300 Doxxed Accounts, 12K Proxy Machines, 395K Windows Nuked — Corporate Trust Is the New Vulnerability

TL;DR

• DHS subpoenas tech firms to unmask anonymous anti-ICE social media accounts
• Trojanized 7-Zip Installer Distributes Proxyware via Residential Proxy Network
• Lumma Info-Stealer Delivered via Google Groups Social Engineering Campaign

🚨 DHS Doxxes 300 Anti-ICE Accounts With No Warrant — Google, Meta Comply Without Judicial Oversight

300 ANONYMOUS ACCOUNTS DOXXED BY DHS WITHOUT A WARRANT. 🚨 Google, Meta, Reddit, Discord handed over emails, IPs, credit card last-4s… for posting ‘ICE is evil’. No judge. No crime. Just a subpoena and a corporate shrug. You think your ‘private’ DMs are safe? Try telling that to the British student whose data got shipped to ICE because they liked a meme. Who’s next? Your Reddit rant about rent? Your Discord voice chat about unionizing? — What’s your threshold for silence?

Uncle Sam’s newest party trick? Slamming ≈300 admin subpoenas on Google, Meta, Reddit & Discord in under two weeks—no judge, no warrant, just a bureaucratic “please hand over the peasants”. Targets: anyone roasting ICE online. Goodbye anonymity, hello real-world PII buffet.

How does this legal jackhammer work?

• 8 U.S.C. §1225(d) lets DHS lawyers self-issue demands for name, email, phone, IP, card digits, device IDs, the lot.
• Platforms quietly CSV-wrap the data, TLS-ship it to DHS portals; logs auto-purged after 30 days—because “hygiene”.
• No court signs off; only way out is a user-or-ACLU motion to quash. (Spoiler: 2 withdrawn, 4 motions filed, 0 injunctions.)

Impact in a nutshell

• Privacy: ≥150 accounts doxxed → stalking, job-loss, deportation-risk.
• Speech: chilled; even meme lords think twice before @-ing ICE.
• Security ops: DHS claims “officer safety”—yet produces zero metrics proving raids got safer.
• Corporate compliance cost: staff hours, lawyer fees, PR bleach.
• International side-eye: UK student caught in dragnet; extraterritorial reach sans treaty.

What the platforms did (and didn’t)

Observed

• Meta pre-warned ~80% of targets—“We’re snitching… but politely.”
• Google complied first, asked questions later; 28,622 govt requests in Q1 2025 alone (↑15%).

Recommended

• Standardize 14-day user-challenge window industry-wide.
• Require magistrate review for any subpoena touching pure speech—make DHS work for it.

Outlook

• 2026 H1: more subpoenas drop; ACLU litigation backlog balloons.
• 2027: Congress may bolt judicial-approval amendment onto §1225(d); transparency reports finally split “speech” vs “crime” buckets.
• 2028+: If statute tightens, expect ICE to pivot to purchase of commercial data brokers—same poop, different plumbing.

DHS is betting the Constitution can’t hit what the Constitution can’t see. Until courts or Congress call foul, your burner handle is one CSV away from a federal folder. Encrypt, organize, and maybe leave the geotag at home—because “land of the free” just got a paid DLC.

🤖 2TB/Day Proxy Empire: Fake 7-Zip Installer Turns US Homes into Criminal Exit Nodes

12 THOUSAND MACHINES. TURNED INTO FREE PROXIES. 🤖💸 Your ‘7-Zip’ installer? Now a 2TB/day bandwidth pump for criminals. It’s not malware—it’s a service. Hero.exe runs as SYSTEM. Firewall? Opened. DNS? Hiding in Google’s. Your laptop? Now a proxy for credential stuffers. Who pays? YOU. In bandwidth. In liability. In ISP throttling. Downloaded from YouTube? Congrats—you just rented out your CPU. Should companies be fined for letting fake installers live on Reddit? 🤔

Ever felt that hot-staple-gun pain when you realize the “helpful” YouTube guru who taught you to “zip like a pro” actually hot-wired your rig to relay strangers’ sketchy traffic? Congrats—welcome to the Jozeal Network’s latest side-hustle: weaponizing 7-Zip’s good name to shove Hero.exe down 23,000+ U.S. throats since October.

How the Hell Did a File Archiver Become a Proxy Pimp?

1. Fake site (7zip[.]com) clones the real one.
2. Installer drops three lil’ nasties into SysWOW64\hero, registers them as SYSTEM services.
3. netsh punches firewall holes on ports 1000 & 1002—because why knock when you can kick the door in?
4. XOR key 0x70 encrypts C2 chatter; DNS-over-HTTPS hides the phone book.
5. Your CPU + bandwidth are auctioned off for credential-stuffing, phishing, and “premium” web-scraping—at two cents a gig, cheaper than a gum-ball.

Damage Scorecard (Spoiler: You’re the Product)

• Bandwidth: 2 TB/day siphoned from 23.0.0.0/8 alone—enough to stream 800 hours of 4K cat videos.
• Legal: Your IP is now the return address for someone else’s fraud—enjoy the subpoena.
• Performance: 3.4 proxy sessions/hour per host; feel that lag? That’s Hero squatting on your socket like a drunk roommate.
• Reputation: IP-based blocklists tag you as “residential proxy—burn with fire.” Good luck accessing your bank tomorrow.

Corporate/Institutional Response & Gaps

• Observed: AV vendors pushed 12 new IoCs in four months—yet 2 TB still leaks daily.
• Recommended:
  • SHA-256 check every 7-Zip binary against 7-zip.org (takes 3 s—faster than re-imaging).
  • Block hero-sms[.]co & buddies at DNS; no one legit queries “smshero.vip” from a cubicle.
  • Alert on services created in SysWOW64\hero or netsh opening 1000/1002—if your SOC can’t do that, demote the SIEM to a lava lamp.

Timeline of (In)Convenience

• Q1 2026: Takedown notices kill a few C2s; infections plateau at ~30 k hosts.
• Q3 2026: Expect copy-cats bundling Hero into VLC, Notepad++, whatever you trust—because nothing screams “security” like a code-signed Trojan.
• 2027: CA/B Forum tightens signing rules; supply-chain verification moves from “nice” to “audit item.” Until then, keep hashing, keep blocking, keep swearing.

Bottom Line

Your free archiving tool isn’t just zipping files—it’s zipping your network dignity into a cheap proxy sandwich. Bookmark 7-zip.org, verify hashes, and treat random YouTube installers like radioactive dung. Because if you don’t, the next “helpful” tutorial will monetize your misery at two cents a pop—cheaper than your pain, pricier than your pride.

🤯 395K Systems Infected via Google Groups: Lumma Stealer Exploits Trust, Not Bugs—US, UK, Russia Hit Hard

395K Windows boxes nuked in 2 months… by a Google Groups post. 🤯 Attackers didn’t hack your network—they just posted ‘Download {YourCompany} for Win10’ in your team’s group. You clicked. Now your passwords, crypto wallets, and 2FA tokens are on a darkweb eBay. Google’s TLS cert? Perfect. Your IT team’s trust? Exploited. Who’s next? Your HR department? Your CFO’s Gmail? — Why does ‘trusted platform’ still mean ‘open door’?

Google Groups, the beige sweater of collaboration tools, is now the hottest ticket in cyber-crime. Crooks slap “Download {Org}_for_Windows10” into public threads, tuck a goo.gl-shortened link behind it, and—bam—395,000 Windows boxes cough up credentials faster than you can say “free candy.” The bait lands on Drive, the redirect chain ends in an AutoIt blob called CastleLoader, and your browser cookies march out the door in base64 go-bags.

How the sausage is made

• CastleLoader runs only in RAM, re-assembles Lumma stealer from junk-code chunks, schedules a task named “X-Finder,” then phones home every 60 s.
• C2 condos: ninja-browser[.]com, nb-download[.]com, nbdownload[.]space—rotate every 48 h like cheap Airbnb keys.
• Price tag on the dark-web shelf: $2,500 for the premium “we’ll-steal-your-2FA-too” bundle.

What it hurts

• Credentials: 395 k infections → every SSO token, crypto wallet, and saved password becomes a free buffet.
• Incident load: SOC analysts drown in multipart/form-data POST alerts; mean time to boredom ≈ 3 h.
• Reputation: Google links mean users click first, think never—until legal starts asking why customer data is on Telegram.

Corporate response & the holes they left

• Google’s abuse team nukes individual links—then attackers publish five more; whack-a-mole score: mole 5, Google 0.
• Most tenants still allow anonymous Drive preview; zero default policy blocks AutoIt.
• SIEM rules exist… if you remembered to import the IOCs; 70 % of sampled orgs hadn’t (per Feb telemetry).

Outlook—grab your crystal ball

• Next 3 months: expect OneDrive copy-cats; infection pace holds at ~6 k/week.
• 2026 Q4: AI-generated “video update from your CEO” joins ClickFix; success rate projected +22 %.
• 2027: If Google locks down redirects, operators pivot to Dropbox—because trust is cheaper than zero-days.

Bottom line
Lumma turned Google’s goodwill into a free malware CDN; every unblocked Drive link is a potential $2.5 k profit for some hoodie in Minsk. Block AutoIt, rewrite short URLs, and train users to distrust even “official” Google posts—because the only thing worse than spam in your inbox is ransomware on your disk.

In Other News

• Odido Data Breach Exposes 6.2 Million Customers' Personal Data in Netherlands
• Singapore Identifies UNC3886 as Culprit in Multi-Month Telecom Cyber Espionage
• State-Sponsored Actors Use Gemini AI for Reconnaissance, Phishing, and Code Generation
• Russia bans WhatsApp, Telegram, and mandates MAX messaging platform on all devices