Ting Spills Tea: China Hackers Poison Notepad Updates and Hijack 70 Governments While We Slept episode artwork

EPISODE · Feb 8, 2026 · 4 MIN

Ting Spills Tea: China Hackers Poison Notepad Updates and Hijack 70 Governments While We Slept

from Digital Dragon Watch: Weekly China Cyber Alert · host Inception Point AI

This is your Digital Dragon Watch: Weekly China Cyber Alert podcast. Hey listeners, Ting here with your Digital Dragon Watch: Weekly China Cyber Alert, diving straight into the hottest threats from the past seven days ending February 8, 2026. Buckle up—China-nexus hackers have been swinging hard, but we've got the intel to fight back. First off, the DKnife toolkit is making waves. Cyberrecaps reports a China-linked crew's been wielding this Linux-based beast since 2019 to hijack routers and edge devices, pulling off adversary-in-the-middle attacks. They're DNS-hijacking traffic, slipping ShadowPad and DarkNimbus backdoors into legit Android updates and Windows binaries, mostly targeting Chinese-speaking users on WeChat and email services. Compromised CentOS and Red Hat boxes at IPs like 43.132.205.118 are their playground—pure espionage gold for network gateway control. Then there's the Notepad++ supply chain nightmare. Don Ho, the developer, confirmed on his blog that from June to December 2025, hackers—tagged Lotus Blossom by Rapid7—hijacked the update server hosted by Hostinger. They selectively poisoned downloads for targeted users, dropping custom backdoors for data theft and lateral movement. CISA's on it, probing US government exposure. Lotus Blossom, active since 2009, loves hitting Southeast Asia's government, telecom, aviation, and critical infra—now creeping into Central America. Highly selective, not mass chaos, but a dev's worst dream. Scale up to Shadow Campaigns: Palo Alto Networks Unit 42 exposed TGR-STA-1030/UNC6619 breaching 70 government networks across 37 countries. This Asia-based op, likely Chinese-backed with GMT+8 ops, deploys ShadowGuard rootkit to cloak Linux processes, scanning SSH vulns and timing hits like the October 2025 US shutdown or pre-Honduras election recon. Targets? Finance ministries, parliaments, border control, power grids—spying on trade, diplomacy, and elections in South China Sea hotspots like Indonesia, Thailand, Vietnam. Sectors hammered: critical infrastructure, government, developers. New vectors? Router hijacks, update poisoning, rootkits evading EDR. US responses? CISA added SmarterMail's CVE-2026-24423 to KEV for active ransomware exploits, issued BOD 26-02 mandating federal agencies ditch EOL edge devices within 12 months—China and Russia love those unpatched routers and VPNs. They're tracking Shadow Campaigns too. Expert recs from Rapid7 and Unit 42: Patch Notepad++ now, scan for DKnife IOCs, enforce MFA beyond basics (ShinyHunters are MFA-phishing), inventory edge gear, block VPS/ Tor SSH attempts, and rotate creds. For routers, ditch defaults, enable MFA, and air-gap updates. Developers, vet supply chains like your life depends on it—because it does. Whew, dragons are roaring, but stay vigilant, listeners. This has been Ting signing off—thanks for tuning in to Digital Dragon Watch. Subscribe for more, and remember: This has been a Quiet Please production, for more check out quietplease This content was created in partnership and with the help of Artificial Intelligence AI.

This is your Digital Dragon Watch: Weekly China Cyber Alert podcast. Hey listeners, Ting here with your Digital Dragon Watch: Weekly China Cyber Alert, diving straight into the hottest threats from the past seven days ending February 8, 2026. Buckle up—China-nexus hackers have been swinging hard, but we've got the intel to fight back. First off, the DKnife toolkit is making waves. Cyberrecaps reports a China-linked crew's been wielding this Linux-based beast since 2019 to hijack routers and edge devices, pulling off adversary-in-the-middle attacks. They're DNS-hijacking traffic, slipping ShadowPad and DarkNimbus backdoors into legit Android updates and Windows binaries, mostly targeting Chinese-speaking users on WeChat and email services. Compromised CentOS and Red Hat boxes at IPs like 43.132.205.118 are their playground—pure espionage gold for network gateway control. Then there's the Notepad++ supply chain nightmare. Don Ho, the developer, confirmed on his blog that from June to December 2025, hackers—tagged Lotus Blossom by Rapid7—hijacked the update server hosted by Hostinger. They selectively poisoned downloads for targeted users, dropping custom backdoors for data theft and lateral movement. CISA's on it, probing US government exposure. Lotus Blossom, active since 2009, loves hitting Southeast Asia's government, telecom, aviation, and critical infra—now creeping into Central America. Highly selective, not mass chaos, but a dev's worst dream. Scale up to Shadow Campaigns: Palo Alto Networks Unit 42 exposed TGR-STA-1030/UNC6619 breaching 70 government networks across 37 countries. This Asia-based op, likely Chinese-backed with GMT+8 ops, deploys ShadowGuard rootkit to cloak Linux processes, scanning SSH vulns and timing hits like the October 2025 US shutdown or pre-Honduras election recon. Targets? Finance ministries, parliaments, border control, power grids—spying on trade, diplomacy, and elections in South China Sea hotspots like Indonesia, Thailand, Vietnam. Sectors hammered: critical infrastructure, government, developers. New vectors? Router hijacks, update poisoning, rootkits evading EDR. US responses? CISA added SmarterMail's CVE-2026-24423 to KEV for active ransomware exploits, issued BOD 26-02 mandating federal agencies ditch EOL edge devices within 12 months—China and Russia love those unpatched routers and VPNs. They're tracking Shadow Campaigns too. Expert recs from Rapid7 and Unit 42: Patch Notepad++ now, scan for DKnife IOCs, enforce MFA beyond basics (ShinyHunters are MFA-phishing), inventory edge gear, block VPS/ Tor SSH attempts, and rotate creds. For routers, ditch defaults, enable MFA, and air-gap updates. Developers, vet supply chains like your life depends on it—because it does. Whew, dragons are roaring, but stay vigilant, listeners. This has been Ting signing off—thanks for tuning in to Digital Dragon Watch. Subscribe for more, and remember: This has been a Quiet Please production, for more check out quietplease This content was created in partnership and with the help of Artificial Intelligence AI.

NOW PLAYING

Ting Spills Tea: China Hackers Poison Notepad Updates and Hijack 70 Governments While We Slept

0:00 4:00

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

No similar episodes found.

No similar podcasts found.

Frequently Asked Questions

How long is this episode of Digital Dragon Watch: Weekly China Cyber Alert?

This episode is 4 minutes long.

When was this Digital Dragon Watch: Weekly China Cyber Alert episode published?

This episode was published on February 8, 2026.

What is this episode about?

This is your Digital Dragon Watch: Weekly China Cyber Alert podcast. Hey listeners, Ting here with your Digital Dragon Watch: Weekly China Cyber Alert, diving straight into the hottest threats from the past seven days ending February 8, 2026....

Can I download this Digital Dragon Watch: Weekly China Cyber Alert episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!