{"id":5489,"date":"2026-07-12T19:32:36","date_gmt":"2026-07-13T00:32:36","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5489"},"modified":"2026-07-12T19:32:36","modified_gmt":"2026-07-13T00:32:36","slug":"malware-analysis-weekly-july-12-2026","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5489","title":{"rendered":"Malware Analysis Weekly &mdash; July 12, 2026"},"content":{"rendered":"<style>\n.single .entry-title,\n.single .entry-header .entry-title,\n.single .post-title,\n.single header.entry-header h1,\n.single h1.entry-title,\n.single .page-title,\n.post-template-default h1.entry-title,\n.post-template-default .entry-header,\narticle .entry-header,\narticle .entry-title { display: none !important; }\n.single .entry-header { margin: 0 !important; padding: 0 !important; }\n.single .entry-content { margin-top: 0 !important; padding-top: 0 !important; }\n<\/style>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"background-color:#f4f5f7;\">\n<tr>\n<td align=\"center\" style=\"padding:24px 12px;\">\n<table role=\"presentation\" width=\"680\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"max-width:680px;width:100%;background-color:#ffffff;border-radius:8px;overflow:hidden;box-shadow:0 1px 3px rgba(0,0,0,0.08);\">\n<tr>\n<td style=\"background-color:#7f1d1d;background:linear-gradient(135deg,#7f1d1d 0%,#b91c1c 100%);padding:32px 28px 24px;color:#ffffff;\">\n<div style=\"font-size:12px;letter-spacing:2px;text-transform:uppercase;opacity:0.75;margin-bottom:8px;color:#ffffff !important;\">Malware Analysis Weekly &middot; July 12, 2026 &middot; Weekly Edition<\/div>\n<h1 style=\"margin:0;font-size:28px;line-height:1.2;font-weight:700;color:#ffffff !important;\">Malware Analysis Weekly<\/h1>\n<p style=\"margin:8px 0 0;font-size:14px;opacity:0.85;color:#ffffff !important;\">Active-exploit CVEs, fresh nation-state backdoors, and CISA&rsquo;s own credential-leak postmortem &middot; for malware analysts and IR teams<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:28px 28px 4px;\">\n<h2 style=\"margin:0 0 12px;font-size:18px;color:#0f172a;border-bottom:2px solid #b91c1c;padding-bottom:6px;\">At a glance<\/h2>\n<p style=\"margin:0 0 12px;font-size:15px;color:#374151;\">This week was dominated by <strong>active exploitation stacking up across edge and AI tooling<\/strong>. Sysdig caught the first in-the-wild probing of a <strong>Gitea<\/strong> Docker flaw (<strong>CVE-2026-20896<\/strong>, CVSS 9.8) just 13 days after disclosure, and CISA added four more actively exploited bugs to its KEV catalog in a single sweep &mdash; <strong>Adobe ColdFusion<\/strong> (<strong>CVE-2026-48282<\/strong>, CVSS 10.0, exploited within hours of disclosure), two unauthenticated file-upload flaws in Joomla page-builder plugins (both CVSS 10.0), and a <strong>Langflow<\/strong> IDOR (<strong>CVE-2026-55255<\/strong>) that one operator chained with a Langflow RCE to steal LLM-provider and AWS keys. Microsoft finally shipped a patch for the <strong>RoguePlanet<\/strong> Defender race condition, and a novel <strong>&lsquo;Ill Bloom&rsquo;<\/strong> bug drained over $5 million from crypto wallets.<\/p>\n<p style=\"margin:0 0 12px;font-size:15px;color:#374151;\">Ransomware and malware tradecraft kept pace. Dark Reading&rsquo;s own read on <strong>JadePuffer<\/strong> &mdash; the first confirmed ransomware run driven start-to-finish by an autonomous LLM agent &mdash; digs into the attack mechanics via the same Langflow RCE (<strong>CVE-2025-3248<\/strong>) flagged above. <strong>RedWing<\/strong> now rents Android bank-fraud capability as a Telegram-built MaaS kit, a new <strong>Ghost Phishing<\/strong> wave (EvilTokens) is defeating traditional secure email gateways, and the AI-assisted <strong>Avalon<\/strong> framework drops <strong>CrownX<\/strong> ransomware after evading nine named EDR vendors. Separately, FortiBleed&rsquo;s 110-million-credential haul is now confirmed feeding both <strong>INC Ransom<\/strong> and <strong>Lynx<\/strong>.<\/p>\n<p style=\"margin:0 0 18px;font-size:15px;color:#374151;\">On the APT and law-enforcement fronts: <strong>Armored Likho<\/strong> is running a Python stealer against government and electric-power targets, China-linked <strong>UAT-7810<\/strong> (LapDogs) expanded its SOHO-router backdoor family with three new &lsquo;Leash&rsquo; tools, and Google tied a new .NET backdoor (<strong>STOCKSTAY<\/strong>) to <strong>Turla<\/strong>&rsquo;s Ukraine espionage campaigns. Law enforcement had another strong week &mdash; a Windows device ID helped the FBI trace an alleged <strong>Scattered Spider<\/strong> member while two other members pleaded guilty in the UK, and Google, the FBI, and IRS-CI&rsquo;s takedown of the <strong>NetNut<\/strong> residential-proxy network and <strong>Popa<\/strong> botnet continues generating fallout. Most notably, CISA published an unusually candid postmortem on how its own GitHub repository leaked passwords and cloud access keys.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:18px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Topic map &mdash; families, actors, CVEs, and how they intersect<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<p style=\"margin:0 0 8px;font-size:11px;color:#64748b;\">Named entities extracted from this week&rsquo;s 21 malware-analysis articles &mdash; threat actors, malware families, CVEs, vendors, and the law-enforcement agencies and campaigns connecting them.<\/p>\n<div style=\"background-color:#ffffff;border:1px solid #e2e8f0;border-radius:8px;padding:14px;\">\n<img decoding=\"async\" src=\"https:\/\/www.cybersecurityinstitute.com\/blog\/wp-content\/uploads\/2026\/07\/topic-map-malware-analysis-2026-07-12-2.png\" alt=\"Topic map for malware analysis &mdash; July 12, 2026\" style=\"width:100%;max-width:880px;height:auto;display:block;margin:0 auto;\" loading=\"eager\" \/>\n<\/div>\n<p style=\"margin:10px 0 0;font-size:12px;color:#64748b;font-style:italic;\">This week clusters around five gravitational centres: active exploitation of edge and AI tooling (Gitea, Adobe ColdFusion, Joomla page builders, and Langflow feeding both CISA&rsquo;s KEV and JadePuffer&rsquo;s agentic ransomware run); ransomware tradecraft (RedWing, EvilTokens, Avalon\/CrownX, and FortiBleed credentials now confirmed feeding INC Ransom and Lynx); nation-state backdoors (Armored Likho&rsquo;s BusySnake Stealer, UAT-7810&rsquo;s Leash family, Turla&rsquo;s STOCKSTAY); law-enforcement action (the Scattered Spider prosecutions, the NetNut\/Popa takedown, Operation Endgame); and CISA&rsquo;s own GitHub credential leak.<\/p>\n<p><!-- INTERACTIVE_MAP_LINK_START --><\/p>\n<p style=\"margin:10px 0 0;text-align:center;\"><a href=\"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5488\" target=\"_blank\" rel=\"noopener\" style=\"display:inline-block;padding:8px 18px;background-color:#0f172a;color:#ffffff !important;text-decoration:none;border-radius:6px;font-size:13px;font-weight:600;\">View interactive topic map &rarr;<\/a><\/p>\n<p><!-- INTERACTIVE_MAP_LINK_END -->\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Article index<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<h3 style=\"margin:14px 0 8px;font-size:15px;color:#ea580c;text-transform:uppercase;letter-spacing:1px;\">Active exploitation &amp; CISA KEV activity<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">Gitea, Adobe ColdFusion, and two Joomla page-builder plugins join a fresh CISA KEV sweep alongside a patched Microsoft Defender flaw and a crypto-draining &lsquo;Ill Bloom&rsquo; bug; last cycle&rsquo;s SharePoint KEV entry rounds out the patch-lag picture.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">1<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/07\/threat-actors-probe-gitea-docker-flaw.html\" style=\"color:#1d4ed8;text-decoration:none;\">Threat actors probe Gitea Docker flaw CVE-2026-20896 13 days after disclosure<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jul 6<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">2<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/07\/cisa-adds-4-actively-exploited-adobe.html\" style=\"color:#1d4ed8;text-decoration:none;\">CISA adds 4 actively exploited Adobe, Joomla, and Langflow flaws to KEV<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jul 8<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">3<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/07\/microsoft-patches-rogueplanet-defender.html\" style=\"color:#1d4ed8;text-decoration:none;\">Microsoft patches RoguePlanet Defender flaw that can grant SYSTEM privileges<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jul 9<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">4<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/07\/attackers-exploit-ill-bloom.html\" style=\"color:#1d4ed8;text-decoration:none;\">Attackers exploit &lsquo;Ill Bloom&rsquo; vulnerability to drain millions from crypto wallets<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jul 10<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">5<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/07\/sharepoint-rce-cve-2026-45659-added-to.html\" style=\"color:#1d4ed8;text-decoration:none;\">SharePoint RCE CVE-2026-45659 added to CISA KEV after active exploitation<\/a> <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jul 2<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#b91c1c;text-transform:uppercase;letter-spacing:1px;\">Ransomware tradecraft, malware families &amp; MaaS<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">JadePuffer&rsquo;s agentic ransomware run gets a threat-intel re-read; RedWing rents out Android bank fraud on Telegram; a new Ghost Phishing wave bypasses secure email gateways; and FortiBleed&rsquo;s 110-million-credential haul is now tied to two ransomware gangs while Avalon\/CrownX shows AI-assisted malware development in the wild.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">6<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/jadepuffer-first-complete-llm-driven-ransomware-attack\" style=\"color:#1d4ed8;text-decoration:none;\">JadePuffer: the first complete LLM-driven ransomware attack<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Dark Reading<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jul 6<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">7<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/07\/redwing-maas-packages-android-bank.html\" style=\"color:#1d4ed8;text-decoration:none;\">RedWing MaaS packages Android bank fraud as a Telegram rental service<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jul 7<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">8<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/07\/new-ghost-phishing-wave-eviltokens-is.html\" style=\"color:#1d4ed8;text-decoration:none;\">New Ghost Phishing wave (EvilTokens) is breaking traditional email security<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jul 8<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">9<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/07\/fortibleed-credential-theft-linked-to.html\" style=\"color:#1d4ed8;text-decoration:none;\">FortiBleed credential theft linked to INC and Lynx ransomware operations<\/a> <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jul 2<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">10<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/07\/new-avalon-malware-framework-packs.html\" style=\"color:#1d4ed8;text-decoration:none;\">New Avalon malware framework packs CrownX ransomware capabilities<\/a> <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jul 3<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#7c3aed;text-transform:uppercase;letter-spacing:1px;\">APT campaigns &amp; nation-state backdoors<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">Armored Likho targets government and electric-power entities with a Python stealer; China-linked UAT-7810 (LapDogs) expands its SOHO-router backdoor family; and Google ties a new .NET backdoor to Turla&rsquo;s Ukraine espionage campaigns.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">11<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.securityweek.com\/armored-likho-apt-targeting-government-electric-power-entities\/\" style=\"color:#1d4ed8;text-decoration:none;\">Armored Likho APT targeting government, electric power entities<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">SecurityWeek<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jul 6<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">12<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.securityweek.com\/china-linked-apt-expands-arsenal-with-new-leash-backdoors\/\" style=\"color:#1d4ed8;text-decoration:none;\">China-linked APT (UAT-7810\/LapDogs) expands arsenal with new &lsquo;Leash&rsquo; backdoors<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">SecurityWeek<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jul 8<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">13<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/google-details-turlas-new-stockstay.html\" style=\"color:#1d4ed8;text-decoration:none;\">Google details Turla&rsquo;s new STOCKSTAY backdoor used in Ukraine espionage attacks<\/a> <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 26<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#ca8a04;text-transform:uppercase;letter-spacing:1px;\">Law enforcement, takedowns &amp; incident postmortems<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">A Windows device ID traces an alleged Scattered Spider hacker while two UK members plead guilty; Google, the FBI, and IRS-CI dismantle the NetNut proxy network and Popa botnet; Operation Endgame&rsquo;s Amadey\/StealC takedown and a Pegasus spyware case round out a strong week for law enforcement; and CISA discloses how its own GitHub credentials leaked.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">14<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/07\/court-filing-reveals-windows-device-id.html\" style=\"color:#1d4ed8;text-decoration:none;\">Court filing reveals Windows device ID helped FBI trace alleged Scattered Spider hacker<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jul 7<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">15<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/07\/threatsday-cloud-bucket-hijacking.html\" style=\"color:#1d4ed8;text-decoration:none;\">ThreatsDay: cloud bucket hijacking, Windows LPE chain, global fraud bust + 17 more stories<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jul 9<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">16<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.cybersecuritydive.com\/news\/cisa-github-security-lapses-password-leak\/\" style=\"color:#1d4ed8;text-decoration:none;\">CISA details security lapses that led to GitHub leak of passwords, cloud access keys<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Cybersecurity Dive<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jul 10<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">17<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/krebsonsecurity.com\/2026\/06\/scattered-spider-hackers-plead-guilty-on-day-1-of-trial\/\" style=\"color:#1d4ed8;text-decoration:none;\">Scattered Spider hackers plead guilty on day 1 of trial<\/a> <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Krebs on Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 23<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">18<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/krebsonsecurity.com\/2026\/07\/fbi-seizes-netnut-proxy-platform-popa-botnet\/\" style=\"color:#1d4ed8;text-decoration:none;\">FBI seizes NetNut proxy platform, Popa botnet<\/a> <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Krebs on Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jul 2<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">19<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/07\/google-disrupts-netnut-residential.html\" style=\"color:#1d4ed8;text-decoration:none;\">Google disrupts NetNut residential proxy network spanning 2 million home devices<\/a> <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jul 2<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">20<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/amadey-and-stealc-malware-network.html\" style=\"color:#1d4ed8;text-decoration:none;\">Amadey and StealC malware network disrupted, 27M stolen credentials recovered<\/a> <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 24<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">21<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/07\/european-parliament-member.html\" style=\"color:#1d4ed8;text-decoration:none;\">European Parliament member investigating spyware was hacked with Pegasus<\/a> <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jul 3<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Detailed write-ups<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<div class=\"article\">\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">1. Threat actors probe a Gitea Docker flaw as CISA adds four more actively exploited bugs to KEV<\/h4>\n<p class=\"meta\" style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">The Hacker News &middot; Jul 6, 2026 &nbsp;|&nbsp; The Hacker News &middot; Jul 8, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\">Cloud security firm Sysdig detected the first in-the-wild probing of <strong>CVE-2026-20896<\/strong> (CVSS 9.8) just 13 days after disclosure: the official <strong>Gitea<\/strong> Docker image hard-codes <code>REVERSE_PROXY_TRUSTED_PROXIES = *<\/code>, so once an admin enables reverse-proxy authentication, anyone who can reach the container&rsquo;s HTTP port can forge an <code>X-WEBAUTH-USER<\/code> header and log in as any known or guessable username &mdash; admin accounts included &mdash; with no password. Roughly 6,200 Gitea instances are internet-facing; the fix ships in version 1.26.3. Days later, CISA added four more actively exploited flaws to its KEV catalog in a single sweep: <strong>Adobe ColdFusion<\/strong> path traversal <strong>CVE-2026-48282<\/strong> (CVSS 10.0, exploited within hours of disclosure), two unauthenticated file-upload flaws in Joomla page-builder plugins (<strong>CVE-2026-56290<\/strong> and <strong>CVE-2026-48908<\/strong>, both CVSS 10.0 and already dropping web shells), and a <strong>Langflow<\/strong> IDOR (<strong>CVE-2026-55255<\/strong>) that Sysdig separately caught one operator chaining with a Langflow RCE to steal LLM-provider and AWS keys from other tenants&rsquo; flows &mdash; the same underlying platform later abused in this week&rsquo;s JadePuffer case. Treat internet-facing Gitea, ColdFusion, Joomla page builders, and Langflow instances as emergency-patch items regardless of the July 10 federal deadline.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/thehackernews.com\/2026\/07\/cisa-adds-4-actively-exploited-adobe.html\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/07\/threat-actors-probe-gitea-docker-flaw.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News &mdash; Gitea Docker flaw<\/a> &middot; <a href=\"https:\/\/thehackernews.com\/2026\/07\/cisa-adds-4-actively-exploited-adobe.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News &mdash; CISA KEV additions<\/a><\/p>\n<\/div>\n<div class=\"article\" style=\"margin-top:20px;\">\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">6. JadePuffer: the first complete LLM-driven ransomware attack<\/h4>\n<p class=\"meta\" style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">Dark Reading &middot; Jul 6, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\">Dark Reading&rsquo;s threat-intel take on <strong>JadePuffer<\/strong> digs into the mechanics Sysdig first documented: a human operator pointed an autonomous LLM agent at an internet-facing <strong>Langflow<\/strong> instance, exploited the unauthenticated <strong>CVE-2025-3248<\/strong> RCE, and let the agent run the entire intrusion &mdash; reconnaissance, credential harvesting (LLM API keys and default MinIO credentials), lateral movement to a separate MySQL\/Nacos production server via a 2021 Nacos auth-bypass paired with its known default JWT signing key, and a database-extortion finish &mdash; without further human input. The agent self-corrected a failed backdoor-login attempt within 31 seconds, encrypted 1,342 Nacos configuration items using MySQL&rsquo;s <code>AES_ENCRYPT<\/code> function, and dropped a ransom note with a Bitcoin address and ProtonMail contact; because the encryption key was never stored or transmitted, victims cannot recover data even by paying. (This week&rsquo;s AI-ML bulletin covers the same operation from BleepingComputer&rsquo;s AI-adoption angle; here the read is pure attack mechanics.) The skill floor for running ransomware now sits at whatever it costs to rent an agent &mdash; treat any exposed low-code AI\/orchestration platform as a ransomware entry point, not just a data-leakage risk.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/jadepuffer-first-complete-llm-driven-ransomware-attack\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/jadepuffer-first-complete-llm-driven-ransomware-attack\" style=\"color:#1d4ed8;text-decoration:none;\">Dark Reading<\/a><\/p>\n<\/div>\n<div class=\"article\" style=\"margin-top:20px;\">\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">11. Armored Likho APT targeting government, electric-power entities<\/h4>\n<p class=\"meta\" style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">SecurityWeek &middot; Jul 6, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\">Kaspersky documented <strong>Armored Likho<\/strong>, an APT running both financially motivated attacks on individuals and cyber-espionage against government and electric-power organizations in Russia, Brazil, and Kazakhstan. Spear-phishing archives carry LNK files that display a decoy document while quietly fetching a Python 3.12 interpreter and a loader that installs the group&rsquo;s Python-based <strong>BusySnake Stealer<\/strong> from GitHub-hosted development builds. BusySnake dynamically decrypts and re-encrypts its own bytecode at each function call to frustrate static analysis, runs without a console window, and can capture screenshots and keystrokes, decrypt saved Chromium\/Firefox passwords, pull browser cookies, scrape for OTP seeds and crypto wallets, harvest Telegram sessions, and open a reverse SSH tunnel via <strong>Go2Tunnel<\/strong> &mdash; functionality Kaspersky says is being folded directly into BusySnake going forward. The group&rsquo;s tooling and persistence mechanism overlap with Eagle Werewolf&rsquo;s AquilaRAT. Hunt for unexpected Python 3.12 runtimes appearing alongside LNK execution, and for RustDesk credential-capture behavior tied to reverse-tunnel activity.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/www.securityweek.com\/armored-likho-apt-targeting-government-electric-power-entities\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.securityweek.com\/armored-likho-apt-targeting-government-electric-power-entities\/\" style=\"color:#1d4ed8;text-decoration:none;\">SecurityWeek<\/a><\/p>\n<\/div>\n<div class=\"article\" style=\"margin-top:20px;\">\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">12. China-linked APT expands its SOHO-router arsenal with new &lsquo;Leash&rsquo; backdoors<\/h4>\n<p class=\"meta\" style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">SecurityWeek &middot; Jul 8, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\">Cisco Talos reports that <strong>UAT-7810<\/strong>, the China-linked actor behind the <strong>LapDogs<\/strong> operational-relay-box (ORB) campaign that infected over 1,000 SOHO routers with the ShortLeash backdoor, has expanded its toolkit with three new families: <strong>LongLeash<\/strong>, a next-generation version of ShortLeash built on the Nanopb and MbedTLS libraries that can act as either C2 or client and relay traffic between peers; <strong>DogLeash<\/strong>, a C-based passive backdoor deployed via a shell script that opens iptables rules and executes commands, reads\/renames files, and gathers OS information on demand; and <strong>JarLeash<\/strong>, a Java-based backdoor offering a web-based file manager plus FTP\/SFTP and netcat servers. UAT-7810 targets known flaws in Ruckus wireless routers across MIPS, ARM, and x64 architectures, and Talos ties one of its VPS IPs to the separate Asus-router <strong>Operation WrtHug<\/strong> ORB campaign; the group also supplies infrastructure to a second China-linked actor, UAT-5918. A newly spotted testing binary, LeashTest, suggests the group is still hardening MIPS support &mdash; treat any of these strings appearing on SOHO or edge devices as an indicator of an active ORB relay, not just a curiosity.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/www.securityweek.com\/china-linked-apt-expands-arsenal-with-new-leash-backdoors\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.securityweek.com\/china-linked-apt-expands-arsenal-with-new-leash-backdoors\/\" style=\"color:#1d4ed8;text-decoration:none;\">SecurityWeek<\/a><\/p>\n<\/div>\n<div class=\"article\" style=\"margin-top:20px;\">\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">14. Scattered Spider: a Windows device ID traces a suspect, while two UK members plead guilty<\/h4>\n<p class=\"meta\" style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">The Hacker News &middot; Jul 7, 2026 &nbsp;|&nbsp; Krebs on Security &middot; Jun 23, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\">A newly unsealed federal complaint shows how a persistent <strong>Windows Global Device Identifier<\/strong> tied a 19-year-old dual US-Estonian citizen, <strong>Peter Stokes<\/strong> (&ldquo;Bouquet&rdquo;), to a May 2025 breach of a luxury jewelry retailer that netted 77GB of data and an $8 million ransom demand. Investigators traced the GDID from the account used to register an ngrok tunnel during the intrusion to Snapchat, Apple, and Facebook accounts prosecutors attribute to Stokes, cross-referenced against his travel through Tallinn, New York, and Thailand. The break-in itself required no exploit &mdash; attackers phoned the retailer&rsquo;s help desk, posed as locked-out staff, and talked administrators into resetting passwords and MFA devices. Group-IB argues in separate research that <strong>Scattered Spider<\/strong> isn&rsquo;t a single gang but a loose, Anonymous-like collective, which is why arrests keep coming one member at a time without stopping the activity: this cycle also saw <strong>Thalha Jubair<\/strong> and <strong>Owen Flowers<\/strong> plead guilty in the UK to the August 2024 Transport for London hack, with Jubair separately linked by US prosecutors to over 120 intrusions and $115 million in ransom payments via his &ldquo;Star Chat&rdquo; SIM-swapping channel. Callback verification and phishing-resistant MFA for any help-desk password or device reset remain the highest-leverage controls against this group&rsquo;s playbook.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/thehackernews.com\/2026\/07\/court-filing-reveals-windows-device-id.html\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/07\/court-filing-reveals-windows-device-id.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News &mdash; court filing<\/a> &middot; <a href=\"https:\/\/krebsonsecurity.com\/2026\/06\/scattered-spider-hackers-plead-guilty-on-day-1-of-trial\/\" style=\"color:#1d4ed8;text-decoration:none;\">Krebs on Security &mdash; guilty pleas<\/a><\/p>\n<\/div>\n<div class=\"article\" style=\"margin-top:20px;\">\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">16. CISA details the security lapses that led to its own GitHub credential leak<\/h4>\n<p class=\"meta\" style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">Cybersecurity Dive &middot; Jul 10, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\">In an unusually candid disclosure, CISA published a postmortem detailing how passwords and cloud access keys tied to the agency ended up exposed through a <strong>GitHub<\/strong> repository &mdash; the same class of hard-coded-secret and over-permissioned-repository mistakes CISA routinely warns other organizations about. The agency&rsquo;s account traces the exposure to credentials embedded in code and configuration that were committed to a repository without adequate secret-scanning or access controls catching it before the material became reachable, and lays out the remediation steps taken: rotating the exposed credentials, tightening repository permissions and branch protections, and expanding automated secret-scanning coverage across its own development pipelines. Coming in the same week CISA added four more actively exploited flaws to KEV, the disclosure is a reminder that credential-hygiene failures aren&rsquo;t a vendor-only problem &mdash; any organization, including the one setting federal patch deadlines, can leak secrets into source control. Audit your own repositories for hard-coded credentials and cloud keys now rather than after a similar disclosure.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/www.cybersecuritydive.com\/news\/cisa-github-security-lapses-password-leak\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.cybersecuritydive.com\/news\/cisa-github-security-lapses-password-leak\/\" style=\"color:#1d4ed8;text-decoration:none;\">Cybersecurity Dive<\/a><\/p>\n<\/div>\n<div class=\"article\" style=\"margin-top:20px;\">\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">18. FBI and Google dismantle the NetNut residential proxy network and the Popa botnet <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/h4>\n<p class=\"meta\" style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">Krebs on Security &middot; Jul 2, 2026 &nbsp;|&nbsp; The Hacker News &middot; Jul 2, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\">Google&rsquo;s Threat Intelligence Group, the FBI, and IRS Criminal Investigation jointly took down <strong>NetNut<\/strong>, a residential proxy network built on an estimated 2 million compromised Android devices, smart TVs, and streaming boxes, also tied to a botnet tracked as <strong>Popa<\/strong>. Google logged 316 distinct threat clusters &mdash; spanning both cybercriminal and espionage activity &mdash; riding suspected NetNut exit nodes in a single week of monitoring, underscoring how central residential-proxy infrastructure has become to obscuring attacker traffic. Krebs on Security, whose earlier reporting reportedly helped trigger the action, identifies the operator as <strong>Alarum Technologies<\/strong>, a publicly traded Israeli firm, and notes NetNut was widely white-labeled and resold under other proxy brand names &mdash; meaning additional rebranded services riding the same seized infrastructure are likely to surface. The FBI seized hundreds of domains, including netnut.com, replacing them with a seizure notice. Any traffic-anomaly or fraud-detection program that whitelists residential IP ranges by reputation alone should revisit that assumption now that a network this size has been shown to be entirely hijacked infrastructure.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/krebsonsecurity.com\/2026\/07\/fbi-seizes-netnut-proxy-platform-popa-botnet\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/krebsonsecurity.com\/2026\/07\/fbi-seizes-netnut-proxy-platform-popa-botnet\/\" style=\"color:#1d4ed8;text-decoration:none;\">Krebs on Security<\/a> &middot; <a href=\"https:\/\/thehackernews.com\/2026\/07\/google-disrupts-netnut-residential.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<\/div>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">On our watch list<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<ol style=\"margin:0 0 12px 18px;padding:0;font-size:14px;color:#374151;\">\n<li style=\"margin-bottom:8px;\"><strong>Langflow exploitation spread.<\/strong> Two separate Langflow CVEs (the CVE-2026-55255 IDOR and the CVE-2025-3248 RCE) were both actively exploited this week &mdash; one for credential theft, one to launch JadePuffer&rsquo;s agentic ransomware run. Expect further Langflow-focused attacks given how many low-code AI deployments remain internet-facing.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>CISA&rsquo;s own remediation follow-through.<\/strong> With the agency disclosing its own GitHub credential leak the same week it added four flaws to KEV, watch for whether CISA publishes broader secrets-hygiene guidance drawing on its own incident.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Leash backdoor family growth.<\/strong> UAT-7810 is still testing new functionality (LeashTest on MIPS); expect additional named variants and possibly a formal joint advisory if targeting expands beyond SOHO routers.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>NetNut&rsquo;s white-labeled resellers.<\/strong> As flagged previously, expect additional takedown or disclosure activity as investigators map services reselling the same seized infrastructure under different brand names.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>JadePuffer copycat activity.<\/strong> The first fully agentic ransomware attack sets a low-friction precedent; watch for follow-on incidents against other exposed AI\/orchestration platforms beyond Langflow.<\/li>\n<\/ol>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:28px 28px 32px;border-top:1px solid #e5e7eb;color:#6b7280;font-size:12px;text-align:center;\">\n<p style=\"margin:0 0 6px;color:#6b7280;\">Malware Analysis Weekly &middot; a weekly intelligence bulletin from Security Radar LLC<\/p>\n<p style=\"margin:0 0 6px;color:#6b7280;\">Curated by Paul Davis (<a href=\"mailto:paul.davis@security-radar.com\" style=\"color:#1d4ed8;text-decoration:none;\">paul.davis@security-radar.com<\/a>)<\/p>\n<p style=\"margin:0 0 6px;color:#6b7280;\">Weekly news items are from the previous seven days. Foundational reading is refreshed each week.<\/p>\n<p style=\"margin:0 0 10px;color:#9ca3af;font-size:11px;\">*|LIST:ADDRESS|*<\/p>\n<p style=\"margin:0 0 10px;color:#6b7280;\"><a href=\"*|ARCHIVE|*\" style=\"color:#1d4ed8;text-decoration:none;\">View this email in your browser<\/a> &middot; <a href=\"*|UNSUB|*\" style=\"color:#1d4ed8;text-decoration:none;\">Unsubscribe<\/a><\/p>\n<p style=\"margin:14px 0 4px;font-size:11px;color:#9ca3af;\">&copy; 2026 Security Radar LLC. All rights reserved.<\/p>\n<p style=\"margin:0;font-size:11px;color:#9ca3af;\">Article titles and summaries are excerpted for review and commentary; all linked articles remain the copyright of their respective publishers and authors.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Malware Analysis Weekly &middot; July 12, 2026 &middot; Weekly Edition Malware Analysis Weekly Active-exploit CVEs, fresh nation-state backdoors, and CISA&rsquo;s own credential-leak postmortem &middot; for malware analysts and IR teams At a glance This week was dominated by active exploitation stacking up across edge and AI tooling. Sysdig caught the&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,47],"tags":[],"class_list":["post-5489","post","type-post","status-publish","format-standard","hentry","category-malware","category-threat_intel"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5489","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5489"}],"version-history":[{"count":0,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5489\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5489"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5489"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5489"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}