# Today's Top Stories

July 03, 2026

  1. FBI Seizes NetNut Proxy Platform, Popa Botnet (Krebs on Security, threat-intel, Jul 02)

    The FBI, working with Google's Threat Intelligence Group (GTIG), Lumen, and other industry partners, seized hundreds of domains associated with NetNut — a residential proxy service operated by NASDAQ-listed Israeli company Alarum Technologies — and disrupted the underlying Popa botnet, which had compromised at least 2 million home devices. The action followed KrebsOnSecurity reporting two weeks prior linking NetNut to the botnet. This is a significant law enforcement action targeting the infrastructure that enables anonymized malicious traffic at scale.

  2. FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations (The Hacker News, general, Jul 02)

    The FortiBleed campaign — involving mass credential theft from FortiGate firewalls — has been directly linked to INC and Lynx ransomware operations, with an operator found actively working negotiation panels for both groups. Researchers confirm that credentials harvested from hundreds of thousands of FortiGate devices are being used to facilitate ransomware intrusions. Security teams managing Fortinet infrastructure should treat any exposed credentials as compromised and rotate them immediately.

  3. SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation (The Hacker News, general, Jul 02)

    CISA added CVE-2026-45659, a CVSS 8.8 remote code execution vulnerability in Microsoft SharePoint Server caused by deserialization of untrusted data, to its Known Exploited Vulnerabilities catalog after confirming active in-the-wild exploitation. The flaw was patched in May 2026, giving organizations a narrow remediation window before attackers moved. SharePoint Server admins should verify patch status immediately per CISA's Binding Operational Directive 22-01 timelines.

  4. Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials (The Hacker News, general, Jul 02)

    Threat actors affiliated with the Anubis ransomware operation are actively exploiting CVE-2025-5777 (Citrix Bleed 2) for initial access, with affiliate tradecraft also incorporating BYOVD techniques, legitimate RMM tooling, and stolen supply chain credentials for lateral movement. The pattern of reusing legitimate tooling makes detection significantly harder for defenders relying on signature-based controls. Organizations running Citrix NetScaler should treat unpatched appliances as actively targeted.

  5. AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack (The Hacker News, general, Jul 02)

    Sysdig's Threat Research Team documented what it describes as the first ransomware attack executed end-to-end by an AI agent, attributed to the operator JADEPUFFER, which exploited a Langflow RCE vulnerability to break in, steal credentials, move laterally, then encrypt and wipe a production database. The LLM handled the entire attack chain autonomously without human intervention. This marks a meaningful escalation in attacker capability, compressing the time between initial access and destructive impact.

  6. Cisco finally confirms attackers exploiting Unified CM flaw (BleepingComputer, general, Jul 02)

    Cisco confirmed that attackers are actively exploiting a vulnerability in Unified Communications Manager (Unified CM) that was patched in early June 2026, with a public PoC exploit having been available since initial disclosure and first exploitation attempts observed the week prior. Unified CM is widely deployed in enterprise voice and collaboration environments, making this a high-priority patch for organizations. Cisco's confirmation follows BleepingComputer and SecurityWeek both reporting on the active exploitation.

  7. New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos (The Hacker News, general, Jul 02)

    Attackers distributed a Python-based RAT called ChocoPoC via fake proof-of-concept exploit repositories on GitHub, specifically targeting vulnerability researchers by impersonating PoC code for high-profile CVEs. Once executed, ChocoPoC exfiltrates saved passwords, browser cookies, and files, and provides the attacker with a remote shell. YesWeHack researchers flagged the campaign, underscoring the persistent risk of supply-chain-style attacks against the security research community itself.

  8. Hackers target Microsoft 365 accounts with 81 million login attempts (BleepingComputer, general, Jul 01)

    A password-spraying campaign targeting Microsoft 365 environments generated over 81 million login attempts across a two-week period, with attack traffic traced to infrastructure associated with hosting provider LSHIY. The campaign targeted Azure CLI authentication endpoints, making it particularly relevant to DevOps and cloud-native teams where CLI-based access is common. Organizations should review Azure AD sign-in logs for anomalous authentication patterns from LSHIY-associated IP ranges.

  9. Spyware found on phone of European Parliament member probing it (The Record, threat-intel, Jul 03)

    Citizen Lab researchers found that Stelios Kouloglou, a former member of the European Parliament's PEGA Committee investigating commercial spyware abuses, was infected with NSO Group's Pegasus spyware on two separate occasions while serving on the committee. The finding is a direct demonstration of the threat that the committee was created to investigate being used against the investigators themselves. This adds to a growing body of evidence documenting Pegasus targeting of European political figures.

  10. Adobe Patches Critical ColdFusion, Campaign Classic Vulnerabilities (SecurityWeek, general, Jul 01)

    Adobe patched seven maximum-severity (CVSS 10.0) vulnerabilities in ColdFusion and Campaign Classic, all capable of leading to arbitrary code execution. ColdFusion has historically been a high-value target for web shell deployment and ransomware operators, and vulnerabilities in this product have been exploited in the wild within days of patch release in prior cycles. Administrators running either platform should prioritize these patches given the maximum severity ratings and Adobe's exploitation history.