# Today's Top Stories

June 19, 2026

  1. BleepingComputer general Jun 18
    Police cleans nearly 15,000 SocGholish-infected sites tied to Evil Corp

    International law enforcement dismantled the SocGholish botnet linked to Evil Corp, taking down 106 servers and remediating nearly 15,000 infected WordPress sites. SocGholish has been a persistent initial-access tool used by the Russian cybercrime group Evil Corp, making this takedown a significant disruption to a long-running threat infrastructure.

  2. SecurityWeek general Jun 18
    Accenture to Acquire Majority Stake in Dragos, All of runZero, NetRise in $4.1 Billion OT Cybersecurity Push

    Accenture is acquiring a majority stake in OT security firm Dragos (valued at $3.25 billion), plus full acquisitions of runZero and NetRise, in a combined $4.1 billion deal representing a major consolidation in the industrial cybersecurity market. The move signals growing enterprise demand for integrated OT/ICS security capabilities as AI-driven threats to critical infrastructure intensify.

  3. Krebs on Security threat-intel Jun 18
    ‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

    Researchers from multiple security firms have linked the 'Popa' Android-based botnet — active for four years and forcing millions of consumer TV boxes to relay traffic for ad fraud and account takeovers — to NetNut, a residential proxy service operated by NASDAQ-listed Israeli firm Alarum Technologies (ALAR). The connection between a publicly traded company and a botnet infrastructure raises serious legal and regulatory implications for the proxy industry.

  4. BleepingComputer general Jun 18
    F5 issues out-of-band patches for critical NGINX vulnerabilities

    F5 released out-of-band patches for two critical vulnerabilities in NGINX Open Source, including CVE-2026-42530 (CVSS v4: 9.2), a use-after-free flaw in the ngx_http_v3_module exploitable by remote unauthenticated attackers for arbitrary code execution. Given NGINX's ubiquity as a web server and reverse proxy, security teams should prioritize patching immediately.

  5. SecurityWeek general Jun 19
    Splunk Enterprise Vulnerability Exploited in Attacks Days After Disclosure

    CVE-2026-20253, an unauthenticated remote code execution vulnerability in Splunk Enterprise, is already being exploited in the wild just days after public disclosure, prompting CISA to issue a binding directive giving federal agencies only three days to patch. The rapid weaponization of this flaw underscores the shrinking window between vulnerability disclosure and active exploitation.

  6. WeLiveSecurity (ESET) threat-intel Jun 18
    Killing me gently: Inside Gentlemen’s EDR killer framework

    ESET Research published a months-long investigation into the Gentlemen ransomware-as-a-service gang's custom suite of EDR killer tools, which affiliates actively use to disable endpoint defenses before deploying ransomware. The group's systematic investment in maintaining multiple EDR bypass tools represents an evolving operational security posture that directly challenges enterprise detection capabilities.

  7. The Hacker News general Jun 18
    DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic

    DragonForce ransomware operators deployed a custom Go-based RAT called Backdoor.Turn that conceals C2 traffic inside Microsoft Teams relay infrastructure, as observed by Symantec and Carbon Black in an attack against a major U.S. services firm. Abusing legitimate collaboration platform infrastructure for C2 communications makes this technique particularly difficult to detect with traditional network monitoring.

  8. BleepingComputer general Jun 18
    Klue OAuth breach linked to 'Icarus' Salesforce data theft attacks

    Market intelligence platform Klue suffered an OAuth breach that allowed the 'Icarus' threat actor to access and steal Salesforce CRM data from multiple organizations in an ongoing extortion campaign — the third integrated Salesforce application compromised in this series, with victims including cybersecurity vendor Huntress. The pattern of third-party OAuth app compromises targeting Salesforce data signals a systematic supply-chain attack against CRM ecosystems.

  9. CyberScoop general Jun 17
    Attackers hit pair of critical Fortinet vulnerabilities the vendor disclosed in April

    Multiple threat actors are actively exploiting a pair of critical vulnerabilities in Fortinet FortiSandbox that were disclosed in April 2026, with SOCRadar identifying approximately 30,000 compromised Fortinet firewalls exposing networks to attack. The multi-source exploitation activity indicates broad opportunistic targeting rather than a single coordinated campaign, increasing risk for any organization running unpatched FortiSandbox instances.

  10. The Hacker News general Jun 18
    INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023

    INC ransomware-as-a-service has claimed over 830 victims since its launch in August 2023 and has emerged as one of the most prolific ransomware operations in 2026, partly by absorbing affiliates displaced by the LockBit disruption and BlackCat shutdown. INC's focus on high-pressure sectors like healthcare — where operational disruption creates immediate payment incentive — is driving its rapid expansion.