SITREP - Independent OSINT Channel
AI, technology, mass surveillance, and intelligence — everything you need to know about tomorrow.
🔍 GitHub Used As North Korea C2

A phishing campaign linked to North Korean operators is targeting South Korean organizations using GitHub as a C2 infrastructure channel. Initial access is delivered via LNK files — Windows shortcut attachments that execute payloads upon interaction.

Routing command-and-control traffic through GitHub allows operators to blend malicious communications with legitimate platform activity, complicating network-level detection. The technique reduces the operational signature of the campaign by avoiding dedicated attacker-controlled domains.

🛰️ Open sources - closed narratives
@sitreports
🔍 CERT-UA Identity Spoofed, RAT Deployed

Between March 26 and 27, 2025, the Computer Emergency Response Team of Ukraine disrupted a campaign in which threat actors impersonated CERT-UA itself to deliver a Go-based remote access trojan to targets in Ukraine.

Spoofing a national cybersecurity authority to distribute malware inverts the trust model those institutions depend on for incident response coordination. Targets conditioned to act on CERT-UA communications become the attack surface.

📡 Kremlin Pushes State Messenger Adoption

The Kremlin is actively promoting MAX, a state-backed messaging application, as a preferred communications platform for Russian users. According to Reuters reporting, a segment of the population is declining to install the service.

State-promoted messaging infrastructure follows an established pattern in centralized communications strategy: routing civilian traffic through domestically controlled platforms enables metadata retention and content access under national law. Resistance from users indicates the substitution effort has not achieved passive adoption — a marker of incomplete normalization.

🔍 Fortinet Patches FortiClient EMS Flaw

Fortinet has released a patch for CVE-2026-35616, a privilege escalation vulnerability scoring 9.1 on the CVSS scale, affecting FortiClient EMS versions 7.4.5 through 7.4.6. Active exploitation has been recorded since March 31, 2026.

The vulnerability allows local or remote attackers to escalate privileges within affected EMS deployments. FortiClient EMS is commonly used in enterprise environments for endpoint management, making privilege escalation flaws in this component operationally significant for lateral movement scenarios.

🔍 Axios npm Compromised via Social Engineering

A maintainer of the Axios HTTP client library — one of the most widely used npm packages — was targeted through a social engineering operation attributed to North Korean threat actors. The attack used a fabricated Microsoft Teams error fix as a pretext to gain access to the maintainer's account, as detailed in a post-mortem published by the Axios team.

The method follows an established pattern in DPRK-linked intrusion sets: targeting individual developers with elevated repository access rather than attacking package infrastructure directly. Compromising a maintainer account provides write access to published packages, enabling downstream supply chain manipulation at scale across dependent projects.

🔍 150 Aircraft Deployed Over Iran

The U.S. military deployed over 150 aircraft to recover a downed aviator in Iran, according to Gen. Dan Caine. The recovery operation included tactical drones, strike aircraft, and additional assets providing overhead protection for search-and-rescue personnel on the ground.

The scale of the deployment reflects standard force-protection doctrine applied to personnel recovery in denied or contested territory — layered air cover to suppress interdiction of ground teams. Committing that volume of assets indicates the operation was conducted under conditions of active or anticipated threat, not permissive airspace.

✈️ Air Force Requests $1B CCA Drones

The U.S. Air Force has submitted a request for nearly $1 billion in fiscal year 2027 to begin CCA procurement, marking the transition of the Collaborative Combat Aircraft program from development into initial acquisition.

The CCA program is designed to field autonomous drone wingmen capable of operating alongside crewed fighter aircraft. A dedicated FY2027 budget line indicates the Air Force is moving toward operational inventory rather than continued prototype evaluation.

🔍 Marines Award ARV Second Prototype Phase

The U.S. Marine Corps has awarded a second prototyping phase for its Advanced Reconnaissance Vehicle to two major defense contractors. The ARV program targets a next-generation ground platform optimized for reconnaissance and intelligence-gathering in contested environments.

A dual-award structure at the second prototype phase indicates the Marine Corps is sustaining competitive pressure between vendors before committing to a single production contract. This approach distributes technical risk and preserves leverage over final design requirements.

🔍 Storm-1175 Chains Zero-Days to Ransomware

Storm-1175, a China-linked threat actor, has exploited over 16 CVEs since 2023 — including zero-days — to deploy Medusa ransomware within 24 hours of initial access. The operational tempo indicates a pre-staged pipeline: vulnerability exploitation feeds directly into ransomware execution with minimal dwell time, as detailed in this threat analysis.

The use of zero-days alongside known CVEs suggests tiered access to exploit inventory — high-value vulnerabilities deployed selectively, with already-patched CVEs used against infrastructure that has not applied the fixes. Sub-24-hour ransomware deployment reduces the defensive detection window to near zero, consistent with actors prioritizing disruption over prolonged access.

🔍 FBI Dismantles Russian DNS Hijacking Network

The FBI executed Operation Masquerade, dismantling a covert router hijacking network attributed to Russian actors. The operation targeted infrastructure used to conduct DNS hijacking attacks against high-value individuals and organizations across thousands of compromised devices.

DNS hijacking at the router level allows traffic interception and credential harvesting without a detectable presence on endpoint devices. Targeting routers rather than hosts indicates a collection posture optimized for persistence and broad access across every network sharing the same gateway.

🔍 Iran-Linked Actors Hit U.S. PLCs

Iran-linked operators have disrupted U.S. critical infrastructure by targeting internet-exposed programmable logic controllers, deploying Dropbear SSH to establish persistent access across operational technology environments. The PLC campaign affected multiple sectors, indicating broad reconnaissance of exposed industrial control surfaces rather than a single-target operation.

The use of Dropbear — a lightweight SSH implementation common in embedded systems — points to a methodology optimized for low-footprint persistence on resource-constrained OT devices. Internet-exposed PLCs without segmentation or authentication controls represent a structurally persistent attack surface across U.S. industrial infrastructure.

🔴 Centcom Expands Drone Strike Scale

U.S. Central Command announced Tuesday that additional one-way attack drones were launched against Iran as part of Operation Epic Fury. The Centcom commander stated that hundreds of U.S. drones are involved in the operation.

The use of one-way attack drones at this declared scale indicates a sustained attrition-based strike posture rather than a discrete strike package. Mass expendable drone employment reduces reliance on crewed aircraft and complicates adversary air defense prioritization across multiple simultaneous vectors.

🎯 Army Eyes Fourfold PrSM Procurement

The Trump administration's fiscal 2027 budget request allocates funds to quadruple Army procurement of the Precision Strike Missile, a long-range surface-to-surface system designed to replace the ATACMS.

The scale of the requested increase indicates a structural shift toward deep-fires capacity rather than incremental stockpile maintenance. Accelerated PrSM procurement fits a broader pattern of U.S. ground forces prioritizing long-range precision strike inventory ahead of potential high-intensity conflict scenarios.

🔍 DPRK Seeds 1,700 Malicious Packages

North Korean threat actors have distributed over 1,700 malicious packages across npm, PyPI, Go, and Rust repositories since January 2025, according to this reporting. The operation spans four major package ecosystems simultaneously, combining espionage objectives with financial theft.

The cross-ecosystem scope indicates a structured supply chain poisoning campaign rather than opportunistic package abuse. Targeting open-source registries used by developers globally maximizes downstream reach — compromised dependencies propagate automatically into production environments without direct targeting of end systems.

🔍 Japan Loosens Privacy Rules for AI

Japan's government is advancing privacy law changes intended to remove opt-out rights for personal data use in AI development. A cabinet minister framed individual opt-out mechanisms as a structural obstacle to AI adoption, signaling that regulatory acceleration takes precedence over data subject controls.

The move positions Japan in direct competition with jurisdictions offering permissive data environments for model training. Eliminating opt-out rights shifts the legal default from consent-based to use-based data access — a structural change that expands the pool of training data available to domestic and potentially foreign AI developers operating under Japanese law.

🔍 10PB Breach Claimed, Tianjin Supercomputer

Hackers have claimed a 10PB data breach at the National Supercomputing Center in Tianjin, China. The NSCC Tianjin operates as a shared infrastructure node serving thousands of client organizations, including defense contractors and advanced research institutions.

If the volume claim is accurate, the exfiltration would represent one of the larger supercomputing facility breaches on record. Supercomputing centers present high-value targets due to consolidated data holdings across multiple sensitive end-users — a single intrusion yields access to research, modeling data, and institutional records spanning many organizations simultaneously.

🎯 Marines Test FPV Drone At Sea

U.S. Marines and Naval Special Warfare operators successfully struck an unmanned vessel using a small first-person view drone launched from a naval craft in the Pacific, according to a DefenseScoop report.

The exercise demonstrates integration of low-cost FPV platforms into maritime small-unit tactics. Deploying drone strikes from moving naval craft against unmanned surface targets extends a pattern established in littoral combat development — adapting commercial drone technology to naval interdiction roles.

Combining Naval Special Warfare personnel with Marine units in this test indicates a joint-force approach to unmanned surface vessel threat response, a capability with direct relevance to Pacific theater operational planning.

🔍 Iran Drone Arsenal: Damage Assessed

Secretary Hegseth and General Caine stated that Operation Epic Fury inflicted significant damage on Iran's drone arsenal, though neither official provided a comprehensive accounting of remaining capacity. Battle Damage Assessments are ongoing, with fuller evaluations expected in the immediate post-operation period.

The gap between official claims and verified damage figures is a standard feature of post-strike reporting. BDA processes typically lag combat operations by days to weeks, and public statements from senior officials precede formal assessment cycles — a pattern that routinely produces discrepancies between initial characterizations and confirmed results.

🔍 APT28 Deploys PRISMEX Against Ukraine

Russia-linked APT28 has deployed a malware toolkit designated PRISMEX against Ukrainian and allied infrastructure, according to recent reporting. The operation employs stealthy execution techniques designed to maintain persistent command-and-control access while evading detection.

APT28 — attributed to Russian military intelligence — has sustained offensive cyber operations against Ukrainian state and allied targets since at least 2022. PRISMEX represents a continued investment in bespoke tooling, consistent with the group's pattern of developing dedicated malware for high-priority espionage campaigns rather than relying on commodity infrastructure.

🎯 Typhoon Tests Laser-Guided Drone Countermeasure

The Royal Air Force is evaluating laser-guided rockets fired from Typhoon jets as a lower-cost method of engaging uncrewed aerial threats, following trials conducted by BAE Systems. BAE assessed the approach as a potentially cheaper alternative to current air-to-air munitions used against drones, according to trial reporting.

The development reflects a structural shift in counter-UAS procurement logic: legacy air forces are under pressure to reduce the cost-per-kill ratio when engaging low-value drone targets with high-value fighter platforms. Laser-guided rockets occupy a cost tier below dedicated air-to-air missiles, making them operationally relevant against attritable uncrewed systems.

🎯 Army Seeks Automated Hazard Detection

The U.S. Army is conducting market research for algorithms and sensor systems capable of automated target recognition in breaching operations, with a focus on detecting explosive hazards and physical obstacles at the forward edge of battle.

The initiative follows a broader pattern of automated perception integration into ground force doctrine, where human-speed visual identification of IEDs and barriers is treated as a tactical bottleneck. Sensor-algorithm pairing in this role shifts detection from individual operator attention to persistent machine surveillance of the operational environment.