Daily Drop (1221)
01-09-26
Friday, Jan 09, 2025 // (IG): BB // GITHUB // SN R&D
U.S. Military Bombarded Venezuela With Drones During Alleged Maduro Raid, Report Claims
Bottom Line Up Front (BLUF): U.S. military forces allegedly deployed drones in Venezuelan airspace during a high-risk operation aimed at surveilling—or potentially targeting—President Nicolás Maduro’s regime. While details remain unconfirmed by official channels, the report suggests a covert operation involving UAV overflights and electronic warfare assets, potentially linked to broader U.S. intelligence and influence efforts in the region.
Analyst Comments: Drone deployments in contested or hostile sovereign airspace—especially without acknowledgment—are high-risk operations often associated with either counterterrorism missions or regime change strategies. This move, whether intended as intimidation or preparation for direct action, could inflame tensions across Latin America and draw scrutiny from regional powers aligned with Caracas, including Russia and Iran. From a cyber-defense perspective, drone operations often pair with electronic surveillance or offensive EW payloads—raising questions about what signals were collected, and who was watching.
READ THE STORY: The National Interest // CSN
Khan Sir’s Viral Cyberattack Claim on Venezuela Raises Eyebrows, Sparks Speculation
Bottom Line Up Front (BLUF): In a widely circulated video, Indian educator Khan Sir alleges that the United States conducted a full-spectrum cyberattack on Venezuela, disabling its power grid, GPS systems, and radar through malware disguised as software updates. While the claims are unverified and heavily dramatized, they echo persistent accusations by the Venezuelan regime that U.S. cyber operations have contributed to infrastructure failures—particularly during periods of political unrest and blackouts.
Analyst Comments: The core claim—that U.S. cyber forces “switched off” Venezuela via prepositioned malware in critical systems—hasn’t been substantiated by credible forensic evidence. However, the scenario described (malware-laced firmware updates, command disruptions, GPS jamming) mirrors established doctrine in U.S. offensive cyber playbooks. It’s also a familiar Russian and Chinese narrative: software, not soldiers, is the new tool of regime change. Khan Sir’s framing plays to popular cyberwar tropes—blackouts, drone raids, radars going dark—and underscores how quickly cyber myths can take root in public consciousness, especially when overlaid with real geopolitical tensions.
READ THE STORY: AsiaNet News
Ruggedized IoT Devices Pose New Cybersecurity Challenges in Critical Sectors
Bottom Line Up Front (BLUF): Ruggedized IoT devices deployed in defense, utilities, and public safety sectors present unique cybersecurity vulnerabilities that traditional security frameworks fail to address. Operating in harsh environments with intermittent connectivity and limited physical access, these devices extend attack surfaces in mission-critical infrastructure. Gartner data indicates IoT-related incidents in critical infrastructure surged 400% in 2023, with average breach costs exceeding $3 million.
Analyst Comments: The core challenge is an architectural mismatch: standard cybersecurity models assume stable connectivity, controlled environments, and frequent patching—none of which apply to ruggedized edge deployments. Devices operating unattended for years in remote locations create persistent exposure windows that adversaries can exploit through supply chain compromise, firmware manipulation, or physical tampering. Frameworks like ISA/IEC 62443 and NIST SP 800-82 offer guidance but were designed for predictable network infrastructure, leaving gaps in physical security and offline operational scenarios. Organizations must adopt layered defenses including secure boot, zero-trust architecture, offline update workflows, and tamper-evident physical controls. The convergence of nation-state cyber capabilities and expanding critical infrastructure IoT footprints makes this a strategic—not merely technical—priority for CIOs and security leaders.
READ THE STORY: Freebluf
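The analyst comments name secure boot and offline update workflows as layered defenses without describing how such a workflow is gated. The following is an added example, not code from the article or from any vendor, of the device-side check for an offline update bundle: a pinned Ed25519 public key, a SHA-256 hash over the image, and a monotonic version number for anti-rollback. The manifest layout, field names and the build-server signing step are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateManifest is a hypothetical header carried alongside an offline update
// bundle (for example on removable media walked out to a remote device).
// The field layout is an assumption for this example, not any vendor's format.
type UpdateManifest struct {
	Version   uint32   // monotonically increasing; enforced for anti-rollback
	ImageHash [32]byte // SHA-256 of the firmware image body
	Signature []byte   // Ed25519 signature over Version || ImageHash
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify against pinned key")
	ErrHashMismatch = errors.New("update rejected: image hash does not match manifest")
	ErrRollback     = errors.New("update rejected: version is not newer than installed")
)

// signedBytes is the exact byte string that is signed and later verified:
// a 4-byte big-endian version followed by the 32-byte image hash.
func signedBytes(version uint32, imageHash [32]byte) []byte {
	buf := make([]byte, 4, 4+len(imageHash))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, imageHash[:]...)
}

// SignUpdate runs on the build server, never on the device: it produces the
// manifest for an image using the private key that stays offline.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdateManifest {
	h := sha256.Sum256(image)
	return UpdateManifest{
		Version:   version,
		ImageHash: h,
		Signature: ed25519.Sign(priv, signedBytes(version, h)),
	}
}

// VerifyOfflineUpdate is the device-side gate: pinned-key signature first,
// then image integrity, then anti-rollback. Only a nil result should lead to
// flashing the image.
func VerifyOfflineUpdate(pinnedKey ed25519.PublicKey, installed uint32, m UpdateManifest, image []byte) error {
	if !ed25519.Verify(pinnedKey, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed keys and image for demonstration only.
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v7")
	manifest := SignUpdate(priv, 7, image)

	fmt.Println("valid update:      ", VerifyOfflineUpdate(pub, 6, manifest, image))
	fmt.Println("replayed old image:", VerifyOfflineUpdate(pub, 7, manifest, image))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:    ", VerifyOfflineUpdate(pub, 6, manifest, tampered))
}
```

The order of checks matters: the signature is verified before anything else is trusted, the hash ties the manifest to the exact image on the media, and the version comparison stops a validly signed but older bundle from being replayed onto a device that nobody visits for years.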
Congress to Examine U.S. Offensive Cyber Strategy Amid Escalating Nation-State Threats
Bottom Line Up Front (BLUF): The U.S. House Subcommittee on Cybersecurity and Infrastructure Protection will hold a hearing on January 13 titled “Defense through Offense,” aimed at evaluating how the U.S. can strengthen offensive cyber capabilities to deter and disrupt foreign threats. The session comes amid escalating campaigns by China, Russia, and Iran targeting U.S. critical infrastructure and will address the legal, operational, and policy frameworks governing offensive cyber ops across government and industry.
Analyst Comments: While most federal cyber doctrine has historically focused on defense and resilience, lawmakers are now openly calling for “strategic and technological tools” to be used offensively—framing cyberspace as an active battlefield. Expect discussion around clarifying agency roles (NSA, CYBERCOM, DHS), enabling preemptive disruption of adversary campaigns, and expanding public-private offensive partnerships. Also notable is the direct mention of AI-assisted espionage allegedly carried out using Anthropic’s models—an indication that autonomous threat actors are no longer theoretical. The subtext here: deterrence in cyberspace now depends as much on demonstration of capability as it does on resilience.
READ THE STORY: Industrial
Iran Cuts Internet Amid Mass Protests
Bottom Line Up Front (BLUF): Iran has initiated a nationwide internet blackout, reducing connectivity to near-zero levels as of January 8, 2026. The shutdown coincides with large-scale anti-government protests and appears aimed at limiting citizen communication and obstructing the flow of protest footage. NetBlocks and Cloudflare both attribute the outage to deliberate government action.
Analyst Comments: Iran's repeated use of full-scale internet shutdowns—2019, 2025, now 2026—signals that network disruption is embedded in its internal security doctrine. Beyond limiting domestic coordination, these blackouts prevent external media scrutiny, making it harder to verify reports of violence or repression. While expected from Iran, it’s another reminder for defenders working in high-risk regions: communications infrastructure remains a frontline target. Organizations operating in or near these zones should review business continuity plans that assume total loss of internet access.
READ THE STORY: The Register
Russia's $12B Internet Shutdown: Kremlin Censorship Escalates Amid Internal Instability
Bottom Line Up Front (BLUF): Russia has effectively blacked out large portions of its domestic internet, leveraging years of infrastructure investment to isolate the country from global platforms. Dubbed the "$12 Billion Blackout," the move follows a Kremlin directive aimed at suppressing unrest and controlling digital narratives. Western platforms are blocked, VPNs are throttled, and internal routing relies on a nationalized DNS and traffic filtering system.
Analyst Comments: Russia’s government has effectively enacted a national internet blackout, intensifying its long-running digital isolation campaign. The move follows expanded censorship laws and growing civil unrest. Billions were poured into domestic infrastructure—local DNS, routing controls, and deep packet inspection—to allow the country to operate an autonomous internet. Western tech platforms including Instagram, WhatsApp, and Signal are now inaccessible to most Russian users. VPN usage is being systematically blocked via protocol fingerprinting and throttling. Internal platforms, messaging apps, and search engines—tied to state-linked entities—remain online and under close monitoring.
READ THE STORY: Forbes
Stealc v2 Malware Campaign Abuses Creative Platforms for Delivery and Evasion
Bottom Line Up Front (BLUF): Morphisec researchers have uncovered a new Stealc v2 campaign leveraging trusted creative platforms like Creavite and Imgur to deliver malware via trojanized videos and JavaScript payloads. The info-stealer, linked to Russian-speaking cybercriminals, uses file hosting and video rendering services to blend into legitimate traffic and avoid detection. Targets include individuals and small businesses, with a focus on credential theft and session hijacking.
Analyst Comments: Victims are tricked into downloading “video templates” or other media that silently deliver the malware. In some cases, payloads are staged via Imgur—a common tactic to avoid domain-based blocking. Stealc v2 has evolved its grabber capabilities and adds configurable modules to target over 22 web browsers, password managers, and crypto wallets. Once installed, it exfiltrates data to command-and-control servers hosted behind fast-flux or bulletproof hosting providers. The campaign appears opportunistic but technically polished, likely distributed via Discord, Telegram, or cracked software sites.
READ THE STORY: Morphisec
Beijing’s Strategic Push to Weaponize Data Raises Alarms Among U.S. Defense Analysts
Bottom Line Up Front (BLUF): The PLA’s “intelligentized warfare” doctrine depends on data abundance and the ability to process it faster than adversaries. China is treating data as a warfighting domain, blending state surveillance, cyber operations, and AI development into one coherent strategy. Western enterprises feeding this system—whether through joint ventures, unvetted supply chains, or lax data governance—are creating long-term national security liabilities. The article underscores a growing consensus in the U.S. defense and intelligence community: countering China's data strategy requires more than firewalls—it demands rethinking the flow of information, the trustworthiness of platforms, and the geopolitical cost of digital interdependence.
Analyst Comments: China’s Personal Information Protection Law (PIPL) and Data Security Law are less about protecting citizens and more about asserting state control over all domestic and foreign data touching Chinese systems. By harnessing commercial data from global tech partnerships and platforms like TikTok and Huawei, the regime blurs the line between private and state-controlled assets. The article also highlights concerns from U.S. national security officials that China's data centralization efforts will feed advanced military AI systems, biometric surveillance, and predictive cyber operations. Meanwhile, the West lacks a unified strategy to push back.
READ THE STORY: RealClear Defense
PLA’s Microwave Weapons Program: Anti-Personnel and Drone Disruption Capabilities Under Development
Bottom Line Up Front (BLUF): China’s development of high-powered microwave (HPM) weapons isn’t new, but the level of operational readiness suggested in this report is noteworthy. These systems offer Beijing a scalable, deniable option for both battlefield disruption and domestic control. HPM can disable unshielded electronics, jam sensors, and cause neurological or physiological effects on personnel—all without visible destruction or conventional munitions. In a Taiwan or South China Sea scenario, expect these weapons to be used for soft-kill counter-drone operations, perimeter denial, or disabling adversary communications. This also fits China’s broader “systems confrontation” doctrine, where information dominance and system disruption are prioritized over kinetic superiority.
Analyst Comments: Chinese researchers and military officials have unveiled new information on the PLA’s microwave weapons systems, including compact mobile platforms and fixed installations. The report cites Chinese defense publications and recent military expos that showcase anti-drone applications, such as disrupting GPS and onboard sensors, as well as crowd control usage that induces pain or discomfort via high-frequency directed energy. Some systems appear to be derivatives of earlier Russian and U.S. concepts but with improved mobility and power management. There are also indications that some units are already deployed with PLA ground forces and maritime assets for field testing.
READ THE STORY: TheDefensePost
UAT-7290 Targets South Asian Telecoms in Persistent Espionage Campaign
Bottom Line Up Front (BLUF): Cisco Talos has attributed a multi-year cyber-espionage campaign targeting telecommunications providers in South Asia to a Chinese state-linked threat actor designated UAT-7290. Active since at least 2022, the group compromises edge devices using publicly available exploits and maintains long-term access through a Linux-based malware suite. UAT-7290 also appears to operate as an initial access broker for other China-nexus APTs, repurposing compromised infrastructure for broader offensive use.
Analyst Comments: UAT-7290 exemplifies China’s strategic focus on telecom infrastructure as both a surveillance target and a foothold in regional critical systems. Their approach is calculated and scalable: exploit edge devices using one-days or PoCs, deploy modular implants, and quietly entrench. The use of Operational Relay Box (ORB) infrastructure highlights a trend where compromised systems are recycled into proxy nodes for follow-on access by other actors, effectively forming a covert ecosystem. Defenders should note the lack of zero-days—this is a threat group succeeding by out-operating, not out-innovating. The targeting expansion into Southeastern Europe is also telling: UAT-7290 may be testing the waters for broader global access operations.
READ THE STORY: InfoSecMag
Cisco ISE XML Parsing Flaw (CVE-2026-20029): Public PoC Released, Admin File Read Vulnerability
Bottom Line Up Front (BLUF): Cisco has patched a medium-severity vulnerability (CVE-2026-20029, CVSS 4.9) in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that allows authenticated administrators to read arbitrary files via malicious XML uploads. A public proof-of-concept (PoC) exploit is available, though no active exploitation has been reported.
Analyst Comments: This isn't a full RCE, but it’s still risky—particularly in segmented or regulated environments where administrators shouldn’t have access to the underlying OS. Arbitrary file read via a web-based management interface is often a stepping stone toward privilege escalation or lateral movement, especially if config files or credentials are exposed. The fact that Cisco admits admins can access data they “shouldn’t” be able to is telling. Public PoC ensures this will show up in post-auth exploit chains, red team toolkits, and compliance audit findings.
READ THE STORY: THN
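The write-up says an authenticated admin can read arbitrary files through a malicious XML upload but does not name the parser feature involved. The usual route for file reads out of an XML upload is a DTD with an external entity, and a management interface that never needs DTDs can refuse any document carrying a DOCTYPE before it reaches the real parser, whatever that parser's defaults are. The following is an added example in Go, not Cisco's code or anything from the advisory; the two sample uploads are constructed and the file path in the second is a placeholder.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
)

// ErrDoctypeRejected is returned for any upload that carries a DTD. An admin
// interface that never needs DTDs can refuse them outright, which closes the
// external-entity route to the local filesystem regardless of what the
// downstream parser would do with it.
var ErrDoctypeRejected = errors.New("xml upload rejected: DOCTYPE/DTD not permitted")

// CheckUploadedXML streams the token sequence of an uploaded document and
// rejects it on the first <!DOCTYPE ...> directive. On success it returns the
// root element name so the caller can also confirm the expected document type.
func CheckUploadedXML(data []byte) (string, error) {
	dec := xml.NewDecoder(bytes.NewReader(data))
	dec.Strict = true // malformed input is an error, not something to tolerate
	root := ""
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return "", fmt.Errorf("xml upload rejected: %w", err)
		}
		switch t := tok.(type) {
		case xml.Directive:
			// <!DOCTYPE ...> is the only place a DTD, and therefore an
			// external entity declaration, can enter the document.
			if bytes.HasPrefix(bytes.TrimSpace(t), []byte("DOCTYPE")) {
				return "", ErrDoctypeRejected
			}
		case xml.StartElement:
			if root == "" {
				root = t.Name.Local
			}
		}
	}
	if root == "" {
		return "", errors.New("xml upload rejected: no root element")
	}
	return root, nil
}

// Constructed sample uploads (not from the advisory). The second carries a
// DTD whose external entity points at a placeholder file path.
const (
	benignUpload = `<?xml version="1.0"?><policy><rule name="allow-admin"/></policy>`
	dtdUpload    = `<?xml version="1.0"?><!DOCTYPE policy [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt">]><policy>&ext;</policy>`
)

func main() {
	for _, doc := range []string{benignUpload, dtdUpload} {
		root, err := CheckUploadedXML([]byte(doc))
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted, root element:", root)
	}
}
```

A check like this sits in front of the vendor patch rather than replacing it. Rejections are worth logging on their own: a DOCTYPE inside an admin's configuration upload is an unusual enough event to be a useful detection signal in the audit trail.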
SmarterMail Pre-Auth RCE (CVE-2025-52691): Zero-Click Exploit Drops System Shell
Bottom Line Up Front (BLUF): Researchers at WatchTowr Labs reverse-engineered the SmarterMail update released quietly on Jan 3, 2026, after suspecting it contained a silent fix. They confirmed a critical RCE stemming from how SmarterMail parses authentication requests—specifically abusing the __VIEWSTATEGENERATOR parameter to sneak malicious data past request validation. Despite Microsoft’s hardened IIS config and SmarterMail’s own security features, the exploit chain enables an attacker to drop a web shell as NT AUTHORITY\SYSTEM with a single unauthenticated request.
Analyst Comments: A single GET request can yield SYSTEM shell access, pre-auth, and no user interaction needed—about as bad as it gets. The vulnerability bypasses all expected defenses, including default SmarterMail config, ASP.NET request validation, and even Microsoft's hardened IIS security profiles. WatchTowr's approach is a textbook example of deep product understanding, chaining obscure .NET behavior with lenient request parsing to achieve full compromise. If your SmarterMail instance was internet-facing before the Jan 3 patch, assume breach.
READ THE STORY: Watchtowr
HPE OneView Zero-Day Exploited in the Wild (CVE-2025-37164): Pre-Auth RCE Targeting Infrastructure Management
Bottom Line Up Front (BLUF): CVE-2025-37164 affects multiple versions of HPE OneView and allows pre-authentication remote code execution via a flaw in the web interface. The vulnerability was patched in December 2025, but active exploitation was confirmed as of early January 2026. HPE has urged customers to upgrade to fixed versions and provided hardening guidance, including firewall rules to restrict access. The company has not released full technical details, likely due to the ongoing threat activity.
Analyst Comments: OneView is used to manage HPE servers, storage, and networking gear, meaning successful exploitation grants privileged access to physical and virtual systems. While specifics of the exploit remain undisclosed, attackers are clearly aware of and leveraging this bug in the wild. These types of systems often live behind perimeter firewalls, but if exposed—intentionally or accidentally—they present a high-value target. Expect continued exploitation, especially by state-aligned actors and ransomware groups looking for deeper access points.
READ THE STORY: HelpNetSecurity
ESXi “Maestro” Exploit: VM Isolation Proved Breakable
Bottom Line Up Front (BLUF): Researchers detailed how ESXi Maestro exploits vulnerabilities in the VMware ESXi virtualization stack to escape from a guest VM to the host. The exploit chain abuses memory corruption bugs and timing vulnerabilities to achieve code execution on the hypervisor. From there, attackers can access other VMs on the same host and compromise sensitive operations without triggering alerts from traditional EDR tools running inside the guests. The report notes that this breaks the security model relied upon by most virtualized environments and calls for a reassessment of VM boundary trust.
Analyst Comments: VM escape attacks are rare but catastrophic, and ESXi Maestro confirms that hypervisor-layer trust is no longer absolute. Based on reverse engineering and multiple chained vulnerabilities, the attack bypasses normal isolation boundaries and enables stealthy lateral movement between VMs. Hosting providers, MSSPs, and any org running ESXi clusters—especially multi-tenant setups—should treat this as a high priority. While no in-the-wild exploitation has been confirmed (yet), this class of attack is a dream tool for state-backed actors, red teams, or ransomware operators targeting hypervisor-level persistence. Patch fast, monitor low-level hypervisor logs, and reassess trust assumptions in shared VM environments.
READ THE STORY: Security Online // GBhackers // RHC
CISA Issues Emergency Directive on Microsoft Email Breach
Bottom Line Up Front (BLUF): CISA has issued Emergency Directive (ED) 24-02 in response to a nation-state compromise of Microsoft’s corporate email systems, believed to be tied to China-affiliated threat actor Storm-0558. The directive orders U.S. federal agencies to identify and mitigate risks stemming from the breach, which may have exposed authentication secrets, sensitive communications, and access tokens. Agencies must take immediate inventory of Microsoft-provided indicators of compromise and rotate affected credentials by April 30, 2024.
Analyst Comments: While the Storm-0558 intrusion became public in mid-2023, CISA’s directive confirms that the exposure extended beyond what was initially acknowledged—specifically pointing to the compromise of authentication secrets from Microsoft’s own corporate environment. This isn’t just an Exchange Online issue; it's a trust collapse in Microsoft’s identity infrastructure. Agencies relying on Microsoft-managed keys, tokens, or auth pipelines should assume compromise and plan full credential rotation. The directive’s tone is clear: Microsoft’s cloud services are a high-value target and a single point of failure. Expect ripple effects across the private sector, particularly in defense, healthcare, and finance.
Items of interest
MDA Space Joins U.S. Missile Defense SHIELD Program as ‘Golden Dome’ Contractor
Bottom Line Up Front (BLUF): MDA Space has been selected as a contractor for the U.S. Missile Defense Agency’s SHIELD program, a central component of the multi-domain Golden Dome missile defense initiative. The IDIQ contract allows MDA to compete for a share of the program’s $151 billion budget over the next decade, signaling deeper Canadian involvement in U.S. space-based defense infrastructure.
Analyst Comments: SHIELD isn’t just about interceptors; it’s about full-spectrum threat detection, cyber resilience, and integrating AI/ML into battle networks. MDA’s inclusion suggests its tech portfolio—particularly in digital engineering and space-based sensing—aligns with U.S. defense priorities. From an operational standpoint, the scale of SHIELD indicates future opportunities for advanced prototyping, cyber defense tools, and AI-driven modeling. Defenders should note the continued blending of cyber and kinetic domains in U.S. strategy and the potential for spillover innovation—or risk exposure—for allied networks.
READ THE STORY: SpaceQ
Golden Dome US Space Force | Explained (Video)
FROM THE MEDIA: The Golden Dome: America’s Future Shield is designed as a multi-layered system, operating across four distinct stages.
Inside the Golden Dome: Can the U.S. Stop Missiles in Space (Video)
FROM THE MEDIA: In this episode of GNSI’s At the Boundary podcast, Dr. Tad Schnaufer sits down with Dr. Namrata Goswami, professor of space security at Johns Hopkins University, to unpack one of the most ambitious U.S. defense projects in decades: the Golden Dome missile defense system.
The selected stories cover a broad range of cyber threats and are intended to help readers frame key publicly discussed threats and improve overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, don't hesitate to get in touch with InfoDom Securities at dominanceinformation@gmail.com.