CyberNews: 04/07/2026 Edition

Published by Dunateo on 2026-07-04

Today’s roundup

  • NetNut proxy network disrupted, 2 million infected devices cut off
  • ARToken PhaaS exposes EvilTokens' Microsoft 365 phishing toolkit
  • North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign
  • Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices
  • New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android
  • New Avalon Malware Framework Packs CrownX Ransomware Capabilities
  • Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds
  • Summary

    A joint operation, including Google, successfully disrupted NetNut, a residential proxy network. This action cut off access to approximately two million compromised Android devices, which included smart TVs and streaming boxes, that NetNut exploited for its operations.

    Researchers have gained insight into an extensive Microsoft 365 phishing toolkit through the exposure of "ARToken," a new Phishing-as-a-Service (PhaaS) platform. ARToken appears to function as an affiliate of the established EvilTokens phishing platform, facilitating credential compromise.

    North Korean threat actors, associated with the "Contagious Interview" campaign, have launched the "PolinRider" operation. This campaign involves the publication of 108 unique malicious packages and web browser extensions across platforms like npm, Packagist, Go, and Google Chrome, actively targeting developers.

    Security firm runZero has revealed seven unpatched vulnerabilities within FatFs, a widely used filesystem library. This library is embedded in the firmware of millions of devices, including security cameras, drones, industrial controllers, and hardware crypto wallets, posing a significant risk due to its pervasive use.

    A newly discovered Linux kernel flaw, identified as Bad Epoll (CVE-2026-46242), allows unprivileged users to achieve root-level control over affected systems. This critical privilege escalation vulnerability impacts Linux desktops, servers, and Android devices, though a fix has now been released.

    Cybersecurity researchers have identified "Avalon," a previously undocumented modular malware framework. Distributed via multi-stage phishing, Avalon integrates capabilities for credential harvesting, lateral movement, remote access, recovery disruption, and the deployment of CrownX ransomware.

    Citizen Lab reported that former Member of the European Parliament, Stelios Kouloglou, was repeatedly infected with NSO Group's Pegasus spyware. The attacks occurred in October 2022 and March 2023, while Kouloglou served on the PEGA Committee, tasked with investigating Pegasus abuses. The initial infection used the PWNYOURHOME zero-click exploit, potentially exposing confidential committee deliberations.

    Want to dig deeper?

    Vulnerabilities

    CVE-2026-46242 High