In today’s cybersecurity news…
U.S. weighs private companies’ cyberwarfare roles
The US administration is considering a policy shift that would let private companies play a more direct role in offensive cyber operations, according to former senior officials speaking with the New York Times. The move would expand the current model where firms can build tools but not conduct attacks, and would require changes to federal law plus congressional approval. The idea is expected to surface during the confirmation hearing for NSA and U.S. Cyber Command nominee Lt. Gen. Joshua Rudd, raising open legal and operational questions about outsourcing cyberwarfare to the private sector. (New York Times)
China: stop using US and Israeli cybersecurity software
Reuters’ sources say the Chinese government has instructed Chinese companies to stop using cybersecurity products from around a dozen U.S. and Israeli vendors, citing national security risks. The banned products include software from VMware, Palo Alto Networks, Fortinet and Check Point. This is part of a broader push to replace Western tech with domestic alternatives amid escalating U.S.-China tech tensions and ahead of the US president’s expected visit to Beijing in April. (Reuters)
DeadLock uses smart contracts to hide work
Group-IB researchers say the DeadLock ransomware crew, first spotted in mid-2025, is using Polygon smart contracts to hide its command-and-control infrastructure. Instead of double extortion, DeadLock encrypts systems and threatens to sell stolen data on underground markets. Its smart contract system rotates proxy addresses, complicating blocking efforts and mirroring tactics recently seen in North Korean campaigns. Access vectors aren’t clear, but earlier Cisco Talos reporting linked DeadLock to BYOVD techniques and EDR-kill exploits. (The Register)
Microsoft disrupts RedVDS cybercrime platform
Microsoft and international law enforcement disrupted RedVDS, a cybercrime subscription platform used to run large-scale payment diversion scams. RedVDS rented disposable Windows RDP servers for as little as $24 per month, enabling phishing, mailbox hijacking, and impersonation campaigns that contributed to more than $40 million in U.S. fraud losses. Microsoft seized domains and servers and filed civil suits after tracing more than 191,000 compromised email accounts and 3,700 impersonation domains to the service. Real estate transactions were hit especially hard. (The Record)
Huge thanks to our sponsor, ThreatLocker

Predator spyware dodges researchers
Jamf Threat Labs found Predator spyware can diagnose failed infections and detect when security tools are present, using error codes like “304” to signal active analysis. The Intellexa-made tool can spot utilities such as Frida and even netstat, aborting deployment to avoid scrutiny, while also suppressing crash logs to limit forensic evidence. Jamf says Predator’s troubleshooting and anti-analysis features outclass other commercial spyware, following recent research that highlighted similar differentiators. (CyberScoop)
France fines Free Mobile over 2024 data breach
France’s data protection authority CNIL fined Free Mobile and parent company Free a cumulative €42 million for GDPR violations tied to an October 2024 breach that exposed data on nearly 23 million subscribers. CNIL cited weak VPN authentication, poor anomaly detection, vague breach notifications, and excessive retention of former customer data. The agency ordered security improvements within three months and data deletion within six months. (BleepingComputer)
Poland repels cyberattack on power grid
Poland says it stopped a cyberattack on its power grid in late December that officials warned came “very close to a blackout.” The intrusion targeted communications between renewable installations like solar and wind sites and distribution operators, but not large plants. Government ministers called it the most serious energy-sector incident in years and said the motives suggest coordinated Russian sabotage, although no formal attribution was made. (The Record)
Linux malware targets the cloud, steals creds, and vanishes
Researchers at Check Point detailed a new Linux cloud-focused malware framework dubbed VoidLink. Written in Zig and reportedly developed in a Chinese environment, VoidLink bundles more than 30 plugins for reconnaissance, credential theft, lateral movement, Kubernetes/Docker discovery, persistence, and anti-forensics. It also includes multiple kernel rootkits, Cobalt Strike-style APIs, and self-deletion if analysis is detected. No real-world infections have been noted, but its logic for identifying the hosting cloud provider (AWS, GCP, Azure, Alibaba, Tencent) and its design for long-term access suggest a professional threat-actor tool. (The Register)