China's Decade-Long Sleepovers and Why Your Hospital Database is Basically a Spy Novel Now

China's Decade-Long Sleepovers and Why Your Hospital Database is Basically a Spy Novel Now

This is your China Hack Report: Daily US Tech Defense podcast. Hey listeners, Ting here, your resident China-and-cyber nerd, and today’s China Hack Report is…busy. Let’s start with the most surgical stuff: according to ESET researchers, two new Windows variants of the SprySOCKS backdoor just dropped into the wild, tied to the China-linked FishMonger group, which is believed to work with Chinese contractor I-SOON. This malware gives long-term stealthy access, and it’s no longer just a Linux party. If your endpoints in defense, research, or telecom are still treating “Windows-only” as a comfort zone, that bubble just popped. Lock down PowerShell, tighten EDR detections around unusual socket behavior, and do not ignore weird outbound traffic from so-called “utility” servers. Zooming out, a long-running espionage operation called Operation Highland has been linked to the Chinese threat group Velvet Ant, who reportedly camped inside a large organization’s network for nearly a decade, quietly exfiltrating data. Think about that: multiple US-facing networks could be bleeding IP and defense-adjacent intel for years. This is the Zero Trust wake-up call of the week—assume compromise, continuously verify, and segment your crown jewels like you’re allergic to flat networks. In healthcare and research, analysts report that a China-linked group tracked as UNC6508 went after vulnerable REDCap servers at a North American medical research institution for more than a year, dropping custom malware and stealing sensitive research data. If you’re running REDCap or similar platforms on the US health or bio-research side, patch yesterday, restrict access to VPN or SSO, and slap a proper WAF in front. Clinical trial data and genomic research are now geopolitical assets. On the more public-facing front, US authorities just dismantled Outsider Enterprise, a Chinese phishing-as-a-service network pumping out AI-powered phishing kits and fake websites to steal credit cards and credentials, and the Department of Justice shut down 13 China-linked espionage sites posing as consulting firms to target current and former US government employees with clearances. Treat every “we love your résumé” email from a mystery consulting shop as a potential intelligence op—verify through independent channels before you click anything. CISA and partners are actively warning about exploitation of a laundry list of enterprise bugs: Fortinet devices, Cisco SD-WAN, LiteSpeed plugins, Ivanti Sentry, Oracle PeopleSoft, Splunk, Palo Alto GlobalProtect, and more. These are exactly the footholds nation-state actors, including China-linked crews, love to chain together. Prioritize emergency patching on edge devices and identity infrastructure first, then everything tied to remote access or logs. And yes, that includes the “we’ll fix it next sprint” VPN gateway in the forgotten rack. Immediate defensive homework for you: enable MFA everywhere, monitor for new service accounts and unexpected remote access tools, hunt for long-lived persistence like scheduled tasks and rogue DLLs, and rehearse your incident response so you’re not Googling “what is a tabletop exercise” while Velvet Ant is already in your backups. I’m Ting, thanking you for tuning in. Don’t forget to subscribe so you never miss your daily China Hack Report: Daily US Tech Defense. This has been a quiet please production, for more check out quiet please dot ai. For more http://www.quietplease.ai Get the best deals https://amzn.to/3ODvOta

FBI Busts Chinese Phishing Mall Selling Hacked US Logins Like Fast Fashion - Your MFA Just Got Personal

This is your China Hack Report: Daily US Tech Defense podcast. Hey listeners, Ting here with your China Hack Report: Daily US Tech Defense. Let’s jack straight into today’s most critical China-linked cyber moves hitting US interests. According to an Ankura CTIX flash update, the big headline is the FBI takedown of a China-based phishing-as-a-service crew called Outsider Enterprise, done in coordination with Google and Lumen’s Black Lotus Labs. This outfit wasn’t some script‑kiddy side hustle; it was an industrialized platform renting out turnkey phishing kits aimed at US tech, cloud, and SaaS accounts. Think weaponized login pages for Microsoft 365, Google Workspace, and developer tools that US companies live and die on. Google’s security team and Black Lotus Labs report that Outsider Enterprise infrastructure was hosting customized phishing templates, reverse proxies to steal session tokens, and automated victim management dashboards. That means once a US engineer at, say, a Silicon Valley AI startup clicked the link, the service could capture MFA codes, cookies, and ride live sessions straight into source code repos and internal wikis. The FBI operation didn’t just yank a few domains; they moved to dismantle core servers, sinkhole traffic, and quietly notify targeted US organizations whose credentials were likely burned. Behind the scenes, that’s a race against time: every stolen token is a potential supply‑chain compromise waiting to be flipped into a ransomware event or IP exfil run by a China-linked crew. CISA and the FBI are pushing the usual guidance but with extra urgency: rotate credentials for any users that might have interacted with suspicious login pages, invalidate all active sessions, and enforce phishing‑resistant MFA like FIDO2 security keys. They’re also telling US tech and defense‑adjacent firms to enable conditional access, lock logins by geography, and watch for impossible travel logins coming from Chinese infrastructure or known bulletproof hosts. On the malware side, researchers tied to the same ecosystem have flagged loaders embedded in fake “security updates” sent via spear‑phish to US cloud admins. Once installed, these binaries tunnel command‑and‑control over encrypted HTTPS to look like normal SaaS traffic, giving operators long‑term, stealthy access to admin consoles and API keys that can pivot into customer data. For emergency hardening, CISA is urging patching of identity and SSO platforms first: your Okta, Entra ID, and any VPN or remote‑access gateways. They recommend enabling hardware tokens for privileged users, turning on detailed logging, and forwarding logs to a SIEM with rules tuned for session hijacking, token theft, and mass OAuth consent grants. So, if you’re defending US tech or critical infrastructure today, your homework from Ting: hunt for weird login patterns, reset tokens, patch your identity stack, and get serious about phishing‑resistant MFA. China-linked services like Outsider Enterprise thrive on the soft underbelly of human error plus weak authentication. Thanks for tuning in, listeners, and don’t forget to subscribe for your next daily dose of China cyber intel. This has been a quiet please production, for more check out quiet please dot ai. For more http://www.quietplease.ai Get the best deals https://amzn.to/3ODvOta

Volt Typhoon Goes Full Pre-War Mode: China's Hackers Camp Out in US Power Grids and Military Telecom

This is your China Hack Report: Daily US Tech Defense podcast. Hey listeners, Ting here, your friendly neighborhood China-cyber-obsessive, sliding straight into the latest China-linked hacking drama hitting US tech and defense in the last 24 hours. Let’s start with the big one: according to CNN and Reuters reporting over the weekend, US officials now say the Chinese state-backed group Volt Typhoon has quietly expanded its foothold in US critical infrastructure, especially power, ports, and communications tied to Pacific military bases. Microsoft’s threat intel team has been tracking Volt Typhoon for months, but new indicators show fresh implants on US telecom and energy networks, with tradecraft tuned for long-term disruption, not quick data theft. The White House and the Pentagon are treating this as pre‑positioning for potential conflict over Taiwan, not just routine espionage. CISA, the NSA, and the FBI pushed updated joint guidance on these China-nexus actors, urging US critical infrastructure operators to harden edge devices, rip out default credentials on routers and VPNs, and enable strict logging on PowerShell, WMI, and remote management tools that Volt Typhoon loves to live off the land with. They’re telling defenders to hunt for unusual command-line use on admin accounts and mysterious scheduled tasks instead of obvious malware, because this crew is allergic to noisy payloads. On the malware front, several security vendors, including CrowdStrike, Mandiant, and Palo Alto Networks’ Unit 42, reported new variants of custom backdoors associated with APT31 and APT41, both long‑linked to China’s Ministry of State Security. These variants are tuned for cloud environments—think Microsoft 365, Azure, and AWS—abusing OAuth apps and stolen tokens instead of dropping big binary payloads. The FBI has been warning that Microsoft 365 tenants are being hammered by phishing and consent-grant scams that are “not hacking software, they’re hacking trust,” targeting US government contractors, universities, and biotech firms. Hit sectors in the last day: US defense industrial base contractors, regional telecom providers that carry traffic for military installations, and at least one major US university doing dual‑use AI and quantum research. Several reports mention targeted spearphishing of senior engineers and program managers, often spoofing HR, legal, or travel vendors to deliver malicious links. Emergency patching: CISA added multiple network device and gateway vulnerabilities to its Known Exploited Vulnerabilities catalog, highlighting that China‑linked actors are actively exploiting older bugs in popular firewalls and VPNs. Organizations are being told to immediately patch or remove unsupported devices, disable unused VPN accounts, and enforce phishing‑resistant multifactor authentication for any remote access. Immediate defensive moves recommended by CISA, NSA, and FBI: implement zero trust principles on high-value networks, segment OT from IT in energy and transport, deploy endpoint detection and response with behavioral analytics, and rehearse incident response for destructive scenarios, not just data theft. They are especially stressing rapid isolation of suspicious hosts and continuous monitoring for data exfiltration to overseas VPS infrastructure. That’s your China Hack Report: Daily US Tech Defense download from Ting. Thanks for tuning in, stay patched, stay paranoid, and don’t forget to subscribe. This has been a quiet please production, for more check out quiet please dot ai. For more http://www.quietplease.ai Get the best deals https://amzn.to/3ODvOta

China Owns Half of All US Tech Hacks Plus a 1.9 Billion Dollar Phishing Ring Just Got Busted

This is your China Hack Report: Daily US Tech Defense podcast. Hey listeners, Ting here with your China Hack Report: Daily US Tech Defense, and wow, the last 24 hours have been spicy on the wire. Let’s start with the headline problem: China‑linked crews are still hammering US critical infrastructure and tech, but the pattern is getting sharper. CrowdStrike, in a finding amplified by TechCrunch, says one country is responsible for almost half of hands‑on hacking targeting American tech companies, and that country is China. That means if you’re running cloud platforms, developer tooling, or AI infrastructure in the US, you are statistically deep in the blast radius. On the fresh‑malware front, US analysts tracking Volt Typhoon–style actors report new variants tuned for stealth in operational tech networks tied to power and water. Think living‑off‑the‑land binaries, scheduled tasks, and WMI abuse instead of noisy backdoors. Security Affairs, in coverage highlighted by Bob Bragg’s Daily Drop newsletter, notes US water utilities are again being probed with China‑linked tradecraft, blending phishing, stolen VPN creds, and old‑but‑unpatched edge devices. If your water district still has that “temporary” remote‑access box from 2020, this is your wake‑up call. Law enforcement is also playing offense. According to the Daily Drop write‑up of Operation Ghost Hook, US and partner agencies dismantled a China‑based phishing‑as‑a‑service platform tied to roughly 1.9 billion dollars in fraud targeting American users and businesses. That’s not just carders; that’s also credential harvesting for follow‑on intrusions into US enterprises, universities, and local government. Academia is still in the crosshairs. An Instagram report notes that Chinese national Xu Zewei was extradited to the US over alleged cyberattacks on US universities and COVID‑19 researchers, a reminder that higher‑ed networks remain prime hunting grounds for China’s intelligence‑aligned operators, especially where there’s biomedical IP and dual‑use AI research. On the defense side, CISA and the FBI have doubled down in the last day on three immediate actions for US networks they see China targeting. First, patch internet‑facing gear: VPNs, firewalls, and email gateways with any outstanding critical CVEs. Second, enforce phishing‑resistant MFA on all privileged accounts and remote access. Third, hunt for anomalous authentication—impossible travel logins, strange service accounts, and new admin users created at weird hours. For software shops and AI startups, CISA and NSA are again pushing secure‑by‑design guidance: stop shipping products with default credentials, turn on audit logging by default, and make it easy for customers to disable dangerous remote‑management features that China‑linked actors love to hijack. If you’re listening from a US tech, utility, or university network, your homework today: check your edge device patching, verify MFA coverage, and schedule a quick threat‑hunt for unexpected remote‑access tools and new admin accounts. That’s how you stay out of the breach reports I’ll be talking about tomorrow. Thanks for tuning in, and don’t forget to subscribe so you don’t miss the next China Hack Report. This has been a quiet please production, for more check out quiet please dot ai. For more http://www.quietplease.ai Get the best deals https://amzn.to/3ODvOta

Panda Party Crashing: How Five Chinese Hacking Crews Are Stealing Americas AI Secrets While We Sleep

This is your China Hack Report: Daily US Tech Defense podcast. This is Ting, your guide to China Hack Report: Daily US Tech Defense, and listeners, we’re diving straight into the last 24 hours of China-linked cyber mayhem aimed at US interests. The headline: according to a new CrowdStrike intelligence brief reported by the Washington Times, China-backed crews like Murky Panda, Mustang Panda, Overcast Panda, Sunrise Panda, and Warp Panda have turned the dial up on stealing advanced US artificial intelligence tech from cloud providers, chip designers, and defense-adjacent labs. CrowdStrike says Chinese operators now account for well over half of state‑sponsored targeted attacks on tech companies, with a sharp spike in intrusions that go after AI training data, model weights, and GPU cluster management consoles. On the malware front, researchers tied to this same wave of activity are flagging new loader variants tailored for US AI and SaaS environments: think stealthy PowerShell and Go-based loaders that only fully arm themselves once they confirm they’re sitting inside environments like NVIDIA GPU management nodes or Kubernetes clusters used for model training. Security teams at West Coast cloud providers reported beacons using Chinese VPS infrastructure and domain patterns consistent with the Mustang Panda and Overcast Panda playbooks. Sector-wise, the bullseye in the past day has been threefold: AI research and cloud, semiconductor and EDA tooling, and defense suppliers working on autonomy and targeting systems. According to analysis discussed around Mastercard’s Connections 2026 cyber sessions, the payments ecosystem is also under heightened scanning, with Chinese-linked reconnaissance probing API gateways and AI-driven fraud systems that sit inside major US banks’ environments. Parallel to the hacking, OpenAI’s latest threat research, amplified by Politico and Slashdot, called out China-linked operators running covert influence campaigns using ChatGPT to seed narratives about AI infrastructure costs and US technology policy. That isn’t just information war; it is recon data on which AI talking points resonate in Washington, and it dovetails neatly with the theft of underlying AI tech. In response, CISA and US sector risk management agencies have pushed emergency defensive guidance over the last day: lock down exposed admin interfaces on cloud AI clusters, enforce phishing-resistant multi-factor authentication for engineers with access to model repositories, and apply out-of-band patches to internet-facing VPNs and remote management tools that Chinese actors have historically loved to exploit. New advisories also stress tightening egress controls so these Panda crews can’t quietly exfiltrate training data to command-and-control servers parked in bulletproof hosting. Your near-term playbook, based on CISA best practice and New York’s Department of Financial Services guidance: harden identity, segment anything touching AI models or sensitive R&D, crank up logging on cloud consoles, and rehearse incident response assuming a China-linked actor already has one compromised credential in your environment. I’m Ting, thanking you for tuning in to China Hack Report: Daily US Tech Defense. Remember to subscribe so you don’t miss tomorrow’s threat rundown. This has been a quiet please production, for more check out quiet please dot ai. For more http://www.quietplease.ai Get the best deals https://amzn.to/3ODvOta