Cyware Daily Threat Intelligence, June 12, 2025

Daily Threat Briefing • June 12, 2025
Fog ransomware operators are blurring the line between admin tools and attack chains. In a recent incident, they deployed a mix of open-source and legitimate software to gain persistence and exfiltrate data undetected. The attack combined tools like Stowaway, Impacket, and 7-Zip to move laterally and quietly siphon off sensitive information.
A flaw in Secure Boot could let attackers hijack your system before the OS even loads. It affects the UEFI firmware layer and allows unsigned code execution during boot, leading to persistent malware installation. The issue stems from a vulnerable BIOS flashing utility signed by Microsoft, raising concerns about trusted bootchain integrity.
Legitimate testing tools are being twisted into powerful attack platforms. A campaign, dubbed UNK_SneakyStrike, has been using the TeamFiltration tool to compromise Microsoft Entra ID accounts and exploit services like OneDrive and Teams. Over 80,000 accounts have been targeted since late 2024, with activity tied to AWS-hosted infrastructure.
Fog ransomware introduces new toolset
Fog ransomware operators have adopted a highly unusual toolset combining open-source penetration testing tools with legitimate software to enhance stealth and persistence. In a recent attack on a financial institution in Asia, researchers uncovered the use of Syteca (formerly Ekran), an employee monitoring software that captures screen activity and keystrokes. Syteca was covertly delivered via Stowaway, an open-source proxy tool, and executed using SMBExec, part of the Impacket framework. The attackers also used GC2, a rare backdoor that leverages Google Sheets or Microsoft SharePoint for C2 and exfiltration, previously seen only in APT41 campaigns. Additional tools included Adapt2x C2 (a post-exploitation Cobalt Strike alternative), Process Watchdog (to keep key processes running), PsExec, and Impacket SMB for lateral movement. Data exfiltration was handled via 7-Zip, MegaSync, and FreeFileSync.
Malicious JavaScript campaign spotted
A recent cyber campaign has been identified that injects obfuscated JavaScript, known as JSFireTruck, into legitimate websites, redirecting users to malicious content such as malware and phishing pages. This obfuscation technique utilizes a limited set of characters and JavaScript's type coercion to conceal its true purpose, making the code difficult to analyze. Over 269,000 infected webpages were detected between March and April, indicating a widespread infection. The malicious scripts check for referrer sources, primarily targeting visitors from search engines, and deploy iframes to overlay content, facilitating clickjacking and further exploitation.
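The briefing notes that JSFireTruck hides its logic behind a very small character set and relies on JavaScript type coercion. That property is itself a detection handle: a script body made almost entirely of brackets, parentheses, `!` and `+` is rarely hand-written. The heuristic scanner below is an added example, not Unit 42's or any vendor's detection code; the symbol alphabet, the 0.8 ratio threshold and the sample scripts are all assumptions chosen for illustration and should be tuned against real traffic.

```python
"""Heuristic detector for JSFuck-style obfuscated JavaScript.

Added example (not vendor detection code). The symbol alphabet, the
ratio threshold and the sample scripts are assumptions for illustration.
"""
import re
from typing import Dict, List

# Assumed alphabet: JSFuck-style encoders build every value from these
# punctuation characters through type coercion, e.g. +[] -> 0, !![] -> true,
# (![]+[]) -> "false", so letters are picked out of coerced strings by index.
OBFUSCATION_SYMBOLS = set("[]()!+${}")

# Constructed samples (not taken from the campaign).
SAMPLES: Dict[str, str] = {
    "benign": "document.getElementById('hero').addEventListener('click', () => load());",
    # Builds the property name "at" from (![]+[])[1] -> "a" and (!![]+[])[0] -> "t"
    "suspicious": "[][(![]+[])[+!![]]+(!![]+[])[+[]]]()",
    "short": "!![]",
}

def symbol_ratio(script: str) -> float:
    """Fraction of non-whitespace characters drawn from the obfuscation alphabet."""
    body = re.sub(r"\s+", "", script)
    if not body:
        return 0.0
    return sum(1 for ch in body if ch in OBFUSCATION_SYMBOLS) / len(body)

def is_jsfuck_like(script: str, min_len: int = 20, threshold: float = 0.8) -> bool:
    """Flag scripts long enough to do real work whose bodies are almost all symbols.

    The length floor keeps tiny legitimate expressions such as `!![]` from firing.
    """
    body = re.sub(r"\s+", "", script)
    return len(body) >= min_len and symbol_ratio(script) >= threshold

def extract_inline_scripts(html: str) -> List[str]:
    """Pull inline <script> bodies out of a page so each can be scored separately."""
    return re.findall(r"<script[^>]*>(.*?)</script>", html, flags=re.S | re.I)

def scan_page(html: str) -> List[dict]:
    """Score every inline script on a page; an injected payload usually sits beside benign ones."""
    return [
        {"index": i, "ratio": round(symbol_ratio(s), 3), "flagged": is_jsfuck_like(s)}
        for i, s in enumerate(extract_inline_scripts(html))
    ]

# Constructed page: one ordinary script followed by an injected obfuscated one.
SAMPLE_HTML = (
    "<html><body><script>console.log('hello');</script>"
    "<script>" + SAMPLES["suspicious"] + "</script></body></html>"
)

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name:10s} ratio={symbol_ratio(src):.2f} flagged={is_jsfuck_like(src)}")
    print(scan_page(SAMPLE_HTML))
```

The ratio test is deliberately crude: minified bundles and template engines can push the symbol share up, so in practice pair it with the referrer-conditional and iframe-injection behaviours the briefing describes rather than alerting on the ratio alone.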
New UEFI Secure Boot vulnerability spotted
A significant vulnerability, CVE-2025-3052, has been discovered in the UEFI ecosystem, affecting the Secure Boot mechanism used in most modern PCs and servers. This memory corruption flaw enables attackers to execute unsigned code during the early boot phase by exploiting an NVRAM variable called IhisiParamBuffer. By manipulating this variable, attackers can bypass Secure Boot protections and overwrite critical security variables, leading to the installation of persistent malware and complete OS compromise. The vulnerability is linked to a BIOS flashing utility signed with a trusted Microsoft certificate.
EchoLeak bug uncovered in Microsoft 365 Copilot
A critical zero-click AI vulnerability named EchoLeak was discovered in Microsoft 365 Copilot, allowing attackers to exfiltrate sensitive data without user interaction. The flaw was reported to Microsoft in January and assigned the CVE-2025-32711 identifier. Microsoft fixed the issue server-side in May, stating there was no evidence of real-world exploitation. The attack involves a malicious email containing a hidden prompt injection that bypasses security measures, tricking the LLM into extracting internal data when the user interacts with Copilot. This vulnerability highlights a new class of risks associated with large language models, known as 'LLM Scope Violation,' which can lead to silent data exfiltration in enterprise environments.
New UNK_SneakyStrike campaign uses TeamFiltration
Proofpoint researchers uncovered an active account takeover campaign, UNK_SneakyStrike, leveraging the TeamFiltration pentesting tool to target Microsoft Entra ID accounts. The campaign exploited the Microsoft Teams API, AWS servers, and applications like OneDrive and Outlook for user enumeration, password spraying, and data exfiltration. TeamFiltration, initially developed for legitimate penetration testing, has been weaponized for malicious activities, including persistent access via OneDrive and user account compromise. The UNK_SneakyStrike campaign has targeted over 80,000 accounts across 100 organizations since December 2024, using burst attacks and focusing on specific user subsets. The campaign’s primary source geographies include the U.S., Ireland, and Great Britain, with malicious activity linked to AWS-hosted IP addresses.
Coordinated attack on Apache Tomcat Manager
GreyNoise detected a significant coordinated attack on Apache Tomcat Manager interfaces, involving nearly 400 unique IP addresses. The attack included brute force attempts, with 250 IPs engaged in password-guessing attacks and 298 attempting unauthorized logins, far exceeding normal baseline activity. Most of the IPs were classified as malicious, primarily originating from DigitalOcean's infrastructure and spanning multiple countries, including the U.S., the U.K., and Germany. This campaign highlights a troubling trend of reconnaissance activities that often precede targeted exploitation, particularly given the critical Apache Tomcat remote code execution vulnerability, CVE-2025-24813, which has been actively exploited since March 2025.
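The two signals GreyNoise describes, a burst of rejected Manager logins per source and a distinct-source count far above baseline, are both visible in an ordinary Tomcat access log. The script below is an added example, not GreyNoise's own logic: it parses Tomcat's default `AccessLogValve` "common" format, counts 401/403 responses on the `/manager` context per client address, flags addresses that cross a threshold, and compares the number of distinct sources touching the Manager against a daily baseline. The log lines (TEST-NET addresses), the failure threshold and the baseline figures are constructed for illustration.

```python
"""Detect brute-force activity against the Apache Tomcat Manager from access logs.

Added example, not GreyNoise's detection logic. Sample log lines use
TEST-NET addresses and are constructed; thresholds are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Tomcat AccessLogValve "common" pattern: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
MANAGER_PREFIX = "/manager"      # context path of the Manager app in a default deployment
FAILURE_STATUSES = {401, 403}    # rejected credentials / authenticated but lacking a manager role

# Constructed sample: 203.0.113.10 hammers the Manager, 198.51.100.7 tries once,
# 192.0.2.5 only fetches the site root, and one line is junk that must be skipped.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jun/2025:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [12/Jun/2025:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [12/Jun/2025:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [12/Jun/2025:10:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [12/Jun/2025:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [12/Jun/2025:10:00:06 +0000] "GET /manager/text/list HTTP/1.1" 403 1234
198.51.100.7 - - [12/Jun/2025:10:01:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.5 - - [12/Jun/2025:10:02:00 +0000] "GET / HTTP/1.1" 200 11156
not a log line at all
"""

def parse_lines(text: str) -> List[dict]:
    """Parse access-log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records

def manager_failures_by_ip(records: List[dict]) -> Dict[str, int]:
    """Count rejected requests to the Manager app per source address."""
    counts: Dict[str, int] = defaultdict(int)
    for r in records:
        if r["path"].startswith(MANAGER_PREFIX) and r["status"] in FAILURE_STATUSES:
            counts[r["ip"]] += 1
    return dict(counts)

def flag_bruteforcers(records: List[dict], threshold: int = 5) -> List[Tuple[str, int]]:
    """Addresses whose Manager failure count reaches the threshold, most active first."""
    return sorted(
        ((ip, n) for ip, n in manager_failures_by_ip(records).items() if n >= threshold),
        key=lambda t: -t[1],
    )

def distinct_manager_sources(records: List[dict]) -> int:
    """Distinct addresses that touched the Manager at all: the campaign-scale signal."""
    return len({r["ip"] for r in records if r["path"].startswith(MANAGER_PREFIX)})

def exceeds_baseline(observed: int, baseline_mean: float, baseline_std: float, z: float = 3.0) -> bool:
    """True when the distinct-source count sits more than z standard deviations above the daily mean."""
    return observed > baseline_mean + z * baseline_std

if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LOG)
    print("flagged:", flag_bruteforcers(recs))
    print("distinct manager sources:", distinct_manager_sources(recs))
    # Assumed baseline of 20 +/- 10 distinct sources per day against a 398-source day
    print("above baseline:", exceeds_baseline(398, 20, 10))
```

The per-IP threshold catches a single noisy guesser; the baseline comparison is what surfaces a distributed campaign where each of hundreds of addresses makes only a handful of attempts. If the Manager is not needed, the cleaner control is to leave the manager webapp undeployed or bind it to a local address via its `RemoteAddrValve` configuration.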