Ghostwire — Daily Intelligence Briefings

AI-generated cybersecurity threat landscape summaries. 10 briefings in archive.

Disclosure: These briefings are AI-generated from automated analysis of 130+ cybersecurity sources. They have not been reviewed or edited by a human analyst. Always verify critical intelligence through primary sources before making security decisions.

AI Systems, iOS Zero-Days, and APT28 Surge

2026-03-20
## Friday Intelligence Brief — March 20, 2026

---

## Headline Threat

**DarkSword iOS Exploit Kit: Full Device Takeover in the Wild**

Google's Threat Intelligence Group has confirmed active exploitation of a sophisticated iOS exploit chain dubbed **DarkSword**, operational since at least November 2025. The kit chains six vulnerabilities — including three zero-days — to achieve complete device takeover and sensitive data exfiltration, and is already being leveraged by multiple threat actor groups. Apple device owners and enterprise MDM teams should treat this as an active emergency: assume any unpatched iOS device in your fleet is a viable target. (The Hacker News, CyberPress)

---

## Key Developments

**APT28 Breaches Ukrainian Maritime Agency via Zimbra Flaw**

Russian state-backed group APT28 (Fancy Bear) has successfully compromised a Ukrainian government maritime agency by exploiting a known vulnerability in Zimbra Collaboration Suite webmail software. CISA has concurrently added the Zimbra flaw to its Known Exploited Vulnerabilities catalog, confirming active exploitation is no longer theoretical. Organizations still running unpatched Zimbra instances — particularly in government, defense, and critical infrastructure — should treat remediation as a same-day priority. Separately, a web server misconfiguration exposed operational details of Fancy Bear's credential theft infrastructure, offering rare insight into their targeting methodology. (The Record, CyberPress)

**Claude.ai Platform Hit by Multi-Stage Exfiltration Attack Chain**

Security researchers have disclosed a critical attack chain against Anthropic's Claude.ai that enables silent data exfiltration and malicious user redirects. The vulnerability chain demonstrates how AI platforms are becoming high-value targets in their own right — not just tools for attackers. Security teams deploying Claude or similar LLM platforms in enterprise environments must audit permissions, input sanitization, and session handling controls immediately. This is a bellwether for AI-specific threat vectors that most SecOps programs are not yet equipped to handle. (CyberPress)

**North Korea's WaterPlum Deploys StoatWaffle via Contagious Interview Campaign**

North Korea-linked threat actor WaterPlum has introduced a new, highly evasive malware strain called **StoatWaffle**, delivered through VSCode-themed lures under the ongoing "Contagious Interview" campaign. This campaign continues to evolve its social engineering hooks, now targeting developers through legitimate-looking IDE tooling. Simultaneously, a malicious Open VSX extension was caught pulling a full-featured RAT and infostealer from GitHub, indicating developer toolchain compromise is an active and growing vector. Software supply chain defenders and developer security programs must increase scrutiny of IDE extensions and third-party repositories. (CyberPress, GBHackers)

**Perseus Android Banking Malware Monitors Notes Apps for Credential Theft**

DarkSword iOS Exploit Targets Spies, Civilians Globally

2026-03-19
## CYBERSECURITY INTELLIGENCE BRIEF — Thursday, March 19, 2026

---

## Headline Threat

**DarkSword: Russia-Linked iOS Exploit Chain Goes Operational**

A fully weaponized iOS exploit kit designated **DarkSword** is actively compromising iPhones across Saudi Arabia, Turkey, Malaysia, and Ukraine with little to no user interaction required (Dark Reading, The Record). The exploit chain leverages multiple zero-day vulnerabilities, extracts sensitive data within minutes, and self-erases forensic traces — a hallmark of high-end, state-developed tooling. Google's Threat Analysis Group (TAG) has attributed the campaign to Russia-linked actors, with Ukrainian targets representing the most strategically significant focus. This is a full-chain attack: assume any unpatched iPhone is a viable target.

---

## Key Developments

**Interlock Ransomware Weaponized a Cisco Firewall Zero-Day for Months**

The Interlock ransomware group has been exploiting a maximum-severity remote code execution vulnerability in Cisco's Secure Firewall Management Center (FMC) since at least January — operating undetected for nearly three months (BleepingComputer). This is a ransomware group demonstrating APT-level patience and operational security. Any organization running Cisco FMC should treat this as an active incident until proven otherwise and audit logs going back to early January.

**CISA Adds SharePoint and Zimbra Flaws to KEV Catalog**

CISA has updated its Known Exploited Vulnerabilities catalog with newly confirmed active exploitation of Microsoft SharePoint and Zimbra flaws (Security Affairs). Both platforms are ubiquitous in enterprise environments and have long histories of being targeted for initial access. Federal agencies have mandatory remediation deadlines under BOD 22-01; private sector organizations should treat KEV additions as urgent patch signals regardless of regulatory obligation.

**AI-Generated Malware 'Slopoly' Marks New Ransomware Evolution**

A newly observed ransomware strain dubbed **Slopoly** is assessed to be AI-generated, signaling that the barrier to producing functional, novel malware has effectively collapsed. The emergence of AI-authored ransomware means defenders can no longer rely on signature patterns derived from known author coding styles or toolkits. Behavioral detection and endpoint telemetry are now non-negotiable — static analysis alone will increasingly miss these threats.

**ConnectWise Patches Critical ScreenConnect Hijacking Flaw**

ConnectWise has issued an emergency patch for a cryptographic signature verification vulnerability in ScreenConnect that could allow unauthorized access and privilege escalation (BleepingComputer). ScreenConnect has been a recurring target for ransomware operators and initial access brokers. Given prior exploitation history with this platform, patching should be treated as immediate — not next patch cycle.

**DPRK IT Worker Network Sanctioned by OFAC**

The U.S. Treasury's OFAC sanctioned six indivi

Credential Theft and Supply Chain Attacks Dominate Threat Landscape

2026-03-18
## Daily Cybersecurity Intelligence Brief

**Wednesday, March 18, 2026 | UNCLASSIFIED**

---

## Headline Threat

The industrialization of infostealer malware and AI-enhanced social engineering drove a sharp spike in credential theft across the second half of 2025, and the operational model is now fully mature heading into 2026. Threat actors are no longer breaking through perimeters — they are logging in with legitimate credentials, rendering traditional edge defenses largely irrelevant. This shift demands an identity-first security posture across all enterprise environments. *(Dark Reading)*

---

## Key Developments

**GlassWorm Poisons 400+ Repos Across GitHub, npm, and VSCode**

The GlassWorm supply-chain campaign has resurged with a coordinated strike across hundreds of packages and extensions on GitHub, npm, and VSCode/OpenVSX. The breadth of the attack — spanning three major developer ecosystems simultaneously — signals a sophisticated, well-resourced threat actor with specific interest in developer tooling. Any organization consuming open-source packages or VSCode extensions should treat their dependency chain as a potential compromise vector and audit recently updated packages immediately. *(BleepingComputer)*

**Medusa Ransomware Hits Mississippi's Largest Hospital**

The Medusa ransomware gang has claimed responsibility for a nine-day system outage at Mississippi's largest hospital, and has separately targeted a New Jersey county government. Healthcare remains the highest-consequence ransomware target due to patient safety implications, and Medusa has demonstrated both persistence and technical capability. Security teams at healthcare organizations should validate offline backup integrity and ensure incident response plans account for extended operational degradation. *(The Record)*

**Ransomware Actors Abandon Cobalt Strike, Embrace Living-Off-the-Land**

As ransomware payment rates hit record lows, threat actors are adapting their toolkits — dropping commercially detectable tools like Cobalt Strike in favor of native Windows utilities such as WMI, PowerShell, and scheduled tasks. This shift is a direct countermeasure to improved EDR detection capabilities and makes attacker activity significantly harder to distinguish from legitimate administrative operations. Blue teams should prioritize behavioral analytics over signature-based detection and tighten audit logging on native OS tools. *(Dark Reading)*

**EU Sanctions Chinese and Iranian Entities for Cyberattacks**

The European Union has formally sanctioned three entities and two individuals — spanning Chinese and Iranian-linked cyber operations — for attacks against critical infrastructure across EU member states. The sanctions also specifically target an Iranian crew implicated in U.S. election interference operations. This escalation in diplomatic response signals growing Western consensus on attributing and penalizing state-sponsored cyber aggression, and organizations in critical in

Iran Strikes Infrastructure as AI Poisoning Scales

2026-03-17
## CYBERSECURITY DAILY BRIEF — Tuesday, March 17, 2026

---

## Headline Threat

**Iranian Hackers Hit U.S. Medical Equipment Supplier**

Iranian threat actors have publicly claimed responsibility for a cyberattack against a U.S. medical equipment supplier, causing systems to go down and disrupting operations. This incident is consistent with a broader pattern of Iranian retaliation targeting American critical infrastructure and healthcare — sectors chosen for maximum societal pressure. A former NSA operative characterized the threat bluntly: much of Iran's offensive cyber capacity is now decentralized, with operations effectively "in the hands of a 19-year-old hacker in a Telegram room," making attribution and deterrence increasingly difficult. (Iran Cyber, Supply Chain)

---

## Key Developments

**AI Model Poisoning Is Now a Commercial Industry**

China's state broadcaster CCTV used its annual 3·15 consumer rights program to expose a fully operational black market for AI model poisoning. Undercover reporters fabricated a fictitious health device — the "Apollo-9" smartband — complete with invented quantum-sensor capabilities, then paid roughly $5.50 USD for a tool called the "LiQing GEO Optimization System." Within two hours, the software auto-generated dozens of convincing professional reviews and seeded them across major content platforms. Chinese financial regulators have separately issued risk notices about the "Lobster" AI agent, and multiple banks have been advised to restrict its use. The implications extend well beyond China: adversarial content injection into LLM training pipelines and public-facing knowledge bases is now a purchasable, low-skill attack. (4Hou)

**Coupang Data Breach Exposes 33.7 Million South Korean Customers**

South Korea's largest e-commerce platform, Coupang, has reportedly been compromised, with names, email addresses, phone numbers, and additional personal data for 33.7 million customers exposed. The scale places this among the largest consumer data breaches in South Korean history and carries significant downstream risk — the dataset is prime material for targeted phishing, SIM-swapping, and credential-stuffing campaigns. Organizations operating across the Asia-Pacific region should treat Coupang-associated credentials as compromised and alert relevant user bases. (North Korea Cyber)

**Glassworm Campaign Poisons 151 GitHub Repos and VS Code**

A newly detailed supply chain attack dubbed "Glassworm" has infected 151 GitHub repositories and Visual Studio Code extensions with invisible malicious code. The campaign leverages blockchain infrastructure as a command-and-control mechanism to exfiltrate tokens, credentials, and developer secrets — a technique that evades traditional network-based detection since blockchain traffic appears legitimate. Any organization with developers pulling dependencies from public GitHub repositories or using community VS Code extensions should treat this as an active supply chain ris

Iran Escalates Cyber Operations Against Western Targets

2026-03-16
## Monday, March 16, 2026 — Cybersecurity Intelligence Brief

---

## Headline Threat

**Iranian Threat Actors Launch Multi-Front Cyber Campaign**

Suspected Iranian hackers have paralyzed Stryker, a major medical technology corporation, in a cyberattack that disrupted operations at one of the world's leading medical device manufacturers. Simultaneously, Israel confirmed that Iranian operatives breached security camera networks, providing adversarial surveillance of sensitive Israeli infrastructure. These operations align with a broader pattern of Iranian hybrid warfare, as Chinese state media trending topics reveal public Iranian rhetoric about fighting until U.S. and Israeli "surrender" — suggesting coordinated information operations accompanying the technical campaign. (SecurityWeek, Google News)

---

## Key Developments

**Ransomware Hits U.S. Agricultural Sector at Critical Juncture**

A massive ransomware attack has locked North Dakota farmers out of their smart planters during what would be a critical pre-planting window. This attack against precision agriculture technology represents a calculated strike at food supply chain infrastructure timed for maximum operational disruption. Security teams supporting agriculture sector clients should treat this as a bellwether — OT-connected farm equipment is a chronically underdefended attack surface. (Google News)

**China-Sponsored Espionage Campaign Targeted COVID Research**

Federal prosecutors have confirmed that a China-sponsored hacker successfully exfiltrated COVID-19 research data from top U.S. universities and federal laboratories. This case highlights the persistent threat posed by state-sponsored actors against academic and research institutions, which typically maintain weaker security postures than government or enterprise targets. Institutions involved in sensitive government-contracted research must treat their environments as high-value targets, not ivory tower networks. (Google News)

**Loblaw Data Breach Exposes Customer PII**

Canadian retail giant Loblaw confirmed a data breach affecting customer personal information, including names, email addresses, and phone numbers. While scope details remain limited, breaches of this profile are routinely leveraged for downstream phishing and credential stuffing campaigns targeting the same customer base. Organizations that share supplier or loyalty program integrations with Loblaw should monitor for anomalous authentication activity. (SecurityWeek)

**Google Uncovers iOS Exploit Kit Used in Crypto Phishing**

Google's Threat Analysis Group has identified an iOS exploit kit actively deployed in cryptocurrency phishing campaigns. This is a significant escalation — weaponized iOS exploits typically indicate well-resourced threat actors, and the crypto targeting suggests financially motivated groups with the capability to acquire or develop mobile zero-day tooling. Mobile device management policies and user awareness training for crypto-adjacent

Supply Chain, Ransomware, and AI Attacks Converge

2026-03-15
## CYBERSECURITY INTELLIGENCE BRIEF — Sunday, March 15, 2026

---

## Headline Threat

**GlassWorm Supply-Chain Campaign Compromises 72 Open VSX Extensions**

Researchers have flagged a significant escalation in the GlassWorm campaign, which has now weaponized 72 extensions in the Open VSX registry — the primary extension marketplace for VS Code-compatible editors widely used across enterprise and open-source development environments. Unlike prior iterations that targeted individual packages, this wave appears to systematically abuse the registry's trust model, meaning developers pulling routine updates may be silently infected. Any organization with developers using Open VSX-sourced extensions should treat all recent extension updates as suspect until integrity verification is confirmed. (The Hacker News)

---

## Key Developments

**Stryker Hit by Ransomware, Global Operations Disrupted**

Michigan-based medical device giant Stryker confirmed a cyberattack causing global network disruption, with manufacturing and shipping operations materially impacted. Attacks on medical device manufacturers carry compounded risk — not just operational and financial damage, but potential downstream effects on hospital supply chains and patient care continuity. This follows a well-established threat actor playbook of targeting high-revenue, operationally time-sensitive manufacturers to maximize ransom leverage. (Cybersecurity Dive, multiple)

**INTERPOL-Led Operation Seizes 45,000 Malicious IPs**

Global authorities coordinated a takedown of 45,000 IPs linked to ransomware and phishing infrastructure in what appears to be one of the largest single-operation IP seizures on record. While takedowns of this scale are operationally significant, threat actors historically reconstitute infrastructure within weeks using bulletproof hosting and fast-flux DNS. The immediate benefit is measurable disruption to active campaigns; the strategic benefit depends on whether arrests and attribution followed the infrastructure seizure. (GBHackers)

**North Korea Nets $800M in Crypto — Treasury Responds with Sanctions**

The U.S. Treasury Department imposed sanctions on a network facilitating North Korean cryptocurrency laundering tied to an $800 million operation. DPRK cyber units — primarily Lazarus Group and affiliated cells — continue to fund the regime's weapons programs through crypto theft and laundering at industrial scale. Organizations in the DeFi, exchange, and Web3 space should treat this as a persistent and escalating threat requiring dedicated threat modeling, not routine compliance posture. (multiple)

**McKinsey Breach: 46.5 Million Employee Chat Records Exposed**

Hackers reportedly gained access to 46.5 million employee chat records from McKinsey, exposing the acute risk of rapid enterprise AI tool adoption without adequate access controls or data segmentation. The breach underscores a pattern emerging across large enterprises: AI-integrated collaboration platforms a

State Actors, Global Takedowns, and Encrypted Chat Erosion

2026-03-14
## CYBERSECURITY DAILY BRIEF

**Saturday, March 14, 2026 | Analyst Edition**

---

## Headline Threat

Unit 42 at Palo Alto Networks has confirmed that a suspected Chinese state-sponsored threat actor has been running persistent cyber espionage operations against Southeast Asian military organizations since at least 2020, deploying novel malware families tracked as **AppleChris** and **MemFun**. The campaign's longevity and targeting of military networks suggests a strategic intelligence-collection mandate consistent with China's regional posture in the South China Sea theater. Defense and intelligence stakeholders across ASEAN should treat this as an active, ongoing threat — not a historical artifact. *(The Hacker News / Unit 42)*

---

## Key Developments

**INTERPOL Dismantles 45,000 Malicious IPs in Global Sweep**

INTERPOL's latest coordinated operation resulted in the takedown of 45,000 malicious IP addresses and servers linked to phishing, malware, and ransomware infrastructure, alongside 94 arrests. Separately, the SocksEscort residential proxy network — used extensively by cybercriminals to anonymize attack traffic — was shut down in a parallel U.S.-led multinational action. These dual takedowns represent a significant, if temporary, disruption to the global criminal-as-a-service ecosystem. *(The Hacker News / GBHackers / CyberPress)*

**Storm-2561 Weaponizes SEO Poisoning to Distribute Trojan VPN Clients**

Microsoft has disclosed a credential-theft campaign by the threat cluster **Storm-2561**, which is distributing trojanized VPN clients through SEO poisoning — manipulating search results to funnel victims toward malicious downloads spoofing Ivanti, Fortinet, and Cisco products. This is a high-leverage attack vector: security-conscious users actively searching for enterprise VPN tools are precisely the targets most likely to have privileged network access. Organizations should validate all VPN client downloads against official vendor hashes and disable auto-update mechanisms that don't enforce code signing. *(The Hacker News / Google News)*

**Iran-Linked Operations Surge Amid Regional Conflict**

Since the outbreak of conflict involving Iran in late February 2026, threat groups **TA453** and **TA473** have sharply escalated war-themed phishing campaigns targeting organizations across the Middle East. Simultaneously, the Iranian-linked wiper group **Handala** has expanded its destructive operations beyond Israeli targets to include U.S.-based organizations. The dual track of espionage-focused phishing and outright destructive attacks reflects a coordinated pressure campaign — defenders in financial, energy, and government sectors should elevate their threat posture accordingly. *(CyberPress)*

**Poland's Nuclear Research Centre Hit by Cyberattack**

Poland's national nuclear research centre suffered a cyberattack this week, marking one of the most sensitive critical infrastructure targeting events in Europe in recent months. No attribution

Iran Escalates Cyber Operations Amid Regional Tensions

2026-03-13
## Friday, March 13, 2026 — Cybersecurity Intelligence Brief

---

## Headline Threat

Iran's Handala Hack group (aka Void Manticore), operating under the Ministry of Intelligence and Security (MOIS), is executing an accelerated wiper attack campaign against Israeli and Western targets. Unit 42 confirms the group is exploiting **phishing lures combined with deliberate misuse of Microsoft Intune** — a legitimate endpoint management platform — to mass-deploy destructive payloads at scale. This represents a dangerous escalation: weaponizing enterprise IT management tooling to detonate data-wiping malware across entire device fleets simultaneously.

---

## Key Developments

**Iran Merges APT and Criminal Ecosystems (Dark Reading / North Korea Cyber feed)**

Iranian APTs have historically impersonated criminal groups for plausible deniability. Intelligence now confirms a structural shift: MOIS-affiliated actors are **actively collaborating with genuine cybercriminal organizations**, purchasing capabilities, infrastructure, and operational cover. This dramatically expands Iran's offensive bandwidth and complicates attribution. Organizations that previously dismissed criminal-tier threats as lower-priority should reassess — the line between nation-state and criminal is now functionally erased in the Iranian context.

**Iran Threatens Regional Power Grid Retaliation**

Amid escalating Middle East tensions, Iranian officials publicly warned that any attack on Iranian electrical infrastructure would plunge "the entire region into darkness" — a statement trending heavily on Chinese social media (Weibo, 72K views). This signals Tehran is both anticipating infrastructure strikes and telegraphing its own offensive doctrine toward critical energy targets. Energy sector defenders in the Gulf, Israel, and Eastern Mediterranean should treat this as an active threat posture, not rhetoric.

**Suspected China-Nexus Espionage Targets Southeast Asian Militaries (Unit 42)**

A sophisticated, patient espionage campaign with indicators pointing to China-based operators has been confirmed targeting military organizations across Southeast Asia. The operation is characterized by **custom backdoor deployment** and extended dwell times, suggesting strategic intelligence collection rather than disruptive intent. The use of bespoke malware limits signature-based detection effectiveness. Defense ministries and contractors in ASEAN nations should conduct immediate threat hunts for indicators of compromise associated with this campaign.

**SocksEscort Proxy Network Dismantled (The Record)**

US authorities and Europol jointly disrupted SocksEscort, a criminal proxy network that monetized access to thousands of **compromised residential routers**. Cybercriminals used this infrastructure to mask their true IP addresses during attacks, fraud operations, and reconnaissance. The takedown degrades a significant anonymization layer used across multiple threat actor ecosystems. However, simil

Geopolitical Escalation Drives Critical Infrastructure Cyber Risk

2026-03-12
## CYBERSECURITY INTELLIGENCE BRIEF

**Thursday, March 12, 2026 | For Security Professionals**

---

## Headline Threat

Iran's active mining of the Strait of Hormuz and ballistic missile strikes in Qatar territory are not merely kinetic events — they are the opening conditions for a sustained Iranian cyber campaign against Western and Gulf-aligned targets. The FBI has already issued warnings that Iran aspired to conduct drone attacks on California infrastructure in retaliation for U.S. military involvement, and historical Iranian threat actor behavior (APT33, APT34, Charming Kitten) strongly indicates that offensive cyber operations against energy, transportation, and financial sectors will accompany — or precede — further physical escalation. Security teams supporting energy, logistics, port operations, or Gulf-region clients should elevate their threat posture immediately. (Source: WSJ, Los Angeles Times, The Guardian)

---

## Key Developments

**Iranian Infrastructure Attacks Signal Cyber Spillover**

Iran has dramatically escalated strikes against civilian infrastructure and transport networks across the Gulf, with officials explicitly warning of a "war of attrition" designed to throttle global energy supplies. Nations have agreed to release 400 million barrels of oil reserves in response to the disruption, signaling the economic severity of the campaign. For defenders: energy sector OT/ICS environments, maritime logistics systems, and any organization with Gulf-region exposure should be operating under heightened alert, with particular attention to spearphishing and destructive wiper malware — tools historically favored by Iranian state actors. (Source: The Guardian, Washington Post, CNBC)

**FBI Warns of Drone and Cyber Threats to U.S. Soil**

A leaked memo warned that California could face Iranian drone attacks as retaliation for U.S. involvement in the Iran conflict, with the FBI confirming Iran had "aspirations" to target U.S. infrastructure. While officials have publicly downplayed the physical threat, the intelligence community's posture suggests otherwise. Security professionals supporting U.S. critical infrastructure — particularly utilities, water systems, and communications networks — should review incident response plans and validate out-of-band communication protocols now. (Source: Los Angeles Times)

**INC Ransomware Hammers Healthcare in Oceania**

The INC ransomware group has conducted a sustained campaign against healthcare targets across Australia, New Zealand, and Tonga, hitting government agencies, emergency clinics, and healthcare networks. This group has demonstrated operational patience and a willingness to disrupt life-critical services, making it a Tier 1 ransomware threat. Healthcare organizations globally — particularly those with under-resourced IT security functions — should treat INC as an active threat and audit exposed RDP, VPN endpoints, and unpatched internet-facing systems immediately. (Source: Dark Reading)

Supply Chain Attacks, AI Weaponization Dominate Threat Landscape

2026-03-11
## CYBERSECURITY INTELLIGENCE BRIEF

**Wednesday, March 11, 2026 | Classification: UNCLASSIFIED**

---

## Headline Threat

**UNC6426 Achieves Full Cloud Compromise in 72 Hours via nx npm Supply Chain Attack**

Threat actor UNC6426 has leveraged credentials harvested during last year's supply chain compromise of the widely-used `nx` npm package to fully breach a victim's cloud environment within 72 hours — escalating to AWS administrator access before defenders could respond (The Hacker News). This incident is a stark reminder that the blast radius of supply chain compromises does not expire with the initial disclosure; stolen keys and credentials persist as actionable weapons long after the original event. Organizations still running environments that ingested the compromised `nx` package must treat any stored credentials from that period as fully compromised and rotate immediately.

---

## Key Developments

**Malicious AI Browser Extensions Harvest Nearly One Million Users**

A trojanized AI browser sidebar extension has been caught exfiltrating data from approximately 900,000 users, masquerading as a legitimate productivity tool (AnQuanKe). The campaign highlights the growing threat surface introduced by the AI tool ecosystem, where users lower their guard for extensions promising AI-enhanced browsing. Security teams should enforce browser extension allowlisting and audit current deployed extensions across enterprise endpoints without delay.

**Ingress-Nginx Injection Flaw Enables Cluster-Wide Secret Exfiltration**

A critical injection vulnerability in Ingress-Nginx has been disclosed, enabling attackers to exfiltrate secrets across an entire Kubernetes cluster — including API keys, service credentials, and configuration data (AnQuanKe). The scope of exposure in a typical production cluster makes this a high-priority patch target for any organization running Kubernetes workloads. Defenders should apply available patches, audit Ingress-Nginx configurations, and review network segmentation policies immediately.

**SurxRAT Android Malware Integrates AI to Automate Phishing at Scale**

Zimperium researchers have identified SurxRAT, an advanced Android Remote Access Trojan operating within a Malware-as-a-Service (MaaS) ecosystem that uses AI to automate and personalize phishing attacks against victims (CyberPress). The integration of AI into commodity malware dramatically lowers the skill threshold for operators while increasing attack effectiveness and scale. Mobile device management policies and enterprise application vetting should be reviewed in light of this development.

**Chinese APT Deploys PlugX Against Qatar Amid Middle East Tensions**

Check Point Research has linked a Chinese-nexus APT to a targeted campaign against Qatar using PlugX lures, timed to coincide with escalating regional conflict (CyberPress). The operation follows an established pattern of Chinese state-affiliated actors exploiting geopolitical flashpoints to pursue espionage