A series of cybersecurity developments this week highlighted how everyday technologies, trusted applications, and widely used online services continue to become attractive targets for cybercriminals. From the disruption of a large residential proxy botnet to the emergence of browser based ransomware techniques and artificial intelligence powered attack methods, researchers observed threat actors increasingly taking advantage of trusted platforms and common user behavior. Security experts noted that many of the latest attacks did not rely on sophisticated vulnerabilities alone but instead exploited misplaced trust, exposed services, insecure software dependencies, and weak authentication mechanisms. The week’s findings also included multiple phishing operations, malware campaigns, law enforcement actions, and a growing list of critical vulnerabilities affecting enterprise software and infrastructure.
One of the most significant developments involved the disruption of the NetNut residential proxy network, also known as Popa, through a coordinated effort by Google, FBI, Lumen, and other partners. The operation followed earlier action against the IPIDEA network and targeted infrastructure that reportedly relied on more than two million compromised devices worldwide. According to Google, NetNut populated its network by distributing software development kits embedded in applications installed on consumer devices such as smart televisions and streaming boxes. These infected devices were then used to route malicious internet traffic while concealing attackers’ identities. Google disabled accounts and services associated with the botnet’s command infrastructure while updating Google Play Protect to detect applications containing NetNut components. Researchers also warned about a growing trend in artificial intelligence related attacks. Check Point demonstrated a browser based ransomware concept created using DeepSeek that leveraged Chromium’s File System Access API to encrypt files directly within supported browsers on Windows, Linux, macOS, ChromeOS, and Android. Although no evidence suggests the technique has been used in active attacks, researchers described it as an example of how AI systems can identify previously overlooked attack methods. Another emerging concern involved attackers abusing misconfigured Ollama model servers to power automated offensive security tools capable of identifying vulnerabilities, generating exploit code, and launching attacks without direct human involvement.
Researchers also identified numerous phishing and malware campaigns affecting businesses and individuals across multiple regions. Security analysts reported that fake proof of concept repositories hosted on GitHub were distributing ChocoPoC malware through a malicious dependency that stole browser credentials, cookies, local databases, and sensitive system information. Fortinet uncovered Ousaban, a Brazilian banking trojan targeting financial institutions in Spain and Portugal through fake PDF documents that ultimately deployed malicious Visual Basic scripts. Palo Alto Networks documented a ClickFix campaign that abused compromised websites and Polygon blockchain infrastructure to deliver malware using fake CAPTCHA pages, while Trend Micro revealed phishing attacks against Booking.com partner organizations in Japan that delivered TONResolver malware using the TON blockchain as a command and control mechanism. Researchers also observed the Mamont Android malware spreading through fake dating applications to facilitate financial fraud, while AsyncRAT continued to spread through phishing emails containing Dropbox links and malicious spreadsheets targeting procurement and sales professionals. Security researchers further disclosed that attackers exploited a critical Laravel Livewire vulnerability to compromise more than 6,100 applications and steal database credentials, cloud secrets, authentication tokens, and millions of email addresses from organizations operating across government, healthcare, finance, education, and commercial sectors.
The cybersecurity community also tracked a wide range of threat intelligence developments involving artificial intelligence, phishing services, identity attacks, and software vulnerabilities. Researchers demonstrated that indirect prompt injection attacks continue to pose risks to AI agents by manipulating search engine results and hidden website content to influence automated decision making. Microsoft announced that beginning in September 2026, Entra self service password reset will require explicitly registered authentication methods rather than relying on directory stored contact information, strengthening identity verification. NetSPI disclosed a method for bypassing Microsoft Entra Conditional Access policies through Nested App Authentication before Microsoft released a fix. ProjectDiscovery reported that more than 30,500 Common Vulnerabilities and Exposures have already been published during 2026, placing the year on track to exceed previous records as AI accelerates vulnerability discovery. Security researchers also identified multiple new phishing as a service platforms, including CodeStorm, ARToken, Console, Mirage2FA, and Bluekit, while Chinese language phishing communities expanded their use of AI generated phishing pages capable of cloning legitimate websites with greater accuracy. Additional law enforcement activity included the extradition of an alleged Scattered Spider member to the United States, prison sentences for two individuals involved in ATM malware operations, and continued investigations into malware campaigns targeting governments, financial institutions, software developers, and enterprise organizations worldwide. The collective findings reinforce the importance of timely patch management, stronger identity protection, careful software verification, and continuous monitoring as cyber threats continue to evolve across both consumer and enterprise environments.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.