Cyber Intelligence
Pro-Palestinian Hackers Attack Satellites
This report contains selected cybersecurity information from 28 November to 11 December 2025.
This report is TLP:CLEAR¹ and MAY be shared freely.
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release: 29 May 2025.
Synopsis
Hackers increased attacks on satellites and space industries during the Gaza conflict. Hackers leveraged attacks on “React” software. PRC and North Korean government hackers joined attacks exploiting “React”. Another major PRC hacking campaign was discovered, and a new PRC hacking team, “WARP PANDA”, was identified. PRC cyberattacks have become personal. Some PRC “students” may be government hackers.
It is our assessment that the three major cyber conflicts (Russia vs Ukraine, Iran vs Israel, and the People’s Republic of China) are the most likely sources for the creation of next-generation malware and/or primary sources of cyberattacks. This includes government-funded hackers (military, intelligence, and civilian employees), affiliated hackers (criminals and mercenaries), and volunteer “supporters”.
Cyberwarfare in Space
Cyberattacks on Satellites Ramped Up During the Gaza Conflict. The Center for Security Studies (CSS) at ETH Zürich reports that during the Israel–Iran conflict (read: Gaza conflict), there were 237 cyber operations targeting the space sector between January 2023 and July 2025. Attacks peaked in June 2025, with 72 incidents recorded.
“All but one of the threat actors identified in the space sector were pro-Palestinian groups. … Hacktivists targeted 77 different space organizations or companies during the Gaza conflict. Rafael, the Israeli military technology company Elbit Systems, and the ISA were the most targeted, but international bodies such as the United States’ National Aeronautics and Space Administration (NASA) were also included. … More than 70 per cent of the cyberattacks in space were denial-of-service (DDoS) attacks, which flood a website with traffic so that a machine or network is overwhelmed and crashes for users. … Other types of attacks included data leaks, intrusions, and data breaches. … ‘Cyber operations against the space sector are now part of a general trend during armed conflicts’,”² the report stated, comparing the pattern to similar activity observed during Russia’s invasion of Ukraine.
Analysts’ Comments: We reviewed several reports describing cyberattacks on satellites. Some reports suggest that ground links were DDoSed, effectively jamming satellite communications. Other reports alluded to attacks on satellite systems themselves; however, no technical details were provided. The problem with civilian satellite systems is that many legacy or older satellites were not designed with secure communications in mind. Additionally, many engineering teams did not anticipate that hackers might attempt to take control of satellites or their subsystems. While no documentation exists on the percentage of vulnerable satellites, it is likely that insecure satellite constellations are currently in orbit.
The “React” Compromise
At Least 77,000 IPs Vulnerable. An initial count by the Shadowserver Foundation identified at least 77,000 websites (with unique IP addresses) vulnerable due to the React2Shell flaw in “React” software. React is a free and open-source JavaScript library used to power millions of websites and is utilized by popular services such as Airbnb and Netflix. Its core packages are downloaded approximately 60 million times per week.³
Cybersecurity company Censys stated that it “observed over 250,000 instances of React, Waku, React Router, Next.js, and RedwoodSDK that could be vulnerable. Nearly 70,000 instances are in the United States, followed by China (30,000), Germany (25,000), and India (13,000). … Cloud security giant Wiz reported that 39% of the cloud environments it monitors include vulnerable React or Next.js versions.”⁴
PRC and North Korean Government Hackers Attack React2Shell. Hackers from the PRC and North Korea rapidly began exploiting the React2Shell vulnerability. AWS Security observed exploitation attempts in AWS MadPot originating from infrastructure linked to China-aligned groups Earth Lamia and Jackpot Panda—activity “historically linked to known China state-nexus threat actors.”⁵
This was followed by North Korean hacker groups exploiting React2Shell to deliver a previously undocumented remote access trojan dubbed EtherRAT. EtherRAT combines tools and methodologies from at least separate hacking groups and “leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org.”⁶ All of this activity occurred within days of the exploit being publicly disclosed.
Broadside Malware Campaign
The newly identified Mirai-based Broadside botnet has been targeting vulnerable digital video recorder (DVR) products from TBK Vision in a campaign posing a significant threat to the maritime logistics sector (merchant ships, ports, and warehouses). An exploit was disclosed in April 2024. Kaspersky reported over 50,000 exposed DVR devices, with infections observed in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil.
Weeks later, Fortinet warned of a surge in exploitation attempts attributed to Condi, Fodcha, Mirai, and Unstable botnets. More recently, Cydome reported that the Broadside botnet joined the campaign, executing a mass loader script directly into device memory.
Among its capabilities, the malware attempts to harvest system credential files for lateral movement. Infected devices could be used to access CCTV feeds from ship bridges, cargo holds, and engine rooms; flood satellite communications; or move laterally into critical operational technology (OT) systems.⁷ While the exact number of infected devices is unknown, over 50,000 DVRs remain potential targets.⁸
Analysts’ Comments: The presence of 50,000 vulnerable devices suggests a significant proportion of global merchant ships, ports, and warehouses may be exposed. This places the lifelines of global trade—from fuel to food—at risk through the Broadside malware campaign. To date, no nation-state participants have been identified.
People’s Republic of China (PRC)
New PRC Cyber Campaign Targeting VMware and vSphere Servers. Multiple agencies, including the U.S. National Security Agency (NSA) and Canada’s Cyber Security Centre, have warned that PRC hackers are targeting VMware and vSphere servers with Brickstorm malware. Brickstorm creates hidden rogue virtual machines to evade detection and steal cloned VM snapshots for credential theft. It employs multiple encryption layers (HTTPS, WebSockets, nested TLS), SOCKS proxies for tunneling and lateral movement, and DNS-over-HTTPS (DoH) for concealment. The malware also includes self-monitoring functions that automatically reinstall or restart it if disrupted.⁹
Security agencies report that Brickstorm targeted multiple government services and IT entities. According to CISA Acting Director Madhu Gottumukkala, Chinese-linked operators are “infiltrating sensitive networks and embedding themselves to enable long-term access, disruption, and potential sabotage.” One documented intrusion persisted from April 2024 through at least 3 September 2025.¹⁰
Analysts’ Comment: Given Canada’s Cyber Security Centre’s typically conservative reporting posture, this announcement suggests Brickstorm penetrated an especially sensitive network, likely affecting the U.S. as well.
CrowdStrike Reveals PRC Hacking Group “WARP PANDA”. CrowdStrike identified the actors behind Brickstorm as a newly identified China-nexus adversary, WARP PANDA. The group demonstrates a high level of stealth and focuses on persistent, long-term covert access aligned with PRC intelligence objectives.¹¹
PRC Cyberattacks Become Personal. Media reports describe harassment of anti-PRC activists abroad, including AI-generated deepfake pornography targeting female activists. Montreal-based YouTuber Yao Zhang, who supports Taiwan, Hong Kong, and Uyghur causes, became the subject of widespread AI-generated explicit images in September 2024.¹²
In the UK, Hong Kong pro-democracy activist Carmen Lau reported receiving letters from China containing sexually explicit deepfake images purporting to advertise sexual services.¹³
Analysts’ Comments: Local reporting suggests this activity is widespread and coordinated with pro-PRC efforts targeting activists, strongly indicating state-directed campaigns.
Some PRC “Students” May Not Be Innocent. SentinelLabs researchers linked Yu Yang and Qiu Daibing—alleged members of the PRC state hacking group Salt Typhoon—to participants in the 2012 Cisco Networking Academy Cup. Both individuals are co-owners of Beijing Huanyu Tianqiong, a company identified in international advisories as a front for Salt Typhoon operations.¹⁴
Researchers emphasized that Cisco and its Networking Academy had no involvement in these activities.
Analysts’ Comment: This is not the first instance where PRC students abroad have been suspected of acting as government-affiliated hackers or military personnel.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org