Weekly Cybersecurity Roundup: Dormant Code, Record Patches, and AI on Both Sides of Security
AI Appreciation Day arrived alongside a reminder that scale does not always require automation. Dutch and Belgian police disrupted an investment fraud network staffed by more than 700 people across around 20 call centers.
Attackers are testing everything from dormant capabilities and active exploitation to trusted features. Defenders are also finding and fixing vulnerabilities at record scale, with Microsoft addressing at least 570 security flaws in July and attributing it to AI-assisted discovery.
Google and Microsoft Remove ModHeader Extension After Dormant Data Collector Is Discovered
Google and Microsoft removed ModHeader from their browser extension stores after researchers identified a dormant data-collection mechanism embedded in the genuine, signed version of the developer tool. The extension had about 1.6 million combined Chrome and Edge installations before Microsoft removed it on July 3, followed by Google. Although an empty allowlist prevented the collector from operating and no evidence indicates that browsing data was captured or transmitted, its endpoint, encryption key, scheduling, storage, and collection components were already present. Researchers said the mechanism could have been activated through an extension update without requesting additional permissions, while separate telemetry transmitted the product name, browser type, and version information during installation, updates, and removal.
LabubaRAT Poses as NVIDIA Software to Establish Remote Windows Access
Blackpoint Cyber’s Adversary Pursuit Group (APG) discovered LabubaRAT, a new Windows remote access trojan disguised as NVIDIA software. Once executed, it collects information about the computer and installed security products before connecting to its operator. Attackers can then run commands, transfer or delete files, capture screenshots, execute scripts, and use the infected PC to relay network traffic. The malware can communicate through HTTPS, WebView2, or DNS tunneling and can restart automatically when the user signs in. Its configurable design allows the same file to be reused with different servers and victim groups.
Two Exploited Zero-Days Lead Microsoft’s Record July Patch Tuesday
Microsoft’s July Patch Tuesday addressed at least 570 security flaws, including nearly 60 rated critical and more than 250 involving privilege escalation. Three qualified as zero-days, with vulnerabilities in Active Directory Federation Services and SharePoint already being exploited, while a publicly disclosed BitLocker bypass had not been observed in attacks. The release also resolved a critical Microsoft Copilot flaw that could allow remote code execution through crafted prompts triggered by a malicious website. Microsoft linked the growing volume of security fixes to AI-assisted vulnerability discovery.
Dutch and Belgian Police Disrupt 700-Person Investment Fraud Network
Dutch police, working closely with Belgian police, investigated an international investment fraud organization that allegedly operated around 20 call centers with more than 700 people posing as financial advisers. The suspected 46-year-old organizer was arrested at an airport in Poland on May 26 at the Dutch police’s request and later extradited to the Netherlands. Five further suspects were detained in July during coordinated operations in Cyprus, Belgium, and Athens. Police estimate that the network collected over €100 million monthly by cultivating victims’ trust and directing them to fraudulent investment platforms.
Study Finds Trackers Active on 73% of U.S. Healthcare Websites Despite Privacy Opt-Out Signal
A study by Piwik PRO and Verified Data scanned 59 websites operated by major U.S. hospitals and clinics. Advertising or marketing trackers remained active on 73% of the sites even when browsers transmitted a Global Privacy Control signal, which tells website operators that users do not want their personal data sold or shared. Researchers also found marketing cookies on 69% of the sites and identified 75 tracking technologies, including Meta Pixel, Google Analytics, Microsoft Advertising, and session replay tools. Some tracking appeared capable of operating without cookies, meaning standard cookie blocking may not prevent data collection. The study did not determine whether protected health information was transmitted.
AI Helped Build an IoT Botnet but Also Left It Riddled With Errors
Palo Alto Networks’ Unit 42 revealed TuxBot v3, previously undocumented malware designed to infect routers and other internet-connected devices and use them in DDoS attacks. A large language model helped produce much of its code but also left behind safety warnings, confused notes, and technical mistakes. Even with those errors, researchers found that around 70% of the botnet worked, including its ability to scan devices, remain installed, receive commands, and launch attacks. TuxBot supports 17 types of device processors and tries 1,496 username and password combinations to break into vulnerable equipment. Its command server has been active since March 2026, and newer samples found in April suggest that improved versions may exist.
New Spirals Ransomware Deployed Across South Asian IT Firm in Under 24 Hours
A previously unseen ransomware called Spirals was used against an unnamed IT services company in South Asia on June 16 and 17. The attackers entered through a public-facing Microsoft web server and installed a malicious remote-access script. Within hours, they created hidden access routes, stole login credentials, disabled security software, and moved to other systems. Less than a day after the initial breach, they pushed the ransomware on servers and workstations after stopping backup, database, and virtualization services that could obstruct encryption. The ransom note gave the victim six days to pay before stolen data would be published, but researchers have identified only one victim so far and do not know who operates the malware.
Cyberstalkers Abuse Chrome Sync to Copy Browsing History and Saved Passwords
Cybercriminals are misusing Google Chrome’s synchronization feature on phones and computers to monitor people. Someone with a few minutes of access to an unlocked device can sign in to Chrome with a Google account they control and enable synchronization. Browsing history and passwords subsequently saved in Chrome may then be copied to that account and viewed remotely without installing spyware. The victim may receive no clear warning because the new account and its security alerts belong to the stalker. Users can check which account appears in Chrome settings, remove anything unfamiliar, and change important passwords, while the researchers urged Google to introduce clearer notifications whenever synchronization is activated.
When Technology Plays Both Sides of Cybersecurity
Impersonation, cyberespionage, and surveillance remained visible throughout the week. Cyberstalkers turned everyday technology into a surveillance tool, with victims receiving little warning, while trackers on healthcare websites remained active despite users signaling that they did not want their data sold or shared.
With AI accelerating vulnerability discovery for defenders while assisting botnet development for threat actors, its expanding role makes the future direction of the cybersecurity landscape difficult to predict.






