Daily Threat Intelligence Report - 2026-07-11
Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed by Feodotracker, with four QakBot C2 servers and one Emotet C2 server actively beaconing across US, UK, and Japanese IP ranges. Concurrently, CISA has added five critical vulnerabilities to its Known Exploited Vulnerabilities catalog, including a Palo Alto Networks PAN-OS out-of-bounds write enabling unauthenticated RCE and an Ivanti EPMM RCE flaw, demanding immediate patch prioritization. AlienVault OTX pulses reveal emerging threats including AI supply chain attacks poisoning Hugging Face and ClawHub platforms with over 575 malicious models, and a ransomware chain involving EtherRAT leveraging Ethereum blockchain for C2 evasion. SOC teams should immediately block all five Feodotracker C2 IPs, prioritize patching CVE-2026-0300 and CVE-2026-6973, and hunt for AsyncRAT and AgentTesla samples confirmed in MalwareBazaar today.
Active QakBot and Emotet C2 Infrastructure Beaconing: Multi-Region Campaign with Confirmed Malware Delivery
Severity: CRITICAL | Threat actor: TA505
Feodotracker has confirmed five active C2 servers operational within the last 24 hours: four serving QakBot (50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) and one serving Emotet (162.243.103.246), spanning US, UK, and Japanese infrastructure. TA505, a prolific financially motivated threat actor historically linked to Emotet and QakBot distribution, leverages this infrastructure for initial access brokering, credential harvesting, and ransomware pre-positioning. MalwareBazaar simultaneously confirmed active AgentTesla (hash: 8a27732f805c8cb6a4f37443ed728cd5239dffb6e3e12d02aa7e698b5fc3f23c) and AsyncRAT (hash: 9ec0777164bfb8981553f9beec161e092b05ffea560ef90d0d5333797eade5c2) samples in the wild, both consistent with TA505's second-stage payload deployment tradecraft. URLhaus has also flagged 10 active malware download URLs serving bin.sh and generic payloads, indicating active dropper infrastructure supporting this campaign. Organizations should treat any outbound connection to these five C2 IPs as a confirmed compromise indicator requiring immediate containment.
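The containment guidance in this item and in the summary above (block the five Feodotracker C2 IPs, hunt for the two MalwareBazaar hashes) is the kind of check a SOC would script against its own telemetry. The following is an added example written for this report, not code from Feodotracker, MalwareBazaar or any vendor: it loads the indicators exactly as published above and runs them over constructed firewall and EDR log lines. The key=value log format, the internal addresses, hostnames and file paths are all assumptions made for the sample; only the IPs and hashes come from the report.

```python
import re
from dataclasses import dataclass

# Indicators as listed in today's report: Feodotracker C2 IPs and MalwareBazaar SHA-256 hashes.
C2_IPS = {
    "50.16.16.211": "QakBot",
    "34.204.119.63": "QakBot",
    "178.62.3.223": "QakBot",
    "27.133.154.218": "QakBot",
    "162.243.103.246": "Emotet",
}
MALWARE_HASHES = {
    "8a27732f805c8cb6a4f37443ed728cd5239dffb6e3e12d02aa7e698b5fc3f23c": "AgentTesla",
    "9ec0777164bfb8981553f9beec161e092b05ffea560ef90d0d5333797eade5c2": "AsyncRAT",
}

# Constructed sample logs in a hypothetical "timestamp key=value ..." format (not from any real product).
SAMPLE_FW_LOG = """\
2026-07-11T08:01:12Z action=allow src=10.20.1.15 dst=93.184.216.34 dport=443 proto=tcp
2026-07-11T08:01:47Z action=allow src=10.20.1.22 dst=50.16.16.211 dport=443 proto=tcp
2026-07-11T08:02:03Z action=allow src=10.20.1.22 dst=162.243.103.246 dport=8080 proto=tcp
2026-07-11T08:02:30Z action=deny src=10.20.1.40 dst=27.133.154.218 dport=443 proto=tcp
2026-07-11T08:03:05Z action=allow src=10.20.1.15 dst=151.101.1.69 dport=443 proto=tcp
"""
SAMPLE_EDR_LOG = """\
2026-07-11T08:05:10Z host=WS-0122 event=file_create path=C:\\Users\\j.doe\\AppData\\Local\\Temp\\update.exe sha256=9EC0777164BFB8981553F9BEEC161E092B05FFEA560EF90D0D5333797EADE5C2
2026-07-11T08:05:12Z host=WS-0122 event=file_create path=C:\\Windows\\Temp\\setup.log sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2026-07-11T08:06:44Z host=WS-0140 event=file_create path=C:\\Users\\a.roe\\Downloads\\invoice.exe sha256=8a27732f805c8cb6a4f37443ed728cd5239dffb6e3e12d02aa7e698b5fc3f23c
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    ts: str         # event timestamp from the log line
    source: str     # telemetry that produced the hit ("firewall" or "edr")
    asset: str      # internal asset involved (source IP or hostname)
    indicator: str  # the IoC that matched
    family: str     # malware family the report associates with the IoC
    detail: str     # extra context for the analyst


def parse_kv(line):
    """Split a 'timestamp key=value ...' line into a dict; the timestamp goes under 'ts'."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def match_c2_connections(log_text):
    """Flag any connection whose destination is one of the report's C2 IPs.

    Denied connections are kept as well: a blocked beacon still means the source
    host tried to reach a C2 and needs triage, per the report's containment guidance.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_kv(line)
        dst = f.get("dst")
        if dst in C2_IPS:
            findings.append(Finding(f["ts"], "firewall", f.get("src", "?"), dst, C2_IPS[dst],
                                    f"dport={f.get('dport')} action={f.get('action')}"))
    return findings


def match_file_hashes(log_text):
    """Flag file events whose SHA-256 matches a MalwareBazaar hash from the report."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_kv(line)
        digest = f.get("sha256", "").lower()  # EDR products differ in hash case; normalise first
        if digest in MALWARE_HASHES:
            findings.append(Finding(f["ts"], "edr", f.get("host", "?"), digest, MALWARE_HASHES[digest],
                                    f"path={f.get('path')}"))
    return findings


def hunt(fw_log=SAMPLE_FW_LOG, edr_log=SAMPLE_EDR_LOG):
    """Run both indicator sets over the supplied logs and return all findings, firewall hits first."""
    return match_c2_connections(fw_log) + match_file_hashes(edr_log)


def affected_assets(findings):
    """Distinct internal assets to isolate, sorted for a stable report."""
    return sorted({f.asset for f in findings})


if __name__ == "__main__":
    results = hunt()
    for r in results:
        print(f"{r.ts} [{r.source}] {r.asset} -> {r.family} via {r.indicator} ({r.detail})")
    print("Assets to contain:", ", ".join(affected_assets(results)))
```

Against the constructed sample the script reports three C2 hits (two QakBot, one Emotet, one of them already denied by the firewall) and two hash hits, and names four internal assets for containment. In production the same two matchers would be pointed at exported firewall and EDR logs, with the indicator dictionaries refreshed from the feeds each day.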
CISA KEV: Five Critical Vulnerabilities Under Active Exploitation in Palo Alto PAN-OS, Ivanti EPMM, Linux Kernel, cPanel and LiteLLM
Severity: HIGH | Threat actor: Unknown
CISA has added five vulnerabilities to its Known Exploited Vulnerabilities catalog, confirming active in-the-wild exploitation. The most critical is CVE-2026-0300 affecting Palo Alto Networks PAN-OS, where an unauthenticated attacker can achieve root-level RCE on PA-Series and VM-Series firewalls via an out-of-bounds write in the User-ID Authentication Portal, representing a perimeter compromise risk that could provide direct network access to threat actors. CVE-2026-6973 in Ivanti Endpoint Manager Mobile allows an authenticated administrator to achieve RCE, a technique consistent with APT29 and Lazarus Group tradecraft of targeting mobile device management infrastructure to intercept credentials and pivot to enterprise networks. CVE-2026-41940 in WebPros cPanel and WHM introduces an authentication bypass enabling unauthenticated access to web hosting control panels, posing significant risk to shared hosting environments and managed service providers. CVE-2026-31431 in the Linux Kernel enables privilege escalation via incorrect resource transfer, while CVE-2026-42208 in BerriAI LiteLLM exposes a SQL injection vulnerability in AI proxy infrastructure, which is particularly relevant given today's AlienVault OTX intelligence on active AI platform supply chain attacks.
AI Supply Chain and Fake Application Lure Campaigns: EtherRAT, Vidar Stealer, and LuaJIT Infostealers Targeting Developers and Gamers
Severity: MEDIUM | Threat actor: TroyDen
AlienVault OTX has published three correlated threat pulses describing an active AI supply chain compromise campaign and associated malware distribution operations targeting developers and gamers. Threat actor TroyDen is confirmed operating a large-scale 'Lure Factory' distributing LuaJIT-based infostealers through over 300 delivery packages hosted on GitHub, using AI-generated lures to target developer and gaming communities with 9 confirmed IOCs. Separately, a multi-stage loader campaign was identified using AutoIt abuse and MicrosoftToolkit.exe execution to deliver Vidar Stealer, with 9 IOCs and a sophisticated execution chain beginning with a commonly abused hack tool. A third pulse documents threat actors actively poisoning Hugging Face and ClawHub AI platforms with malicious code embedded in over 575 models, datasets, and agent extensions, representing a significant supply chain risk for any organization using AI models from these platforms. The April 2026 EtherRAT intrusion (44 IOCs) further demonstrates adversary innovation in using Ethereum blockchain for C2 communications to evade traditional network-based detection. GitHub threat intelligence also confirms active updates to maltrail's fakeapp.txt tracker (three commits in 24 hours) and ConnectWise abuse tracking, corroborating the fake application lure campaign activity.