Thursday, Feb 27, 2025 // (IG): BB // GITHUB // SN R&D
Wallbleed: Memory-Leaking Flaw in China's Great Firewall Exposed
Bottom Line Up Front (BLUF): Security researchers have uncovered a memory-dumping vulnerability in China's Great Firewall (GFW), dubbed Wallbleed. The vulnerability leaks up to 125 bytes of memory at a time. The flaw lies in the firewall’s DNS injection subsystem and allowed researchers to extract sensitive data and analyze Beijing’s censorship infrastructure. Despite two patch attempts in 2023 and 2024, the vulnerability remained exploitable until March 2024.
Analyst Comments: Wallbleed represents a rare and significant insight into the inner workings of China's censorship system, reinforcing concerns that censorship tools can inadvertently create security risks. The ability to extract plain-text network traffic data and infer the CPU architecture of the GFW middleboxes highlights potential weaknesses in China’s broader internet control mechanisms. While the flaw has now been patched, similar vulnerabilities may exist, and further research could uncover additional weaknesses in censorship infrastructure worldwide. Additionally, the discovery underscores how state-operated internet control mechanisms can inadvertently expose their systems to external analysis and potential exploitation.
FROM THE MEDIA: A team of eight security researchers and academics uncovered Wallbleed, a memory-leaking vulnerability in the DNS injection system of the Great Firewall of China. This flaw, which has been present since at least October 2021, was used by researchers to study China’s censorship infrastructure. By crafting specific DNS queries, they could extract 125 bytes of memory from GFW middleboxes, revealing network traffic data and system details. The Great Firewall Report project team continuously monitored the flaw from October 2021 to March 2024, observing two unsuccessful patch attempts in late 2023 before the final fix in March 2024. Their research confirmed that GFW's middleboxes handle traffic from hundreds of millions of IP addresses across China, demonstrating the firewall's extensive reach and control.
READ THE STORY: The Register
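The bounds check at the heart of the Wallbleed story above, as an added C example that is not code from the researchers, the GFW, or The Register's article: a DNS name is a sequence of length-prefixed labels, and a query whose label-length byte claims more bytes than the packet actually contains will make any parser that trusts that byte walk past the end of the packet. The naive walk below computes a name length larger than the packet (the over-read pattern), while the checked version compares every label against the real packet length and rejects the query; both sample packets are constructed here, and the 64-byte zero-padded buffer stands in for neighbouring memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_HDR_LEN 12   /* a DNS message starts with a fixed 12-byte header */

/* Constructed well-formed query for example.com (A, IN): 29 bytes. */
static const uint8_t good_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,       /* header */
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,   /* QNAME */
    0x00, 0x01, 0x00, 0x01                                       /* QTYPE, QCLASS */
};

/* Constructed truncated query: the packet is only 15 bytes long, but its first
 * label-length byte (0x20) claims 32 bytes of name. The zero padding after it
 * stands in for whatever happens to sit next to the packet in memory. */
static const uint8_t trunc_mem[64] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,       /* header */
    0x20, 'e', 'x'                                               /* packet ends here */
};
static const size_t trunc_query_len = 15;

static uint8_t copied_qname[64];   /* destination for copy_qname_checked() */

/* Unchecked walk: trusts every label-length byte and never compares against
 * the packet length. On the truncated query it returns 34, far more than the
 * 3 name bytes that exist, so copying that many bytes would read past the
 * packet into neighbouring memory. This is the over-read pattern. */
size_t naive_qname_len(const uint8_t *pkt, size_t off)
{
    size_t pos = off;
    while (pkt[pos] != 0)
        pos += 1 + pkt[pos];
    return pos + 1 - off;
}

/* Checked walk: every label must fit inside pkt_len and the name must end
 * with a zero byte inside the packet. Returns the name length or -1. */
int checked_qname_len(const uint8_t *pkt, size_t pkt_len, size_t off)
{
    size_t pos = off;
    while (pos < pkt_len) {
        uint8_t label = pkt[pos];
        if (label == 0)
            return (int)(pos + 1 - off);
        if (label & 0xC0)                 /* no compression pointers in a query name */
            return -1;
        if (pos + 1 + label > pkt_len)    /* label runs past the end of the packet */
            return -1;
        pos += 1 + label;
    }
    return -1;                            /* no terminating zero inside the packet */
}

/* Copy the query name into a response buffer only after it has been
 * validated against the real packet length. Returns bytes copied or -1. */
int copy_qname_checked(const uint8_t *pkt, size_t pkt_len, uint8_t *out, size_t out_len)
{
    int n = pkt_len > DNS_HDR_LEN ? checked_qname_len(pkt, pkt_len, DNS_HDR_LEN) : -1;
    if (n < 0 || (size_t)n > out_len)
        return -1;
    memcpy(out, pkt + DNS_HDR_LEN, (size_t)n);
    return n;
}
```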
Cellebrite Cuts Off Serbia Over Alleged Phone-Cracking Abuse Against Civil Society
Bottom Line Up Front (BLUF): Israeli digital forensics company Cellebrite has revoked Serbia’s access to its phone-unlocking software following allegations that Serbian authorities used the technology to hack into civilians' phones and install spyware. Amnesty International reported that journalists and activists were among the targets, prompting Cellebrite to reassess its partnership with Serbia. The move comes amid growing concerns over authoritarian surveillance practices in the country.
Analyst Comments: Cellebrite’s decision to cut off Serbia highlights the growing scrutiny of digital forensics tools and their potential misuse by authoritarian regimes. While the company claims to prioritize ethical use, the incident underscores the challenges of enforcing oversight once such tools are sold to governments. The broader implications extend beyond Serbia, as other governments and law enforcement agencies worldwide rely on similar technologies. This case may increase calls for stricter regulations on selling forensic software to nations with poor human rights records.
FROM THE MEDIA: Cellebrite announced it would no longer license its software to Serbia after an Amnesty International report accused Serbian authorities of using the technology to access phones and deploy spyware illegally. The report detailed how an environmental activist and an investigative journalist had their phones compromised, with evidence pointing to Cellebrite’s forensic tools and a new Serbian-made spyware. Amnesty has urged Cellebrite to implement stricter due diligence processes to prevent further human rights violations. Meanwhile, Serbia has faced increased criticism for its authoritarian crackdown on dissent, with raids on civil society organizations occurring just one day before Cellebrite’s announcement.
READ THE STORY: The Record
U.S. Must Strengthen Cyber and Strategic Defenses Against China’s Expanding Influence
Bottom Line Up Front (BLUF): China’s growing global influence poses a direct threat to U.S. national security, economy, and critical infrastructure, according to a recent U.S. House Committee on Homeland Security report. Beijing’s tactics include espionage, cyber warfare, control over strategic infrastructure, and influence operations in the U.S. and abroad. The Panama Canal, cyber intrusions targeting energy grids and water systems, and covert intelligence gathering through technology and academic institutions are key areas of concern. Experts warn that proactive measures are needed to counter China’s increasing geopolitical reach.
Analyst Comments: China’s multi-pronged approach to global influence includes hacking critical U.S. infrastructure, leveraging economic espionage, and securing control over vital trade routes like the Panama Canal. These activities demonstrate a long-term strategy to undermine U.S. dominance in trade, technology, and military readiness. The expansion of Chinese surveillance through technology, including internet-connected security cameras, raises concerns over data privacy and national security risks. The U.S. must strengthen cybersecurity, enforce stricter foreign investment regulations, enhance supply chain security, and reinforce its naval presence in strategic regions to mitigate these threats.
FROM THE MEDIA: The FBI warns that China is responsible for over 80% of U.S. economic espionage cases, often using initiatives like the "Thousand Talents Plan" to acquire sensitive intellectual property. Chinese hacking groups have targeted U.S. water systems, energy grids, and hospitals. Beijing’s investments in Latin American ports and the Panama Canal raise concerns over China's ability to disrupt global trade. Additionally, reports indicate that China has covertly operated intelligence-gathering facilities in U.S. cities, pressuring dissidents and influencing local politics. Experts emphasize the urgent need for the U.S. to counter these threats with decisive cybersecurity, economic, and military strategies.
READ THE STORY: Arab News
Taiwan Detains Chinese-Crewed Ship After Undersea Cable Cut
Bottom Line Up Front (BLUF): Taiwanese authorities have detained a Chinese-crewed cargo ship, the Hongtai, after an undersea telecom cable connecting Penghu and Taiwan was severed. While the cause remains under investigation, officials suspect a potential Chinese "gray zone" intrusion, referring to operations that fall short of direct military conflict. Taiwan has faced multiple undersea cable disruptions in recent years, some attributed to Chinese vessels.
Analyst Comments: Beijing has long been suspected of targeting Taiwan’s undersea cable infrastructure, crucial for maintaining connectivity during a potential conflict. The detention of the Hongtai, which sails under a flag of convenience but is Chinese-funded, raises suspicions that China is testing Taiwan’s response mechanisms. If confirmed as intentional sabotage, this could signal a broader strategy to disrupt Taiwan’s communication networks ahead of a potential blockade or military action. Taiwan must enhance maritime monitoring and cybersecurity measures to mitigate future disruptions.
FROM THE MEDIA: Taiwan’s Chunghwa Telecom reported a break in an undersea cable connecting Penghu to Taiwan. The Taiwanese Coast Guard intercepted the Togolese-registered Hongtai, crewed by eight Chinese nationals, near the disruption site and escorted it back for investigation. While the Ministry of Digital Affairs has rerouted communications, officials stress that further inquiry is needed to determine if the damage was accidental or intentional sabotage. Taiwan has 14 international and 10 domestic undersea cables, making them a strategic vulnerability amid rising tensions with China.
READ THE STORY: SPACEWAR
U.S. Officials Alarmed Over UK’s Demand for Apple Encryption Backdoor
Bottom Line Up Front (BLUF): U.S. Director of National Intelligence (DNI) Tulsi Gabbard has launched a legal review of the UK government’s secret directive ordering Apple to provide a backdoor into encrypted data. Gabbard stated she was not briefed on the order, which may violate U.S. citizens' privacy rights and breach international agreements. Apple refused to comply, pulling its top encryption tools from the UK market on February 21, 2025. Lawmakers have warned the move could threaten U.S.-UK intelligence sharing if Britain does not rescind its demand.
Analyst Comments: This controversy highlights the ongoing global battle over encryption and government access to private data. While the UK frames its demand as a national security measure, the U.S. sees it as a direct threat to privacy and a potential cybersecurity vulnerability. A backdoor for one government could be exploited by adversaries, making encrypted data less secure. If the UK proceeds, it could strain U.S.-UK intelligence relations, especially given the CLOUD Act Agreement, which prohibits foreign governments from unilaterally accessing U.S. citizens' data. Expect continued political and legal challenges as this issue unfolds.
FROM THE MEDIA: Gabbard informed Senator Ron Wyden (D-OR) and Representative Andy Biggs (R-AZ) that the UK never disclosed its demand for an Apple encryption backdoor, which was first reported earlier this month by The Washington Post. Apple responded by removing its advanced encryption tools from the British market instead of complying. U.S. lawmakers have called for re-evaluating intelligence-sharing agreements if the UK does not withdraw the request. Gabbard has ordered U.S. intelligence and law enforcement agencies to assess the situation before engaging with the British government.
READ THE STORY: The Record
Chinese Hackers Breach Belgian State Security Emails in Major Espionage Operation
Bottom Line Up Front (BLUF): A Chinese state-backed hacking group infiltrated Belgium’s State Security Service (VSSE) email system between 2021 and 2023, marking the most significant breach in the agency’s history, according to a report by Le Soir. The attackers exploited a known vulnerability in Barracuda email security software, previously disclosed in 2023. While no classified information was compromised, the breach exposed correspondence with law enforcement, government officials, and intelligence personnel data.
Analyst Comments: China-linked hackers gained access to sensitive communications by exploiting commercial software vulnerabilities, potentially impacting Belgium’s intelligence operations and diplomatic efforts. The incident also highlights the delayed patching of known vulnerabilities as a significant security risk. Given China’s track record of targeting critical infrastructure and state agencies, this breach raises concerns about broader European espionage efforts. Governments must tighten supply chain security, enforce rapid patch management, and enhance monitoring of third-party software dependencies.
FROM THE MEDIA: Belgian newspaper Le Soir reported on February 26, 2025, that a Chinese cyber-espionage group accessed Belgium’s State Security Service (VSSE) email system for nearly two years by exploiting a Barracuda email security software vulnerability. The attack also affected the Belgian Pipeline Organisation, which monitors pipelines in the North Sea. Google’s Mandiant researchers previously linked the hacking group to Chinese state intelligence operations. While classified documents were stored on an internal server and remained secure, the breach exposed correspondence with police, prosecutors, ministerial offices, and intelligence personnel data. Belgian authorities have yet to comment on the full scope of the breach.
READ THE STORY: Politico
Hackers-for-Hire Target Ukrainian Notaries to Manipulate State Registries
Bottom Line Up Front (BLUF): Ukraine’s cyber response team (CERT-UA) has identified UAC-0173, a hack-for-hire group targeting notaries' computers to gain remote access and manipulate government registries. The attackers, who have been active since mid-January, distribute phishing emails impersonating Ukraine’s Ministry of Justice. They use DarkCrystal, a cheap Russian backdoor, to steal credentials and deploy further attacks. While the extent of their success is unclear, authorities have intercepted some attacks before registry modifications were completed.
Analyst Comments: This attack highlights the increasing use of cyber mercenaries in state-sponsored operations. While UAC-0173’s financial backing remains unknown, its target selection suggests ties to Russian interests, particularly given prior attacks on Ukraine’s justice system. DarkCrystal, an inexpensive and widely available malware, indicates that even low-cost tools can be effective for high-impact cyber operations. Additionally, the parallel attack by UAC-0212 on industrial suppliers suggests a broader strategy to disrupt Ukraine’s legal and economic infrastructure. As cyber warfare escalates, Ukraine’s government and businesses must harden defenses against phishing, improve endpoint detection, and secure critical infrastructure access.
FROM THE MEDIA: CERT-UA reports that UAC-0173 has been phishing Ukrainian notaries since mid-January, using fraudulent emails disguised as official Ministry of Justice correspondence. Once victims open these emails, DarkCrystal malware is installed, enabling attackers to spy on activities, steal authentication data, and attempt unauthorized modifications to state registries. The same group deployed AsyncRAT in August 2024 to target Ukraine’s legal sector. Meanwhile, a separate hacker group, UAC-0212, linked to Russia’s Sandworm, has been targeting industrial suppliers in Ukraine, Serbia, and Czechia since July 2024. CERT-UA is actively monitoring both campaigns and has prevented several attempted breaches.
READ THE STORY: The Record
Google Warns Cybercrime is a Growing National Security Threat
Bottom Line Up Front (BLUF): Google’s Threat Intelligence Group warns that financially motivated cybercrime poses as much risk to national security as state-sponsored attacks. The report highlights how ransomware, data theft, and cybercriminal exploits can disrupt critical services just as nation-state attacks do. Cybercrime is also being weaponized by state actors, with groups like Russia’s Sandworm, Iranian APTs, and North Korean hackers leveraging cybercriminal tools for espionage and sabotage. Google calls for international cooperation to combat cyber threats that transcend borders.
Analyst Comments: Google’s team exposes the blurring lines between cybercrime and cyber warfare. Traditionally, security experts have focused on state-backed APTs while treating financially motivated cybercrime as a separate issue. However, with ransomware crippling hospitals, infrastructure, and businesses, the real-world impact of cybercrime is indistinguishable from nation-state attacks. Additionally, nation-states are increasingly outsourcing operations to cyber criminals, making attribution harder and enforcement more complex. Addressing this challenge will require greater international collaboration, improved cyber resilience for critical sectors, and more substantial law enforcement efforts against cybercrime syndicates.
FROM THE MEDIA: A February 12, 2025 analysis from Google emphasizes how cybercrime has evolved into a national security issue, with ransomware and data breaches causing severe disruptions. The report cites Russian, Iranian, Chinese, and North Korean cyber operations that rely on hacker-for-hire groups or commercially available malware to enhance their capabilities. It warns that healthcare data leaks have doubled in three years, emphasizing the threat to critical services. Google also notes that state actors exploit stolen data from cybercrime operations just as they would in traditional espionage campaigns. The tech giant urges international law enforcement collaboration to track and dismantle these cybercriminal networks.
READ THE STORY: Forbes
CrowdStrike: China’s Cyber Capabilities Reach ‘Inflection Point’ with Specialized Attacks
Bottom Line Up Front (BLUF): CrowdStrike research reveals a 150% increase in China-backed cyber intrusions in 2024, shifting toward sector-specific attacks targeting financial services, media, manufacturing, and critical infrastructure. The report highlights how Chinese hacking groups, including Salt Typhoon (Operator Panda) and Volt Typhoon (Vanguard Panda), are refining their offensive capabilities. These groups increasingly use relay botnets and persistence techniques to evade detection and maintain access to telecom, logistics, and military-related networks, raising concerns about China’s potential cyber warfare readiness in a Taiwan conflict.
Analyst Comments: China’s cyber strategy is evolving beyond broad espionage into highly specialized, long-term intrusions that blend intelligence gathering with critical infrastructure pre-positioning. The emergence of sector-focused APTs like Liminal Panda and Locksmith Panda suggests a deliberate effort to compromise key industries that could be leveraged in future geopolitical conflicts. Using operational relay box (ORB) networks to hide attack origins also signals a more sophisticated approach to stealth and persistence. If tensions over Taiwan escalate, China’s pre-established access to logistics and communication networks could significantly hinder U.S. military response efforts. Governments and industries must prioritize detecting stealthy cyber operations and supply chain security to counteract these evolving threats.
FROM THE MEDIA: CrowdStrike’s annual threat report, released on February 27, 2025, details a significant increase in China-linked cyberattacks, with intrusions tripling or quadrupling in financial services, industrials, and engineering sectors. Salt Typhoon (Operator Panda), active since 2022, continues to infiltrate global telecom networks, while Volt Typhoon (Vanguard Panda) focuses on maritime, air, and logistics networks. China-backed groups use relay botnets (ORB networks) to mask their activities, moving away from “smash-and-grab” tactics toward persistent, covert access. The report warns that these pre-positioning efforts could limit U.S. military response capabilities in a Taiwan conflict. China seeks to disrupt logistics and supply chains critical to U.S. military deployments.
READ THE STORY: Cyberscoop // TechTarget
Items of interest
GitVenom Malware Hijacks Bitcoin Wallets Using Fake GitHub Projects
Bottom Line Up Front (BLUF): A sophisticated malware campaign dubbed GitVenom has been found infecting GitHub repositories to steal cryptocurrency and sensitive user data. Researchers at Kaspersky report that the campaign has been active for at least two years, using fake open-source projects to trick developers, gamers, and crypto investors. The malware has stolen approximately $456,600 (5 BTC), primarily targeting users in Russia, Brazil, and Turkey.
Analyst Comments: GitVenom highlights a growing trend where code-sharing platforms like GitHub are exploited to distribute malware, leveraging the trust developers place in open-source software. Clipper malware—which replaces copied wallet addresses to redirect funds—demonstrates a direct monetization strategy. Additionally, the inclusion of remote administration tools (RATs) like AsyncRAT and QuasarRAT suggests an interest in long-term access to infected systems. Given GitHub’s vast ecosystem, similar threats will likely persist, necessitating strict code vetting before execution.
FROM THE MEDIA: Kaspersky uncovered over 200 malicious GitHub repositories masquerading as legitimate open-source projects, including Instagram automation tools, Telegram Bitcoin wallet managers, and Valorant game cheats. These repositories, designed to appear credible with thousands of commits and detailed README files, contain embedded malware that, when executed, downloads additional payloads from attacker-controlled GitHub repositories. The malware includes a Node.js-based information stealer that collects passwords, bank details, cryptocurrency wallets, and browsing history before exfiltrating the data via Telegram. Additionally, a clipper malware hijacks copied wallet addresses to redirect cryptocurrency transactions, while remote access trojans (RATs) like AsyncRAT and QuasarRAT enable attackers to maintain persistent control over infected systems. Security experts emphasize the need for rigorous code review before executing third-party software, as GitHub remains a prime target for cybercriminals.
READ THE STORY: THN // The Register
Hackers Use Github For Malware (Video)
FROM THE MEDIA: Cybercriminals abuse GitHub to distribute malware through fake open-source projects, targeting developers, gamers, and cryptocurrency investors. Security researchers at Kaspersky uncovered over 200 malicious repositories that have been active for at least two years. The campaign, dubbed GitVenom, has facilitated the theft of approximately $456,600 in Bitcoin (5 BTC) by hijacking clipboard wallet addresses and stealing sensitive user data.
Github is Dangerous (Video)
FROM THE MEDIA: Imagine diving into GitHub, looking for cool projects to level up your coding skills—only to discover that hackers hide malware inside fake repositories. In this video, I’m exposing a sneaky cyber campaign where attackers weaponize GitHub’s trust to spread tools like AsyncRAT, clipper malware, and info stealers—right under everyone’s noses. Stay tuned to learn how they do it and how you can protect yourself from these hidden threats!
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.