Today’s Topics:

• Squidbleed Shows Why Old Proxy Code Still Belongs in the Threat Model
• FortiBleed Shows Why Firewall Credentials Are Now Perimeter Risk
• How can Netizen help?

Squidbleed Shows Why Old Proxy Code Still Belongs in the Threat Model

Squidbleed is the kind of vulnerability that looks small in code and much larger in an environment diagram. Tracked as CVE-2026-47729, the flaw is an out-of-bounds read in Squid’s FTP gateway that can leak fragments of proxy memory back to a client. In the worst case, that memory may contain another user’s cleartext HTTP request, including an Authorization header, bearer token, API key, session cookie, or other credential material that was never meant to leave the proxy process.

The bug is being compared to Heartbleed for a reason. This is not remote code execution. It does not give an attacker shell access, modify traffic, or knock the service offline. It reads memory past the intended boundary and returns data that should have stayed inside the process. That makes the vulnerability easier to underrate if teams focus only on exploit categories, yet memory disclosure against a shared proxy can still be a direct path to account takeover. If a leaked header contains a valid token, the attacker does not need to exploit the victim’s endpoint. They can simply reuse what the proxy exposed.

The threat model is narrow, but realistic. Squid describes the attacker as a trusted client, meaning someone already permitted to send traffic through the proxy. That matters in environments where Squid is used as a shared forward proxy for schools, enterprises, guest networks, public Wi-Fi, managed networks, or filtering gateways. The attacker does not need to be an external internet host hitting Squid from the outside. They need access as a proxy user, a Squid instance with FTP gateway functionality available, and an FTP server they control or can influence.

That limitation is also what makes the bug easy to miss during risk scoring. CVSS places it in the moderate range with network attack vector, low attack complexity, low privileges required, no user interaction, high confidentiality impact, and no integrity or availability impact. On paper, that looks contained. In practice, a shared proxy is a collection point for other people’s requests. A confidentiality-only vulnerability in that position can still expose high-value secrets.

The exposed traffic is also bounded. Standard HTTPS traffic sent through an HTTP CONNECT tunnel remains opaque to Squid, so Squidbleed does not magically decrypt the modern web. The most direct exposure is cleartext HTTP. The risk expands in deployments where Squid is configured to terminate or inspect TLS, such as SSL Bump environments, since the proxy can then see decrypted request contents before forwarding them upstream. Legacy internal applications, captive portals, old appliances, device management pages, and operational tools are the kinds of places where cleartext HTTP still tends to survive longer than security teams expect.

The root cause sits in Squid’s FTP directory-listing parser. FTP directory listings are messy, old, and inconsistent across server implementations, so Squid contains parsing logic meant to turn FTP listings into something usable for clients. The vulnerable behavior traces back to compatibility handling introduced in 1997 for NetWare-style listings, where extra whitespace could appear between a timestamp and a filename.

The parser advances a pointer after a parsed timestamp and then skips whitespace before treating the next bytes as the filename. The edge case appears when a crafted FTP listing line ends right after the timestamp and provides no filename at all. At that point, the pointer lands on the string terminator. The relevant C library behavior is the catch: strchr can match the terminating null byte in a string. If code asks whether that terminator appears inside the whitespace string, it can get a positive result. The parser then advances past the end of the intended buffer and keeps reading until it finds a byte that stops the scan.

That is where an old parser bug turns into a data exposure issue. Squid reuses memory buffers, and reused heap memory may still contain data from prior transactions. If a buffer recently held part of a different user’s HTTP request, a crafted FTP listing can overwrite only a small portion of that buffer and cause Squid to return the remaining stale bytes as if they were part of an FTP filename. The attacker sees the data in the generated FTP directory response.

Calif.io’s demonstration showed an Authorization header leaking from another client using the same proxy. That is the security impact in one line: a user who is allowed to use the proxy may be able to trigger a malformed FTP response and receive secrets from unrelated traffic handled by the same Squid process.

The fix itself is small. Squid patched the FTP gateway parsing logic by checking for the null terminator before using the character membership test that caused the over-read. The official advisory lists Squid versions older than 7.6 as affected, with Squid 4.x, 5.x, 6.x, and 7.x through 7.5 vulnerable. Squid versions older than 3.5.28 were not tested and should be treated as vulnerable. Operators using vendor-packaged builds should rely on distribution advisories and backported package fixes rather than only checking the upstream version string.

That distinction matters. Enterprise Linux distributions often backport security patches into older package versions. An environment may still show a Squid 5.x or 6.x package and be patched, or it may show a seemingly familiar package version that still lacks the fix. Ubuntu, for example, lists fixed Squid packages for supported releases such as 22.04 LTS and 24.04 LTS. Debian’s tracker shows fixed status for some releases and vulnerable status for others. The right validation step is to confirm the vendor package status or inspect whether the FtpGateway.cc guard is present.

The better mitigation, where operations allow it, is to disable FTP through Squid entirely. FTP is a legacy protocol with little place in most modern browser-driven networks. Chrome removed FTP URL support years ago, and many organizations have little legitimate need for proxy-mediated FTP access. Squid’s own advisory provides a workaround that denies FTP traffic through the proxy, with an optional allowlist for trusted FTP destinations. In many networks, the safer answer is no allowlist at all.

Blocking outbound TCP port 21 from the proxy can also reduce practical exploitability, but it should be treated as a compensating control rather than the full fix. A proxy policy change inside squid.conf is more direct, and a patched package removes the parser bug itself. Organizations should also review whether Squid is performing TLS interception, whether cleartext HTTP remains in use internally, and whether proxy users are segmented by trust level. A guest network user and a corporate endpoint should not be sharing sensitive proxy memory in the same risk bucket.

Detection is not straightforward. A successful attempt may look like FTP traffic through Squid to an attacker-controlled server, followed by abnormal directory listing responses. Security teams can review Squid access logs for unexpected ftp:// requests, outbound connections to untrusted FTP servers, and spikes of repeated FTP listing activity from a single proxy client. Network controls can flag outbound FTP from proxy infrastructure, especially in environments that do not use FTP operationally. Still, the absence of obvious logs should not be treated as proof of safety. Memory disclosure vulnerabilities rarely leave clean, high-confidence forensic markers.

The incident response question is less about wiping systems and more about credential exposure. If an organization confirms exploitability or suspicious FTP traffic through a vulnerable Squid instance, it should identify which applications and internal services still sent cleartext HTTP through that proxy. Tokens, API keys, basic authentication headers, session cookies, and service credentials exposed over HTTP should be rotated. Legacy internal applications that still rely on cleartext authentication deserve extra attention, as they are exactly the kind of systems that turn a moderate proxy bug into a real identity problem.

Squidbleed also says something broader about aging internet infrastructure. The vulnerable logic survived for nearly three decades in a mature, widely deployed open-source proxy. It sat in compatibility code for an old FTP listing format tied to platforms most modern defenders will never touch. That is not an indictment of Squid alone. It is a reminder that mature software often carries protocol support, parser logic, and compatibility branches that outlive their original use case by decades.

The AI angle is real, but it should not be exaggerated. Calif.io credited Anthropic’s Claude Mythos Preview with surfacing the strchr behavior quickly during research into Squid’s FTP state machine. That does not mean AI agents are suddenly replacing security engineering. It means they are becoming useful at finding weird interactions between old parser code, language semantics, and forgotten protocol features. For defenders, the lesson is practical: AI-assisted review may be most valuable in the code nobody wants to audit by hand anymore.

FortiBleed Shows Why Firewall Credentials Are Now Perimeter Risk

FortiBleed is not being treated as a new Fortinet zero-day, and that may be the most useful detail in the story. The campaign is larger than a single vulnerability bulletin. It is a credential problem at perimeter scale, involving internet-facing FortiGate firewalls and SSL VPN gateways where valid logins, old password hashes, weak account hygiene, and exposed management paths appear to have converged into a large verified access dataset.

CISA issued guidance after reports that malicious actors were using compromised credentials against Fortinet devices across government and private-sector networks. The public numbers vary by source and date. CISA referenced leaked credentials tied to about 74,000 Fortinet devices. SOCRadar later reported 86,644 compromised FortiGate devices, more than 80,000 unique IPs, 22,405 domains, and exposure across 194 countries. Arctic Wolf placed the confirmed range between 30,000 and 75,000 devices in its June analysis, citing differences in dataset validation and source reporting. The exact count matters less than the operating model: the actors were not guessing at a few exposed VPN portals. They were building a verified inventory of working perimeter credentials.

Fortinet has pushed back on the idea that FortiBleed is tied to a new product flaw. In its June 19 PSIRT post, the company said the activity appears to involve reused credentials from prior incidents and brute-force activity against devices with weak password hygiene and no MFA. Fortinet also said it was not related to any current incident or advisory. That distinction is technically meaningful. It also should not make defenders comfortable. A valid firewall login obtained through credential reuse can be just as operationally useful as access gained through an exploit chain.

The risk starts with what FortiGate devices are. These appliances often sit at the boundary between the public internet and internal networks. They terminate VPN access, enforce firewall policy, route traffic, hold certificates, connect to identity providers, and often integrate with Active Directory, LDAP, RADIUS, TACACS+, SAML, or other authentication systems. Administrative access to that control plane gives an attacker far more than a login screen. It can provide network topology, user access paths, VPN visibility, configuration data, and a starting point for lateral movement.

SOCRadar described FortiBleed as an automated operation built in two stages. The first stage tests curated username and password combinations against internet-facing Fortinet endpoints. The second stage reportedly uses successful access to collect more credentials from traffic passing through the device, feeding those credentials back into the same access operation. Dutch NCSC also warned that researchers had seen attackers collect packet captures from Fortinet systems in several cases, creating the possibility that more authentication material was exposed after initial firewall access.

That is what makes this different from a normal credential stuffing story. The firewall is not just the target. Once compromised, it can become a collection point. A compromised SSL VPN or firewall appliance may expose user names, VPN sessions, internal addressing, authentication integrations, service accounts, and administrative behavior. If the appliance is tied into directory services, the downstream risk moves into identity infrastructure. Fortinet’s own guidance says that if AD or LDAP integration is configured, that account should be treated as compromised and monitored for use elsewhere.

The older credential storage behavior adds another layer. Fortinet’s technical guidance says FortiOS 7.2.11, 7.4.8, and 7.6.1 introduced PBKDF2 for administrator password storage, replacing SHA-256-based storage. The migration is conditional. After an upgrade from an older version, administrator passwords can remain stored as SHA-256 hashes until the corresponding administrator logs in after the upgrade. Fortinet also notes that older SHA-256 values may remain in a hidden old-password setting for backward compatibility, visible in configuration backups taken by a super admin account.

That matters for two reasons. First, SHA-256 is fast. Fast hashing is bad for password storage when an attacker can obtain hashes and work offline with GPU cracking rigs. Second, many organizations treat firmware upgrades as complete once the version number changes. In this case, the version number alone may not remove the weaker stored credential material. Admin logins, password resets, and Fortinet’s weaker-encryption lockout setting may still be needed to move accounts away from legacy hash exposure.

This is why “patch and move on” is too narrow here. Updating FortiOS is part of the response, but FortiBleed is about credential state, session state, configuration state, and exposure state. A firewall can be on a newer train and still carry old credential baggage. A password can be complex and still be compromised if it was reused, leaked, harvested from an earlier incident, or cracked from a stored hash. An admin interface can be patched and still risky if it remains reachable from the public internet.

The account patterns reported by SOCRadar point to basic but damaging failures. Generic admin accounts and Fortinet system-style accounts accounted for a large share of the exposed credentials. Organization-specific accounts also made up a significant portion of the dataset, which suggests the campaign reached beyond factory naming conventions and default behavior. This is a familiar perimeter problem: predictable account names reduce attacker cost, password reuse extends breach life, and exposed management interfaces let attackers test access at internet scale.

For attackers, a valid FortiGate credential can be more valuable than a workstation foothold. It may allow rule changes, VPN account creation, configuration export, traffic capture, route manipulation, certificate inspection, logging changes, and stealthy access maintenance. A firewall is also a trust anchor in many environments. Security tools often assume it is enforcing policy correctly. If an attacker controls or modifies that enforcement point, detections inside the network may see only the later stages of an intrusion.

That is the defensive lesson. FortiBleed should be treated as an identity incident and a perimeter device incident at the same time. Ending active SSL VPN and administrative sessions is the containment step that breaks live access. Password resets address known and unknown credential exposure. MFA limits replay. PBKDF2 migration reduces the value of stolen configuration hashes. Management access restrictions reduce the number of systems attackers can test. Log review determines whether the appliance was just exposed or actually used as a pivot.

The log review should be wide. Firewall and VPN logs can show unexpected administrator access, unfamiliar source IPs, strange login times, failed sprays, successful logins after long dormancy, new local users, password resets, policy changes, route changes, certificate changes, and configuration exports. Domain controller and identity logs can show lateral movement after the perimeter event, such as unusual use of LDAP bind accounts, new privileged accounts, VPN users authenticating from rare geographies, or service accounts appearing outside their normal pattern. Configuration comparison against a known-good backup can catch subtle persistence that normal event review may miss.

The response also needs to cover more than human administrator passwords. Local Fortinet administrators, VPN users, API accounts, service accounts, LDAP and RADIUS bind accounts, TACACS+ secrets, SAML-related credentials, shared accounts, and any reused credentials on adjacent edge devices should be rotated where exposure is plausible. If packet capture or traffic inspection occurred, downstream application credentials may also need review. Treating this as a single admin password reset can leave the real blast radius untouched.

Management exposure is another core issue. Fortinet recommends trusted hosts as a baseline, local-in policy as a stronger control, and removal of internet administration as the preferred end state. That hierarchy is correct. Internet-facing firewall administration creates a public test surface for credential abuse. Even with MFA, every exposed login endpoint becomes an opportunity for enumeration, spraying, social engineering follow-up, and future vulnerability exploitation. Admin access should be reachable through controlled management networks, jump hosts, VPN paths with strong MFA, and explicit source restrictions.

This incident also fits a broader pattern. Perimeter appliances have become high-value identity targets, not just vulnerability targets. Attackers do not always need a new exploit if they can reuse credentials from an old one. They do not need malware on an endpoint if a firewall hands them remote access. They do not need to decrypt the whole network if the gateway already sees enough traffic to collect the next set of secrets. FortiBleed shows how yesterday’s breach data, today’s exposed management interface, and legacy password storage can combine into a current intrusion path.

The name makes the campaign sound like a single wound. The real problem is more structural. Many organizations still operate perimeter devices as static infrastructure, patched on a schedule and checked during audits, rather than as identity-bearing systems that need continuous credential rotation, configuration drift review, management-plane isolation, and telemetry. A firewall is not just a box that filters traffic. It is a privileged identity system with routes, secrets, sessions, and trust relationships attached to it.

For Fortinet customers, the near-term answer is clear: terminate sessions, rotate credentials, confirm MFA, upgrade to supported FortiOS branches, force PBKDF2 migration, remove legacy hashes, review logs, compare configurations, and restrict management access. For any environment with signs of unauthorized configuration changes, unexpected accounts, suspicious VPN activity, or packet capture use, treat the appliance as compromised and investigate internal movement from that point forward.

How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

Today’s Topics:

• INTERPOL Warns Cybercrime Is Surging Across Asia-Pacific as Phishing, Ransomware, and AI Scams Scale Up
• The Gentlemen Ransomware Shows How Former Affiliates Are Building Faster, Leaner RaaS Operations
• How can Netizen help?

INTERPOL Warns Cybercrime Is Surging Across Asia-Pacific as Phishing, Ransomware, and AI Scams Scale Up

Cybercrime is rising sharply across Asia and the South Pacific, with phishing, ransomware, banking malware, information stealers, deepfakes, and AI-assisted fraud placing new pressure on governments, businesses, and law enforcement agencies across the region. A new INTERPOL assessment says the threat environment has been shaped by fast digital adoption, wider internet access, organized criminal networks, uneven cybersecurity maturity, and the growing use of artificial intelligence in online crime.

According to INTERPOL’s 2025/2026 Asia and South Pacific Cyberthreat Assessment Report, phishing is now the most widespread and financially damaging form of cybercrime reported across the region. A third of countries covered in the assessment recorded more than 10,000 phishing cases between January 2024 and March 2025. More than half of INTERPOL member countries also reported that cybercrime made up at least 30% of all nationally recorded crime.

The numbers point to a broader shift in how cybercrime is operating. Phishing is no longer limited to low-effort credential theft emails or generic lures. Criminal groups are combining social engineering, fake login pages, malware delivery, business impersonation, and AI-generated content to reach more victims at scale. In many cases, phishing now serves as the entry point for broader fraud, account takeover, ransomware deployment, or data theft.

Ransomware also remains a major threat across the Asia-Pacific region. INTERPOL estimated that more than 135,000 ransomware-related attacks affected the region in 2024, with real estate, manufacturing, and financial services among the most heavily impacted sectors. These industries are attractive targets due to their operational reliance on digital systems, high-value data, financial exposure, and limited tolerance for downtime.

Ransomware groups are also increasing pressure during extortion by using victims’ regulatory and legal obligations against them. Rather than relying only on encryption, attackers may steal data, threaten public leaks, contact customers, reference compliance requirements, or use breach disclosure timelines to force faster payment decisions. This makes ransomware a legal, financial, operational, and reputational crisis, not just a technical incident.

INTERPOL also warned that AI-enabled scams are becoming more common, especially in impersonation and fraud campaigns. Deepfake audio, synthetic video, AI-generated personas, and more convincing written messages are being used to impersonate executives, manipulate victims, authorize fraudulent transfers, and support romance or investment scams. These tools reduce the skill required to produce believable social engineering content and allow criminal groups to run higher-volume campaigns with more convincing narratives.

The report also points to the industrialization of cyber-enabled fraud by transnational organized crime groups. Scam centers in Cambodia, Laos, Myanmar, and the Philippines have been linked to large-scale fraud operations that use forced labor to conduct investment scams, romance baiting schemes, and other online fraud. INTERPOL said organized crime groups in Myanmar, Cambodia, and Laos have used deepfakes in romance baiting scams, combining AI personas with social engineering in schemes tied to billions of dollars in regional cybercrime losses.

Malware activity is also expanding. Banking trojans and information stealers ranked as the second most common category of cybercrime in the report, with families such as RedLine, Lumma, LokiBot, Negasteal, and ZBot appearing among the most active threats. These tools are often used to harvest browser-stored credentials, session cookies, cryptocurrency wallet data, system information, and authentication material that can later be sold, reused, or combined with other intrusion activity.

Phishing link engagement in the region also exceeded the global average. INTERPOL reported that 5.5 out of every 1,000 individuals in Asia and the South Pacific clicked phishing links monthly, compared with a global average of 2.9 per 1,000. That higher rate gives attackers more opportunities to harvest credentials, compromise accounts, deliver malware, and move into business email compromise or identity fraud.

Distributed denial-of-service attacks also increased sharply, rising 92% in 2024 compared with the prior year. These attacks can be used to disrupt public services, pressure businesses, distract defenders, or support extortion campaigns. For organizations with weak network resilience or limited incident response capability, DDoS activity can create service outages that damage operations and public trust.

System intrusions remain a major driver of data breaches, accounting for about 80% of all data breach activity in 2024, according to the report. INTERPOL cited misconfigured systems, weak encryption, insecure APIs, and insufficient monitoring as common weaknesses attackers exploit to gain access to target networks. These issues are familiar to defenders, but their impact grows as organizations move more services online and expose more cloud, application, and identity infrastructure to the internet.

The rise in deepfake abuse has also created new risks beyond financial fraud. INTERPOL warned that synthetic media is being used for sexual exploitation, blackmail, and coercion. That threat category shows how AI-enabled cybercrime can cross from enterprise risk into personal harm, placing pressure on law enforcement agencies to respond to both technical abuse and human exploitation.

The regional trend is clear: cybercrime across Asia and the South Pacific is becoming more organized, more automated, and more closely tied to traditional criminal enterprises. Phishing, ransomware, infostealers, deepfakes, and online scams are no longer separate threat categories. They increasingly operate as connected parts of a broader criminal economy, where stolen credentials, synthetic identities, malware access, extortion, and fraud infrastructure support one another.

INTERPOL said law enforcement organizations across the region are scaling joint efforts to disrupt cybercriminal infrastructure, coordinate investigations, share intelligence, train personnel, and strengthen cyber resilience policies. That cooperation will be necessary as criminal groups continue using AI, ransomware-as-a-service, social engineering, and cross-border infrastructure to target victims at scale.

For organizations, the report reinforces the need to treat phishing resistance, ransomware readiness, identity security, endpoint visibility, API hardening, monitoring, incident response planning, and employee training as connected defensive priorities. The threat is no longer limited to isolated scams or opportunistic malware. It is a regional cybercrime ecosystem built to exploit weak controls, human trust, exposed systems, and the growing use of AI in both business and crime.

The Gentlemen Ransomware Shows How Former Affiliates Are Building Faster, Leaner RaaS Operations

The Gentlemen ransomware operation is a case study in how the ransomware-as-a-service economy is changing. The group did not appear as a fully isolated criminal brand with no prior tradecraft behind it. Reporting from PRODAFT, Microsoft, Check Point Research, Huntress, Trend Micro, and other threat intelligence teams indicates that The Gentlemen grew out of earlier affiliate activity tied to established ransomware ecosystems, then moved into its own independent partnership program after disputes, leaks, and instability inside the underground market.

PRODAFT tracks the group as Phantom Mantis and says it was initially known as ArmCorp. The operation has been active since March 2025 and is assessed to be led by a Russian-speaking threat actor tracked as LARVA-368, associated with aliases including hastalamuerte, ArmCorp, zeta88, nobody0, and santamuerte. Before launching The Gentlemen as a standalone program, the actor is said to have worked with or borrowed from ransomware ecosystems linked to LockBit, Qilin, Medusa, and Embargo. That background matters, since The Gentlemen does not look like a novice operation. It looks like a group built by people who already knew how ransomware crews recruit affiliates, manage panels, negotiate payments, move data, and pressure victims.

The operation’s shift from ArmCorp into The Gentlemen appears to have accelerated in July 2025 after a dispute with Qilin, with LARVA-368 alleging that roughly $48,000 in affiliate commissions had been withheld. That dispute fits a larger pattern in the ransomware market. Since 2023, major crews have been disrupted, exposed, rebranded, or accused of cheating affiliates. LockBit was hit by law enforcement action, ALPHV collapsed after payment controversy, RansomHub disappeared from public view, and several smaller crews splintered into private or semi-private programs. In that climate, experienced affiliates have more incentive to build their own platforms rather than depend on larger brands that may steal commissions, lose infrastructure, or attract too much law enforcement pressure.

The Gentlemen’s growth has been tied closely to that affiliate-first model. Check Point Research reported that the group publicly claimed more than 320 victims by April 2026, with 240 of those claims occurring in the first months of 2026. Halcyon has assessed that the group offered affiliates a 90/10 revenue split, giving affiliates 90 percent of ransom proceeds. That is higher than the 70/30 or 80/20 split common across many RaaS programs, making it a strong recruitment tool for operators who already have access, tradecraft, and victim pipelines.

This is one reason The Gentlemen should be seen as a business-model threat, not just a malware threat. The ransomware itself is dangerous, but the affiliate structure is what allows the operation to scale. Operators provide the locker, infrastructure, support, leak site, and build process. Affiliates bring access, execute intrusions, steal data, deploy ransomware, and negotiate with victims through their own Tox or messaging identifiers. That separation lets the core program support many intrusions without directly conducting each one.

The group’s internal communications, later exposed through leaks affecting its Rocket.Chat environment, gave researchers an unusually clear view into how the operation functioned. PRODAFT said it identified 34 registered users in the group’s Rocket.Chat instance between May 2025 and April 2026. Check Point Research reported that leaked material included conversations about initial access, edge appliance exploitation, affiliate roles, shared tools, backend systems, victim handling, and ransom negotiations. The leak also exposed accounts connected to the administrator, who reportedly managed infrastructure, built lockers, handled the RaaS panel, and oversaw payouts.

The internal structure shows a division of labor that resembles a criminal services platform. One role, referred to as The Gentlemen Data, appears focused on data exfiltration support, helping move stolen information from affiliate-controlled cloud storage into The Gentlemen infrastructure for publication on the group’s leak site. LARVA-368 and related support channels appear to have helped affiliates with encryption, intrusion troubleshooting, and security-tool bypasses. Support moved through Tox, SimpleX Chat, Ricochet Refresh, and other messaging platforms after the Rocket.Chat leaks damaged the group’s internal trust.

The affiliate panel also reflects the maturity of the operation. PRODAFT reported that prospective affiliates needed to provide at least 1 GB of exfiltrated victim data before gaining access to the panel, a vetting method also seen in other ransomware crews trying to keep researchers and law enforcement out. The panel reportedly allowed affiliates to configure targets, build ransomware packages, download lockers, manage users, and track victim states. That kind of infrastructure lowers friction for affiliates and helps standardize attacks across different operators.

The ransomware payload is built for broad enterprise coverage. Reporting indicates that The Gentlemen supports Windows, Linux, ESXi, older Windows systems, and LVM environments. Microsoft tracks the operators as Storm-2697 and described the Windows encryptor as a Go-based ransomware family obfuscated with Garble. Microsoft also reported that the ransomware can use self-propagation logic, turning a single-host encryptor into malware that attempts to spread across reachable systems once enabled by the operator. That feature raises the risk of domain-wide impact after initial access, particularly in flat networks with weak segmentation and overprivileged accounts.

The ransomware’s options show a focus on speed, reach, and recovery disruption. Analysts have reported features for local encryption, network share encryption, delayed execution, selective scope, self-deletion, free-space wiping, GPO-based deployment, and propagation using credential material. ESXi support gives the group a path to affect virtualization infrastructure, where encrypting hosts or datastores can impact many workloads at once. LVM support extends the reach against Linux storage configurations and block-device targets. This cross-platform coverage reflects how modern ransomware crews build for mixed enterprise environments rather than single endpoint classes.

Incident reporting from Huntress and Trend Micro also shows that affiliates deploying The Gentlemen have used common enterprise intrusion tradecraft before encryption. Observed activity has included scheduled task abuse, Windows scripting, log clearing, Defender tampering, antivirus exclusions, remote access tooling such as AnyDesk, Group Policy manipulation, privileged account compromise, encrypted file transfer, and legitimate driver abuse. These techniques are not new on their own. The risk comes from how they are packaged into a repeatable affiliate workflow backed by a growing RaaS program.

Initial access patterns also match broader ransomware trends. Researchers have pointed to exposed edge devices, VPN appliances, firewall infrastructure, stolen credentials, and public-facing services as common entry paths. Check Point’s analysis of an affiliate-linked incident involving SystemBC found more than 1,570 victims connected to the relevant command-and-control server, with signs that many were corporate or organizational environments. SystemBC is often used in human-operated ransomware intrusions to create proxy access, support tunneling, and enable later payload delivery.

The Gentlemen’s use of AI, as described by PRODAFT, adds another layer to the story. LARVA-368 reportedly used AI to assist with ransomware and tool development, maintenance, and post-exploitation procedures. That does not mean AI created the operation by itself. The more realistic concern is that AI can reduce development time, help operators troubleshoot code, generate scripts, translate instructions, maintain panels, and produce procedural guidance for affiliates. For groups already familiar with ransomware operations, AI can act as a force multiplier across coding, documentation, support, and attack planning.

How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

Today’s Topics:

• Self-Replicating AI Worm Shows Malware Can Reason Its Way Through a Network
• U.S. Order Pulling Anthropic’s Fable 5 and Mythos 5 Turns AI Cyber Capability Into a National Security Fight
• How can Netizen help?

Self-Replicating AI Worm Shows Malware Can Reason Its Way Through a Network

University of Toronto researchers have demonstrated a proof-of-concept AI worm that changes one of the oldest assumptions in worm defense: that the malware arrives with a fixed exploit path. In a preprint posted to arXiv on June 2, a team from the University of Toronto, the Vector Institute, the University of Cambridge, and ServiceNow described an AI-driven worm that used a locally hosted open-weight large language model to inspect systems, plan attacks, gain elevated access, and copy itself across a network without human direction.

The research does not describe malware released into the wild. The worm was tested inside an isolated virtual environment, and the authors withheld operational details from the public paper. Still, the results are a warning about where autonomous offensive tooling is heading. This prototype did not rely on OpenAI, Anthropic, Google, or another commercial model provider. It used a local model running on a single GPU, which means provider-side controls such as account suspension, rate limits, refusals, and API revocation would not stop the core mechanism.

Traditional worms are usually constrained by the exploit logic built into them before deployment. They scan for systems matching a known condition, run a known payload, and spread if that specific path works. Patch the vulnerability, block the traffic pattern, or remove the exposed service, and the worm’s propagation path can collapse.

The Toronto prototype works differently. It uses the model as an attack engine. The worm identifies what is exposed on a target, reasons about the likely weakness, generates or adapts an attack plan, attempts exploitation, troubleshoots failures, and then stages a replica if access is obtained. The attack path is not fixed at build time. It is produced during execution.

The researchers tested the worm across 15 independent runs inside a deliberately vulnerable 33-host network named FakeCorp. The network included Ubuntu, Debian, Alpine Linux, Rocky Linux, CentOS Stream, Windows Server 2008 R2, Windows Server 2019, Windows Server 2022, and IoT-style devices. Each host was seeded with at least one realistic vulnerability or weakness drawn from sources such as the CISA Known Exploited Vulnerabilities catalog, OWASP Top 10 categories, and MITRE ATT&CK techniques.

Across seven days of autonomous operation per run, the worm identified an average of 31.3 vulnerabilities, gained elevated access on 23.1 hosts, and launched independent replicas on 20.4 hosts. In percentage terms, it obtained elevated access on 73.8% of the network and replicated to 61.8%. The worm reached up to seven generations of self-replication, with a mean of 5.1 generations.

The result is significant less for the raw success rate than for the operating model. The test network was intentionally vulnerable and did not include active endpoint defense, antivirus, or firewall enforcement. The authors make that limitation clear. The experiment measured whether an autonomous agent could reason across a mixed network, adapt to different host types, and sustain propagation, not whether it could defeat a mature production security program.

Even with those limits, the mechanics are difficult to ignore. The worm did not need a universal exploit. It could use one route on a Linux host, another on a Windows system, and another against a web application or exposed service. In one run, the propagation tree crossed multiple generations and operating systems, showing how the model could treat each host as a separate problem rather than a copy of the previous target.

The paper also undercuts the idea that model training cutoffs create a stable defensive boundary. The worm successfully exploited test hosts configured with three vulnerabilities disclosed after the model’s training period: the Marimo pre-authentication RCE tracked as CVE-2026-39987, the Linux kernel Copy Fail privilege escalation tracked as CVE-2026-31431, and the Dirty Frag Linux kernel privilege-escalation chain tracked through CVE-2026-43284 and CVE-2026-43500. The agent did this by ingesting public advisory information at runtime and converting it into working attack logic inside the lab environment.

That finding connects directly to real-world exploitation timelines. Sysdig reported that CVE-2026-39987 in Marimo was exploited within 9 hours and 41 minutes of public disclosure, before public proof-of-concept code was available. In a later investigation, Sysdig also documented an intrusion where an attacker used an LLM agent during post-exploitation after compromising an internet-facing Marimo instance. The observed attack moved from initial access to internal database exfiltration in under an hour.

The broader pattern is not limited to one research paper. Google Threat Intelligence Group reported in May that it had identified what it assessed with high confidence as a zero-day exploit developed with AI assistance, intended for a planned mass exploitation event. Google also reported malware families using AI-linked techniques for dynamic modification, decoy logic, and autonomous command generation. Anthropic reported in November 2025 that it disrupted a cyber-espionage campaign attributed with high confidence to a China-linked state-sponsored group, where Claude Code allegedly handled most of the intrusion workflow across reconnaissance, exploitation, credential harvesting, lateral movement, and exfiltration.

The Toronto work pushes that trend into worm propagation. Earlier AI worm research, such as Morris II, focused on adversarial self-replicating prompts spreading through GenAI applications and retrieval-augmented generation systems. In that model, the AI application is the propagation medium. In the Toronto prototype, the LLM is not the victim ecosystem. It is the reasoning layer driving attacks against ordinary network infrastructure.

The compute model is part of the concern. The worm was built around the idea that compromised machines can supply reach, compute, or both. GPU-equipped hosts can become inference nodes for other infected machines that lack the resources to run the model locally. In a poorly segmented network, a compromised AI workstation, research server, rendering box, or machine learning node could become more than another endpoint. It could become a local reasoning hub for autonomous activity.

That changes the containment problem. Blocking outbound calls to commercial AI services would not address a worm using local open-weight inference. Revoking API keys would not matter if the model is already running on victim-controlled compute. Provider-side safety controls can still reduce abuse of hosted systems, but they are not a complete answer for malware that brings its own model or steals the compute needed to run one.

The prototype also showed signs that defenders should start thinking beyond static indicators. The authors reported that individual exploitation attempts succeeded 44% of the time, with many failures tied to malformed payload syntax rather than poor strategy. That weakness may shrink as code-generation models improve. They also observed the agent establishing persistence in two trajectories through mechanisms that were not part of the intended experiment, including service registration and scheduled task behavior. The researchers removed those mechanisms when they appeared, but the behavior shows how goal-directed agents can infer operational steps that were not explicitly coded into the harness.

For defenders, the immediate lesson is not that every network now faces a fully autonomous AI worm. The lab environment was favorable to the attacker, and the implementation has not been publicly released. The lesson is that vulnerability management, segmentation, credential hygiene, and telemetry need to account for malware that can adapt during execution.

GPU-capable systems deserve closer treatment in enterprise threat models. They are no longer just expensive workstations or infrastructure for AI teams. In an autonomous intrusion scenario, they can provide the compute needed for local reasoning. These systems should be segmented, monitored for unusual inference workloads, and restricted from broad lateral reach.

Published advisories also need to be treated as near-term weaponization material. The Marimo exploitation window showed that attackers can move from advisory text to working intrusion activity within hours. The Toronto worm’s ability to use newer advisory information inside the test environment reinforces the same point. Patch prioritization can no longer rely only on severity scores and monthly cycles. Internet exposure, exploitability, compensating controls, and credential access paths need to drive response.

Credential reuse remains one of the fastest propagation paths. An adaptive worm does not need a novel exploit for every host if harvested credentials, exposed keys, or weak service accounts let it move laterally. Any host that is compromised or credibly suspected should trigger credential rotation for secrets reachable from that system, including cloud keys, SSH keys, service tokens, database credentials, and local admin material.

Detection programs also need behavioral logic for autonomous agents. Useful signals may include unusual process trees launching scanning tools, automated SSH key injection, repeated failed payload generation across multiple hosts, unexpected package installation followed by agent startup, nonstandard local inference activity, unexplained GPU utilization, and clusters of command execution that look like machine-speed troubleshooting rather than human terminal use.

The central issue is not that AI creates a new category of vulnerability from nothing. It compresses the time between discovery, interpretation, exploitation, and propagation. A worm that can read advisories, test paths, recover from errors, and copy itself does not need attackers to manually script every step. It turns public vulnerability knowledge into operational movement.

The research is still a controlled demonstration, but the direction is clear. The next meaningful shift in worm behavior may not come from a single devastating exploit. It may come from malware that can decide which exploit, weakness, credential, misconfiguration, or exposed service makes sense next.

U.S. Order Pulling Anthropic’s Fable 5 and Mythos 5 Turns AI Cyber Capability Into a National Security Fight

Anthropic took its most advanced AI models offline after the U.S. government ordered the company to suspend access to Claude Fable 5 and Claude Mythos 5 for foreign nationals, a sudden intervention that turned a model-safety dispute into one of the clearest examples yet of AI capability being treated like a controlled national security asset.

The company said it received the directive at 5:21 p.m. Eastern time on June 12. The order applied to foreign nationals inside and outside the United States, including Anthropic employees. Anthropic said the practical effect was that it had to disable Fable 5 and Mythos 5 for all customers to comply, though access to the company’s other Claude models was not affected.

The shutdown came only days after Anthropic launched Fable 5 as its first broadly available Mythos-class model. Fable 5 was the public-facing version, built on the same underlying model family as Mythos 5 but wrapped in stricter safety controls. Mythos 5, by comparison, was reserved for a smaller group of vetted cyber defenders and critical infrastructure partners through Anthropic’s trusted-access programs, with certain cybersecurity safeguards lifted for authorized defensive work.

That distinction is at the center of the dispute. Anthropic’s own launch materials described Mythos-class systems as more capable than its Opus models, with strong performance across software engineering, cyber tasks, scientific work, and long-running agentic workflows. The company said Fable 5 used classifiers and fallback behavior to block high-risk cybersecurity requests, including attack planning, exploit development, and defense evasion. For many cyber-related prompts, Fable 5 was supposed to route the user to a less capable model or refuse the request.

The government’s concern appears to have focused on whether those protections could be bypassed. Anthropic said officials told the company they were aware of a potential method for jailbreaking Fable 5. According to Anthropic, the method it reviewed involved asking the model to inspect a specific codebase and fix software flaws, producing a small number of known and relatively minor vulnerabilities. The company argued that the demonstrated capability was not unique to Fable 5 and could be reproduced with other publicly available models.

That argument has not ended the controversy. Reuters reported that U.S. officials saw a risk that the models could be diverted to military intelligence use in adversarial countries, including China and Russia. Semafor separately reported that the decision was linked to fears that a China-linked group may have accessed the models. The Wall Street Journal and other outlets reported that Amazon security researchers raised concerns after using prompts that allegedly led Fable 5 to return information that could aid cyberattacks, and that Amazon CEO Andy Jassy discussed those concerns with the White House.

David Sacks, a senior White House AI adviser, publicly argued that a trusted partner of both Anthropic and the U.S. government had found a jailbreak that Anthropic refused to fix before the government moved. Anthropic rejected the idea that the reported issue justified recalling a commercial model deployed at scale, saying it had not received technical evidence of a broad jailbreak and that no universal jailbreak had been demonstrated against Fable 5.

The fight is not just about one model. It is about how governments, AI labs, cloud providers, and defenders draw the line between legitimate security work and offensive capability. Anthropic’s own red-team research had already raised the stakes. Days before the shutdown, the company published findings showing that Mythos Preview could turn recently disclosed vulnerabilities into working exploits far faster than traditional patch cycles assume.

In Anthropic’s N-day testing, Mythos Preview produced working exploits against Firefox vulnerabilities and full privilege-escalation chains against Windows kernel vulnerabilities. The company said the model generated its first Windows proof of concept in 31 minutes and produced multiple full exploit chains for a few thousand dollars in API credits. Anthropic’s conclusion was blunt: the old assumption that attackers need expert-weeks to weaponize patches is breaking down.

That context makes the government’s reaction easier to parse. A model that can compress exploit development from weeks into hours changes the risk calculation around public advisories, patch diffing, and delayed remediation. The same capability can help defenders validate fixes, understand exploitability, and prioritize patches. It can also help attackers move faster against organizations still sitting inside the patch gap.

Fable 5 was supposed to solve that tension through safeguards. Mythos 5 was supposed to limit the highest-risk cyber capabilities to vetted users. The government’s order suggests officials were not satisfied that Anthropic’s controls, monitoring, and access restrictions were enough, at least once the alleged jailbreak and foreign-access concerns entered the picture.

Cybersecurity leaders have pushed back. A group led by former Facebook security chief Alex Stamos argued that restricting Fable 5 harms defenders more than attackers, since comparable capabilities are available through other frontier models and open models. Their position is that security teams need access to the same level of automation attackers are beginning to use, especially for exploit validation, code review, patch triage, and defensive research.

That is the operational dilemma. If frontier cyber models are locked down too tightly, authorized defenders lose speed. If they are released too broadly, offensive users may gain a cheaper route to exploit development. If access is limited by nationality rather than risk, companies with global teams can lose the ability to run their own products. Anthropic said the directive was broad enough to include foreign-national employees, which made selective compliance difficult and forced the wider shutdown.

The case also puts cloud and supply-chain politics in the middle of AI security. Amazon is both a major Anthropic investor and a cloud partner. Its reported role in raising concerns to the White House has drawn attention to how much influence large infrastructure providers may have over the future of model deployment. A security finding from a partner can become a regulatory event if it reaches government officials at the right moment.

For enterprises, the most immediate lesson is that AI access is becoming a dependency risk. Organizations building workflows around frontier models may have to plan for sudden policy-driven outages, regional restrictions, nationality-based controls, or trusted-access gates. That matters for software development, SOC workflows, vulnerability management, secure code review, incident response, and any business process tied to model-specific performance.

The case also signals that AI governance is moving from voluntary safety frameworks into hard national security controls. Frontier models are being evaluated less like ordinary SaaS products and more like dual-use infrastructure. Cyber capability, biological capability, agentic autonomy, data retention, user vetting, export controls, and monitoring are becoming part of the same policy conversation.

For defenders, the issue should not be reduced to whether Fable 5 should or should not have been suspended. The more durable issue is that model-assisted exploit development is now credible enough to trigger emergency government action. That alone should change how security teams think about patch windows, exposure management, and cyber tooling.

Patch Tuesday can no longer be treated as a slow-moving administrative cycle if models can turn public patches into working attack paths within hours. Internet-facing systems need faster triage. Critical vulnerabilities need temporary controls when patching cannot happen immediately. Security teams need better exploitability analysis, stronger asset visibility, and faster validation that mitigations actually work.

At the same time, defenders will need clear, auditable ways to use advanced AI safely. Trusted-access programs, identity-gated cyber models, enterprise monitoring, approved-use scoping, and stronger account security are likely to become standard features for high-capability defensive AI. The question is whether those controls can be precise enough to support real defense without handing the same capability to malicious users.

How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.