The Good | Operation Secure Dismantles Global Infostealer Infrastructure in Multi-Nation Crackdown
An international law enforcement initiative dubbed “Operation Secure” delivered a significant blow to infostealer malware infrastructure this week. Led by Interpol and conducted across 26 countries between January and April 2025, the operation led to the arrest of 32 suspects, the seizure of 41 servers, and the take down of over 20,000 malicious IP addresses and domains. Authorities also confiscated 100 GB of stolen data and alerted over 216,000 associated victims.
One of the more notable discoveries during the operation was a network of 117 command and control (C2) servers in Hong Kong used to support phishing, social media scams, and various digital fraud campaigns. In Vietnam, local police forces arrested 18 individuals, including a suspected leader of a cybercrime group focused on selling access to compromised corporate accounts.
Infostealer malware is responsible for collecting sensitive data such as login credentials, browser cookies, and cryptocurrency wallet information. This stolen data is often sold on underground forums or used in subsequent attacks against individuals and organizations.
Operation Secure leveraged intelligence on infrastructure linked to Lumma, RisePro, and MetaStealer families, and involved tracking the operators’ presence on Telegram and the dark web. This marks the second major disruption for Lumma Stealer this year, following a U.S.-led operation from last month. MetaStealer also faced setbacks during Operation Magnus executed in 2024.
Operation Secure shows how cross-border collaboration and public-private partnerships can be successful in dismantling cybercriminal infrastructure and protecting victims at scale – a major step forward in the fight against infostealer threats.
The Bad | Fog Ransomware Uses Uncommon Tools in Suspected Cyberespionage Attack
While many ransomware actors pursue low-hanging fruit using common exploits and off-the-shelf tools, some groups adopt unconventional techniques and toolsets to complicate detection and response. Researchers recently uncovered one such case involving Fog ransomware group, which blends legitimate employee monitoring software and open-source penetration testing tools.
Active since May 2024, Fog initially accessed victim networks using compromised VPN credentials, followed by pass-the-hash techniques to escalate privileges, disable Windows Defender, and encrypt files. Its latest toolset was uncovered during an incident response at a financial institution in Asia.
Among the most unusual tools was Syteca, a legitimate employee monitoring solution that records screen activity and keystrokes. Fog actors covertly delivered Syteca via Stowaway, an open-source proxy tool used for communication and private file transfers. After execution by SMBExec from the Impacket framework, Syteca allowed Fog to harvest credentials and sensitive data.
The group also employed GC2, an open-source post-exploitation backdoor leveraging Google Sheets or Microsoft SharePoint for C2 and exfiltration. This is a tool rarely seen in ransomware attacks but previously linked to China-linked threat group APT41. Additional tools in Fog’s arsenal include Adapt2x C2 (a Cobalt Strike alternative), Process Watchdog, PsExec, and Impacket SMB for lateral movement. To exfiltrate data, the group used 7-Zip, MegaSync, and FreeFileSync.
The unusual mix of rarely-seen elements in this toolset suggest a deliberate attempt to evade standard defenses through atypical methods. This is most clearly seen in how Fog established persistence after data encryption – an uncommon tactic for ransomware operations. These factors raise the possibility that the ransomware served as a smokescreen for espionage activity, making this a dual-purpose attack that organizations should monitor closely.
The Ugly | Zero-Click AI Vulnerability “EchoLeak” Exposes Sensitive Data in Microsoft 365 Copilot
Thought to be the first zero-click attack chain on an AI agent, “EchoLeak” is a security vulnerability that allows data exfiltration from Microsoft 365 Copilot without requiring any user action, interaction, or awareness. The new discovery exposes a critical-level flaw in Copilot, enabling attackers to exfiltrate sensitive organizational data without user interaction. Tracked as CVE-2025-32711 with a CVSS score of 9.3, the flaw has already been patched by Microsoft and shows no signs of active exploitation.
Security researchers categorize EchoLeak as an AI command injection issue caused by what’s being called a “Large Language Model (LLM) Scope Violation”. This occurs when malicious prompts embedded in untrusted sources, such as externally sourced markdown emails, are processed by the LLM, tricking it into accessing and leaking internal information.
In this attack chain, an attacker sends a specially crafted email to an employee. When the employee later engages Copilot with a routine business question, the system’s retrieval-augmented generation (RAG) engine unwittingly blends the attacker’s input with internal data. The result: Copilot leaks the sensitive content back to the attacker via Microsoft Teams or SharePoint links.
What makes EchoLeak particularly dangerous is that it requires no user clicks or explicit interaction. It exploits Copilot’s default behavior of combining Outlook and SharePoint data without enforcing trust boundaries, turning what should be helpful workflow automation into a potential attack vector.
Researchers note that EchoLeak could be used for stealthy data exfiltration or extortion, and may affect both single-turn and multi-turn AI interactions. The vulnerability highlights the broader risks in generative AI design, where highly capable language models, if not properly isolated, can be manipulated into leaking their own privileged context.
