Update - Citrix CVE-2026-8451 is now under active exploitation, less than 24 hours after disclosure.
A Frankfurt IP hit sensors for 5 hours, delivering the watchTowr exploit only after a 200 OK response and skipping 404s.
Learn how the malformed SAML exploit path works: https://thehackernews.com/2026/07/citrix-patches-six-netscaler-flaws.html
Ransomware crews are stacking three ugly paths into enterprise networks.
- Anubis: Citrix Bleed 2
- The Gentlemen: Go backdoor + BYOVD
- VECT/TeamPCP: supply-chain credential theft
How the attack paths connect: https://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.html
Google disrupted #NetNut, a proxy network spanning at least 2 million home devices.
In one June week, GTIG saw 316 threat clusters using suspected NetNut exit nodes to hide location and guess passwords.
The simple risk: your home IP becomes someone else's relay.
Learn more: https://thehackernews.com/2026/07/google-disrupts-netnut-residential.html
PamStealer targets Mac users through fake Maccy sites.
A compiled AppleScript stages a Rust stealer that validates the entered login password through PAM, then targets browsers, crypto wallets, iCloud Keychain, and clipboard content.
How the attack chain works: https://thehackernews.com/2026/07/pamstealer-uses-fake-maccy-sites-and.html
A member of the EU committee investigating spyware abuse was hacked with Pegasus while serving on it.
Citizen Lab says Stelios Kouloglou's #iPhone was compromised in Oct. 2022 and Mar. 2023, likely via Apple's HomeKit zero-click exploit.
Attackers could have accessed PEGA documents and deliberations.
Details: https://thehackernews.com/2026/07/european-parliament-member.html
#ThreatsDay this week reads like attackers opened the junk drawer of the internet and found everything still plugged in:
- exposed AI compute
- email privacy gaps
- fake browser extensions
- meeting bots
- clipboard tricks
- Defender flaws
- fake INTERPOL ransomware
Just an Empire State Building-sized amount of trust left unattended - https://thehackernews.com/2026/07/threatsday-ai-compute-hijacking-apple.html
Armored Likho targeted power and government agencies.
Kaspersky says the attacks span Russia, Brazil, and Kazakhstan, using BusySnake Stealer, GitHub-hosted payloads, Go2Tunnel reverse tunneling, and patched CVE-2025-9491 LNK abuse.
How the stealer chain works: https://thehackernews.com/2026/07/armored-likho-targets-government.html
Six malicious npm packages mimicked Rollup polyfill tools.
Experts link them to North Korea-linked actors. They used hidden install-time execution and JSONKeeper fetches to load payloads for remote access and browser, wallet, cloud, SSH, and npm secret theft.
Read: https://thehackernews.com/2026/07/north-korea-linked-npm-packages-mimic.html
Avalon turns a PDF-themed .LNK into CrownX ransomware.
Proton Drive → ISO image → MSBuild → ETW tampering → HTTPS payload.
By the time the ransom note drops, credential theft, C2, and recovery disruption are already in play.
Inside the attack chain: https://thehackernews.com/2026/07/new-avalon-malware-framework-packs.html
New "Bad Epoll" (CVE-2026-46242) vulnerability affects #Linux 6.4+ kernels and may reach newer #Android devices.
It can turn a local user into root; the PoC hit 99% reliability and may trigger from Chrome's renderer sandbox.
Read how the bug works: https://thehackernews.com/2026/07/new-bad-epoll-linux-kernel-flaw-lets.html
New UNPATCHED FatFs vulnerabilities hit a filesystem library bundled into potentially MILLIONS of embedded devices.
Malformed USB drives, SD cards, or update files can trigger memory corruption, crashes, leaks, or hangs.
Read details here: https://thehackernews.com/2026/07/unpatched-flaws-disclosed-in-filesystem.html
108 malicious packages and extensions were published across npm, Packagist, Go, and Chrome.
North Korea-linked PolinRider uses obfuscated JavaScript loaders, VS Code auto-run tasks, and blockchain services to fetch DEV#POPPER RAT and OmniStealer.
Inside the attack chain: https://thehackernews.com/2026/07/north-korean-hackers-publish-108.html
A U.S. government entity paid Kairos about $1 million in #Bitcoin.
The payment was made to keep stolen files from being leaked, according to a Ransom-ISAC case study.
This was not a lock-and-key ransomware case. The pressure point was the stolen data itself.
Read the story: https://thehackernews.com/2026/07/us-government-entity-paid-kairos-group.html