This is your China Hack Report: Daily US Tech Defense podcast.
Hey listeners, Ting here with your China Hack Report: Daily US Tech Defense for August 27, 2025—let’s get those firewalls up and the popcorn ready because the state-sponsored show is rolling at full blast.
Right out of the gate, CISA, the NSA, and FBI have issued a joint cybersecurity advisory this morning, warning about a major ongoing campaign from People’s Republic of China state-sponsored APT actors. These groups, with memorable names like Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, have been methodically targeting critical US infrastructure—think telecom, transportation, lodging, and defense. The tactic du jour is exploitation of backbone routers, especially the edge devices that telcos and big networked operations rely on. These attackers are getting persistent access by quietly exploiting vulnerabilities, sometimes even modifying router firmware and configurations to stick around undetected. It isn’t just the US on their dance card, either—this is global, and the advisory includes updated intel from fresh investigations through July.
CISA’s Acting Director Madhu Gottumukkala and FBI Cyber Division’s Brett Leatherman both called out the need for sunlight on PRC tactics and immediately actionable guidance. Immediately patch known exploited vulnerabilities, especially those in your edge infrastructure like routers and VPN gateways. Centralize your logging, lock down admin access, and review router firmware for unsigned or suspicious changes. They’re also recommending robust threat hunting initiatives, not just patch and pray.
Just this week, Google and its Threat Intelligence Group landed a whopper of a real-time alert, spotting the China-linked UNC6384 group—potentially Silk Typhoon—using captive portal hijacks. Imagine logging onto public Wi-Fi at your favorite airport and getting redirected to a fake Adobe update. That innocent “update” is actually a malware launcher: first, a malicious MSI package, then stage-two tools like CANONSTAGER and SOGU.SEC backdoors, giving attackers remote god-mode access. Google first caught this campaign back in March, but it’s ramped up lately, with diplomats in Southeast Asia hit particularly hard. If you see a strange software prompt after connecting to public Wi-Fi, run—don’t click.
Meanwhile, Cyware Daily Threat Intelligence flagged PlugX malware being delivered by the same UNC6384 group. PlugX is nasty: it can siphon off sensitive data, open remote shells, and drop more payloads. They’re primarily targeting government, technology, and manufacturing, but retail and healthcare are also getting caught in the net.
The new vulnerabilities keep coming—CISA just added two hot flaws in Citrix Session Recording (CVE-2024-8068, CVE-2024-8069) and a brand-new Git bug (CVE-2025-48384) to its Known Exploited Vulnerabilities catalog. These enable privilege escalation, remote code execution, and arbitrary code execution. Federal agencies and critical infrastructure have until Monday to patch Microsoft Exchange against exploits being used in the wild. CISA’s message: drop everything and patch, patch, patch.
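One way to turn a KEV addition like the ones above into a concrete to-do list is to match the catalog against your own asset inventory and sort by remediation deadline. The script below is an added example, not code from the podcast or from CISA; it assumes the public KEV JSON schema (a `vulnerabilities` list whose entries carry `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` and `requiredAction`), and the snapshot, inventory and every date in it are constructed for illustration, with the due dates being placeholders rather than CISA's actual deadlines.

```python
"""Added example (not from the podcast or CISA): triage a KEV catalog snapshot
against a local asset inventory and report which hosts still carry an
unpatched KEV entry, most urgent deadline first.

Assumptions: the KEV JSON schema CISA publishes (vulnerabilities[] with cveID,
vendorProject, product, dateAdded, dueDate, requiredAction). The snapshot,
inventory and all dates below are constructed; the dueDate values are
placeholders, not CISA's real deadlines.
"""
import json
from datetime import date

# Constructed KEV-style snapshot using only the CVE IDs named in the report.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-8068", "vendorProject": "Citrix",
         "product": "Session Recording", "dateAdded": "2025-08-25",
         "dueDate": "2025-09-15",  # placeholder deadline
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2024-8069", "vendorProject": "Citrix",
         "product": "Session Recording", "dateAdded": "2025-08-05",
         "dueDate": "2025-08-26",  # placeholder deadline, already past
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2025-48384", "vendorProject": "Git",
         "product": "Git", "dateAdded": "2025-08-25",
         "dueDate": "2025-09-15",  # placeholder deadline
         "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})

# Constructed inventory. Vendor/product strings are matched case-insensitively
# against the KEV vendorProject/product fields; patched_cves lists what has
# already been remediated on that host.
INVENTORY = [
    {"host": "rec-01", "vendor": "Citrix", "product": "Session Recording",
     "patched_cves": {"CVE-2024-8068"}},
    {"host": "build-07", "vendor": "git", "product": "git",
     "patched_cves": set()},
    {"host": "mail-02", "vendor": "Microsoft", "product": "Exchange Server",
     "patched_cves": set()},  # no matching entry in this snapshot
]


def load_kev(raw_json):
    """Return the vulnerabilities list from a KEV catalog document."""
    return json.loads(raw_json)["vulnerabilities"]


def _key(vendor, product):
    """Normalise vendor/product pairs so 'Git'/'git' compare equal."""
    return (vendor.strip().lower(), product.strip().lower())


def triage(kev_entries, inventory, today):
    """One finding per (host, unpatched KEV entry), sorted by days to deadline.

    `today` may be a datetime.date or an ISO date string; negative days_left
    means the placeholder deadline has already passed.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    by_product = {}
    for entry in kev_entries:
        by_product.setdefault(
            _key(entry["vendorProject"], entry["product"]), []).append(entry)

    findings = []
    for asset in inventory:
        for entry in by_product.get(_key(asset["vendor"], asset["product"]), []):
            if entry["cveID"] in asset["patched_cves"]:
                continue  # already remediated on this host
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "days_left": days_left,
                "overdue": days_left < 0,
                "action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["days_left"], f["host"], f["cve"]))
    return findings


def report(findings):
    """Render findings as one fixed-width line per host/CVE pair."""
    lines = []
    for f in findings:
        status = (f"OVERDUE by {-f['days_left']}d" if f["overdue"]
                  else f"{f['days_left']}d left")
        lines.append(f"{f['host']:10} {f['cve']:16} due {f['due']}  {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Evaluate as of the episode date; the Exchange host produces no finding
    # because this snapshot carries no entry for it.
    print(report(triage(load_kev(KEV_SNAPSHOT), INVENTORY, "2025-08-27")))
```

In practice you would replace `KEV_SNAPSHOT` with the JSON feed CISA publishes and `INVENTORY` with an export from your asset or configuration management system; the matching is deliberately on vendor and product only, so a version-aware inventory would narrow the findings further.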
Don’t sleep on ShadowSilk, either—Group-IB and CERT-KG are reporting a hybrid Russian-Chinese threat cluster tearing through government networks in Central Asia, using Telegram bots for command-and-control and phishing for initial access. These attackers are using familiar names but deploying custom malware and advanced toolkits for long-term espionage and data theft.
To wrap: patch every edge device, update Citrix and Exchange, ignore pop-up updates on public Wi-Fi, and double-check those admin panels like your job depends on it—because it probably does.
That’s the hacks for today, folks. Thanks for tuning in to China Hack Report: Daily US Tech Defense. Be sure to subscribe and don’t miss tomorrow’s breach bonanza.