Thursday, Feb 20, 2025 // (IG): BB // GITHUB // SN R&D
Russian Hackers Exploit Signal’s Linked Device Feature to Spy on Ukraine
Bottom Line Up Front (BLUF): Russian state-backed hackers, including Sandworm and UNC4221, actively exploit Signal Messenger’s “linked devices” feature to compromise Ukrainian military and government accounts. By crafting malicious QR codes, attackers link victim accounts to their devices, allowing real-time message interception. Russian and Belarusian cyber actors also steal Signal database files from compromised Android and Windows devices. Google’s security team warns of increasing global threats against secure messaging platforms.
Analyst Comments: These attacks highlight the increasing focus of Russian cyber-espionage efforts on secure messaging applications, particularly in wartime intelligence gathering. Signal's reputation as a safe platform makes it a prime target, and the tactics used—such as phishing via QR codes and malware deployment—are likely to evolve and spread beyond Ukraine. Given the precedent Russian state-backed cyber actors set, other governments and high-risk individuals worldwide should anticipate similar threats. Organizations must prioritize secure device management and user awareness to counteract these growing risks.
FROM THE MEDIA: Google’s Threat Intelligence team reported that Russian hackers, including the Sandworm group and UNC4221, exploit Signal Messenger by tricking users into linking their accounts to attacker-controlled devices. Malicious QR codes, phishing websites, and fake security alerts are the primary tools used in these campaigns. Attackers also exfiltrate Signal database files using malware such as Wavesign and Infamous Chisel. In some cases, Russian forces have physically captured devices and linked Signal accounts to their infrastructure for real-time surveillance. Signal has introduced security enhancements to mitigate these risks, but researchers warn that similar attacks will likely persist and expand in scope.
READ THE STORY: Google // The Record // THN
Chinese Warships Sail Unprecedentedly Close to Sydney, Raising Security Concerns
Bottom Line Up Front (BLUF): The Australian navy is tracking a Chinese naval task group that sailed within 150 nautical miles of Sydney, the furthest south China’s navy has ventured along Australia’s east coast. The task force, consisting of two warships and a supply vessel, was first spotted off Australia’s northeast coast last week. This maneuver signals China’s expanding military reach in the Pacific, raising concerns about its strategic ambitions and regional power projection.
Analyst Comments: China’s naval movement so close to Australia’s coastline marks a significant escalation in its maritime assertiveness. While technically in international waters, the operation highlights Beijing’s increasing willingness to operate far beyond the first and second island chains, challenging traditional Western military presence in the Indo-Pacific. The move comes amid heightened regional tensions, including recent unsafe interactions between Chinese forces and Australian aircraft in the South China Sea. With growing competition for influence in the Pacific, Australia and its allies—particularly the U.S.—may need to reassess their naval deterrence strategies to counter China’s expanding maritime footprint.
FROM THE MEDIA: The Australian Defence Force confirmed that two of its naval ships are closely monitoring the Chinese warships, which include the frigate Hengyang and the cruiser Zunyi. This unannounced maneuver is considered “unprecedented,” contrasting with a coordinated Chinese naval visit to Sydney in 2019. The incident coincided with a visit to Australia by Admiral Samuel Paparo, head of U.S. Indo-Pacific Command, who met with Australian defense leaders. Experts suggest China’s move aims to normalize its naval presence in the Pacific, where it competes with Australia and the U.S. for regional influence. Tensions between the two nations remain high, with recent Chinese military provocations in the South China Sea prompting Australian forces to increase surveillance efforts.
READ THE STORY: FT
Pegasus Spyware Infections Discovered on Private Sector Devices
Bottom Line Up Front (BLUF): New research from mobile security firm iVerify reveals that Pegasus spyware infections extend beyond civil society and into the private sector. The company found Pegasus on 11 of 18,000 devices tested in December 2024, including those of real estate, logistics, and finance business executives. This raises concerns about corporate espionage and the growing reach of commercial spyware.
Analyst Comments: The detection of Pegasus among private-sector professionals signals an alarming shift in the use of advanced spyware. Historically associated with targeting journalists, activists, and government officials, its deployment against executives suggests an expanded interest in economic intelligence. This could indicate state-sponsored espionage or competitive intelligence gathering by private entities. The findings also highlight the limitations of existing security measures—only half of the infected users had received Apple threat notifications. As spyware attacks grow more prevalent, organizations must implement advanced mobile security measures and threat intelligence strategies to mitigate risks.
FROM THE MEDIA: iVerify’s latest report confirms that Pegasus spyware, developed by Israel’s NSO Group, has been found on private-sector devices in Switzerland, Poland, Bahrain, Spain, the Czech Republic, and Armenia. While NSO Group claims it only sells Pegasus to governments for counterterrorism purposes, past investigations have shown its misuse against dissidents and journalists. The recent findings suggest that business leaders with access to sensitive corporate data are also targeted. Some victims were monitored for years, and many were infected with multiple Pegasus variants from 2021-2023. iVerify, which uses machine learning to detect spyware traces, continues to analyze additional cases that may indicate broader infections.
READ THE STORY: The Record
FBI Warns of 'Indiscriminate' Chinese Cyberespionage in Salt Typhoon Telecom Breach
Bottom Line Up Front (BLUF): The FBI has confirmed that the Chinese state-backed hacking group Salt Typhoon compromised significant telecommunications networks, indiscriminately collecting vast amounts of data, including call records and sensitive law enforcement information. The breach, which impacted American citizens—including children—highlights China’s aggressive cyberespionage tactics. The U.S. has sanctioned a Chinese cybersecurity company and a national involved in the operation.
Analyst Comments: The Salt Typhoon breach represents one of the most far-reaching cyberespionage campaigns attributed to China, with the indiscriminate data collection suggesting a long-term intelligence-gathering effort. The theft of information about minors is particularly concerning, as it could enable future coercion or influence operations. This incident adds to mounting calls within the U.S. government for a more aggressive cyber posture, including offensive operations against adversaries. With Salt Typhoon still actively infiltrating networks worldwide, governments and telecom companies must urgently strengthen cybersecurity defenses, including implementing Zero Trust architectures and more robust detection mechanisms.
FROM THE MEDIA: Speaking at the 2025 Zero Trust Summit, Cynthia Kaiser, deputy assistant director of the FBI’s cyber division, warned that Salt Typhoon had collected an unprecedented amount of personal and law enforcement data from American telecom networks. The breach was described as “insidious” and “reckless,” with data collection extending to minors. U.S. officials have responded by sanctioning a Sichuan-based Chinese cybersecurity company and a Chinese national linked to the attack. Despite public attribution, Salt Typhoon remains active, compromising additional networks worldwide. The attack has intensified bipartisan calls in Washington for stronger cyber countermeasures, with some officials advocating for retaliatory cyber operations.
READ THE STORY: Cyberscoop
EU Imposes New Russia Sanctions Amid US Push for Ukraine Peace Deal
Bottom Line Up Front (BLUF): The European Union has agreed on its 16th package of sanctions against Russia, targeting aluminum imports, oil exports, and entities supporting the war effort. The sanctions include a phased-in ban on Russian aluminum products, restrictions on shadow fleet tankers used to evade oil price caps, and measures against 13 Russian banks. The move comes as the US, under President Donald Trump, pushes for a peace deal with Russia, raising concerns in Europe about a potential divergence in Western policy toward the conflict.
Analyst Comments: The widening transatlantic divide could significantly complicate diplomatic efforts if Washington were to retract its sanctions. European leaders fear that prematurely lifting sanctions could weaken Ukraine's bargaining power in negotiations with Moscow. The EU may need to enhance enforcement mechanisms and coordinate with other allies to ensure continued economic leverage over Russia.
FROM THE MEDIA: EU member states finalized a new round of sanctions to restrict Russia’s economic capabilities. The measures include a ban on Russian aluminum imports, tighter controls on crude oil exports, and blacklisting of additional entities aiding the Russian war effort. The sanctions also target 73 shadow fleet tankers used by Russia to bypass Western restrictions. The move follows US-Russia peace talks in Saudi Arabia, where Secretary of State Marco Rubio suggested that Western sanctions could be a key factor in negotiations. European diplomats remain wary of potential US policy shifts and insist on maintaining pressure on Moscow despite Trump’s push for a diplomatic settlement.
READ THE STORY: FT
ASIO Chief Warns of Foreign Assassination Plots in Australia
Bottom Line Up Front (BLUF): The Australian Security Intelligence Organisation (ASIO) has uncovered assassination plots by at least three foreign intelligence agencies targeting dissidents in Australia. ASIO successfully thwarted a scheme in which a human rights activist was nearly lured to a third country for elimination. Director-General Mike Burgess also warned of heightened espionage threats and foreign interference ahead of Australia's federal elections.
Analyst Comments: The revelation that multiple foreign states are attempting to silence critics in Australia highlights the growing trend of transnational repression. Similar cases have been linked to Iran and China, both of which have been accused of targeting dissidents abroad. The timing of these warnings—just months before Australia’s federal elections—suggests that ASIO is preparing for potential interference, including cyber operations. Additionally, the discovery of surveillance devices hidden in gifts to Australian defense personnel raises concerns about foreign intelligence gathering related to AUKUS, the trilateral military pact between Australia, the U.S., and the U.K. These threats underscore the need for stronger cybersecurity and counterintelligence measures to protect both individuals and national security interests.
FROM THE MEDIA: In his Annual Threat Assessment, ASIO Director-General Mike Burgess disclosed that at least three foreign governments had attempted to harm individuals residing in Australia. In one case, intelligence services sought to lure a human rights activist to another country under false pretenses to orchestrate an "accident." ASIO successfully intervened, preventing the attack. Another plot involved an unidentified foreign intelligence agency planning to eliminate critics of its government within Australia. The agency has also reported increased espionage efforts, particularly against AUKUS-related personnel, including instances where foreign actors gifted Australian defense officials items embedded with surveillance devices. With Australia’s federal election set for May 2025, ASIO has formed specialist teams to monitor foreign interference, disinformation campaigns, and attempts to pressure diaspora communities.
READ THE STORY: The Record
Chinese Hackers Exploit MAVInject.exe to Evade Detection in Cyber Attacks
Bottom Line Up Front (BLUF): The Chinese state-backed hacking group Mustang Panda (also known as Earth Preta) has been observed using MAVInject.exe, a legitimate Microsoft Windows utility, to execute malware while bypassing ESET antivirus detection. The attack involves DLL sideloading, process injection, and a decoy PDF to lure victims—primarily targeting users in Thailand. The malware connects to a remote command-and-control (C2) server for data exfiltration and remote command execution.
Analyst Comments: Mustang Panda’s latest tactics demonstrate the continued evolution of state-sponsored attack techniques designed to evade endpoint detection. By leveraging MAVInject.exe and other built-in Windows tools, the group reduces its reliance on traditional malware execution methods, making detection more difficult. The targeting of Thailand suggests a broader geopolitical agenda, potentially tied to regional intelligence gathering. While ESET disputes claims that the attack bypassed its protections, the incident underscores the need for organizations to implement behavioral-based threat detection and proactive threat-hunting strategies to counter advanced persistent threats (APTs).
FROM THE MEDIA: Trend Micro researchers uncovered that Mustang Panda used MAVInject.exe to inject a TONESHELL backdoor into compromised systems, evading detection by ESET antivirus. The attack sequence starts with a malicious executable (IRSetup.exe), which drops multiple files, including a decoy PDF to distract victims. A legitimate Electronic Arts (EA) executable (OriginLegacyCLI.exe) is abused to sideload a rogue DLL (EACore.dll), which then checks for ESET processes before executing MAVInject.exe to inject the malware. The backdoor connects to www.militarytc[.]com:443, allowing remote attackers to execute commands and exfiltrate data. Following the report, ESET refuted claims that the attack successfully bypassed its protections, stating that it had already implemented detections for this malware variant in January 2025.
READ THE STORY: THN
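The execution chain in this story lends itself to behaviour-based rules rather than file hashes. The following Python is an added example (not Trend Micro's, ESET's or the threat actor's code) that applies three rules to Sysmon-style process, image-load and network events: MAVInject.exe launched by a parent other than the App-V client, OriginLegacyCLI.exe loading EACore.dll from a user-writable directory, and any process connecting to the C2 host named above. The event records, the App-V parent allowlist, the "user-writable" path prefixes and the EA install path are constructed assumptions for the demo; the C2 hostname and file names are the ones the report gives.

```python
"""Added example (not Trend Micro's, ESET's or Mustang Panda's code):
flag the execution chain the report describes using Sysmon-style events.
The event records below are constructed for this demo, not real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumption: in a legitimate App-V deployment only the App-V client spawns
# MAVInject.exe, so any other parent process is suspicious.
EXPECTED_MAVINJECT_PARENTS = {"appvclient.exe"}

# Locations a sideloaded DLL should never be loaded from (user-writable);
# assumed list for this example.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# C2 host named in the story, written defanged there as militarytc[.]com.
C2_HOSTS = {"www.militarytc.com"}


@dataclass
class Finding:
    technique: str   # MITRE ATT&CK ID for the observed behaviour
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(events: List[Dict[str, str]]) -> List[Finding]:
    """Apply three behaviour rules to an ordered list of events."""
    findings: List[Finding] = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            image = _basename(ev["image"])
            parent = _basename(ev.get("parent_image", ""))
            # Rule 1: signed Windows binary used for process injection (T1055)
            # started by something other than its expected parent.
            if image == "mavinject.exe" and parent not in EXPECTED_MAVINJECT_PARENTS:
                findings.append(Finding("T1055", f"MAVInject.exe spawned by {parent or '<unknown>'}"))
        elif kind == "image_load":
            image = _basename(ev["image"])
            loaded = ev["loaded"]
            # Rule 2: the EA binary loading EACore.dll from a user-writable
            # directory is the DLL sideloading step (T1574.002).
            if (image == "originlegacycli.exe" and _basename(loaded) == "eacore.dll"
                    and loaded.lower().startswith(USER_WRITABLE_PREFIXES)):
                findings.append(Finding("T1574.002", f"{image} sideloaded {loaded}"))
        elif kind == "network_connect":
            host = ev.get("dest_host", "").lower()
            # Rule 3: any process talking to the reported C2 host (T1071).
            if host in C2_HOSTS:
                findings.append(Finding("T1071", f"{_basename(ev['image'])} -> {host}:{ev.get('dest_port', '?')}"))
    return findings


# Constructed sample telemetry: the reported chain plus two benign look-alikes.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process_create", "image": "C:\\Users\\victim\\Downloads\\IRSetup.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"type": "image_load", "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\OriginLegacyCLI.exe",
     "loaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\EACore.dll"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\MAVInject.exe",
     "parent_image": "C:\\Users\\victim\\AppData\\Local\\Temp\\OriginLegacyCLI.exe"},
    # Constructed host-process name; the story does not name the injected process.
    {"type": "network_connect", "image": "C:\\Windows\\System32\\example_host.exe",
     "dest_host": "www.militarytc.com", "dest_port": "443"},
    # Benign: App-V client legitimately invoking MAVInject.exe (assumed path).
    {"type": "process_create", "image": "C:\\Windows\\System32\\MAVInject.exe",
     "parent_image": "C:\\Program Files\\Microsoft Application Virtualization\\Client\\AppVClient.exe"},
    # Benign: EA client loading its own DLL from its install directory (assumed path).
    {"type": "image_load", "image": "C:\\Program Files\\Origin\\OriginLegacyCLI.exe",
     "loaded": "C:\\Program Files\\Origin\\EACore.dll"},
]


def demo() -> List[Finding]:
    return analyse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in demo():
        print(f.technique, f.detail)
```

The two benign records show why the rules key on parent process and load path rather than on the binary names alone: MAVInject.exe and EACore.dll are legitimate files, and a rule that fired on their names would drown analysts in App-V and Origin noise.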
Chinese Money Brokers Fuel Fentanyl Trade, US Officials Warn
Bottom Line Up Front (BLUF): According to U.S. law enforcement officials, Chinese money laundering networks are critical in processing illicit drug profits from the U.S. fentanyl trade. These underground banking operations enable Mexican cartels to clean their drug money through Chinese brokers, who sell U.S. dollars to Chinese citizens seeking to move money overseas. This evolving financial system has become a cheaper and faster alternative to traditional money laundering methods, further complicating efforts to combat fentanyl trafficking.
Analyst Comments: The intersection of Chinese underground banking and Mexican drug cartels highlights the global complexity of the fentanyl crisis. Unlike traditional money laundering, this system benefits from China’s capital controls, which drive demand for U.S. dollars among Chinese nationals. The low-cost, high-speed nature of Chinese money laundering operations gives them a competitive edge over older cartel-backed schemes. As the U.S. government intensifies its crackdown, cooperation with Chinese authorities will be essential—but Beijing’s lukewarm response suggests significant geopolitical hurdles ahead. The challenge will be shutting down these networks without escalating tensions between Washington and Beijing.
FROM THE MEDIA: Through operations like “Fortune Runner,” U.S. law enforcement has uncovered complex laundering schemes where cash collected from drug sales in the U.S. is transferred through underground Chinese banking networks. The money is sold to Chinese nationals who want U.S. dollars, while cartels receive clean funds in China, often used to buy more fentanyl precursors. The DEA estimates that Chinese networks are laundering a significant portion of the global drug trade’s $500 billion annual revenue. U.S. authorities have indicted multiple individuals in response and called for more decisive action from China, though Beijing has largely deflected responsibility.
READ THE STORY: WSJ
New OpenSSH Flaws Enable Man-in-the-Middle and DoS Attacks — Patch Now
Bottom Line Up Front (BLUF): Two newly discovered vulnerabilities in OpenSSH could allow attackers to execute a Man-in-the-Middle (MitM) attack (CVE-2025-26465) and cause Denial-of-Service (DoS) (CVE-2025-26466) under specific conditions. These flaws impact OpenSSH versions 6.8p1 to 9.9p1 for MitM and 9.5p1 to 9.9p1 for DoS. The Qualys Threat Research Unit (TRU) urges organizations to patch immediately by upgrading to OpenSSH 9.9p2, which was released today.
Analyst Comments: These vulnerabilities reinforce the need for continuous monitoring and timely patching of critical infrastructure. The MitM flaw poses a significant risk, allowing attackers to impersonate legitimate SSH servers and compromising authentication and data integrity. While the VerifyHostKeyDNS option is disabled by default in OpenSSH, FreeBSD systems shipped between 2013 and 2023 may have it enabled by default, making them particularly vulnerable. The DoS vulnerability could lead to severe service disruptions, impacting remote management and server availability. Organizations should immediately apply the OpenSSH update, disable VerifyHostKeyDNS, and implement SSH key fingerprint validation to prevent exploitation.
FROM THE MEDIA: The Man-in-the-Middle (MitM) vulnerability (CVE-2025-26465, CVSS 6.8) affects OpenSSH clients from 6.8p1 to 9.9p1 and allows an attacker to impersonate SSH servers when VerifyHostKeyDNS is enabled, potentially compromising secure connections. The Denial-of-Service (DoS) vulnerability (CVE-2025-26466, CVSS 5.9) impacts OpenSSH 9.5p1 to 9.9p1, allowing repeated pre-authentication exploitation to cause high CPU and memory usage, leading to service disruptions. The FreeBSD operating system was particularly at risk because VerifyHostKeyDNS was enabled by default from 2013 to 2023, potentially exposing many systems to MitM attacks. OpenSSH 9.9p2 has been released to address both flaws, and security experts urge administrators to apply the patch immediately to prevent exploitation. This follows CVE-2024-6387 ("regreSSHion"), another OpenSSH flaw disclosed last year that allowed remote code execution with root privileges on glibc-based Linux systems.
READ THE STORY: THN
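For fleet triage, the two facts that matter per client are its OpenSSH version and whether VerifyHostKeyDNS is effectively enabled. The Python below is an added example (not Qualys' or the OpenSSH project's code) that takes the text printed by "ssh -V" and "ssh -G <host>", maps the version onto the affected ranges stated in the story, and reports which CVE applies and what to change. Assumptions: the version string follows the usual "OpenSSH_X.YpZ" form, any VerifyHostKeyDNS value other than "no" is treated as enabled, and the sample outputs are constructed.

```python
"""Added example (not Qualys' or OpenSSH's code): audit an OpenSSH client for
CVE-2025-26465 (MitM when VerifyHostKeyDNS is enabled) and CVE-2025-26466
(pre-auth DoS) from the text that `ssh -V` and `ssh -G <host>` print.
Affected ranges and the fixed release are those given in the story.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]          # (major, minor, portable patch level)

MITM_RANGE = ((6, 8, 1), (9, 9, 1))     # CVE-2025-26465
DOS_RANGE = ((9, 5, 1), (9, 9, 1))      # CVE-2025-26466
FIXED = (9, 9, 2)


def parse_version(ssh_v_output: str) -> Optional[Version]:
    """Extract e.g. (9, 9, 1) from 'OpenSSH_9.9p1, OpenSSL 3.0.13 ...'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", ssh_v_output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def parse_ssh_g(ssh_g_output: str) -> Dict[str, str]:
    """Turn the 'keyword value' lines of `ssh -G` into a lower-cased dict."""
    cfg: Dict[str, str] = {}
    for line in ssh_g_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            cfg[parts[0].lower()] = parts[1].strip()
    return cfg


def audit(ssh_v_output: str, ssh_g_output: str) -> List[str]:
    """Return a list of findings; empty means nothing to do."""
    ver = parse_version(ssh_v_output)
    if ver is None:
        return ["could not determine OpenSSH version"]
    if ver >= FIXED:
        return []
    cfg = parse_ssh_g(ssh_g_output)
    issues: List[str] = []
    if MITM_RANGE[0] <= ver <= MITM_RANGE[1]:
        # Assumption: anything other than 'no' (i.e. 'yes' or 'ask') counts as enabled.
        if cfg.get("verifyhostkeydns", "no").lower() != "no":
            issues.append("CVE-2025-26465: VerifyHostKeyDNS is enabled on an affected client; "
                          "set 'VerifyHostKeyDNS no' in ssh_config until upgraded to 9.9p2")
        else:
            issues.append("CVE-2025-26465: affected client version (mitigated while "
                          "VerifyHostKeyDNS stays 'no'); upgrade to 9.9p2")
    if DOS_RANGE[0] <= ver <= DOS_RANGE[1]:
        issues.append("CVE-2025-26466: affected version; upgrade to 9.9p2")
    return issues


def audit_local_client(host: str = "localhost") -> List[str]:
    """Run the audit against the installed client (ssh -V prints to stderr)."""
    v = subprocess.run(["ssh", "-V"], capture_output=True, text=True)
    g = subprocess.run(["ssh", "-G", host], capture_output=True, text=True)
    return audit(v.stderr + v.stdout, g.stdout)


# Constructed sample output for a 9.9p1 client that has VerifyHostKeyDNS on.
SAMPLE_SSH_V = "OpenSSH_9.9p1, OpenSSL 3.0.13 30 Jan 2024"
SAMPLE_SSH_G = (
    "user alice\n"
    "hostname bastion.example.internal\n"
    "verifyhostkeydns yes\n"
    "stricthostkeychecking ask\n"
)


def demo() -> List[str]:
    return audit(SAMPLE_SSH_V, SAMPLE_SSH_G)


if __name__ == "__main__":
    for issue in demo():
        print(issue)
```

"ssh -G" is the right source because it prints the effective value after Include files, Match blocks and distribution defaults are applied, which is exactly where a FreeBSD-style default would otherwise hide from a grep of ssh_config. The interim mitigation is the line VerifyHostKeyDNS no in the client configuration; pinning host keys in known_hosts (the fingerprint validation mentioned above) is what makes that setting safe to leave off.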
Google Unveils AI ‘Co-Scientist’ to Accelerate Research
Bottom Line Up Front (BLUF): Google has developed an AI-powered laboratory assistant, dubbed the “co-scientist,” to help researchers generate scientific hypotheses and speed up discoveries. Early trials at Stanford University, Imperial College London, and Houston Methodist Hospital have shown promising results, with the AI tool independently identifying breakthroughs in gene transfer mechanisms and drug repurposing for liver fibrosis. This innovation comes amid a broader push by tech companies to integrate AI into scientific research.
Analyst Comments: Google’s AI co-scientist represents a significant leap in applying artificial intelligence to research, particularly in biomedical and pharmaceutical fields. The tool’s ability to propose hypotheses within days—compared to years of human-led research—could revolutionize the pace of discovery. However, the reliance on AI-generated insights raises questions about scientific integrity, reproducibility, and ethical considerations. The broader trend suggests that AI-powered research assistants could soon become standard across industries, enhancing efficiency and disrupting traditional scientific workflows.
FROM THE MEDIA: The co-scientist is built from several cooperating AI agents: one agent generates ideas, another reviews them, and a third refines hypotheses. The system retrieves data from freely available scientific literature, databases, and AI models like DeepMind’s AlphaFold. In one trial, Google’s AI reached the same conclusions about a novel gene transfer mechanism as Imperial College London researchers—before their findings were published. Another test at Stanford University found that the AI assistant successfully suggested two existing drug types that could be repurposed for liver fibrosis treatment. Google’s announcement aligns with the broader trend of AI-powered tools transforming fields such as healthcare, energy, and materials science.
READ THE STORY: FT
New Snake Keylogger Variant Evades Detection Using AutoIt Scripting
Bottom Line Up Front (BLUF): A newly evolved Snake Keylogger variant actively targets Windows users in China, Turkey, Indonesia, Taiwan, and Spain. Fortinet FortiGuard Labs reports that the malware was behind 280 million blocked infection attempts in 2025. Notably, this variant leverages the AutoIt scripting language to evade detection, making it harder for traditional security tools to identify and block. Snake Keylogger is designed to steal sensitive data by logging keystrokes, capturing credentials, and monitoring the clipboard.
Analyst Comments: Adopting AutoIt scripting is a strategic move by cybercriminals to bypass static analysis and security mechanisms. This highlights a growing trend of leveraging automation and scripting languages to enhance malware persistence and evasion tactics. Given its ability to inject itself into legitimate Windows processes and maintain persistence through Visual Basic Scripts (VBS) in the Startup folder, Snake Keylogger poses a severe risk to financial institutions, enterprises, and individual users. Organizations should strengthen their endpoint detection and response (EDR) solutions and adopt behavior-based detection mechanisms rather than relying solely on signature-based defenses.
FROM THE MEDIA: The latest Snake Keylogger campaign spreads through phishing emails containing malicious attachments or links. The malware executes by embedding itself in an AutoIt-compiled binary, disguising its payload within what appears to be legitimate automation software. Once launched, it drops a copy of itself as "ageless.exe" in the "%Local_AppData%\supergroup" folder and ensures persistence by creating a VBS script in the Windows Startup directory.
READ THE STORY: THN
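The persistence step above (a VBS script in the Startup folder that launches a dropped executable under %LocalAppData%) is a host artifact that can be triaged without any signature for the AutoIt-packed binary itself. The following Python is an added example (not Fortinet's or the malware's code): it enumerates script files in a Startup directory, pulls out every executable path each script references, and flags targets that live under LocalAppData, with a specific note when the path matches the reported supergroup\ageless.exe drop location. The fixture directory, the script contents and the placeholder "ageless.exe" bytes are constructed in a temporary folder so the demo runs on any OS; the path names are assumptions except for the two taken from the story.

```python
"""Added example (not Fortinet's code): triage Startup-folder scripts for the
persistence pattern described for Snake Keylogger. The fixture below is
constructed in a temporary directory; nothing is read from the real system.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Tuple

# Script types that Windows will execute directly from the Startup folder.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd"}
# A path ending in .exe, written as a drive path, a POSIX path (so the demo
# works on Linux), or via an environment placeholder such as %LOCALAPPDATA%.
EXE_REF = re.compile(r'(?:[A-Za-z]:\\|/|%[A-Za-z_]+%\\)[^"\'\r\n]*?\.exe', re.IGNORECASE)
# Drop location named in the story: %LocalAppData%\supergroup\ageless.exe
REPORTED_DIR, REPORTED_EXE = "supergroup", "ageless.exe"


@dataclass
class Hit:
    script: str   # Startup entry that launches the target
    target: str   # executable it launches
    reason: str


def triage_startup(startup_dir: str, local_appdata: str) -> List[Hit]:
    """Flag Startup scripts whose launch target is in a user-writable location."""
    hits: List[Hit] = []
    la_norm = os.path.normcase(os.path.abspath(local_appdata))
    for name in sorted(os.listdir(startup_dir)):
        if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
            continue                                     # .lnk, .ini etc. are not scripts
        text = Path(startup_dir, name).read_text(errors="replace")
        for m in EXE_REF.finditer(text):
            # Resolve the placeholder the way the loader would, then normalise separators.
            target = re.sub(r"%localappdata%", lambda _: local_appdata, m.group(0), flags=re.I)
            t_norm = os.path.normcase(os.path.abspath(target.replace("\\", os.sep)))
            parent = os.path.basename(os.path.dirname(t_norm)).lower()
            if os.path.basename(t_norm).lower() == REPORTED_EXE and parent == REPORTED_DIR:
                hits.append(Hit(name, target, "matches the reported Snake Keylogger drop path supergroup\\ageless.exe"))
            elif t_norm.startswith(la_norm + os.sep):
                hits.append(Hit(name, target, "Startup script launches an executable from the user-writable LocalAppData tree"))
    return hits


def build_fixture(root: str) -> Tuple[str, str]:
    """Create a constructed Startup folder and LocalAppData tree under root."""
    startup = os.path.join(root, "Startup")
    local_appdata = os.path.join(root, "LocalAppData")
    drop_dir = os.path.join(local_appdata, REPORTED_DIR)
    os.makedirs(startup)
    os.makedirs(drop_dir)
    os.makedirs(os.path.join(local_appdata, "Tools"))
    Path(drop_dir, REPORTED_EXE).write_bytes(b"MZ placeholder, not a real binary")
    dropped = os.path.join(drop_dir, REPORTED_EXE)
    helper = os.path.join(local_appdata, "Tools", "helper.exe")
    # Persistence entry with a literal path, as the story describes.
    Path(startup, "update.vbs").write_text(
        f'Set sh = CreateObject("WScript.Shell")\nsh.Run "{dropped}", 0\n')
    # Same target reached through the environment placeholder.
    Path(startup, "sync.bat").write_text('start "" "%LOCALAPPDATA%\\supergroup\\ageless.exe"\n')
    # Unrelated LocalAppData launcher: still worth a look, different reason.
    Path(startup, "helper.js").write_text(f'new ActiveXObject("WScript.Shell").Run("{helper}");\n')
    # Noise that should not be flagged.
    Path(startup, "benign.vbs").write_text('MsgBox "hello"\n')
    Path(startup, "OneDrive.lnk").write_bytes(b"")
    return startup, local_appdata


def demo() -> List[Hit]:
    with tempfile.TemporaryDirectory() as root:
        startup, local_appdata = build_fixture(root)
        return triage_startup(startup, local_appdata)


if __name__ == "__main__":
    for h in demo():
        print(f"{h.script}: {h.target} ({h.reason})")
```

On a real host the two arguments would be the per-user Startup folder and %LocalAppData%; the point of the second rule is that it survives the malware renaming ageless.exe or the supergroup folder, because nothing legitimate that an enterprise deploys should be auto-started from a script pointing into the user's own profile.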
China’s Expanding Cyber Influence: Risks for Global Digital Security
Bottom Line Up Front (BLUF): China’s growing dominance in ecommerce and digital technology is raising cybersecurity and economic concerns in the West. With platforms like Alibaba, Temu, and TikTok leveraging advanced data analytics, China is shaping global online commerce while maintaining strict data control. Concerns include unfair competition, data privacy risks, and the Chinese Communist Party’s (CCP) ability to access vast consumer data. Experts warn that China’s long-term strategy, outlined in the Digital China initiative, could reshape global internet governance in ways that threaten cybersecurity, privacy, and digital freedoms.
Analyst Comments: By integrating e-commerce with social media, AI-driven analytics, and restrictive data policies, China is creating an ecosystem that not only dominates online commerce but also limits Western companies’ ability to compete fairly. The cybersecurity risks are particularly concerning, as Chinese data laws require companies to cooperate with state surveillance efforts. With platforms like Temu and TikTok collecting vast user data, there is a growing risk that sensitive personal information could be exploited for economic or political influence. As China pushes its internet governance standards, Western nations must strengthen data security policies and promote transparency in digital markets to counteract these risks.
FROM THE MEDIA: China has overtaken the U.S. in global e-commerce revenue, generating $1.255 trillion in 2023. This growth is driven by platforms like Alibaba, JD.com, and TikTok’s e-commerce integration, which leverages AI to optimize sales and personalize user experiences. However, concerns are rising over China’s restrictive data policies, which prevent Western companies from collecting competitive intelligence while Chinese firms continue aggressive data harvesting. The Digital China initiative aims to establish Chinese standards for global internet governance, raising fears of increased surveillance, censorship, and unfair market practices. Platforms like Temu have also been scrutinized for excessive data collection, including access to microphones, cameras, and contact lists. Western governments are responding with efforts to regulate Chinese tech influence, such as potential TikTok bans and increased scrutiny of Chinese e-commerce firms operating abroad.
READ THE STORY: RTP
Items of interest
Debunking the AI Hype: Inside Real Hacker Tactics
Bottom Line Up Front (BLUF): Despite growing concerns about AI-driven cyber threats, Picus Labs’ new Red Report 2025 research finds that traditional malware tactics and credential theft techniques still dominate the threat landscape. While AI is being used for efficiency improvements, such as crafting more convincing phishing emails, it has not fundamentally changed how cyberattacks are conducted. Instead, attackers continue to rely on well-established MITRE ATT&CK techniques, with credential theft incidents tripling in the past year.
Analyst Comments: While AI will eventually become a significant factor in cybercrime, most successful attacks still exploit weak credentials, unpatched vulnerabilities, and standard attack techniques. Organizations should prioritize proactive threat detection, robust credential management, and continuous security validation rather than overestimating AI-driven risks. Defensive strategies should remain grounded in fundamentals, including behavioral analysis and zero-trust security models, which have proven effective against modern threats.
FROM THE MEDIA: The Picus Red Report 2025 analyzed over one million malware samples and found no significant increase in AI-driven attacks in 2024. Instead, credential theft incidents spiked from 8% to 25%, driven by attackers targeting password managers, browser-stored credentials, and cached logins to escalate privileges and move laterally. Additionally, 93% of malware samples relied on one or more of the Top 10 MITRE ATT&CK techniques, including T1055 (Process Injection), T1059 (Command Execution), and T1071 (Covert Application Layer Protocols)—all designed to evade detection and exfiltrate data stealthily. The report emphasizes that modern malware chains multiple attack stages, making behavior-based detection essential. Instead of chasing AI threats that are not widespread, security teams should double down on cybersecurity fundamentals, such as credential protection, advanced threat detection, and continuous security validation, to defend against the threats actively used today.
READ THE STORY: THN
Using AI to Become a Hacker (Video)
FROM THE MEDIA: Unlock the power of AI to supercharge your hacking studies! In this video, NetworkChuck reveals 7 game-changing ways to use artificial intelligence to master cybersecurity skills, including the CPTS certification. Learn how to create personalized study plans, generate flashcards, and even have an AI quiz you on complex topics. Discover how tools like Notion AI and ChatGPT can transform your learning process, making you a more efficient and effective hacker. Whether you're a beginner or an experienced professional, these AI-powered study techniques will revolutionize your approach to cybersecurity education.
The Truth is AI | Inside the Tools & Tactics of Hackers (Video)
FROM THE MEDIA: Step into the hidden world of hackers and uncover the tools, tactics, and ethical dilemmas shaping our digital age. From phishing and ransomware to cutting-edge AI-powered attacks, this video explores the complex landscape of cybersecurity. Learn about the methods used by white-hat, black-hat, and gray-hat hackers, the evolving threats of cyber warfare, and the pivotal role of technology in both protecting and compromising our digital lives. Whether you're a tech enthusiast or simply curious about the unseen battles in cyberspace, this deep dive will leave you informed and inspired.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.