TL;DR
Google, the FBI and partners disrupted the NetNut residential proxy network, which spanned roughly 2 million home devices, by seizing hundreds of its domains; Citrix Bleed 2 (CVE-2025-5777) is being exploited by Anubis ransomware affiliates for initial access; ToddyCat's new Umbrij malware abuses Google API OAuth flows to read corporate Gmail accounts.
Executive Summary
- Google, FBI, and partners disrupted NetNut residential proxy network spanning approximately 2 million home devices, significantly degrading its operational capacity.
- Ransomware operators linked to Anubis are actively exploiting Citrix Bleed 2 vulnerability (CVE-2025-5777) to obtain initial network access, with multiple affiliate groups adapting similar tradecraft.
- Threat actor ToddyCat deployed new Umbrij malware designed to surreptitiously access Gmail accounts through abused Google API OAuth flows, targeting corporate email infrastructure.
- Microsoft 365 accounts are being hijacked through ConsentFix and ClickFix-style campaigns that abuse fake OAuth consent prompts; the attacker receives a token within seconds, and because that token is minted after the victim has already completed sign-in, MFA included, no further factor is ever challenged.
- Apple is compressing its patch cycles to accelerate security fixes, acknowledging that attackers are leveraging artificial intelligence to reduce time-to-exploitation.
Top Threats Today
1. NetNut Residential Proxy Disruption—Major Infrastructure Takedown
Severity: HIGH Affected: Technology
Google's Threat Intelligence Group, working with the FBI, Lumen and other partners, has significantly degraded NetNut, one of the largest residential proxy networks [1]. The network previously spanned approximately 2 million home devices; seizing hundreds of associated domains shrank its pool of usable devices [2]. The FBI said this week that it worked with industry partners to seize infrastructure tied to NetNut's parent, the publicly traded Israeli firm Alarum Technologies [2]. Residential proxy networks are routinely abused for advertising fraud, account takeovers and mass data scraping, because traffic exiting from a home IP address sidesteps the reputation and rate-limit controls that catch data-centre sources.
Sources: [1] The Hacker News; [2] Krebs on Security
Recommended Action
- Monitor network traffic for outbound connections to seized NetNut domains; block any remaining infrastructure indicators using updated threat feeds.
- Audit logs for any suspicious proxy usage or unexpected external relay traffic patterns from internal devices.
- Review home-network security posture if consumer devices are connected to corporate VPNs or have access to enterprise resources.
2. Citrix Bleed 2 (CVE-2025-5777) Actively Exploited by Ransomware Affiliates
Severity: HIGH Affected: Technology
Threat actors associated with the Anubis ransomware operation have been observed exploiting Citrix Bleed 2 (CVE-2025-5777) to obtain initial access to victim networks [1]. The flaw is an out-of-bounds memory read in NetScaler ADC and Gateway appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server; the leaked memory can contain valid session tokens, so an attacker who harvests one can hijack an authenticated session without a password or an MFA prompt. Common patterns across multiple ransomware affiliates show use of legitimate remote monitoring and management (RMM) tools and credentials sourced through supply-chain compromise following initial exploitation [1].
Sources: [1] The Hacker News
Recommended Action
- Prioritize patching of Citrix NetScaler ADC and Gateway appliances against CVE-2025-5777; identify and inventory all exposed instances. Fixed builds are 14.1-43.56, 13.1-58.32, 13.1-FIPS/NDcPP 13.1-37.235 and 12.1-FIPS 12.1-55.328; the 12.1 and 13.0 branches are end-of-life and must be upgraded rather than patched.
- After patching, terminate all active ICA and PCoIP sessions from the NetScaler CLI (kill icaconnection -all, then kill pcoipConnection -all): session tokens stolen before the patch stay valid until their sessions are killed, exactly as with the original Citrix Bleed.
- Monitor Citrix systems for memory-disclosure attempts: repeated POSTs to the Gateway authentication endpoint carrying a malformed login parameter, and XML authentication responses whose prefilled form values contain non-printable data. Treat a session token reused from a second source IP or user agent as a hijack.
- Implement network segmentation to isolate Citrix appliances from lateral-movement pathways.
- Review access logs for unusual remote management tool activity post-breach.
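As an added example, not code from the digest's sources or from Citrix, the following Python checks an HTTP request/response pair captured in front of a NetScaler Gateway (by a WAF, reverse proxy or packet capture) for the publicly described trigger of CVE-2025-5777 and for the leak it produces. Public analyses of the bug describe the trigger as a POST to /p/u/doAuthentication.do whose form body names the login field with no '=' and no value; the appliance then echoes uninitialised memory inside the <InitialValue> element of its XML authentication response. The sample exchanges, source addresses and alert threshold are constructed, and the response skeleton is simplified to the elements the check reads.

```python
"""Detection helpers for CVE-2025-5777 (Citrix Bleed 2) probes against a
NetScaler Gateway. Added example: runs over captured request/response pairs,
not on the appliance itself. Sample traffic below is constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

AUTH_PATH = "/p/u/doAuthentication.do"
INITIAL_VALUE_RE = re.compile(rb"<InitialValue>(.*?)</InitialValue>", re.DOTALL)
# Each probe leaks only a small slice of memory, so attackers repeat it to
# harvest a usable session token; tune the threshold to the environment.
PROBE_ALERT_THRESHOLD = 2


@dataclass
class Exchange:
    src_ip: str
    method: str
    path: str
    request_body: str
    response_body: bytes


def is_valueless_login_probe(method: str, path: str, body: str) -> bool:
    """True for the documented trigger: a POST to the authentication endpoint
    whose form body contains a bare `login` field with no '='."""
    if method.upper() != "POST" or not path.startswith(AUTH_PATH):
        return False
    # Split by hand: urllib's parse_qsl() maps both "login" and "login=" to
    # ("login", ""), which erases exactly the distinction we need.
    return any(field == "login" for field in body.split("&"))


def leaked_initial_value(response_body: bytes) -> Optional[bytes]:
    """Return the <InitialValue> payload when it looks like raw memory rather
    than a pre-filled username, else None. A normal response carries an empty
    or short printable value; leaked heap usually has NULs, control or high
    bytes. A purely printable leak (a cookie fragment, say) passes this check,
    which is why the request-side probe check is evaluated independently."""
    m = INITIAL_VALUE_RE.search(response_body)
    if not m or not m.group(1):
        return None
    value = m.group(1)
    try:
        text = value.decode("utf-8")
    except UnicodeDecodeError:
        return value
    if len(text) > 64 or any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        return value
    return None


def classify(ex: Exchange) -> dict:
    leak = leaked_initial_value(ex.response_body)
    return {
        "src_ip": ex.src_ip,
        "probe": is_valueless_login_probe(ex.method, ex.path, ex.request_body),
        "leak": leak is not None,
        "leaked_len": len(leak) if leak else 0,
    }


def probe_counts(exchanges: list) -> Counter:
    """Trigger requests per source IP; >= PROBE_ALERT_THRESHOLD warrants an alert."""
    return Counter(ex.src_ip for ex in exchanges
                   if is_valueless_login_probe(ex.method, ex.path, ex.request_body))


def _auth_response(initial_value: bytes) -> bytes:
    """Constructed, simplified skeleton of the Gateway's XML auth response."""
    return (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<AuthenticateResponse><Status>success</Status><Result>more-info</Result>'
            b'<AuthenticationRequirements><Requirements><Requirement>'
            b'<Credential><ID>login</ID><Type>username</Type></Credential>'
            b'<Input><Text><Secret>false</Secret><InitialValue>' + initial_value +
            b'</InitialValue></Text></Input></Requirement></Requirements>'
            b'</AuthenticationRequirements></AuthenticateResponse>')


# Constructed sample traffic: one legitimate login, two probes from one
# source (the second leak happens to be all-ASCII but has control bytes), one unrelated GET.
SAMPLE = [
    Exchange("198.51.100.20", "POST", AUTH_PATH, "login=alice&passwd=hunter2",
             _auth_response(b"")),
    Exchange("203.0.113.7", "POST", AUTH_PATH, "login",
             _auth_response(b"\x00\x00\x00\x8f\x12\xc0NSC_AAAC=3f9a1c\x00\xff")),
    Exchange("203.0.113.7", "POST", AUTH_PATH, "login",
             _auth_response(b"\x01\x00\x00\x00\x7f\x7f")),
    Exchange("198.51.100.21", "GET", "/vpn/index.html", "", b"<html></html>"),
]


def run_demo(exchanges: list = SAMPLE) -> list:
    return [classify(ex) for ex in exchanges]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
    for ip, n in probe_counts(SAMPLE).items():
        if n >= PROBE_ALERT_THRESHOLD:
            print(f"ALERT {ip}: {n} CVE-2025-5777 probes")
```

Feed it from whatever retains request bodies in front of the appliance; plain access logs without bodies cannot distinguish a bare login field from a normal one, so the response-side check is the fallback there. Alert on either verdict, and correlate a probe burst from one source with any session that later appears from that same source.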
3. ToddyCat Umbrij Malware Hijacks Gmail via Google API OAuth Abuse
Severity: HIGH Affected: Technology
Threat actor ToddyCat has deployed a new malware variant called Umbrij designed to gain surreptitious access to victim email accounts through abused Google API OAuth flows [1]. The campaign focused on corporate email communications hosted on Gmail, with the malware pulling correspondence through legitimate API channels [1]. Because those fetches are ordinary token-bearing Google API calls, the mailbox traffic itself looks benign; detection has to come from the grant (which client ID, which scopes, when and from where it was authorized) rather than from the reads.
Sources: [1] The Hacker News
Recommended Action
- Audit Gmail API access and connected third-party applications (Admin console API controls, or the Admin SDK Directory API tokens.list call per user); revoke any suspicious OAuth tokens or unrecognized app authorizations.
- Enable advanced Gmail security controls including Security Checkup and suspicious activity alerts.
- Monitor Google API activity logs for unusual token generation or API calls from unfamiliar locations.
- Deploy email gateway filtering for common ToddyCat delivery mechanisms (reconnaissance phishing, supply-chain lures).
4. ConsentFix and ClickFix: Microsoft 365 OAuth Bypass Attacks
Severity: HIGH Affected: Technology
ConsentFix and ClickFix attack campaigns are stealing Microsoft 365 tokens in seconds using fake OAuth consent prompts and manipulation of legitimate OAuth flows [1]. These attacks bypass multi-factor authentication by abusing the OAuth permission-request interface: the token issued at the end of the flow reflects a sign-in the victim has already completed, MFA included, so no further factor is challenged and the attacker holds a working token without ever seeing a password [1].
Sources: [1] BleepingComputer
Recommended Action
- In Microsoft Entra ID (formerly Azure AD), restrict user consent: set the user consent setting to "Do not allow user consent", or allow it only for verified publishers requesting low-impact permissions, and enable the admin consent workflow so requests for higher-risk scopes are routed to a reviewer. These controls live under Enterprise applications > Consent and permissions; Conditional Access governs sign-in, not consent, and will not stop these grants on its own.
- Review existing grants: enumerate service principals and oauth2PermissionGrants holding Mail.*, Files.* or offline_access scopes and revoke any application nobody recognizes.
- Monitor Entra ID audit logs for "Consent to application" events from unfamiliar applications or IP addresses, and for sign-ins from the newly consented application immediately afterwards.
- Educate end users on the appearance of legitimate vs. fraudulent OAuth consent prompts.
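The two OAuth-abuse items above (ToddyCat's Gmail access and the Microsoft 365 consent attacks) call for the same audit: find delegated grants that hand a client mailbox access and that nobody approved. The Python below is an added example, not tooling from either vendor or from the digest's sources. It reads two exports an admin would save to disk: the Google Admin SDK Directory API tokens.list response for one user, and the Microsoft Graph oauth2PermissionGrants collection for a tenant. The allowlists, client identifiers and sample records are constructed placeholders.

```python
"""Audit delegated OAuth grants for mailbox access by unapproved clients.
Added example. Inputs are the JSON shapes returned by the Google Directory
API `tokens.list` call and by Microsoft Graph `GET /oauth2PermissionGrants`;
allowlists and sample records below are constructed placeholders."""

# Google scopes are full URIs. Any of these lets a client read, send or
# re-route (filters/forwarding) the user's mail.
GMAIL_SENSITIVE = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
}
# Graph delegated scopes are bare names inside a space-separated string.
GRAPH_SENSITIVE = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Mail.Read.Shared",
    "MailboxSettings.ReadWrite", "Files.ReadWrite.All",
}
# offline_access hands the client a refresh token: a consent phished once keeps
# working after the victim's session ends, which is what turns a fake consent
# prompt into a durable MFA bypass rather than a one-off.
GRAPH_PERSISTENT = "offline_access"

# Hypothetical approved clients (Google client_id / Entra service principal id).
GOOGLE_ALLOWED_CLIENTS = {"approved-crm.apps.googleusercontent.com"}
GRAPH_ALLOWED_CLIENTS = {"0000aaaa-1111-2222-3333-444444444444"}


def audit_google_tokens(token_list: dict) -> list:
    """Flag tokens.list items where a client outside the allowlist holds a Gmail scope."""
    findings = []
    for tok in token_list.get("items", []):
        client = tok.get("clientId", "")
        hits = sorted(set(tok.get("scopes", [])) & GMAIL_SENSITIVE)
        if hits and client not in GOOGLE_ALLOWED_CLIENTS:
            findings.append({
                "platform": "google",
                "subject": tok.get("userKey"),
                "client": client,
                "app": tok.get("displayText", ""),
                "scopes": hits,
                "reason": "unapproved client holds Gmail scope",
            })
    return findings


def audit_graph_grants(grants: list) -> list:
    """Flag oauth2PermissionGrants carrying mailbox scopes for a client outside
    the allowlist. consentType "Principal" means a single user consented;
    "AllPrincipals" is a tenant-wide admin grant. Both are reported, with
    refresh-token persistence called out in the reason."""
    findings = []
    for grant in grants:
        client = grant.get("clientId", "")
        scopes = set(grant.get("scope", "").split())
        hits = sorted(scopes & GRAPH_SENSITIVE)
        if not hits or client in GRAPH_ALLOWED_CLIENTS:
            continue
        reason = ("user-consented mailbox scope" if grant.get("consentType") == "Principal"
                  else "tenant-wide mailbox scope")
        if GRAPH_PERSISTENT in scopes:
            reason += " with offline_access (refresh token)"
        findings.append({
            "platform": "m365",
            "subject": grant.get("principalId") or "<all users>",
            "client": client,
            "app": "",
            "scopes": hits,
            "reason": reason,
        })
    return findings


# Constructed sample exports.
GOOGLE_TOKENS = {
    "kind": "admin#directory#tokenList",
    "items": [
        {"clientId": "approved-crm.apps.googleusercontent.com", "displayText": "Approved CRM",
         "userKey": "alice@example.com", "anonymous": False, "nativeApp": False,
         "scopes": ["https://mail.google.com/"]},
        {"clientId": "742-syncmail.apps.googleusercontent.com", "displayText": "Mail Sync Helper",
         "userKey": "alice@example.com", "anonymous": False, "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                    "https://www.googleapis.com/auth/userinfo.email"]},
        {"clientId": "9911-cal.apps.googleusercontent.com", "displayText": "Calendar Widget",
         "userKey": "alice@example.com", "anonymous": False, "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    ],
}
GRAPH_GRANTS = [
    {"id": "g1", "clientId": "5e5e5e5e-0000-0000-0000-000000000001", "consentType": "Principal",
     "principalId": "u-alice", "resourceId": "graph-sp", "scope": "Mail.Read offline_access User.Read"},
    {"id": "g2", "clientId": "7f7f7f7f-0000-0000-0000-000000000002", "consentType": "Principal",
     "principalId": "u-bob", "resourceId": "graph-sp", "scope": "User.Read"},
    {"id": "g3", "clientId": "0000aaaa-1111-2222-3333-444444444444", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph-sp", "scope": "Mail.ReadWrite offline_access"},
]


def run_audit() -> list:
    return audit_google_tokens(GOOGLE_TOKENS) + audit_graph_grants(GRAPH_GRANTS)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f['platform']}] {f['subject']} -> {f['client']} {f['app']}: "
              f"{', '.join(f['scopes'])} :: {f['reason']}")
```

Revocation uses the matching delete calls: tokens.delete(userKey, clientId) on the Directory API and DELETE /oauth2PermissionGrants/{id} on Graph. The scope sets are deliberately narrow; extend them for the resources your tenant actually exposes, and treat an allowlist entry as something that itself needs periodic review.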
5. Apple Accelerates Patch Cadence in Response to AI-Driven Exploitation
Severity: MEDIUM Affected: Technology
Apple is compressing its patch cycles, a departure from its traditional cadence, citing attackers' use of artificial intelligence to shorten time-to-exploitation [1]. The shift reflects industry-wide pressure to accelerate security updates as adversaries use AI to speed up vulnerability research and weaponization [1].
Sources: [1] Dark Reading
Recommended Action
- Expect more frequent Apple security updates; adjust patching windows to accommodate compressed release schedules.
- Monitor Apple security advisories closely and prioritize deployment of patches addressing active exploitation.
- Review device-management policies to enable rapid deployment of out-of-cycle security updates.
Today's Action Checklist
- ☐ URGENT: Patch or isolate all Citrix NetScaler appliances vulnerable to CVE-2025-5777, confirm fixed builds are deployed across production, and kill active ICA and PCoIP sessions on each patched appliance so pre-patch tokens stop working.
- ☐ URGENT: Audit Gmail API permissions and connected OAuth applications; revoke any unrecognized or suspicious authorizations.
- ☐ Review Microsoft Entra ID user consent settings and the admin consent workflow; restrict OAuth consent to admin-approved applications and revoke unrecognized grants.
- ☐ Block residual NetNut proxy infrastructure domains and monitor outbound traffic to previously seized IP ranges.
- ☐ Prepare accelerated Apple patching procedures to accommodate compressed security release cycles; test deployment workflows.