APT37’s Ruby Jumper campaign demonstrates a mature approach to air-gap traversal.

Observed tradecraft includes:
• LNK-based initial execution
• Embedded PowerShell payload extraction
• Ruby interpreter abuse (v3.3.0)
• Scheduled task persistence (5-minute interval)
• USB-based covert bidirectional C2
• Multi-stage backdoor deployment
Toolset: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, BLUELIGHT.

The removable media relay model enables:
– Command staging offline
– Data exfiltration without internet access
– Lateral spread across isolated systems
– Surveillance via Windows spyware
This reinforces a critical point:
Air-gap controls must extend beyond physical disconnection. They need USB governance (device allow-listing and write-blocking), device auditing, behavioral monitoring of interpreters and scheduled tasks, and strict runtime execution policies so that a dropped interpreter cannot run from a user-writable path.
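As an added illustration of the "behavioral monitoring" point (this is example code written for this page, not tooling from the TechNadu post or the BleepingComputer article), the routine below runs three behavioural rules over constructed Windows telemetry: a scheduled task created with a short repetition interval whose action is a scripting interpreter, an interpreter started from a user-writable path, and a write to removable media by a process already flagged by the second rule. The event field names, the 15-minute threshold, and every sample record are assumptions made for the illustration.

```python
"""
Added example: hunting for a scheduled-task-driven interpreter that relays through USB.
The telemetry shape (Security 4698 task creation, Sysmon event 1 process creation,
Sysmon event 11 file creation) and all sample records are constructed for this page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Interpreters an attacker can drop next to a script (the post notes a bundled Ruby 3.3.0).
INTERPRETERS = {"ruby.exe", "rubyw.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe", "python.exe"}

# Paths a scheduled task or interpreter should not normally run from on a managed host.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents|temp)\\", re.I)

# Parents that show Task Scheduler launched the child (svchost hosts the Schedule service).
SCHEDULER_PARENTS = {"svchost.exe", "taskeng.exe"}

SHORT_INTERVAL_MIN = 15   # assumption: legitimate user tasks rarely repeat this often


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_interval_minutes(iso: str) -> int | None:
    """Parse a Task Scheduler repetition interval (ISO 8601 duration like PT5M or PT1H30M).
    Day-length or absent intervals return None so they never trip the short-interval rule."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", iso or "")
    if not m or not any(m.groups()):
        return None
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return hours * 60 + minutes


def hunt(events: list[dict]) -> list[Finding]:
    """Apply the three rules in event order, correlating by process GUID so a removable-media
    write only fires when the writing process was already flagged as a suspicious interpreter."""
    findings: list[Finding] = []
    suspect_guids: set[str] = set()

    for ev in events:
        host, eid = ev["host"], ev["event_id"]

        if eid == 4698:  # Security log: scheduled task created
            exe = basename(ev["action"])
            interval = parse_interval_minutes(ev.get("repetition", ""))
            short = interval is not None and interval <= SHORT_INTERVAL_MIN
            if exe in INTERPRETERS and (short or USER_WRITABLE.match(ev["action"])):
                findings.append(Finding(host, "short_interval_task_runs_interpreter",
                    f"{ev['task_name']} runs {ev['action']} (interval {ev.get('repetition') or 'none'})"))

        elif eid == 1:  # Sysmon: process created
            image = ev["image"]
            if basename(image) in INTERPRETERS and USER_WRITABLE.match(image):
                suspect_guids.add(ev["process_guid"])
                via = "via Task Scheduler" if basename(ev["parent_image"]) in SCHEDULER_PARENTS else "interactively"
                findings.append(Finding(host, "interpreter_from_user_writable_path",
                    f"{image} started {via} (parent {ev['parent_image']})"))

        elif eid == 11:  # Sysmon: file created
            if ev.get("drive_type") == "removable" and ev["process_guid"] in suspect_guids:
                findings.append(Finding(host, "suspect_process_wrote_removable_media",
                    f"flagged process {ev['process_guid']} wrote {ev['target']}"))
    return findings


# Constructed sample telemetry: one suspicious chain on ws-07, benign activity on ws-12.
SAMPLE_EVENTS = [
    {"host": "ws-07", "event_id": 4698, "task_name": "\\Microsoft\\Windows\\Sync\\UpdateCheck",
     "action": "C:\\Users\\alice\\AppData\\Roaming\\rb\\bin\\ruby.exe",
     "arguments": "C:\\Users\\alice\\AppData\\Roaming\\rb\\main.rb", "repetition": "PT5M"},
    {"host": "ws-07", "event_id": 1, "process_guid": "{A1}",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\rb\\bin\\ruby.exe",
     "parent_image": "C:\\Windows\\System32\\svchost.exe"},
    {"host": "ws-07", "event_id": 11, "process_guid": "{A1}",
     "target": "E:\\System Volume Information\\cache.bin", "drive_type": "removable"},
    {"host": "ws-12", "event_id": 4698, "task_name": "\\Backup\\Nightly",
     "action": "C:\\Program Files\\Backup\\backup.exe", "arguments": "", "repetition": "P1D"},
    {"host": "ws-12", "event_id": 1, "process_guid": "{B2}",
     "image": "C:\\Program Files\\Ruby33\\bin\\ruby.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"host": "ws-12", "event_id": 11, "process_guid": "{B2}",
     "target": "C:\\dev\\out.txt", "drive_type": "fixed"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.rule}: {f.detail}")
```

Only the ws-07 chain produces findings: a developer running Ruby from Program Files, or a daily backup task, never matches. The GUID correlation is what keeps the removable-media rule from flagging every USB write on the estate; in production the same logic would consume Sysmon or EDR events rather than the inline list, and the interval threshold and interpreter set would be tuned per environment.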

Are critical infrastructure operators prepared for USB-mediated C2 relays?

Source: https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/

Engage below.

Follow TechNadu for high-signal threat intelligence insights.
Repost to elevate awareness.

#Infosec #APT37 #AirGapSecurity #ThreatModeling #MalwareAnalysis #NationStateThreats #USBExfiltration #SOC #DetectionEngineering #CyberDefense #OperationalSecurity #ThreatHunting #ZeroTrustArchitecture

Norway’s PST has confirmed Salt Typhoon activity affecting Norwegian organizations, citing exploitation of vulnerable network devices within critical infrastructure environments.

The 2026 assessment frames cyber operations as China’s primary intelligence vector, while noting that Russia remains the most significant overall threat due to sustained espionage, infrastructure mapping, and hybrid operations. The report reinforces the convergence of cyber tradecraft with influence and HUMINT activity.

For defenders, the findings highlight the importance of network device visibility, cross-sector intelligence sharing, and long-term monitoring.

💬 What defensive gaps does this assessment expose?

🔔 Follow TechNadu for ongoing threat intelligence reporting

#ThreatIntelligence #SaltTyphoon #NationStateThreats #CriticalInfrastructure #CyberDefense #InfoSec #TechNadu

Palo Alto Networks’ Unit 42 has detailed a prolonged cyber espionage campaign affecting government agencies and critical infrastructure across 37 countries.

The activity demonstrates advanced tradecraft, including phishing-delivered loaders, exploitation of enterprise platforms, multi-layered infrastructure, and stealthy persistence mechanisms. While intelligence collection appears to be the primary objective, researchers warn that the scale and duration of the campaign present long-term risks to public services.

For defenders, this highlights the need for deeper visibility across networks, identities, and supply chains.

💬 What detection gaps does this research expose?
Source: https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/

🔔 Follow TechNadu for in-depth threat intelligence coverage

#ThreatIntelligence #AdvancedPersistentThreats #CriticalInfrastructure #NationStateThreats #InfoSec #CyberDefense #TechNadu

China-linked hackers have been abusing trusted tools and infrastructure to stay stealthy and persistent — blending in is now the attack strategy. Detection must look for behavior, not signatures. 🐉🕵️‍♂️ #NationStateThreats #ThreatEvasion

https://thehackernews.com/2026/01/china-linked-hackers-have-used.html

China-Linked Hackers Have Used the PeckBirdy JavaScript C2 Framework Since 2023

Researchers detail PeckBirdy, a JavaScript C2 framework used since 2023 by China-aligned attackers to spread malware via fake updates and web injections.

The Hacker News

Chinese state-backed hackers are using rootkits to hide ToneShell malware — deep stealth designed to evade detection for months. Persistence is the real weapon. 🕳️👻 #NationStateThreats #StealthMalware

https://www.bleepingcomputer.com/news/security/chinese-state-hackers-use-rootkit-to-hide-toneshell-malware-activity/

Chinese state hackers use rootkit to hide ToneShell malware activity

A new sample of the ToneShell backdoor, typically seen in Chinese cyberespionage campaigns, has been delivered through a kernel-mode loader in attacks against government organizations.

BleepingComputer

Iran’s cyber objectives are expanding — blending espionage, disruption, and influence ops across global sectors. Geopolitics is now encoded in malware. 🌍💻 #NationStateThreats #CyberStrategy

https://www.darkreading.com/cybersecurity-operations/iran-cyber-objectives

Iranian hackers breached 100+ government orgs using the Phoenix backdoor — stealthy persistence with geopolitical intent. 🔥🏛️ #NationStateThreats #CyberEspionage

https://www.bleepingcomputer.com/news/security/iranian-hackers-targeted-over-100-govt-orgs-with-phoenix-backdoor/

Iranian hackers targeted over 100 govt orgs with Phoenix backdoor

State-sponsored Iranian hacker group MuddyWater has targeted more than 100 government entities in attacks that deployed version 4 of the Phoenix backdoor.

BleepingComputer

Chinese hackers abused a modified ArcGIS Server as a long-term backdoor into government networks, turning a trusted mapping platform into an infiltration route. 🗺️🐉 #GeospatialSecurity #NationStateThreats

https://thehackernews.com/2025/10/chinese-hackers-exploit-arcgis-server.html

Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year

Chinese hackers used a modified ArcGIS server to maintain hidden access for over a year.

The Hacker News

Phantom Taurus, a China-linked APT, targets ministries, embassies & military ops across Africa, Asia & the Middle East—using stealthy .NET malware to infiltrate IIS servers. Espionage at scale. 🕵️‍♂️🌐 #APT #NationStateThreats

https://thehackernews.com/2025/09/phantom-taurus-new-china-linked-hacker.html

Phantom Taurus: New China-Linked Hacker Group Hits Governments With Stealth Malware

Phantom Taurus, a China-aligned group, uses NET-STAR malware to spy on governments across three regions.

The Hacker News

New Zealand sanctions Russia’s Unit 29155 (GRU hackers) over cyberattacks on Ukraine.

This group, also known as Cadet Blizzard / Ember Bear, was tied to WhisperGate & espionage across Europe. Sanctions: travel bans, asset freezes, and restrictions on funding.

💬 Are sanctions an effective tool in deterring state cyber units — or mainly diplomatic gestures? Share your take + follow @technadu for updates.

#CyberSecurity #CyberWarfare #Russia #Ukraine #Unit29155 #Sanctions #WhisperGate #InfoSec #ThreatIntel #NationStateThreats