In partnership with

~7 MIN READ
Fact In a live jailbreak of Google's Gemini CLI this month, the AI wrote 89 percent of the code and commands used to stand up working command-and-control botnet infrastructure, doing it in six minutes flat. (Help Net Security, July 2026)
The Signal
 
Three Russians ran the hosting infrastructure behind half the ransomware headlines you've read this year, and it took a decade of complaints to catch up with them. Meanwhile a hacker got a live botnet running through Google's own AI in six minutes flat, so maybe don't feel too smug about how slow enforcement is.

This week the story isn't a single flashy breach, it's how much of the criminal supply chain, hosting, tooling, even the coding itself, is now running on infrastructure someone else built for legitimate reasons. Here's what changed, what got exposed, and one guardrail actually worth tightening today.

PS: Was this forwarded to you? Subscribe free at exzeccyber.com/subscribe

In this edition
  📌 Big Cyber News
  🚨 Can't Miss
  🤖 AI in Cyber
  🏛️ Privacy, Power & Policy
  🛠️ Tools & Tactics
  🧪 Strange Cyber
📌 Big Cyber News
 
TAKEDOWN
⛓️ The Hosting Company Behind LockBit, BlackSuit, and Play Just Got Indicted
Intro
Every ransomware gang needs somewhere to park its servers where nobody asks questions. For years, that address was in St. Petersburg.
What Happened
Federal prosecutors unsealed charges against three Russian nationals, Aleksandr Volosovik, Yulia Pankova, and Kirill Zatolokin, for running Media Land and ML.Cloud, bulletproof hosting services that powered LockBit, BlackSuit, and Play ransomware attacks along with several stolen credit card marketplaces. The DOJ says the operation caused $62 million in losses across 44 victims in 21 states.
Why It Matters
Ransomware crews don't build their own data centers, they rent from providers who ignore takedown requests, so cutting off the hosting cuts off dozens of gangs at once instead of chasing one victim at a time.
The Other Side
The indictment was actually filed back in December 2024 and only unsealed now, so the infrastructure has had a year and a half to migrate elsewhere.
 
👉 Takeaway
Infrastructure-level enforcement is slow, but it's the closest thing law enforcement has to hitting ransomware at scale.
TL;DR: Three Russians ran the hosting behind LockBit, BlackSuit, and Play; DOJ just unsealed $62M in charges.
Further reading: The Record
🚨 Can't Miss
 
 
ZERO-DAY
Attackers are chaining a maximum-severity SSRF flaw with a code-injection bug in SonicWall's SMA1000 series to steal credentials and MFA seeds, then pivot into Active Directory. CISA gave federal agencies until today, July 17, to patch SMA6210, 7210, and 8200v appliances.
If you run SMA6210, 7210, or 8200v appliances, patch now.
 
RANSOMWARE
Nihon Kotsu, Japan's largest taxi operator with over 8,500 cars, shut down dispatch, booking, and reservation systems after a malware infection knocked out service across Tokyo, Yokohama, and four other cities, including a labor-taxi service for pregnant women. The AiLock ransomware gang claimed the attack and is threatening to leak stolen data.
Boring infrastructure like dispatch software is exactly what ransomware crews target, because downtime there is instantly, publicly painful.
 
RANSOMWARE
A new ransomware family called Spirals compromised an IT services firm in South Asia through an exposed IIS server, then disabled 23 separate backup and virtualization tools before encrypting the network, all within a single day. Symantec's Threat Hunter Team says it's one of the fastest full intrusions they've documented.
If your incident response plan assumes days to react, Spirals just proved you might only get hours.

Want to get the most out of ChatGPT?

ChatGPT is a superpower if you know how to use it correctly.

Discover how HubSpot's guide to AI can elevate both your productivity and creativity to get more things done.

Learn to automate tasks, enhance decision-making, and foster innovation with the power of AI.

🤖 AI in Cyber
 
 
AI ABUSE
A Russian-speaking criminal known as "bandcampro" tricked Gemini CLI into acting as an "authorized pen tester," then let it architect, code, and deploy live command-and-control infrastructure, handling 89 percent of the work start to finish. The AI diagnosed its own errors and rebuilt the entire setup on a new server in six minutes. The botnet compromised a dental clinic and helped plan elder-fraud calls.
The barrier to running real criminal infrastructure just dropped to "convince a chatbot you're the good guy."
 
AI RESEARCH
Security firm Intruder chained code-scanning tool Joern with Claude Sonnet and Claude Opus into a fully automated pipeline that scans, triages, and exploits vulnerabilities on its own. It used the system to find and confirm a blind SQL injection in a WordPress plugin running on over 300,000 sites, with no human involved in discovery or exploitation.
If defenders can automate zero-day hunting this cleanly, assume attackers are building the same pipeline right now.
🏛️ Privacy, Power & Policy
 
 
SURVEILLANCE LAW
A majority of MEPs present, 314 to 276, voted against extending the EU's message-scanning regime that lets platforms scan private chats for child abuse material. It passed anyway, because EU rules require an absolute majority of all 720 members to kill it, and absent lawmakers count as yes votes. Google, Microsoft, and Meta now have legal cover to keep scanning through 2028.
A law more members opposed than supported is now locked in for two more years, worth remembering next time "the process worked" gets cited as a defense.
 
COURT ORDER
A DC Superior Court judge ordered prosecutors to disclose exactly how Clearview AI's 70-billion-image facial recognition database was used to identify a shooting suspect, a rare crack in a company that has operated as a black box for defendants for years. The parties reconvene July 22 to hash out what Clearview actually has to reveal.
Facial recognition keeps landing people in court without anyone being able to check its work; this case might set the precedent that forces disclosure elsewhere.
🛠️ Tools & Tactics
 
 
Practical play
Microsoft now recommends cutting Windows update deferral windows to under three days, with deadlines of zero to one day. The reasoning: AI-assisted attackers are closing the gap between a patch dropping and an exploit landing faster than most rollout schedules can keep up. If your org still runs 30-day deferral windows on security updates, that math no longer works.
Tighten timelines now on anything internet-facing.

The best candidate for your next role might not live in the same country. Oyster helps you hire globally in 180+ countries. Payroll, compliance, and benefits included.

🧪 Strange Cyber
 
Strange but real
☎️ All It Took to Get Root Access Was a Friendly Phone Call
Intro
This one happened back in May, but it's too good to leave on the shelf. A penetration tester wanted to know how far "trust me, I'm the boss" would get him. The answer: all the way in.
What Happened
Brandon Dixon, a pentester and AI security firm CTO, called a company's IT help desk pretending to be an executive who'd forgotten his password and his security challenge answers. He gave them the password he wanted to use. They reset it, no questions asked, and he was in the network.
Why It Matters
No exploit, no malware, no zero-day, just a confident voice and a staff member who didn't want to say no to someone who sounded important.
The Other Side
Most companies have caller-verification policies on paper; the problem is nobody enforces them when the caller sounds important enough.
 
👉 Takeaway
Your MFA and your patch cadence don't matter much if a help desk will reset a password over the phone for anyone who asks nicely.
TL;DR: A pentester got full network access by phoning IT and asking for a password reset while pretending to be the boss.
Further reading: The Register

CollabED's founder built 10 web platforms, 2 mobile apps, and 27 automations in 75 days with Viktor. No developers, no designers, no IT team. One founder, 46 volunteers. Get Started for Free.

Keep Reading