Chinese espionage campaign targeted House staffers ahead of trade talks
Ethical hackers uncover catastrophic flaws in restaurant chain's platforms, Salesloft Drift hack began last March, Customer data stolen in Wealthsimple breach, Trump to formally nominate Hartman for NSA/Cybercom slot, Don't trust XChat's encryption, Czech Republic warns of Chinese tech, much more


Metacurity needs your help!
Metacurity has been a labor of love for years, and I’m so grateful for your readership. Your support can help ensure I can continue delivering the carefully curated weekly long-reads and daily digests of the most critical developments in cybersecurity.
If you find value in what Metacurity offers, please consider upgrading to a paid subscription. We also provide corporate subscription options, and soon we’ll be introducing affordable sponsorship opportunities—perfect for promoting your events or products to a highly engaged audience.
To learn more, feel free to reach out at cynthia@metacurity.com.
Thank you so much for being part of the Metacurity community.
If you can't commit to a subscription, please consider donating what you can afford to help keep Metacurity free to all.
Sources say that in July, a cyber espionage campaign linked to Beijing targeted staffers on the House Select Committee on the CCP, the committee focused on US competition with China, with puzzling inquiries sent ahead of the Trump administration’s contentious trade talks with China.
Several trade groups, law firms, and US government agencies had all received an email appearing to be from the committee’s chairman, Rep. John Moolenaar (R., Mich.), asking for input on proposed sanctions with which the legislators were planning to target Beijing.
Cyber analysts, presumably from cybersecurity firms Mandiant and SentinelOne, traced the embedded malware to a hacker group known as APT41, believed to be a contractor for Beijing’s Ministry of State Security.
The hacking campaign appeared to be aimed at giving Chinese officials an inside look at the recommendations Trump was receiving from outside groups. It couldn’t be determined whether the attackers had successfully breached any of the targets.
Mandiant determined the spyware would allow the hackers to burrow deep into the targeted organizations if any of the recipients had opened the purported draft legislation. (Joel Schectman / Wall Street Journal)
Related: Reuters, WebProNews, The Australian
Ethical hackers BobDaHacker and BobTheShoplifter uncovered “catastrophic” vulnerabilities in multiple platforms hosted by Restaurant Brands International (RBI), which operates mega brands like Burger King, Tim Hortons, and Popeyes.
“Their security was about as solid as a paper Whopper wrapper in the rain,” the BobDaHacker blog said, sharing the full technical exposé, which has since been taken down by a DMCA request from Cyble Inc., acting on behalf of Burger King, but appears on the Wayback Machine.
The two hackers focused on something called the "assistant" platform, the digital brain behind every drive-thru screen, bathroom tablet review, and the employee asking if you want to make it a combo. Each of the following platforms had the same vulnerabilities: https://assistant.bk.com, https://assistant.popeyes.com, and https://assistant.timhortons.com.
The vulnerabilities allowed the researchers to access employee accounts, ordering systems, and listen to recorded drive-thru conversations, among other exploits. Despite this, the ethical hacking duo that responsibly informed RBI of the flaws was never acknowledged. (Mark Tyson / Tom's Hardware)
Related: Web Archive, BobDaHacker, PC Gamer

Salesloft issued a new advisory about the recent security incident involving its Drift application that allowed attackers to gain access to Salesforce data, confirming that the breach has been contained and customer protections are in place.
Salesloft’s advisory detailing Mandiant’s findings shows that the attacker gained access to a Salesloft GitHub account between March and June 2025. During this period, they downloaded content from several private repositories, added a guest user, and created new workflows.
Additionally, reconnaissance activity was also detected in both the Salesloft and Drift environments. However, investigators found no evidence that the attacker moved beyond limited probing in the Salesloft environment itself.
The attacker ultimately shifted focus to Drift’s AWS environment, where they obtained OAuth tokens from Drift customers. These tokens were then abused to access customer data through integrated applications.
Salesloft says it acted quickly to contain the incident. Mandiant confirmed that the Drift and Salesloft platforms are technically segmented, a factor that helped limit the attacker’s reach.
The breach is not limited to Drift alone. According to Google’s Threat Intelligence Group and Mandiant, the attack was part of a coordinated campaign that targeted Salesforce integrations across multiple companies in August.
Google has linked threat actor group UNC6395 to the campaign. At the same time, although unconfirmed, a separate group known as “Scattered Lapsus$ Hunters,” an apparent coalition that combines the tactics and branding of Scattered Spider, Lapsus$, and ShinyHunters, has publicly claimed responsibility. (Waqas / HackRead)
Related: Salesloft Drift
Wealthsimple, a leading Canadian online investment management service, disclosed a data breach after attackers stole the personal data of an undisclosed number of customers in a recent incident.
The company detected the breach on August 30th.
"We learned that a specific software package that was written by a trusted third party had been compromised. This resulted in personal data belonging to less than 1% of our clients being accessed without authorization for a brief period," Wealthsimple said.
"Data that was accessed was personal information like contact details, government IDs provided during the Wealthsimple sign-up process, financial details, such as account numbers, IP address, Social Insurance Number, or date of birth."
Since detecting the incident, the financial services company has notified impacted customers via email, and it is now providing them with two years of complimentary credit monitoring, as well as dark-web monitoring, identity theft protection, and insurance.
Affected customers are advised to secure their accounts using two-factor authentication (2FA) with an authenticator app, never reuse passwords, and remain vigilant against potential phishing attempts impersonating Wealthsimple.
While the company didn't provide any information on how the attackers gained access to the customers' personal information, the details shared in the statement and data breach notifications seemed to suggest that the company may have been one of the victims in a recent wave of Salesforce data breaches linked to the ShinyHunters extortion group. (Sergiu Gatlan / Bleeping Computer)
Related: Wealth Simple, Global News, CBC, Insurance Business America
Sources say Donald Trump is expected to nominate Lt. Gen. William Hartman, the acting leader of both the National Security Agency and US Cyber Command, to formally lead both agencies.
As part of the process, Hartman’s paperwork will be sent to the National Security Council before hitting the president’s desk. The dual role is a Senate-confirmed position, given that it is a promotion to four-star general.
Hartman has led both agencies in an acting capacity since April, when Trump abruptly fired Gen. Timothy Haugh from the role. Hartman had served as the deputy commander of US Cyber Command and previously served as commander of the Cyber National Mission Force. Before that, he served in various infantry, intelligence, and cyber operations military roles in the US, Germany, South Korea, Iraq, Afghanistan, and other locations.
Hartman is unlikely to face much pushback to his nomination in the Senate.
While Hartman has largely remained politically neutral and rarely speaks publicly, the New York Times reported last month that Hartman asked Director of National Intelligence Tulsi Gabbard to refrain from firing one of the NSA’s top scientists, but was rebuffed.
His nomination will come on the heels of Joe Francescon being picked to serve as deputy director of the NSA. (Daniel Lippman and Maggie Miller / Politico)
X, formerly Twitter, has started rolling out its new encrypted messaging feature called “Chat” or “XChat.”
The company claims the new communication feature is end-to-end encrypted, meaning messages exchanged on it can only be read by the sender and the recipient, and, in theory, no one else, including X, can access them.
Cryptography experts, however, are warning that X’s current implementation of encryption in XChat should not be trusted. They’re saying it’s far inferior to Signal, a technology widely considered the state of the art when it comes to end-to-end encrypted chat.
Security researcher Matthew Garrett and cryptography professor Matthew Green said that XChat is not at the point where users should trust it. “For the moment, until it gets a full audit by someone reputable, I would not trust this any more than I trust current unencrypted DMs,” Green said. (Lorenzo Franceschi-Bicchierai / TechCrunch)

The Czech Republic's National Cyber and Information Security Agency (NUKIB) is instructing critical infrastructure organizations in the country to avoid using Chinese technology or transferring user data to servers located in China.
The agency warned that these actions constitute a significant cybersecurity threat and should be entirely avoided unless there's a reasonable justification for continuing the practice.
"Current critical infrastructure systems are increasingly dependent on storing and processing data in cloud repositories and on network connectivity enabling remote operation and updates," NUKIB said.
NUKIB noted that it has already confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs.
The agency also emphasizes that the Chinese government has access to data stored by private cloud service providers within the country, ensuring that sensitive data is always within its reach.
Apart from critical infrastructure, NUKIB also warns about consumer devices, such as smartphones, IP cameras, electric cars, large language models, and even medical devices and photovoltaic converters manufactured by Chinese firms.
These are all characterized as risky devices that can transfer potentially sensitive data to Chinese infrastructure. (Bill Toulas / Bleeping Computer)
Related: NUKIB, WebProNews, Security Affairs, Industrial Cyber
VirusTotal discovered a phishing campaign hidden in SVG files that render convincing portals impersonating Colombia's judicial system in order to deliver malware.
VirusTotal detected this campaign after it added support for SVGs to its AI Code Insight platform.
VirusTotal's AI Code Insight feature analyzes uploaded file samples using machine learning to generate summaries of suspicious or malicious behavior found in the files.
After adding support for SVGs, VirusTotal found an SVG file that had zero detections by antivirus scans, but which the AI-powered Code Insight feature flagged as using JavaScript to display HTML impersonating a portal for Colombia's government judiciary system.
In the campaign discovered by VirusTotal, SVG image files are used to render fake portals that display a phony download progress bar, ultimately prompting the user to download a password-protected zip archive [VirusTotal]. The password for this file is displayed in the fake portal page. (Lawrence Abrams / Bleeping Computer)
Related: VirusTotal, Tom's Hardware, WinBuzzer
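The SVG technique described above (script inside an image file that writes HTML into the page) is something a mail gateway or triage script can check for statically, without any AI model. The following is an added example written for this digest; it is not VirusTotal's Code Insight and not code from the campaign. The two SVG samples are constructed stand-ins (the "phishing" one only mimics the shape of the technique), and the marker list is an assumed, deliberately small set of indicators.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not real campaign artifacts): a plain icon, and an SVG
# that carries an onload handler, embedded HTML via foreignObject, a
# javascript: link, and a <script> that decodes base64 and writes HTML.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
  <circle cx="12" cy="12" r="10" fill="#0a7"/>
</svg>"""

PHISH_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <foreignObject width="100%" height="100%">
    <div xmlns="http://www.w3.org/1999/xhtml">Cargando portal judicial...</div>
  </foreignObject>
  <a xlink:href="javascript:void(0)"><text y="20">Descargar</text></a>
  <script type="text/javascript">
    var p = atob("PGgxPlBvcnRhbDwvaDE+");
    document.write(p);
  </script>
</svg>"""

# Assumed indicator list: JS calls typically used to unpack and inject HTML.
JS_MARKERS = re.compile(
    rb"\b(atob|unescape|eval|fromCharCode|document\.write|createElement)\s*\("
)
# Long base64 runs often hold an embedded payload or a second-stage page.
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://...}' from a tag/attribute."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for one SVG document."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # An SVG that does not parse as XML is itself worth a look.
        return {"suspicious": True, "findings": [f"unparseable XML: {exc}"]}

    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag == "script":
            findings.append("script element")
        elif tag == "foreignobject":
            findings.append("foreignObject (embedded HTML)")
        for attr, val in el.attrib.items():
            a = _local(attr)
            v = val.strip().lower()
            if a.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler {a} on <{tag}>")
            if a == "href" and (v.startswith("javascript:") or v.startswith("data:text/html")):
                findings.append(f"active href on <{tag}>: {v[:40]}")

    # Raw-byte checks catch markers regardless of where they sit in the tree.
    for m in JS_MARKERS.finditer(data):
        findings.append(f"JS marker {m.group(1).decode()}()")
    if BASE64_BLOB.search(data):
        findings.append("long base64 blob")

    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("phish", PHISH_SVG)):
        result = scan_svg(sample)
        print(label, result["suspicious"], result["findings"])
```

The check deliberately treats any script, event handler, foreignObject or javascript: link as suspicious: legitimate icons and logos almost never need active content, so for attachments and inline images the right policy is usually to block or sanitize on any finding rather than to score them.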

Former Top Gear star Jeremy Clarkson revealed that his pub, The Farmer's Dog in the Cotswolds, has been plagued by several problems, including being hacked and swindled out of £27,000 (around $37,000).
Clarkson revealed the hack with few details in a Times column that recounts the challenges of operating a pub. (Jeremy Clarkson / The Times)
Related: The Standard, Oxford Mail, LADBible, Cyber Daily, The Sun, The Telegraph, The Mirror, Metro, Manchester Evening News
Hackers calling themselves SafePay carried out a ransomware attack on the five-star K Club resort in Co. Kildare as it prepared to host some of the world’s top golfers at the Irish Open this weekend.
Some data stolen during the breach was uploaded to the darknet. The leaked files included financial records, IT documentation, and administrative information.
Rory McIlroy, Shane Lowry, Tyrrell Hatton, and Brooks Koepka have reported difficulty using the resort’s wi-fi, with some saying they were unable to access Gmail.
Cybersecurity specialists believe the group is likely to be Russian. Its ransomware is designed not to infect systems configured with a Russian (Cyrillic) language setting, a characteristic often associated with Russia-based criminal operations.
Garda Headquarters became aware of the hack through its digital intelligence monitoring, which scans the darknet for threats against Irish organisations and the state. Despite this, no formal criminal investigation has yet been launched. The Data Protection Commission (DPC) has been notified and has opened an inquiry, however. (John Mooney / The Times)
Related: Kfm Radio
Microsoft said it’s no longer detecting issues with its Azure cloud platform after multiple international cables in the Red Sea were cut.
The company earlier advised that clients may experience increased latency, and that traffic traversing through the Middle East that originated or ended in Asia or Europe was being affected.
The Red Sea is a critical telecommunications route, connecting Europe to Africa and Asia via Egypt. Repairing subsea cables in the area can prove to be difficult, particularly since Yemen’s Houthis continue to attack vessels in the area. (Susanne Barton / Bloomberg)
Related: Associated Press, azure.status.microsoft, TechCrunch, Engadget, The Register, Tom's Hardware, Reuters, BBC, Al Jazeera, The Verge, Benzinga, Newsweek, Livemint, Reuters, India Today, Türkiye Today, WinBuzzer, SiliconANGLE, UPI
Data and cybersecurity startup Shift5 announced it had raised $75 million in a Series C venture round.
The round was led by Hedosophia, with participation from Insight Partners, Center 15 Capital, 645 Ventures, Moore Strategic Ventures, Booz Allen Ventures, Squadra Ventures, AE Industrial, Disruptive, CSP Equity Partners, and Savano Capital Partners. (Chris Metinko / Axios)
Related: citybiz, ExecutiveBiz, Shift5, Business Journals, Washington Technology, BankInfoSecurity
Cloud-based cybersecurity firm Netskope is seeking a valuation of up to $6.5 billion in its initial public offering in the United States.
Netskope said it would sell 47.8 million shares, priced between $15 and $17 apiece, to raise as much as $813 million. (Prakhar Srivastava and Pritam Biswas / Reuters)
Related: Techzine
Best Thing of the Day: More Proof Cyber Insurance Premium Growth Is Slowing
Swiss Re reports that the full-year 2025 cyber insurance premium will hit USD 15.6 billion, with growth estimates dropping from 6% to 5%.
Worst Thing of the Day: Ignore Security Pros at Your Own Risk
Security researcher Micah F. Lee, who reported that the ICE sightings app called ICEBlock was little more than activism theater, now reports that the app's developer, Joshua Aaron, failed to patch the flaws on his Apache server, making it trivial to hack.
Bonus Worst Thing of the Day: And the Award to Least Attractive New Product Goes to...
The AI-powered Friend pendant that listens to whatever you're doing as you move about the world is now available for $129 and will offer you critical feedback about yourself in case you need a dose of that in your life.
Closing Thought
