Daily Drop (1190)
11-27-25
Thursday, Nov 27, 2025 // (IG): BB // GITHUB // SN R&D
Eroding Global Stability: Adversarial Cyber Strategies from China, Russia, North Korea, and Iran
Bottom Line Up Front (BLUF): China, Russia, North Korea, and Iran are deepening their cyber cooperation and developing asymmetric capabilities to undermine global stability and counter Western power projection. While their tactics vary, these states increasingly coordinate through malware sharing, disinformation campaigns, and the exploitation of emerging technologies such as AI. Their combined cyber strategies represent a significant irregular threat to the rules-based international order.
Analyst Comments: China emphasizes military-civil fusion and stealthy persistence techniques like “living off the land,” notably seen in its Volt Typhoon campaign targeting U.S. critical infrastructure. Russia integrates cyber into broader political warfare, combining disinformation, cybercrime, and military ops. North Korea continues using cyber to fund its regime through theft and ransomware, while Iran weaponizes cyber tools for retaliatory strikes, exemplified by attacks like Shamoon and Operation Ababil. Notably, the article highlights instances of indirect collaboration—such as Russia allegedly deploying Chinese-origin malware in Ukraine—pointing to a convergence in tactics and targets.
READ THE STORY: Small Wars Journal
Europe Weighs Offensive Cyber Response as Russian Hybrid Attacks Escalate
Bottom Line Up Front (BLUF): Amid a surge in Russian hybrid operations — including drone incursions, sabotage, GPS jamming, and disinformation — EU and NATO members are actively exploring offensive cyber operations and surprise military drills to counter escalating threats. While Moscow continues to probe for weak points, European leaders are signaling a shift from passive defense to proactive deterrence. The challenge: retaliate without sparking full-scale war with a nuclear-armed adversary.
Analyst Comments: For years, Russia has tested the seams of NATO’s rules-based architecture, relying on plausible deniability and asymmetric tactics. The response has been largely reactive and constrained by legal and ethical considerations. But with 110+ sabotage incidents in just six months — many tied to Russian operatives — the political calculus is changing. Expect expanded cyber authority, more “gray zone” operations, and deeper integration between intelligence, cyber, and kinetic capabilities. Europe’s internal debate now isn’t whether to strike back — it’s how to do so without crossing Moscow’s red lines or NATO’s legal boundaries.
READ THE STORY: Politico
Congress Calls Anthropic CEO to Testify on First AI-Orchestrated Cyberattack Linked to China
Bottom Line Up Front (BLUF): The House Homeland Security Committee has called Anthropic CEO Dario Amodei to testify on December 17 about a Chinese cyber-espionage campaign that allegedly used Claude Code, which Anthropic has described as the first reported AI-orchestrated cyber-espionage campaign. Lawmakers want to understand how commercial AI tools can be abused by nation-states and how government and industry can respond to machine-speed cyber operations.
Analyst Comments: This is a landmark moment. It's not just that an AI system was used in an attack; it's that it was used end-to-end, with human input kept to a minimum. We're entering an era where threat actors can scale, automate, and optimize intrusion campaigns using off-the-shelf AI tools. Anthropic's appearance before Congress signals how seriously Washington is taking the implications. This hearing won't just be about what happened; it'll be about defining liability, policy gaps, and the future of AI regulation in national security contexts.
READ THE STORY: Axios
Amazon Warns of Cyber-Enabled Kinetic Targeting: Nation-State Groups Blend Digital Intrusion with Physical Strikes
Bottom Line Up Front (BLUF): Amazon’s threat intelligence team has identified a growing trend of nation-state adversaries integrating cyber operations directly into the planning and execution of physical military attacks. Termed cyber-enabled kinetic targeting, these campaigns use digital intrusions—particularly into CCTV, maritime, and sensor systems—to gather real-time intelligence that informs and enhances missile strikes or other kinetic actions. Case studies implicate Iranian-linked groups Imperial Kitten and MuddyWater in such operations.
Analyst Comments: The implications for critical infrastructure operators, especially those in logistics, energy, maritime, and urban surveillance, are severe. Access to CCTV or AIS (Automatic Identification System) data isn’t just a privacy risk anymore; it’s battlefield intel. These case studies highlight a disturbing evolution: cyber intrusions no longer precede kinetic attacks—they enable them in real time. Iran-linked actors leveraging compromised CCTV streams to adjust missile targeting is a clear warning. Traditional segmentation of cyber and physical threat models is now obsolete.
READ THE STORY: Industrial
FCC Confirms Radio Hijackings: Hackers Broadcast Fake Emergency Alerts Using Vulnerable Devices
Bottom Line Up Front (BLUF): The FCC has issued a public alert following a series of cyber intrusions in which attackers hijacked U.S. radio equipment to transmit fake Emergency Alert System (EAS) messages and obscenities. The attacks exploited unsecured Barix network audio devices, allowing threat actors to override live broadcasts with attacker-controlled audio, including simulated alerts and offensive content.
Analyst Comments: Devices responsible for relaying emergency alerts were left reachable from the internet, often with default credentials or outdated firmware: an open door for anyone running an internet-wide port scan with intent. While not destructive in the traditional sense, these hijacks erode public trust in emergency systems and set a dangerous precedent: an attacker could inject panic-inducing alerts during a real crisis and disrupt response coordination. The FCC's advisory should be a wake-up call not just for broadcasters, but for any operator managing ICS-like equipment in civilian infrastructure. The fix is unglamorous: change default passwords, apply firmware updates, and keep management interfaces off public IP space (behind a VPN or access list). Default credentials, exposed interfaces, and ignored firmware updates remain low-effort yet high-impact targets. If a nation-state were to weaponize this further, we'd be dealing with psychological operations in addition to signal disruption.
READ THE STORY: Reuters
ToddyCat APT Targets Microsoft 365: Advanced Email Espionage Tactics Bypass Traditional Defenses
Bottom Line Up Front (BLUF): The ToddyCat APT group has evolved its tradecraft to exploit Microsoft 365 environments, targeting government and critical infrastructure in Europe and Asia. By abusing Exchange Web Services (EWS) APIs and manipulating DNS configurations, the group gains persistent, stealthy access to emails—bypassing standard authentication and alerting mechanisms.
Analyst Comments: ToddyCat's ability to read mailboxes without triggering MFA prompts or credential-theft alerts should concern any security team relying on Microsoft 365 defaults. Its use of EWS MessageItem APIs allows silent data exfiltration at scale, and the DNS manipulation and abuse of Autodiscover for credential interception show deep architectural knowledge: this isn't smash-and-grab, it's a slow burn with strategic intent. The targeting isn't financially motivated; it's about long-term surveillance, decision intelligence, and compromise of sensitive diplomatic and operational communications. Mailbox reads over EWS are recorded in the Microsoft 365 Unified Audit Log as MailItemsAccessed events, so hunting for high-volume EWS access from unfamiliar client strings and IP addresses is a practical first detection.
READ THE STORY: RHC
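As an added example (not code from the ToddyCat research or from Microsoft), the following script implements the hunt described above: it reads a Unified Audit Log export, keeps only MailItemsAccessed events, and flags any user whose mailbox is read over Exchange Web Services from an IP outside a known allowlist at a volume above a threshold inside a sliding window. The records are constructed, and the field names (CreationTime, UserId, ClientIP, ClientInfoString, OperationCount) reflect the MailItemsAccessed event shape as I understand it; confirm them against a real export from your tenant before relying on the logic. The allowlisted IP and the thresholds are hypothetical.

```python
"""Hunt for bulk mailbox reads over Exchange Web Services (EWS) in a
Microsoft 365 Unified Audit Log export.

Added example for this digest; it is not code from the ToddyCat research or
from Microsoft. The records below are constructed. Field names follow the
MailItemsAccessed event shape as I understand it; verify them against a real
export from your tenant before relying on this logic.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

EWS_MARKER = "Client=WebServices"         # ClientInfoString prefix used by EWS clients
KNOWN_EWS_CLIENT_IPS = {"198.51.100.10"}  # hypothetical: your backup/archival appliance
WINDOW = timedelta(minutes=15)            # sliding window for counting items read
ITEM_THRESHOLD = 200                      # items read per window that warrant a look

# Constructed sample export (one JSON record per line, not real tenant data).
# a.rivera's mailbox is read three times over EWS from an unfamiliar IP
# within ten minutes; b.chen uses OWA; c.diaz is read by the allowlisted appliance.
SAMPLE_LOG = r"""
{"CreationTime":"2025-11-25T02:01:10","Operation":"MailItemsAccessed","UserId":"a.rivera@example.gov","ClientIP":"203.0.113.45","ClientInfoString":"Client=WebServices;ExchangeWebServices/1.0;","OperationCount":90}
{"CreationTime":"2025-11-25T02:03:00","Operation":"MailItemsAccessed","UserId":"b.chen@example.gov","ClientIP":"192.0.2.20","ClientInfoString":"Client=OWA;Action=ViaProxy","OperationCount":40}
{"CreationTime":"2025-11-25T02:04:30","Operation":"MailItemsAccessed","UserId":"a.rivera@example.gov","ClientIP":"203.0.113.45","ClientInfoString":"Client=WebServices;ExchangeWebServices/1.0;","OperationCount":85}
{"CreationTime":"2025-11-25T02:05:00","Operation":"MailItemsAccessed","UserId":"c.diaz@example.gov","ClientIP":"198.51.100.10","ClientInfoString":"Client=WebServices;BackupAgent/3.2;","OperationCount":500}
{"CreationTime":"2025-11-25T02:06:15","Operation":"UserLoggedIn","UserId":"a.rivera@example.gov","ClientIP":"203.0.113.45"}
{"CreationTime":"2025-11-25T02:09:50","Operation":"MailItemsAccessed","UserId":"a.rivera@example.gov","ClientIP":"203.0.113.45","ClientInfoString":"Client=WebServices;ExchangeWebServices/1.0;","OperationCount":70}
{"CreationTime":"2025-11-25T09:00:00","Operation":"MailItemsAccessed","UserId":"a.rivera@example.gov","ClientIP":"203.0.113.45","ClientInfoString":"Client=WebServices;ExchangeWebServices/1.0;","OperationCount":30}
"""


def parse_events(text):
    """Parse a line-delimited JSON export; keep MailItemsAccessed events, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        events.append({
            "time": datetime.fromisoformat(rec["CreationTime"]),
            "user": rec["UserId"],
            "ip": rec.get("ClientIP", ""),
            "ews": rec.get("ClientInfoString", "").startswith(EWS_MARKER),
            "count": int(rec.get("OperationCount", 1)),
        })
    return sorted(events, key=lambda e: e["time"])


def find_bulk_ews_reads(events, window=WINDOW, threshold=ITEM_THRESHOLD,
                        known_ips=KNOWN_EWS_CLIENT_IPS):
    """Flag (user, ip) pairs reading >= threshold items over EWS within one window."""
    by_key = defaultdict(list)
    for e in events:
        if e["ews"] and e["ip"] not in known_ips:
            by_key[(e["user"], e["ip"])].append(e)

    findings = []
    for (user, ip), evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            total = sum(x["count"] for x in evs[start:end + 1])
            if total >= threshold:
                findings.append({"user": user, "ip": ip, "items": total,
                                 "first": evs[start]["time"], "last": evs[end]["time"]})
                break  # one finding per user/IP pair is enough to triage
    return findings


if __name__ == "__main__":
    for f in find_bulk_ews_reads(parse_events(SAMPLE_LOG)):
        print(f"{f['user']} read {f['items']} items over EWS from {f['ip']} "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

On the constructed data only a.rivera is flagged: 245 items in under ten minutes from an IP not on the allowlist. The OWA session and the allowlisted backup appliance are ignored by design, so tune the allowlist and threshold to your own tenant's baseline before using this for alerting.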
Kimchi Premium vs. State Hacking: North Korea Exploits South Korean Crypto for Cyberwar and Nuclear Funding
Bottom Line Up Front (BLUF): South Korea’s largest cryptocurrency exchange, Upbit, suffered another major breach—this time losing ₩54 billion (US$36.8 million) in Solana-based assets. The incident marks the latest chapter in a nearly decade-long pattern of sustained attacks on South Korean crypto infrastructure, primarily attributed to North Korea’s Lazarus Group. Investigations link stolen crypto directly to Pyongyang’s nuclear weapons and missile programs, highlighting the geopolitical dimensions of what might otherwise seem like ordinary financial cybercrime.
Analyst Comments: The Upbit breach underscores South Korea’s long-standing paradox: it hosts one of the most lucrative, high-liquidity crypto markets in the world (thanks in part to the “kimchi premium”), yet its exchanges remain persistently vulnerable to sophisticated state-backed attacks. North Korea’s Lazarus Group has mastered this terrain. Its combination of social engineering, malware, and flawless Korean language skills gives it a domestic advantage that’s hard to counter with conventional security measures. But the genuine concern is what happens next: UN and U.S. intelligence have consistently linked crypto thefts to weapons development. According to the White House, as much as 50% of North Korea’s missile program funding now comes from stolen cryptocurrency.
READ THE STORY: 0 daily
U.S. Power Grid Faces Stress Test as $2.5 Trillion AI Data Center Boom Accelerates
Bottom Line Up Front (BLUF): AI hyperscalers like OpenAI, Microsoft, and Amazon plan to more than double their energy consumption by 2030, driving demand for 500 TWh annually — over 10% of U.S. electricity usage. While industry leaders claim the grid can scale to meet this growth, failures in places like Oregon and California reveal critical vulnerabilities. If optimistic projections about infrastructure upgrades and energy availability falter, data centers may outpace the grid — resulting in stranded assets and national security risks.
Analyst Comments: U.S. power generation may scale eventually, but not always where or when data centers need it. Grid interconnection delays, 4-year turbine backlogs, and regional bottlenecks make rapid AI expansion risky. Behind-the-meter power and private generation may temporarily cover gaps, but long-term grid dependency is inescapable. Overconfidence in market speed could leave billion-dollar AI campuses cold and dark. If datacenter power delays mirror chip supply chain failures, the cost won’t just be financial — it’ll be strategic.
READ THE STORY: Forbes
OpenAI Warns Developers After Mixpanel Breach Exposes API User Data
Bottom Line Up Front (BLUF): OpenAI confirmed a third-party breach at Mixpanel, its analytics provider, that exposed developer profile data, including names, emails, and approximate locations. While ChatGPT users and core systems remain unaffected, the data could be weaponized in phishing attacks against OpenAI API developers. The breach was linked to a smishing attack on November 8.
Analyst Comments: No passwords or payment data were stolen, but attackers now hold a verified list of OpenAI developer accounts—prime targets for phishing and impersonation. Think API key resets, OAuth token scams, or poisoned SDKs sent to dev teams. This is a classic supply chain soft spot: analytics and telemetry platforms often sit outside core security controls but handle user-linked metadata. Mixpanel’s compromise reinforces the need for zero-trust assumptions even for non-auth systems. API users should rotate keys, audit access logs, and double-check any inbound communication—especially from support or “security teams.”
READ THE STORY: Business Insider
Ransomware Attack Shuts Down CodeRED Emergency Alert System, User Data Leaked
Bottom Line Up Front (BLUF): A ransomware attack attributed to the INC group has permanently disabled the legacy OnSolve CodeRED emergency alert system, operated by Crisis24. The breach compromised personally identifiable information (PII) of users across dozens of U.S. jurisdictions and rendered the system inoperable for two weeks. Impacted agencies have since terminated contracts, and Crisis24 is rushing to migrate customers to a new platform.
Analyst Comments: While the Emergency Alert System remained untouched, CodeRED’s shutdown highlights the growing risk to third-party emergency technologies that fall outside federal redundancy protocols. Attackers targeting critical civilian systems — even indirectly — should be treated as engaging in infrastructure disruption, not just data theft. Local governments relying on opt-in systems must now revisit vendor trust models and revalidate continuity plans for public communication during crisis events.
READ THE STORY: Cyberscoop
FlexibleFerret Malware Campaign Targets macOS Users Through Fake Job Portals
Bottom Line Up Front (BLUF): North Korean threat actors are delivering FlexibleFerret, a new macOS malware strain, through fake job recruitment websites. Victims are socially engineered into executing terminal commands that deploy multi-stage payloads capable of credential theft, surveillance, and persistent access. The malware has been linked to the ongoing “Contagious Interview” campaign and leverages realistic job assessment sites to lure targets.
Analyst Comments: The macOS ecosystem, often seen as less targeted than Windows, is now facing sophisticated, multi-architecture malware that abuses trust in UI prompts and Terminal instructions. The use of fake job portals mimicking hiring processes from real firms (e.g., “Blockchain Capital”) suggests a strategic phishing campaign, likely targeting tech professionals and developers. The malware’s reliance on Dropbox for C2 traffic and Chrome-themed credential phishing further shows operational maturity. This campaign underlines that no platform is safe when users are the entry point. Enterprises should treat unsolicited job-related interactions as potential threat vectors—especially when they involve Terminal commands. Apple’s ecosystem needs tighter controls on LaunchAgents and better detection of shell script abuse in user directories.
READ THE STORY: CSN
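As an added example (not code from the FlexibleFerret analysis or from Apple), the script below does the LaunchAgent triage the comment above calls for: it parses every property list in a LaunchAgents directory with the standard-library plistlib and flags agents whose program is a shell or scripting interpreter, whose arguments point at user-writable or hidden paths, or that combine RunAtLoad with KeepAlive so the job relaunches if killed. The two plists it writes are constructed for the demo; their labels and paths are hypothetical and are not FlexibleFerret indicators.

```python
"""Triage a macOS user's LaunchAgents for shell-script persistence.

Added example for this digest; it is not code from the FlexibleFerret
analysis or from Apple. The two plists written by build_demo_dir() are
constructed; their labels and paths are hypothetical.
"""
import plistlib
import tempfile
from pathlib import Path

INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript", "curl", "node"}
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/Library/Apple/",
                    "/bin/", "/usr/bin/", "/usr/libexec/")
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")


def program_of(plist):
    """Return (program path, full argv) from ProgramArguments or Program."""
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    if args:
        return args[0], args
    prog = plist.get("Program")
    return (str(prog), [str(prog)]) if prog else ("", [])


def assess(plist):
    """Return the reasons this agent deserves a closer look (empty list if none)."""
    reasons = []
    prog, args = program_of(plist)
    if not prog:
        return ["no Program or ProgramArguments"]
    if Path(prog).name in INTERPRETERS:
        reasons.append(f"interpreter as program: {prog}")
    if not prog.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted system/app paths: {prog}")
    for a in args[1:]:
        if a.startswith(USER_WRITABLE_PREFIXES) or "/." in a:
            reasons.append(f"argument references user-writable or hidden path: {a}")
            break
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive (relaunches if killed)")
    return reasons


def scan_launch_agents(directory):
    """Map plist filename -> reasons, for every agent in `directory` that has any."""
    findings = {}
    for path in sorted(Path(directory).glob("*.plist")):
        with open(path, "rb") as fh:
            try:
                plist = plistlib.load(fh)
            except plistlib.InvalidFileException:
                findings[path.name] = ["unparseable plist"]
                continue
        reasons = assess(plist)
        if reasons:
            findings[path.name] = reasons
    return findings


def build_demo_dir():
    """Write one benign and one suspicious constructed plist; return the temp directory."""
    d = Path(tempfile.mkdtemp(prefix="launchagents-demo-"))
    benign = {"Label": "com.example.helper",
              "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/ExampleHelper",
                                   "--background"],
              "RunAtLoad": True}
    suspicious = {"Label": "com.example.updater",
                  "ProgramArguments": ["/bin/bash", "-c", "/Users/alice/.config/updater/run.sh"],
                  "RunAtLoad": True, "KeepAlive": True}
    for name, data in (("com.example.helper.plist", benign),
                       ("com.example.updater.plist", suspicious)):
        with open(d / name, "wb") as fh:
            plistlib.dump(data, fh)
    return d


if __name__ == "__main__":
    for name, reasons in scan_launch_agents(build_demo_dir()).items():
        print(name)
        for r in reasons:
            print("  -", r)
    # On a real account: scan_launch_agents(Path.home() / "Library" / "LaunchAgents")
```

The benign helper (an app bundle binary under /Applications) produces no findings; the constructed updater is flagged three times: bash as the program, an argument under a hidden directory in the user's home, and RunAtLoad combined with KeepAlive. Run it against ~/Library/LaunchAgents and /Library/LaunchAgents for a quick triage, and treat any hit as a starting point for review rather than a verdict.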
Thales Opens Canberra-Based Cybersecurity Operations Centre to Protect National Infrastructure
Bottom Line Up Front (BLUF): Thales Australia has launched a new cyber Security Operations Centre (SOC) in Canberra, offering defence-grade detection and response services for government and critical infrastructure. The SOC leverages a partnership with Google Cloud to integrate AI-driven threat detection, ensuring 24/7 surveillance and sovereign data handling in line with Australian security standards.
Analyst Comments: While tech giants like Google provide global-scale AI and threat telemetry, the critical differentiator here is Thales’ clearance-backed staff and local infrastructure, ensuring compliance with Protected-level security classifications. In a region where critical infrastructure has become a prime target for state-sponsored actors, the timing makes sense. This facility could also become a key node in countering hybrid threats targeting Australia’s utilities, transport networks, and government platforms. Whether this sets a new benchmark for public-private cyber partnerships in the region remains to be seen, but it’s clearly a step beyond checkbox compliance.
READ THE STORY: ADM
NVIDIA DGX Spark Vulnerabilities Open Path to RCE, Data Theft, and DoS Attacks
Bottom Line Up Front (BLUF): NVIDIA has released urgent patches for fourteen vulnerabilities affecting its DGX Spark AI infrastructure platform. The flaws—particularly CVE-2025-33187 (CVSS 9.3)—allow attackers to execute remote code, escalate privileges, exfiltrate data, and cause denial-of-service (DoS) disruptions. All unpatched DGX OS versions before the OTA0 update are vulnerable.
Analyst Comments: DGX systems sit inside sensitive AI pipelines, often handling proprietary models, classified data, or high-performance compute workloads. A successful exploit here isn't just a technical win; it's an intelligence and operational breach. CVE-2025-33187 enables full RCE via the SROOT component and could serve both destructive and covert objectives. The accompanying out-of-bounds writes, arbitrary memory reads, and privilege escalation bugs (CVE-2025-33188 through CVE-2025-33192) suggest attackers could chain vulnerabilities into a full-stack compromise. While no exploitation has been seen in the wild, these flaws will quickly find their way into offensive toolkits. Treat DGX Spark as Tier 0 infrastructure: apply the OTA0 update immediately and restrict privileged access tightly.
READ THE STORY: Cyber Press
Items of interest
Army War College Warns: Fragmented U.S. Cyber Response Weakens National Resilience
Bottom Line Up Front (BLUF): A new U.S. Army War College analysis argues that the nation’s cyber incident response is dangerously fragmented, lacking a designated lead agency and consistent coordination across major breaches. Case studies of SolarWinds, Colonial Pipeline, and Change Healthcare show that governance—not just technical gaps—is undermining U.S. resilience against escalating cyber threats. Without structural reform, the U.S. remains ill-prepared to manage complex, cross-sector cyberattacks on critical infrastructure.
Analyst Comments: While cyber defenders often focus on zero-days and ransomware payloads, this report points out the real Achilles’ heel: bureaucratic inertia and overlapping mandates. PPD-41 and the NCIRP were supposed to clarify roles, but real-world incidents like SolarWinds and Colonial Pipeline exposed coordination failures in plain sight. The fact that the Office of the National Cyber Director (ONCD) was unstaffed during SolarWinds, and DOE was suddenly tapped to lead Colonial Pipeline response (without explanation), reflects the lack of a standing playbook and chain of command. Private sector autonomy adds another layer of complexity. Colonial Pipeline lawfully declined CISA’s help and chose Mandiant, revealing just how little federal agencies can compel cooperation under current authorities—even in critical infrastructure sectors. As the report points out, cybersecurity standards across sectors remain advisory in practice rather than enforced.
READ THE STORY: INK STICK
U.S. Cyber Officials Order Emergency Response After Federal Breach (Video)
FROM THE MEDIA: U.S. cyber officials have issued an “emergency directive” after discovering that an advanced hacking group breached at least one federal agency by exploiting vulnerabilities in Cisco firewall devices. All civilian agencies must scan, patch, and isolate affected gear by the end of Friday.
Sources: Reuters, Washington Post, Axios
Rare Interview Where US Cyber Command Reveals Their Ops 🎙 Darknet Diaries Ep. 50: Op Glowing Symphony (Video)
FROM THE MEDIA: In a rare interview, an officer from U.S. Cyber Command explains how the government found a way to attack the global ISIS network without putting a single boot on the ground.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.