Dragon's Code: America Under Cyber Siege
Inception Point Ai
153 episodes
1 day ago
This is your Dragon's Code: America Under Cyber Siege podcast.

Dragon's Code: America Under Cyber Siege is your go-to podcast for detailed analysis of the week's most sophisticated Chinese cyber operations targeting US infrastructure. Stay updated with expert insights into attack methodologies, affected systems, and compelling attribution evidence. Discover the defensive measures implemented and lessons learned from each incident. Featuring interviews with leading cybersecurity experts and government officials, Dragon's Code delivers essential information for anyone interested in the evolving landscape of cyber warfare and national security. Tune in regularly for in-depth discussions that keep you informed and prepared.

For more info go to

https://www.quietplease.ai

Check out these deals https://amzn.to/48MZPjs
Technology, News, Politics, Tech News
All content for Dragon's Code: America Under Cyber Siege is the property of Inception Point Ai and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Chinese Hackers Gone Wild: Zero-Days, Cisco Routers, and Spies in the Ivy League
5 minutes
6 days ago
This is your Dragon's Code: America Under Cyber Siege podcast.

It’s Ting here—your friendly cyber sleuth and specialist on all things China and hacking. Let’s dive straight into the wildest week yet in America’s ongoing cyber drama: Dragon’s Code—America Under Cyber Siege. The past few days have delivered no shortage of high drama, zero-day acrobatics, and government handwringing as Chinese APTs basically played “Capture the Flag” on US, and yes, allied, digital turf.

The talk of the threat intel community is all about BRONZE BUTLER, also tracked as Tick, a Chinese state-sponsored group that Secureworks’ CTU caught actively exploiting a zero-day—CVE-2025-61932—in Motex’s LANSCOPE Endpoint Manager, which is used massively in Japan, but security experts warn the same tactics are being spotted among vendors to US critical infrastructure. This zero-day allowed SYSTEM-level remote code execution, turning whole fleets of endpoints into malware launchpads. Analysts pointed out the two-variant Gokcpdoor backdoor communicating via tricky TCP ports, plus the deployment of tools like Havoc C2 and goddi for Active Directory snooping. Data exfiltration? Ingeniously done via browser uploads to rare services like Piping Server, completely sidestepping your grandma’s DLP solution. The warning here, according to JPCERT/CC and CISA, is internal exploitation—attackers now fish with a spear, not a net.

But the American side is not just watching Japan’s back. Back home, Cisco’s infamous CVE-2023-20198—the IOS XE web UI bug—refuses to die, despite patches being a year old. SALT TYPHOON, another Chinese operator, and friends are still dropping the BADCANDY web shell on unpatched Cisco routers, including those controlling network traffic for water and power utilities. We’re talking privileged backdoors, rogue tunnel interfaces, mass credential harvesting. Even after rebooting and “cleaning up,” many orgs aren’t patching root issues, so attackers simply walk right back in. The Australian Signals Directorate says hundreds of compromised routers in late 2025 prove just how poor global patch hygiene still is.

If you like international intrigue, Mustang Panda’s newer offshoot, UNC6384, just pulled off a high-impact phishing campaign targeting Western diplomats and aviation authorities—this time with a fresh zero-day, CVE-2025-9491 in Windows LNK files, to smuggle PlugX malware onto systems. It’s clever, customized, and timed to real-world events, with phishing emails built around current EU defense topics. PlugX is old but gold; its modularity helps it dodge endpoint defenses, and the group still loves PowerShell and DLL sideloading for stealthy control.

These incidents highlight hallmarks of Chinese cyber tradecraft: fast exploit adoption, precise targeting, leveraging hybrid tooling—custom plus open source. Attribution poles—according to experts at CISA and Secureworks—point to overlapping infrastructure, recurring C2 patterns, and PLA-linked researchers in US academic programs. There’s a big deal now about cracking down on university research collaborations: the House Select Committee found hundreds of PRC-linked engineers embedded in US universities, sometimes funded out of taxpayer pockets and with active defense ties.

Government responses? The Biden administration is pushing for new bans on hardware like TP-Link routers, and Congress is tightening the visa and grant rules for STEM exchanges, particularly for students from institutions like Beihang and Harbin Engineering. Defenders recommend: patch relentlessly, log diligently, separate your admin interfaces, and audit who and what is plugged into your network—because your infrastructure’s weakest link could now be the user-side device.

Enduring lessons? As my friend Emily Austin at Censys always says: Critical infrastructure is now the actual frontline, not just some faceless server farm off in the digital fog. The US, for all...