May 11, 2026

Daily Threat Intelligence Report — 2025-07-14

17

IOCs

12

TTPs

10

KQL Queries

Executive Summary

Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed across four IPs by Feodotracker, alongside newly surfaced AsyncRAT and AgentTesla malware samples confirmed by MalwareBazaar. CISA has added five critical vulnerabilities to its Known Exploited Vulnerabilities catalogue, including a Palo Alto Networks PAN-OS out-of-bounds write enabling unauthenticated root-level RCE and an Ivanti EPMM authenticated RCE, both requiring immediate patching. Cryptocurrency and social media phishing infrastructure has expanded significantly, with 15 active phishing URLs confirmed by OpenPhish targeting Ledger, Trezor, Exodus, Amazon, and Instagram users. SOC teams should immediately block all five Feodotracker C2 IPs, apply CISA KEV patches on an emergency basis, and deploy the KQL hunting queries provided in this report.

#1

Active QakBot and Emotet C2 Infrastructure Across Multi-Nation Nodes — Imminent Enterprise Compromise Risk

CRITICAL TA505

Feodotracker has confirmed four active QakBot C2 servers (50.16.16.211 — US, 34.204.119.63 — US, 178.62.3.223 — GB, 27.133.154.218 — JP) and one active Emotet C2 server (162.243.103.246 — US) within the last 24 hours. TA505, a prolific financially motivated threat actor historically associated with both QakBot distribution and large-scale Emotet campaigns, leverages this infrastructure for initial payload delivery, credential harvesting, and ransomware pre-positioning. MalwareBazaar has simultaneously confirmed a fresh AgentTesla sample (hash 07b3056794ce85fb607a38d1a0856c3ad7886c2903d0ff7d72a0f172ef8fa7c6) and an AsyncRAT sample (hash 270887cd3939ea9eb91d47ce5eeedd4141cb112501d42844020e496c76384608) tagged as botnet and C2-capable, consistent with TA505's multi-stage payload deployment pattern. The geographic spread of QakBot C2 across US, UK, and Japan nodes indicates an active, high-tempo campaign targeting organisations in multiple jurisdictions simultaneously, and any internal host beaconing to these IPs should be treated as a confirmed compromise requiring immediate incident response.

🔴 Indicators of Compromise

IP 162.243.103.246 Emotet C2 server hosted in the United States — Feodotracker confirmed active within 24 hours

IP 50.16.16.211 QakBot C2 server hosted in the United States — Feodotracker confirmed active within 24 hours

IP 34.204.119.63 QakBot C2 server hosted in the United States — Feodotracker confirmed active within 24 hours

IP 178.62.3.223 QakBot C2 server hosted in Great Britain — Feodotracker confirmed active within 24 hours

IP 27.133.154.218 QakBot C2 server hosted in Japan — Feodotracker confirmed active within 24 hours

HASH 270887cd3939ea9eb91d47ce5eeedd4141cb112501d42844020e496c76384608 AsyncRAT executable — tagged botnet, c2, trojan — MalwareBazaar confirmed

HASH 07b3056794ce85fb607a38d1a0856c3ad7886c2903d0ff7d72a0f172ef8fa7c6 AgentTesla executable — credential stealer — MalwareBazaar confirmed

🟣 MITRE ATT&CK TTPs

T1566.001 Spearphishing Attachment MITRE →

T1071.001 Application Layer Protocol — Web Protocols C2 MITRE →

T1555 Credentials from Password Stores MITRE →

T1021.002 SMB/Windows Admin Shares MITRE →

🟢 Hunt Queries

MDE Hunt for C2 Connections to Confirmed QakBot and Emotet Infrastructure

Detects outbound network connections to all five Feodotracker-confirmed C2 IPs associated with QakBot (4 IPs) and Emotet (1 IP) active within the last 24 hours. Any hit should be treated as a confirmed compromise indicator.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| where ActionType == 'ConnectionSuccess'
| extend MalwareFamily = case(
    RemoteIP == '162.243.103.246', 'Emotet C2 — US',
    RemoteIP == '50.16.16.211', 'QakBot C2 — US',
    RemoteIP == '34.204.119.63', 'QakBot C2 — US',
    RemoteIP == '178.62.3.223', 'QakBot C2 — GB',
    RemoteIP == '27.133.154.218', 'QakBot C2 — JP',
    'Unknown'
)
| project TimeGenerated, DeviceName, LocalIP, RemoteIP, RemotePort, MalwareFamily, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by TimeGenerated desc

MDE Detect AsyncRAT and AgentTesla Malware Execution by File Hash

Searches for execution events matching the MalwareBazaar-confirmed SHA256 hashes for AsyncRAT and AgentTesla samples observed in the last 24 hours.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    '270887cd3939ea9eb91d47ce5eeedd4141cb112501d42844020e496c76384608',
    '07b3056794ce85fb607a38d1a0856c3ad7886c2903d0ff7d72a0f172ef8fa7c6'
)
| extend MalwareSample = case(
    SHA256 == '270887cd3939ea9eb91d47ce5eeedd4141cb112501d42844020e496c76384608', 'AsyncRAT — MalwareBazaar confirmed',
    SHA256 == '07b3056794ce85fb607a38d1a0856c3ad7886c2903d0ff7d72a0f172ef8fa7c6', 'AgentTesla — MalwareBazaar confirmed',
    'Unknown'
)
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, MalwareSample, InitiatingProcessFileName, AccountName, ProcessCommandLine
| order by TimeGenerated desc

MDI Detect Lateral Movement Patterns Consistent with QakBot Post-Exploitation

Hunts for suspicious NTLM authentication bursts from a single account to multiple devices, consistent with QakBot's lateral movement behaviour after credential harvesting from C2 servers 50.16.16.211 and 34.204.119.63.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess'
| where Protocol == 'Ntlm'
| summarize LogonCount=count(), DistinctDevices=dcount(DeviceName), DeviceList=make_set(DeviceName, 20) by AccountDisplayName, IPAddress
| where LogonCount > 5 or DistinctDevices > 3
| order by DistinctDevices desc

SENTINEL Detect Network Traffic to All Feodotracker C2 Nodes Across Firewall and Proxy Logs

Broad Sentinel query covering perimeter firewall, proxy, and DNS logs to identify any communication to the five confirmed Feodotracker C2 IPs for QakBot and Emotet. Covers hosts not enrolled in MDE.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| extend MalwareFamily = case(
    DestinationIP == '162.243.103.246', 'Emotet C2 — US',
    DestinationIP == '50.16.16.211', 'QakBot C2 — US',
    DestinationIP == '34.204.119.63', 'QakBot C2 — US',
    DestinationIP == '178.62.3.223', 'QakBot C2 — GB',
    DestinationIP == '27.133.154.218', 'QakBot C2 — JP',
    'Unknown'
)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, MalwareFamily, Activity, DeviceVendor, DeviceProduct, RequestURL
| order by TimeGenerated desc

✅ Recommended Actions

→ IMMEDIATE: Block all five Feodotracker-confirmed C2 IPs (162.243.103.246, 50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) at perimeter firewall, next-gen proxy, and SASE/secure web gateway — no exceptions

→ IMMEDIATE: Submit AsyncRAT hash (270887cd3939ea9eb91d47ce5eeedd4141cb112501d42844020e496c76384608) and AgentTesla hash (07b3056794ce85fb607a38d1a0856c3ad7886c2903d0ff7d72a0f172ef8fa7c6) to EDR for immediate blocking and retrospective scan

→ IMMEDIATE: Execute all four KQL hunting queries across MDE, MDI, and Sentinel — any hit constitutes a P1 incident and should trigger your IR playbook

→ SHORT-TERM: Conduct full email gateway retrospective scan for attachments delivering EXE payloads over the past 7 days, correlating with sender domains that communicated with the listed C2 IPs

→ SHORT-TERM: Audit all privileged accounts for anomalous NTLM authentication activity identified by the MDI query — reset credentials for any flagged accounts

→ LONG-TERM: Enrich your SIEM threat intelligence feeds with all five C2 IPs and both malware hashes and configure persistent alerting rules so future contact triggers automatic P1 escalation

#2

Lazarus Group and Kimsuky Infrastructure Updates Detected — Nation-State Tooling Refresh in Progress

HIGH Lazarus Group

GitHub repository stamparm/maltrail recorded active commits updating both apt_lazarus.txt and apt_kimsuky.txt trail files within the last 24 hours, indicating that security researchers have identified new or updated infrastructure, domains, or IPs associated with Lazarus Group (DPRK-linked, attributed to APT38 for financial operations) and Kimsuky (DPRK-linked espionage). Simultaneous updates to hvncrat.txt in the same repository suggest that HVNC RAT — a remote access tool used for covert desktop control without triggering standard VPN or RDP telemetry — is being actively updated in conjunction with nation-state actor tooling, a pattern consistent with Lazarus Group's post-compromise operational tradecraft. The RustyStealer sample confirmed by MalwareBazaar (hash c3a4fc8559ecb13d5d004629fb5a01c0101250c9a27bc151e570dbabdd6967b1), tagged with Backdoor, Kryptik, and Rust, aligns with the recent trend of DPRK-affiliated actors adopting Rust-based tooling for stealth and cross-platform capability. Organisations in financial services, cryptocurrency, defence, and government sectors should treat this intelligence as high-priority given Lazarus Group's documented history of targeting these verticals for both espionage and financial theft.

🔴 Indicators of Compromise

HASH c3a4fc8559ecb13d5d004629fb5a01c0101250c9a27bc151e570dbabdd6967b1 RustyStealer backdoor — Rust-based, tagged Kryptik and Backdoor — consistent with DPRK actor Rust tooling adoption — MalwareBazaar confirmed

HASH ced82528b08a52a9a0aaaffdeda31641897e0973685562506f88674a3da1cf98 Signed executable — potentially abused signed binary for defence evasion — MalwareBazaar confirmed

URL http://vfdksvkfndvkbnksfd-d8f9a7g0dzh9dads.z03.azurefd.net/ Active phishing URL using Azure Front Door CDN infrastructure — consistent with nation-state actors abusing legitimate cloud platforms for credential harvesting — OpenPhish confirmed

🟣 MITRE ATT&CK TTPs

T1195.002 Compromise Software Supply Chain MITRE →

T1071.001 Application Layer Protocol — Web Protocols C2 MITRE →

T1552.001 Credentials In Files MITRE →

T1566.002 Spearphishing Link MITRE →

🟢 Hunt Queries

MDE Detect RustyStealer and Signed Unknown Binary Execution

Searches for execution of the MalwareBazaar-confirmed RustyStealer backdoor and the suspicious signed executable by SHA256 hash. Both samples represent potential Lazarus Group / DPRK tooling based on current maltrail intelligence updates.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    'c3a4fc8559ecb13d5d004629fb5a01c0101250c9a27bc151e570dbabdd6967b1',
    'ced82528b08a52a9a0aaaffdeda31641897e0973685562506f88674a3da1cf98'
)
| extend ThreatLabel = case(
    SHA256 == 'c3a4fc8559ecb13d5d004629fb5a01c0101250c9a27bc151e570dbabdd6967b1', 'RustyStealer — Backdoor/Kryptik — MalwareBazaar',
    SHA256 == 'ced82528b08a52a9a0aaaffdeda31641897e0973685562506f88674a3da1cf98', 'Signed Unknown EXE — Potential Abuse — MalwareBazaar',
    'Unknown'
)
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, ThreatLabel, InitiatingProcessFileName, AccountName, ProcessCommandLine, IsTrustedApp
| order by TimeGenerated desc

MDE Hunt for HVNC RAT Behaviour — Covert Desktop Session Activity

Detects process-level indicators of HVNC RAT activity, including processes establishing network connections without visible window handles and processes injecting into explorer.exe, consistent with HVNC tradecraft linked to Lazarus Group tooling updates in maltrail.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName =~ 'explorer.exe'
| where FileName in~ ('rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'powershell.exe')
| join kind=inner (
    DeviceNetworkEvents
    | where TimeGenerated > ago(24h)
    | where ActionType == 'ConnectionSuccess'
    | where RemoteIPType == 'Public'
) on DeviceId, InitiatingProcessId
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, RemoteIP, RemotePort, AccountName
| order by TimeGenerated desc

SENTINEL Detect Navigation to Azure Front Door Phishing Infrastructure

Identifies proxy and DNS log entries for the OpenPhish-confirmed Azure Front Door phishing URL used for credential harvesting, potentially linked to Kimsuky spearphishing campaigns updated in maltrail today.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has 'vfdksvkfndvkbnksfd-d8f9a7g0dzh9dads.z03.azurefd.net'
    or DestinationHostName has 'vfdksvkfndvkbnksfd-d8f9a7g0dzh9dads.z03.azurefd.net'
| project TimeGenerated, SourceIP, DestinationHostName, RequestURL, DeviceVendor, DeviceProduct, Activity
| order by TimeGenerated desc
| union (
DnsEvents
| where TimeGenerated > ago(24h)
| where Name has 'vfdksvkfndvkbnksfd-d8f9a7g0dzh9dads.z03.azurefd.net'
| project TimeGenerated, ClientIP, Name, IPAddresses, Computer
)

✅ Recommended Actions

→ IMMEDIATE: Block the Azure Front Door phishing URL (vfdksvkfndvkbnksfd-d8f9a7g0dzh9dads.z03.azurefd.net) at DNS and web proxy — alert any user who accessed it in the past 72 hours and initiate credential reset

→ IMMEDIATE: Submit RustyStealer hash (c3a4fc8559ecb13d5d004629fb5a01c0101250c9a27bc151e570dbabdd6967b1) and signed binary hash (ced82528b08a52a9a0aaaffdeda31641897e0973685562506f88674a3da1cf98) to EDR for blocking and retrospective scanning

→ SHORT-TERM: Pull the updated apt_lazarus.txt and apt_kimsuky.txt from stamparm/maltrail (commits da37f386 and 678583da) and ingest any new IOCs into your SIEM and threat intelligence platform

→ SHORT-TERM: Execute the HVNC RAT detection KQL query and investigate all flagged process injection events within the last 7 days, not just 24 hours

→ SHORT-TERM: Review code-signing certificate trust policies in your environment — consider implementing allow-listing for approved certificate thumbprints and alerting on all others

→ LONG-TERM: Implement DNS-layer security to block lookalike and CDN-abuse phishing domains, with particular monitoring for random-string azurefd.net, vercel.app, and github.io subdomains

#3

Five CISA KEV Vulnerabilities Require Emergency Patching — PAN-OS RCE and Ivanti EPMM Pose Critical Risk

MEDIUM Unknown Threat Actor

CISA has added five vulnerabilities to its Known Exploited Vulnerabilities catalogue, all requiring immediate remediation per BOD 22-01: CVE-2026-0300 (Palo Alto Networks PAN-OS unauthenticated root RCE via out-of-bounds write in the User-ID Authentication Portal), CVE-2026-6973 (Ivanti EPMM authenticated RCE), CVE-2026-41940 (WebPros cPanel and WHM authentication bypass enabling full control panel access), CVE-2026-42208 (BerriAI LiteLLM SQL injection enabling database read and write access), and CVE-2026-31431 (Linux Kernel privilege escalation via incorrect resource transfer). The PAN-OS vulnerability (CVE-2026-0300) is particularly severe as it allows unauthenticated attackers to execute arbitrary code with root privileges by sending specially crafted packets to the Captive Portal service on PA-Series and VM-Series firewalls — a direct path to network perimeter compromise. Concurrent phishing infrastructure activity targeting cryptocurrency wallets (Ledger via leddgger--wallet.webflow.io, Trezor via authstart-terezor.github.io, Exodus via update-exodus-helpcentre.vercel.app) confirmed by OpenPhish suggests that threat actors are combining credential harvesting with exploitation of patching gaps to maximise impact on organisations with cryptocurrency holdings or hosting environments using cPanel.

🔴 Indicators of Compromise

URL http://leddgger--wallet.webflow.io/ Ledger cryptocurrency wallet phishing page — OpenPhish confirmed active — targets seed phrase and private key theft

URL http://authstart-terezor.github.io/ Trezor hardware wallet phishing page hosted on GitHub Pages — OpenPhish confirmed active — targets wallet credentials

URL http://www.update-exodus-helpcentre.vercel.app/ Exodus cryptocurrency wallet phishing page hosted on Vercel — OpenPhish confirmed active — fake support/update lure

URL http://61.53.74.66:36279/i Active malware download URL — URLhaus confirmed — likely IoT/botnet payload delivery

URL http://103.72.9.252:51383/Mozi.m Mozi botnet payload download URL — URLhaus confirmed — targets IoT devices and routers

URL http://45.148.120.78/GZOS Active malware download URL — URLhaus confirmed — likely Mirai/botnet variant payload

HASH 9927a2c8f4bbbed72fefdd3c84da12e1e108c1cf7936fe935c5828a3e85cc14f Mirai/Gafgyt ELF botnet sample — MalwareBazaar confirmed — targets Linux-based IoT and server infrastructure

🟣 MITRE ATT&CK TTPs

T1190 Exploit Public-Facing Application MITRE →

T1078 Valid Accounts MITRE →

T1068 Exploitation for Privilege Escalation MITRE →

T1566.002 Spearphishing Link MITRE →

🟢 Hunt Queries

SENTINEL Detect Access to Confirmed Cryptocurrency and Social Media Phishing URLs

Identifies proxy, firewall, and DNS log entries matching all 15 OpenPhish-confirmed phishing URLs, with particular focus on cryptocurrency wallet phishing pages that target Ledger, Trezor, Exodus, and Amazon users. Covers both direct URL access and DNS resolution events.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any (
    'umobu.com.br/xinfini',
    'vfdksvkfndvkbnksfd-d8f9a7g0dzh9dads.z03.azurefd.net',
    '14210.xyz',
    'leddgger--wallet.webflow.io',
    'dongbeilaobo.com/wap',
    'authstart-terezor.github.io',
    'instalgram.vercel.app',
    'amazon-clone-pink-five.vercel.app',
    'update-exodus-helpcentre.vercel.app',
    'instagram-clone-java-full-stack.vercel.app',
    'geminuslogi.godaddysites.com',
    'derviemprendeecuador.vercel.app',
    'files.secured.documents.blobcore.com'
)
| extend PhishingCategory = case(
    RequestURL has 'leddgger', 'Ledger Crypto Wallet Phishing',
    RequestURL has 'trezor', 'Trezor Crypto Wallet Phishing',
    RequestURL has 'exodus', 'Exodus Crypto Wallet Phishing',
    RequestURL has 'amazon', 'Amazon Phishing',
    RequestURL has 'instagram' or RequestURL has 'instalgram', 'Instagram Phishing',
    RequestURL has 'azurefd.net', 'CDN-Abused Phishing',
    RequestURL has 'blobcore.com', 'Credential Harvesting Page',
    'Generic Phishing'
)
| project TimeGenerated, SourceIP, RequestURL, PhishingCategory, DeviceVendor, DeviceProduct, Activity
| order by TimeGenerated desc

MDE Detect Mirai/Gafgyt Botnet ELF Execution and Malware Download Activity

Searches for execution of the MalwareBazaar-confirmed Mirai/Gafgyt ELF sample and network connections to URLhaus-confirmed Mozi and botnet payload download URLs. Targets Linux hosts and network devices accessible from the internet.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where SHA256 == '9927a2c8f4bbbed72fefdd3c84da12e1e108c1cf7936fe935c5828a3e85cc14f'
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, AccountName
| order by TimeGenerated desc
| union (
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('61.53.74.66', '110.39.235.153', '39.76.57.14', '103.72.9.252', '45.148.120.78')
| extend DownloadContext = case(
    RemoteIP == '61.53.74.66', 'URLhaus malware download — port 36279',
    RemoteIP == '110.39.235.153', 'URLhaus malware download — port 35614',
    RemoteIP == '39.76.57.14', 'URLhaus malware download — port 47455',
    RemoteIP == '103.72.9.252', 'URLhaus Mozi botnet download — port 51383',
    RemoteIP == '45.148.120.78', 'URLhaus botnet payload download — multiple paths',
    'Unknown'
)
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, DownloadContext, InitiatingProcessFileName, ActionType
)

SENTINEL Detect Connections to URLhaus Malware Download Infrastructure

Broad Sentinel query across firewall and proxy logs to detect any communication to the ten URLhaus-confirmed malware download IPs and URLs, including Mozi botnet and general malware download servers. Covers devices not enrolled in MDE such as IoT, OT, and network infrastructure.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationIP in ('61.53.74.66', '110.39.235.153', '39.76.57.14', '103.72.9.252', '45.148.120.78')
    or RequestURL has_any (
        '61.53.74.66:36279',
        '110.39.235.153:35614',
        '39.76.57.14:47455',
        '103.72.9.252:51383',
        '45.148.120.78/GZOS',
        '45.148.120.78/35t',
        '45.148.120.78/Ob9f',
        '45.148.120.78/PaBc',
        '45.148.120.78/M9s'
    )
| extend ThreatContext = case(
    DestinationIP == '103.72.9.252', 'Mozi Botnet Download Server — URLhaus',
    DestinationIP == '45.148.120.78', 'Multi-payload Botnet Server — URLhaus',
    'Generic Malware Download Server — URLhaus'
)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, ThreatContext, DeviceVendor, DeviceProduct
| order by TimeGenerated desc

✅ Recommended Actions

→ IMMEDIATE: Apply Palo Alto Networks PAN-OS patch for CVE-2026-0300 on all PA-Series and VM-Series firewalls — as interim workaround per CISA KEV guidance, restrict User-ID Authentication Portal to trusted zones only and disable if not required

→ IMMEDIATE: Apply Ivanti EPMM patch for CVE-2026-6973 — audit all EPMM administrator accounts for recent activity and enforce MFA on all admin accounts immediately

→ IMMEDIATE: Apply WebPros cPanel and WHM patch for CVE-2026-41940 — audit all cPanel login events from the past 7 days for unauthorised access sessions

→ IMMEDIATE: Block all ten URLhaus malware download IPs/URLs and all 15 OpenPhish phishing URLs at DNS, proxy, and email gateway — run Sentinel query to identify any prior access within past 7 days

→ SHORT-TERM: Apply Linux Kernel patch for CVE-2026-31431 on all internet-facing and multi-tenant Linux systems — prioritise hosts where Mirai ELF hash (9927a2c8f4bbbed72fefdd3c84da12e1e108c1cf7936fe935c5828a3e85cc14f) was detected

→ SHORT-TERM: Apply BerriAI LiteLLM patch for CVE-2026-42208 — audit proxy database access logs for unauthorised read/write operations and rotate all credentials managed by the LiteLLM proxy

→ LONG-TERM: Implement a vulnerability management SLA that treats CISA KEV additions as P1 with mandatory 24-hour remediation timelines for internet-facing systems and 72-hour for internal systems