This week in cybersecurity has highlighted several critical incidents, including the disruption of a major proxy network, the introduction of AI-generated ransomware, and the targeting of users through malicious repositories.
Disruption of NetNut Proxy Network
Google, in collaboration with the U.S. Federal Bureau of Investigation (FBI) and Lumen, has successfully disrupted the NetNut residential proxy network, also known as Popa. This action builds on the earlier takedown of IPIDEA in January 2026. Google reported that it disabled accounts and services associated with NetNut that were used for malware command-and-control (C2) operations. The network is estimated to comprise at least 2 million devices globally, primarily consisting of smart home devices like streaming boxes and smart TVs.
NetNut’s strategy involved pre-installing malware on devices or embedding hidden proxy code within applications, allowing malicious actors to route traffic through these devices, thereby masking their activities.
AI-Generated Ransomware in Browsers
A new form of ransomware, generated using an AI model called DeepSeek, has emerged, exploiting the File System Access API found in Chromium-based browsers. This malware operates entirely within the browser environment on various operating systems, including Windows, macOS, and Android. While this technique represents a novel approach to ransomware deployment, there is currently no evidence that it has been used in real-world attacks.
Experts from Check Point noted that this development signifies a shift in cyber attack methodologies, showcasing how AI can autonomously create viable attack techniques based on legitimate platform features.
ChocoPoC RAT Targets Security Researchers
Security researchers have fallen victim to a new threat known as ChocoPoC, which targets those searching for Python-based proof-of-concept (PoC) repositories on GitHub. These repositories, while appearing legitimate, contain dependencies that deliver the malware. ChocoPoC is a sophisticated trojan capable of extracting sensitive data, including passwords and browsing history, from multiple web browsers.
This incident underscores the risks associated with relying on unverified code, particularly in the security research community.
Ousaban Banking Trojan and Other Threats
A new Brazilian banking trojan named Ousaban has been detected, specifically targeting users in Spain and Portugal. The trojan uses fake PDF documents to lure victims into downloading a malicious executable file that captures sensitive information, including screenshots and keystrokes, when they visit banking websites.
In addition, a 19-year-old suspect linked to the Scattered Spider hacking group has been extradited to the U.S. to face charges related to a ransomware attack on a luxury jewelry retailer, which resulted in significant financial losses.
As the cybersecurity landscape continues to evolve, these incidents highlight the importance of vigilance and the need for robust security measures to protect against emerging threats.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








