This is your China Hack Report: Daily US Tech Defense podcast.
China Hack Report: Daily US Tech Defense is your go-to podcast for the latest insights on China-linked cyber activities impacting US interests. Tune in daily to stay informed about newly discovered malware, sectors under attack, and emergency patches. Get expert analysis on official warnings and immediate defensive actions recommended by CISA and other authorities. Stay ahead of cyber threats with our timely updates and strategic insights to safeguard your tech infrastructure.
All content for China Hack Report: Daily US Tech Defense is the property of Inception Point Ai and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
China Pwns VMware, React in Epic Spy Ops - Feds Sound Alarm as Backdoors & RCEs Run Wild!
China Hack Report: Daily US Tech Defense
4 minutes
4 weeks ago
This is your China Hack Report: Daily US Tech Defense podcast.
Hey listeners, Ting here with your China Hack Report: Daily US Tech Defense, and today we’re diving straight into the freshest incursions on the digital front line.
Let’s start with the big new celebrity in malware hell: the Go-based backdoor BRICKSTORM. According to CISA, the NSA, and the Canadian Centre for Cyber Security, this tool is being run by People’s Republic of China state-sponsored actors to burrow deep into US and Canadian government and information technology networks. The advisory, covered by outlets like The Hacker News and Homeland Security Today, explains that BRICKSTORM targets VMware vSphere and Windows, sneaking in via virtual infrastructure that runs everything from cloud workloads to sensitive internal apps. Once inside, operators have been stealing login credentials, VM snapshots, and even Active Directory Federation Services keys, giving them golden-ticket access across entire environments.
CISA’s analysis shows one victim company was quietly compromised from April 2024 through early September 2025, which means these folks aren’t smash-and-grab; they’re long-term tenants. CISA and NSA are yelling the same message: patch VMware vSphere and vCenter, tighten identity management, lock down DNS-over-HTTPS egress, and monitor for weird WebSocket and encrypted command-and-control traffic. Broadcom’s VMware team is telling customers: update everything and stop exposing management interfaces to the internet, like, yesterday.
Now pivot with me to the JavaScript ecosystem, because Chinese state-nexus groups are also racing to weaponize the new React2Shell vulnerability, tracked as CVE-2025-55182. Breached.company and multiple threat intel shops report that threat groups including Earth Lamia, Jackpot Panda, and UNC5174—linked to China’s Ministry of State Security—jumped on this bug within hours of disclosure. React2Shell is a 10.0 CVSS remote code execution flaw hitting React Server Components and Next.js deployments.
Palo Alto Networks’ Unit 42 says more than 30 organizations have already been compromised, with AWS credentials stolen and implants like Cobalt Strike, Snowlight, Vshell, and Sliver dropped into cloud environments. Shadowserver is seeing over seventy-seven thousand internet-facing systems still vulnerable, roughly twenty-three thousand of them in the United States, and GreyNoise has logged more than a hundred active exploit sources in the last day.
CISA has slammed React2Shell into its Known Exploited Vulnerabilities catalog, effectively labeling it “patch or regret.” Federal agencies have a hard remediation deadline later this month, but private-sector teams, especially in finance, SaaS, and critical cloud service providers, should treat this as an all-hands incident. Immediate defensive moves: apply the vendor patches pushed to npm, rotate all exposed cloud credentials, enable strict web application firewall rules, and hunt for anomalous outbound traffic to unfamiliar command-and-control infrastructure.
Layer onto that CISA’s warning about the Iskra iHUB metering gateway flaw that could impact energy infrastructure, plus the BRICKSTORM campaign hitting government and IT, and you can see the pattern: Chinese-linked operators are going after the control plane—identity, virtualization, and cloud orchestration—because that’s where leverage lives.
That’s it for today’s sweep of China-linked cyber moves against US interests. Keep your patches current, your logs noisy, and your attack surface boring.
Thanks for tuning in, and don’t forget to subscribe. This has been a Quiet Please production. For more, check out quiet please dot ai.