Persistent Espionage: Mustang Panda's LOTUSLITE Campaign Hits Banking

A refreshed LOTUSLITE variant from Mustang Panda is targeting Indian banks and South Korean policy groups. Nation-states aren't extortionists. They're collectors. And they're patient.

China Is Running Two Operations Against Taiwan at Once

Cisco Talos found Lua-based malware targeting Taiwanese NGOs and universities. Taiwan's intelligence service identified 13,000 AI-amplified influence accounts and 860,000 posts. These are not separate stories.

The AI Espionage Playbook: How a Hacker Used Claude and GPT-4.1 to Steal 415 Million Records

A threat actor used Claude Code and GPT-4.1 to automate a government-scale data breach in Mexico, exfiltrating 415 million records through 5,317 AI-generated commands. This is the first documented case of AI coding tools used as a nation-state espionage engine.

The FBI Used Your Router. They Had a Court Order. This Is the Third Time.

Operation Masquerade gave the FBI court authority to issue remote commands to privately owned home routers in 23 states, removing APT28's foothold. It worked. It also raises questions worth sitting with.

Stryker Recovered from an Iranian Wiper Attack. It Took Three Weeks and 80,000 Devices.

Iran's Handala group wiped 80,000 devices across Stryker's global network. Maryland EMS lost digital ECG transmission. The DOJ confirmed Iran's government runs Handala.

FBI Says China Hacked Its Surveillance Systems, Triggers 'Major Incident' Classification

The FBI classified a suspected Chinese intrusion into law enforcement surveillance infrastructure as a FISMA major incident, forcing Congressional notification within days.

Three Chinese Hacker Groups Hit the Same Government. At the Same Time.

Your Security Camera Is Probably Someone Else's Window Into the War

Nation-states are routinely hacking unpatched IP cameras to gather physical intelligence during active conflicts, and the cameras being targeted are the cheap, forgotten ones in your building's lobby.

Iran Is Running Every Cyberattack at Once

Iran isn't running a cyber campaign right now. It's running all of them simultaneously, and Unit 42's latest brief documents exactly that.

China's BPFDoor Got an Upgrade. Passive Defenses Still Can't See It.

Red Menshen's upgraded BPFDoor backdoor now hides even better inside telecom backbone networks, and the only way to find it is active threat hunting that most carriers aren't doing.

From Wiping 80,000 Devices to Hacking the FBI Director: Handala's March

Iran-linked Handala publicly warned they were coming for the FBI. Kash Patel said nothing. The next morning, his cigar photos were on the internet.

China Is Running Three Cyber Operations Against the West Simultaneously. Here's What They Look Like.

BPFDoor sleeping inside telecom networks, US officials blaming Beijing for enabling billion-dollar fraud, and a $20B Telegram black market just sanctioned by the UK. Three fronts, one picture.

iPhone Exploit Kits Go Mainstream: DarkSword, Coruna, and the End of 'iOS Is Enough'

New research from Google, iVerify, and Lookout confirms iOS exploit kits have moved from rare targeted spyware to website-level deployment against broad populations. A companion toolkit was found targeting US government officials specifically.

Handala, Publicly Attributed: What the FBI Seizure Changes About Iran Cyber Signaling

The FBI seized Handala's sites and released a 40-page warrant formally linking the group to Iran's intelligence ministry. Attribution just moved from analyst opinion to federal court filing.

Cyber Enforcement Is Moving Upstream, and Defenders Should Pay Attention

Recent actions show growing pressure on facilitators and infrastructure, not just frontline operators, which creates real defensive opportunities.

Breach Impact Without a Single Archetype: Vendor, Insider, and Nation-State Pressure

Navia, Aura, an insider ransomware conviction, and Lazarus attribution show why breach readiness should be built around resilient process, not assumptions about attacker type.

Iran Didn't Need Malware to Cripple Stryker. They Just Used Microsoft Intune.

The Handala group wiped tens of thousands of Stryker devices using the company's own MDM platform. No malware. No exploit. Just admin access and the willingness to press the button.

Hackers Used Stryker's Own IT Tool to Nuke Its Entire Device Fleet

An Iranian-linked group called Handala reportedly hijacked Microsoft Intune and wiped Stryker's devices at scale. The tool designed to secure their fleet became the weapon that destroyed it.

China's Been Quietly Spying on Southeast Asian Militaries for Years

Unit 42 documented a suspected Chinese state-sponsored espionage campaign with years of undetected access to military networks across Southeast Asia. This is what patient intelligence collection looks like.

APT28's Covenant Trick and North Korea's AirDrop Hack: How Nation-States Borrow Their Tools

Russia's APT28 hijacked an open-source red-team tool to hit Ukraine. North Korea's UNC4899 used Apple AirDrop to break into a crypto firm. Both attacks exploit the trust we put in legitimate software.

Russian Hackers Are Coming for Your Signal and WhatsApp

Dutch intelligence says Russian state hackers are running a global campaign to hijack Signal and WhatsApp accounts by abusing the linked-device feature. Here's how to check if you're compromised.

Your AI Assistant Is an Attack Surface Now

Exposed admin panels leaking API keys, prompt injection as a supply chain weapon, fake installer packages on npm, and nation-states using AI to hack at scale. AI agents just became everyone's security problem.