INTERPOL Dismantles 20,000+ Malicious IPs in Operation Secure
INTERPOL’s Operation Secure, a global cybersecurity initiative conducted between January and April 2025, dismantled over 20,000 malicious IP addresses and domains linked to 69 information-stealing malware variants. The operation involved law enforcement agencies from 26 countries, which identified and seized 41 servers and over 100 GB of stolen data. It also led to the arrest of 32 individuals involved in illegal cyber activities, with the highest number of arrests occurring in Vietnam. The malicious IP addresses were linked to cybercrime infrastructure used to launch a range of campaigns, including phishing, social media scams, and online fraud. The operation targeted command-and-control servers hosted across multiple internet service providers in various countries, disrupting a critical element of cybercrime operations and rendering many cybercriminal networks inactive. The primary focus was information-stealing malware, which allows attackers to siphon sensitive data such as browser credentials, passwords, cookies, credit card information, and cryptocurrency wallet details. Stolen credentials are often sold or traded on underground forums and then used for further exploitation, including follow-up attacks such as ransomware, data breaches, and business email compromise. The involvement of private-sector companies such as Group-IB, which provided intelligence on compromised user accounts from malware families including Lumma, RisePro, and Meta Stealer, was critical in identifying and tracking the perpetrators. The success of Operation Secure underscores the growing role of infostealers as initial access vectors for financial fraud and ransomware campaigns, and the continued need for global cooperation against evolving cyber threats.
DanaBot Malware Exposed and Dismantled Following C2 Vulnerability
DanaBot, a malware-as-a-service (MaaS) platform, was exposed and subsequently dismantled after researchers discovered a significant vulnerability in its command-and-control (C2) infrastructure, known as 'DanaBleed.' The malware, active since 2018, was primarily used for banking fraud, credential theft, and DDoS attacks. The flaw was introduced in June 2022 with an update to the malware’s C2 protocol and resulted in a memory leak that exposed sensitive data from the malware's internal operations, including usernames, IP addresses, backend infrastructure, exfiltrated victim information, and private cryptographic keys. Zscaler’s ThreatLabz researchers were able to exploit this vulnerability, gathering intelligence over three years that ultimately contributed to a global law enforcement action known as 'Operation Endgame.' That operation seized over 650 domains, $4 million in cryptocurrency, and critical C2 servers, significantly disrupting DanaBot’s operations. Despite the takedown of the malware's infrastructure, the core team behind DanaBot remains active, with members primarily based in Russia. Although the researchers gathered extensive data over the years, including SQL queries and C2 interface snippets, the group’s developers have yet to be arrested. The operation has had a major impact on DanaBot's activities, but the group is suspected to be preparing to resume operations. However, the exposure of their operations and the loss of trust from the hacker community caused by the vulnerability are expected to complicate any attempt to regroup. The case highlights the value of proactive monitoring of C2 communications and the potential for law enforcement to disrupt cybercrime operations through vulnerabilities in the malware platforms themselves.
FIN6 Targets Recruiters With AWS-Hosted Fake Resumes to Spread More_eggs Malware
The financially motivated cybercrime group FIN6 has been leveraging fake resumes hosted on Amazon Web Services (AWS) infrastructure as part of a phishing campaign to distribute the More_eggs malware. This malware, developed by the Golden Chickens group, is a JavaScript-based backdoor capable of stealing credentials, providing system access, and enabling follow-up attacks. FIN6, which has been operational since 2012 and previously targeted point-of-sale (PoS) systems, uses social engineering to initiate conversations with recruiters on platforms such as LinkedIn and Indeed while posing as job seekers. These fake job seekers distribute links to resume files hosted on bogus domains, which are further masked by GoDaddy’s domain privacy services to make attribution more difficult. Once victims click the link, they download a ZIP archive containing the More_eggs malware, which triggers the infection sequence and compromises their system. The campaign’s use of trusted cloud services, including AWS Elastic Compute Cloud (EC2) and S3, together with CAPTCHA-based traffic filtering, ensures that only intended victims are served malicious content while security scanners and VPN users are turned away. This evasion tactic, combined with legitimate cloud hosting and realistic job lures, makes the campaign highly effective for FIN6 and helps it continue to evade detection. AWS has stated that it takes violations of its terms seriously and investigates potential abuse, collaborating with the security community to mitigate such threats. The campaign illustrates the growing use of cloud infrastructure and social engineering in cybercrime, showing how low-complexity phishing attacks can be highly effective when combined with evasion techniques. Organizations and individuals should remain vigilant, scrutinizing unsolicited job applications and relying on robust security tooling to protect against such threats.