Friday Edition – Threat Actor Activity – 13/06/25
At a Glance
- Volt Typhoon (China APT) – Ongoing espionage targeting U.S. critical infrastructure via "living-off-the-land" techniques, establishing pre-positioned access in telecom systems.
- Lumma Infostealer (Russia-linked cybercriminal) – International takedown disrupted C2 infrastructure used in widespread phishing operations; roughly 394K Windows hosts infected between March and May.
- Hybrid State-Criminal Campaigns (Russia) – Sophisticated sabotage and cyberattacks in the EU linked to Russian GRU proxies, including hospital disruptions and arson campaigns.
- AI-Empowered Crime (EU-wide) – Europol warns that AI is dramatically amplifying organized-crime capabilities: fraud, deepfake extortion and cyber-attacks that blend criminal and state-aligned motives.
Key Threat Developments
Nation‑State Actors
- Volt Typhoon (Chinese APT): Actively infiltrating U.S. telecom and critical infrastructure to establish long-term espionage and potential sabotage capabilities, using stealthy living‑off‑the‑land methods.
- Russia-linked hybrid sabotage: Europol reports Russian military intelligence leveraging criminal networks ("woodpecker" sabotage) in coordinated operations, including cyber-attacks on hospitals and arson.
Cybercriminal Groups
- Lumma Infostealer (Russian origin): A global law-enforcement-led takedown seized ~2,300 domains; before the takedown the campaign had infected 394K+ Windows hosts through phishing. The toolset is widely used by eCrime groups such as Scattered Spider.
- AI-accelerated organized crime: Europol’s 2025 Serious and Organized Crime report flags AI’s role in enabling realistic voice-deepfakes, fraud, disinformation, and laundering schemes aligned with state-sponsored destabilization.
Victimology & Impact
- Infrastructure & Healthcare (US/EU): U.S. telecom networks and EU hospitals impacted by espionage and sabotage. Hospital outages reported, including halted operations.
- Global Users: Nearly 400,000 Windows systems globally compromised by Lumma; school systems and financial accounts affected by stolen credentials.
- Public institutions in EU: Coordinated cyber and physical sabotage linked to Russian hybrid tactics targeting democratic resilience.
Tactics & Techniques Observed
- Living‑off‑the‑land (Volt Typhoon): Use of legitimate admin tools, minimal custom malware.
- Phishing delivery: Credential-stealing infostealer (Lumma) spread via targeted phishing campaigns.
- Hybrid sabotage: Low-level sabotage (arson, physical disruption) combined with cyber operations.
- AI‑assisted fraud: Deepfake, voice-cloning, and AI-generated phishing/media used for high‑precision attacks.
Indicators of Compromise (IOCs)
- Lumma C2 domains: ~2,300 seized domains (specific domain list available from law enforcement).
- Living‑off‑the‑land scripts: Unusual PowerShell or wmic executions in telecom sector environments.
- Deepfake-based DDoS/phishing domains: Monitor newly registered domains mimicking trusted entities with AI-generated content.
Mitigation & Recommendations
- Patch & update
  - Harden telecom and infrastructure endpoints against living-off-the-land tactics; apply least-privilege and script-block restrictions.
  - Ensure email gateways detect deepfake/AI-generated attachments and links.
- Improve defenses
  - Enforce multi-factor authentication across all user access points.
  - Implement strong network segmentation in critical infrastructure environments.
- Detection & monitoring
  - Audit for PowerShell/wmic usage in sensitive telecom systems.
  - Monitor for traffic to newly registered suspicious domains (especially phishing/infostealer infrastructure).
- User awareness
  - Train staff to recognize AI-generated deepfake attempts and phishing lures.
  - Simulate phishing to test resilience, emphasizing domain impersonation and social engineering.
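As an added illustration of the PowerShell/wmic audit recommended above (example code, not part of the original briefing), the following Python triages constructed Windows process-creation events against a hypothetical site baseline; the event records, host and account names, approved-user set and service-parent list are all assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Windows Security 4688 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "tel-core-01", "user": "svc_backup", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="},
    {"host": "tel-core-02", "user": "admin01", "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'wmic.exe /node:10.0.5.12 process call create "cmd.exe /c whoami"'},
    {"host": "tel-core-03", "user": "ops", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe Get-Service | Where-Object Status -eq Running"},
    {"host": "tel-web-01", "user": "svc_web", "parent": r"C:\Program Files\Apache\httpd.exe",
     "cmdline": "wmic.exe os get caption"},
]

# Hypothetical site baseline: accounts expected to run admin tooling interactively,
# and parent processes that should never spawn it in this environment.
APPROVED_ADMIN_USERS = {"admin01", "ops"}
SERVICE_PARENTS = {"services.exe", "httpd.exe", "w3wp.exe"}

LOLBIN = re.compile(r'^"?(powershell|wmic)(\.exe)?"?\b', re.I)
CMDLINE_RULES = [
    ("encoded_powershell", re.compile(r"\s-(e|ec|enc|encodedcommand)\b", re.I)),
    ("hidden_window", re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I)),
    ("wmic_remote_exec", re.compile(r"/node:\S+.*\bprocess\s+call\s+create\b", re.I)),
]

def classify(event):
    """Return the list of rule names an event triggers (empty = benign by these rules)."""
    cmd = event["cmdline"]
    if not LOLBIN.match(cmd):
        return []  # only PowerShell/wmic launches are in scope for this audit
    hits = [name for name, rx in CMDLINE_RULES if rx.search(cmd)]
    if PureWindowsPath(event["parent"]).name.lower() in SERVICE_PARENTS:
        hits.append("service_parent")  # admin tooling spawned by a service or web process
    if event["user"] not in APPROVED_ADMIN_USERS:
        hits.append("unapproved_user")  # account outside the admin baseline
    return hits

def triage(events):
    """Map host -> triggered rules for every event that needs analyst attention."""
    return {e["host"]: hits for e in events if (hits := classify(e))}

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(hits)}")
```

The routine PowerShell service query on tel-core-03 produces no hits, while the remaining three events surface because of command-line flags, an unexpected parent process, or an account outside the baseline.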