This is your China Hack Report: Daily US Tech Defense podcast.

I’m Ting, your cyber-wit on the pulse of China’s hacker underground. This past 24 hours—let’s just say, if you’re in US tech defense, your sleep schedule’s about as secure as an unpatched router on election night.

Let’s kick off with F5’s breach, lighting up the boards like it’s DEF CON and the badge contest is rigged. The nation-state group UNC5221, with ties to China according to Bloomberg and the Google Threat Intelligence Group, camped inside F5’s network for months, deploying their custom BRICKSTORM malware. They exfiltrated BIG-IP source code and configuration data—think infrastructure blueprints—and gave themselves a buffet of zero-days. While F5 says the breach is contained, the U.S. Cybersecurity and Infrastructure Security Agency, CISA, isn’t popping champagne. They hit federal agencies with emergency directive ED 26-01: inventory all F5 products, yank public access to management interfaces, and patch like the wind. Deadline for full compliance? October 29. Miss it and you’ll have more meetings than the Internals group at the NSA. CrowdStrike and Mandiant are circling like sharks to lock down the perimeter.

Meanwhile, Microsoft SharePoint’s ToolShell vulnerability, CVE-2025-53770, is being devoured by a buffet of China-linked threat actors—Budworm, Sheathminer, and Storm-2603, with Symantec confirming Salt Typhoon is all over it. University networks in the US got pwned, and finance, telco, and even government agencies across four continents fell to webshells, credential dumping, and creative side-loading moves utilizing legitimate security software. These attackers dropped the Go-based Zingdoor backdoor, ShadowPad Trojan, and RustyLoader to plant persistent, command-and-control frameworks on compromised systems. Microsoft’s fix is out—patch *now* or risk finding a Chinese APT in your org chart.

For today’s malware hall of fame, meet SnappyBee. Volt Typhoon, aka Salt Typhoon, breached a European telecom with this custom backdoor, leveraging a Citrix NetScaler zero-day, sneaking past antivirus with signed drivers, and stealing metadata and lawful intercept data. If you’re in telecom—especially here in the States—James Azar at CyberHub Podcast says treat network traffic analytics like your last bottle of Sriracha: handle with care and keep it close. CISA adds new exploits for Apple, Microsoft (CVE-2025-33073, the SMB client flaw), and Kentico to the Known Exploited Vulnerabilities list. Apple patched their bug back in 2022, but everyone’s got some aunt convinced updates are the enemy. Those unpatched iPhones—guess who’s test-driving Chinese malware?

Oracle has a new October update, dropping a whopping 374 patches. CISA flagged Oracle’s CVE-2025-61884, a server-side request forgery flaw in E-Business Suite, and mandated government agencies apply patches by November 10. If your Oracle stack isn’t up-to-date, you might as well run it on a Raspberry Pi taped to a drone headed for Beijing.

Emergency defense actions per CISA and cyber experts:

Audit Citrix NetScaler configs for SnappyBee indicators.

Patch Windows SMB (CVE-2025-33073), Kentico CMS, Apple Core, Adobe AEM Forms (CVE-2025-54253), and Oracle E-Business Suite (CVE-2025-61884) immediately.

Monitor for abnormal network traffic, credential dumps, and unauthorized admin logins.

If it uses open-source keys, reissue and revoke now. Over 120,000 Bitcoin wallets exposed last night—yup, that includes you, crypto bros.

Every sector is a target: government, law enforcement, universities, finance, telecoms, the supply chain. The PRC’s Salt Typhoon drove what Sen. Mark Warner calls the worst telecom hack in US history; stolen call logs, wiretap orders, and election materials underscore the urgency of these defenses.

Thanks for tuning in! Subscribe so you get each daily update...