Weekly Security Recap: Proxy Botnets, Browser Ransomware, AI Tricks, and Fake PoC Malware

This week’s security roundup centered on a familiar theme: attackers and defenders alike are exploiting everyday trust points. From consumer devices being used as proxy infrastructure to researchers b...

This week’s security roundup centered on a familiar theme: attackers and defenders alike are exploiting everyday trust points. From consumer devices being used as proxy infrastructure to researchers being lured by fake exploit code, the latest incidents show how quickly ordinary software and services can be turned into attack surfaces.

Proxy network disrupted

Google, working with the FBI, Lumen and other partners, moved against the NetNut residential proxy network, also tracked as Popa. The operation built on earlier action against IPIDEA and included disabling Google accounts and services used for malware command-and-control, updating Play Protect, and removing apps tied to NetNut SDKs. Google estimates the network reached at least 2 million devices worldwide. The infrastructure reportedly relied on SDKs embedded in home devices such as smart TVs and streaming boxes, giving attackers a way to hide traffic behind residential connections.

Usernames arrive on WhatsApp, raising abuse concerns

WhatsApp began global reservations for usernames, a privacy-focused change meant to reduce reliance on phone numbers for identity. The feature is optional and expected to roll out more broadly later this year. However, it has also raised concerns in India and elsewhere that impersonation could become easier, especially if lookalike usernames are claimed before legitimate organizations can reserve them.

Fake PoC repositories deliver malware

Security researchers looking for newly published proof-of-concept exploits on GitHub have been targeted with malicious Python packages that quietly install a trojan called ChocoPoC. The visible PoC appears harmless, but a dependency named skytext is used to pull in the payload. Once executed, the malware can steal browser data, collect local files and system information, and run commands or Python code on the infected machine.

Other notable activity

  • A 19-year-old suspect linked to Scattered Spider was extradited from Finland to the United States to face fraud, conspiracy, and computer intrusion charges.
  • A Brazilian banking trojan known as Ousaban is using fake PDF lures to target users in Spain and Portugal.
  • Researchers also described AI-generated browser ransomware that combines legitimate Chromium file-access features into a working attack concept, though they have not seen it used in the wild.

On the vulnerability side, the week also brought a fresh batch of high-priority CVEs across widely used products, reinforcing the need for rapid patching and tight exposure management.