Citrix Bleed 2 Exploited, NetNut Disrupted, Government Breaches Surge

Events tracked
187
Critical exposure
45

Summary

Today's threat landscape is defined by the convergence of high-volume, low-sophistication defacement activity with targeted, high-impact data breaches against government and education sectors. The operational tempo is elevated, with over 45 alleged data exposure events, many targeting public sector entities in Asia and Latin America. Defenders should prioritize patching for the newly exploited Citrix Bleed 2 vulnerability and reassess exposure to residential proxy networks following Google's takedown of NetNut, as these are enabling ransomware and credential theft at scale.

Today's developments

Active exploitation of Citrix Bleed 2 is underway. Industry researchers from Unit 42 and SecurityWeek report that threat actors associated with the Anubis ransomware operation are actively exploiting CVE-2025-5777 (Citrix Bleed 2) for initial access. Public proof-of-concept code is being used to retrieve arbitrary memory content from vulnerable NetScaler appliances. Separately, the FortiBleed campaign has been linked to INC and Lynx ransomware attacks, indicating that credential harvesting from edge devices remains a primary vector for major ransomware operations. These developments underscore the critical need for immediate patching of internet-facing Citrix and Fortinet appliances.

Google disrupted a major residential proxy network. In coordination with the FBI and Lumen, Google's Threat Intelligence Group (GTIG) significantly degraded the NetNut (also known as Popa) residential proxy network, which controlled an estimated 2 million home devices. Google reports that in a single week, 316 distinct threat clusters used NetNut exit nodes, including cybercriminal and espionage groups. This action builds on the January 2026 disruption of the IPIDEA network and highlights the persistent risk of consumer devices being co-opted for malicious traffic routing.

A wave of alleged government and education data breaches emerged today. Multiple actors claimed to have compromised public sector databases across several countries. Notable incidents include:

  • Sri Lanka: Actor Sensitive2025 allegedly breached the Department of Agriculture.
  • Indonesia: Multiple actors targeted government entities. Mr. Hanz Xploit claimed a sale of data from Sijamkesda Bertuah Pekanbaru, while actor /Mr.K4nib4l alleged a sale of a South Kalimantan provincial government database. KEDIRISECTEAM claimed a breach of Kominfo, the Ministry of Communication and Informatics. Additionally, actor KillerRabbit alleged a leak of data from the Indonesian State Palace.
  • Mexico: Multiple education and government entities were targeted. Actor azraelzer0d4y claimed a breach of Educación Continua (Marca UNACH), and DBHunter alleged a breach of the Secretary of Education of the State of Durango. Actor derm0nix claimed a breach of Portal del Empleo Chalco.
  • Azerbaijan: Actor 0cx00iq claimed a breach of the Azerbaijani National Security Agency.
  • Panama: Actor s1ethx7z claimed a breach of Caja de Seguro Social (CSS), a major healthcare provider.
  • Poland: Actor azraelzer0d4y claimed a leak of data from Akademia Wychowania Fizycznego w Krakowie (University of Physical Education in Krakow).
  • France: Actor pwn2dd claimed a breach of Nantes Université.

Additional notable alleged breaches include actor Worldleaks claiming breaches of Service IT (Brazil) and Treet Corp (Pakistan), actor mosad claiming a leak of US Government records and a sale of SECRET//NOFORN reports, and actor thegoatedshi claiming a breach of Coinbase (US). Actor douanier1337 claimed a breach of Discord (US), and actor Iron Atlas New Generation claimed a breach of Pastebin (UK).

A new malware strain targets Gmail via OAuth. Researchers at Kaspersky reported that the ToddyCat-linked threat actor is using a new malware called Umbrij to gain access to corporate Gmail correspondence via the Google API, abusing OAuth tokens. This highlights a shift toward targeting cloud-based email through API access rather than traditional credential theft.

Threat landscape signals

The data reveals a pronounced concentration of activity targeting government administration and education sectors, with Indonesia and Mexico being particularly targeted today. The volume of alleged breaches against public sector entities suggests these are seen as soft targets with high-value, persistent data. The dominance of low-sophistication defacement actors (BABAYO EROR SYSTEM, Neura Self Cyber Team) alongside more targeted breach actors indicates a bifurcated threat landscape where noise and signal coexist. Defenders should not dismiss defacement activity as mere nuisance; it often precedes or accompanies more serious intrusions.

The simultaneous exploitation of Citrix Bleed 2 and the FortiBleed campaign reinforces a critical pattern: edge devices are the new perimeter battleground. Ransomware groups are systematically weaponizing vulnerabilities in VPNs, firewalls, and load balancers for initial access. The disruption of NetNut, while significant, is a tactical win in an ongoing campaign against residential proxy networks. Organizations should expect proxy operators to adapt by buying capacity from competitors, and should continue to monitor for traffic originating from known residential proxy IP ranges.

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.

Recent editions