DAILY BRIEFING · JULY 3, 2026 · #105

NetNut seized; Citrix Bleed 2 exploited; ToddyCat hijacks Gmail via OAuth

July 3, 2026 · AI-generated analysis · 5 min read
Severity: High
Industries: Technology
Actionable · Partially verified (CVE in source articles; NVD enrichment pending)

CVE: CVE-2025-5777 · CVSS: awaiting NVD · Vendor/Product: Citrix Bleed 2 (Citrix NetScaler) · Exploitation: in the wild, in CISA KEV · Refs: NVD

These CVEs are real (their IDs appear in source articles), but NVD has not yet finished enrichment; vendor, product and CVSS will appear here automatically once NVD catches up.
Contextual · AI analysis · synthesized from 10 feeds · verify before acting

TL;DR

Google and FBI seized NetNut residential proxy infrastructure used by millions of compromised devices; Citrix Bleed 2 (CVE-2025-5777) now actively exploited by Anubis ransomware affiliates; ToddyCat malware abuses Google APIs to hijack Gmail accounts via OAuth, targeting corporate email.

THREAT LEVEL: HIGH – Multiple active exploitation campaigns targeting residential proxy infrastructure, enterprise email systems, and Citrix appliances require immediate defensive monitoring and patching.

Executive Summary

Top Threats Today

1. NetNut Residential Proxy Disruption—Major Infrastructure Takedown

Severity: HIGH   Affected: Technology

Google's Threat Intelligence Group, working with the FBI, Lumen, and other partners, has significantly degraded NetNut, one of the largest residential proxy networks [1]. The operation reduced the network's pool of usable devices, which previously spanned approximately 2 million home devices, by seizing hundreds of associated domains [2]. The FBI stated this week that it worked with industry partners to seize the infrastructure operated by publicly traded Israeli firm Alarum Technologies [2]. Residential proxy networks are commonly abused for advertising fraud, account takeovers, and mass data-scraping operations.
Sources: [1] The Hacker News; [2] Krebs on Security

Recommended Action

  • Monitor network traffic for outbound connections to seized NetNut domains; block any remaining infrastructure indicators using updated threat feeds.
  • Audit logs for any suspicious proxy usage or unexpected external relay traffic patterns from internal devices.
  • Review home-network security posture if consumer devices are connected to corporate VPNs or have access to enterprise resources.

2. Citrix Bleed 2 (CVE-2025-5777) Actively Exploited by Ransomware Affiliates

Severity: HIGH   Affected: Technology

Threat actors associated with the Anubis ransomware operation have been observed exploiting Citrix Bleed 2 (CVE-2025-5777) to obtain initial access to victim networks [1]. Common patterns across multiple ransomware affiliates show use of legitimate remote management tools and supply chain credentials following initial exploitation [1].
Sources: [1] The Hacker News

Recommended Action

  • Prioritize patching of Citrix NetScaler appliances against CVE-2025-5777; identify and inventory all exposed instances.
  • Monitor Citrix systems for anomalous API calls and memory-disclosure attempts via HTTP responses.
  • Implement network segmentation to isolate Citrix appliances from lateral-movement pathways.
  • Review access logs for unusual remote management tool activity post-breach.

3. ToddyCat Umbrij Malware Hijacks Gmail via Google API OAuth Abuse

Severity: HIGH   Affected: Technology

Threat actor ToddyCat has deployed a new malware variant, Umbrij, designed to gain surreptitious access to victim email accounts through abused Google API OAuth flows [1]. The campaign focused on corporate email communications hosted on Gmail, with the malware obtaining access to email correspondence through legitimate API channels [1].
Sources: [1] The Hacker News

Recommended Action

  • Audit Gmail API access and connected third-party applications; revoke any suspicious OAuth tokens or unrecognized app authorizations.
  • Enable advanced Gmail security controls including Security Checkup and suspicious activity alerts.
  • Monitor Google API activity logs for unusual token generation or API calls from unfamiliar locations.
  • Deploy email gateway filtering for common ToddyCat delivery mechanisms (reconnaissance phishing, supply-chain lures).

4. ConsentFix and ClickFix: Microsoft 365 OAuth Bypass Attacks

Severity: HIGH   Affected: Technology

ConsentFix and ClickFix attack campaigns are stealing Microsoft 365 tokens in seconds using fake OAuth consent prompts and manipulation of legitimate OAuth flows [1]. These attacks bypass multi-factor authentication by abusing the OAuth permission-request interface [1].
Sources: [1] BleepingComputer

Recommended Action

  • Enforce Conditional Access policies in Azure AD to restrict OAuth app consent and require admin approval for high-risk permissions.
  • Disable user consent for third-party applications where possible; require admin review.
  • Monitor Azure AD sign-in logs for OAuth consent events from unfamiliar applications or IP addresses.
  • Educate end users on the appearance of legitimate vs. fraudulent OAuth consent prompts.
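One way to act on the OAuth audit items in sections 3 and 4 (revoking suspicious Gmail API grants, reviewing Entra ID consent events) is to triage exported consent records for mailbox scopes granted to unreviewed apps by end users. This is an added Python example, not code from any cited source; the record layout and the `ConsentAction.Permissions` text format are assumptions, and `SAMPLE_EVENTS` is constructed.

```python
"""Triage OAuth consent grants exported from an identity-provider audit log.
Added example for this briefing, not from any cited source. Record shape is constructed;
the ConsentType/Scope text mirrors Entra ID's ConsentAction.Permissions property (assumed names)."""
import re
# Scopes that expose mailbox contents (Microsoft Graph and Gmail API names).
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "https://mail.google.com/",
               "https://www.googleapis.com/auth/gmail.readonly"}
REFRESH_SCOPE = "offline_access"  # grants a long-lived refresh token
# Client IDs the organisation has reviewed and approved (constructed value).
ALLOWLISTED_APP_IDS = {"11111111-aaaa-4bbb-8ccc-000000000001"}

def parse_permissions(text: str) -> tuple[set[str], str]:
    """Extract the granted scopes and the consent type from a permissions string."""
    scope_m = re.search(r"Scope:\s*([^,\]]+)", text)
    type_m = re.search(r"ConsentType:\s*(\w+)", text)
    scopes = set(scope_m.group(1).split()) if scope_m else set()
    return scopes, (type_m.group(1) if type_m else "unknown")

def assess(event: dict) -> list[str]:
    """Return the reasons a grant is risky; an empty list means no finding."""
    if event["app_id"] in ALLOWLISTED_APP_IDS:
        return []  # reviewed app; admin consent to mail scopes is expected here
    scopes, consent_type = parse_permissions(event["permissions"])
    reasons = []
    if scopes & MAIL_SCOPES:
        reasons.append("mailbox scope granted to an unreviewed app")
    if REFRESH_SCOPE in scopes:
        reasons.append("offline_access: access survives the user's session")
    if not reasons:
        return []  # sign-in-only scopes (openid, User.Read) are low risk
    if consent_type == "Principal":  # Principal = one user; AllPrincipals = admin, tenant-wide
        reasons.append("consent given by an end user, not an admin")
    if not event.get("publisher_verified", False):
        reasons.append("publisher not verified")
    return reasons

def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map event id -> reasons for every event that produced a finding."""
    return {e["id"]: r for e in events if (r := assess(e))}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"id": "evt-1", "app_id": "11111111-aaaa-4bbb-8ccc-000000000001", "publisher_verified": True,
     "permissions": "[] => [[ConsentType: AllPrincipals, Scope: Mail.Read offline_access]]"},
    {"id": "evt-2", "app_id": "22222222-bbbb-4ccc-9ddd-000000000002", "publisher_verified": False,
     "permissions": "[] => [[ConsentType: Principal, Scope: Mail.Read offline_access User.Read]]"},
    {"id": "evt-3", "app_id": "33333333-cccc-4ddd-8eee-000000000003", "publisher_verified": True,
     "permissions": "[] => [[ConsentType: Principal, Scope: openid User.Read]]"},
]
```

Only `evt-2` produces a finding: an unreviewed app given mailbox access plus a refresh token by a single user, which is the grant worth revoking first.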

5. Apple Accelerates Patch Cadence in Response to AI-Driven Exploitation

Severity: MEDIUM   Affected: Technology

Apple is reversing its traditional patch policy by compressing patching cycles, citing attackers' use of artificial intelligence to reduce time-to-exploitation [1]. This shift reflects industry-wide pressure to accelerate security updates as adversaries leverage AI for faster vulnerability research and weaponization [1].
Sources: [1] Dark Reading

Recommended Action

  • Expect more frequent Apple security updates; adjust patching windows to accommodate compressed release schedules.
  • Monitor Apple security advisories closely and prioritize deployment of patches addressing active exploitation.
  • Review device-management policies to enable rapid deployment of out-of-cycle security updates.

🤖 This briefing was compiled by defend.network using AI-powered analysis of multiple cybersecurity sources including CISA advisories, vendor security bulletins, and threat intelligence feeds. Always verify critical intelligence through official vendor channels before taking action.