- Badbox 2.0Botnet of hijacked Android TV devices with overlapping components with Popa/NetNut
- NetNutResidential proxy botnet network spanning 2 million home devices
- PopaAlternative name/tracking identifier for NetNut botnet
- MiraiBotnet that has pulled devices from NetNut network
ThreatNoir Morning Brief — July 3
Morning Review in IT Security — July 3, 2026
The cybersecurity landscape continues to shift as major technology companies and law enforcement agencies take coordinated action against threat infrastructure, while attackers simultaneously evolve their tactics to exploit unpatched vulnerabilities and authentication weaknesses. Today's briefing covers significant disruptions to residential proxy networks, emerging ransomware exploitation chains, and new account hijacking techniques targeting enterprise environments.
Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices
Google's Threat Intelligence Group has successfully degraded NetNut, one of the largest residential proxy networks that converts compromised home devices into traffic relay nodes. Working collaboratively with the FBI, Lumen, and other partners, Google reduced the network's pool of usable devices by millions. The operation targeted NetNut, also tracked under the alias Popa, which had infected approximately two million residential devices. Source: Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices
The investigation identified multiple malware families associated with the infrastructure, including Badbox 2.0 and Mirai variants. This coordinated disruption represents a significant effort to dismantle the technical backbone supporting large-scale proxy abuse and related malicious activities.
Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials
Threat actors affiliated with the Anubis ransomware operation have been actively exploiting the Citrix Bleed 2 vulnerability (CVE-2025-5777) to establish initial access into target networks. Analysis of attack patterns reveals common tradecraft elements including the deployment of legitimate Remote Management and Monitoring tools, credential harvesting, and hands-on-keyboard lateral movement procedures. Source: Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials
The exploitation chain demonstrates how ransomware affiliates are chaining unpatched Citrix infrastructure flaws with stolen supply chain credentials to maximize their operational effectiveness. This convergence of vulnerability exploitation and credential reuse underscores the critical importance of timely patching and credential management practices.
FortiBleed Credential Theft Connected to INC and Lynx Ransomware
The FortiBleed credential theft campaign, targeting Fortinet infrastructure, has now been connected to both INC Ransom and Lynx ransomware operations. Investigation into the attack chain has also uncovered a Nextcloud zero-day vulnerability being leveraged in conjunction with the Fortinet exploitation. Source: FortiBleed Credential Theft Connected to INC and Lynx Ransomware
The convergence of FortiBleed with multiple ransomware families indicates a coordinated supply chain attack strategy where unpatched Fortinet firewalls serve as entry points for subsequent ransomware deployment. Organizations running vulnerable Fortinet appliances remain at elevated risk.
ConsentFix and ClickFix: How Microsoft 365 Accounts are Hijacked in 3 Seconds
New attack techniques known as ConsentFix and ClickFix are enabling threat actors to steal Microsoft 365 authentication tokens within seconds using fraudulent OAuth consent prompts and fake login interfaces. These attacks bypass multi-factor authentication by targeting the token acquisition process rather than traditional credential theft. Source: ConsentFix and ClickFix: How Microsoft 365 Accounts are Hijacked in 3 Seconds
The effectiveness of these techniques lies in their exploitation of user trust in legitimate OAuth flows and the speed at which tokens can be harvested before detection. Organizations should implement additional controls around OAuth consent prompts and educate users on recognizing suspicious authentication requests.
As infrastructure disruptions continue against proxy networks and ransomware operations adapt their exploitation chains, the security community faces an ongoing arms race where defenders must address both known vulnerabilities and emerging authentication bypass techniques simultaneously.
Sources & IOCs
Source articles and extracted indicators (defanged where appropriate).
- Citrix Bleed 2 vulnerability exploited for initial access
- FortiBleedCredential sniffing tool targeting FortiGate firewalls
- INC RansomRansomware-as-a-service operation linked to FortiBleed operators
- LynxRansomware-as-a-service operation linked to FortiBleed operators
- ClickFixAttack technique tricking users into executing commands via fake prompts.
- ConsentFixAttack technique targeting Microsoft 365 OAuth consent flows.