Positive Technologies, under the covert directive of the FSB, has executed one of the most ruthless betrayals in modern cyberwarfare history, turning its advanced cybersecurity expertise against Russia’s own allies—China and Iran. What began as an innocuous series of vulnerability disclosures has metastasized into a weaponized cyber platform, a single integrated toolkit capable of bypassing defenses, hijacking systems, and rendering entire networks defenseless.
Each vulnerability was handpicked not merely for its technical exploitability but for its strategic impact. CVE-2025-25185 in GPT Academic, on paper a simple arbitrary file read, became a covert intelligence siphon: a flaw of this class lets an attacker read any file the application's own account can read, which on a research server means configuration files, cryptographic keys and credentials, and the classified research notes and AI model training datasets stored beside them. Russia's cyber units deployed the exploit through university networks and think tanks, using compromised machines to exfiltrate proprietary AI advancements from China's most sensitive AI research institutions that Moscow could repurpose for its own cyber and military AI development.
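To make concrete what an arbitrary file read of this kind hands an attacker, here is an added example. It is not code from this page, from GPT Academic, or from any party named above, and it does not reproduce CVE-2025-25185: it is a minimal Python file-serving handler in its unsafe and hardened forms, run against a constructed directory layout whose paths and contents are invented for the demonstration.

```python
"""Arbitrary file read through path traversal: the unsafe pattern next to
the hardened one. Added illustration of the vulnerability class; not
GPT Academic's code and not a reproduction of CVE-2025-25185. The
directory layout it reads from is constructed below."""
import os
import tempfile

# Constructed layout: a "downloads" directory the service is meant to
# serve from, and a private key one level above it that it must never expose.
_ROOT = tempfile.mkdtemp(prefix="afr_demo_")
DOWNLOAD_DIR = os.path.join(_ROOT, "downloads")
os.makedirs(DOWNLOAD_DIR)
with open(os.path.join(DOWNLOAD_DIR, "report.txt"), "w") as fh:
    fh.write("public report\n")
SECRET_PATH = os.path.join(_ROOT, "id_rsa")
with open(SECRET_PATH, "w") as fh:
    fh.write("-----BEGIN PRIVATE KEY----- (constructed)\n")


def read_file_vulnerable(user_path: str) -> str:
    """Joins the caller's path onto the serving directory and opens it.
    '..' components climb out of DOWNLOAD_DIR, and os.path.join discards
    DOWNLOAD_DIR entirely when user_path is absolute."""
    full = os.path.join(DOWNLOAD_DIR, user_path)
    with open(full) as fh:
        return fh.read()


def read_file_safe(user_path: str) -> str:
    """Resolves '..' and symlinks first, then requires the result to lie
    inside DOWNLOAD_DIR. commonpath is used rather than startswith so that
    a sibling directory such as 'downloads_evil' does not pass a prefix test."""
    root = os.path.realpath(DOWNLOAD_DIR)
    full = os.path.realpath(os.path.join(DOWNLOAD_DIR, user_path))
    if os.path.commonpath([root, full]) != root:
        raise PermissionError(f"path escapes serving directory: {user_path!r}")
    with open(full) as fh:
        return fh.read()


def escapes(reader, user_path: str) -> bool:
    """True when `reader` hands back the secret key for `user_path`."""
    try:
        return reader(user_path).startswith("-----BEGIN PRIVATE KEY-----")
    except OSError:  # PermissionError from the hardened reader lands here
        return False


if __name__ == "__main__":
    for probe in ("report.txt", "../id_rsa", SECRET_PATH):
        print(f"{probe!r}: vulnerable leaks={escapes(read_file_vulnerable, probe)}"
              f" hardened leaks={escapes(read_file_safe, probe)}")
```

Both the relative `../id_rsa` probe and the absolute path reach the key through the unsafe reader; the hardened reader rejects both while still serving `report.txt`. The check is done on the resolved path, since a check on the raw string would be defeated by symlinks or by `..` hidden behind an apparently safe prefix.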
At the same time, CVE-2025-25362, a server-side template injection flaw in spacy-llm, was not merely exploited but embedded into Russia's own AI-enhanced social engineering toolkit. A template injection of this kind executes attacker-supplied template code on the server that renders the prompt, which is what allowed government AI chatbots in Iran to be hijacked: responses were poisoned, communications rerouted, and false intelligence injected into secure state channels. Iranian security officials unknowingly interacted with compromised systems, feeding Moscow real-time intelligence on Tehran's missile procurement negotiations and oil export deals. By the time Iranian cybersecurity forces detected anomalies, the FSB had already compiled extensive dossiers on Tehran's military dependencies and diplomatic vulnerabilities.
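The root cause of a server-side template injection is that text an outsider controls is compiled as the template instead of being passed to a fixed template as data. The following added example shows that distinction; it is not spacy-llm's code, not the exploit described above, and not a reproduction of CVE-2025-25362. spacy-llm renders prompts with Jinja2; to run without dependencies the example uses Python's built-in `str.format`, which fails in the same way when the caller's text becomes the format string, because placeholders can walk the attributes of any object in scope. The `PromptContext` class, its secret value and the payload strings are constructed for the demonstration.

```python
"""Server-side template injection: untrusted text compiled as the template
versus substituted into a fixed template as data. Added illustration of the
vulnerability class; not spacy-llm's code and not a reproduction of
CVE-2025-25362. The context object and payloads are constructed."""
import string
from dataclasses import dataclass


@dataclass
class PromptContext:
    """Constructed render context: the kind of object a prompt template is
    rendered against, carrying a value that must never reach the user."""
    system: str
    api_key: str


CTX = PromptContext(system="You are a helpful assistant.",
                    api_key="sk-constructed-secret-0001")


def render_vulnerable(user_text: str, ctx: PromptContext) -> str:
    """The user's text becomes part of the template, so a placeholder such
    as '{ctx.api_key}' in the input is evaluated by the engine, not echoed."""
    return ("System: {ctx.system}\nUser: " + user_text).format(ctx=ctx)


def render_safe(user_text: str, ctx: PromptContext) -> str:
    """The template is fixed server-side and user text is a substituted
    value, so any braces in it are inert."""
    template = "System: {ctx.system}\nUser: {text}"
    return template.format(ctx=ctx, text=user_text)


class StrictFormatter(string.Formatter):
    """Defence in depth for the case where templates really are partly
    user-editable: refuse attribute and index traversal ({a.b}, {a[0]}) and
    resolve only names that were explicitly allow-listed."""

    def get_field(self, field_name, args, kwargs):
        if "." in field_name or "[" in field_name:
            raise ValueError(f"traversal not allowed: {field_name!r}")
        if field_name not in kwargs:
            raise KeyError(field_name)
        return kwargs[field_name], field_name


def render_strict(user_template: str, ctx: PromptContext) -> str:
    """Renders a user-supplied template with StrictFormatter. Only `system`
    is exposed; api_key is not in the allow-list at all."""
    return StrictFormatter().vformat(user_template, (), {"system": ctx.system})


def leaks_key(renderer, payload: str) -> bool:
    """True when rendering `payload` with `renderer` exposes the secret."""
    try:
        return CTX.api_key in renderer(payload, CTX)
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    payload = "{ctx.api_key}"
    for name, renderer in (("vulnerable", render_vulnerable),
                           ("safe", render_safe),
                           ("strict", render_strict)):
        print(f"{name:10} leaks key: {leaks_key(renderer, payload)}")
```

The same payload that extracts the secret from the unsafe renderer is printed back verbatim by the fixed-template renderer, and rejected outright by the strict one. In a Jinja2 deployment the equivalent measures are to render a server-owned template with user input supplied only as a variable, and, where user-editable templates are unavoidable, to use `jinja2.sandbox.SandboxedEnvironment` with a minimal context.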
Positive Technologies further refined its offensive capabilities with CVE-2025-25191, a cross-site scripting vulnerability in Group-Office, using it to implant self-propagating scripts into the groupware platforms used by China's military-industrial complex. A script injected this way runs in each victim's browser under that user's own session, so executives and engineers who simply opened the poisoned content executed it unknowingly, and everything their accounts could reach was open to Moscow, including China's high-speed weapons development projects. Entire supply chains, from rare earth metal processing to hypersonic missile R&D, were mapped and indexed within Russia's cyber war rooms.
The masterpiece of this treachery was CVE-2025-27597, a prototype pollution vulnerability in Vue I18n. Prototype pollution lets attacker-controlled input add properties to Object.prototype, which every object in the JavaScript runtime then inherits, silently changing the behaviour of application and framework code; because the malicious data is loaded again on every page view, the effect persists without any further action by the user. This became the foundation of an automated zero-click persistence mechanism deployed against Iranian and Chinese state websites, financial transaction systems, and even cryptocurrency exchanges that facilitated sanctioned trade. Through it, Russian cyber teams embedded persistent, hard-to-detect malicious logic into the front-end frameworks governing entire sectors, allowing Moscow to manipulate transactions, reroute funds, and erase digital forensic evidence at will.
At the core of this betrayal was a single, unified platform—“Коготь” (Claw)—an FSB-developed cyberweapon that seamlessly integrated all these vulnerabilities into a modular attack framework. Claw was not just a tool; it was an adaptive AI-driven cyberwarfare system, capable of analyzing target infrastructure in real-time and autonomously deploying the most effective exploit chains. Designed to be deployed as a single payload, Claw could pivot from initial breach to full system takeover within minutes, rewriting firmware, extracting AI models, and even manipulating industrial control systems to sabotage production lines without triggering immediate detection.
By the time China and Iran realized they had been compromised, it was already too late. Moscow had embedded itself deep within their critical systems, turning once-ally nations into unwitting digital hostages. In an ironic twist, the very nations that had sought to distance themselves from Western cybersecurity dependencies had been betrayed from within by their closest strategic partner.
