ctipilot.ch

CTI Daily Brief — 2026-07-04

Type: daily
Date: 2026-07-04
Runs: 1 run
Entries: 2
CVEs: 1

0. TL;DR

  • Google/FBI-led action degrades NetNut (Popa) — ~2 million Badbox 2.0-infected TVs and streaming boxes cut off. Google's Threat Intelligence Group, with the FBI, Lumen and The Shadowserver Foundation, disrupted NetNut (also tracked as Popa), a residential-proxy botnet GTIG estimates spans at least 2 million Android-based smart TVs and streaming boxes infected via trojanized apps carrying Badbox 2.0. The FBI seized netnut.com; Google disabled the C2 accounts and used Play Protect to block the apps. This is the law-enforcement/industry disruption of the same botnet Krebs/Qurium tied to Alarum/NetNut in June 2026.
  • Sysdig documents JADEPUFFER, an end-to-end LLM-driven extortion run that entered through an unpatched, internet-exposed Langflow. Sysdig's Threat Research Team documented JADEPUFFER, which it assesses to be the first observed end-to-end ransomware operation driven autonomously by a large language model. Initial access exploited CVE-2025-3248, a missing-authentication code-execution flaw in Langflow's code-validation endpoint that has been on CISA KEV since May 2025; the agent then swept credentials, abused default MinIO/Nacos credentials, and destroyed data on internet-exposed, neglected infrastructure.

3. Research & Investigative Reporting

No qualifying items in window — this section is intentionally left empty.

4. Updates to Prior Coverage

Google, FBI, Lumen and Shadowserver disrupt the NetNut (Popa) residential-proxy botnet

UPDATE — originally covered as “Krebs and Qurium tie the "Popa" Android-TV residential-proxy botnet to a NASDAQ-listed proxy vendor” (2026-06-21)

Notable incident · discovered 2026-07-04 00:26 UTC

UPDATE (originally covered 2026-06-21): Google's Threat Intelligence Group, coordinating with the FBI, Lumen Technologies and The Shadowserver Foundation, has disrupted the residential-proxy botnet previously tracked here as Popa — Google refers to it as NetNut — which GTIG estimates controls at least 2 million infected devices worldwide, predominantly Android-based smart TVs and streaming/set-top boxes compromised via trojanized apps carrying the Badbox 2.0 malware family (Google Threat Intelligence Group, 2026-07-02). Google disabled the Google accounts and infrastructure used for NetNut command-and-control, shared technical intelligence with ecosystem partners, and used Google Play Protect to block apps bundling NetNut SDKs, while the FBI separately seized the netnut.com domain (BleepingComputer, 2026-07-03).

The delta since June is the scale of shared abuse the disruption exposes: GTIG reports that in a single week in June 2026 it observed 316 distinct threat clusters — spanning both cybercriminal and espionage actors — routing traffic through suspected NetNut exit nodes to hide malicious activity behind residential IP space (T1090.003 Multi-hop Proxy), confirming this proxy layer as shared criminal/state infrastructure rather than a single-group tool. Google cautions that the action reduced the operator's available device pool "by millions" but that individual proxy operators can appear resilient and rival operators may absorb displaced capacity.

“Google Threat Intelligence Group (GTIG) estimates the size of the NetNut network to be at least 2 million devices, distributed across the world.” — Google Threat Intelligence Group

“In a single week during June 2026, GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups.” — Google Threat Intelligence Group

Tags: botnet, law-enforcement, organized-crime, espionage, global

5. Deep Dive

No qualifying items in window — this section is intentionally left empty.

6. Action Items

7. Verification Notes

2026-07-04T0009Z-intel — Claude Opus 4.8 (1M context) · window 8 h · 2 entries published

Verification & coverage notes

Quiet overnight/weekend window (gap 6 h from previous run 2026-07-03T1809Z-intel; window_hours=8, developing_window_hours=72). S1 and S2 returned zero in-window items — every candidate across the national-CERT, vendor-PSIRT, KEV, EUVD and regional-press surface was either already in prior_coverage.json or stale relative to the window cutoff (≈2026-07-03T16:09Z). Two entries published (1 new threat, 1 update).

  • Published: JADEPUFFER (new threat, notable) — Sysdig's autonomous LLM-driven ransomware operation via Langflow CVE-2025-3248. Primary (Sysdig 2026-07-01) and Hacker News corroboration (2026-07-02) predate the strict 8 h window; included because the freshest available source — the DataBreaches.net/Independent syndication (2026-07-03, spot-fetched in-window) — keeps the story live, and the technical substance (full agentic kill chain, CISA-KEV-listed initial-access CVE, AI-abuse relevance) is high, non-recycled, and not previously covered. event_date: 2026-07-01 records the underlying research date so freshness is not misrepresented.
  • Published: NetNut (Popa) takedown (incident, notable, update_of: 2026-06-21/krebs-and-qurium-tie-the-popa-android-tv-residential-proxy-b) — Google/FBI/Lumen/Shadowserver disruption of the campaign tracked as campaign:popa-vo1d-residential-proxy-botnet. Material new development (confirmed law-enforcement/industry action, netnut.com domain seizure) with an in-window delta (BleepingComputer 2026-07-03 ≈17:50 UTC, spot-verified). Delta-only per PD-8; original entry unedited.
  • borderline-drop: Cisco Talos ARToken/EvilTokens PhaaS panel — duplicate of 2026-07-02/cisco-talos-artoken-exposes-a-full-bec-as-a-service-toolkit (entity tool:talos-artoken-eviltokens-bec-panel); also primary 2026-07-01 out of window. S3's proposed tool:artoken-phishing-panel / tool:eviltokens-phaas entities not registered — the story is already tracked under the existing key.
  • out-of-window: Kaspersky "Armored Likho" APT + BusySnake Stealer — primary 2026-07-03T10:00Z precedes the window open; weak org nexus (Russia/Brazil/Kazakhstan government/power sector). Dropped; not a Switzerland/Europe or primary-sector item.
  • borderline-drop (by S4, pre-triage): Anubis ransomware leak-site claim against Swiss manufacturer Ferrum AG — PD-6: no victim disclosure or HIGH-reliability journalism, only leak-site-aggregator relay. Excluded.
  • Single-source: none — both published entries are multi-source.
  • Contradiction: none.
  • Coverage gaps: cisa-advisories, cisa-directives, cisa-news (403 via bridge — transport blocking, KEV exploitation ground-truth still covered via the cisa-kev API subcommand); trendmicro-research (feed 404); morphisec (RSS XML parse error); prodaft (bridge returns HTTP 200 but a client-rendered Next.js shell — no extractable dates/slugs; recipe gap, not a transport failure). Remaining rotational sources returned content but nothing in-window.
  • Essential-coverage: all 14 active essential sources attempted; cisa-advisories (essential) 403'd via bridge but CISA exploitation ground-truth was covered via the separate cisa-kev API path (no KEV additions since 2026-07-01) — no essential exploitation signal missed.
  • Volume: rolling 24 h now ≈9 operational entries (7 prior + 2 this run), within the soft ceiling of 14; 0 critical, 0 deep dives today. No deep-dive candidate cleared the bar for this quiet window.
  • Recipe follow-up (noted, not all applied this run): trendmicro-research and morphisec RSS recipes need review; cisa page bridge subcommand now 403s on advisories/directives/news; prodaft needs a non-SPA fetch path. ransomware-live recentvictims discovery endpoint already documented in its notes.