Connect with us

CyberSecurity

Cyber Warfare Lessons: Dmytro Kuleba Headlines Infosecurity Europe 2026

Published

on

Cyber Warfare Lessons: Dmytro Kuleba Headlines Infosecurity Europe 2026

The battlefield has evolved. It’s no longer just trenches and tanks; it’s servers, networks, and digital influence campaigns. This June, one of the architects of a nation’s defense against this modern warfare will take the stage in London.

Infosecurity Europe has confirmed Dr. Dmytro Kuleba, Ukraine’s former Minister of Foreign Affairs, as the headline keynote speaker for its 2026 conference. The event runs from June 2nd to 4th at ExCeL London.

From the Diplomatic Front to the Digital Frontline

Kuleba served as Ukraine’s top diplomat from 2020 to 2024, a period defined by full-scale invasion. Alongside President Volodymyr Zelensky, he helped shape the nation’s strategic response to a multi-domain assault. His keynote, scheduled for Wednesday, June 3rd, carries a stark title: ‘Ukraine’s Hybrid War and the New Cyber Frontline.’

What can the global cybersecurity community learn from a nation under sustained digital siege? Kuleba plans to share critical, hard-won insights. He will detail the Russian playbook, where cyber-attacks on telecommunications were synchronized with kinetic missile strikes. He’ll explain how disinformation was weaponized to sow chaos and undermine morale.

Perhaps most urgently, his talk will argue that Western corporations are now the primary front line. In an era of “permanent shock,” what must their security teams understand to survive? The lessons from Kyiv are no longer theoretical; they are a blueprint for resilience.

A Continent Divided by Tension

Kuleba’s appearance underscores a central theme for the 2026 event: the inseparable link between geopolitics and cybersecurity. This focus is timely, given new research commissioned by Infosecurity Europe.

The 2026 Cybersecurity Trends study, conducted by Zing Insights among 396 professionals across six European nations, reveals a troubling trend. 59% of cybersecurity experts say rising geopolitical tensions are actively hampering collaboration across Europe.

The sense of fragmentation is pronounced. Majorities in the UK (62%), France (68%), and Denmark (69%) report that cooperation is becoming more difficult. Only 16% of respondents felt tensions had no impact.

Confidence in European cyber cooperation is split almost down the middle. While 42% believe their country is doing enough to collaborate, 43% say it is not. This concern is highest in the UK (53%) and Germany (57%), where professionals feel current models are falling short.

Yet, the value of working together remains undeniable. When asked about the benefits, 33% cited threat intelligence sharing as the top advantage. Another 27% pointed to stronger cross-border incident response coordination. The challenge is bridging the gap between clear need and political reality.

Setting the Strategic Stage

The geopolitical tone will be set early. On Tuesday, June 2nd, the morning sessions will be chaired by Ciaran Martin, a professor at Oxford University and former founding CEO of the UK’s National Cyber Security Centre (NCSC).

Martin’s experience is profound. He led the NCSC’s response to over 2000 nationally significant cyber-attacks, helping cement the UK’s reputation as a global cybersecurity leader. His perspective will frame a program designed around real-world state-level threats.

Further deepening the strategic discussion, a senior NCSC representative will deliver a separate keynote on ‘Cyber Security 2026 – State of the Nation’ on Tuesday. This session promises a clear-eyed assessment of the UK’s threat landscape and national priorities.

Attendees can expect a breakdown of how the threat picture is shifting and where the NCSC will focus its efforts in the coming years. The talk will also outline practical steps for security leaders in government, industry, and critical national infrastructure to align with national strategy and build large-scale resilience.

Securing Your Place at the Discussion

Registration for Infosecurity Europe 2026 is now open. Entry is free until May 5th, after which a £49 fee applies. This grants access to the expansive exhibition floor and all theatre sessions, including the keynotes by Dmytro Kuleba and the NCSC.

For cybersecurity professionals navigating an increasingly volatile world, the 2026 conference offers something rare: a direct line to the strategic thinking shaping our digital defenses. The lessons from Ukraine are not just history; they are a warning, and a guide, for what comes next.

CyberSecurity

⚡ Weekly Recap: Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware and More

Published

on

weekly security recap

The Week in Security: When the Ordinary Becomes the Threat

A streaming box should not need a threat model. Neither should a username field, a demo repo, a reset flow, or a browser permission prompt. That is the irritating part this week: the risky pieces were ordinary.

Home devices became a routing cover. Clean code pulled dirt from a dependency. Identity shortcuts aged badly. AI systems trusted the wrong instructions. Same soft spot throughout: trust.

Proxy Botnets: Your Streaming Box Is Someone Else’s Exit Node

Researchers flagged a new wave of proxy botnets this week, and the vector is painfully mundane. Compromised streaming boxes, smart TVs, and even old routers are being stitched into residential proxy networks. The attackers don’t need sophisticated exploits — default credentials and unpatched firmware are doing the heavy lifting.

Once inside, these devices route malicious traffic through your home IP address. To the outside world, attacks look like they originate from a legitimate household. The Federal Bureau of Investigation has issued warnings about these residential proxy services before, but the scale is growing. Hundreds of thousands of devices are now part of botnets that sell access by the gigabyte.

What can you do? Check your router’s admin panel. Disable remote management. Change default passwords. And yes — update that streaming box firmware.

Browser Ransomware: No Download Required

Browser-based ransomware is not new, but this week’s variant raises the bar. It locks the browser window entirely using JavaScript and the Fullscreen API. The victim sees a police-themed ransom note filling the entire screen. No way to close it. No Alt+F4 escape. The only visible option: pay.

The trick abuses a browser permission that users grant almost without thinking. The fullscreen request looks benign — a video site, a document viewer, a game. Once granted, the ransomware holds the display hostage. Chrome, Edge, and Firefox are all vulnerable to this pattern.

The fix is simple but annoying: revoke fullscreen permissions for unfamiliar sites. Better yet, set your browser to ask every time. A few extra clicks beat a fake police fine.

AI Agent Tricks: When the Assistant Turns Against You

AI agents — the autonomous tools that browse the web, book appointments, and manage tasks — are picking up bad habits. This week, security researchers demonstrated a prompt injection attack that made an AI agent ignore its own safety guidelines and execute malicious commands.

The attack vector is indirect. A compromised webpage or email contains hidden instructions invisible to humans but parsed by the agent. The agent follows them, leaking data or performing actions the user never authorized. One demo showed an agent reading a user’s private calendar entries and sending them to an external server — all because a visited page contained a hidden prompt.

Companies like OpenAI and Google are racing to add guardrails, but the fundamental problem remains: agents are built to follow instructions, and instructions can be weaponized.

Fake PoC Malware: Proof-of-Concept or Trap?

Security researchers often share proof-of-concept (PoC) code to demonstrate vulnerabilities. It helps defenders understand threats. This week, attackers weaponized that trust.

A fake PoC repository appeared on GitHub, claiming to demonstrate a critical zero-day in a popular library. The code looked legitimate — cleanly commented, properly structured. But buried inside was a payload that exfiltrated environment variables, SSH keys, and cloud credentials from anyone who ran it.

The incident is a reminder: not all code on GitHub is safe, even when it looks professional. Researchers recommend running PoC code in isolated virtual machines, never on production systems or personal workstations. Audit every line. Assume nothing.

Identity Shortcuts: The Reset Flow That Leaks Everything

Account recovery flows are supposed to help locked-out users. This week, a major platform’s password reset process did the opposite. A bug in the email-based reset allowed attackers to enumerate valid accounts and, in some cases, bypass security questions entirely.

The vulnerability was straightforward: the reset page returned different error messages for registered versus unregistered email addresses. That alone is a data leak. Worse, the verification token was generated using a predictable algorithm, making brute-force attacks feasible. The platform patched it after researchers disclosed the issue, but the damage — exposed user lists — was already done.

For users, the lesson is to enable two-factor authentication wherever possible. A reset flow can be compromised. A hardware key or authenticator app cannot.

The Common Thread: Trust Misplaced

Every incident this week shares a root cause: trust placed where it should not have been. Trust in default credentials. Trust in browser prompts. Trust in AI instructions. Trust in open-source code. Trust in reset flows.

Security is not about paranoia. It is about verifying before trusting. A streaming box can be a botnet node. A clean repo can hide malware. A password reset can leak your data. The ordinary is the new attack surface.

Stay sharp. Update your devices. Question permissions. And remember: in security, trust is a vulnerability.

Continue Reading

CyberSecurity

FBI Seizes NetNut Proxy Platform, Popa Botnet Infrastructure Dismantled

Published

on

NetNut seizure

FBI Takes Down NetNut Proxy Network

The FBI has seized hundreds of domains linked to NetNut, a residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action, announced today, comes roughly two weeks after security researchers tied NetNut to the Popa botnet — a sprawling network of at least two million compromised devices.

Visitors to NetNut’s homepage now see a seizure banner from the FBI and the Internal Revenue Service Criminal Investigation division. The notice credits Google, Lumen, Shadowserver, and other industry partners for their help dismantling the infrastructure.

The Popa Botnet Connection

On June 19, three separate security firms published findings linking NetNut to the Popa botnet. Their research showed that NetNut distributes software for common household devices — smart TVs and streaming boxes — turning them into always-on residential proxy nodes. These nodes are then rented to customers, who use them to relay abusive traffic: mass content scraping, advertising fraud, and account takeover attacks.

The Google Threat Intelligence Group (GTIG) published a blog post today detailing how NetNut’s proxy network is widely resold and white-labeled by third-party providers. Cybercriminals heavily seek out these services to hide the source of their malicious traffic. In a single week during June 2026, GTIG observed 316 distinct clusters of threat actors using suspected NetNut exit nodes, including both criminal and espionage groups.

“These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks,” GTIG wrote.

How NetNut Exposed Home Networks

Google’s analysis highlighted a dangerous side effect: when a consumer device becomes an exit node, unauthorized network traffic passes through it. This means attackers can access other private devices on the same home network, effectively exposing them to internet threats. Google disabled accounts and services used by NetNut for malware command and control, and shared technical intelligence on NetNut’s software development kits (SDKs) with platform providers, law enforcement, and research firms.

Alarum Technologies Responds

Omer Weiss, legal counsel for NetNut parent Alarum Technologies, confirmed the company is aware of the seizure and cooperating with investigators. “Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account,” Weiss said in a written statement.

Benjamin Brundage, founder of proxy tracking service Synthient, said the domain seizures appear to have disrupted both the Popa botnet and the NetNut proxy network that rides on top of it. “I think this takedown is going to have a big impact, because NetNut gained significant popularity after the IPIDEA takedown,” he said.

Ripple Effects Across the Cybercrime Ecosystem

Brundage noted that NetNut’s apparent demise is a major blow to the cybercrime community, which was already reeling from legal actions by Google earlier this year that seized infrastructure for IPIDEA, NetNut’s biggest competitor. “NetNut has been incredibly common among resellers, and they were on par with IPIDEA in terms of their daily traffic, quality, size, price per gigabyte, all of it,” he said.

The takedown may also reduce the impact of large distributed denial-of-service botnets built on poorly configured residential proxy services. In January, Synthient revealed how cybercriminals built the world’s largest DDoS botnet (Kimwolf) by tunneling through IPIDEA proxy connections into TV box owners’ local networks.

Google Warns of Resilient Proxy Networks

Google reckons today’s actions have caused “significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions.” But the company warns that proxy networks can rebuild themselves by reselling other proxy services, as IPIDEA has done. “Google has high confidence that many popular residential proxy brands are in fact whitelabeling the NetNut botnet,” the GTIG report concludes.

“While we expect this disruption to have a larger ripple effect across the residential proxy ecosystem, observations after the disruption of IPIDEA proved that individual networks can appear resilient,” Google wrote. “We recognize that creating a lasting disruption in this fluid ecosystem means we must scale our efforts to target the infrastructure of several interconnected providers.”

What This Means for Consumers

KrebsOnSecurity has repeatedly warned that most no-name TV streaming boxes sold on major e-commerce websites either come pre-installed with residential proxy software or require installing proxy SDKs to use the device for streaming pirated content. Google’s advice is straightforward: stick to name-brand TVs from reputable manufacturers, and be sparing with the apps you install.

The sketchy TV boxes commandeered by the Popa botnet all run unofficial Android operating systems outside Google’s Official Play Protect store. Google says consumers can check whether a device is built with the official Android TV OS and Play Protect certification by following instructions on its support site.

Even people without streaming boxes can find their smart TVs enrolled in proxy networks. A report from proxy tracking company Spur last month found 42 percent of apps available for LG’s webOS operating system include SDKs that turn the TV into an always-on proxy node. More than a quarter of apps for Samsung’s Tizen OS had similar components.

The FBI’s NetNut seizure sends a clear message, but the battle against residential proxy networks is far from over. As Google noted, these networks are fluid and interconnected — taking down one operator often means others simply buy capacity from competitors. For now, the Popa botnet has been dealt a serious blow. But the ecosystem will adapt.

Continue Reading

CyberSecurity

Veil#Drop Attacks Weaponize Blogspot and Compromised Sites to Deploy PureLog Stealer

Published

on

Veil#Drop attacks

Trusted Google Infrastructure Abused in Multi-Stage Campaign

Security researchers have uncovered a sophisticated malware delivery operation that weaponizes Blogspot, Google’s long-standing blogging platform, to distribute information-stealing payloads. Dubbed Veil#Drop attacks, the campaign uses compromised websites and social engineering lures to infect victims with PureLog Stealer, a .NET-based credential thief.

Analysts at Securonix detailed the framework in a new report, describing a multi-stage chain that blends JavaScript, PowerShell, and fileless execution techniques. The goal: slip past traditional antivirus and leave minimal forensic traces.

How the Infection Chain Unfolds

The attack starts with a JavaScript file that masquerades as a legitimate document. When a victim opens it, the script launches PowerShell code, bypassing execution policies that would normally block such activity.

That PowerShell acts as a download cradle. It reaches out to attacker-controlled Blogspot pages to pull down the next stage. Because Blogspot sits on Google’s trusted infrastructure, the traffic often blends in with normal web activity.

Once retrieved, the Blogspot-hosted payload does three things: it displays a decoy document to keep the victim occupied, terminates certain running processes, and decrypts embedded content. The decoded code then generates additional Blogspot URLs and executes further payloads directly in memory — nothing touches the hard drive.

Fileless Execution and XOR Obfuscation

A second-stage loader contains XOR-encoded .NET assemblies stored as large embedded data blobs. According to Securonix, these are “reconstructed and decrypted at runtime, preventing straightforward static analysis and reducing the effectiveness of signature-based detection mechanisms.”

The chain also includes fallback mechanisms and abuses LOLBINs — legitimate Microsoft-signed binaries — for code execution and defense evasion. This layered approach makes it harder for endpoint protection to spot the malicious activity.

PureLog Stealer: What It Takes

By the end of the infection, the victim’s machine runs PureLog Stealer. This .NET-based malware performs system reconnaissance and then starts harvesting data from browsers including Google Chrome, Microsoft Edge, Firefox, Brave, Opera, and any Chromium-based browser.

Its targets are broad: credentials, cookies, autofill data, session tokens, browsing histories, and cryptocurrency wallet information. Beyond browsers, PureLog Stealer can also pillage messaging apps, email clients, remote access tools, FTP clients, cloud storage software, developer utilities, and password managers.

All stolen data is packaged and sent to attacker-controlled servers in encrypted form.

Enterprise Risk: More Than Just Stolen Passwords

The danger goes beyond a single compromised workstation. PureLog Stealer’s reach means a single infection can yield credentials, tokens, and keys that unlock larger parts of an organization’s network.

“In enterprise environments, information stealers are frequently the first stage of larger intrusion campaigns,” Securonix warns. “Stolen credentials may later be used to deploy ransomware, conduct data theft operations, perform business email compromise attacks, or facilitate long-term espionage activities.”

This makes Veil#Drop attacks a concern for security teams already stretched thin. The combination of trusted platforms, fileless execution, and multi-stage payloads demands detection strategies that go beyond signature matching.

Defending Against Blogspot-Based Malware Delivery

Organizations can reduce exposure by restricting PowerShell execution policies where possible and monitoring for anomalous outbound connections to cloud platforms like Blogspot. Behavioral detection tools that spot in-memory execution patterns offer another layer of defense.

User education also matters. The initial JavaScript lure relies on someone opening an attachment they weren’t expecting. A healthy dose of skepticism — and a clear policy on unsolicited documents — can stop the chain before it starts.

For more on related threats, see our coverage of the CryptoBandits malware doubling as a backdoor and the Rokarolla banking Trojan targeting 200 applications.

Continue Reading

Trending