Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

JadePuffer Uses AI to Streamline End to End Ransomware Operations


 

Researchers have discovered the first ransomware intrusion conducted almost entirely by an autonomous large language model (LLM) agent, further demonstrating how generative AI and cybercrime are convergent. 

Sysdig researchers were able to detect the campaign by analyzing an attack linked to the JadePuffer threat actor that exploited a critical vulnerability in Langflow to gain initial access. Following reconnaissance, credential harvesting, privilege escalation, lateral movement, persistence, and encryption of data, an AI agent was able to conduct these activities independently. 

Instead of operating as a scripted automation tool, the agent demonstrated an ability to assess its environment, recover from failed actions, and dynamically adjust its approach throughout the intrusion, which highlights a significant shift toward AI-assisted offensive operations with minimal direct human intervention.

During the intrusion, CVE-2025-3248 was exploited, which was a critical unauthenticated remote code execution vulnerability in Langflow that enabled arbitrary Python code execution when the deployment was exposed to the internet. Although patched in April and later added to CISA's Known Exploited Vulnerabilities catalog following active exploitation, internet-exposed Langflow instances remained attractive targets because they commonly stored cloud credentials, API tokens, and application secrets. 

The AI-driven operation then systematically extracted Langflow's PostgreSQL database and profiled the compromised host before expanding its reconnaissance to connected MinIO object storage, enumerating environment variables and sensitive configuration files, and harvesting available credentials. When an API returned XML instead of the expected JSON, the agent automatically adjusted its parsing logic and continued enumeration without manual intervention. 

The operation also established persistence through a cron job configured to contact attacker-controlled infrastructure every 30 minutes. Once persistence and reconnaissance were established, the AI agent moved to the destructive phase of the attack by dynamically refining its execution in response to its environment of target. 

A Sysdig analysis found that the ransomware model modified payloads to satisfy authentication checks, verified that User Defined Functions (UDFs) were present, and signaled that work had been completed before initiating ransomware activity. By using MySQL's AES_ENCRYPT() function, all 1,342 Nacos service configuration records were encrypted, the original configuration_info and history tables were removed, and a README_RANSOM table was created containing the extortion message, Bitcoin payment address, and Proton Mail contact information for negotiations. 

Although the ransom note claimed AES-256 encryption, Sysdig assessed the implementation more closely resembled AES-128 in ECB mode. In addition, the encryption key was generated locally, but was neither retained nor transmitted to attackers' infrastructure.

The researchers also noted the Bitcoin wallet embedded in the ransom instructions matched a public documentation address, suggesting that the LLM reproduced this address from its training data rather than generating an operational payment destination for the ransom. Each captured payload included an explanation in natural language explaining how the actions were carried out, demonstrating the agent's ability to interpret system feedback, diagnose errors, and revise its logic, rather than relying on repetitive scripted retries, throughout the intrusion.

Aside from rapid troubleshooting execution failures, Sysdig also documented the agent's ability to interpret error responses and alter its approach in real time. The model was observed to correct an unsuccessful authentication attempt within 31 seconds by identifying the root cause of the failure rather than repeating the same steps over and over again. There were over 600 distinct payloads recorded throughout the intrusion, which each reflected deliberate progression through sequential attack stages rather than static automation. 

A Bitcoin wallet incorporated into the ransom note was an unresolved anomaly, which precisely matched an address published in Bitcoin developer documentation, an address which is well known for its use. 

Investigators were unable to determine whether the address was reproduced from the training data or if it was deliberately selected by the operator since both references are readily available in technical resources. It is also indicative of a larger evolution in cyber operations assisted by artificial intelligence during the past year. Earlier claims of AI-powered ransomware, including PromptLock, were ultimately linked to controlled research rather than active criminal operations. 

The use of generative artificial intelligence in operational situations has become increasingly evident in recent incidents. Anthropic previously disclosed the use of its Claude Code assistant in extortion against at least 17 organizations under human supervision in an extortion campaign, followed by a largely autonomous state-linked espionage operation using artificial intelligence to develop exploits and facilitate data theft. 

Operator involvement was limited. Similar fabricated credentials were also observed in the JadePuffer campaign, reinforcing the possibility that the unusual Bitcoin addresses observed may have been the result of model hallucinations rather than deliberate malicious intent. Collectively, these incidents demonstrate the ways in which artificial intelligence is automating discrete phases of sophisticated intrusion, reducing the expertise and effort normally required to conduct large-scale offensive operations. 

From a defensive perspective, Sysdig recommends maintaining established security practices. Langflow deployments should be fully patched against CVE-2025-3248 and code execution interfaces should not be exposed directly to the internet. Secrets should be stored in dedicated secrets managers rather than accessible runtime environments. Additionally, the company recommends replacing default signing keys, restricting public exposure, preventing database connections from root accounts, as well as enforcing outbound network controls so that compromised hosts are not able to communicate with command and control systems.

According to Sysdig, autonomous agents are able to detect and exploit new vulnerabilities within hours of their disclosure, which makes runtime detection and behavioral monitoring equally critical as timely patch management.

It was reported by the researchers that indicators of compromise associated with the campaign were released in support of incident response efforts, including the use of CVE-2025-3248 as the initial entry vector, command-and-control infrastructure located at 45.131.66[.]106 with an ongoing beacon program, and a staging server located at 64.20.53[.]230. There are three ransom artifacts associated with the ransom attack, namely the table README_RANSOM, the wallet 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy, and the email address e78393397[@]proton[.]me. 

JadePuffer is not regarded by Sysdig as introducing fundamentally new attack techniques, but the researchers consider it to be an important indicator of where offensive capabilities are heading. Creating an environment where autonomous AI agents can individually combine familiar exploitation methods into complete intrusion chains, making every exposed application server, configuration repository, and administrative interface available to the internet a far more attractive target than before. 

The evolution of ransomware has reached an important turning point with the launch of JadePuffer, as autonomous artificial intelligence agents are now capable of executing complex attacks without human assistance. 

AI infrastructure should be secured, credentials exposed to the internet must be rigorously managed, and runtime detection capabilities should be strengthened to identify adaptive behavior before it progresses into a full-scale compromise. With artificial intelligence-assisted attacks on the rise, proactive resilience is as important as rapid patching.

New Bad Epoll Bug Impacts Android and Linux, Allows Root Access


A recently found Linux kernel vulnerability called ‘Bad Epoll’ (CVE-2026-46242) allows an ordinary person without any special privilege to take complete command of a device as a root. This has impacted Linux systems, Android, and servers, and a patch is out to address the flaw. 

Bad Epoll was discovered in the same kernel code where Anthropic’s famous AI model, Mythos, discovered another vulnerability. 

The AI flagged one flaw but missed Bad Epoll. Expert Jaeyoung Chung discovered this one.

About Bad Epoll

Epoll is a Linux feature that allows a program to watch various network connections and files at once. You cannot switch it off as web browsers, network services, and servers, all rely on it.

The flaw is a ‘use-after-free’ bug, where two parts of the kernel clean up the same internal object at once. One cleans the memory while the other one writes it. This small friction allows hackers to attack kernel memory, then rise upward to root.

Detecting the bug

Timing is the catch. A random attempt nearly never lands in the window where the two pathways intersect since it is just roughly six machine instructions wide. On testing platforms, Chung's attack expands that window and tries again without crashing, achieving root roughly 99% of the time.

It is more serious since, according to his account, it can be triggered from within Chrome's renderer sandbox, which prevents nearly all other kernel problems, and it can reach Android, which is not possible with other Linux privilege bugs.

Chung sent the flaw as a zer0-day to Google’s kernelCTF program, and full details can be found on his Github. There are no indications that hackers have used it in real-time. At present, an android variant of compromise exists and the only working code is the kernelCTF PoC.

History of the bug

These two flaws go back to a single 2023 modification to the epoll code. According to Chung, Mythos discovered the first two, now labelled as CVE-2026-43074, with an early patch in 2026.

Additionally, Anthropic said that Mythos discovered linux kernel privilege-escalation bugs, but it did not relate the findings with Bad Epoll. Finding the first one was difficult as race-condition flaws are difficult to detect. But why did the AI miss the second flaw? 

Chung offers two likely reasons:

Small timing window

Lack of evidence during runtime 

North Korean PolinRider Campaign Spreads Malicious Packages Across npm, Go, Chrome, and Packagist

 

North Korean threat actors behind the Contagious Interview campaign have been observed persistently targeting software supply chains by distributing more than 100 malicious packages and browser extensions. Researchers note that the PolinRider campaign is targeting software developers and those in the cryptocurrency space by leveraging popular open-source repositories and developer tools. 

The cybersecurity researchers at Socket have discovered 108 unique malicious packages and browser extensions, resulting in 162 release artifacts. Within the discovered malicious code, the researchers have identified 19 npm packages, 10 Packagist (Composer) libraries, 61 Go modules, and one Google Chrome extension. Researchers note that the threat actors continue to compromise developer accounts and push out malicious code updates each time they gain access to a software repository. 

Researchers have linked the PolinRider campaign to the Contagious Interview supply chain attack, which has been actively targeting developers since at least 2023. In most cases, North Korean hackers impersonate recruiters or business partners on social media platforms and code repositories, luring targets into installing malicious software during the interview process. 

The PolinRider threat group was first detected this year when cybersecurity analysts identified hundreds of GitHub repositories with hidden JavaScript code that downloads an updated version of the BeaverTail malware. According to the researchers, almost 2000 GitHub repositories and 1000+ unique owners have been compromised by the PolinRider campaign as of April 2026. 

Researchers suggest that attackers are not compromising the GitHub servers directly but rather hijacking developer accounts on the platform. The initial access to the developer accounts is achieved through either the domain takeover or account recovery process. Attackers compromise the developers’ Visual Studio Code accounts or npm account, where they then install a malicious Visual Studio Code extension or an npm package. 

After the initial compromise, the attackers’ BeaverTail malware searches the project directory for the most common JavaScript configuration files and other relevant files such as Tailwind CSS, Next.js, Babel, and ESLint files. It then stealthily inserts malicious code into the files. Additionally, the malware tampers with the Git commit history to hide its tracks by overwriting commit messages and timestamps. 

The latest updates to the BeaverTail malware now download the second stage of encrypted payloads from the blockchain network. Attackers have been observed using TRON, Aptos, and BNB Smart Chain blockchain networks to host the payloads. The decrypted payloads then deploy remote access malware, including DEV#POPPER RAT and OmniStealer, to exfiltrate data from the compromised systems. Researchers recommend that developers who have installed any of the compromised packages should treat their systems as compromised.

The users should update their compromised accounts, including SSH keys and tokens, from a different machine if possible. Additionally, the developers should delete the malicious versions of the packages and re-install the project dependencies using a trusted package manager lock file. Lastly, the developers should review their commits, tasks, and files for any suspicious activities or unauthorized changes.

AI-Powered Antivirus: How Next-Gen Software Predicts and Stops Threats

 

Antivirus software has undergone a profound transformation, shifting from reactive signature matching to proactive behavior prediction. Where traditional tools once relied on databases of known malware fingerprints, modern solutions now leverage machine learning, behavioral analysis, and real-time monitoring to identify suspicious activity before an attack fully unfolds. This evolution is essential as cybercriminals deploy polymorphic code, fileless malware, and zero-day exploits faster than legacy defenses can adapt. 

Historically, antivirus programs functioned like a bouncer checking IDs against a blacklist of known troublemakers. If a file matched a stored signature, it was blocked; if not, it slipped through undetected. This model worked when malware evolved slowly, but today’s threat landscape moves at lightning speed. Polymorphic malware mutates its code with each infection, metamorphic variants rewrite themselves entirely, and zero-day attacks exploit freshly discovered vulnerabilities before patches exist. Signature databases, while still useful, increasingly lag behind the pace of malicious innovation, leaving systems exposed to novel or rapidly changing threats. 

Modern antivirus flips the script by focusing on behavior rather than identity. It monitors API calls, memory access patterns, encryption bursts, and unusual network traffic to spot anomalies. For instance, a process that suddenly begins locking files across a network, disabling security services, or contacting unfamiliar servers at odd hours raises red flags—even if it has no known signature. This behavior-first approach is critical against ransomware and fileless attacks that operate in memory or hijack legitimate tools to avoid detection. Anomaly detection establishes a baseline of “normal” system activity and alerts on deviations, enabling early intervention before damage spreads. 

Machine learning supercharges this capability by training models on vast datasets of both clean and malicious files. These algorithms learn subtle patterns linked to malware—suspicious code structures, odd execution paths, or risky permission requests—and assign risk scores to files and processes. Decision trees, support vector machines, and neural networks each contribute to layered evaluations that reduce false negatives for unseen threats. Companies like Microsoft, CrowdStrike, and SentinelOne deploy such models at scale, continuously refining them with telemetry from millions of endpoints. The result is a system that generalizes from past attacks to catch new ones, even without an exact signature match. 

The ultimate aim is prediction: intercepting malware in its earliest stages using sandboxing, dynamic analysis, and integration with broader security stacks like endpoint detection and response (EDR). Suspicious files are detonated in isolated environments to observe their behavior safely, while EDR tools trace attack chains across networks. Yet AI is a double-edged sword—attackers also use it to craft evasive malware that adapts to detection systems. False positives and privacy concerns from heavy telemetry remain challenges. For most users, built-in tools like Microsoft Defender and Apple’s XProtect offer strong baseline protection, but layered security and user vigilance against phishing are still essential.

Report Details Alleged $1 Million Payment to Kairos After Data Theft

 



A newly published investigation has offered an unusual look inside a cyber extortion case in which a U.S. government organization is believed to have paid about $1 million after attackers stole sensitive data from its network. The analysis, conducted by Rakesh Krishnan for Ransom-ISAC, draws on leaked negotiation conversations and cryptocurrency transaction records to reconstruct how the incident unfolded.

The case stands out because the attackers, operating under the name Kairos, do not appear to have used traditional ransomware. According to the report, investigators found no evidence that the group encrypted computer systems or provided victims with decryption keys. Instead, the attackers allegedly copied confidential files and demanded payment in exchange for keeping the stolen information private.

Although the report does not identify the victim by name, several details point toward Union County, Ohio. File names referenced during the negotiations included "Union.xlsx," "1 union co psi template.doc," and an archive labelled "union.rar." One collection of files reportedly came from the county prosecutor's office, with the attackers claiming that publishing those records could interfere with criminal cases. During the discussions, the victim also described itself as a small county government with limited financial resources.

The reported incident closely matches a cyberattack disclosed by Union County in May 2025. At the time, county officials announced that personal information belonging to 45,487 current and former employees and residents had been exposed. The compromised records included Social Security numbers, financial information, passport details, fingerprints, and other sensitive data. Neither Union County nor Kairos has publicly confirmed that the leaked negotiations relate to that breach.

The leaked conversations show that the negotiations continued for nearly a month. Kairos initially demanded $3 million, claiming to possess more than two terabytes of stolen information containing around 1.6 million files. The victim responded with progressively higher offers, beginning at $100,000 before increasing to $255,000 and later $430,000. The attackers eventually reduced their demand to $1 million while imposing strict payment deadlines and warning that the most sensitive files would be released if an agreement was not reached.

According to the investigation, the payment was made on June 13, 2025, using approximately 9.44 Bitcoin, valued at roughly $1 million at the time. Blockchain analysis traced the cryptocurrency through several digital wallets before portions of the funds reached addresses linked to the cryptocurrency exchanges Bybit and OKX, as well as the Russian cryptocurrency service BELQI. While blockchain records allow investigators to follow the movement of digital assets, they do not automatically reveal the identities of those controlling the wallets.

The report also questions the value of paying cybercriminals in exchange for promises to delete stolen information. Kairos reportedly supplied what it described as proof that the files had been removed. However, the evidence only showed that the group once possessed the data and could not verify that every copy had actually been destroyed. Security experts have long warned that organizations have no reliable way to confirm whether stolen information has been deleted after a ransom payment.

Beyond the individual case, the investigation reflects a wider change in the cybercrime ecosystem. An increasing number of threat groups are abandoning file encryption and relying solely on data theft and extortion to pressure victims into paying. Sophos reported that only about half of the ransomware incidents it investigated during 2025 involved data encryption, the lowest proportion recorded in six years. Groups such as the Silent Ransom Group have also carried out extortion campaigns targeting organizations by threatening to leak stolen information without deploying ransomware.

The Kairos negotiations also resemble tactics seen in previous cyber extortion cases. Researchers examining leaked internal communications from the Black Basta ransomware operation found similarly prolonged bargaining, with initial multimillion-dollar demands eventually ending in substantially lower settlements. Earlier leaks involving the Conti ransomware group provided comparable insight into how attackers negotiate payments behind the scenes.

Although Kairos' public leak site is no longer online and its last publicly known victim was recorded in June 2026, investigators observed cryptocurrency activity linked to the group's infrastructure as recently as May 2026. The continued movement of funds suggests that the disappearance of a leak site does not necessarily indicate that an operation has ceased.

The case offers several practical lessons for government agencies and other organizations. Strengthening multi-factor authentication, monitoring repeated failed login attempts, watching for unusually large outbound data transfers, separating highly sensitive records from other systems, and preparing a communication strategy before an incident occurs can all reduce the impact of cyber extortion. The investigation also reinforces a point repeatedly emphasized by incident responders: once data has been stolen, there is no dependable way to verify an attacker's promise that it has been permanently deleted.

Massive Azure CLI Password Spray Campaign Targets Microsoft 365, Over 81 Million Login Attempts Detected

 

Cybersecurity company Huntress has uncovered a large-scale password spray campaign targeting Microsoft 365 environments through the Azure CLI, resulting in millions of malicious login attempts and multiple account compromises.

According to the company, between June 12 and June 21, attackers carried out more than 81 million login attempts against customer environments. The campaign led to the compromise of 78 user accounts across 64 organizations.

During the two-week period, threat actors were found compromising between two and four accounts each day. However, activity surged around June 22, when 23 organizations were reportedly affected in a single spike.

Huntress' investigation revealed that the majority of the login attempts originated from Autonomous System (AS) 32167, which is associated with internet hosting provider LSHIY LLC.

“These attacks are part of a large wave of credential spray attacks across a few different ASNs. In the past six months, Huntress has observed the volume of credential spray attacks increase by over 155 times across our customer base,” the cybersecurity company says.

The company also observed a sharp increase in password spray attacks during late May and early June, impacting multiple organizations. Huntress believes the campaign primarily relied on previously compromised username-password combination lists.

As part of the attack, the threat actors exploited the OAuth Resource Owner Password Credentials (ROPC) authentication flow to validate user credentials. Although this authentication method has been deprecated in OAuth 2.1, it still allows attackers to obtain a new user-delegated access token when valid credentials are provided.

Because of this authentication flow, attackers were able to compromise accounts even when multi-factor authentication (MFA) was enabled, provided that MFA policies were not configured to protect the OAuth ROPC authentication process.

“ROPC is considered problematic for several reasons, but one of those reasons is that it doesn’t offer support for modern auth flows like MFA or SSO. That means, as we saw in this campaign, ROPC sends the password straight to the /token endpoint with no interactive MFA prompt,” Huntress explains.

Further analysis of the affected environments showed several weaknesses in MFA implementation. In some organizations, MFA was applied only to specific cloud applications or user groups. Others enforced MFA only for logins from untrusted locations, while some had deployed MFA policies that were never actively enforced.

“It’s worth noting that eight businesses impacted by the campaign had no MFA policy at all. While threat actors in this campaign were able to get in despite MFA being set up, the takeaway should not be that MFA doesn’t work at all; instead, organizations should ensure that their MFA policies are properly configured to address the authorization flow used across these incidents,” the cybersecurity firm notes.

Huntress also traced the attack traffic to IPv6 address ranges linked to LSHIY, an internet infrastructure provider registered in Hong Kong, Wuhan, China, and New York. Previous reports have also associated IPv6 ranges operated under AS32167 and AS955 with infrastructure originating from China.

The cybersecurity firm said it reported the malicious activity to LSHIY through the provider's abuse reporting mechanism but did not receive any response.

AI-Driven Software Development Demands a New Approach to Security Audits

 



Artificial intelligence is rapidly reshaping how software is built, enabling developers to generate code, automate repetitive tasks and accelerate application development. While these tools are helping organizations improve productivity, cybersecurity experts warn that they are also introducing new security and governance challenges that traditional software audits were never designed to address. As AI-generated code becomes more deeply embedded in development workflows, security leaders are being encouraged to expand software audits beyond compliance checks and evaluate how artificial intelligence influences the entire software development lifecycle (SDLC).

Unlike conventional audits, which primarily examine financial records, operational controls and regulatory compliance, modern software audits must determine how AI contributes to software development and whether its use introduces security risks before applications are deployed. This includes identifying which developers are using AI-powered coding assistants, understanding how frequently these tools are used, determining where AI-generated code enters development pipelines, and verifying that approved tools are being used responsibly. Collectively, these activities form what many security professionals now describe as the Agentic Development Lifecycle (ADLC), where governance extends beyond the software itself to the AI systems supporting its creation.

The need for stronger oversight is becoming increasingly urgent. Research has found that one in five organizations has experienced a serious security incident associated with AI-generated code, highlighting how limited visibility into AI-assisted development can expose organizations to unnecessary risk. Without a clear understanding of developer practices and AI tool adoption, Chief Information Security Officers (CISOs) face growing challenges in enforcing security policies, demonstrating regulatory compliance and providing boards with measurable assessments of AI-related risk.

Although AI coding assistants can significantly improve developer efficiency, security specialists caution that they should not be treated as autonomous software engineers. Studies comparing human developers with large language models (LLMs) show that leading AI models can effectively identify issues such as insecure coding patterns, code smells and certain design weaknesses. However, they continue to struggle with more complex security responsibilities, including denial-of-service protections, insufficient logging and permission management. As a result, experienced developers remain essential for reviewing AI-generated code, identifying inaccuracies and ensuring vulnerabilities are eliminated before software reaches production.

Security leaders also recommend that organizations adopt a structured auditing framework for AI-assisted development. This includes maintaining an inventory of approved AI coding tools, mapping AI-generated code to development activities, benchmarking models against known vulnerability patterns and monitoring integrations to ensure AI agents access only authorized tools and data sources. Regular vulnerability assessments, developer upskilling and risk-based evaluations can further help organizations identify skill gaps, strengthen governance and reduce the likelihood of preventable security incidents.

Ultimately, effective AI governance requires more than simply adopting new technologies. By combining continuous oversight with skilled human review and well-defined security policies, organizations can harness the productivity benefits of AI while maintaining secure software development practices. As AI becomes an increasingly permanent part of modern software engineering, comprehensive audits will play a central role in ensuring innovation does not come at the expense of security.

MSG Data Breach: Hackers Leak Facial Recognition Records of 26 Million Visitors

 

A massive data breach at Madison Square Garden has exposed the facial recognition and personal records of millions of visitors, sparking outrage and legal action. The cybercrime group ShinyHunters leaked 45 gigabytes of stolen data after the arena’s parent company missed a ransom deadline, raising serious concerns about biometric privacy and surveillance. 

The breach, which reportedly occurred on June 5, 2026, involved the theft of what hackers claim are 26 million customer and corporate records. The leaked files include biometric tracking logs, internal threat assessments, background check information, and detailed dossiers on attendees—some dating back to 2018. Among the exposed data were references to New York Knicks players, coaches, and talent, with fields listing addresses, contact details, and even “cost of talent.” Customer emails were also part of the dump, including messages from fans who had previously expressed concern about being misidentified by MSG’s facial recognition cameras. 

What makes this incident particularly alarming is MSG’s extensive use of facial recognition technology across its venues. For years, the arena has deployed biometric systems to screen visitors—and controversially, to ban lawyers from firms that have sued the company. The leaked surveillance records now reveal how deeply the venue tracked individuals, creating detailed profiles without clear consent. Privacy advocates argue this breach underscores the risks of unchecked biometric data collection, especially when security practices fail to protect such sensitive information.

In the wake of the leak, a federal class-action lawsuit—Avalo v. MSG Entertainment—was filed on June 16 in a New York court. The plaintiff, Carlos Avalo, alleges his biometric data was captured during a 2025 concert visit without proper disclosure or consent. The suit seeks at least $5 million in initial damages and highlights violations of biometric privacy laws. This is not MSG’s first major breach in under a year, further eroding trust in the company’s ability to safeguard visitor data. Despite repeated requests, MSG Entertainment has not publicly confirmed the full scope of the breach or commented on the lawsuits. 

The ShinyHunters group, known for targeting high-profile organizations like Kodak and Instructure, claimed responsibility for the attack, alleging they gained access by socially engineering a low-level employee. The incident serves as a stark reminder of the vulnerabilities in even the most advanced surveillance systems—and the human element that often remains the weakest link. As investigations continue, the breach raises urgent questions about the ethics of biometric data collection, the adequacy of current privacy regulations, and the responsibilities of venues that turn guests into data profiles.

Google Targets NetNut Residential Proxy Network Operating Across Two Million Devices


 

Several international authorities have coordinated operations to disrupt the infrastructure behind a large residential proxy network, also known as Popa, after Google dealt a significant blow to one of the internet's largest residential proxy ecosystems. 

Through the action, which was conducted in collaboration with Lumen Technologies, the FBI, and other industry partners, millions of compromised Android-powered devices, including smart TVs, streaming boxes, and other internet-connected consumer hardware, were prevented from accessing the network. This significantly reduced the network's operational capacity. 

In the network, ordinary household devices were covertly transformed into proxy relays that permitted cybercriminals and state-linked threat actors to route malicious activity through legitimate residential IP addresses while masking their identities while provoking suspicions among unsuspecting individuals. 

According to security researchers, there are at least two million compromised devices worldwide comprised of the botnet, indicating both its scope and the growing misuse of consumer IoT infrastructure in modern cyber campaigns. In addition to its sheer scale, NetNut has become an integral component of the underground residential proxy market, providing infrastructure to hundreds of cybercriminals and espionage-linked threat actors. 

Several domains were used to conduct the operations of the service, including netnut.com, seized as a result of the FBI's disruption efforts. Researchers at the Google Threat Intelligence Group (GTIG) observed 316 distinct threat clusters that leveraged suspected NetNut exit nodes during one week last month, illustrating the platform's substantial operational reach. 

As a result of the analysis, attackers were not only able to hide access to their own infrastructure, but also were able to conduct password-spreading campaigns and establish covert connections into targeted environments by using trusted residential IP addresses. NetNut operators are dependent on Google to provide malware command-and-control (C2) services, so Google disabled their accounts and cloud services, effectively cutting them off from their critical backend infrastructure. 

The company notified affected Android users and deactivated malicious applications associated with the botnet simultaneously through Google Play Protect, and it distributed technical intelligence on NetNut's software development kits (SDKs) and C2 architecture to platform providers, law enforcement agencies, and cybersecurity researchers in order to strengthen coordination in detection and mitigation. 

Moreover, Google emphasized that the disruption is likely to spread beyond a single botnet, as NetNut's reseller model has provided infrastructure to multiple residential proxy providers for many years, making the operation potentially significant for the entire illicit proxy ecosystem. Investigations into the operation have also highlighted the commercial infrastructure that underpins the proxy network. 

A report from Qurium, Synthient, Nokia Deepfield, and Spur in June linked the Popa botnet to NetNut, an Israeli public company owned by Alarum Technologies. During controlled testing, Synthient demonstrated that traffic routed through NetNut's commercial gateway originated from a device that was intentionally enrolled in the Popa network, providing evidence that the commercial proxy service was directly connected to compromised endpoints. 

In addition to the researchers refraining from attribution of intent or operational knowledge to Google, Google stated that its own threat intelligence was consistent with the public findings, treating NetNut and Popa as components of the same network and supporting the research team's assessment of proxy infrastructure construction. 

In contrast, Alarum has firmly rejected those conclusions, rejecting the categorization of NetNut as a botnet, and stating that the research is based on "unverified facts, as opposed to demonstrably inaccurate assertions and flawed deductions." In addition to maintaining that its platform operates as a legitimate, consent-based bandwidth-sharing service, the company maintains that it does not compromise user devices or function without authorization. 

Synthient's analysis challenged that position, revealing that none of the twenty examined applications related to the ecosystem provided meaningful consent prompts before enrolling users' devices in bandwidth sharing operations, raising further questions about transparency in the software distribution process. 

Aside from cautioning that removing NetNut represents only the first phase of a much larger effort, Google also stressed that the company operates a large white-label reseller program that allows third parties to market access to the same residential proxy infrastructure under a variety of brand names. As the company points out, a number of residential proxy services which appear to be independent ultimately draw connectivity from the NetNut device pool, so disruptions can affect multiple brands simultaneously if one provider is disrupted. 

However, Google characterized the latest actions as degradation, not a complete takedown, pointing out that operators have previously restored capacity through the use of competing proxy providers to source infrastructure. As evidence of the resilience of these interconnected ecosystems, the company cited its disruption of the China-linked IPIDEA residential proxy network in January and its subsequent legal action against the operators of the BadBox 2.0 botnet, whose Android TV infrastructure is similar to Popa, which was launched in July 2025. 

In order to create long-term impact, sustained, coordinated disruption across multiple providers must be undertaken. According to researchers, consumers' access to residential proxy networks is most commonly facilitated by applications that offer financial rewards for "unused bandwidth" or "sharing internet access." It is highly recommended that security teams only install apps from trusted app stores, carefully review VPN and proxy software permission requests, enable protections such as Google Play Protect, and purchase smart TVs and streaming devices from reputable manufacturers to minimize the risk of preloaded or malicious software being installed. 

Additionally, the report warns that residential IP addresses will not be in short supply in the cybercriminal ecosystem following NetNut's disruption. In order to identify any reemergence of NetNut-related traffic, continued monitoring of reseller brands and successor infrastructure is essential. 

According to Alarum's corporate legal counsel, Omer Weiss, a statement following the operation was issued by the company in which it was made aware of the FBI's seizure of certain NetNut-related domains on July 2, 2026. According to Weiss, Alarum is seriously concerned about the matter and will work closely with law enforcement authorities to investigate any misuse of its infrastructure and support the pursuit of accountability for those responsible. 

 As a result of NetNut's disruption, an important step in challenging the growing abuse of residential proxy infrastructure has been achieved, but the disruption also underscores the increasingly interconnected nature of commercial services, compromised consumer devices, and cybercriminal operations as well.

In a rapidly evolving proxy ecosystem characterized by reseller networks and shared infrastructure, sustained collaboration between technology providers, law enforcement agencies, and cybersecurity professionals will remain crucial. Maintaining trusted software sources, enforcing built-in security protections, and monitoring for unauthorized network activity remain practical safeguards against a threat landscape that is becoming increasingly adaptable.

Apple Expands AI in iOS 27 with Smarter Everyday Features Beyond Siri

 

Apple is expanding its artificial intelligence strategy beyond Siri with iOS 27 by integrating AI across its apps and services instead of relying on a standalone chatbot. The new features are designed to simplify everyday tasks through automation while giving users control and maintaining Apple’s privacy-first approach. 

One of the key additions is Bill Splitting, which uses Apple Cash to divide restaurant bills. After scanning or uploading a receipt, Apple Intelligence identifies ordered items, quantities, taxes, tips, and the total amount. Through Messages, users can select what they ordered, allowing everyone to pay their share without manually calculating costs. Apple is also enhancing account security with its Passwords app. 

The feature can detect compromised or weak credentials exposed in data breaches, recommend stronger passwords, and securely update them on supported websites without requiring users to manually log in and change each password. The Messages app is gaining AI-powered suggestions that help users complete common tasks. It can recommend photos when someone asks about a past event, suggest creating reminders when someone requests an item, and prompt users to add meetings or dinner plans to their Calendar without leaving the conversation. 

A new Call Context feature will display useful information, such as booking confirmation numbers stored in Mail, during customer service calls. Apple says all processing happens on the device, ensuring personal information remains private. The Shortcuts app is also becoming easier to use by allowing users to create automations using natural language. Instead of manually building workflows, users can simply describe what they want, such as updating their calendar, controlling smart home devices, or sharing their ETA with family members.  

Additional iOS 27 features include AI-powered tab organization in Safari, which groups related webpages by topic, and smarter Home app notifications that combine multiple smart home events into a single alert. Apple has also improved search within the Home app to help users quickly find important camera clips, such as package deliveries. Together, these updates highlight Apple’s broader AI vision of embedding intelligence throughout its software rather than limiting it to Siri. 

By integrating AI into familiar apps, the company aims to make daily tasks faster, simpler, and more secure while continuing to prioritize user privacy.

Anubis Ransomware Gang Attacks Again, Exploit Remote Access


Hackers linked with Anubis ransomware operation were found abusing the Citrix Bleed 2 (CVE-2025-5777) flaw to find initial access. 

According to Arctic Wolf, the techniques vary among different affiliates, and few patterns surfaced in tradecraft via authentic Remote Management and Monitoring (RMM) tooling, hands-on-keyboard procedures and credential access. 

Anubis also exploited authentic remote access and admin tools such as MeshAgent, Total Software Deployment, ScreenConnect, UltraVNC, and Zoho Assist to merge with usual IT operations while handling control of target systems.

About Anubis 

Anubis is a RaaS gang that first surfaced in late 2024 as a spinoff of Sphinx ransomware. The ransomware campaign was first disclosed on the Ransomware and Advanced Malware Protection (RAMP) darkweb forum in February last year. As per the data from Ransomware.Live, the cybercrime gang has taken responsibility for 91 victims on its data leak website, with 11 targets in June 2026.

Areas impacted

Some significant areas attacked are business services, technology, financial services, healthcare, and technology. Above 50% of the targets are based in the U.S, then U.K, Australia, France, and Canada.

Rubrik Zero Labs published a report in July 2025 which said Anubis promotes promising profit splits, which offers 80% of the ransom paid, and combines it with a data wiping (irresistible) feature to further blackmail the victims to pay upfront.

Experts at Rubrik said that “when Anubis's /WIPEMODE module is activated, files remain in directories but are reduced to a 0 KB size regardless of ransom payment.” The experts added that when “Anubis changes ransomware’s traditional strategic calculus, it creates powerful incentives for motivated threat actors to deploy Anubis in pursuit of lucrative returns.”

The impact

Commenting on the severity of the attack, Rubrik said that, “Knowing threat actors can revert victims' environments to this scorched-earth state with a single command significantly increases pressure on victims to pay before the wiper is fully activated.”

The ransomware incidents in 2026 consist both exploitation of CVE-2025-5777 (CVSS score: 9.3), a severe flaw affecting Citrix Net and valid VPN credential use.

The source of VPN credentials in these attacks is unknown, but experts say that they are likely to be collected after the first compromise, or via credential stuffing, initial access brokers (IABs), or information stealer operations.  

runZero Uncovers Seven FatFs Vulnerabilities That Could Expose Millions of Embedded Devices to Code Execution

 

Security firm runZero has revealed seven security vulnerabilities in FatFs, a lightweight filesystem library widely used by embedded devices to read and write FAT and exFAT storage formats found on USB drives and SD cards.

The vulnerabilities are considered significant because FatFs is integrated into the firmware powering a broad range of products, including security cameras, drones, industrial control systems, hardware cryptocurrency wallets, and devices running real-time operating systems (RTOS).

According to the researchers, attackers could exploit the flaws by introducing a specially crafted USB drive, SD card, or malicious firmware update file to vulnerable devices. On severely affected systems, successful exploitation could lead to memory corruption and arbitrary code execution.

runZero noted that many embedded devices do not implement the memory protection mechanisms commonly found in smartphones and desktop operating systems. As a result, "any physical access leads to a jailbreak." The researchers warned that devices such as public kiosks, security cameras with SD card slots, ATMs, and voting machines equipped with USB ports could potentially be compromised with only brief physical access.

The seven vulnerabilities stem from a similar root cause. When FatFs processes intentionally malformed storage media or firmware images, it improperly handles invalid data, creating opportunities for crashes, memory corruption, or data leakage. The vulnerabilities have received CVSS ratings ranging from Medium to High, with none classified as Critical.

The most severe issue, tracked as CVE-2026-6682 (CVSS 7.6), is an integer overflow affecting FAT32 volume mounting. Incorrect calculations can generate an inaccurate file size, which is later interpreted as a legitimate read length, potentially resulting in memory corruption and remote code execution.

The complete list of disclosed vulnerabilities includes:

  • CVE-2026-6682 (CVSS 7.6 – High): Integer overflow during FAT32 volume mounting that can cause memory corruption and possible code execution. The flaw may also be exploited through certain firmware update mechanisms.
  • CVE-2026-6687 (CVSS 7.6 – High): A buffer overflow involving an exFAT volume-label field that enables memory corruption.
  • CVE-2026-6688 (CVSS 7.6 – High): Long filenames can overflow wrapper code commonly implemented around FatFs, making mitigation dependent on downstream developers rather than the library itself.
  • CVE-2026-6685 (CVSS 6.1 – Medium): Integer wraparound in cache handling for fragmented volumes that may silently corrupt stored data.
  • CVE-2026-6683 (CVSS 4.6 – Medium): Divide-by-zero vulnerability in exFAT handling that can crash devices and potentially render hardware unusable during firmware updates.
  • CVE-2026-6686 (CVSS 4.6 – Medium): Improper file extension handling that may expose residual data from previously deleted files.
  • CVE-2026-6684 (CVSS 4.6 – Medium): A malformed GPT partition table can cause devices to hang while mounting storage media. This is currently the only vulnerability addressed upstream in FatFs version R0.16.

runZero also highlighted challenges surrounding coordinated disclosure. The company said it repeatedly attempted to contact the FatFs maintainer and involved Japan's JPCERT/CC coordination center but did not receive a response.

As a result, the researchers stated that there are currently no upstream patches for the memory corruption vulnerabilities, no dedicated security advisory process, and no centralized mechanism for notifying the numerous vendors that bundle FatFs into their products. While upgrading to FatFs R0.16 mitigates the GPT partition issue, the remaining vulnerabilities require downstream vendors to develop and distribute their own fixes.

The vulnerabilities affect multiple software platforms and frameworks that incorporate FatFs, including Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and the SWUpdate firmware updater. This broad adoption extends the potential impact across consumer IoT devices, industrial equipment, drones, and cryptocurrency hardware wallets.

As of runZero's public disclosure on July 1, no known attacks exploiting these vulnerabilities had been reported. However, the researchers have released proof-of-concept disk images, a testing framework, and a functional QEMU-based exploit demonstration, making technical details publicly available.

For firmware developers, runZero recommends identifying any bundled FatFs implementations, reviewing wrapper code for unsafe filename and file-size handling, and preparing vendor-specific patches. Organizations operating affected devices are advised to treat USB ports, SD card slots, and firmware update channels as potential attack vectors by restricting physical access and applying firmware updates as they become available.

AI-assisted vulnerability research speeds up discovery

runZero revealed that it initially reviewed FatFs manually in 2017 but found few noteworthy issues. During a renewed assessment in March 2026, the researchers employed an AI-assisted workflow using Visual Studio Code, GitHub Copilot running in "auto" mode, and a series of simple prompts.

The AI-generated workflow created a fuzzer capable of feeding malformed inputs into the filesystem library, uncovering vulnerabilities that had been missed during the earlier manual review while also helping validate their exploitability.

The researchers compared this trend to other recent AI-assisted security discoveries, including Google's Big Sleep identifying an exploitable memory flaw in SQLite during late 2024 and an autonomous AI agent discovering 21 memory-safety vulnerabilities in FFmpeg last month.

runZero argued that the increasing accessibility of AI-powered security research means attackers can leverage similar techniques, making timely vulnerability disclosure and remediation increasingly important.

The company also warned that patch deployment across the embedded ecosystem is likely to take years rather than months. It cited the 2024 PixieFail vulnerabilities affecting EDK II firmware as an example of slow downstream remediation and suggested that FatFs faces an even greater challenge due to the absence of an active upstream security response.

Until upstream fixes become available and platform vendors release security updates, organizations should assume that many deployed embedded devices continue to process untrusted FAT and exFAT media using vulnerable code.

Nissan Confirms Employee Data Breach Following Oracle PeopleSoft Zero-Day Cyberattack

 

Nissan has confirmed that it fell victim to a third-party cyberattack after being targeted as an Oracle PeopleSoft user, making it the latest company to suffer an attack due to a yet-revealed vulnerability. The breach is currently under investigation, with Nissan reporting that the attackers could have accessed the personal data of thousands of employees worldwide. 

Based on the breach notification sent to the California Department of Consumer Affairs, Nissan Americas uses Oracle PeopleSoft to perform essential employee management functions, including payroll, taxes, and record-keeping. The attack relied on a zero-day flaw, CVE-2026-35273, which was patched later, with the vulnerability already being actively exploited. There breached data is reported to affect current and former employees in the United States, Canada, Mexico, and Brazil. 

Notably, the data includes social security, banking, financial, and tax information. Nissan is currently investigating the scope of the damage, with the company yet to conclude its research. Researchers report that ShinyHunters extortion gang is behind the identified Oracle PeopleSoft-related attacks, with over 100 companies already reportedly identified as victims of the zero-day flaw. 

Although Nissan was not found on the ShinyHunters data leak site, reports suggest that the cybercriminals might still use the data for extortion. It remains unclear whether the breached data would be published or utilized in ransomware attacks by the threat actors. The vulnerability affecting Oracle PeopleSoft, which has been reported to affect thousands of enterprise users worldwide, continues to raise concerns. 

Since the affected software is designed for critical data, including employee management, the security flaw may have severe implications. Besides Nissan, several companies have been reported to fall victim to the vulnerability, with Everest Ransomware Group recently claiming to have stolen customer data from the car manufacturer. Cybercriminals seem to target major manufacturers, including those based in the United States and threatening to expose the data for extortion. 

Although only a handful of companies have officially confirmed to be victims of the Oracle PeopleSoft cyberattack, others are likely to suffer due to the scale of the problem. National Association of Insurance Commissioners recently confirmed being a victim of the attack, with the University of Nottingham also reportedly being among the affected institutions. 

The most significant damage, however, seems to be related to the education sector, with Illinois Central College and Moody Bible Institute being the only two confirmed victims at the time of the publication. According to cybersecurity analysts, the sector has suffered the largest fallout from the PeopleSoft attack, with several universities reportedly being targeted by the ShinyHunters extortion gang. 

Another PeopleSoft cyberattack serves as a reminder of the constant security challenges facing enterprise users relying on the application to protect sensitive employee data. With investigations into the breach underway, more companies may be identified as victims of the attack in the coming weeks.

81 Million Login Attempts Linked to Azure CLI Password Spray Attack

 


A large-scale password spraying campaign targeting Microsoft 365 environments through Microsoft’s Azure Command-Line Interface (Azure CLI) generated more than 81 million authentication attempts and compromised at least 78 user accounts across 64 organizations, according to cybersecurity firm Huntress.

Huntress said the activity was observed between June 12 and June 21, with attackers typically compromising two to four accounts per day before activity surged around June 22, when 23 organizations were affected. Most of the login attempts originated from AS32167, an autonomous system associated with hosting provider LSHIY LLC.

The company said the campaign formed part of a larger wave of credential-spraying attacks spanning multiple autonomous systems and noted that the volume of such attacks across its customer base has increased more than 155-fold during the past six months. Investigators believe the operation relied primarily on previously exposed username-and-password combinations obtained from credential leak collections.

A key element of the campaign was the use of the OAuth Resource Owner Password Credentials (ROPC) flow through Azure CLI. Although ROPC has been deprecated in OAuth 2.1, it can still exchange valid usernames and passwords directly for access tokens without an interactive sign-in prompt. Huntress said this allowed attackers to authenticate successfully in environments where multi-factor authentication policies did not fully cover that authentication flow.

The investigation identified several configuration gaps among affected organizations, including MFA policies applied only to certain cloud applications or user groups, enforcement limited to non-trusted locations, and policies that had been configured but never enforced. Huntress also found that eight impacted organizations had no MFA policy enabled.

Huntress emphasized that the findings should not be interpreted as evidence that MFA is ineffective. Instead, organizations should review Conditional Access policies, eliminate deprecated authentication methods where possible, ensure MFA protections apply to all supported sign-in flows, and monitor Azure CLI authentication activity for unusual login patterns.

The IPv6 address range used in the campaign belongs to LSHIY, an internet infrastructure provider registered in Hong Kong, Wuhan, China, and New York. Huntress said it reported the activity through the provider’s abuse-reporting channel but had not received a response.

BioSchocking Attacks Tricked AI-powered Browsers into Data Theft


A new prompt injection termed “BioShocking” can manipulate AI-based browsers into treating malicious actions as a video game, and give away your login credentials. The technique was discovered by experts at security firm LayerX. The experts tricked six AI-powered browsers and assistants into recording users’ credentials and sending them to the threat actor. 

The browsers include:

ChatGPT Atlas from OpenAI

Comet from Perplexity

Anthropic’s Claude browser

Fellou

Genspark browser

Sigma browser

LayerX experts made a proof-of-concept (PoC), which was tested against these agentic AI browser products. The findings revealed that only one browser addressed the issue after receiving the report.

What is an AI browser?

An AI browser can streamline the entire workflow for the users. If you switch it to agent mode, it can click type, and visit sites that the user has already logged into. Access is the key point hare, which also becomes the problem.

BioShocking attack tactic

Experts made a (PoC) in which an infected webpage showed a BioShock-themed puzzle that rewards wrong answers. This tricks the browser that normal rules are not applicable. 

The trap works because of how these AI-powered browsers read. The webpage and instruction surface as a single stream of text, which allows a malicious page access in commands mimicking ordinary content or game rules. The agent can not tell which is which. Experts have termed this indirect prompt injection.

Tricking the browser

For instance, the compromise starts with a web page made as a puzzle. 3+4+=9 is a wrong answer but the browser rewards it. When the agent accepts that wrong answer is the reward, it follows game puzzle logic not security logic. Following this, the puzzle asks the browser to record login credentials. All six browsers could not flag it as something malicious. To win the game, the agent is commanded to go to a GitHub repository and share the data in the code, such as sensitive data like passwords.

When the link is sent to the target's GitHub repository, it retrieves SSH login credentials and sends them to the hackers. The main issue here is that browsers can’t differentiate between real scenarios and malicious fictional ones. 

According to LayerX, “Once the agents figured out the rules and learned that 'incorrect' actions are acceptable, they were no longer tied to reality.” “When tasked with the final step of the puzzle – compromising user credentials – all 6 agents failed to identify it as going against their safety guardrails,” the experts continued.

The PoC did not execute any malicious commands but warned that it could do so.

AI vendors’ response

According to experts, only OpenAI implemented a working patch for BioShocking in its browser.

Anthropic tried to fix the issue on its chrome login, but the patch was not working against the PoC. Perplexity did not fix the issue, and closed the report. 

LayerX advises that AI vendors should add specific user acknowledgement for sensitive work, and stronger security checks.

Google Cripples NetNut Proxy Network Spanning 2 Million Devices

 

Google has delivered a major blow to NetNut, one of the world’s largest residential proxy networks, by crippling its ability to route malicious traffic through millions of compromised home devices. The operation, conducted in coordination with the FBI, Lumen, and other partners, marks a significant escalation in the fight against infrastructure that cybercriminals rely on to hide their activities. 

Google’s Threat Intelligence Group (GTIG) estimates that NetNut—also tracked under the name Popa—spanned at least 2 million devices globally, including smart TVs, streaming boxes, and other internet-connected appliances. In a single week in June, Google observed 316 distinct threat clusters using suspected NetNut exit nodes to mask their location and carry out activities such as password guessing and malware distribution. By disabling accounts and services tied to NetNut’s command-and-control infrastructure, Google says it has reduced the network’s usable device pool by millions, severely degrading its business operations. 

NetNut grew by embedding its software development kit (SDK) into seemingly legitimate apps and firmware, often on low-cost or no-name hardware. Many victims unknowingly installed applications that promised payment for “unused bandwidth” or “sharing your internet,” a common lure for these networks. Once integrated, the SDK turned devices into relays for other people’s traffic, making malicious activity appear to originate from ordinary home IP addresses and helping attackers bypass security tools and geo-restrictions. 

Google’s response combined legal, technical, and user-protection measures. The company disabled infrastructure used for NetNut-related malware operations, shared detailed technical intelligence on the group’s SDK and backend systems with law enforcement, and worked with partners to seize domains controlling compromised devices. On the user side, Google Play Protect was updated to automatically warn users and disable apps found to integrate the NetNut SDK, while Google identified hundreds of Android apps and thousands of Windows files linked to the network’s infrastructure.

While Google describes the action as a “degradation” rather than a full takedown—NetNut also operates through reseller programs and white-label brands—the disruption raises the cost and complexity for attackers using residential proxies. For everyday users, the incident underscores the risk of installing obscure apps, especially those offering payouts for bandwidth, and of using cheap, unbranded streaming devices. Sticking to official app stores, reviewing app permissions, keeping Play Protect enabled, and buying hardware from reputable manufacturers remain the best defenses against ending up as an unwitting node in the next NetNut-style network.

Anthropic Clarifies Claude Fable 5 Subscription Removal Is Temporary, Plans Return After Capacity Improves

 

Anthropic has clarified that its flagship AI model, Claude Fable 5, will no longer be included in Claude subscription plans after July 7. However, the company emphasized that the change is temporary and that it intends to bring the model back to subscription tiers once it has enough infrastructure capacity to support demand.

The update comes shortly after Anthropic reinstated access to Fable 5 following the removal of US export restrictions on its advanced AI models, Fable 5 and Mythos 5.

With the relaunch, the company made Fable 5 available across Claude.ai, Claude Code, Claude Cowork, and the Claude Platform. However, due to overwhelming user interest, Anthropic has decided to limit access and transition the model to a usage-based billing system starting next week.

"For Pro, Max, Team, and select Enterprise plans, Fable 5 will be included for up to 50% of weekly usage limits through July 7, after which it will be available via usage credits," Anthropic said in its original blog post.

That announcement sparked concerns among users that Claude Fable 5, the company's most advanced AI model, would permanently become a premium add-on instead of remaining part of standard subscription plans.

Addressing those concerns, a Claude Code lead engineer confirmed that the shift is not intended to be permanent and that Anthropic plans to restore the model to subscription offerings when resources permit.

"I've heard a lot of questions about Fable's availability on subscription plans," the engineer wrote in a post on X. "While it will come off subscriptions after July 7th, we aim to restore Fable as a standard part of our subscriptions as soon as capacity allows, as we mentioned in our original blog post."

Anthropic expects unpredictable demand for Fable 5

Anthropic acknowledged that estimating demand for Fable 5 remains challenging, noting that interest in the model is expected to remain exceptionally high.

According to the company, Fable 5 is currently fully accessible through the Claude API and consumption-based Enterprise plans. Subscription-based access, however, is being introduced gradually to better manage capacity.

"For subscription plans, we’d rather give access sooner than later, so we’re rolling out more conservatively, in stages," Anthropic said.

The company also reiterated that it plans to make Fable 5 a standard feature of subscription plans again once additional capacity becomes available.

"when sufficient capacity allows us to do so."

Until then, users on Claude subscription plans who want continued access to Fable 5 after July 7 will need to use usage credits, as the temporary billing change will remain in effect.

U.S. Secures Extradition of 19-Year-Old Linked to Scattered Spider


US authorities have intensified their pursuit of individuals linked to the financially motivated hacking collective Scattered Spider, and the extradition of a 19-year-old suspect marks another significant development. 

Peter Stokes, who is a dual citizen of the United States and Estonia, is accused of taking part in coordinated cyber intrusions, ransomware extortion, and fraud operations linked to the group, which disrupted more than 100 organizations across critical industries and generated more than $100 million in extortion payments for the group. 

After Stokes was arrested in Finland on a Red Notice from Interpol, he was transferred to the United States to be tried on several federal charges, which included conspiracy, computer intrusion, and extortion, demonstrating the increasing international cooperation being deployed for the dismantling of one of the most persistent cybercrime groups. 

In describing the prosecution, Federal officials said it is part of an ongoing effort to combat increasingly sophisticated cybercrime activities that target U.S. organizations across a range of industries. In his remarks, Andrew S. Boutros, U.S. Attorney for the Northern District of Illinois, co-chair of the Acting Attorney General's White Collar, Cyber, and Crypto Subcommittee Advisory Committee, stated that the allegations of the Scattered Spider attack caused widespread disruption to businesses nationwide and highlighted the increased capabilities of cybercriminals operating across international borders driven by financial gain. 

The Justice Department has demonstrated its commitment to pursuing technologically advanced threat actors regardless of where they are located with the charges, he stressed. In support of this position, Brett Leatherman, Assistant Director of the FBI's Cyber Division, stated that the group has consistently used employee-focused extortion and network compromise campaigns, which have resulted in millions of dollars of financial losses and disruptions to critical business operations. 

According to him, the investigation illustrates the importance of coordinating the efforts of domestic and international law enforcement to identify, disrupt, and prosecute cybercriminals, wherever they operate. The superseding criminal complaint alleges that Stokes is associated with several cyber intrusions allegedly conducted by his online alias "Bouquet," including activities that date back to his 16th year of age. 

A prosecutor contends that these activities were part of Scattered Spider's overall intrusion campaign, which also includes Octo Tempest, UNC3944, and 0ktapus, which are also tracked by security researchers. According to the investigation, the group compromised more than 100 networks by using highly targeted social engineering techniques, enabling the deployment of ransomware, data theft, and extortion schemes that collectively resulted in over $100 million in ransom payments as well as millions more in recovery costs for the organizations affected.

The complaint details a number of incidents in which Stokes and his co-conspirators allegedly breached a luxury jewelry retailer's network in May 2025, exfiltrating sensitive corporate data and demanding approximately $8 million in cryptocurrency. According to reports, the company declined to negotiate with the attackers, removed them from its environment, and incurred remediation expenses ranging from $2 million to $3 million. 

Stokes was reportedly apprehended at Helsinki Airport as he attempted to board a flight to Japan, where Finnish law enforcement officials confiscated two 2-terabyte hard drives as part of the investigation. According to investigators, Scattered Spider is not a traditional hierarchical cybercrime syndicate, but rather a decentralized, English-speaking network of young threat actors operating throughout the United States, the United Kingdom, and Europe. 

In order to gain initial access, the attackers utilize sophisticated social engineering techniques rather than exploiting software vulnerabilities. In their investigations, investigators assert that Scattered Spider has consistently focused on human manipulation rather than technical exploitation. It has been reported that members impersonate legitimate employees when contacting corporate IT support desks, convincing them to reset their credentials or authorize their account access before moving laterally through compromised environments, exfiltrating sensitive data, and demanding payment under the threat of publication.

After the high-profile compromises of MGM Resorts and Caesars Entertainment in 2023, the group's techniques have come under scrutiny. The intrusion at MGM severely disrupted casino and hotel operations. Several security researchers have observed a sector-focused targeting strategy since then, connecting the collective with multiple campaigns against major UK retailers, including Marks & Spencer, Harrods, and Co-op before it moved on to target American insurance companies, followed by the aviation industry. 

A. Tysen Duva, assistant attorney general, pointed out that the collective was responsible for over 100 network intrusions resulting in over $100 million in ransom payments. It is important to note that Stokes' case also represents the culmination of a broader international law enforcement campaign that has relentlessly dismantled the individuals operating under the pseudonym Scattered Spider. 

During recent prosecutions, Scottish national Tyler Buchanan, 24, admitted to fraud and identity theft by admitting to his role in phishing campaigns targeting Twilio and LastPass. As a result, prosecutors stated that $8 million in cryptocurrency was stolen and carries a maximum sentence of 22 years in prison.

In addition, Florida-based member Noah Urban was sentenced in August 2025 to 10 years in prison as well as a $12 million fine, while U.K. citizens Thalha Jubair and Owen Flowers pleaded guilty in June 2026 in connection with the Transport for London hack in 2024. As indicated in court documents, Flowers admitted to conspiring to compromise the networks of U.S. healthcare providers SSM Health and Sutter Health, demonstrating how far prosecutions have spread in an effort to dismantle the group's international cybercrime network. 

Despite successive arrests disrupting Scattered Spider's operations, cybersecurity researchers caution that the group's tactics continue to affect the wider threat landscape. As a result of the law enforcement actions of 2025, Mandiant observed a temporary drop in activity; however, it also stated that other financially motivated threat groups have begun replicating the collective's social engineering approach. 

An important defensive lesson of the assessment is that identity verification processes are often the primary attack surface rather than perimeter security measures. It is recommended that assistance desk authentication procedures be strengthened and that phishing-resistant authentication methods, such as hardware-backed passkeys or security keys, be adopted as effective measures for limiting unauthorized access through credential reset abuse. 

According to a joint advisory issued by U.S. and international cybersecurity authorities, once the attackers gained initial access, they have reportedly been observed monitoring internal collaboration platforms and taking part in incident response calls as a way of tracking defensive actions in real-time and evading containment measures.

Researchers believe the digital evidence recovered during Stokes' arrest in Helsinki may provide valuable information about the group's broader infrastructure as well as potential associates. Even though Stokes remains presumed innocent until proven guilty in court, this latest extradition highlights a growing international enforcement effort that is demonstrating the inability of geographical distance, decentralized operations, and youth to provide reliable barriers to coordinated cybercrime prosecution. 

International authorities are increasingly combining cross-border investigations with coordinated prosecutions to pursue individuals behind sophisticated intrusion campaigns that can disrupt businesses and disrupt lives. Increasing sophistication in identity-based attacks requires organizations to strengthen authentication controls, harden help desk verification processes, and continuously monitor privileged access in order to reduce the impact of increasingly sophisticated social engineering tactics.