InfiniteEyes News (2025)

22/11/2025

A newly analyzed campaign attributed to a cluster known as UNC1549, also tracked under aliases such as Nimbus Manticore, GalaxyGato (are we in Star Wars?), AND Subtle Snail by separate security vendors, marks a significant escalation in both technical complexity and strategic intent. Active since at least late 2023 and continuing through 2025, this threat actor has deployed a suite of custom malware, including the DEEPROOT Linux implant and TWOSTROKE Windows backdoor, exploiting trusted third parties, virtual desktop infrastructure (VDI), and deceptive recruitment lures to compromise aerospace and defense organizations across the Middle East and to the US. Tunnelling tools, credential and privilege escalation tools, the backdoors mentioned, and patience, enable long-term, multi-stage espionage.

The growth of Iranian APTs is not incidental. Isolation has forced Iran to innovate internally, forming dedicated cyber units within the IRGC, Ministry of Intelligence, and affiliated contractors. Threat clusters such as APT33, APT34, OilRig, and MuddyWater have already demonstrated long-term operational discipline and an interest in critical infrastructure, maritime logistics, and petrochemical research. If current patterns continue, Iran may soon possess an espionage program as technically advanced as North Korea’s Lazarus Group or Russia’s APT29, with different priorities and regional focus.
UNC1549 also uses highly credible recruitment-themed phishing: fake job offers, cloned LinkedIn pages, and deceptive HR portals. Aerospace professionals, engineers, avionics specialists, cybersecurity managers are ideal targets due to their access to highly protected intellectual property.
Known targets include a Boeing phishing attempt. Known breaches across Israel recently include Elbit Systems. The UAE Cybersecurity Council remains tight-lipped, although reporting suggests potential targeting in UAE, Turkey, India, and Albania.

Attack chain, operational digital architecture, tactics, and toolkits available on the Substack.

———
infiniteeyesnews.substack.com (it’s free and will remain so.)

07/11/2025

Hacking Team first entered the public eye not as a headline-grabbing threat actor but as a supplier of what it describes as lawful-intercept tools. These are remote-access systems, zero-day exploits marketed to police and intelligence services for “targeted” hacking. The company’s business model does not differ from other spyware mercenaries: provide capabilities to catch criminals and terrorists using what international export controls describe as “intrusion software”. However, when distributed to authoritarian regimes, software of this nature is ripe for abuse. In 2015, suspicions of potential abuse metastasized into proof when an enormous cache of internal emails, invoices and source code of roughly 400 gigabytes was made public through Wikileaks. The documents suggested that Hacking Team’s tools and zero-day exploits had been sold or trialed to governments with poor human-rights records, raising questions about complicity in surveillance of journalists, dissidents and minority communities.

In response to human rights concerns, the Italian government revoked Hacking Team’s global export license in April 2016, restricting sales outside the European Union to individual export licenses per customer. As of 2025, after a one-euro merger-acquisition with InTheCyber Group, it has rebranded as Memento Labs under CEO Paolo Lezzi. Now, it has been making headlines thanks to another state-actor misusing their technology, this time for the purposes of cyber-warfare above surveillance.

1/2

———
Full article at infiniteeyesnews.substack.com

09/10/2025

The new wave of digital insurgents: Scattered Spider, LAPSUS$, ShinyHunters, now scattered lapsus$ hunters, operate less like organized syndicates and more like philosophical experiments in entropy. Methods of extortion, social engineering, SIM Swaps, and data leaks are flexing power in an age defined by surveillance and spectacle.

Arrests across the U.S., U.K., and Baltics have exposed a network responsible for over $100M in corporate intrusions, yet their true significance lies beyond financial damage. These actors merge cybercrime with accelerationist thought, adopting a posture of anti-ideological revolt, where chaos itself becomes a medium, and maximum damage, with maximum noise, and maximum profit becoming guiding motives.

Now joining forces with newly identified Crimson Collective, both group’s Telegram broadcasts echo Marinetti’s Futurist exaltation of aggression and velocity—but transposed into the digital domain, most recently against open-source software/ cloud infrastructure provider RedHat. Breaches and criminal acts have since become performance art. What links them is not loyalty or formal organization but a shared nihilist accelerationist impulse: to intensify collapse, to weaponize spectacle, to turn every system against itself, in the corporate domain, and sometimes IRL.

Beyond the showmanship, the Scattered Lapsus$ Hunters are also sharing tools and techniques. They have advertised a range of exploits for sale or use, claiming to possess zero-day exploits for enterprise software. They also claim to be building supercharged ransomware-as-a-service targeting VMware instances at the kernel level, with potential for lease to affiliates. This may just be talking big, but the intent has been noted.

scattered lapsus$ hunters have regardless targeted critical infrastructure alongside airlines, retail giants, and transport networks like Transport for London using low-tech but deeply human tactics: voice phishing, impersonation, and psychological manipulation. In this way, they are decentralized, adaptive, and recursive, mirroring the systems they infiltrate. One thing is certain, these are not the hackers of ten or twenty years ago.

05/09/2025

High-level overview of OFFZONE Security Conference. Review the sessions at offzone. moscow, or see selected key addresses and analysis on the Substack.

Moscow’s OFFZONE 2025 wasn’t just another hacker conference, it was a stage where Russia’s cyber strategy came into a new view. Hosted by BI.ZONE (a Sberbank subsidiary tied to WEF’s Cyber Polygon), the event highlighted how AI, hardware exploitation, and state-run cryptography are shaping an ecosystem where private industry, academia, and intelligence converge.

Behind the technical talks lie a system where the FSB and FSTEC control cryptographic standards, licensing, and surveillance, ensuring every company aligns with state interests, BI.ZONE and Kaspersky included. This model powers both digital defense and offense, fortifying Russian networks and supply chains at home while probing weaknesses abroad.

The bigger story: OFFZONE reflects a global trend toward digital sovereignty and surveillance consolidation, from Russia’s “Sovereign Internet” to Western digital ID and Big Tech-government partnerships. Different language, same direction. Same digitization of ledgers and human processes.

The question is: are we watching innovation, or rehearsals for control under the guise of collaboration?

05/09/2025

High-level overview of OFFZONE Security Conference. Review the sessions at offzone. moscow, or see selected key addresses and analysis on the Substack.

Moscow’s OFFZONE 2025 wasn’t just another hacker conference, it was a stage where Russia’s cyber strategy came into a new view. Hosted by BI.ZONE (a Sberbank subsidiary tied to WEF’s Cyber Polygon), the event highlighted how AI, hardware exploitation, and state-run cryptography are shaping an ecosystem where private industry, academia, and intelligence converge.

Behind the technical talks lie a system where the FSB and FSTEC control cryptographic standards, licensing, and surveillance, ensuring every company aligns with state interests, BI.ZONE and Kaspersky included. This model powers both digital defense and offense, fortifying Russian networks and supply chains at home while probing weaknesses abroad.

The bigger story: OFFZONE reflects a global trend toward digital sovereignty and surveillance consolidation, from Russia’s “Sovereign Internet” to Western digital ID and Big Tech-government partnerships. Different language, same direction. Same digitization of ledgers and human processes.

The question is: are we watching innovation, or rehearsals for control under the guise of collaboration?

25/08/2025

Full article and sources: infiniteeyesnews.substack.com.
//
In early July, Senator Tom Cotton, chair of chamber’s intelligence committee, also serving on its Armed Services Committee, sent a letter to Defense Secretary Pete Hegseth about Microsoft’s reported practices with the Chinese Communist Party, per Reuters.

“The U.S. government recognizes that China’s cyber capabilities pose one of the most aggressive and dangerous threats to the United States, as evidenced by infiltration of our critical infrastructure, telecommunications networks, and supply chains,” Cotton wrote in the letter. The U.S. military “must guard against all potential threats within its supply chain, including those from subcontractors”.

In a matter of weeks, Microsoft’s on-premises SharePoint servers suffered, and continue to suffer widespread, active attack due to a cluster of critical security flaws collectively dubbed “ToolShell”. These include critical vulnerability exploits CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771, with attacks attributed to CCP’s APT27 & APT31. These vulnerabilities affect Microsoft SharePoint Enterprise Server 2016, 2019, and, specifically for CVE-2025-49706 and CVE-2025-53770, the SharePoint Server Subscription Edition. The only patch offered from Microsoft so far is for 2016 Enterprise Servers and older, causing continued attacks as recently as last Monday.
Dutch cybersecurity firm Eye Security first detected ToolShell exploitation in July, followed by CheckPoint Research’s further analysis.
A threat actor using the alias ‘cnkjasdfgd’ and claiming to be a member of the WarLock ransomware gang claimed an attack and offered to sell for $200,000 a batch of one million documents allegedly stolen from C**t, a UK Telecommunications firm.
Several data samples have also been published to prove the validity of the files, with attacks dating back to March in Croatia, Turkey, and Portugal. According to the individual, some stolen files include financial, employee, customer, and executive data, internal emails, and software development information.

Warlock claimed 16 victims across government, finance, and manufacturing in its first month.

08/08/2025

The Syrian Telecommunications Company announced on Saturday that “a major disruption affected several communication circuits, causing partial outages in internet and landline services in Damascus and Aleppo”, coincidentally the same night violence surfaced between Druze militias, the New Syrian Government, and Christian and Sunni bedouin tribes in the Suwayda governate.

Despite these claims that the disruptions were due to “technical and logistical challenges,” including a fuel shortage, multiple accounts from residents and activists indicate that the blackout was deliberate and occurred in parallel with military activity. “The internet shutdown was part of the attack,” people told SMEX.

21/07/2025

DefenseNews: A jamming attack in March was triangulated to the harbor town of Baltiysk, which is also home to the Russian Baltic Fleet and its electronic-warfare complex, a military facility packed with antennas and mobile EW units, although the triangulation appeared to resolve to a point southwest of the city, closer to the harbor.
GPS jammers and spoofers can be very small, even those with a large range, and might be easily overlooked in satellite imagery. Ziebold, a German researcher, said his team had purchased jammers the size of a shoe box that had a range of many kilometers.
This also means that they can be mobile. The jammer that has been plaguing Estonia, for example, appears to have moved from southwest of Saint Petersburg to northwest of the city.
This emerges from data shared by open-source intelligence researcher auonsson, who is part of a network of social media activists examining the jamming saga on a technical level. The person behind the social media handle spoke Defense News on the condition of remaining anonymous.
Auonsson used aircraft-transmitted data to create a heatmap of possible jammer locations around Russia’s imperial city. The flight information transmitted by planes and used for live airplane tracker maps also contains information about the quality of GPS data; when an aircraft’s GPS quality suddenly drops, this suggests that a jammer has come up over the plane’s horizon. By plotting the horizons of thousands of flights when they first encountered jamming, a heat map can be created, allowing for an approximate idea of where the offending transmitter might be located. The source code for this experiment is available on GitHub, (github.com/jpajala/GpsJammerLocator) and the data (airplanes.live) on which the investigation is based is publicly available.
“I don’t consider the exact source very relevant for the public discussion,” the person behind the auonsson handle said. “The country is, though,” they added, referring to Russia.
——
See infiniteeyesnews.substack.com for full sources and analysis including the scope of GNSS disruptions, how R-Mode is becoming critical to navigational security, and Russia’s Baltic EW capabilities.

05/07/2025

Full article and sources: infiniteeyesnews.substack.com

——/1
Last Sunday, the last pro-democracy party in Hong Kong, the League of Social Democrats, disbanded, along with other crucial civil society organizations amongst a wave of new disappearances under the city’s new National Security law. Under the law, police have arrested around 330 individuals, prosecuted 189, and secured convictions against 165 under opaque justification.
Privacy and civil liberties are taking a massive hit as well as China’s policing surveillance dragnet expands to the shores of Europe, Iran, and Hong Kong. iFlyTek is funding research from York and Queen’s universities in Canada, while Hikvision, ZTE, Huawei, Tiandy provide CCTV backbones. iFlyTek voice pattern recognition, national biometrics databases, AI pattern detection models can retroactively track movement on a persistent basis.
The Chinese government has been investing heavily in AI-driven biometric data capturing over the past decade. Facial recognition, thermal cameras, AI object and movement detection, and surveillance technologies such as “smart cities,” integrate into the CCP’s Sharp Eyes program, which can monitor all aspects of an individual’s public life are all on the docket, according to Wenhao Ma of VOA’s China Division. Hong Kong authorities used evidence from AI surveillance cameras installed last year to prosecute six people for monkey feeding, while using thermal cameras and AI data aggregation to target rat populations.
——/1

17/06/2025

Full sources and commentary: infiniteeyesnews.substack.com.
——/
The simmering geopolitical tensions between Iran and Israel have metastasized into a persistent and escalating cyber conflict that is destabilizing critical infrastructure, economic stability, and regional digital sovereignty. Recent attacks, attribution intelligence, and strategic assessments paint a clear picture: cyberspace is no longer a supporting front—the hybrid is becoming a primary domain of modern warfare, targeting families, using infrastructure used by civilians every day, creating an atmosphere where no one is safe.
Both states have intensified their cyber operations, with Iran’s OilRig and MuddyWater groups targeting Israeli entities, hacktivists affecting satellite and military communications, and suspected Israeli actors deploying tailored cyberweapons to degrade Iranian infrastructure, surveillance networks, implementing agit prop tools, while anti-regime Iranian actors Lab Dookhtegan disrupts communications of 116 Iranian commercial vessels. Reformists are largely sidelined, hardliners fractured. The field is open for a post-Khamenei government. Who will be the next Al-Jolani?

Today, all databases of Sepah Bank, one of the largest central banks in Iran, were erased in a major cyber attack. All its ATMs are non-functional and customers can’t withdraw cash. IDF has proposed a strong media blackout during attacks, specifically surrounding impact sites. Gaza has internet connectivity blackouts due to disrupted telecommunication lines from June 12-15, and is again disrupted on June 17. Iran’s own internet shutdowns, designed to limit dissent and shield state activity, are backfiring economically and tactically. Iran’s reliance on domestic infrastructure like the National Information Network (NIN) and “halal internet” has created a brittle system, costing them $1m a day in lost business, per a new report from Internet Society. Kurdistan seeing daily scheduled internet shutdowns for public school exams until June 29. Minor hacktivist spillover defacement attacks from both pro-Israel and pro-Iran clusters. There are currently 83 groups active, with 3 Russian groups supporting Iran.
——/1

16/05/2025

Full article and sources: infiniteeyesnews.substack.com

——/1 Picture this: you’re wearing headphones that whisper secrets of self-mastery and productivity into your skull, a soft signal gently coaxes you into meditative bliss, your dreams then become advertising space and somewhere in a galaxy far, far away, or maybe just a floor above some server farm—your brainwaves are being commodified like pork futures. Welcome to “neurocapitalism”, what could go wrong? The human mind—the final black box—is being opened with gold-plated crowbars. At the Zhongguancun Forum, at ad agencies in Manhattan, at VR arcades in Seoul, the same future is unfolding: our thoughts as data points. Our emotions as metrics. Our free will as an illusion optimized for ad delivery.
The age of privacy is over. The age of thought-mining has begun.
As consumer neurotechnology moves from science fiction to everyday reality, a comprehensive April 2024 and a recent symposium by the Neurorights Foundation has raised urgent red flags about the unchecked collection and misuse of neural data. Synchron and Apple are making new partnerships, while China’s innovation sector gets more and more public about its goals. Neurorights Foundation’s report, titled “Safeguarding Brain Data: Assessing the Privacy Practices of Consumer Neurotechnology Companies,” evaluates the data privacy policies of 30 global neurotech firms and finds a disturbing lack of transparency, user control, and consent mechanisms surrounding the use of brain data.
29 out of 30 companies (96.67%) have access to consumers’ neural data without meaningful limitations.
Only 22 companies (73.33%) have privacy policies related to their neurotechnology products available on their websites. The remaining 8 companies (26.67%) lack publicly accessible policies specific to their neurotechnology offerings.
While all companies provide a contact method, only 11 (36.67%) responded to inquiries. Just 4 companies (13.33%) meet all standards for transparency, including providing relevant policy documents, responsive communication channels, and notifications of policy changes.

/1

InfiniteEyes News

22/11/2025

07/11/2025

09/10/2025

05/09/2025

05/09/2025

25/08/2025

08/08/2025

21/07/2025

05/07/2025

17/06/2025

16/05/2025

Address

Website

Alerts

Contact The Business

Shortcuts

Share