This is your China Hack Report: Daily US Tech Defense podcast.
Hey listeners, Ting here, China Hack Report, and you know the drill: straight to the essentials, because I know your threat feeds are already overflowing. Today is Friday, August 22, 2025, and in the last 24 hours we’ve seen a full-court press from Chinese state-linked actors, with no sign of them hitting pause.
Jim Cattler, Director of the DCSA, just described the global landscape as a “perfect storm,” and I’d say even he’s being generous; think Category 5 cyber hurricane. Our top kinetic threats keep coming from the China playbook: Volt Typhoon, Salt Typhoon, and the ever-inventive Silk Typhoon, which you probably know better as Murky Panda. This group is in North America’s backyard, taking down government, defense, tech, and academic networks with cloud-native moves that make yesterday’s SOC look like dial-up.
CrowdStrike warned that Murky Panda recently weaponized the zero-day bug CVE-2025-3928 in Commvault, plus old but gold exploits like CVE-2023-3519 against Citrix NetScaler. This isn’t just about breaking into cloud SaaS providers — they’re abusing trust relationships and identity infra like Entra ID, turning delegated access into the skeleton key of their cyber ambitions. Oh, and if you thought SOHO routers were too boring for nation-state ops, think again — they’re using those for stealthy exit nodes, prolonging their presence and complicating detection. Adam Meyers at CrowdStrike calls this group “downstream disasters waiting to happen,” with one SaaS provider’s breach cascading through customer environments undetected for days.
And while my colleagues are patching edge devices, another stealth threat is moving at app speed: Arizona State University and Citizen Lab flagged three Android VPN families, racking up 70 million downloads, all secretly tied to Qihoo 360, which the US Commerce Department already lists as a Chinese military company. The kicker? Hard-coded Shadowsocks passwords and weak cryptography mean that not only is user data getting hoovered up, but we’re seeing nation-state level backend infrastructure married to mass-market apps. These VPNs are collecting way more location and device data than disclosed, violating privacy and opening Americans—yes, teens too, thanks to targeted ads—to espionage and traffic interception.
CISA and partners are on full alert, urging urgent patching for Commvault, Citrix, and really any device with a KEV entry, especially if it’s been left to rot at the end of its lifecycle. They want you reviewing your patch management, swapping out unsupported hardware, and triple-checking privilege grants, especially for cloud identity. If your hospital network or critical infra still relies on legacy Cisco Smart Install, take a hint from the FBI’s latest advisory: patch or replace, or risk Russian infection thanks to the simultaneous attack surface. Yes, it’s whack-a-mole, but whack even harder for anything with a China or Russia fingerprint.
Final word: Defense now means verifying identities and trust chains all the way down. Don’t let remote cloud admin rights become the weak link. If you’re a policymaker, Open RAN is the hill to die on — interoperability is your only buffer against supply chain lock-in and national security leaks courtesy of Huawei and ZTE. Remember, the new rules: patch quick, check twice, and question everything.
Thanks for tuning in! Subscribe for your daily hit of tech intel you actually need, and stay paranoid, folks. This has been a Quiet Please production; for more, check out quietplease.ai.
For more http://www.quietplease.ai