnational criminal organizations and insurgent warfare. Robert Bunker’s framing is critical: this is a character evolution of criminal actors. Their nature remains rooted in profit and violence, but the tactical use of asymmetric airpower pushes them into the territory of irregular warfare. This isn’t just a threat to border security—it’s a force transformation among cartels, and it exposes a serious capability gap for law enforcement and militaries alike. Expect this shift to continue unless states catch up fast. Key vulnerabilities: under-resourced rural areas, outdated rules of engagement, and a lack of interoperable counter-drone systems. Just as worrying is the emerging drone arms race between rival cartels, with reports of signal jammers and drone pilots being trained abroad. This opens the door to a future where criminal air superiority becomes a battlefield differentiator.
READ THE STORY: Small Wars Journal
Iranian Front Operation Offers Bounties to Kill Israeli Academics in U.S. and Abroad
Bottom Line Up Front (BLUF): A newly surfaced group calling itself the “Punishment for Justice Movement” launched a website offering up to $100,000 for the assassination of Israeli academics — including those living in the United States. While the site was quickly removed, it shared the home addresses, phone numbers, and email addresses of hundreds of targets. Though it lacks overt ties to Tehran, the operation fits longstanding Iranian intimidation patterns and may fall under U.S. legal jurisdiction.
Analyst Comments: The Punishment for Justice Movement’s website offered bounties for attacks, ranging from $1,000 for harassment (such as flyer posting) to $100,000 for assassinations. It published extensive doxing information on Israeli academics, some based in the U.S. While the site claimed to be a “non-governmental and international movement,” its methods and timing — during the Israel-Hamas war — mirror earlier Iranian online campaigns. For example, Iran has threatened Israeli athletes and targeted anti-regime dissidents abroad, including U.S. politicians, during the 2020 elections. The site appears to have been created in August and only recently populated with assassination bounties. It was hosted via Cloudflare, increasing its Western accessibility. The site’s contact form asked users to engage further on “secure platforms,” potentially leaving behind digital trails. Federal law enforcement is being urged to investigate those behind the campaign, as well as any individuals who filled out the form.
READ THE STORY: FDD
Axis of Cyber: China, Russia, North Korea, and Iran Sharpen Irregular Warfare Strategies
Bottom Line Up Front (BLUF): A new analysis republished by Small Wars Journal highlights deepening cyber alignment among U.S. adversaries—China, Russia, North Korea, and Iran—whose irregular cyber strategies increasingly threaten global security. These states are not only refining asymmetric capabilities independently but also sharing tools, techniques, and targets to erode Western stability through espionage, sabotage, and influence operations. Traditional deterrence models are failing to keep pace.
Analyst Comments: What Evan Morgan’s piece captures well is the doctrine-level convergence among authoritarian regimes: cyber as a tool of political warfare, not just intelligence collection. China’s Volt Typhoon, Russia’s election ops and infrastructure sabotage, North Korea’s heists, and Iran’s retaliatory DDoS campaigns all serve strategic objectives—and often complement each other in practice. The most significant evolution here is the informal alliance architecture forming in cyberspace. The sharing of exploits, malware families, and even AI-enhanced social engineering tactics among these actors indicates that cyberspace is now a key battlespace for the anti-Western coalition. There’s precedent: Chinese tools used by Russian operators, North Korean laundering operations propped up by Chinese infrastructure, and Iranian actors running joint campaigns with Russia-linked proxies.
READ THE STORY: Small Wars Journal
Salt Typhoon and the Telecom Threat: Nation-State APTs Exploit 5G Infrastructure Blind Spots
Bottom Line Up Front (BLUF): Nation-state actors—chiefly from China—have escalated cyberattacks against global telecom providers, exploiting protocol vulnerabilities in SS7, GTP, Diameter, and 5G O-RAN systems. High-profile campaigns like Salt Typhoon have breached core telecom infrastructure, including lawful intercept systems, exposing the industry’s systemic failure to detect or respond at scale. Legacy tools can’t handle the complexity or data volumes of modern telecom, prompting a shift toward unified AI-driven defense platforms.
Analyst Comments: Telecom networks are no longer just soft targets—they’re prime ground for cyber warfare. The Salt Typhoon breach, reportedly compromising AT&T, Verizon, T-Mobile, and Lumen, wasn’t just data theft—it was a wiretap compromise, signaling full-spectrum control. These attacks highlight a long-standing weakness: telecom protocols were never designed with security in mind, and retrofitting defenses around legacy stacks (SS7, Diameter, GTP) has proven ineffective. APT operations are leveraging backdoored firmware, living-off-the-land tactics, and unmonitored lateral movement across multi-generation infrastructure. The alarming success rates—90%+ in SMS interception and SS7 tracking—indicate most telecoms are years behind where their defense posture needs to be.
READ THE STORY: Security Boulevard
RomCom Hackers Use SocGholish in Targeted Attack on U.S. Firm Linked to Ukraine
Bottom Line Up Front (BLUF): A U.S. civil engineering company with past ties to a pro-Ukraine city was targeted in September by RomCom, a Russia-aligned threat actor. The attack used SocGholish malware—a known GRU-linked initial access tool—with payload delivery directly attributed to RomCom for the first time. Though ultimately blocked, the attack reflects Russia’s continued use of asymmetric cyber operations to disrupt Western support for Ukraine.
Analyst Comments: RomCom, previously tied to zero-day exploitation and politically motivated targeting, is now integrating widely available malware, such as SocGholish, into its campaigns. That’s a tactical pivot, and likely an attempt to obscure attribution while increasing efficiency via initial access brokers like TA569. The use of SocGholish—a fake browser update lure—isn’t new. Still, its deployment by a state-aligned APT against a politically relevant target underscores how Russian-linked actors continue to adapt commodified malware for geopolitical ends. It’s also a reminder that infrastructure-adjacent organizations—even those not directly involved in defense or government—are fair game. Past RomCom activity has targeted humanitarian medical firms assisting Ukrainian refugees, and this expansion into civil engineering suggests that Moscow’s strategic target set includes logistics, recovery, and symbolic support infrastructure. This is irregular cyber warfare aimed at undermining will and capacity, not just stealing data.
READ THE STORY: CSD
APT31 Spies on Russian IT Networks Using Cloud Services
Bottom Line Up Front (BLUF): China’s state-sponsored APT31 has reportedly been targeting Russian IT contractors servicing government agencies, using cloud-based command-and-control (C2) infrastructure to evade detection. The multi-year campaign, uncovered by Positive Technologies, reveals how Chinese operators exploited Microsoft OneDrive, Dropbox, and even Russia’s own Yandex Cloud to exfiltrate data—highlighting the blurred line between cyberespionage against foreign governments and corporate IP theft.
Analyst Comments: This is a rare look at intra-bloc cyberespionage between nominal allies. APT31’s campaign highlights a persistent reality: geopolitical “friendships” don’t stop intelligence collection. The use of commercial cloud platforms for C2 isn’t new, but APT31’s mix of custom backdoors and region-specific services, such as Yandex Cloud, demonstrates surgical adaptation to the target environment. Abuse of services like VirusTotal for C2 comms is both technically clever and deeply concerning—it turns a trusted resource against the defenders. Russia may retaliate or tighten vendor scrutiny, but expect little public attribution given the diplomatic implications. For defenders, this reinforces the need to monitor cloud traffic patterns, primarily outbound flows to sanctioned or unusual destinations.
READ THE STORY: DR
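The APT31 item above closes with the defensive takeaway that outbound flows to consumer cloud and file-scanning services need watching. The following is an added example, not code from the Daily Drop or from Positive Technologies' report: a small detector that reads proxy-style log lines, maps destinations to the services named in the item (OneDrive, Dropbox, Yandex Cloud, VirusTotal), and raises a finding when a host's role is not expected to talk to that service or when the bytes it sends there exceed a volume threshold. The log lines, host names, role policy, domain patterns and the 5 MiB threshold are all constructed for illustration and are not a vetted indicator list.

```python
"""Flag outbound traffic to cloud-storage / file-scanning services that may be
acting as covert C2 or exfiltration channels. Constructed example; log format,
domain patterns, roles and thresholds are assumptions, not a published IoC set."""
from collections import defaultdict
import re

# Services called out in the APT31 reporting. Patterns are illustrative only.
CLOUD_SERVICES = {
    "onedrive":    re.compile(r"(^|\.)(onedrive\.live\.com|graph\.microsoft\.com)$"),
    "dropbox":     re.compile(r"(^|\.)(dropbox\.com|dropboxapi\.com)$"),
    "yandex_disk": re.compile(r"(^|\.)(disk\.yandex\.(ru|com)|cloud-api\.yandex\.net)$"),
    "virustotal":  re.compile(r"(^|\.)virustotal\.com$"),
}

# Constructed policy: which services each host role is expected to reach.
ROLE_ALLOWLIST = {
    "workstation": {"onedrive"},
    "server": set(),
}

# Bytes one host may send to one service in the analysed window (assumed value).
EXFIL_BYTES_THRESHOLD = 5 * 1024 * 1024

# Constructed log format: <timestamp> <host> <role> <method> <domain> <bytes_out>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<role>\S+) (?P<method>[A-Z]+) "
    r"(?P<domain>\S+) (?P<bytes_out>\d+)$"
)

# Constructed sample traffic: one build server pushing to Dropbox, one
# workstation touching VirusTotal and Yandex, one workstation using OneDrive.
SAMPLE_LOG = """
2025-11-20T09:01:12Z ws-017 workstation GET onedrive.live.com 1840
2025-11-20T09:02:45Z ws-017 workstation PUT onedrive.live.com 204800
2025-11-20T09:10:03Z srv-build-02 server POST api.dropboxapi.com 3145728
2025-11-20T09:11:09Z srv-build-02 server POST api.dropboxapi.com 3145728
2025-11-20T09:15:30Z ws-042 workstation GET www.virustotal.com 512
2025-11-20T09:20:00Z ws-042 workstation GET cloud-api.yandex.net 900
2025-11-20T09:21:00Z ws-099 workstation GET example.org 12000
""".strip().splitlines()


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    rec["domain"] = rec["domain"].lower()
    return rec


def classify_service(domain):
    """Map a destination domain to a watched service name, or None."""
    for name, pattern in CLOUD_SERVICES.items():
        if pattern.search(domain):
            return name
    return None


def analyze(lines):
    """Return findings: unexpected service for the host's role, then volume alerts."""
    findings = []
    bytes_per_host_service = defaultdict(int)
    already_flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        svc = classify_service(rec["domain"])
        if svc is None:
            continue
        key = (rec["host"], svc)
        bytes_per_host_service[key] += rec["bytes_out"]
        if svc not in ROLE_ALLOWLIST.get(rec["role"], set()) and key not in already_flagged:
            already_flagged.add(key)
            findings.append({"host": rec["host"], "service": svc,
                             "reason": "unexpected_service_for_role"})
    for (host, svc), total in bytes_per_host_service.items():
        if total > EXFIL_BYTES_THRESHOLD:
            findings.append({"host": host, "service": svc,
                             "reason": "outbound_volume", "bytes_out": total})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The role allowlist matters more than the volume threshold: a build server that has never needed Dropbox is the kind of signal the item points at, and it fires on the first request rather than after the data has left. In production the domain list would come from a maintained feed and the threshold would be set per role from observed baselines.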
DPRK’s FlexibleFerret Malware Campaign Evolves, Targets macOS Job Seekers with Sophisticated Lures
Bottom Line Up Front (BLUF): Jamf Threat Labs reports that the North Korean-linked group behind the “Contagious Interview” campaign is escalating its credential theft operations against macOS users, especially job seekers. Their FlexibleFerret malware now includes architecture-specific payloads, fake interview portals, signed decoy apps, and enhanced persistence mechanisms to bypass Apple’s security controls. The attack chain persuades victims to execute terminal commands, enabling remote access and credential theft via a refined Go-based backdoor.
Analyst Comments: macOS users have historically been viewed as low-risk targets compared to Windows users, but DPRK-aligned actors are changing that calculus. FlexibleFerret is a textbook case of nation-state-level social engineering tailored to hit the human layer where technical protections fall short. This isn’t a vulnerability exploit—it’s a trust exploit. The campaign weaponizes recruitment fatigue, targeting job-seeking professionals with custom job assessment portals. The fact that attackers are now using signed applications and Apple-native UI prompts (like fake camera permissions) shows they’ve invested in credibility, not just code.
READ THE STORY: DR
PRC Pitches Strategic Tech Ties to Germany Amid Rare Earth Tensions and U.S. Tariff Pressure
Bottom Line Up Front (BLUF): At the G20 summit in Johannesburg, Chinese Premier Li Qiang proposed deeper industrial cooperation with Germany to stabilize trade ties strained by rare-earth export restrictions and U.S.-driven tariff pressure. Despite geopolitical friction, both nations appear to be recalibrating toward economic pragmatism, particularly in areas such as EVs, hydrogen, and advanced manufacturing.
Analyst Comments: With rare earth curbs hitting German manufacturing and U.S. tariffs squeezing both economies, China is framing tech and green energy collaboration as a mutual lifeline. Berlin’s recent $6.6B investment into China—nearly half of all EU+UK FDI—shows that despite “de-risking” rhetoric, German industry still sees China as irreplaceable. Automakers, chip buyers, and chemical giants can’t decouple overnight. Premier Li’s pitch for joint development in hydrogen energy, smart manufacturing, and autonomous driving suggests that China is trying to anchor German firms more deeply in its emerging tech ecosystem. This comes at a moment of volatility: Berlin had previously canceled diplomatic engagements amid rare-earth tensions. That both sides are now realigning speaks to economic gravity overriding political noise—for now. But China’s call for Germany to “eliminate interference and pressure” signals concern about EU alignment with U.S. strategic goals, especially in export controls and semiconductor supply chains.
READ THE STORY: Reuters
China Eyes Rule-Setting Power in Global Mineral Supply Chains
Bottom Line Up Front (BLUF): Chinese policymakers increasingly view critical minerals as not just strategic resources but instruments of geopolitical influence. Facing external “de-sinicization” efforts and internal vulnerabilities, Beijing is doubling down on embedding its supply-chain footprint across the Global South—not just to secure access, but to shape the rules and standards of the next-generation mineral economy.
Analyst Comments: China has long held dominance in the processing and refining stages of critical minerals like cobalt, lithium, and rare earths. But as the West scrambles to unwind dependencies, Chinese scholars are already talking about the next front: institutional power. Think less mining rights, more rule-writing. Beijing wants to own the mineral playbook—how it’s extracted, who gets access, how it’s traded, and what counts as “responsible sourcing.” From a cyber and industrial espionage lens, this only increases the attack surface. With China expanding joint ventures and infrastructure partnerships across Africa, Southeast Asia, and Latin America, Western adversaries now have to defend not just domestic infrastructure, but supply chains embedded in increasingly sovereign-minded partner nations. Expect to see more state-sponsored intrusion campaigns targeting mining ministries, logistics platforms, and trade databases in the Global South.
READ THE STORY: Coffee in the Desert
Chinese Electric Buses Raise Cybersecurity Red Flags Across Europe
Bottom Line Up Front (BLUF): Chinese-made electric buses deployed in European cities were found to have remote shutdown capabilities that could be exploited through over-the-air update systems, according to a Norwegian investigation. The discovery—centered on a Yutong bus—has sparked parallel reviews by UK and Danish authorities, reigniting concerns that Chinese hardware embedded in critical infrastructure poses a persistent national security threat.
Analyst Comments: This is about Beijing’s quiet reach into the operational backbone of European public life. The fact that a Yutong electric bus can be remotely disabled via its software stack underscores how China’s export strategy increasingly pairs physical infrastructure with latent cyber access. It’s not a zero-day—it’s a design feature. The implications ripple out far beyond transportation. Critical infrastructure—including logistics, grid components, and transit systems—is increasingly software-defined. If foreign vendors with ties to the Chinese Communist Party (CCP) embed updatable systems into that hardware, they effectively gain a persistent access vector. Norway’s test, run in a decommissioned mine to rule out outside interference, still proved that remote control was theoretically possible—meaning the supply chain, not just the runtime environment, is the attack surface.
READ THE STORY: FDD
Beijing Quietly Reclaims 3rd Place in Global Bitcoin Mining, Despite 2021 Ban
Bottom Line Up Front (BLUF): Despite Beijing’s 2021 ban on cryptocurrency mining, China has surged back to become the world’s third-largest bitcoin mining hub, accounting for up to 20% of global hashrate, according to CryptoQuant and Hashrate Index. Miners are exploiting cheap electricity, overbuilt data centers, and signs of a softened regulatory stance—highlighting how economic incentives and policy ambiguity are driving a shadow resurgence in a once-banned industry.
Analyst Comments: China’s return to top-tier mining status just four years after its ban illustrates the limits of enforcement when regional economic pressures, energy surpluses, and profit motives collide. The Xinjiang and Sichuan regions, with stranded energy and underutilized infrastructure, remain ideal for clandestine operations. The surge in sales from firms like Canaan—which derived over 50% of its Q2 revenue from China—confirms the resurgence isn’t just anecdotal. It’s structural. Despite the official prohibition, local governments and state-owned energy firms appear to be looking the other way, possibly as a workaround to stimulate depressed regional economies. While the central government hasn’t formally reversed its position, a de facto loosening is already influencing bitcoin’s global narrative—as a resilient, apolitical asset immune to state control.
READ THE STORY: Reuters
Nexperia Chip Crisis Snarls Auto Supply Chains, Exposes China’s Leverage Over “Low-Tech” Semiconductors
Bottom Line Up Front (BLUF): China’s halt on exports of Nexperia-manufactured chips from a plant in Dongguan disrupted global auto production, forcing cuts at Nissan, Honda, and Bosch. The crisis—triggered by the Dutch government’s brief seizure of Nexperia’s HQ over national security concerns—exposed the fragility of auto supply chains reliant on mundane components. Although the chips sell for pennies, China’s retaliatory export restrictions reveal that even low-end semiconductors can serve as strategic pressure points in geopolitical standoffs.
Analyst Comments: Everyone’s watching advanced nodes and AI chips, but what brought Nissan and Bosch to their knees was China squeezing out a few-cent part used in brake controllers and window motors. Nexperia’s Dongguan plant didn’t produce cutting-edge tech—but its disruption paralyzed critical segments of the automotive supply chain. This shows how geopolitical risk is cascading into the mid- and low-end supply chain. Western governments underestimated China’s ability to retaliate not just with high-profile rare earths or gallium, but also with everyday components—many of which are deeply embedded in OEM systems and can’t be swapped out overnight. Nexperia’s yuan-only payment pivot was a clever legal shield, too—making it harder for Western HQs to exert control.
READ THE STORY: Reuters
CISA Warns of Ongoing Spyware Attacks on Signal and WhatsApp Users
Bottom Line Up Front (BLUF): CISA has issued an alert warning that state-backed actors and commercial spyware vendors are actively targeting Signal and WhatsApp users via zero-click exploits, app impersonation, and QR code manipulation. These attacks don’t break encryption — they bypass it entirely by compromising the device or hijacking legitimate app features. Victims include high-value targets in government, civil society, and military sectors across the U.S., Europe, and the Middle East.
Analyst Comments: This is what spyware looks like in 2025: don’t crack the message, own the phone. Encryption is irrelevant when attackers either spoof Signal or abuse legitimate features like “linked devices.” These campaigns show the ecosystem of zero-click exploits, fake apps, and phishing sites is now mature, global, and increasingly precise. Signal and WhatsApp aren’t broken — but users are trusting platforms without considering endpoint security. The bar is now higher for organizations: secure messaging must also mean hardening the phone it runs on.
READ THE STORY: The Register
Radical Ideologies as Psychological Ecosystems: Why They Rise, Why They Rot, and Why They Collapse
Bottom Line Up Front (BLUF): Michael Magoon’s essay presents a psychological model for explaining how radical ideologies emerge, metastasize, and ultimately self-destruct. Grounded in personality science, psychiatry, and history, the piece argues that radical ideologies are not truth-seeking systems but emotional constructs shaped by unmet psychological needs, mental disorders, and maladaptive social dynamics. Their collapse is inevitable—not because they’re unpopular, but because they are structurally incompatible with material reality.
Analyst Comments: This is a tour-de-force framework, and the core insight applies far beyond politics: any belief system that rewards moral performance over empirical correction is on a collision course with reality. From a security lens, Magoon’s typology offers a blueprint for anticipating how radical groups evolve internally and which personalities drive each phase—from fringe cult to captured institution. The psychological archetypes he outlines—Visionary, Enforcer, Romantic, Seeker, Corrupter—read like case studies in every failed regime, ideological purge, or extremist network we’ve analyzed. His breakdown of how social identity, neuroticism, and mental instability intersect with moral absolutism is also helpful in understanding recruitment tactics used by online radicalization pipelines—from white supremacists to jihadists to political cults.
READ THE STORY: From Poverty to Progress
Okta Study: Phishing Bypasses Enterprise Security, Remains Top Threat Vector
Bottom Line Up Front (BLUF): New research from Okta, to be presented at Black Hat Europe 2025, shows that phishing attacks continue to succeed against mature enterprises despite layers of advanced security tooling. Analyzing 26 months of authentication logs, researchers found that phishing-resistant controls remain underused, and that evil proxy attacks often go undetected—underscoring the ongoing operational risk of phishing across sectors.
Analyst Comments: Okta’s data-driven analysis shows that sophisticated phishing tactics, like evil proxy phishing, routinely slip past email gateways, endpoint tools, and user awareness training. The fact that the number of organizations impacted “never went to zero” over 26 months speaks volumes. The real story isn’t just attacker sophistication—it’s defender complacency. Only 40% of users in the study used phishing-resistant authentication even once a month. That’s unacceptable in an age where MFA fatigue attacks and session hijacking are table stakes for adversaries. Security teams need to move beyond training modules and “detect and respond” pipelines. This means adopting FIDO2/WebAuthn, enforcing phishing-resistant MFA, and integrating continuous authentication models. The study also surfaced a rare positive: inter-org collaboration worked. In a space where data sharing is historically siloed, that’s worth building on.
READ THE STORY: DR
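The Okta item above recommends FIDO2/WebAuthn as the phishing-resistant answer to evil-proxy attacks. The following is an added example, not Okta's code or material from the study: a simulated WebAuthn assertion flow showing why an adversary-in-the-middle proxy cannot relay a security-key login. The browser writes the origin it actually loaded into clientDataJSON and derives the RP ID from it, the authenticator signs over authenticatorData plus the hash of that clientDataJSON, and the relying party checks origin, challenge, RP ID hash and signature in turn. All origins, the phishing domain, challenges and keys are constructed; the authenticator's ECDSA signature is replaced by an HMAC over the same bytes so the example runs on the standard library alone, which does not change what is bound to what.

```python
"""Simulated WebAuthn assertion: why an evil-proxy login fails at the relying
party. Constructed example; HMAC stands in for the authenticator's ECDSA key."""
import base64
import hashlib
import hmac
import json
import os


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Authenticator:
    """Security key stand-in: signs authData || SHA-256(clientDataJSON)."""
    def __init__(self):
        self.secret = os.urandom(32)  # stand-in for the credential private key

    def get_assertion(self, rp_id, client_data):
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        auth_data = rp_id_hash + b"\x01" + (1).to_bytes(4, "big")  # UP flag, counter
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self.secret, to_sign, hashlib.sha256).digest()


class Browser:
    """Fills clientDataJSON from the origin the page was really loaded from."""
    def __init__(self, authenticator):
        self.authenticator = authenticator

    def sign_in(self, page_origin, challenge):
        client_data = json.dumps({"type": "webauthn.get",
                                  "challenge": b64url(challenge),
                                  "origin": page_origin},
                                 separators=(",", ":")).encode()
        rp_id = page_origin.split("://", 1)[1].split(":")[0]  # host of the origin
        auth_data, sig = self.authenticator.get_assertion(rp_id, client_data)
        return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, origin, rp_id, credential_secret):
        self.origin, self.rp_id = origin, rp_id
        self.credential_secret = credential_secret  # stand-in for registered public key
        self.pending = set()

    def new_challenge(self):
        c = os.urandom(32)
        self.pending.add(c)
        return c

    def verify(self, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return "bad_type"
        if cd.get("origin") != self.origin:          # origin binding
            return "origin_mismatch"
        challenge = b64url_decode(cd.get("challenge", ""))
        if challenge not in self.pending:             # freshness / replay
            return "unknown_challenge"
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rp_id_mismatch"                   # key scoped to wrong RP
        expected = hmac.new(self.credential_secret,
                            auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):    # covers both blobs above
            return "bad_signature"
        self.pending.discard(challenge)
        return "ok"


REAL_ORIGIN, REAL_RP_ID = "https://login.example.com", "login.example.com"
PROXY_ORIGIN = "https://login.example-login.net"  # constructed look-alike domain


def legitimate_login():
    key = Authenticator()
    rp = RelyingParty(REAL_ORIGIN, REAL_RP_ID, key.secret)
    return rp.verify(*Browser(key).sign_in(REAL_ORIGIN, rp.new_challenge()))


def evil_proxy_login():
    """Proxy relays a real challenge to a victim on the look-alike origin."""
    key = Authenticator()
    rp = RelyingParty(REAL_ORIGIN, REAL_RP_ID, key.secret)
    client_data, auth_data, sig = Browser(key).sign_in(PROXY_ORIGIN, rp.new_challenge())
    results = {"relayed_as_is": rp.verify(client_data, auth_data, sig)}
    forged = json.loads(client_data)
    forged["origin"] = REAL_ORIGIN                   # proxy rewrites the origin
    forged_cd = json.dumps(forged, separators=(",", ":")).encode()
    results["origin_rewritten"] = rp.verify(forged_cd, auth_data, sig)
    forged_ad = hashlib.sha256(REAL_RP_ID.encode()).digest() + auth_data[32:]
    results["origin_and_rp_id_rewritten"] = rp.verify(forged_cd, forged_ad, sig)
    return results


if __name__ == "__main__":
    print(legitimate_login(), evil_proxy_login())
```

Each rewrite the proxy attempts is caught one layer deeper: the relayed assertion fails on origin, rewriting the origin fails on the RP ID hash, and rewriting both leaves a signature that no longer covers the bytes presented. That layering, rather than any secrecy about the login page, is what the "phishing-resistant" label in the Okta study refers to.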
Blast Security Launches with $10M to Replace Cloud Detection with Built-In Prevention
Bottom Line Up Front (BLUF): Israeli startup Blast Security has exited stealth with $10M in seed funding and a bold promise: to eliminate reactive cloud detection models in favor of preemptive, continuous prevention. Its AI-powered Preemptive Cloud Defense Platform enforces guardrails at the infrastructure level, reducing cloud security risks by over 90% and shrinking attack surface without disrupting production environments.
Analyst Comments: Blast is making a play that cloud defenders have long dreamed of but rarely seen delivered: enforcement over alert fatigue. With most cloud security operations drowning in detection noise, Blast’s “security by design” approach flips the script. Instead of letting attackers exploit misconfigurations, it prevents them from happening in the first place. The team’s pedigree—ex-IDF cyber units and the founders of Solebit (acquired by Mimecast)—lends credibility. More notably, their firsthand experience building a national-level cloud defense project while on reserve duty suggests this isn’t theory. It’s a field-tested strategy.
READ THE STORY: Analytic Insight
Items of interest
Bipartisan Senate Bill Aims to Harden Security Around Undersea Cables
Bottom Line Up Front (BLUF): U.S. Senators Jeanne Shaheen (D-NH) and John Barrasso (R-WY) have introduced the Strategic Subsea Cables Act (S.B. 3249), targeting growing cyber and physical threats to global undersea fiber-optic infrastructure. The legislation mandates enhanced federal coordination, international diplomacy, and threat intelligence sharing to protect these vital communication arteries amid rising geopolitical tensions and increased sabotage risk.
Analyst Comments: Undersea cables carry over 95% of global internet traffic—including military comms, financial transactions, and commercial data—yet they remain one of the most underprotected segments of critical infrastructure. As the Ukraine war and Taiwan tensions have shown, both physical sabotage and cyber compromise of cable infrastructure are now credible strategic threats, not hypotheticals. The bill’s focus on creating dedicated diplomatic roles, an interagency protection strategy, and formal threat-sharing mechanisms is a solid start. But the language around enforcement—especially sanctions for tampering—is just as important. The targeting of cable landing stations, the use of undersea drones, and the covert tapping of subsea cables by state actors like Russia and China have already been reported in open sources.
READ THE STORY: VitalLaw
The Mystery of the Vanishing Undersea Cable (Video)
FROM THE MEDIA: In 2021, a research cable off the coast of Norway was severed. It may have been accidentally snagged by a fishing vessel, but analysts allege it may be part of a wider pattern of Russian sabotage.
How A Million Miles Of Undersea Cables Power The Internet — And Now AI (Video)
FROM THE MEDIA: Subsea fiber-optic cables are the world’s information superhighways, with over 95% of the world’s international data traveling through them. This not only includes email, video calls, and streaming but also financial transactions and government communications.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.