[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fYW_nS1DlNh-hDXlAV_xZV4bId2nCNGawIEd6Q3aaNws":3},{"article":4,"iocs":59},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"1e16e4fb-abc9-4df0-ba57-bc57d2fe33b5","⚡ Weekly Recap: Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware and More","weekly-recap-proxy-botnets-browser-ransomware-ai-agent-tricks-fake-poc-malware-a-cd04d9","A streaming box should not need a threat model. Neither should a username field, a demo repo, a reset flow, or a browser permission prompt. That is the irritating part this week: the risky pieces were ordinary. Home devices became a routing cover. Clean code pulled dirt from a dependency. Identity shortcuts aged badly. AI systems trusted the wrong instructions. Same soft spot throughout: trust","Google and the FBI disrupted the NetNut residential proxy botnet affecting 2M+ devices globally, while security researchers face threats from malicious GitHub PoC repositories delivering the ChocoPoC RAT trojan. The week also highlighted WhatsApp's new username feature raising impersonation concerns in India, AI systems being tricked by malicious instructions, and identity management weaknesses across multiple attack vectors—all stemming from premature trust in ordinary-looking systems.","Weekly security recap covers NetNut proxy botnet disruption, WhatsApp username impersonation risks, ChocoPoC RAT","⚡ Weekly Recap: Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware and More Ravie LakshmananJul 06, 2026Cybersecurity \u002F Hacking A streaming box should not need a threat model. Neither should a username field, a demo repo, a reset flow, or a browser permission prompt. That is the irritating part this week: the risky pieces were ordinary. Home devices became a routing cover. Clean code pulled dirt from a dependency. Identity shortcuts aged badly. AI systems trusted the wrong instructions. Same soft spot throughout: trust placed one layer too early. Below is the full recap, since this is apparently what counted as a normal week. ⚡ Threat of the Week NetNut Residential Proxy Network Disrupted — Google, in collaboration with the U.S. Federal Bureau of Investigation (FBI), Lumen, and other partners, took action against the NetNut residential proxy network, also known as Popa, building upon its takedown of IPIDEA in January 2026. Google said it disabled Google accounts and associated Google services used by NetNut for malware command-and-control (C2) and updated Google Play Protect, in addition to disabling applications known to incorporate NetNut SDKs. The size of the network is estimated to be at least 2 million devices globally. \"NetNut populates its botnet by distributing SDKs for devices commonly found in homes, such as smart TVs and streaming boxes,\" Google said, adding it \"identified NetNut botnet plugin components for large-scale botnets such as BADBOX 2.0.\" The end goal is to leverage the route traffic through these devices, allowing bad actors to mask malicious activity. The devices are pre-installed with malware before purchase or because users unknowingly download applications containing hidden proxy code. Case Study: How 1Password Secured Canva's Path to 260M Users When Canva 5xed their headcount across 8 countries, they needed security that could scale as fast as their business. See how 1Password helped them onboard teams in minutes, eliminate secret sprawl, and keep engineering moving. Learn More ➝ 🔔 Top News WhatsApp Gets Usernames But Impersonation Concerns Are Raised — WhatsApp officially announced the start of global reservations of usernames with an aim to protect the privacy of more than three billion users on the messaging platform. The optional feature is designed to help users connect with someone on the service through usernames, as opposed to directly sharing their phone numbers. The feature is expected to be generally available later this year. The rollout marks a shift in how people identify one another on the messaging app. It has also drawn scrutiny in India, its largest market, over concerns it could be abused to impersonate public authorities, financial institutions, government departments, and other prominent figures. While Meta told TechCrunch it reserves usernames for public figures, government entities, and some of their variations so that only legitimate users can claim them, it's currently not clear how it decides which lookalike usernames get reserved and which don't. ChocoPoC RAT Targets Vulnerability Researchers with Fake PoC Exploit Repos — Security researchers on the lookout for Python-based proof-of-concept (PoC) repositories on GitHub claiming to exploit new CVEs are being tricked into executing malicious code that delivers ChocoPoC. While the PoC in itself looks clean, the actual malware sits inside a dependency named \"skytext\" pulled by the PoC. The malware is a full-featured trojan capable of harvesting passwords, cookies, autofill, and history from Chrome, Brave, Edge, and Firefox. It also captures text files, notes, local databases, shell history, network settings, and a list of running processes, as well as supports running arbitrary shell commands or Python code. 19-Year-Old Alleged Scattered Spider Suspect Extradited to the U.S. — Peter Stokes (aka Bouquet, Spencer, and Jordan), a 19-year-old man with dual U.S. and Estonian citizenship, was extradited from Finland to the U.S. to face criminal charges over his involvement in a criminal scheme in connection with the Scattered Spider hacking group. Finnish police arrested him in April 2026. Stokes and other Scattered Spider members are alleged to have breached an unspecified \"luxury-jewelry retailer\" in May 2025 and demanded an $8 million ransom in cryptocurrency. The company incurred at least $2 million in losses from business disruption, incident response, and recovery efforts. Stokes was involved in at least four Scattered Spider breaches, the Justice Department said. Stokes faces charges of fraud, conspiracy, and computer intrusion. Ousaban Banking Trojan Targets Spain and Portugal — A new Brazilian banking trojan called Ousaban has been observed using fake PDF documents containing a link to a malicious web page that scans the user's environment. \"If they are in Spain or Portugal, the webpage downloads a VBS file to kickstart the next part of the attack,\" Fortinet said. \"The final payload is an EXE file that is dropped onto the victim's computer and executed by the VBS script.\" Ousaban gets triggered when victims visit a banking site, at which point it captures screenshots and keystrokes, tampers with the clipboard, and enables remote control. AI-Generated Browser Ransomware Exploits Chromium File Access API — A new malware artifact generated using DeepSeek has constructed a novel attack path combining \"unrealistic browser-malware concepts with a real browser capability\" to turn it into a working ransomware technique that runs entirely inside the browser on Windows, Linux, macOS, and Android devices. The approach is limited to web browsers that expose the picker-based File System Access API. This includes Google Chrome and other Chromium-based browsers across Windows, macOS, ChromeOS, Linux, and Android. There is no evidence that the browser-native ransomware pattern has been abused in the wild. \"What we are witnessing is a fundamental shift in how novel cyber attacks are born,\" Check Point said. \"For the first time, we have evidence that an AI model can independently reason across legitimate platform features and surface a working attack technique that humans had only theorised about – without the attacker ever knowing the underlying API existed.\" 🔥 Trending CVEs Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild. Check the list, patch what you have, and hit the ones marked urgent first — CVE-2026-48276, CVE-2026-48283, CVE-2026-48277, CVE-2026-48281, CVE-2026-48316, CVE-2026-48282, CVE-2026-48313, CVE-2026-48315 (Adobe ColdFusion), CVE-2026-48286 (Adobe Campaign Classic), CVE-2026-50548, CVE-2026-50549 (Cursor), CVE-2026-46242 aka Bad Epoll (Linux Kernel), CVE-2026-6682, CVE-2026-6687, CVE-2026-6688 (FatFs), CVE-2026-8037 (Progress Kemp LoadMaster), CVE-2026-28701, CVE-2026-33560, CVE-2026-31928 (Daktronics Controller Firmware), CVE-2026-41120 (Dell Wyse Management Suite), CVE-2026-41492 (Dgraph), CVE-2026-55047 (Anthropic Buffa), from CVE-2026-13774 through CVE-2026-13788 (Google Chrome), CVE-2026-48519, CVE-2026-48520, CVE-2026-7528, CVE-2026-7524 (Langflow), CVE-2026-3199 (Sonatype Nexus Repository), CVE-2026-12166, CVE-2026-12167, CVE-2026-12168 (Little Orbits GameFirst Anti-Cheat driver), CVE-2026-56141, CVE-2026-56142, CVE-2026-50242, CVE-2026-50242 (JetBrains), CVE-2026-20213, CVE-2026-20214, CVE-2026-20215, CVE-2026-20216, CVE-2026-20217, CVE-2026-20243, CVE-2026-20244 (ClamAV), CVE-2026-20191 (Cisco Catalyst Center), CVE-2026-53917, CVE-2026-54475, CVE-2026-49877 (Apache ActiveMQ), CVE‑2026‑13050, CVE‑2026‑13053, CVE‑2026‑13054, CVE-2026-13079 (WatchGuard Fireware OS), CVE-2026-45504 (Microsoft Exchange Server), CVE-2026-14191 (WinRAR), CVE-2026-44024, CVE-2026-44025 (Fluentd), CVE-2026-55957, CVE-2026-55956 (Apache Tomcat), CVE-2026-13136, CVE-2025-15660 (Synology MailPlus Server), CV","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fmonday-recap-proxy-botnets-browser.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEjLyTSo2j_jLDBALDaJ6S4gpQf2xkxgGWRslJKuVLIrY-J7nsEG-zNgi02OKeABO5BNXCI1C05oTO1TdYYMtzjCHE7ugevubBOybwilFTXFY6wgXDBVkzMV3-cyYyZUfd-sfXmlfTtgyouay2kJYwxfclTk2M6PPOaLWdR-26P3TYuIm1l5wjQfoPVzk-ca\u002Fs1600\u002Frecapss.jpg","2026-07-06T13:01:14+00:00","2026-07-06T14:00:26.478019+00:00",8,[18,21,23,25,28,30],{"name":19,"type":20},"Google","vendor",{"name":22,"type":20},"Meta",{"name":24,"type":20},"Microsoft",{"name":26,"type":27},"WhatsApp","product",{"name":29,"type":27},"GitHub",{"name":31,"type":32},"Residential proxy networks","technology","e7b231c8-5f79-4465-8d38-1ef13aea5a14",{"id":33,"icon":35,"name":36,"slug":37},null,"Threat Intelligence","threat-intelligence",[39,44,49,54],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"7d8b5ab8-ea0b-4ced-ae97-ec251b86993a","Ransomware","ransomware",{"category":50},{"id":51,"icon":35,"name":52,"slug":53},"839da5c1-3c34-47e2-9499-f7201640e3ac","AI Security","ai-security",{"category":55},{"id":56,"icon":35,"name":57,"slug":58},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",[60,63,66,69,72,75],{"type":58,"value":61,"context":62},"NetNut","Residential proxy botnet disrupted by Google\u002FFBI, 2M+ devices globally, used for C2 and traffic masking",{"type":58,"value":64,"context":65},"Popa","Alternative name for NetNut residential proxy network",{"type":58,"value":67,"context":68},"IPIDEA","Predecessor botnet taken down in January 2026; NetNut follow-up operation",{"type":58,"value":70,"context":71},"BADBOX 2.0","Large-scale botnet with NetNut plugin components identified",{"type":58,"value":73,"context":74},"ChocoPoC","RAT trojan delivered via fake CVE PoC repositories on GitHub; harvests passwords, cookies, browser data; supports arbitrary code execution",{"type":58,"value":76,"context":77},"skytext","Malicious Python dependency used to deliver ChocoPoC RAT in fake GitHub PoC repos"]