Brave browser now blocks Microsoft Recall by default, preventing screenshots and protecting users’ browsing history on Windows 11.

Brave browser has announced a new privacy measure, automatically blocking Microsoft’s controversial Recall feature from taking screenshots of browsing activity. This move, implemented in version 1.81 for Windows users, aims to give users more control over their digital privacy, especially concerning their online history.

****What is Microsoft Recall?****

Microsoft Recall, first introduced in May 2024, is designed as a productivity tool for Copilot+ PCs, which are high-end, AI-enhanced computers. It works by taking periodic screenshots of a user’s screen activity and storing them in a local, searchable database. The idea is to allow users to easily ‘recall’ past actions and information using natural language queries, for instance, finding a website visited that featured specific content.

However, from its initial announcement, Recall faced significant criticism from privacy advocates and security experts. Early versions stored these screenshots in plain text, making them highly vulnerable if a system got compromised. While Microsoft has since made changes, including making Recall an opt-in feature and encrypting the data, concerns about a persistent, OS-level log of user activity remain.

****Brave’s Proactive Privacy Stance****

Brave’s Privacy Team specified that Recall contradicts the browser’s privacy-first mission. To address this, Brave has expanded upon Microsoft’s existing privacy commitment to not record private browsing sessions. Therefore, Brave now signals to the operating system that all Brave browser windows are “private,” effectively preventing Recall from capturing any screenshots from them by default.

Block Microsoft Recall toggle in Brave (Source: brave.com)

This approach ensures user browsing activity does not “accidentally end up in a persistent database,” which the Brave Privacy Team highlighted as particularly sensitive in cases like intimate partner violence. Details on this implementation were discussed in a relevant thread on the Brave GitHub repository. Details on this implementation were discussed in a relevant thread on the Brave GitHub repository.

While inspired by similar screenshot-blocking efforts from messaging platforms like Signal, Brave’s method is designed to avoid interfering with other legitimate functions, such as accessibility tools or regular screenshots. Users who wish to allow Recall to capture their Brave Browser can manually adjust a setting within brave://settings/privacy.

****Ongoing Changes and User Control****

This step comes as Microsoft is enhancing Recall, a feature currently in preview, with its final release form for all Windows 11 users remaining uncertain. The Brave Privacy Team has acknowledged that Microsoft has made several security and privacy-enhancing modifications to Recall due to initial concerns.

However, the rapid emergence of bypasses to Microsoft’s initial fixes, such as CVE-2025-53770 and CVE-2025-53771, indicates an ongoing challenge for software developers in securing against such deep-level system monitoring.

Nonetheless, Brave’s action reinforces its commitment to user privacy by offering a strong default defence against features that could potentially log extensive personal data.

Brave Browser Blocks Microsoft Recall from Tracking Online Activity

National Nuclear Security Administration and National Institutes of Health targeted in global Microsoft SharePoint vulnerability exploitation. Chinese hacking groups suspected in widespread data breaches.

A recent global cyberattack campaign, exploiting critical vulnerabilities in Microsoft’s on-premise SharePoint software, has impacted several US government agencies, including the National Institutes of Health (NIH) and the National Nuclear Security Administration (NNSA).

The breaches, which began around Friday, July 18, have prompted immediate action from affected organizations and a strong response from Microsoft, which attributes the attacks to groups linked to the Chinese government.

The NNSA, a division of the Department of Energy responsible for the nation’s nuclear weapons stockpile, confirmed it was affected, but stated that only a “very small number of systems” were impacted. Notably, no classified information was compromised due to NNSA’s widespread use of Microsoft M365 cloud services and strong cybersecurity systems, as reported by Bloomberg News.

“A very small number of systems were impacted. All impacted systems are being restored,” the agency stated.

Similarly, The Washington Post reported that the NIH, a major biomedical research funder, confirmed that at least one SharePoint server system was involved, with eight servers disconnected as a precaution. While one server was compromised, there is no indication that any sensitive information was stolen.

The Washington Post also noted that the California Independent System Operator, which manages most of California’s electric grid, was also targeted. The non-profit “did not confirm nor deny” the breach but confirmed taking immediate actions to contain the threat with no impact on grid reliability.

For your information, these attacks capitalize on a zero-day vulnerability in Microsoft SharePoint. Hackread.com has extensively covered this issue, Microsoft’s investigation and subsequent patches in its recent reports.

So far, what we know is that the vulnerabilities, identified as CVE-2025-49706, CVE-2025-49704, and a variant CVE-2025-53770, allow for network spoofing and remote code execution, giving unauthorized actors full access to SharePoint content, including file systems and internal configurations. These particular flaws affect SharePoint deployments hosted directly by customers, rather than Microsoft’s cloud-based SharePoint Online.

Microsoft has identified three distinct hacking groups, “Linen Typhoon,” “Violet Typhoon,” and “Storm-2603,” all linked to the Chinese government, as being behind these exploitations. These groups are known for targeting government, business, and educational institutions worldwide. The FBI and other relevant agencies are currently investigating the full extent of the compromise.

A Chinese Foreign Ministry spokesperson, when asked about the accusations, stated that China “opposes and fights hacking activities in accordance with the law” and “oppose smears and attacks against China under the excuse of cybersecurity issues.”

Nevertheless, this incident intensifies scrutiny on Microsoft’s security protocols, especially given past criticisms regarding its core products’ vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA)is also facing criticism.

The agency is reportedly facing budget cuts and high staff turnover, which has possibly hampered the timely dissemination of threat warnings to state and local entities, leaving them more susceptible to such pervasive cyber campaigns.

National Nuclear Security Administration Systems Breached in SharePoint Cyberattack

FBI warns of Interlock ransomware using unique tactics to hit businesses and critical infrastructure with double extortion.

The Federal Bureau of Investigation (FBI), alongside the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a warning regarding increased activity by the Interlock ransomware group.

This financially motivated threat targets a wide range of organizations, including businesses and vital critical infrastructure across North America and Europe, employing a dangerous double extortion model to maximize pressure on victims.

****Interlock’s Uncommon Attack Methods****

Interlock ransomware was first detected in late September 2024, with FBI investigations as recent as June 2025 detailing their evolving tactics. The group develops encryptors for both Windows and Linux operating systems, with a particular focus on encrypting virtual machines (VMs). Open-source reports also suggest similarities between Interlock and the Rhysida ransomware variant.

This group stand out for its initial access techniques, which differ from many ransomware groups. One observed method involves ‘drive-by downloads’ from legitimate but compromised websites, where malicious software is disguised as fake updates for popular web browsers like Google Chrome or Microsoft Edge, or even common security tools such as FortiClient or Cisco-Secure-Client.

Moreover, they leverage a social engineering trick called ClickFix, where users are tricked into running harmful files by clicking on fake CAPTCHAs that instruct them to paste and execute malicious commands in their system’s run window.

Once inside a network, the ransomware deploys web shells and tools like Cobalt Strike to establish control, move between systems, and steal sensitive information. They gather login details, including usernames, passwords, and even use keyloggers to record keystrokes.

According to the advisory (PDF), After stealing data, Interlock encrypts systems, appending files with .interlock or .1nt3rlock extensions. They then demand ransom without an initial amount in their note, instead instructing victims to contact them via a special .onion website over the Tor browser. The group threatens to leak exfiltrated data if the ransom, typically paid in Bitcoin, is not met, a threat they have consistently followed through on.

****Urgent Defences for Organizations****

To counter the Interlock threat, federal agencies urge organizations to implement immediate security measures. Key defences include:

*   Preventing initial access by using DNS filtering and web access firewalls, and training employees to spot social engineering attempts.

*   Patching and updating to make sure all operating systems, software, and firmware are up to date, prioritizing known vulnerabilities.

*   Strong authentication implementation, like multi-factor authentication (MFA) for all services where possible, along with stronger identity and access management policies.

*   Network Control by segmenting networks to limit how far ransomware can spread.

*   Backup and recovery by maintaining multiple, offline, immutable (unchangeable) backups of all critical data.

Also, no-cost resources are available through the ongoing #StopRansomware initiative.

FBI and CISA Warn of Interlock Ransomware Targeting Critical Infrastructure

XSS.IS has been seized after its admin was arrested in Ukraine, however its dark web and mirror domains only show a 504 Gateway Timeout error.

Earlier this morning, it was **reported** that on 22 July 2025, Ukraine arrested a man suspected of being the administrator of XSS.IS, one of the world’s most notorious and sophisticated cybercrime platforms. The arrest was made with the assistance of Europol and French authorities. Now, as seen by Hackread.com, the forum itself has also been seized.

Visitors to XSS.IS now see a seizure notice stating, “This domain has been seized by la Brigade de Lutte Contre la Cybercriminalité with assistance from the SBU Cyber Department.”

The seizure notice on XSS.IS (Image credit: Hackread.com)

The “SBU Cyber Department” refers to the Cyber Security Department of the Security Service of Ukraine (SBU). La Brigade de Lutte Contre la Cybercriminalité (BL2C) is a branch of the French judicial police that specialises in combating cybercrime.

****XSS.IS Dark Web (.onion) and Clearnet Domains Show 504 Gateway Timeout Error****

At the time of writing, the main domain of the forum displays a seizure notice, while its dark web domain and clearnet mirror (XSS.AS) both return a “504 Gateway Timeout” error. Notably, the Telegram channel linked to the XSS.IS administrator shows no signs of seizure and is marked as “recently seen.” It remains unclear whether authorities have access to these domains or control over the forum’s Telegram account.

The dark web domain of the XSS.IS forum (Image credit: Hackread.com)

****Background of XSS.IS****

The XSS.IS forum was originally launched in 2004 under the name DaMaGeLaB, a well-regarded Russian-language hacking community. The site was briefly shut down in December 2017 after one of its administrators, Belarusian national Sergey Yarets, known on the forum as “Ar3s,” was arrested.

In late 2018, a prominent forum administrator acquired a backup of the site and relaunched it under the new name XSS, a reference to the web security vulnerability known as **cross-site scripting**.

The name change served two main purposes. First, it distanced the forum from its past associations with law enforcement under the DaMaGeLaB name. Second, it gave the site a more technical and modern image by referencing a vulnerability familiar to its target audience.

Authorities and the cybersecurity community have long suspected that XSS.IS was operated or supported by Russian intelligence agencies, including the Foreign Intelligence Service (SVR), the Federal Security Service (FSB), and the Main Intelligence Directorate (GRU). However, the administrator was found to be in Ukraine. It remains unconfirmed whether the suspect is a Ukrainian or Russian national.

Authorities are analysing the suspect’s electronic devices (Via Europol)

****A Major Blow to Cybercrime****

Although cybercrime forums frequently **appear** and **disappear**, the seizure of XSS.IS marks a significant setback for the global cybercrime community. The forum had more than 50,000 registered users, with membership granted only after a thorough vetting process. In some cases, users were even required to pay a fee to create an account in order to prevent spam.

XSS.IS became a highly prominent and notorious marketplace for **hijacked system access**, malware, stolen credentials, databases, ransomware kits and an encrypted Jabber channel that hackers used to coordinate deals. The forum generated millions of dollars through advertising and facilitation fees.

According to Europol’s **press release**, authorities have also seized user data, which is now being analysed and will be used to track cybercriminals and support ongoing operations against cybercrime both in Europe and globally.

In the end, the message is clear: if you are involved in crime, especially at the scale of running a major cybercrime forum, authorities will eventually catch up. No matter how high-profile the platform may be, it is only a matter of time before it is taken down.

XSS.IS Cybercrime Forum Seized After Admin Arrested in Ukraine

Suspected admin of XSS.IS, a major Russian-language cybercrime forum, arrested in Ukraine after years of running malware and data trade operations.

Ukrainian authorities, with help from French police and Europol, have arrested a person suspected of running one of the largest Russian-language cybercrime hubs out there, XSS.is.

It all started with a long-running investigation that began in mid‑2021 in France. Prosecutors gradually traced encrypted logs and hacker chatter back to an individual living in Ukraine, culminating in their arrest on July 22, 2025.

Press release of the XSS.IS’ suspect admin arrest from the Paris Public Prosecutor’s Office on LinkedIn

XSS.is has been quietly operating since around 2013. The forum became notorious as a central marketplace for hijacked system access, malware, stolen credentials, ransomware kits and an encrypted Jabber channel hackers used to coordinate deals.

You might wonder how the biggest-ever Russian-language cybercrime board ended up with an admin based in Ukraine. The truth is, cybercriminals aren’t bound by borders. Ukraine’s large tech-savvy population and lax oversight may have created ideal conditions for operators like this to manage illicit activities without raising suspicion for years.

Inside XSS.is, users could browse and buy everything from data dumps and remote access trojans to ransomware deployment tools. Its encrypted Jabber server lets members communicate anonymously, making it a go-to platform for organising global cyberattacks.

As of July 2025, XSS.is had been online for over 12 years. That kind of longevity is rare in cybercrime. This arrest highlights how even entrenched networks can be infiltrated with sustained international cooperation.

Current homepage of the XSS.IS forum

****Ex-DaMaGeLaB****

This is not the first time the forum has had its administrator arrested. The forum originally launched in 2004 under the name DaMaGeLaB, a respected Russian-language hacking community. The site was briefly shut down in December 2017 after one of its administrators, Belarusian national Sergey Yarets, known on the forum as “Ar3s,” was arrested.

In late 2018, another prominent forum admin acquired a backup and relaunched it under the new name XSS, referencing the web‑security vulnerability “cross-site scripting.” Switching to the name XSS had two main purposes. First, it distanced the forum from its law‑enforcement-linked past tied to the DaMaGeLaB name. Second, it adopted a tech‑savvy rebrand by invoking a specific vulnerability known to its audience.

Reboot message from XSS.IS’s admin (Image via: ReliaQuest)

For now, XSS.is’s future looks uncertain. With its alleged administrator in custody, authorities in France and Ukraine have a chance to unravel the forum’s infrastructure and financial trail. Europol’s involvement adds weight to the operation and shows a growing international resolve to tackle cybercriminal networks.

Stay tuned, this article will be updated with more information.

Suspected Admin of XSS.IS Cybercrime Forum Arrested in Ukraine

Microsoft was the most impersonated brand in phishing attacks during Q2 2025, accounting for 25% of all attempts, according to Check Point Research.

According to Check Point Research’s (CPR) latest report, cybercriminals spent the second quarter of 2025 impersonating the world’s most familiar brands to steal credentials and payment information. The data shows a mix of predictable targets and a few surprising returns, with Spotify reappearing as a key lure for the first time in years.

Microsoft once again topped the list, featuring in a quarter of all phishing attacks during Q2. Tech brands remained the primary focus, but cybercriminals also went after streaming services and travel platforms that people use daily without a second thought.

Screenshot of a Microsoft 365 phishing email tricking users into calling fake support. This scam was first reported in March 2025.

While the latest research shows Meta no longer at the top as it was in 2024, Microsoft taking the lead again doesn’t come as a surprise. As of 2025, over 1.6 billion people were using the Windows operating system. On top of that, Microsoft 365 had around 345 million paid subscribers and roughly 321 million active users each month.

That massive user base is exactly why Microsoft Office was the most targeted software in malware attacks back in 2022. It also explains why Microsoft was the most impersonated brand in phishing campaigns during Q2 2023, and why it has returned to the top spot now.

Spotify’s return to phishing charts for the first time since 2019 was linked to a spoofing campaign that mimicked the company’s login flow almost perfectly. The fake page, hosted on a malicious URL, asked victims to input credentials before redirecting them to a counterfeit payment form. Both the design and branding were polished enough to fool unsuspecting users, many of whom may have believed they were logging into their real account.

Spotify phishing login page (Image via CPR)

This renewed targeting of entertainment services shows attackers aren’t just looking at corporate systems anymore. Everyday platforms with large user bases are just as likely to be exploited, especially when those users are less suspicious of messages related to subscriptions or media.

Booking.com was also hit by a surge in impersonation. Researchers flagged over 700 newly registered domains with names resembling real booking confirmation URLs. Compared to previous quarters, that’s a spike by a factor of 100.

As Hackread.com reported on multiple occasions, most recently in June 2025, Booking.com was abused in a ClickFix email scam. Back in April 2025, another ClickFix scam exploited Booking.com to infect unsuspecting users with AsyncRAT.

Booking.com ClickFix phishing scam that delivered AsyncRAT (Image credit: Hackread.com)

These scams used personal details like names and email addresses to create urgency. While the domains have since been taken down, the approach revealed how much more personalised phishing tactics have become.

Outside these two cases, as per CPR’s report, the overall trend remains predictable. The tech sector continues to be the most impersonated, with Microsoft, Google, and Apple taking the top three spots.

Social media platforms like LinkedIn, WhatsApp, and Facebook remain common targets, while retail and travel services like Amazon and Booking.com round out the top ten. It is worth noting that CPR’s report

If you use any of these services, keep in mind that phishing campaigns count on people clicking without thinking. A few simple steps can help protect your data. Start by using multi-factor authentication, double-check URLs, run suspicious links through VirusTotal before opening them, and don’t get caught up in the urgency scammers try to create.

For businesses, keep employees informed and alert on cybersecurity, since phishing is still one of the easiest ways attackers gain access to internal systems. And finally, for ongoing updates and insights on cybersecurity, make sure to follow Hackread.com.

Microsoft Most Phished Brand in Q2 2025, Check Point Research

Coyote Trojan becomes first malware to abuse Microsoft’s UI Automation in real attacks, targeting banks and crypto platforms with stealthy tactics.

A new version of the Coyote banking trojan has been spotted, and what’s noticeable about it is not just who it’s targeting, but how it’s going about it. Cybersecurity researchers at Akamai have confirmed that this variant is the first malware seen actively using Microsoft’s UI Automation (UIA) framework to extract banking credentials. It’s a method that had only been a conceptual risk a few months ago.

Back in December 2024, Akamai warned that Microsoft’s UIA, which helps assistive technologies interact with software, could be misused by threat actors. Until now, that concern remained a proof-of-concept. Things changed when Akamai spotted Coyote using UIA in attacks targeting Brazilian users, aiming to extract sensitive information from browser windows tied to banks and cryptocurrency platforms.

This shows that Coyote trojan is changing the way it operates, making it harder to detect and stop. The malware, first detected in February 2024, is known for phishing overlays and keylogging aimed at Latin American financial targets. But what makes this variant different is its use of UIA to bypass detection tools like endpoint detection and response software.

Instead of relying on conventional APIs to check which banking site a victim is visiting, Coyote now uses UI Automation. When the active window title doesn’t match any of the malware’s preloaded banking or crypto site addresses, it changes its tactics and uses a UIA COM object to start crawling through the sub-elements of the active window, searching for telltale signs of financial activity.

Akamai’s blog post, shared with Hackread.com ahead of publishing on Tuesday, found that Coyote’s hardcoded list includes 75 financial institutions and crypto exchanges. What’s worse, these aren’t just names or URLs. The malware maps them to internal categories, allowing it to prioritise or customise its credential-stuffing attempts. This approach not only increases its chances of hitting the target but also makes it more flexible across browsers and applications.

Normally, an attacker would need detailed knowledge of a specific application’s design. UIA simplifies that process. With this framework, malware can scan the UI of another app, extract content from fields like address bars or input boxes, and use that information to customise attacks or steal login data.

Coyote trojan doesn’t stop at identifying banks. It also sends system details back to its command-and-control infrastructure, including the computer name, username, and browser data. If offline, it still performs many of these checks locally, making it harder to catch through network traffic alone.

According to researchers, the bigger concern here is how UIA could open up new attack paths. Akamai demonstrated this by showing how attackers might not just scrape data but also manipulate UI elements. One proof of concept shows the malware altering a browser’s address bar, then simulating a click to quietly redirect the user to a phishing site, all while looking legitimate on screen.

Akamai’s PoC (Click to Play GIF)

On the defensive side, there are ways to catch this kind of abuse. Akamai recommends monitoring for the loading of UIAutomationCore.dll into unfamiliar processes. They also provide osquery commands to flag processes that interact with UIA-related named pipes. These are early warning signs that an attacker may be snooping on the user interface.

Akamai’s threat hunting service has already started scanning environments for such anomalies. According to their report, customers were alerted when suspicious UIA activity was detected.

Coyote Trojan First to Use Microsoft UI Automation in Bank Attacks

Flowable’s 2025.1 update brings powerful Agentic AI features to automate workflows, boost efficiency, and scale intelligent business operations.

Flowable has taken a significant leap forward in the realm of intelligent process automation with its Summer 2025 release. The update brings a comprehensive set of features centered around agentic AI, signaling a new era where artificial intelligence seamlessly integrates into business workflows as a first-class citizen.

Released on July 22, 2025, the Flowable 2025.1 update will empower businesses to seamlessly integrate AI into workflows, driving greater efficiency, collaboration, and scalability, and will redefine business process automation forever.

****AI Agents as Core Components of Flowable****

The summer 2025 release makes Agentic AI a central element of the Flowable platform. Businesses can now create, orchestrate, and manage AI agents using the same powerful tools they rely on for BPMN and CMMN workflows, providing a unified environment for advanced enterprise process automation.

This new release offers enterprises the opportunity to scale AI adoption and integration, unlocking new levels of productivity and business process optimization.

****Key Features of Flowable’s New AI Agents****

The update includes a range of new features designed to optimize business processes and enhance automation:

*   **Flexible Agent Creation:** Users can create AI agents of varying complexity to work with simple tasks or complex workflows, directly within the Flowable platform.

*   **External AI Integration:** Flowable integrates with external AI services, such as AWS Bedrock, Azure Foundry, and Salesforce Agentforce, enabling businesses to extend their automation capabilities.

*   **Multi-Agent Collaboration:** The platform supports complex workflows with multiple AI agents working together across internally configured and external systems for efficient automation.

*   **AI-Powered Case Management:** The new “AI button” in Flowable’s case automation links cases to AI models, enabling real-time summaries, question answering, actionable suggestions, and autonomous customer communication and task completion.

****AI Agent Autonomy: Adaptive Decision-Making****

Flowable’s new AI agents offer dynamic autonomy, meaning they can adapt their level of decision-making based on the nature of the task at hand. In unpredictable, organic scenarios, agents provide AI-powered assistance. For more structured, well-defined processes, they revert to deterministic solutions, ensuring businesses can handle both structured workflows and complex, evolving situations effectively.

****Document and Data Processing with AI****

A key feature of this update is the Document Agent Type, which automates the processing of unstructured documents. This agent classifies documents, such as invoices, passports, and contracts, extracting relevant information and significantly reducing manual data entry, thereby improving efficiency and reducing errors in document-heavy workflows.

****AI-Driven Contextual Assistance****

The Orchestrator Agent Type provides businesses with an intelligent assistant to manage cases and workflows. It offers capabilities such as:

*   Summarizing case details and providing task overviews.

*   Triggering actions based on user interactions or document uploads, such as initiating an “invoice intent analysis” after an invoice is uploaded.

*   Suggesting or automating steps in workflows based on case events, like starting a “customer escalation” if a customer expresses frustration.

These features enhance case management by improving both responsiveness and decision-making.

****A Suite of AI Agents for Every Business Need****

The Flowable 2025.1 release introduces four powerful types of AI agents, each designed to address specific business needs:

*   **Utility Agent:** Automates tasks like data enrichment, sentiment analysis, and classification.

*   **Document Agent:** Extracts and processes data from unstructured documents such as invoices, contracts, and other records.

*   **Knowledge Agent:** Provides contextual answers by tapping into internal knowledge bases, FAQs, or documentation.

*   **Orchestrator Agent:** Coordinates and manages other agents or tasks based on dynamic inputs, rules, or goals.

****Empowering Enterprises with Intelligent Automation****

Flowable’s latest release enables enterprises to seamlessly integrate agentic AI into their workflows, unlocking new levels of automation and intelligence. By leveraging agentic AI, organizations can enhance decision-making, streamline operations, and drive digital transformation. 

With this next generation of AI-powered automation, businesses are poised to lead the future of intelligent business processes.

****About Flowable****

Flowable is a leader in digital transformation, offering a unified platform for business process management (BPM), business process automation (BPA), case management, and AI-powered automation. Flowable helps organizations streamline operations, improve decision-making, and drive innovation at scale, supporting businesses in their digital transformation journey. 

****Media Contact:****

*   Violet Diamanti-Race
*   Product Marketing Manager
*   Email: \[email protected\]
*   Marketing: \[email protected\]

Flowable’s Summer 2025 Update Introduces Groundbreaking Agentic AI Capabilities

Microsoft reveals Chinese state-backed hacker groups, including Linen Typhoon, Violet Typhoon, and Storm-2603, are exploiting SharePoint flaws, breaching over 100 organisations. Discover threat actors, their tactics and Microsoft's urgent security guidance.

Microsoft’s critical new update reveals that specific Chinese nation-state threat groups are actively exploiting vulnerabilities in its on-premises SharePoint servers. Following an earlier report from Hackread.com, which highlighted the compromise of over 100 organisations globally, Microsoft has now identified the key players behind the intrusions and released comprehensive security updates for all affected SharePoint versions.

The ongoing cyberattacks leverage two distinct zero-day flaws, CVE-2025-49706, a spoofing vulnerability that allows attackers to trick systems, and CVE-2025-49704, a remote code execution (RCE) vulnerability enabling them to run malicious code remotely. These flaws are related to the previously highlighted CVE-2025-53770 and CVE-2025-53771.

> Microsoft is sharing details from ongoing investigations of threat actors exploiting vulnerabilities targeting on-premises SharePoint servers. Linen Typhoon, Violet Typhoon, and Storm-2603 have been observed exploiting the vulnerabilities: https://t.co/oQ2HDZZbJB
> 
> — Microsoft Threat Intelligence (@MsftSecIntel) July 22, 2025

****Named Threat Actors and Attack Tactics****

Microsoft’s Threat Intelligence unit confirms that Chinese nation-state actors Linen Typhoon, Violet Typhoon, and another China-based group tracked as Storm-2603, are exploiting these vulnerabilities. Observed attacks begin with threat actors conducting reconnaissance and sending crafted POST requests to the ToolPane endpoint on SharePoint servers.

These groups are known for espionage, intellectual property theft, and persistently targeting exposed web infrastructure. Attacks are widespread, with CrowdStrike observing hundreds of attempts across over 160 customer environments since July 18, 2025.

Linen Typhoon, active since 2012, focuses on stealing intellectual property from government, defence, and human rights sectors. Violet Typhoon, tracked since 2015, specialises in espionage against former military personnel, NGOs, and financial institutions, often by scanning for and exploiting vulnerabilities.

While Storm-2603 has previously deployed ransomware like Warlock and Lockbit, their current objectives with these SharePoint exploits are still being assessed. Here is a summary of these groups’ activities:

****1\. Linen Typhoon****

*   Chinese state-sponsored group
*   Previously known as Hafnium
*   Target focuses on the Government, defence, NGOs, and education
*   Known for attacks on US critical infrastructure and academic institutions
*   Notable activity includes Exploited Microsoft Exchange vulnerabilities (ProxyLogon)

****2\. Violet Typhoon****

*   Chinese threat actor
*   Previously known as APT41 (also known as Barium or Winnti, depending on activity)
*   Known for a mix of state-backed espionage and financially motivated attacks
*   Target focuses on healthcare, telecom, software, and gaming industries
*   **Notable activity**: includes supply chain compromises, backdoored software updates

****3\. Storm-2603****

*   Believed to be China-linked
*   “Storm” is a temporary name Microsoft uses for emerging or unattributed groups
*   Known for exploiting zero-day vulnerabilities in Microsoft products
*   Target focus includes government and corporate systems
*   Status is under investigation, but early indicators point toward Chinese origin

According to Microsoft’s investigation, attackers are deploying web shells, such as modified spinstall0.aspx files, to steal critical IIS Machine Keys, which can bypass authentication, and early exploitation attempts date back to July 7, 2025. As previously noted by Shadowserver Foundation, these persistent backdoors allow hackers to maintain access even after systems are updated.

****Urgent Fixes and Mitigation Steps****

On July 19, 2025, Microsoft Security Response Centre (MSRC) published security updates for all supported SharePoint Server versions (Subscription Edition, 2019, and 2016). This is a crucial development, as previously, updates for SharePoint 2016 were still pending. Microsoft urges immediate application of these updates.

Other than patching, Microsoft recommends enabling Anti-malware Scan Interface (AMSI) in Full Mode and deploying Microsoft Defender Antivirus or equivalent solutions on all SharePoint servers.

Microsoft Reveals Chinese State Hackers Exploiting SharePoint Flaws

Hackers are exploiting critical SharePoint flaws (CVE-2025-53770/53771) to breach global targets, including governments and corporations. Microsoft urges immediate action. Learn about the active attacks and how to protect your network from credential theft and backdoors.

New information has emerged regarding ongoing cyberattacks against Microsoft’s on-premises SharePoint servers, revealing a wider impact than initially understood. Yesterday, Hackread.com reported on Microsoft’s urgent warnings and new security updates for critical vulnerabilities (CVE-2025-53770 and CVE-2025-53771) that allow attackers to execute malicious code.

Now, cybersecurity researchers have confirmed a significant escalation: approximately 100 organisations worldwide have been successfully breached so far. This widespread exploitation has impacted governments, businesses, and other entities globally.

Victims include national governments in Europe and the Middle East, along with US government systems such as the Department of Education, Florida’s Department of Revenue, and the Rhode Island General Assembly.

A US-based healthcare provider and a public university in Southeast Asia have also been targeted, with attempted breaches observed in countries like Brazil, Canada, Indonesia, Spain, South Africa, Switzerland, and the UK.

Attackers are, reportedly, exploiting zero-day flaws, meaning these weaknesses were previously unknown, allowing spies to gain deep access and potentially install persistent backdoors. Cybersecurity firms like CrowdStrike, Mandiant Consulting, Shadowserver Foundation, and Eye Security are tracking multiple hacker groups involved in these attacks.

Netherlands-based Eye Security first identified active exploitation on Friday, noting that even after initial patches from Microsoft in early July, hackers found “ways around the patches” to continue their intrusions. CrowdStrike also observed active exploitation beginning July 18, 2025, blocking hundreds of attempts across over 160 customer environments.

SharePoint flaws exploitation attempts over time (Source: CrowdStrike)

A common sign of infection is the presence of a suspicious file named “spinstall0.aspx,” which attackers use to steal IIS Machine Keys after being written via PowerShell commands, CrowdStrike found.

****Urgent Call for Action****

The stolen information is highly sensitive, including sign-in credentials like usernames, passwords, and hash codes. SharePoint’s deep integration with other Microsoft services like Office, Teams, OneDrive, and Outlook means a compromise isn’t contained and “opens the door to the entire network,” according to Michael Sikorski of Palo Alto Networks.

While Microsoft released patches over the weekend for SharePoint 2019 and Subscription Edition, updates for SharePoint 2016 are still under development. Organisations are strongly advised to not only apply available patches but also to rotate machine keys and restart their IIS services to fully mitigate the threat.

Adding to these critical steps, the CISA (Cybersecurity and Infrastructure Security Agency) on July 20, 2025, issued its own guidance. They recommend configuring Antimalware Scan Interface (AMSI) in SharePoint, deploying Microsoft Defender AV on all SharePoint servers, and, if AMSI cannot be enabled, disconnecting affected public-facing products until official mitigations are fully applied.

The vast number of potentially vulnerable SharePoint servers, estimated at over 8,000 globally by search engines like Shodan, highlights the urgent need for comprehensive security measures. The breaches have also brought renewed scrutiny to Microsoft’s cybersecurity practices, with a 2024 US government report recommending urgent reforms to its security culture.

“Cryptographic asset theft is the new ‘phishing’, in that, bad actors have learnt that, like stealing passwords, getting an important cryptographic asset like API Keys or a Machine Identity, is much easier than brute force methods,_“_ said Robert Hann, Global VP Technical Solutions at Entrust.

“To protect sensitive data with encryption and HSMs, it’s essential to first understand which cryptographic assets, like private keys, digital certificates, and encryption algorithms, are securing which systems and information. Leveraging an HSM is especially important for data that is sensitive or carries compliance requirements,” Robert advised.

“In addition to HSM protection, it’s crucial for companies to implement other security best practices for SharePoint, such as keeping the software up to date with the latest patches and security updates, using strong passwords, rolling over keys regularly and following secure configuration guidelines,” he emphasised.

According to Andrew Obadiaru, CISO, Cobalt, an offensive security company, “Zero-day vulnerabilities in widely deployed platforms like SharePoint are a goldmine for attackers because they provide immediate, scalable access to high-value environments. The challenge isn’t just patching; it’s that attackers typically implant persistence mechanisms within hours, ensuring long-term footholds._“_

“Defence strategies need to assume breach and validate controls through proactive testing, including red teaming and continuous pentesting, to uncover weaknesses before adversaries do. In today’s threat landscape, reactive security alone is a losing game,” Andrew advised.

Source

HackRead