EPISODE · Feb 8, 2026 · 4 MIN
Ting Spills Tea: China Hackers Poison Notepad Updates and Hijack 70 Governments While We Slept
from Digital Dragon Watch: Weekly China Cyber Alert · host Inception Point AI
This is your Digital Dragon Watch: Weekly China Cyber Alert podcast. Hey listeners, Ting here with your Digital Dragon Watch: Weekly China Cyber Alert, diving straight into the hottest threats from the past seven days ending February 8, 2026. Buckle up—China-nexus hackers have been swinging hard, but we've got the intel to fight back. First off, the DKnife toolkit is making waves. Cyberrecaps reports a China-linked crew's been wielding this Linux-based beast since 2019 to hijack routers and edge devices, pulling off adversary-in-the-middle attacks. They're DNS-hijacking traffic, slipping ShadowPad and DarkNimbus backdoors into legit Android updates and Windows binaries, mostly targeting Chinese-speaking users on WeChat and email services. Compromised CentOS and Red Hat boxes at IPs like 43.132.205.118 are their playground—pure espionage gold for network gateway control. Then there's the Notepad++ supply chain nightmare. Don Ho, the developer, confirmed on his blog that from June to December 2025, hackers—tagged Lotus Blossom by Rapid7—hijacked the update server hosted by Hostinger. They selectively poisoned downloads for targeted users, dropping custom backdoors for data theft and lateral movement. CISA's on it, probing US government exposure. Lotus Blossom, active since 2009, loves hitting Southeast Asia's government, telecom, aviation, and critical infra—now creeping into Central America. Highly selective, not mass chaos, but a dev's worst dream. Scale up to Shadow Campaigns: Palo Alto Networks Unit 42 exposed TGR-STA-1030/UNC6619 breaching 70 government networks across 37 countries. This Asia-based op, likely Chinese-backed with GMT+8 ops, deploys ShadowGuard rootkit to cloak Linux processes, scanning SSH vulns and timing hits like the October 2025 US shutdown or pre-Honduras election recon. Targets? Finance ministries, parliaments, border control, power grids—spying on trade, diplomacy, and elections in South China Sea hotspots like Indonesia, Thailand, Vietnam. Sectors hammered: critical infrastructure, government, developers. New vectors? Router hijacks, update poisoning, rootkits evading EDR. US responses? CISA added SmarterMail's CVE-2026-24423 to KEV for active ransomware exploits, issued BOD 26-02 mandating federal agencies ditch EOL edge devices within 12 months—China and Russia love those unpatched routers and VPNs. They're tracking Shadow Campaigns too. Expert recs from Rapid7 and Unit 42: Patch Notepad++ now, scan for DKnife IOCs, enforce MFA beyond basics (ShinyHunters are MFA-phishing), inventory edge gear, block VPS/ Tor SSH attempts, and rotate creds. For routers, ditch defaults, enable MFA, and air-gap updates. Developers, vet supply chains like your life depends on it—because it does. Whew, dragons are roaring, but stay vigilant, listeners. This has been Ting signing off—thanks for tuning in to Digital Dragon Watch. Subscribe for more, and remember: This has been a Quiet Please production, for more check out quietplease This content was created in partnership and with the help of Artificial Intelligence AI.
What this episode covers
This is your Digital Dragon Watch: Weekly China Cyber Alert podcast. Hey listeners, Ting here with your Digital Dragon Watch: Weekly China Cyber Alert, diving straight into the hottest threats from the past seven days ending February 8, 2026. Buckle up—China-nexus hackers have been swinging hard, but we've got the intel to fight back. First off, the DKnife toolkit is making waves. Cyberrecaps reports a China-linked crew's been wielding this Linux-based beast since 2019 to hijack routers and edge devices, pulling off adversary-in-the-middle attacks. They're DNS-hijacking traffic, slipping ShadowPad and DarkNimbus backdoors into legit Android updates and Windows binaries, mostly targeting Chinese-speaking users on WeChat and email services. Compromised CentOS and Red Hat boxes at IPs like 43.132.205.118 are their playground—pure espionage gold for network gateway control. Then there's the Notepad++ supply chain nightmare. Don Ho, the developer, confirmed on his blog that from June to December 2025, hackers—tagged Lotus Blossom by Rapid7—hijacked the update server hosted by Hostinger. They selectively poisoned downloads for targeted users, dropping custom backdoors for data theft and lateral movement. CISA's on it, probing US government exposure. Lotus Blossom, active since 2009, loves hitting Southeast Asia's government, telecom, aviation, and critical infra—now creeping into Central America. Highly selective, not mass chaos, but a dev's worst dream. Scale up to Shadow Campaigns: Palo Alto Networks Unit 42 exposed TGR-STA-1030/UNC6619 breaching 70 government networks across 37 countries. This Asia-based op, likely Chinese-backed with GMT+8 ops, deploys ShadowGuard rootkit to cloak Linux processes, scanning SSH vulns and timing hits like the October 2025 US shutdown or pre-Honduras election recon. Targets? Finance ministries, parliaments, border control, power grids—spying on trade, diplomacy, and elections in South China Sea hotspots like Indonesia, Thailand, Vietnam. Sectors hammered: critical infrastructure, government, developers. New vectors? Router hijacks, update poisoning, rootkits evading EDR. US responses? CISA added SmarterMail's CVE-2026-24423 to KEV for active ransomware exploits, issued BOD 26-02 mandating federal agencies ditch EOL edge devices within 12 months—China and Russia love those unpatched routers and VPNs. They're tracking Shadow Campaigns too. Expert recs from Rapid7 and Unit 42: Patch Notepad++ now, scan for DKnife IOCs, enforce MFA beyond basics (ShinyHunters are MFA-phishing), inventory edge gear, block VPS/ Tor SSH attempts, and rotate creds. For routers, ditch defaults, enable MFA, and air-gap updates. Developers, vet supply chains like your life depends on it—because it does. Whew, dragons are roaring, but stay vigilant, listeners. This has been Ting signing off—thanks for tuning in to Digital Dragon Watch. Subscribe for more, and remember: This has been a Quiet Please production, for more check out quietplease This content was created in partnership and with the help of Artificial Intelligence AI.
NOW PLAYING
Ting Spills Tea: China Hackers Poison Notepad Updates and Hijack 70 Governments While We Slept
No transcript for this episode yet
Similar Episodes
No similar episodes found.
Similar Podcasts
No similar podcasts found.