
From China with love (and Malware).
US Justice Department charges employees of Chinese IT contractor i-Soon. Silk Typhoon targets the IT supply chain for initial access. Chrome extensions that change shape. Attackers target Apache Airflow misconfigurations. LibreOffice vulnerability opens the door to script-based attacks. NSO group leaders face charges in spyware case. Today, our own Dave Bittner is our guest as he appeared on the Adopting Zero Trust podcast at ThreatLocker’s Zero Trust World 2025 event with hosts Elliot Volkman and Neal Dennis and guest Dr. Chase Cunningham. And turning $1B into thin air.
Today is March 6th, 2025. I’m Maria Varmazis, subbing in for Dave Bittner on vacation. And this is your CyberWire Intel Briefing.
Thanks for joining us on this lovely Thursday.
US Justice Department charges employees of Chinese IT contractor i-Soon.
The US Justice Department has charged twelve Chinese nationals for their alleged involvement in hacking US entities on behalf of the Chinese government. Two of the individuals are officers with the PRC's Ministry of Public Security (MPS), and eight are employees of Chinese IT security contractor i-Soon. Two additional defendants are freelancers tied to the APT27 threat actor, who assisted i-Soon in some operations.
The Justice Department says the MPS and the Ministry of State Security (MSS) hired i-Soon to carry out espionage campaigns against organizations around the globe, including the US Defense Intelligence Agency, the US Commerce Department, a major US religious organization, and news organizations based in the US and Hong Kong. i-Soon also allegedly hacked the foreign ministries of India, Indonesia, South Korea, and Taiwan. The FBI says i-Soon's activities have been publicly tracked as Aquatic Panda, Red Alpha, Red Hotel, Charcoal Typhoon, Red Scylla, Hassium, Chromium, and TAG-22.
Justice said in a press release, "From approximately 2016 through 2023, i-Soon and its personnel engaged in the numerous and widespread hacking of email accounts, cell phones, servers, and websites at the direction of, and in close coordination with, the PRC’s MSS and MPS. i-Soon generated tens of millions of dollars in revenue and at times had over 100 employees. i-Soon’s primary customers were PRC government agencies. It worked with at least 43 different MSS or MPS bureaus and charged the MSS and MPS between approximately $10,000 and $75,000 for each email inbox it successfully hacked."
i-Soon sustained a major breach in early 2024 that exposed its inner workings and ties to the Chinese government, as well as its hacking tools and services.
Silk Typhoon targets the IT supply chain for initial access.
Microsoft has published a report on the Chinese espionage actor Silk Typhoon, finding the group is "now targeting common IT solutions like remote management tools and cloud applications to gain initial access." Microsoft states, "While they haven’t been observed directly targeting Microsoft cloud services, they do exploit unpatched applications that allow them to elevate their access in targeted organizations and conduct further malicious activities. After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives."
BleepingComputer notes that Silk Typhoon recently made headlines for hacking the US Treasury's Office of Foreign Assets Control (OFAC) in December 2024.
Chrome extensions that change shape.
A newly identified "polymorphic" attack enables malicious Chrome extensions to impersonate legitimate ones, such as password managers, cryptocurrency wallets, and banking applications, thereby facilitating the theft of sensitive user information. Researchers at SquareX Labs demonstrated that these extensions can detect other installed extensions using the 'chrome.management' API or by injecting resources into visited web pages. Upon identifying a target, the malicious extension downloads code to replicate the legitimate extension's interface, deceiving users into entering confidential data. One practical caveat for defenders: the chrome.management API is only available to extensions that request the "management" permission in their manifest, so that permission is a useful flag when reviewing what is installed in a fleet.
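As an added example (not SquareX's research code or any Chrome source), the audit below looks for the manifest capabilities the technique described above depends on: the "management" permission (needed for chrome.management.getAll), content-script or host access to every site (needed to probe and mimic pages), and web-accessible resources (which make an extension fingerprintable by pages and by other extensions). The manifests are constructed for illustration and do not correspond to real extensions; the extension names are made up.

```python
"""Audit Chrome extension manifests (MV2 and MV3) for capabilities that
enable extension enumeration and UI impersonation. Added example; the
manifests below are constructed, not taken from any real extension."""
import json

BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def risk_findings(manifest):
    """Return a list of human-readable findings for one parsed manifest."""
    findings = []
    mv = manifest.get("manifest_version", 2)
    perms = set(manifest.get("permissions", []))

    # chrome.management.getAll() is gated on this permission; without it an
    # extension cannot list what else is installed.
    if "management" in perms:
        findings.append("management permission: can enumerate installed extensions")

    # MV3 moved host patterns to host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    cs_matches = {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}
    if (hosts | cs_matches) & BROAD_MATCHES:
        findings.append("all-sites access: can inject into and inspect every visited page")

    # Web-accessible resources can be fetched from page context, which is the
    # classic way to probe whether a given extension is installed.
    war = manifest.get("web_accessible_resources", [])
    if mv >= 3:
        resources = [r for entry in war for r in entry.get("resources", [])]
    else:
        resources = list(war)
    if resources:
        findings.append(f"{len(resources)} web-accessible resource(s): fingerprintable by pages and other extensions")
    return findings


def audit_manifest_json(text):
    """Parse a manifest.json file's text and audit it."""
    return risk_findings(json.loads(text))


def audit_all(manifests):
    """Map extension name -> findings for a dict of parsed manifests."""
    return {name: risk_findings(m) for name, m in manifests.items()}


# Constructed sample manifests (hypothetical extensions).
SAMPLE_MANIFESTS = {
    "helper-toolbar": {
        "manifest_version": 3,
        "name": "Helper Toolbar",
        "permissions": ["management", "storage"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["probe.js"]}],
    },
    "vault-manager": {
        "manifest_version": 3,
        "name": "Vault Manager",
        "permissions": ["storage"],
        "web_accessible_resources": [{"resources": ["icons/logo.png"], "matches": ["<all_urls>"]}],
    },
    "site-notes": {
        "manifest_version": 2,
        "name": "Site Notes",
        "permissions": ["tabs", "https://notes.example.com/*"],
    },
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_MANIFESTS).items():
        print(name, findings or ["no findings"])
```

In a managed fleet the same signal can be enforced rather than merely reported: Chrome's ExtensionSettings enterprise policy supports a blocked_permissions list, so "management" can be denied to extensions that have no business enumerating their neighbours.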
Attackers target Apache Airflow misconfigurations.
Misconfigurations in Apache Airflow instances have been found to expose sensitive credentials, including login details, API keys, and cloud service tokens, due to insecure coding practices and outdated deployments. These exposures affect sectors such as finance, healthcare, and e-commerce, with leaked credentials for services like AWS, Slack, PayPal, and internal databases. The primary issues include hardcoded secrets in DAG scripts, unencrypted Variables and Connection metadata, a legacy plaintext-password logging flaw (CVE-2020-17511), and exposed configuration files. Note that Airflow encrypts Variables and Connection passwords in its metadata database only when a Fernet key is configured; an empty fernet_key leaves them stored in plaintext. To mitigate these risks, organizations should upgrade to Airflow 2.0 or later, implement network segmentation, use a dedicated secrets management backend, and conduct thorough code reviews to eliminate hardcoded credentials.
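The following is an added example, not code from the research or from the Airflow project: a small audit that checks DAG source for hardcoded credentials and an airflow.cfg for the settings behind the "unencrypted metadata" and "exposed configuration" findings above. A deliberately weak DAG and config are shown beside a hardened pair that resolves secrets at runtime through Airflow's Variable and Connection APIs and a secrets backend. All inputs are constructed; the AWS key values are Amazon's documented placeholder examples, and the Fernet key is a dummy string.

```python
"""Audit Apache Airflow DAG source and airflow.cfg for credential exposure.
Added example with constructed inputs; nothing here is from a real deployment."""
import configparser
import re

# Credential formats worth flagging. AWS access key IDs and Slack tokens have
# fixed prefixes; the generic rule catches password="..." style assignments.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b\w*(password|passwd|secret|api_key|token|access_key)\w*\s*=\s*['\"][^'\"]{6,}['\"]"
    ),
}


def scan_dag_source(filename, source):
    """Return one finding per (line, pattern) hit, with the match redacted."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append({"file": filename, "line": lineno, "kind": kind,
                                 "redacted": match.group(0)[:8] + "..."})
    return findings


def check_airflow_cfg(cfg_text):
    """Flag settings that leave secrets unencrypted or exposed via the UI."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    issues = []
    if not cfg.get("core", "fernet_key", fallback="").strip():
        issues.append("core.fernet_key empty: Variables and Connection passwords stored in plaintext")
    if not cfg.get("secrets", "backend", fallback="").strip():
        issues.append("secrets.backend unset: no external secrets manager configured")
    if cfg.getboolean("webserver", "expose_config", fallback=False):
        issues.append("webserver.expose_config=True: airflow.cfg readable from the web UI")
    return issues


# --- Constructed weak DAG: secrets committed with the code ---
WEAK_DAG = '''\
from airflow import DAG
from airflow.operators.python import PythonOperator

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SLACK_TOKEN = "xoxb-000000000000-111111111111-abcdefghijklmnop"
db_password = "hunter2-production"

with DAG(dag_id="nightly_export", schedule=None) as dag:
    pass
'''

# --- Hardened DAG: credentials resolved at runtime from the secrets backend ---
HARDENED_DAG = '''\
from airflow import DAG
from airflow.hooks.base import BaseHook
from airflow.models import Variable

slack_token = Variable.get("slack_bot_token")
aws_conn = BaseHook.get_connection("aws_default")

with DAG(dag_id="nightly_export", schedule=None) as dag:
    pass
'''

WEAK_CFG = """
[core]
fernet_key =
[secrets]
backend =
[webserver]
expose_config = True
"""

HARDENED_CFG = """
[core]
fernet_key = dummy-fernet-key-replace-me
[secrets]
backend = airflow.providers.amazon.aws.secrets.secrets_manager.SecretsManagerBackend
[webserver]
expose_config = False
"""

if __name__ == "__main__":
    for f in scan_dag_source("weak_dag.py", WEAK_DAG):
        print(f)
    print(check_airflow_cfg(WEAK_CFG))
```

The regex scanner is a first pass, not a replacement for a dedicated secret scanner in CI, but the two checks together cover the three failure modes the report describes: secrets in code, secrets stored unencrypted, and configuration viewable from the UI.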
LibreOffice vulnerability opens the door to script-based attacks.
A newly discovered vulnerability in LibreOffice allows attackers to execute arbitrary scripts via maliciously crafted macro URLs. The flaw lies in LibreOffice's handling of macro execution, enabling remote attackers to bypass security warnings and execute malicious code without user consent. If successfully exploited, this vulnerability could allow system compromise, data theft, or further malware deployment. Security researchers recommend disabling macros, restricting the opening of untrusted documents, and ensuring LibreOffice is updated to the latest patched version. Organizations should monitor for suspicious document activity and enforce strict macro security policies to mitigate the risk of exploitation.
Thousands of VMware ESXi instances remain vulnerable to actively exploited flaws.
In a follow-up to a story from earlier this week, tens of thousands of VMware ESXi instances remain vulnerable to a chain of actively exploited vulnerabilities disclosed on Tuesday, SecurityWeek reports. The vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) can allow an attacker to perform a VM escape and gain access to the ESXi hypervisor. Security researcher Kevin Beaumont explains that attackers can "[u]se that to access every other VM, and be on the management network of the VMware cluster." Beaumont added, "[Once] you have this level of access, traditionally you'll see groups like ransomware actors steal files and wipe things."
While the vulnerabilities are being exploited by unnamed threat actors, details of the exploit aren't yet publicly available. Organizations should prioritize patching now, before a public exploit is released and exploitation broadens.
NSO group leaders face charges in spyware case.
A Catalan court has indicted three NSO Group executives for their alleged involvement in espionage against the lawyer representing Catalan independence leaders. This decision overturns a prior ruling that limited accountability to the company and its European subsidiaries. The court's action is part of a broader investigation into the use of NSO's Pegasus spyware against Catalan separatists, a scandal known as "CatalanGate," which reportedly targeted at least 65 individuals, including politicians, activists, and their families. The human rights organization Irídia, representing the lawyer in question, hailed the indictments as a pivotal step toward addressing unlawful surveillance. The court has also sought cooperation from Luxembourg authorities to advance the investigation.
Congress hears warning on NSA cyber job cuts.
Rob Joyce, the former Director of Cybersecurity at the National Security Agency (NSA) and a White House advisor during the first Trump administration, testified before the House Select Committee, expressing grave concerns over the Trump administration's initiative to mass-fire probationary federal employees. Joyce emphasized that such actions could severely undermine US cybersecurity and national security efforts, particularly in countering Chinese cyber threats. He highlighted that probationary employees often constitute a pipeline of top technical talent essential for identifying and mitigating cyber threats. The administration's aggressive stance on reducing the federal workforce, including attempts to dismiss nearly all probationary employees, has faced legal challenges, with a federal judge temporarily blocking the order due to overreach by the Office of Personnel Management (OPM).
Banking industry pushes back on CIRCIA implementation.
Several prominent financial organizations have formally requested that the Cybersecurity and Infrastructure Security Agency (CISA) revise its proposed implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enacted in March 2022, CIRCIA mandates that critical infrastructure entities report significant cybersecurity incidents within 72 hours and ransomware payments within 24 hours. CISA's current proposal, set to take effect in October 2025, is estimated to impact approximately 316,000 entities. The financial groups argue that the proposed rules deviate from CIRCIA's original intent by imposing undue burdens on organizations, potentially diverting resources from effective incident response and recovery efforts. They advocate for a collaborative approach to develop a rule that allows victimized companies to prioritize addressing cyberattacks over fulfilling reporting obligations.
Coming up after the break, Dave Bittner joins hosts Elliot Volkman and Neal Dennis on the Adopting Zero Trust podcast from ThreatLocker’s Zero Trust World 2025, alongside special guest Dr. Chase Cunningham. And don’t miss how one hacker group turned 1 billion dollars into thin air.
Our very own Dave Bittner joined hosts Elliot Volkman and Neal Dennis on the Adopting Zero Trust podcast at ThreatLocker’s Zero Trust World 2025. Together, they explored the balance between delivering refined news versus raw perspective, the tipping point for AI adoption, and how the current political landscape is shaping cybersecurity. Here’s their conversation.
For the full conversation, be sure to visit our show notes for links to the Adopting Zero Trust podcast. You can also check out the video of their discussion to dive deeper into their insights on implementing Zero Trust strategies.
Turning $1B into thin air.
North Korea’s Lazarus group has swiped over $1 billion from crypto exchange Bybit—and they’re already busy laundering the stolen funds. Using decentralized finance (DeFi) tools to cover their tracks, they’ve pulled off a lightning-fast, highly organized operation that’s leaving investigators scratching their heads.
The FBI has confirmed Lazarus as the mastermind, and experts say the group’s infrastructure has likely expanded, with underground networks—especially in China—helping them wash the funds. They’ve already laundered around $400 million, and their sheer speed and volume are creating headaches for anyone trying to stop them.
Bybit has launched a bounty for those who can help trace the stolen crypto, but with 77% of the funds still traceable, it’s a race against time. This hack is officially the largest in crypto history, blowing past even the notorious Ronin Network and Poly Network thefts. A truly staggering breach—one that’ll have the crypto world on high alert for a while.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.