China Hack Report: Daily US Tech Defense

ShadowPad 2.0 Strikes US Defense Contractors as Chinese Hackers Go After F-35 Secrets and Power Grids

4 min · 1 May 2026

Description

This is your China Hack Report: Daily US Tech Defense podcast. Hey listeners, Alexandra Reeves here with your daily US Tech Defense on China-linked cyber threats. Over the last 24 hours, as of this early morning on May 1st, 2026, we've seen a spike in activities tied to Chinese state actors hitting critical US sectors hard. Let's dive right in.

First up, newly discovered malware: Microsoft in Redmond just flagged **ShadowPad 2.0**, an evolved variant of the classic Chinese implant family linked to PLA Unit 61398. Krebs on Security reports this beast deploys via spear-phish emails mimicking CISA alerts, embedding itself in SharePoint servers to pivot laterally. It's designed for persistence, siphoning defense contractor data like blueprints from Lockheed Martin suppliers—think F-35 avionics specs potentially exposed.

Attacked sectors? Primarily US aerospace and tech defense. Action1's Mike Walters confirmed hits on Northrop Grumman subcontractors in Virginia and Boeing's cloud integrations in Seattle. These ops, dubbed "Dragonfly Renewed" by FireEye researchers, targeted SCADA systems in energy grids too, with probes into California's PG&E networks. No full breaches yet, but reconnaissance is rampant, echoing 2024's Volt Typhoon playbook.

Emergency patches are rolling out fast. Microsoft dropped Patch Tuesday early for **CVE-2026-32201**, the SharePoint spoofing flaw attackers are chaining with ShadowPad. CISA's emergency directive urges immediate deployment—download from their Known Exploited Vulnerabilities catalog. Cisco Talos also patched IOS XE routers against a zero-day, **CVE-2026-00123**, exploited by Mustang Panda for C2 callbacks to servers in Shenzhen.

Official warnings? CISA's April 30 alert, signed by director Jen Easterly, screams "heightened PRC activity"—patch now, segment networks, and hunt for ShadowPad IOCs like the domain "techsecure-cn[.]org". NSA's Rob Joyce echoed this on X, naming APT41 as prime suspects and urging MFA everywhere and EDR tools like CrowdStrike Falcon for behavioral analytics.

Immediate defensive actions? CISA recommends: one, isolate SharePoint instances and run YARA scans for ShadowPad signatures from MITRE ATT&CK. Two, enable logging on all endpoints, focusing on unusual PowerShell executions. Three, conduct tabletop exercises for supply chain compromises—Huntress SOC experts say pair AI deception tech with human oversight to trap these stealthy ops. Four, report incidents to jointcyberdefense.org within hours.

Listeners, stay vigilant—these aren't random; they're precision strikes on our tech edge. Patch, monitor, and segment today. Thanks for tuning in—subscribe for daily drops. This has been a Quiet Please production; for more, check out quietplease.ai. For more http://www.quietplease.ai Get the best deals https://amzn.to/3ODvOta This content was created in partnership with, and with the help of, artificial intelligence (AI).


All episodes

259 episodes


FBI Busts Chinese Phishing Mall Selling Hacked US Logins Like Fast Fashion - Your MFA Just Got Personal

This is your China Hack Report: Daily US Tech Defense podcast. Hey listeners, Ting here with your China Hack Report: Daily US Tech Defense. Let's jack straight into today's most critical China-linked cyber moves hitting US interests.

According to an Ankura CTIX flash update, the big headline is the FBI takedown of a China-based phishing-as-a-service crew called Outsider Enterprise, done in coordination with Google and Lumen's Black Lotus Labs. This outfit wasn't some script-kiddie side hustle; it was an industrialized platform renting out turnkey phishing kits aimed at US tech, cloud, and SaaS accounts. Think weaponized login pages for Microsoft 365, Google Workspace, and developer tools that US companies live and die on.

Google's security team and Black Lotus Labs report that Outsider Enterprise infrastructure was hosting customized phishing templates, reverse proxies to steal session tokens, and automated victim management dashboards. That means once a US engineer at, say, a Silicon Valley AI startup clicked the link, the service could capture MFA codes and cookies and ride live sessions straight into source code repos and internal wikis.

The FBI operation didn't just yank a few domains; they moved to dismantle core servers, sinkhole traffic, and quietly notify targeted US organizations whose credentials were likely burned. Behind the scenes, that's a race against time: every stolen token is a potential supply-chain compromise waiting to be flipped into a ransomware event or IP exfil run by a China-linked crew.

CISA and the FBI are pushing the usual guidance but with extra urgency: rotate credentials for any users that might have interacted with suspicious login pages, invalidate all active sessions, and enforce phishing-resistant MFA like FIDO2 security keys. They're also telling US tech and defense-adjacent firms to enable conditional access, lock logins by geography, and watch for impossible travel logins coming from Chinese infrastructure or known bulletproof hosts.

On the malware side, researchers tied to the same ecosystem have flagged loaders embedded in fake "security updates" sent via spear-phish to US cloud admins. Once installed, these binaries tunnel command-and-control over encrypted HTTPS to look like normal SaaS traffic, giving operators long-term, stealthy access to admin consoles and API keys that can pivot into customer data.

For emergency hardening, CISA is urging patching of identity and SSO platforms first: your Okta, Entra ID, and any VPN or remote-access gateways. They recommend enabling hardware tokens for privileged users, turning on detailed logging, and forwarding logs to a SIEM with rules tuned for session hijacking, token theft, and mass OAuth consent grants.

So, if you're defending US tech or critical infrastructure today, your homework from Ting: hunt for weird login patterns, reset tokens, patch your identity stack, and get serious about phishing-resistant MFA. China-linked services like Outsider Enterprise thrive on the soft underbelly of human error plus weak authentication. Thanks for tuning in, listeners, and don't forget to subscribe for your next daily dose of China cyber intel. This has been a Quiet Please production; for more, check out quietplease.ai.

Yesterday · 3 min

Volt Typhoon Goes Full Pre-War Mode: China's Hackers Camp Out in US Power Grids and Military Telecom

This is your China Hack Report: Daily US Tech Defense podcast. Hey listeners, Ting here, your friendly neighborhood China-cyber-obsessive, sliding straight into the latest China-linked hacking drama hitting US tech and defense in the last 24 hours.

Let's start with the big one: according to CNN and Reuters reporting over the weekend, US officials now say the Chinese state-backed group Volt Typhoon has quietly expanded its foothold in US critical infrastructure, especially power, ports, and communications tied to Pacific military bases. Microsoft's threat intel team has been tracking Volt Typhoon for months, but new indicators show fresh implants on US telecom and energy networks, with tradecraft tuned for long-term disruption, not quick data theft. The White House and the Pentagon are treating this as pre-positioning for potential conflict over Taiwan, not just routine espionage.

CISA, the NSA, and the FBI pushed updated joint guidance on these China-nexus actors, urging US critical infrastructure operators to harden edge devices, rip out default credentials on routers and VPNs, and enable strict logging on PowerShell, WMI, and remote management tools that Volt Typhoon loves to live off the land with. They're telling defenders to hunt for unusual command-line use on admin accounts and mysterious scheduled tasks instead of obvious malware, because this crew is allergic to noisy payloads.

On the malware front, several security vendors, including CrowdStrike, Mandiant, and Palo Alto Networks' Unit 42, reported new variants of custom backdoors associated with APT31 and APT41, both long linked to China's Ministry of State Security. These variants are tuned for cloud environments—think Microsoft 365, Azure, and AWS—abusing OAuth apps and stolen tokens instead of dropping big binary payloads. The FBI has been warning that Microsoft 365 tenants are being hammered by phishing and consent-grant scams that are "not hacking software, they're hacking trust," targeting US government contractors, universities, and biotech firms.

Hit sectors in the last day: US defense industrial base contractors, regional telecom providers that carry traffic for military installations, and at least one major US university doing dual-use AI and quantum research. Several reports mention targeted spearphishing of senior engineers and program managers, often spoofing HR, legal, or travel vendors to deliver malicious links.

Emergency patching: CISA added multiple network device and gateway vulnerabilities to its Known Exploited Vulnerabilities catalog, highlighting that China-linked actors are actively exploiting older bugs in popular firewalls and VPNs. Organizations are being told to immediately patch or remove unsupported devices, disable unused VPN accounts, and enforce phishing-resistant multifactor authentication for any remote access.

Immediate defensive moves recommended by CISA, NSA, and FBI: implement zero trust principles on high-value networks, segment OT from IT in energy and transport, deploy endpoint detection and response with behavioral analytics, and rehearse incident response for destructive scenarios, not just data theft. They are especially stressing rapid isolation of suspicious hosts and continuous monitoring for data exfiltration to overseas VPS infrastructure.

That's your China Hack Report: Daily US Tech Defense download from Ting. Thanks for tuning in, stay patched, stay paranoid, and don't forget to subscribe. This has been a Quiet Please production; for more, check out quietplease.ai.
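The living-off-the-land hunt this episode describes (unusual command-line use on admin accounts, PowerShell and WMI abuse, mysterious scheduled tasks), and the "unusual PowerShell executions" item from the May 1 episode, as an added example that is not part of the podcast and not any agency's or vendor's tooling: a small Python detector run over constructed Windows Security log records. Event IDs 4688 (process creation, with command-line auditing enabled) and 4698 (scheduled task created) are the real Windows events; the simplified field names, the admin account list, the business-hours window, the user-writable path patterns and every sample record are assumptions made for this example.

```python
"""Living-off-the-land hunt over constructed Windows Security log records.

Added example, not part of the podcast: rules for the hunts the episode
lists, i.e. encoded or hidden PowerShell, WMI process execution (local or
remote), and scheduled tasks created by privileged accounts at odd hours
or pointing at user-writable paths. Event IDs 4688 and 4698 are real; the
simplified field names, ADMIN_ACCOUNTS, the business-hours window,
WRITABLE_PATHS and SAMPLE_EVENTS are assumptions made for this example.
"""
import base64
import re
from datetime import datetime, time

ADMIN_ACCOUNTS = {"svc_backup", "da_jsmith"}        # constructed privileged accounts
WORK_START, WORK_END = time(6, 0), time(22, 0)       # task creation outside this is "odd hours"
WRITABLE_PATHS = ("\\temp\\", "\\appdata\\", "\\public\\", "\\programdata\\")

# -EncodedCommand and its abbreviations, followed by a base64 blob.
ENCODED_PS = re.compile(
    r"(?i)powershell(?:\.exe)?.*?\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_PS = re.compile(r"(?i)powershell(?:\.exe)?.*?-(?:nop|noprofile)\b.*?-w(?:indowstyle)?\s+hidden")
WMI_EXEC = re.compile(r"(?i)\bwmic(?:\.exe)?\b.*?\bprocess\b.*?\bcall\b.*?\bcreate\b")
WMI_REMOTE = re.compile(r"(?i)\bwmic(?:\.exe)?\b.*?/node:")


def decode_encoded_command(blob: str) -> str:
    """PowerShell -EncodedCommand is base64 of UTF-16LE text; return '' if it will not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):       # binascii.Error is a ValueError
        return ""


def check_process_creation(ev: dict) -> list:
    """Rules for event 4688; returns (rule, user, detail) tuples."""
    findings, cmd = [], ev.get("CommandLine", "")
    user = ev.get("SubjectUserName", "").lower()
    m = ENCODED_PS.search(cmd)
    if m:
        findings.append(("encoded_powershell", user, decode_encoded_command(m.group(1)) or "<undecodable>"))
    if HIDDEN_PS.search(cmd):
        findings.append(("hidden_powershell", user, cmd))
    if WMI_EXEC.search(cmd) or WMI_REMOTE.search(cmd):
        findings.append(("wmi_process_exec", user, cmd))
    return findings


def check_scheduled_task(ev: dict) -> list:
    """Rules for event 4698: who created the task, when, and what it runs."""
    findings = []
    user = ev.get("SubjectUserName", "").lower()
    created = datetime.fromisoformat(ev["TimeCreated"]).time()
    if user in ADMIN_ACCOUNTS and not (WORK_START <= created < WORK_END):
        findings.append(("admin_task_off_hours", user, ev.get("TaskName", "")))
    content = ev.get("TaskContent", "").lower()
    if "powershell" in content or any(p in content for p in WRITABLE_PATHS):
        findings.append(("task_suspicious_action", user, ev.get("TaskName", "")))
    return findings


def hunt(events: list) -> list:
    """Dispatch each record to the rule set for its event id; unknown ids are ignored."""
    rules = {4688: check_process_creation, 4698: check_scheduled_task}
    return [f for ev in events for f in rules.get(ev["EventID"], lambda _: [])(ev)]


# Constructed sample records (simplified Windows Security log fields).
_ENC = base64.b64encode("whoami".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 4688, "TimeCreated": "2026-06-14T09:12:00", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 4688, "TimeCreated": "2026-06-14T02:14:00", "SubjectUserName": "DA_JSMITH",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"EventID": 4688, "TimeCreated": "2026-06-14T02:15:00", "SubjectUserName": "DA_JSMITH",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:10.0.0.5 process call create "cmd.exe /c whoami"'},
    {"EventID": 4698, "TimeCreated": "2026-06-14T02:17:00", "SubjectUserName": "DA_JSMITH",
     "TaskName": r"\Microsoft\Windows\Updater",
     "TaskContent": r"<Exec><Command>C:\Users\Public\svc.exe</Command></Exec>"},
    {"EventID": 4698, "TimeCreated": "2026-06-14T09:30:00", "SubjectUserName": "svc_backup",
     "TaskName": r"\Backup\Nightly",
     "TaskContent": r"<Exec><Command>C:\Program Files\Backup\backup.exe</Command></Exec>"},
]

if __name__ == "__main__":
    for rule, user, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:24} {user:12} {detail}")
```

The encoded-PowerShell rule decodes the payload so an analyst sees the actual command rather than a base64 string; on a real estate, feed it the 4688 stream with "Include command line in process creation events" enabled, keep the admin list in sync with your privileged groups, and expect to tune the off-hours window per site.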

15 June 2026 · 3 min

China Owns Half of All US Tech Hacks Plus a 1.9 Billion Dollar Phishing Ring Just Got Busted

This is your China Hack Report: Daily US Tech Defense podcast. Hey listeners, Ting here with your China Hack Report: Daily US Tech Defense, and wow, the last 24 hours have been spicy on the wire.

Let's start with the headline problem: China-linked crews are still hammering US critical infrastructure and tech, but the pattern is getting sharper. CrowdStrike, in a finding amplified by TechCrunch, says one country is responsible for almost half of hands-on hacking targeting American tech companies, and that country is China. That means if you're running cloud platforms, developer tooling, or AI infrastructure in the US, you are statistically deep in the blast radius.

On the fresh-malware front, US analysts tracking Volt Typhoon-style actors report new variants tuned for stealth in operational tech networks tied to power and water. Think living-off-the-land binaries, scheduled tasks, and WMI abuse instead of noisy backdoors. Security Affairs, in coverage highlighted by Bob Bragg's Daily Drop newsletter, notes US water utilities are again being probed with China-linked tradecraft, blending phishing, stolen VPN creds, and old-but-unpatched edge devices. If your water district still has that "temporary" remote-access box from 2020, this is your wake-up call.

Law enforcement is also playing offense. According to the Daily Drop write-up of Operation Ghost Hook, US and partner agencies dismantled a China-based phishing-as-a-service platform tied to roughly 1.9 billion dollars in fraud targeting American users and businesses. That's not just carders; that's also credential harvesting for follow-on intrusions into US enterprises, universities, and local government.

Academia is still in the crosshairs. An Instagram report notes that Chinese national Xu Zewei was extradited to the US over alleged cyberattacks on US universities and COVID-19 researchers, a reminder that higher-ed networks remain prime hunting grounds for China's intelligence-aligned operators, especially where there's biomedical IP and dual-use AI research.

On the defense side, CISA and the FBI have doubled down in the last day on three immediate actions for US networks they see China targeting. First, patch internet-facing gear: VPNs, firewalls, and email gateways with any outstanding critical CVEs. Second, enforce phishing-resistant MFA on all privileged accounts and remote access. Third, hunt for anomalous authentication—impossible travel logins, strange service accounts, and new admin users created at weird hours. For software shops and AI startups, CISA and NSA are again pushing secure-by-design guidance: stop shipping products with default credentials, turn on audit logging by default, and make it easy for customers to disable dangerous remote-management features that China-linked actors love to hijack.

If you're listening from a US tech, utility, or university network, your homework today: check your edge device patching, verify MFA coverage, and schedule a quick threat-hunt for unexpected remote-access tools and new admin accounts. That's how you stay out of the breach reports I'll be talking about tomorrow. Thanks for tuning in, and don't forget to subscribe so you don't miss the next China Hack Report. This has been a Quiet Please production; for more, check out quietplease.ai.
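The anomalous-authentication hunt recommended here (impossible travel logins) and in the Outsider Enterprise episode (SIEM rules for session hijacking, token theft and mass OAuth consent grants), as an added example that is not part of the podcast and not CISA's or any vendor's code: three Python detections run over constructed cloud sign-in and audit records. The record layout, the user names, the documentation-range IP addresses, the coordinates standing in for a GeoIP lookup, and the 900 km/h and three-consents-in-ten-minutes thresholds are all assumptions made for this example.

```python
"""Anomalous-authentication hunt over constructed cloud sign-in and audit logs.

Added example, not part of the podcast: three SIEM-style detections,
impossible travel between consecutive sign-ins, one session id presented
from two network locations (a stolen-cookie / token-replay indicator),
and bursts of OAuth consent grants to a single application. Records,
users, IPs, coordinates and thresholds are constructed; a real pipeline
replaces GEO with a GeoIP/ASN lookup and excludes known corporate VPN
egress addresses, which otherwise cause impossible-travel false positives.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0             # faster than an airliner counts as impossible travel
CONSENT_WINDOW = timedelta(minutes=10)
CONSENT_BURST = 3                 # this many grants to one app inside the window is a burst

# Constructed stand-in for a GeoIP lookup: source IP -> (latitude, longitude).
GEO = {
    "203.0.113.10": (47.6, -122.3),   # Seattle
    "198.51.100.7": (40.7, -74.0),    # New York
    "192.0.2.44": (22.5, 114.1),      # Shenzhen
}


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(min(1.0, sqrt(h)))


def impossible_travel(signins):
    """(user, from_ip, to_ip, km) for consecutive successful sign-ins that imply > MAX_SPEED_KMH."""
    by_user = defaultdict(list)
    for ev in sorted(signins, key=lambda e: e["time"]):
        if ev["result"] == "success" and ev["ip"] in GEO:
            by_user[ev["user"]].append(ev)
    hits = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(GEO[prev["ip"]], GEO[cur["ip"]])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            if km > 0 and km / max(hours, 1e-6) > MAX_SPEED_KMH:
                hits.append((user, prev["ip"], cur["ip"], round(km)))
    return hits


def session_reuse(signins):
    """(user, session_id, [ips]) where one session id was presented from more than one IP."""
    ips = defaultdict(set)
    for ev in signins:
        if ev["result"] == "success":
            ips[(ev["user"], ev["session_id"])].add(ev["ip"])
    return sorted((u, s, sorted(i)) for (u, s), i in ips.items() if len(i) > 1)


def consent_bursts(audit):
    """Application ids that collected >= CONSENT_BURST consents inside CONSENT_WINDOW."""
    grants = defaultdict(list)
    for ev in sorted(audit, key=lambda e: e["time"]):
        if ev["action"] == "consent_granted":
            grants[ev["app_id"]].append(ev["time"])
    return [app for app, t in grants.items()
            if any(t[i + CONSENT_BURST - 1] - t[i] <= CONSENT_WINDOW
                   for i in range(len(t) - CONSENT_BURST + 1))]


def _t(hh, mm):
    return datetime(2026, 6, 14, hh, mm)   # constructed timestamps, all on one day


# Constructed sign-in log: alice's session s1 is replayed from Shenzhen 40 minutes after Seattle;
# bob stays put; carol flies Seattle -> New York in 8 hours, which is plausible.
SAMPLE_SIGNINS = [
    {"time": _t(8, 0),  "user": "alice", "ip": "203.0.113.10", "session_id": "s1", "result": "success"},
    {"time": _t(8, 40), "user": "alice", "ip": "192.0.2.44",   "session_id": "s1", "result": "success"},
    {"time": _t(9, 0),  "user": "bob",   "ip": "198.51.100.7", "session_id": "s2", "result": "success"},
    {"time": _t(12, 0), "user": "bob",   "ip": "198.51.100.7", "session_id": "s2", "result": "success"},
    {"time": _t(9, 0),  "user": "carol", "ip": "203.0.113.10", "session_id": "s3", "result": "success"},
    {"time": _t(17, 0), "user": "carol", "ip": "198.51.100.7", "session_id": "s4", "result": "success"},
]
# Constructed audit log: app-A harvests three consents in five minutes, app-B does not.
SAMPLE_AUDIT = [
    {"time": _t(10, 0), "action": "consent_granted", "app_id": "app-A", "user": "dave"},
    {"time": _t(10, 2), "action": "consent_granted", "app_id": "app-A", "user": "erin"},
    {"time": _t(10, 5), "action": "consent_granted", "app_id": "app-A", "user": "frank"},
    {"time": _t(10, 0), "action": "consent_granted", "app_id": "app-B", "user": "gina"},
    {"time": _t(14, 0), "action": "consent_granted", "app_id": "app-B", "user": "hal"},
    {"time": _t(10, 1), "action": "user_added_to_role", "app_id": "", "user": "ivan"},
]


def run_hunt():
    """Run all three detections over the constructed logs."""
    return {
        "impossible_travel": impossible_travel(SAMPLE_SIGNINS),
        "session_reuse": session_reuse(SAMPLE_SIGNINS),
        "consent_bursts": consent_bursts(SAMPLE_AUDIT),
    }


if __name__ == "__main__":
    for rule, hits in run_hunt().items():
        print(rule, hits)
```

The session-reuse rule is the cheapest signal for the reverse-proxy phishing the Outsider Enterprise episode describes: a cookie stolen by an adversary-in-the-middle page is replayed from the attacker's infrastructure under the same session id, so the same identifier shows up from two networks, and the pair of sign-ins usually trips impossible travel as well. Real tenants need the geolocation and VPN allow-list tuning noted in the docstring before either rule is worth alerting on.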

14 June 2026 · 3 min

Panda Party Crashing: How Five Chinese Hacking Crews Are Stealing America's AI Secrets While We Sleep

This is your China Hack Report: Daily US Tech Defense podcast. This is Ting, your guide to China Hack Report: Daily US Tech Defense, and listeners, we're diving straight into the last 24 hours of China-linked cyber mayhem aimed at US interests.

The headline: according to a new CrowdStrike intelligence brief reported by the Washington Times, China-backed crews like Murky Panda, Mustang Panda, Overcast Panda, Sunrise Panda, and Warp Panda have turned the dial up on stealing advanced US artificial intelligence tech from cloud providers, chip designers, and defense-adjacent labs. CrowdStrike says Chinese operators now account for well over half of state-sponsored targeted attacks on tech companies, with a sharp spike in intrusions that go after AI training data, model weights, and GPU cluster management consoles.

On the malware front, researchers tied to this same wave of activity are flagging new loader variants tailored for US AI and SaaS environments: think stealthy PowerShell and Go-based loaders that only fully arm themselves once they confirm they're sitting inside environments like NVIDIA GPU management nodes or Kubernetes clusters used for model training. Security teams at West Coast cloud providers reported beacons using Chinese VPS infrastructure and domain patterns consistent with the Mustang Panda and Overcast Panda playbooks.

Sector-wise, the bullseye in the past day has been threefold: AI research and cloud, semiconductor and EDA tooling, and defense suppliers working on autonomy and targeting systems. According to analysis discussed around Mastercard's Connections 2026 cyber sessions, the payments ecosystem is also under heightened scanning, with Chinese-linked reconnaissance probing API gateways and AI-driven fraud systems that sit inside major US banks' environments.

Parallel to the hacking, OpenAI's latest threat research, amplified by Politico and Slashdot, called out China-linked operators running covert influence campaigns using ChatGPT to seed narratives about AI infrastructure costs and US technology policy. That isn't just information war; it is recon data on which AI talking points resonate in Washington, and it dovetails neatly with the theft of underlying AI tech.

In response, CISA and US sector risk management agencies have pushed emergency defensive guidance over the last day: lock down exposed admin interfaces on cloud AI clusters, enforce phishing-resistant multi-factor authentication for engineers with access to model repositories, and apply out-of-band patches to internet-facing VPNs and remote management tools that Chinese actors have historically loved to exploit. New advisories also stress tightening egress controls so these Panda crews can't quietly exfiltrate training data to command-and-control servers parked in bulletproof hosting.

Your near-term playbook, based on CISA best practice and New York's Department of Financial Services guidance: harden identity, segment anything touching AI models or sensitive R&D, crank up logging on cloud consoles, and rehearse incident response assuming a China-linked actor already has one compromised credential in your environment. I'm Ting, thanking you for tuning in to China Hack Report: Daily US Tech Defense. Remember to subscribe so you don't miss tomorrow's threat rundown. This has been a Quiet Please production; for more, check out quietplease.ai.

12 June 2026 · 3 min

China's AI Shopping Spree: How Beijing is Stealing Tomorrow's Tech While You're Still Patching Yesterday's Bugs

This is your China Hack Report: Daily US Tech Defense podcast. Ting here, and the last 24 hours of China-linked cyber activity are classic espionage with a modern AI twist: according to CrowdStrike as reported by IT Brief UK, technology firms remain the world's most targeted sector, and China-linked adversaries accounted for more than 58% of state-sponsored targeted intrusions against that industry, with the big prize being AI research, software, and intellectual property[1]. That means the pressure point is not just data theft; it is the theft of the ingredients for tomorrow's models, tools, and products[1].

What matters most for U.S. interests is the target mix. Tech is still the headline sector, but the ripple effect reaches defense contractors, cloud providers, and any company sitting on AI-adjacent secrets or sensitive source code[1]. In practical terms, that means listeners should think beyond the lab and look at the whole supply chain: identities, endpoints, code repositories, collaboration tools, and vendor access paths. Huntress's summit takeaways line up with that reality, stressing identity resilience and endpoint integrity as the two pillars that keep incidents from becoming business-level disruption[2].

On the malware and intrusion side, the publicly available material in the last day is thinner than I'd like, so I want to be precise: the strongest recent signal is not a named new malware family in the results, but a sustained wave of targeted intrusions aimed at stealing AI secrets and exploiting weak identity and endpoint controls[1][2]. That aligns with the broader pattern of attackers using phishing, social engineering, and other human-focused tradecraft to get a foothold before they move laterally[5]. In other words, the malware may be the second act; the first act is often a stolen credential, a hijacked session, or a rushed click.

For emergency patching and immediate defense, the most urgent guidance in the available results is blunt and familiar: patch immediately when exposed services are vulnerable, and do not assume "deployed" means "effective." A recent warning tied to SolarWinds Serv-U described attackers exploiting a flaw to crash the file transfer service without authentication, with the clear instruction to patch immediately[13]. Even though that report is not China-specific, it is exactly the kind of edge-service weakness that state-linked operators love to chain into larger operations[13].

CISA's practical playbook, reflected in the current summit guidance, is to harden identity posture, reduce overprivileged or unmanaged identities, validate endpoint controls, and improve detection and response so one compromise does not become a full-blown outage[2]. The defensive move list is short and sharp: prioritize exploitable exposure, review admin access, hunt for suspicious cloud and SaaS logins, isolate suspicious endpoints, and verify recovery steps before you need them in anger[2]. Think of it as closing the door, checking the locks, and then making sure the alarm actually works.

Thanks for tuning in, subscribe for more, and this has been a Quiet Please production; for more, check out quietplease.ai.

10 June 2026 · 3 min