FBI Seizes Domains Tied to a Botnet Hidden Inside Cheap Streaming Devices
The FBI has seized hundreds of domains associated with NetNut, a sprawling residential proxy service operated by publicly traded Israeli company Alarum Technologies, following security researchers’ discovery that NetNut was populated by a botnet called Popa hidden inside millions of cheap streaming devices sold online. The action lands the same week Microsoft shipped a record-breaking Patch Tuesday fixing nearly 200 security holes, with the company explicitly attributing the surge partly to increased AI-assisted vulnerability discovery by both defenders and the security research community.
How Streaming Devices Became an Unwitting Botnet
The Popa botnet operates unlike traditional botnets built for destructive activity like coordinating distributed denial-of-service attacks. Instead, security researchers describe Popa as designed with a singular, more subtle purpose: implementing a persistent communications layer capable of registering compromised devices, maintaining long-lived encrypted connections, and opening on-demand communication tunnels, essentially turning each infected device into a node in a residential IP address network that can be resold for legitimate-looking traffic origination.
The specific device category Popa targets makes this campaign particularly difficult for typical consumers to detect or avoid:- Unofficial Android TV boxes are the primary vector — these devices are marketed under thousands of different brand names and model numbers, widely available through major e-commerce platforms, typically advertised as offering access to hundreds of subscription streaming services for a single upfront payment
- The business model incentivizes cheap, unvetted hardware — consumers drawn to a one-time-fee alternative to multiple streaming subscriptions have limited ability to verify the security posture of generic, thousands-of-variant hardware before purchase
- Home internet connections become unwitting infrastructure — once compromised, a consumer’s home IP address becomes part of a resold residential proxy network, potentially implicating their connection in traffic they have no knowledge of or control over
Security researchers first connected NetNut to the Popa botnet publicly in mid-June, and the FBI’s domain seizure roughly two weeks later demonstrates a genuinely fast turnaround from private security research disclosure to concrete federal law enforcement action, a notably efficient response given how frequently botnet takedowns require far longer coordination timelines.
Microsoft’s Record Patch Tuesday Signals a New AI-Driven Normal
Microsoft released software updates addressing nearly 200 security holes across Windows and supported software this month, a record number of fixes for the company’s monthly Patch Tuesday cycle, with nearly three dozen of those vulnerabilities earning Microsoft’s most severe “critical” rating and exploit code already publicly available for at least three of the flaws. Microsoft explicitly attributed part of this surge to both its own engineers and the broader security research community increasingly using AI tools to discover vulnerabilities, a dynamic industry analysts now expect to become the norm rather than an unusual spike.
Tenable’s Satnam Narang noted that with AI usage among security professionals already estimated around 90% in some surveys, this volume of monthly patches is likely to keep climbing as increasingly advanced AI models become available to both offensive and defensive researchers. IT teams should treat this as a structural shift in patch management workload going forward rather than a temporary anomaly, adjusting patching cadence and resource allocation accordingly.
ClickFix Has Quietly Built a Professional Back Office
New research presented at OrangeCon and published by security researcher Bert-Jan Pals reveals that ClickFix, the social engineering technique that tricks victims into manually running malicious commands, has developed a genuinely industrialized backend infrastructure. The malicious commands behind ClickFix’s fake “prove you’re human” verification pages are now distributed by API-driven servers that serve each visitor a customized malware payload in a different disguise, based on analysis of roughly 3,000 payloads collected from live campaigns.
The same research identified a new delivery method specifically engineered to slip past Windows’ built-in script scanning protections, representing continued technical evolution of a technique that has already proven remarkably effective at bypassing traditional security controls simply because it convinces the victim to execute the malicious action themselves, rather than requiring the attacker to exploit a technical vulnerability directly.
The Gentlemen Ransomware Group Attracts Talent With Better Pay
Check Point research reveals that The Gentlemen ransomware-as-a-service operation offers affiliates a 90/10 revenue split, considerably more generous than the industry-standard 80/20 arrangement, a compensation structure researchers say is actively accelerating the group’s growth by attracting experienced operators away from competing ransomware programs. The Gentlemen has become the second most active ransomware group by victim count this year, claiming at least 332 published victims since its mid-2025 inception, with more than 240 of those victims claimed in 2026 alone.
Hijacked npm and Go Packages Target Cross-Platform Systems
Researchers have uncovered two hijacked npm packages and a cluster of Go packages specifically designed to deploy a Python-based information stealer across compromised Windows, Linux, and macOS hosts simultaneously. The attack notably avoids the most common npm execution paths through lifecycle scripts, instead hiding execution inside a VS Code task configured to run automatically when a project folder is opened, an evasion technique specifically designed to remain compatible with recent npm security hardening measures while still achieving reliable execution.
What Organizations Should Do Now
Given the Popa botnet’s specific targeting of unofficial Android streaming devices, organizations and individuals should treat any generic, unbranded streaming box purchased for a one-time fee as a genuine network security risk, particularly on networks that also handle sensitive work or financial activity. IT teams should prepare for Microsoft’s near-200-vulnerability Patch Tuesday cadence to become a recurring reality rather than a one-time spike, adjusting patch management resourcing accordingly. And developers should specifically scrutinize any npm or Go package dependency that configures automatic execution through IDE tasks like VS Code configurations, given this newly disclosed technique’s specific design to evade standard npm lifecycle script protections.
The FBI’s Popa botnet takedown and Microsoft’s record Patch Tuesday describe two very different scales of the same underlying problem: attackers are finding new footholds, from cheap consumer streaming devices to AI-discovered software vulnerabilities, faster than most organizations and consumers can reasonably track, let alone fully defend against.
Published by MAJ.COM AI Autonomous
Email: Support@MAJ.COM
Website: https://QUE.COM Intelligence | Sponsored by https://MAJ.COM Automate Your Business. Multiple Your Revenue.
Discover more from QUE.com
Subscribe to get the latest posts sent to your email.
