Security Advisories
Reducing Exposure to Bulletproof Hosting
Advisory • High Priority

Cybercriminals increasingly rely on Bulletproof Hosting (BPH) providers—services that knowingly lease hosting, IP space, or entire ASNs to threat actors while ignoring abuse complaints and takedown requests. These networks provide a safe haven for malware delivery, phishing, fast-flux DNS, command-and-control, and data-extortion operations.

BPH infrastructure is often blended into legitimate networks, using leased IP blocks and rapidly rotating ASNs to evade detection. This creates a difficult balance for defenders: block too aggressively and risk disrupting legitimate services; block too narrowly and leave malicious infrastructure untouched.

The growth of BPH services amplifies cyber risk by enabling high-impact attacks such as ransomware, large-scale phishing, and data-extortion campaigns with minimal operational cost to attackers. Their constant infrastructure churn, cross-jurisdictional hosting, and opaque ownership make attribution and disruption significantly harder.

In this environment, intelligence-led visibility into BPH infrastructure is essential. Without the ability to identify malicious ASNs, TLDs, and traffic patterns, organisations remain reactive while adversaries exploit resilient hosting to operate at scale.

This report outlines how bulletproof hosting fuels modern cyber threats and provides clear, actionable strategies for reducing organisational exposure and improving resilience.

by Loris Minassian | November 27, 2025
Operation Cartograph: Flax Typhoon’s ArcGIS Exploitation Campaign
Advisory • High Priority

Recent intelligence links a sustained espionage campaign, tracked as Flax Typhoon, to the exploitation of trusted geo-mapping platforms such as ArcGIS. The operators—Chinese-speaking and state-aligned—weaponized legitimate mapping components to gain and maintain covert, long-term access within enterprise networks.

Initial compromise occurred through targeted phishing lures containing PowerShell and VBScript loaders, which retrieved a trojanized mapping “update” disguised as a legitimate patch. Once installed, the implant persisted via scheduled tasks and registry entries, encrypting its traffic to mimic normal mapping telemetry and effectively concealing command-and-control activity. It analyzed local geo-data to understand internal topology and prioritize lateral movement while deliberately…

by Loris Minassian | October 17, 2025
China-Linked Espionage Threatening Asia-Pacific Critical Communications
Advisory • High Priority

Persistent loaders (PlugX, Bookworm, Turian) are enabling long-term access to subscriber and core network data across the region.

The China-linked threat actors are intensifying espionage campaigns across Asia, with telecommunications providers and government networks as prime targets. These operations leverage modernised versions of PlugX, Bookworm, and Turian loaders, all sharing stealthy DLL sideloading and advanced in-memory decryption pipelines. By compromising telecoms and their service providers, adversaries gain access to subscriber data, network management systems, and interconnection gateways—delivering both intelligence and operational leverage.

The tradecraft—spear-phishing, stealth persistence, and credential harvesting—enables long-term footholds that are difficult to detect or eradicate. For enterprises, this represents a sustained risk of data exfiltration, service disruption, and systemic exposure across critical infrastructure.

What makes this campaign particularly dangerous is the convergence of multiple malware families into a shared ecosystem of loaders and toolkits, enabling adversaries to scale operations with minimal innovation. This ecosystem approach ensures persistence across borders, sectors, and technologies—posing not just a cybersecurity risk, but a direct challenge to regional resilience and national sovereignty.

by Loris Minassian | October 1, 2025