This is your Red Alert: China's Daily Cyber Moves podcast.
"Red Alert: China's Daily Cyber Moves" is your essential podcast for staying informed on the latest critical Chinese cyber activities targeting the United States. Updated regularly, this podcast delivers in-depth analysis of new attack patterns, compromised systems, and emergency alerts from CISA and the FBI. Stay ahead of active threats with expert insights into required defensive actions. Featuring a detailed timeline of events and potential escalation scenarios, "Red Alert: China's Daily Cyber Moves" is your go-to resource for understanding and responding to complex cyber challenges in real-time. Stay secure; stay updated.
All content for Red Alert: China's Daily Cyber Moves is the property of Inception Point Ai and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Whack-a-Mole: China Hacks Congress Budget Office in Sneaky Spy Campaign
Red Alert: China's Daily Cyber Moves
4 minutes
1 week ago
This is your Red Alert: China's Daily Cyber Moves podcast.
It’s Ting here, and if you’re tuning in today, you’ll want to buckle up—because the last 72 hours have been a digital game of whack-a-mole between American defenders and some seriously relentless cyber crews out of China. Let’s get into the nitty-gritty, because it’s not just zero-days and old exploits anymore—it’s persistent espionage, bold new tactics, and, you guessed it, everyone’s favorite alphabet soup of agencies issuing fresh emergency alerts.
Jumping to the headline: Just this week, sources inside both The Washington Post and CNN confirm the U.S. Congressional Budget Office—or CBO, for my policy wonks—was breached by suspected Chinese state hackers. This isn’t some throwaway target; the CBO shapes how Congress thinks about money, and the compromise could mean legislative forecasts, interoffice chats, and high-level negotiations are now part of someone’s Beijing homework. Staffers have been told to avoid any CBO email links, and the Senate’s Sergeant at Arms is overseeing an ongoing clean-up. Clearly, the stakes go way beyond the firewall.
Now, what tactics did these groups use? According to a set of reports, including those from Broadcom’s Symantec and Carbon Black teams, starting way back in April and extending to just days ago, threat actors like APT41, Kelp, and Space Pirates unleashed a suite of blended attacks against U.S. policy-oriented organizations. First came the mass network scans—think Atlassian OGNL injection, Log4j, Apache Struts, GoAhead RCE—classic Chinese toolkits, but repurposed for an adaptive, multi-vector onslaught. After the initial compromise, these groups didn’t smash-and-grab. Nope, they ran connectivity tests, used “netstat” to map out the network’s arteries, then dropped in automated scheduled tasks using schtasks to keep their beacons alive. They sideloaded DLLs through legitimate antivirus components, then injected payloads to mimic system processes—and even tried a DCSync operation to grab domain controller credentials for future lateral movement.
This campaign isn’t an isolated incident. Just two weeks ago, a variant of the attack was used to target U.S. telecoms and industrial control systems, with the same “tool-sharing” evident across Salt Typhoon, Space Pirates, and their APT41 cousins. According to The Hacker News, these actors even exploited the notorious WinRAR zero-day, and deployed remote access trojans and custom loaders to stay undetected for weeks at a time.
CISA and the FBI have both released new guidance: Patch the usual suspects—Microsoft Exchange, VMware Tools, WinRAR, and basically any system where you haven’t closed old CVEs. Multi-factor authentication is now “mandatory, not optional,” and endpoint monitoring must be set to “paranoid.” Emergency alerts say watch lateral movement: if you see excessive scheduled task creation, system-level persistence, or odd traffic pinging command-and-control servers, pull the plug and escalate.
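One concrete way to act on the “excessive scheduled task creation” tripwire above, as an added example that is not part of the podcast or of any agency guidance: a small Python detector that reads flattened Windows Security events (ID 4698, “a scheduled task was created”) and flags any host that creates several tasks inside a short sliding window. The log lines, host names, the 3-task threshold and the 5-minute window are all constructed assumptions for illustration.

```python
"""Flag hosts with bursty scheduled-task creation (Windows Security event 4698).
Added example, not from the podcast; the log lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<timestamp> <host> <event_id> <detail>".
SAMPLE_LOG = """\
2025-11-04T09:00:05 ws-finance-07 4698 TaskName=\\Microsoft\\Windows\\Updater01 User=ws-finance-07$
2025-11-04T09:00:09 ws-finance-07 4698 TaskName=\\Microsoft\\Windows\\Updater02 User=ws-finance-07$
2025-11-04T09:00:14 ws-finance-07 4698 TaskName=\\Microsoft\\Windows\\Updater03 User=ws-finance-07$
2025-11-04T09:00:20 ws-finance-07 4698 TaskName=\\Microsoft\\Windows\\Updater04 User=ws-finance-07$
2025-11-04T09:01:00 ws-finance-07 4698 TaskName=\\Microsoft\\Windows\\Updater05 User=ws-finance-07$
2025-11-04T09:30:00 ws-policy-02 4698 TaskName=\\Backup\\Nightly User=admin
2025-11-04T15:30:00 ws-policy-02 4698 TaskName=\\Backup\\Weekly User=admin
2025-11-04T09:05:00 ws-finance-07 4624 LogonType=3 User=svc-av
"""

def parse_events(text):
    """Yield (timestamp, host, event_id, detail) tuples from the flat log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, detail = line.split(" ", 3)
        yield datetime.fromisoformat(ts), host, int(event_id), detail

def flag_task_bursts(text, threshold=3, window=timedelta(minutes=5)):
    """Return {host: count} for hosts that created at least `threshold` scheduled
    tasks (event 4698) inside any sliding window of `window` length.
    Threshold and window are assumed tuning values, not agency guidance."""
    per_host = defaultdict(list)
    for ts, host, event_id, _ in parse_events(text):
        if event_id == 4698:
            per_host[host].append(ts)
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits inside `window`.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = max(flagged.get(host, 0), end - start + 1)
    return flagged

if __name__ == "__main__":
    for host, n in flag_task_bursts(SAMPLE_LOG).items():
        print(f"ESCALATE: {host} created {n} scheduled tasks within 5 minutes")
```

Normal administrative task creation (the two spaced-out backup tasks on ws-policy-02) passes silently; the burst of look-alike “Updater” tasks on ws-finance-07 is what gets surfaced for escalation.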
Here’s your quick Tuesday-to-Friday timeline: Congressional Budget Office breach detected—emergency advisory; tech-specific exploits light up in white-hat honeypots by Wednesday; by Thursday, confirmation from U.S. officials suggests attribution to Chinese state groups; today, new patches and hardening guidance drop, and incident response is ongoing—while staffers, for good measure, are told to pause internal comms just in case.
If you’re wondering about escalation, the playbook here is all about persistent access—not noisy destruction, at least not yet. But as tensions ratchet up, a compromised CBO or policy think tank could flip from mere reconnaissance to sabotage if diplomatic red lines are crossed.
That wraps your daily Red Alert—Ting style. Thanks for tuning in. Don’t forget to subscribe, and remember: in the cat-and-mouse cyber chase, staying patched and paranoid is your best bet. This has been a quiet please...