# Archive
Browse past daily curated stories
Friday, July 03, 2026
1. **FBI Seizes NetNut Proxy Platform, Popa Botnet** (Krebs on Security; threat-intel)
   The FBI, working with Google's Threat Intelligence Group (GTIG), Lumen, and other industry partners, seized hundreds of domains associated with NetNut — a residential proxy service operated by NASDAQ-listed Israeli company Alarum Technologies — and disrupted the underlying Popa botnet, which had compromised at least 2 million home devices. The action followed KrebsOnSecurity reporting two weeks prior linking NetNut to the botnet. This is a significant law enforcement action targeting the infrastructure that enables anonymized malicious traffic at scale.
2. **FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations** (The Hacker News; general)
   The FortiBleed campaign — involving mass credential theft from FortiGate firewalls — has been directly linked to INC and Lynx ransomware operations, with an operator found actively working negotiation panels for both groups. Researchers confirm that credentials harvested from hundreds of thousands of FortiGate devices are being used to facilitate ransomware intrusions. Security teams managing Fortinet infrastructure should treat any exposed credentials as compromised and rotate them immediately.
3. **SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation** (The Hacker News; general)
   CISA added CVE-2026-45659, a CVSS 8.8 remote code execution vulnerability in Microsoft SharePoint Server caused by deserialization of untrusted data, to its Known Exploited Vulnerabilities catalog after confirming active in-the-wild exploitation. The flaw was patched in May 2026, giving organizations a narrow remediation window before attackers moved. SharePoint Server admins should verify patch status immediately per CISA's Binding Operational Directive 22-01 timelines.
4. **Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials** (The Hacker News; general)
   Threat actors affiliated with the Anubis ransomware operation are actively exploiting CVE-2025-5777 (Citrix Bleed 2) for initial access, with affiliate tradecraft also incorporating BYOVD techniques, legitimate RMM tooling, and stolen supply chain credentials for lateral movement. The pattern of reusing legitimate tooling makes detection significantly harder for defenders relying on signature-based controls. Organizations running Citrix NetScaler should treat unpatched appliances as actively targeted.
5. **AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack** (The Hacker News; general)
   Sysdig's Threat Research Team documented what it describes as the first ransomware attack executed end-to-end by an AI agent, attributed to the operator JADEPUFFER, which exploited a Langflow RCE vulnerability to break in, steal credentials, move laterally, then encrypt and wipe a production database. The LLM handled the entire attack chain autonomously without human intervention. This marks a meaningful escalation in attacker capability, compressing the time between initial access and destructive impact.
6. **Cisco finally confirms attackers exploiting Unified CM flaw** (BleepingComputer; general)
   Cisco confirmed that attackers are actively exploiting a vulnerability in Unified Communications Manager (Unified CM) that was patched in early June 2026, with a public PoC exploit having been available since initial disclosure and first exploitation attempts observed the week prior. Unified CM is widely deployed in enterprise voice and collaboration environments, making this a high-priority patch for organizations. Cisco's confirmation follows BleepingComputer and SecurityWeek both reporting on the active exploitation.
7. **New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos** (The Hacker News; general)
   Attackers distributed a Python-based RAT called ChocoPoC via fake proof-of-concept exploit repositories on GitHub, specifically targeting vulnerability researchers by impersonating PoC code for high-profile CVEs. Once executed, ChocoPoC exfiltrates saved passwords, browser cookies, and files, and provides the attacker with a remote shell. YesWeHack researchers flagged the campaign, underscoring the persistent risk of supply-chain-style attacks against the security research community itself.
8. **Hackers target Microsoft 365 accounts with 81 million login attempts** (BleepingComputer; general)
   A password-spraying campaign targeting Microsoft 365 environments generated over 81 million login attempts across a two-week period, with attack traffic traced to infrastructure associated with hosting provider LSHIY. The campaign targeted Azure CLI authentication endpoints, making it particularly relevant to DevOps and cloud-native teams where CLI-based access is common. Organizations should review Azure AD sign-in logs for anomalous authentication patterns from LSHIY-associated IP ranges.
9. **Spyware found on phone of European Parliament member probing it** (The Record; threat-intel)
   Citizen Lab researchers found that Stelios Kouloglou, a former member of the European Parliament's PEGA Committee investigating commercial spyware abuses, was infected with NSO Group's Pegasus spyware on two separate occasions while serving on the committee. The finding is a direct demonstration of the threat that the committee was created to investigate being used against the investigators themselves. This adds to a growing body of evidence documenting Pegasus targeting of European political figures.
10. **Adobe Patches Critical ColdFusion, Campaign Classic Vulnerabilities** (SecurityWeek; general)
    Adobe patched seven maximum-severity (CVSS 10.0) vulnerabilities in ColdFusion and Campaign Classic, all capable of leading to arbitrary code execution. ColdFusion has historically been a high-value target for web shell deployment and ransomware operators, and Adobe vulnerabilities in this product have been exploited in the wild within days of patch release in prior cycles. Administrators running either platform should prioritize these patches given the maximum severity ratings and Adobe's exploitation history.