May 12, 2026

Daily Threat Intelligence Report — 2026-07-11

26 IOCs | 12 TTPs | 14 KQL Queries
Executive Summary

Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed by Feodotracker, with four QakBot C2 servers and one Emotet C2 server actively beaconing across US, UK, and Japanese IP ranges. Concurrently, CISA has added five critical vulnerabilities to its Known Exploited Vulnerabilities catalog — including a Palo Alto Networks PAN-OS out-of-bounds write enabling unauthenticated RCE and an Ivanti EPMM RCE flaw — demanding immediate patch prioritization. AlienVault OTX pulses reveal emerging threats including AI supply chain attacks poisoning Hugging Face and ClawHub platforms with over 575 malicious models, and a ransomware chain involving EtherRAT leveraging the Ethereum blockchain for C2 evasion. SOC teams should immediately block all five Feodotracker C2 IPs, prioritize patching CVE-2026-0300 and CVE-2026-6973, and hunt for the AsyncRAT and AgentTesla samples confirmed in MalwareBazaar today.

#1

Active QakBot and Emotet C2 Infrastructure Beaconing — Multi-Region Campaign with Confirmed Malware Delivery

Severity: CRITICAL | Attributed actor: TA505

Feodotracker has confirmed five active C2 servers operational within the last 24 hours: four serving QakBot (50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) and one serving Emotet (162.243.103.246), spanning US, UK, and Japanese infrastructure. TA505, a prolific financially motivated threat actor historically linked to Emotet and QakBot distribution, leverages this infrastructure for initial access brokering, credential harvesting, and ransomware pre-positioning. MalwareBazaar simultaneously confirmed active AgentTesla (hash: 8a27732f805c8cb6a4f37443ed728cd5239dffb6e3e12d02aa7e698b5fc3f23c) and AsyncRAT (hash: 9ec0777164bfb8981553f9beec161e092b05ffea560ef90d0d5333797eade5c2) samples in the wild, both consistent with TA505's second-stage payload deployment tradecraft. URLhaus has also flagged 10 active malware download URLs serving bin.sh and generic payloads, indicating active dropper infrastructure supporting this campaign. Organizations should treat any outbound connection to these five C2 IPs as a confirmed compromise indicator requiring immediate containment.

🔴 Indicators of Compromise
IP 162.243.103.246 — Emotet C2 server hosted in the United States — Feodotracker confirmed active within last 24 hours
IP 50.16.16.211 — QakBot C2 server hosted in the United States — Feodotracker confirmed active within last 24 hours
IP 34.204.119.63 — QakBot C2 server hosted in the United States — Feodotracker confirmed active within last 24 hours
IP 178.62.3.223 — QakBot C2 server hosted in Great Britain — Feodotracker confirmed active within last 24 hours
IP 27.133.154.218 — QakBot C2 server hosted in Japan — Feodotracker confirmed active within last 24 hours
HASH 9ec0777164bfb8981553f9beec161e092b05ffea560ef90d0d5333797eade5c2 — AsyncRAT executable — confirmed active sample tagged asyncrat, exe — MalwareBazaar
HASH 8a27732f805c8cb6a4f37443ed728cd5239dffb6e3e12d02aa7e698b5fc3f23c — AgentTesla executable — confirmed active infostealer sample — MalwareBazaar
HASH 6d0d8ed7f5b697dc23734a075e1c2f0854d29cd7a634b641c88d678d15b741cd — Payload dropped by Amadey loader — tagged dropped-by-Amadey, exe — MalwareBazaar
URL http://151.237.28.218:49493/bin.sh — Active malware download URL serving shell script payload — URLhaus confirmed
URL http://58.242.91.159:19140/i — Active malware download URL — URLhaus confirmed; same host also serves bin.sh on the same port
URL http://123.4.47.185:47548/bin.sh — Active malware download URL serving shell script payload — URLhaus confirmed
URL http://58.242.91.159:19140/bin.sh — Active malware download URL — same host as the /i endpoint, dual-path dropper infrastructure — URLhaus confirmed
🟣 MITRE ATT&CK TTPs
T1566.001 Phishing: Spearphishing Attachment
T1071.001 Application Layer Protocol: Web Protocols
T1105 Ingress Tool Transfer
T1555.003 Credentials from Web Browsers
🟢 Hunt Queries
[MDE] Hunt for C2 Connections to QakBot and Emotet Infrastructure

Detects outbound network connections to all five Feodotracker-confirmed QakBot and Emotet C2 servers. Any match should be treated as confirmed compromise requiring immediate containment.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| where ActionType == 'ConnectionSuccess'
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, LocalIP, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by TimeGenerated desc
[MDE] Detect AsyncRAT and AgentTesla Malware Hashes on Endpoints

Identifies presence of MalwareBazaar-confirmed AsyncRAT and AgentTesla samples on any device in the estate. Matches on file creation, modification, or process execution events.

// Union file and process telemetry so the hash matches both on file create/modify
// events and on execution of the sample; both tables carry SHA256 and the projected columns.
union DeviceFileEvents, DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    '9ec0777164bfb8981553f9beec161e092b05ffea560ef90d0d5333797eade5c2',
    '8a27732f805c8cb6a4f37443ed728cd5239dffb6e3e12d02aa7e698b5fc3f23c',
    '6d0d8ed7f5b697dc23734a075e1c2f0854d29cd7a634b641c88d678d15b741cd',
    'd5449f7a1351ffe3266524958cfdee3e9c53adbd06b05b686276dea18d4548ef'
)
| project TimeGenerated, DeviceName, ActionType, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
[MDE] Detect Downloads from URLhaus-Confirmed Malware Distribution Infrastructure

Hunts for outbound connections to URLhaus-confirmed malware download hosts, including the dual-path 58.242.91.159 server and other active dropper infrastructure.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('151.237.28.218', '58.242.91.159', '119.115.119.126', '123.4.47.185', '42.231.183.171', '42.179.125.113', '61.53.201.127', '123.5.157.10', '182.125.23.111')
| where ActionType in ('ConnectionSuccess', 'ConnectionAttempt')
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by TimeGenerated desc
[SENTINEL] QakBot and Emotet C2 Beaconing Detection — Network Logs

Identifies connections to Feodotracker-confirmed C2 IPs via firewall, proxy, and network security logs ingested into Sentinel. Covers all five active C2 nodes.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, Activity, DeviceVendor, DeviceProduct
| order by TimeGenerated desc
[MDI] Detect Lateral Movement Post-QakBot Compromise

Hunts for NTLM-based lateral movement patterns consistent with QakBot post-exploitation tradecraft, where harvested credentials are used to pivot across the environment.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess'
| where Protocol == 'Ntlm'
| summarize LogonCount=count(), DistinctDevices=dcount(DeviceName) by AccountDisplayName, IPAddress
| where LogonCount > 5 or DistinctDevices > 3
| order by LogonCount desc
✅ Recommended Actions
→ IMMEDIATE: Block all five Feodotracker C2 IPs (162.243.103.246, 50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) at perimeter firewall, web proxy, and NGFW with deny-and-log rules
→ IMMEDIATE: Block all nine URLhaus malware download source IPs at perimeter and egress filtering points
→ IMMEDIATE: Submit hashes 9ec0777164bfb8981553f9beec161e092b05ffea560ef90d0d5333797eade5c2 (AsyncRAT), 8a27732f805c8cb6a4f37443ed728cd5239dffb6e3e12d02aa7e698b5fc3f23c (AgentTesla), and 6d0d8ed7f5b697dc23734a075e1c2f0854d29cd7a634b641c88d678d15b741cd (Amadey-dropped) to EDR/AV for immediate blocking and retrospective scan
→ IMMEDIATE: Execute all provided MDE KQL queries across the full device estate and escalate any matches to the IR tier immediately
→ SHORT-TERM: Review all proxy/firewall logs for historical connections to the five C2 IPs to identify dwell time and patient-zero devices
→ SHORT-TERM: Alert SOC analysts to monitor for NTLM authentication anomalies using the MDI query above, particularly accounts authenticating to more than 3 distinct devices
→ SHORT-TERM: Implement network egress filtering to block outbound HTTP on non-standard ports (>1024) from workstations where not operationally required
→ LONG-TERM: Integrate all confirmed IOCs into SIEM threat intelligence feeds and update EDR custom IOC blocklists
→ LONG-TERM: Evaluate email gateway configuration to ensure macro-enabled Office documents and HTML smuggling attachments are blocked or sandboxed
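The IOC list above and the long-term action to feed those indicators into SIEM threat-intelligence lists both assume the report can be machine-read. The following Python script is an added example, not part of the report or of any vendor's tooling: it parses the report's `TYPE value description — source` line format into validated, de-duplicated records, derives an egress block list from the IP and URL entries, and renders a CSV in the shape a watchlist or custom-indicator import typically expects. The sample lines are copied from this report's IOC section, plus one deliberately malformed line; the CSV column layout is an assumption, not a specific product's import schema.

```python
"""Parse plain-text IOC lines (TYPE value description — source) into normalized records.

Added example; not part of the original report. Input format and CSV layout are assumptions.
"""
import csv
import io
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the report's IOC section plus one invalid line.
SAMPLE_IOC_LINES = """\
IP 162.243.103.246 Emotet C2 server hosted in the United States — Feodotracker confirmed active within last 24 hours
IP 178.62.3.223 QakBot C2 server hosted in Great Britain — Feodotracker confirmed active within last 24 hours
HASH 9ec0777164bfb8981553f9beec161e092b05ffea560ef90d0d5333797eade5c2 AsyncRAT executable — confirmed active sample tagged asyncrat, exe — MalwareBazaar
URL http://58.242.91.159:19140/i Active malware download URL — URLhaus confirmed, same host also serves bin.sh on same port
URL http://58.242.91.159:19140/bin.sh Active malware download URL — same host as /i endpoint — URLhaus confirmed
CVE CVE-2026-0300 Palo Alto Networks PAN-OS — Unauthenticated RCE — CISA KEV confirmed active exploitation
HASH notahash Garbage line that must be rejected — nowhere
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
LINE_RE = re.compile(r"^(IP|HASH|URL|CVE)\s+(\S+)\s+(.*)$")


def parse_ioc_line(line: str):
    """Return a record dict for a valid IOC line, or None if the line is malformed or invalid."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ioc_type, value, rest = m.group(1), m.group(2), m.group(3)
    # The source is the text after the last dash separator; everything before it is description.
    parts = [p.strip() for p in rest.split("—")]
    if len(parts) > 1:
        description, source = " — ".join(parts[:-1]), parts[-1]
    else:
        description, source = rest, ""
    rec = {"type": ioc_type, "value": value, "description": description, "source": source}
    if ioc_type == "IP":
        try:
            ipaddress.ip_address(value)          # rejects anything that is not a literal address
        except ValueError:
            return None
    elif ioc_type == "HASH":
        value = value.lower()
        if not SHA256_RE.match(value):           # only SHA-256 is accepted by this parser
            return None
        rec["value"] = value
        rec["hash_algorithm"] = "sha256"
    elif ioc_type == "URL":
        u = urlsplit(value)
        if u.scheme not in ("http", "https") or not u.hostname:
            return None
        rec["host"] = u.hostname                 # kept separately so the host can be blocked at egress
        rec["port"] = u.port or (443 if u.scheme == "https" else 80)
    elif ioc_type == "CVE":
        if not CVE_RE.match(value):
            return None
    return rec


def parse_ioc_report(text: str):
    """Parse every line, skipping invalid ones and de-duplicating by (type, value)."""
    seen, records = set(), []
    for line in text.splitlines():
        rec = parse_ioc_line(line)
        if rec and (rec["type"], rec["value"]) not in seen:
            seen.add((rec["type"], rec["value"]))
            records.append(rec)
    return records


def block_hosts(records):
    """Distinct hosts for an egress deny list: C2 IPs plus the hosts behind download URLs."""
    hosts = set()
    for r in records:
        if r["type"] == "IP":
            hosts.add(r["value"])
        elif r["type"] == "URL":
            hosts.add(r["host"])
    return sorted(hosts)


def to_watchlist_csv(records):
    """Render records as CSV for a SIEM watchlist / EDR custom-indicator import (assumed layout)."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["type", "value", "source", "description"], extrasaction="ignore")
    w.writeheader()
    w.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_ioc_report(SAMPLE_IOC_LINES)
    print(json.dumps(recs, indent=2))
    print(to_watchlist_csv(recs))
    print("egress block list:", block_hosts(recs))
```

Invalid lines are dropped rather than passed through, so a typo in a hash or a malformed address never becomes a silent no-op indicator in the SIEM; extend `parse_ioc_line` with a log call if you need an audit trail of rejected lines.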
#2

CISA KEV: Five Critical Vulnerabilities Under Active Exploitation — Palo Alto PAN-OS, Ivanti EPMM, Linux Kernel, cPanel and LiteLLM

Severity: HIGH | Attributed actor: Unknown

CISA has added five vulnerabilities to its Known Exploited Vulnerabilities catalog, confirming active in-the-wild exploitation. The most critical is CVE-2026-0300 affecting Palo Alto Networks PAN-OS, where an unauthenticated attacker can achieve root-level RCE on PA-Series and VM-Series firewalls via an out-of-bounds write in the User-ID Authentication Portal — a perimeter compromise risk that could provide direct network access to threat actors. CVE-2026-6973 in Ivanti Endpoint Manager Mobile allows an authenticated administrator to achieve RCE, a technique consistent with APT29 and Lazarus Group tradecraft of targeting mobile device management infrastructure to intercept credentials and pivot to enterprise networks. CVE-2026-41940 in WebPros cPanel and WHM introduces an authentication bypass enabling unauthenticated access to web hosting control panels, posing significant risk to shared hosting environments and managed service providers. CVE-2026-31431 in the Linux Kernel enables privilege escalation via incorrect resource transfer, while CVE-2026-42208 in BerriAI LiteLLM exposes a SQL injection vulnerability in AI proxy infrastructure — particularly relevant given today's AlienVault OTX intelligence on active AI platform supply chain attacks.

🔴 Indicators of Compromise
CVE CVE-2026-0300 — Palo Alto Networks PAN-OS — Unauthenticated RCE via out-of-bounds write in User-ID Authentication Portal — CISA KEV confirmed active exploitation
CVE CVE-2026-6973 — Ivanti Endpoint Manager Mobile (EPMM) — Authenticated RCE via improper input validation — CISA KEV confirmed active exploitation
CVE CVE-2026-41940 — WebPros cPanel and WHM — Authentication bypass allowing unauthenticated remote access — CISA KEV confirmed active exploitation
CVE CVE-2026-31431 — Linux Kernel — Privilege escalation via incorrect resource transfer between spheres — CISA KEV confirmed active exploitation
CVE CVE-2026-42208 — BerriAI LiteLLM — SQL injection enabling unauthorised access to the AI proxy database and managed credentials — CISA KEV confirmed active exploitation
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application
T1068 Exploitation for Privilege Escalation
T1078.001 Valid Accounts: Default Accounts
T1190 Exploit Public-Facing Application: SQL Injection
🟢 Hunt Queries
[MDE] Detect Exploitation Attempts Against PAN-OS Captive Portal (CVE-2026-0300)

Hunts for network events and process activity consistent with exploitation of CVE-2026-0300 on PAN-OS firewall management interfaces. Looks for unusual processes spawned from web services on firewall management hosts.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName in~ ('nginx', 'httpd', 'apache2', 'pan_task', 'sslmgr')
| where FileName in~ ('sh', 'bash', 'python', 'python3', 'perl', 'nc', 'ncat', 'curl', 'wget')
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
| order by TimeGenerated desc
[MDE] Detect Linux Kernel Privilege Escalation Activity (CVE-2026-31431)

Identifies suspicious privilege escalation patterns on Linux hosts consistent with exploitation of CVE-2026-31431, specifically looking for processes that escalate to root from non-privileged parent processes.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where AccountName == 'root'
| where InitiatingProcessAccountName != 'root' and InitiatingProcessAccountName != 'SYSTEM'
| where FileName in~ ('bash', 'sh', 'python', 'python3', 'perl')
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by TimeGenerated desc
[SENTINEL] Detect Phishing Infrastructure Connections Linked to Exploitation Campaigns

Identifies outbound connections to OpenPhish-confirmed phishing domains that may be used as secondary infrastructure in campaigns exploiting the CISA KEV vulnerabilities, including fake login portals targeting credentials.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any (
    'member17.agency-connect-profile.com',
    'ynabioueconus-meriescs-experinces-t.vercel.app',
    'member427.partner-business-hub.com',
    'ftx.claims-notification.com',
    'desenrolabrasil2026.site',
    'app86365.cc',
    'survey.refassured.com',
    'survey.refassured.co',
    'id-meta.busines-help-center.com',
    'finnest.ink',
    'usa_bluckfilouin.godaddysites.com',
    'hughssherika896572396.pages.dev',
    'loenwe-hopeagia-noprobs.pages.dev'
)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, Activity, DeviceVendor
| order by TimeGenerated desc
[SENTINEL] Ivanti EPMM RCE Exploitation Detection (CVE-2026-6973)

Detects anomalous command execution and network activity from Ivanti EPMM servers that may indicate exploitation of CVE-2026-6973, focusing on unusual outbound connections from MDM infrastructure.

SecurityEvent
| where TimeGenerated > ago(24h)
// 4688 (process creation) is the only event that carries NewProcessName and ParentProcessName;
// 4689 (process exit) rows never match the filters below and only add scan volume.
| where EventID == 4688
| where ParentProcessName has_any ('tomcat', 'java', 'epmm', 'mifs')
| where NewProcessName has_any ('cmd.exe', 'powershell.exe', 'bash', 'sh', 'curl', 'wget', 'certutil')
| project TimeGenerated, Computer, NewProcessName, CommandLine, ParentProcessName, SubjectUserName
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Apply vendor patches for CVE-2026-0300 (Palo Alto PAN-OS) — until patched, implement the CISA-specified workaround: restrict the User-ID Authentication Portal to trusted zones only and disable it if not operationally required
→ IMMEDIATE: Apply vendor patches for CVE-2026-6973 (Ivanti EPMM) — restrict administrative EPMM access to trusted IP ranges and require MFA for all admin accounts
→ IMMEDIATE: Apply vendor patches for CVE-2026-41940 (WebPros cPanel/WHM) — audit all admin accounts for unauthorized additions and review authentication logs for bypass indicators
→ IMMEDIATE: Apply Linux kernel patches addressing CVE-2026-31431 across all Linux servers and containers — prioritize internet-facing and privileged hosts
→ IMMEDIATE: Apply vendor mitigations for CVE-2026-42208 (BerriAI LiteLLM) — rotate all API keys and credentials managed by LiteLLM proxies and audit database access logs for unauthorized reads
→ SHORT-TERM: Audit PAN-OS, Ivanti EPMM, and cPanel/WHM authentication logs from the past 30 days for indicators of pre-patch exploitation
→ SHORT-TERM: Implement network segmentation to isolate EPMM management interfaces and the PAN-OS captive portal from general internet access
→ SHORT-TERM: Review all AI proxy deployments using LiteLLM and correlate with AlienVault OTX intelligence on the Hugging Face and ClawHub supply chain compromise
→ LONG-TERM: Establish a CISA KEV patch SLA of 72 hours or less for all network edge and authentication infrastructure vulnerabilities
→ LONG-TERM: Implement vulnerability management tooling that auto-ingests CISA KEV feeds and generates prioritized patch tickets
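To make the two long-term actions concrete, here is an added Python example (not part of the report, and not CISA's or any vendor's tool) that ingests a KEV-format feed, joins it against a small asset inventory, and emits patch tickets ordered by priority, applying the 72-hour internal SLA to edge and authentication infrastructure and CISA's own due date elsewhere. The feed entries and inventory are constructed for the demo: the field names follow the public KEV JSON layout, the CVE ids are the ones listed above, and every descriptive value, the placeholder CVE, and the asset names are made up.

```python
"""Turn a CISA KEV-format feed into prioritized patch tickets for the assets that carry it.

Added example; not part of the original report. Feed and inventory below are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Internal SLA the report proposes for edge / authentication infrastructure.
INTERNAL_SLA = timedelta(hours=72)

# Constructed feed in the public KEV JSON layout. CVE ids are from the report; names and
# dates are sample values, and CVE-0000-0000 is a placeholder for an entry nobody runs.
SAMPLE_KEV_FEED = json.dumps({
    "title": "constructed sample feed",
    "vulnerabilities": [
        {"cveID": "CVE-2026-0300", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
         "vulnerabilityName": "sample", "dateAdded": "2026-07-10", "dueDate": "2026-07-31",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-6973", "vendorProject": "Ivanti", "product": "Endpoint Manager Mobile (EPMM)",
         "vulnerabilityName": "sample", "dateAdded": "2026-07-10", "dueDate": "2026-07-31",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2026-31431", "vendorProject": "Linux", "product": "Kernel",
         "vulnerabilityName": "sample", "dateAdded": "2026-07-10", "dueDate": "2026-07-31",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0000", "vendorProject": "PlaceholderVendor", "product": "NotDeployed",
         "vulnerabilityName": "sample", "dateAdded": "2026-07-09", "dueDate": "2026-07-30",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory; "tier" drives which SLA applies.
SAMPLE_INVENTORY = [
    {"asset": "fw-edge-01", "vendor": "Palo Alto Networks", "product": "PAN-OS", "tier": "edge"},
    {"asset": "mdm-01", "vendor": "Ivanti", "product": "Endpoint Manager Mobile (EPMM)", "tier": "edge"},
    {"asset": "web-07", "vendor": "Linux", "product": "Kernel", "tier": "internal"},
]


def _parse_day(s: str) -> datetime:
    """KEV dates are YYYY-MM-DD; treat them as midnight UTC."""
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def _matches(entry: dict, asset: dict) -> bool:
    """Exact, case-insensitive vendor/product match; adapt to your CMDB naming if needed."""
    return (entry["vendorProject"].lower() == asset["vendor"].lower()
            and entry["product"].lower() == asset["product"].lower())


def build_tickets(kev_json: str, inventory, now_iso: str = None):
    """Return ticket dicts sorted by priority (desc) then due date; `now_iso` pins the clock for tests."""
    feed = json.loads(kev_json)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    tickets = []
    for entry in feed["vulnerabilities"]:
        for asset in inventory:
            if not _matches(entry, asset):
                continue
            added, cisa_due = _parse_day(entry["dateAdded"]), _parse_day(entry["dueDate"])
            # Edge/auth infrastructure gets the tighter of CISA's date and the internal 72h SLA.
            due = min(cisa_due, added + INTERNAL_SLA) if asset["tier"] == "edge" else cisa_due
            priority = 3 if asset["tier"] == "edge" else 1
            if entry.get("knownRansomwareCampaignUse") == "Known":
                priority += 2
            tickets.append({
                "cve": entry["cveID"], "asset": asset["asset"], "priority": priority,
                "due": due.date().isoformat(), "overdue": now > due,
            })
    tickets.sort(key=lambda t: (-t["priority"], t["due"], t["cve"]))
    return tickets


if __name__ == "__main__":
    for t in build_tickets(SAMPLE_KEV_FEED, SAMPLE_INVENTORY):
        print(t)
```

Entries with no matching asset produce no ticket, which is the point of joining against inventory: the KEV catalog is long, and only the rows that apply to something you run should become work. Swap `_matches` for a CPE or CMDB lookup in a real deployment.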
#3

AI Supply Chain and Fake Application Lure Campaigns — EtherRAT, Vidar Stealer, and LuaJIT Infostealers Targeting Developers and Gamers

Severity: MEDIUM | Attributed actor: TroyDen

AlienVault OTX has published three correlated threat pulses describing an active AI supply chain compromise campaign and associated malware distribution operations targeting developers and gamers. Threat actor TroyDen is confirmed operating a large-scale 'Lure Factory' distributing LuaJIT-based infostealers through over 300 delivery packages hosted on GitHub, using AI-generated lures to target developer and gaming communities, with 9 confirmed IOCs. Separately, a multi-stage loader campaign was identified using AutoIt abuse and MicrosoftToolkit.exe execution to deliver Vidar Stealer, with 9 IOCs and a sophisticated execution chain beginning with a commonly abused hack tool. A third pulse documents threat actors actively poisoning the Hugging Face and ClawHub AI platforms with malicious code embedded in over 575 models, datasets, and agent extensions — a significant supply chain risk for any organization using AI models from these platforms. The April 2026 EtherRAT intrusion (44 IOCs) further demonstrates adversary innovation in using the Ethereum blockchain for C2 communications to evade traditional network-based detection. GitHub threat intelligence also confirms active updates to maltrail's fakeapp.txt tracker (three commits in 24 hours) and ConnectWise abuse tracking, corroborating the fake application lure campaign activity.

🔴 Indicators of Compromise
HASH d5449f7a1351ffe3266524958cfdee3e9c53adbd06b05b686276dea18d4548ef — Executable dropped by GCleaner loader — tagged dropped-by-GCleaner, EU.file — consistent with fake application lure delivery chain — MalwareBazaar
HASH 9dff4c782d0dae42c5aef8a755da13a2ad9b7ac2172d0e2753d6cf145d7e3e64 — HTA file sample — tagged hta — consistent with multi-stage loader delivery via HTML Application execution — MalwareBazaar
HASH 9248b313a40c89e3c91c36c2a037c0ed2e24db27321c5f8cd3b0603780cf98ef — Shell script sample — tagged sh — consistent with the dropper stage in a fake application or AI supply chain compromise delivery chain — MalwareBazaar
URL https://member17.agency-connect-profile.com/ — Active phishing URL — likely credential harvesting portal — OpenPhish confirmed
URL https://ynabioueconus-meriescs-experinces-t.vercel.app/ — Active phishing URL hosted on Vercel — financial/account lure — OpenPhish confirmed
URL https://id-meta.busines-help-center.com/ — Active phishing URL — Meta/Facebook business account credential harvesting — OpenPhish confirmed
URL https://ftx.claims-notification.com/portal-claims/?id=Y2FsY3VsYXRvYXJlcGl0ZXN0aS5jb20 — Active phishing URL — FTX crypto claims lure for financial credential harvesting — OpenPhish confirmed
URL http://diogohenriquedotpy.github.io/meus-sites-favoritos — Active phishing URL hosted on GitHub Pages — OpenPhish confirmed
URL http://42.231.183.171:46996/i — Active malware download URL — URLhaus confirmed; non-standard port delivery consistent with TroyDen/fake app distribution chain
🟣 MITRE ATT&CK TTPs
T1195.001 Compromise Software Dependencies and Development Tools
T1036.005 Masquerading: Match Legitimate Name or Location
T1568.002 Dynamic Resolution: Domain Generation Algorithms
T1566.003 Phishing: Spearphishing via Service
🟢 Hunt Queries
[MDE] Detect GCleaner-Dropped Malware and HTA/Shell Script Execution

Identifies execution of MalwareBazaar-confirmed samples dropped by GCleaner and HTA/shell script payloads consistent with multi-stage fake application lure delivery chains.

DeviceFileEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    'd5449f7a1351ffe3266524958cfdee3e9c53adbd06b05b686276dea18d4548ef',
    '9dff4c782d0dae42c5aef8a755da13a2ad9b7ac2172d0e2753d6cf145d7e3e64',
    '9248b313a40c89e3c91c36c2a037c0ed2e24db27321c5f8cd3b0603780cf98ef',
    '6df513fd0947891b38063d2e94a617521a3d76d36182cb8db5dc3c9d6f200123',
    '68e47f41fe02072b220efa24088903dc687049d481bae41102858430c5dd918b',
    '8fc021a28f84fc009fe1b36d54ae1a81a7850611760ad9b6799453412fd3c752',
    'cf64c80a5f94c1cd9033dcb45945fa39b55d14f8aa54f5c4732a5c72533800fc'
)
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
[MDE] Detect AutoIt Abuse and Fake Tool Execution Leading to Vidar Stealer

Hunts for AutoIt script execution and masquerading executables consistent with the AutoIt/Vidar Stealer multi-stage loader campaign documented in AlienVault OTX, specifically looking for AutoIt processes spawning suspicious child processes.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where (InitiatingProcessFileName =~ 'AutoIt3.exe' or InitiatingProcessFileName =~ 'Au3Check.exe'
    or ProcessCommandLine has 'MicrosoftToolkit'
    or FileName =~ 'MicrosoftToolkit.exe')
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, FolderPath
| order by TimeGenerated desc
[MDE] Detect Ethereum Blockchain C2 Communication (EtherRAT)

Identifies outbound connections to Ethereum RPC endpoints and blockchain APIs that may indicate EtherRAT C2 activity, as documented in the AlienVault OTX EtherRAT/Gentleman Ransomware pulse.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemotePort in (8545, 8546, 30303)
    or RemoteUrl has_any ('infura.io', 'alchemy.com', 'etherscan.io', 'rpc.ankr.com', 'cloudflare-eth.com')
| where InitiatingProcessFileName !in~ ('chrome.exe', 'firefox.exe', 'msedge.exe', 'brave.exe')
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
[SENTINEL] Detect User Connections to OpenPhish-Confirmed Phishing Infrastructure

Identifies web proxy and firewall events where internal users or systems have connected to the 15 OpenPhish-confirmed active phishing URLs, including Vercel-hosted and GitHub Pages lures.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any (
    'agency-connect-profile.com',
    'ynabioueconus-meriescs-experinces-t.vercel.app',
    'partner-business-hub.com',
    'claims-notification.com',
    'desenrolabrasil2026.site',
    'app86365.cc',
    'refassured.com',
    'refassured.co',
    'busines-help-center.com',
    'finnest.ink',
    'bluckfilouin.godaddysites.com',
    'hughssherika896572396.pages.dev',
    'loenwe-hopeagia-noprobs.pages.dev',
    'diogohenriquedotpy.github.io'
)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, Activity, DeviceVendor, DeviceProduct
| order by TimeGenerated desc
[MDI] Detect Post-Phishing Account Compromise and Suspicious OAuth Activity

Identifies suspicious identity events following potential phishing lure clicks, including anomalous OAuth token issuance and impossible travel patterns consistent with credential harvesting via the confirmed OpenPhish infrastructure.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType in ('LogonSuccess', 'LogonFailed')
| where LogonType == 'Interactive' or LogonType == 'RemoteInteractive'
| summarize FailedAttempts=countif(ActionType=='LogonFailed'), SuccessAttempts=countif(ActionType=='LogonSuccess'), DistinctIPs=dcount(IPAddress), IPList=make_set(IPAddress) by AccountDisplayName
| where FailedAttempts > 10 or DistinctIPs > 3
| order by FailedAttempts desc
✅ Recommended Actions
→ IMMEDIATE: Block all 15 OpenPhish-confirmed phishing URLs at web proxy and DNS filtering layers — prioritize id-meta.busines-help-center.com (Meta credential harvesting) and ftx.claims-notification.com (crypto lure)
→ IMMEDIATE: Alert the security awareness team to send a user notification about active fake application and AI model supply chain threats — specifically warn developers against downloading models from Hugging Face and ClawHub without integrity verification
→ IMMEDIATE: Block or monitor all nine URLhaus malware download IPs, especially 42.231.183.171, which is consistent with fake app delivery infrastructure
→ IMMEDIATE: Submit all seven MalwareBazaar hashes (including the GCleaner-dropped and HTA samples) to EDR for retrospective scanning across the estate
→ SHORT-TERM: Audit all developer workstations for AutoIt installations and MicrosoftToolkit.exe execution events in the past 30 days — cross-reference with the Vidar Stealer IOCs from the AlienVault OTX pulse (9 IOCs)
→ SHORT-TERM: Review all AI/ML pipeline dependencies for models sourced from Hugging Face or ClawHub — implement model integrity checks and quarantine any models downloaded in the past 60 days pending verification
→ SHORT-TERM: Deploy Ethereum RPC monitoring on network egress to detect EtherRAT C2 beaconing — alert on any non-approved application communicating with Ethereum nodes
→ SHORT-TERM: Review JDownloader installations across the estate for compromise — the May 2026 OTX pulse documents a supply chain attack via official JDownloader installer links between May 6-7, 2026
→ LONG-TERM: Implement a formal AI model provenance policy requiring cryptographic signing and organizational approval for all AI model imports
→ LONG-TERM: Subscribe to the maltrail fakeapp.txt and connectwise.txt GitHub feeds for ongoing fake application and RMM tool abuse indicators
→ LONG-TERM: Develop detection engineering rules for blockchain-based C2 communications as a novel evasion technique trending in advanced threat actor toolkits
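The short-term action to implement model integrity checks and the long-term provenance policy both come down to one control: only load artifacts whose digests match a manifest produced from a reviewed copy, so a poisoned re-download from Hugging Face, ClawHub or any other hub is refused before any loader code runs. The following Python code is an added example, not part of the report and not the tooling of any platform; the manifest format (one `sha256  relative/path` line per file) is an assumption. The demo builds a manifest for a constructed model directory, then shows that a modified weights file, an unexpected extra script and a missing file all fail verification.

```python
"""Pin a reviewed model directory to a SHA-256 manifest and verify downloads against it.

Added example; not part of the original report. Manifest format is an assumption.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte weight files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(model_dir: Path) -> str:
    """One '<sha256>  <relative posix path>' line per file, sorted for stable diffs."""
    lines = []
    for p in sorted(model_dir.rglob("*")):
        if p.is_file():
            lines.append(f"{sha256_file(p)}  {p.relative_to(model_dir).as_posix()}")
    return "\n".join(lines) + "\n"


def verify_model(model_dir: Path, manifest: str):
    """Return (ok, problems); problems lists 'missing:', 'extra:' and 'modified:' entries."""
    expected = {}
    for line in manifest.splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            expected[rel] = digest
    actual = {p.relative_to(model_dir).as_posix(): sha256_file(p)
              for p in model_dir.rglob("*") if p.is_file()}
    problems = []
    # A file the reviewed copy had but the download lacks.
    problems += [f"missing: {rel}" for rel in sorted(set(expected) - set(actual))]
    # A file the download added: typical of injected loader/setup scripts, so it is a failure too.
    problems += [f"extra: {rel}" for rel in sorted(set(actual) - set(expected))]
    # Same path, different content.
    problems += [f"modified: {rel}" for rel in sorted(set(actual) & set(expected))
                 if not hmac.compare_digest(actual[rel], expected[rel])]
    return (not problems), problems


def demo():
    """Constructed scenario: pin a reviewed model, then detect a tampered re-download."""
    with tempfile.TemporaryDirectory() as tmp:
        model = Path(tmp) / "model"
        model.mkdir()
        (model / "config.json").write_text('{"constructed": true}')
        (model / "weights.bin").write_bytes(b"\x00" * 1024)
        manifest = build_manifest(model)
        clean_ok, _ = verify_model(model, manifest)
        # Simulate a poisoned re-download: weights change, a script appears, the config is gone.
        (model / "weights.bin").write_bytes(b"\x00" * 1023 + b"\x01")
        (model / "setup.py").write_text("# constructed extra file")
        (model / "config.json").unlink()
        tampered_ok, problems = verify_model(model, manifest)
    return clean_ok, tampered_ok, problems


if __name__ == "__main__":
    ok, tampered, problems = demo()
    print("reviewed copy verifies:", ok)
    print("tampered copy verifies:", tampered, problems)
```

Store the manifest with the approval record, not next to the model files, since an attacker who can replace the weights can replace a co-located manifest just as easily; signing the manifest is the natural next step for the provenance policy the report calls for.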