780th Military Intelligence Brigade (Cyber)

@780thmibdecyber.bsky.social

Official Bluesky page of the 780th Military Intelligence Brigade (Cyber). The Army's only offensive cyberspace operations brigade (following, re-posts, and links ≠ endorsement).

377 Followers  |  28 Following  |  986 Posts  |  Joined: 09.12.2024

Posts by 780th Military Intelligence Brigade (Cyber) (@780thmibdecyber.bsky.social)

New Select Committee Investigation Uncovers China’s Space Operations in Latin America Today, the Select Committee on China released a new investigation uncovering how China is using infrastructure in Latin America to advance its space capabilities and intelligence collection.

China is using Latin America as a launchpad for military space operations. What looks like civilian cooperation is actually part of a PLA-linked global network tracking satellites and monitoring adversaries.
The Select Committee on the CCP
chinaselectcommittee.house.gov/media/press-...

27.02.2026 13:57 — 👍 8    🔁 6    💬 0    📌 0

“Russia is testing us in the gray zone with tactics that are just below the threshold of war,” said Blaise Metreweli, head of Britain’s MI6. “Countering this activity is the work of intelligence and security services across Europe and the globe.”

27.02.2026 13:53 — 👍 2    🔁 0    💬 0    📌 0

Russia “is preparing for the possibility of a conflict with NATO and is conducting activities to test the West’s willingness to escalate,” argued a Feb. 19 report by the Dutch intelligence agencies, titled “Between War and Peace.”

27.02.2026 13:51 — 👍 2    🔁 0    💬 0    📌 1

“Every missile and drone that strikes Ukraine only strengthens our resolve,” British Foreign Secretary Yvette Cooper said Tuesday during a visit to Kyiv. “Putin thinks that he can outlast the U.K. and our allies. He is sorely mistaken.”

27.02.2026 13:50 — 👍 1    🔁 0    💬 0    📌 0
Opinion | The shadow war that’s strengthening Europe How Vladimir Putin’s campaign of sabotage and intimidation boomeranged on Russia.

The shadow war that’s strengthening Europe
How Vladimir Putin’s campaign of sabotage and intimidation boomeranged on Russia.
The Washington Post
www.washingtonpost.com/opinions/202...
@washingtonpost.com

27.02.2026 13:50 — 👍 7    🔁 6    💬 3    📌 0
#socialmedia #disinformation #ai #stratcom | NATO Strategic Communications Centre of Excellence | 12 comments In 2025, we stress-tested the social media ecosystem. As part of the “𝗦𝗼𝗰𝗶𝗮𝗹 𝗠𝗲𝗱𝗶𝗮 𝗠𝗮𝗻𝗶𝗽𝘂𝗹𝗮𝘁𝗶𝗼𝗻 𝗳𝗼𝗿 𝗦𝗮𝗹𝗲” experiment we examined how easy it is to buy inauthentic engagement and how effectively platfo...

Social Media Manipulation for Sale
NATO Strategic Communications Centre of Excellence
www.linkedin.com/posts/nato-s...

27.02.2026 13:34 — 👍 2    🔁 1    💬 0    📌 0
Russian Land Deals Near Military Sites Put Finland on Defensive The Finnish government is studying some of the hundreds of properties that have been bought near critical infrastructure and sensitive sites for signs of possible Russian infiltration.

Security for Sale
For decades, Finland allowed investors from Russia to buy real estate. Russians quietly amassed thousands of properties on NATO’s eastern flank, some close to military bases and critical infrastructure.
Bloomberg
www.bloomberg.com/graphics/202...
@bloomberg.com

27.02.2026 13:31 — 👍 7    🔁 6    💬 0    📌 0
The Reconnaissance General Bureau The Kim Regime's "Precious Treasured Sword" - HRNK North Korea’s Reconnaissance General Bureau (RGB) is the Kim regime’s leading foreign intelligence agency. However, it is far more than an intelligence agency in the traditional sense. Comparisons wit...

Reconnaissance General Bureau: The Kim Regime's Precious Treasured Sword
The Committee for Human Rights in North Korea
www.hrnk.org/documentatio...

27.02.2026 13:29 — 👍 1    🔁 0    💬 0    📌 0
N. Korea's Spy Agency a 'Complex Threat' Beyond Intelligence Role - UPI.com N. Korea's Reconnaissance General Bureau operates as a "complex threat entity" that merges military operations, cybercrime and terrorism, a report said.

UPI: North Korea’s Reconnaissance General Bureau operates as a “complex threat entity” that merges military operations, cybercrime and terrorism under a single command structure
www.upi.com/Top_News/Wor...

27.02.2026 13:26 — 👍 3    🔁 1    💬 1    📌 0
APT37 Adds New Tools For Air-Gapped Networks | ThreatLabz The APT37 Ruby Jumper campaign leverages newly discovered tools that can infect systems to communicate across air-gapped networks using removable media devices.

APT37 Adds New Capabilities for Air-Gapped Networks
Zscaler ThreatLabz discovered a campaign linked to APT37, which is a DPRK-backed threat group.
www.zscaler.com/blogs/securi...
@zscalerinc.bsky.social

27.02.2026 13:25 — 👍 1    🔁 1    💬 0    📌 0
Chinese Online Influence Operation Spreads Anti-American Conspiracy Claims President Donald Trump is to blame for the worsening fentanyl crisis in the United States. The U.S. manipulated the elections in Honduras last November. Japanese Prime Minister Sanae Takaichi is a cor...

Chinese Online Influence Operation Spreads Anti-American Conspiracy Claims
Foundation for Defense of Democracies
www.fdd.org/analysis/202...

26.02.2026 13:35 — 👍 1    🔁 0    💬 0    📌 0
PlugX is a long-running Remote Access Trojan (RAT) that has been consistently linked to multiple China-aligned threat actors and espionage operations worldwide.
Lab 52 | S2 Grupo
lab52.io/blog/plugx-m...

26.02.2026 13:33 — 👍 2    🔁 1    💬 0    📌 0
New Dohdoor malware campaign targets education and health care Cisco Talos discovered an ongoing malicious campaign since at least as early as December 2025 by a threat actor we track as “UAT-10027,” delivering a previously undisclosed backdoor dubbed “Dohdoor.”

New Dohdoor malware campaign targets education and health care
Cisco Talos
blog.talosintelligence.com/new-dohdoor-...
@talosintelligence.com

26.02.2026 13:30 — 👍 1    🔁 0    💬 0    📌 0
Disrupting the GRIDTIDE Global Cyber Espionage Campaign | Google Cloud Blog GTIG, Mandiant, and partners took action to disrupt a global espionage campaign from a suspected PRC-nexus cyber espionage group.

Exposing the Undercurrent: Disrupting the GRIDTIDE Global Cyber Espionage Campaign
The threat actor, UNC2814, is a suspected People's Republic of China (PRC)-nexus cyber espionage group
Google Threat Intelligence Group | Mandiant
cloud.google.com/blog/topics/...
@mandiant.com

26.02.2026 13:28 — 👍 1    🔁 0    💬 0    📌 0

Disrupting malicious uses of our models (OpenAI): cdn.openai.com/pdf/df438d70...

26.02.2026 13:25 — 👍 1    🔁 0    💬 0    📌 0
Disrupting malicious uses of AI Our latest threat report examines how malicious actors combine AI models with websites and social platforms—and what it means for detection and defense.

Disrupting malicious uses of AI
"Threat activity is seldom limited to one platform; as our report on a Chinese influence operator shows, it is not always limited to one AI model."
OpenAI
openai.com/index/disrup...

26.02.2026 13:25 — 👍 2    🔁 0    💬 1    📌 0
 

Former U.S. Air Force Pilot Arrested, Charged with Providing Defense Services to the Chinese Military
U.S. Department of Justice
www.justice.gov/usao-dc/pr/f...

26.02.2026 13:23 — 👍 1    🔁 0    💬 0    📌 0
Implications of Chinese Influence Operations for South Korea and the US-ROK Alliance • Stimson Center Considering Chinese influence operations and their impacts on South Korean security and society.

Implications of Chinese Influence Operations for South Korea and the US-ROK Alliance
Stimson Center
www.stimson.org/2026/implica...
@stimsoncenter.bsky.social

26.02.2026 13:22 — 👍 1    🔁 0    💬 0    📌 0
Manufacturing Nuclear Panic: Russia’s “Dirty Bomb” Claims as Information Warfare - Robert Lansing Institute The press service of Russia’s Foreign Intelligence Service (SVR) published a press release accusing the United Kingdom and France of intending to covertly

Manufacturing Nuclear Panic: Russia’s “Dirty Bomb” Claims as Information Warfare
Robert Lansing Institute
lansinginstitute.org/2026/02/25/m...

26.02.2026 13:21 — 👍 1    🔁 1    💬 0    📌 0
How Russia Used Influence Operation To Undermine U.S. Interests in Africa Two years ago, the West African nation of Niger dismissed U.S. troops and welcomed Russian ones. A new report documents how Russian information operations exploited preexisting vulnerabilities that fa...

How Russia Used Influence Operation To Undermine U.S. Interests in Africa
Foundation for Defense of Democracies
www.fdd.org/analysis/202...

26.02.2026 13:19 — 👍 1    🔁 0    💬 0    📌 0
North Korea’s Integration of AI Across Cyber, Economic, and Military Domains • Stimson Center Exploring the role of AI across North Korea’s cyber and military programs.

North Korea’s Integration of AI Across Cyber, Economic, and Military Domains
Stimson
www.stimson.org/2026/north-k...
@stimsoncenter.bsky.social

26.02.2026 13:18 — 👍 1    🔁 0    💬 0    📌 0
Malicious Next.js Repos Target Developers Via Fake Job Interviews Linked to North Korean fake job-recruitment campaigns, the poisoned repositories are aimed at establishing persistent C2 links to infected machines.

Without specifically attributing the campaign to North Korea, the researchers noted that the activity “aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows...”
www.darkreading.com/cyberattacks... @darkreading.bsky.social

26.02.2026 13:12 — 👍 2    🔁 1    💬 0    📌 0
Developer-targeting campaign using malicious Next.js repositories | Microsoft Security Blog A developer-targeting campaign leveraged malicious Next.js repositories to trigger a covert RCE-to-C2 chain through standard build workflows. The activity demonstrates how staged command-and-control c...

Microsoft Defender Experts identified a coordinated developer-targeting campaign delivered through malicious repositories disguised as legitimate Next.js projects
www.microsoft.com/en-us/securi...
@threatintel.microsoft.com

26.02.2026 13:10 — 👍 3    🔁 1    💬 1    📌 0
China Airpower Tracker The People’s Liberation Army Air Force, or PLAAF, is growing rapidly in both quality and quantity each year. In just...

China Airpower Tracker
The Mitchell Institute’s China Airpower Tracker fuses open-source intelligence on China’s People’s Liberation Army Air Force (PLAAF).
Mitchell Institute for Aerospace Studies
www.mitchellaerospacepower.org/china/

26.02.2026 13:08 — 👍 1    🔁 0    💬 0    📌 0
Google disrupts Chinese-linked hackers that attacked 53 groups globally Google disrupted a Chinese-linked hacking group that breached at least 53 organizations across 42 countries, the company said Wednesday.

Google disrupts Chinese-linked hackers that attacked 53 groups globally
Reuters
www.reuters.com/sustainabili...
@reuters.com

25.02.2026 13:59 — 👍 5    🔁 2    💬 0    📌 0
Chinese group’s ChatGPT use reveals worldwide harassment campaign against critics OpenAI said a Chinese law enforcement agency uploaded reports to ChatGPT that detail a worldwide digital operation to track and silence regime critics at home and abroad.

Chinese group’s ChatGPT use reveals worldwide harassment campaign against critics
CyberScoop
cyberscoop.com/chinese-chat...
@cyberscoop.bsky.social

25.02.2026 13:54 — 👍 2    🔁 2    💬 0    📌 0
Cognitive Warfare and the Indo-Pacific Cognitive warfare plays a significant factor in the Indo-Pacific. In this Irregular Warfare Initiative republish, we dig into the challenge.

Cognitive Warfare and the Indo-Pacific
Small Wars Journal
“Psychologically, the PRC is trying to cause mental disarray and confusion, in order to weaken fighting will and determination to defend ourselves.” –Taiwan Ministry of National Defense
smallwarsjournal.com/2026/02/25/c...

25.02.2026 13:46 — 👍 5    🔁 5    💬 0    📌 0
Assessing Xi’s Unprecedented Purges of China’s Military: Key Developments and Potential Implications This report brings together top experts on China’s military to assess Xi Jinping’s unprecedented purge of officers from all areas of its armed forces. Experts predict what this means for military read...

Assessing Xi’s Unprecedented Purges of China’s Military: Key Developments and Potential Implications
Center for Strategic & International Studies
www.csis.org/analysis/ass...
@csis.org

25.02.2026 13:43 — 👍 2    🔁 1    💬 0    📌 0
Treasury Sanctions Exploit Broker Network for Theft and Sale of U.S. Government Cyber Tools

First-Ever Action Under the Protecting American Intellectual Property Act

WASHINGTON — Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated Sergey Sergeyevich Zelenyuk (Zelenyuk) and his company, Matrix LLC (doing business as Operation Zero), as well as five associated individuals and entities, for their acquisition and distribution of cyber tools harmful to U.S. national security. Zelenyuk and Operation Zero trade in “exploits”—pieces of code or techniques that take advantage of vulnerabilities in a computer program to allow users to gain unauthorized access, steal information, or take control of an electronic device—and have offered rewards to anyone who will provide them with exploits for U.S.-built software. Among the exploits that Operation Zero acquired were at least eight proprietary cyber tools, which were created for the exclusive use of the U.S. government and select allies and which were stolen from a U.S. company. Operation Zero then sold those stolen tools to at least one unauthorized user.

“If you steal U.S. trade secrets, we will hold you accountable,” said Secretary of the Treasury Scott Bessent. “Treasury will continue to work alongside the rest of the Trump Administration to protect sensitive American intellectual property and safeguard our national security.”

This action coincides with an investigation by the Department of Justice and the Federal Bureau of Investigation of Peter Williams, an Australian national and a former employee of the aforementioned U.S. company who pleaded guilty on October 29, 2025, to two counts of theft of trade secrets. Williams stole several proprietary cyber tools from the company between 2022 and 2025 and sold them to Operation Zero in exchange for millions of dollars paid in cryptocurrencies.

OFAC is designating Zelenyuk, Operation Zero, and the five associated individuals and entities pursuant to Executive Order (E.O.) 13694, as further amended by E.O. 14306 (“E.O. 13694, as further amended”). In parallel with this action, the Department of State is sanctioning Zelenyuk, Operation Zero, and an affiliated UAE company, Special Technology Services LLC FZ (STS) pursuant to the Protecting American Intellectual Property Act (PAIPA). These are the first persons sanctioned under this law, which provides for sanctions against persons who have knowingly engaged in, or benefitted from, significant theft of trade secrets of United States persons, if the theft of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. Please refer to the Department of State’s press release for more information about this action under PAIPA.

ZELENYUK’S ACQUISITION AND SALE OF CYBER TOOLS

Russian national Zelenyuk, through his St. Petersburg, Russia-headquartered company Operation Zero, has been active as an exploit broker since 2021. Operation Zero has offered millions of dollars in bounties to cybersecurity researchers and others for the development or acquisition of exploits targeting commonly used software, including U.S.-built operating systems and encrypted messaging applications. Operation Zero does not disclose the discovered exploits to the companies developing the affected software, and Operation Zero customers could use the tools to launch ransomware attacks or engage in other malign activities. In advertisements and other public-facing materials, Zelenyuk and Operation Zero have stated that they will only sell the exploits they acquire to customers from non-NATO countries. Zelenyuk, through Operation Zero, has sought to sell exploits to foreign intelligence agencies. Zelenyuk and Operation Zero have also sought to develop other cyber intelligence systems, including spyware and methods to extract personal identifying information and other sensitive data uploaded by users of artificial intelligence applications like large language models. Operation Zero has sought to recruit hackers to support its activities and develop business relationships with foreign intelligence agencies through use of social media.

OFAC is designating Zelenyuk and Operation Zero pursuant to E.O. 13694, as further amended, for being responsible for or complicit in, or having engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a threat to the national security, foreign policy, or economic health or financial stability of the United States, and that have the purpose of or involve causing a misappropriation of funds or economic resources, intellectual property, proprietary or business confidential information, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.

OPERATION ZERO’S AFFILIATES

Beyond Zelenyuk and Operation Zero, OFAC is imposing sanctions on individuals and companies associated with them. Marina Evgenyevna Vasanovich (Vasanovich) is Zelenyuk’s assistant. STS is a UAE-based technology company controlled by Zelenyuk. OFAC is designating Vasanovich and STS pursuant to E.O. 13694, as further amended, for being owned or controlled by, or having acted or purported to act for or on behalf of, directly or indirectly, Zelenyuk.

OFAC is also designating Azizjon Makhmudovich Mamashoyev (Mamashoyev) and Oleg Vyacheslavovich Kucherov (Kucherov). Kucherov is a Russian national and a suspected member of the Trickbot cybercrime gang. OFAC previously designated members of the Trickbot group in February 2023 and September 2023. Trickbot, first identified in 2016, is a highly modular malware suite that allows the Trickbot cybercrime gang to conduct a variety of malicious cyber activities, including ransomware attacks against the U.S. government, as well as hospitals and healthcare centers across the United States. Kucherov and Mamashoyev have previously had work relationships with Operation Zero. OFAC is designating Mamashoyev and Kucherov pursuant to E.O. 13694, as further amended, for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods and services to or in support of, Zelenyuk.

Additionally, OFAC is sanctioning Advance Security Solutions, another exploit brokerage firm that, like Operation Zero, offers bounties for exploits for U.S.-built software. Advance Security Solutions is an offensive cybersecurity company created by Mamashoyev with operations in the UAE and Uzbekistan. OFAC is designating Advance Security Solutions pursuant to E.O. 13694, as further amended, for being owned or controlled by, or having acted or purported to act for or on behalf of, directly, Mamashoyev.

SANCTIONS IMPLICATIONS

As a result of today’s action, all property and interests in property of the designated or blocked persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of blocked persons. Violations of U.S. sanctions may result in the imposition of civil or criminal penalties on U.S. and foreign persons. OFAC may impose civil penalties for sanctions violations on a strict liability basis. OFAC’s Economic Sanctions Enforcement Guidelines provide more information regarding OFAC’s enforcement of U.S. economic sanctions. In addition, financial institutions and other persons may risk exposure to sanctions for engaging in certain transactions or activities involving designated or otherwise blocked persons. The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any designated or blocked person, or the receipt of any contribution or provision of funds, goods, or services from any such person. The power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to the SDN List, but also from its willingness to remove persons from the SDN List consistent with the law. The ultimate goal of sanctions is not to punish, but to bring about a positive change in behavior. For information concerning the process for seeking removal from an OFAC list, including the SDN List, or to submit a request, please refer to OFAC’s guidance on Filing a Petition for Removal from an OFAC List.

Click here for more information on the individuals and entities designated or otherwise blocked today.

Treasury Sanctions Exploit Broker Network for Theft and Sale of U.S. Government Cyber Tools
U.S. Department of Treasury home.treasury.gov/news/press-r...

25.02.2026 13:42 — 👍 1    🔁 1    💬 0    📌 0
Treasury sanctions Russian firm said to have stolen and sold US cyber tools The sanctions coincide with an FBI investigation into Peter Williams, a former employee of U.S. defense contractor L3Harris who pleaded guilty to selling cyber exploits to a Russian entity.

Treasury sanctions Russian firm said to have stolen and sold US cyber tools
Nextgov/FCW
www.nextgov.com/cybersecurit...

25.02.2026 13:41 — 👍 4    🔁 2    💬 1    📌 0