Daily Threat Intelligence Report, 2025-07-14
Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed by Feodotracker across US, UK, and Japanese IP space, alongside a cluster of ValleyRAT and SilverFox malware samples identified in MalwareBazaar indicating active loader campaigns. CISA has added five critical vulnerabilities to the KEV catalog, including a Palo Alto Networks PAN-OS out-of-bounds write (CVE-2026-0300) allowing unauthenticated RCE with root privileges and an Ivanti EPMM authenticated RCE (CVE-2026-6973), demanding immediate patching priority. A MuddyWater-attributed espionage campaign targeting electronics manufacturers across nine countries and a supply-chain attack compromising 84 TanStack npm packages (attributed to TeamPCP) represent significant ongoing strategic threats per AlienVault OTX. SOC teams should immediately block all five Feodotracker C2 IPs, prioritise PAN-OS and Ivanti EPMM patching, and audit CI/CD pipelines for compromised TanStack dependencies.
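One way to carry out the recommended CI/CD audit for TanStack dependencies is to walk a project's package-lock.json and flag every package in the @tanstack scope for review, with exact matches against a known-bad version list reported separately and any package carrying an install script (a common supply-chain payload vector) called out. This is an added example, not tooling from the report or from TanStack; the report does not list the 84 affected package versions, so the COMPROMISED_VERSIONS set holds an obvious placeholder to be replaced with the advisory's list, and the lockfile and version numbers below are constructed.

```python
"""Audit a package-lock.json for @tanstack packages (added example).

COMPROMISED_VERSIONS is a PLACEHOLDER: the report does not list the
affected versions, so replace it with the advisory-published list.
SAMPLE_LOCK and its version numbers are constructed for illustration.
"""
from __future__ import annotations

import json
import sys

SCOPE = "@tanstack/"

# PLACEHOLDER (package, version) pairs; not real data.
COMPROMISED_VERSIONS: set[tuple[str, str]] = {
    ("@tanstack/example-package-PLACEHOLDER", "0.0.0-placeholder"),
}


def iter_lock_packages(lock: dict):
    """Yield (name, version, has_install_script) for lockfile v1, v2 and v3."""
    packages = lock.get("packages")
    if packages is not None:
        # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            name = path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version", ""), bool(meta.get("hasInstallScript"))
        return

    # lockfileVersion 1: nested "dependencies" tree, no install-script flag
    def walk(deps: dict):
        for name, meta in deps.items():
            yield name, meta.get("version", ""), False
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def audit(lock: dict) -> dict[str, list[str]]:
    """Classify every @tanstack package in the lockfile.

    compromised:    exact (name, version) match against COMPROMISED_VERSIONS
    review:         any other @tanstack package, to be checked by hand
    install_script: @tanstack packages that run a script on install
    """
    findings: dict[str, list[str]] = {"compromised": [], "review": [], "install_script": []}
    for name, version, has_install in iter_lock_packages(lock):
        if not name.startswith(SCOPE):
            continue
        key = f"{name}@{version}"
        if (name, version) in COMPROMISED_VERSIONS:
            findings["compromised"].append(key)
        else:
            findings["review"].append(key)
        if has_install:
            findings["install_script"].append(key)
    return findings


# Constructed lockfile (v3 layout); versions are made up for the example.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"@tanstack/react-query": "^5.0.0"}},
        "node_modules/@tanstack/react-query": {"version": "5.51.1"},
        "node_modules/@tanstack/query-core": {"version": "5.51.1"},
        "node_modules/@tanstack/example-package-PLACEHOLDER": {
            "version": "0.0.0-placeholder",
            "hasInstallScript": True,
        },
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}

if __name__ == "__main__":
    # Usage: python audit_tanstack.py [path/to/package-lock.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for category, items in audit(lock).items():
        print(f"{category}: {items}")
```

Run it against each repository's lockfile in the pipeline; a non-empty "compromised" list should fail the build, while "review" and "install_script" entries are handed to an analyst to compare against the published advisory.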
Active QakBot and Emotet C2 Infrastructure: Multi-Region Botnet Operations Confirmed
Severity: CRITICAL | Threat actor: TA505
Feodotracker has confirmed five active command-and-control servers operational within the last 24 hours: four QakBot C2 nodes hosted across the US (50.16.16.211, 34.204.119.63), UK (178.62.3.223), and Japan (27.133.154.218), and one Emotet C2 node in the US (162.243.103.246). QakBot and Emotet are primary initial-access and post-exploitation tools historically associated with TA505 and related ransomware-as-a-service ecosystems, used for credential harvesting, lateral movement, and ransomware staging. The geographic distribution of C2 infrastructure across three countries suggests active infrastructure rotation to evade single-country blocking strategies. MalwareBazaar corroborates active loader activity with a confirmed AgentTesla sample (4a4d0da0f8c4cd9a46178150f755a1348100b2c5b471874f8a898258c39a26a4) and additional RemoteManipulator tooling, consistent with post-QakBot/Emotet access monetisation patterns.
ValleyRAT/SilverFox Loader Campaign and ZigClipper Clipper Malware Active: Windows Endpoint Targeting
Severity: HIGH | Threat actor: Unknown
MalwareBazaar has identified multiple active malware samples within the last 24 hours including two ValleyRAT/SilverFox loader executables (hashes: 2323b5a8e01c2ec1ac3ebc05317dac329c87d4ff54e8f2214672e81fd9728939 and 791b8b0ae50f56089a9fff33d391a99ab56da62adf19825e716d86bda075f1c5), a malicious Agent executable (240736de9d08d836e979156a5bdc29a94dba0bff0ffffab49e9887452773a8b7), and two ZigClipper samples (36c005a6cb62dd768959b6841d9e7c596089d948e9f5f6f4eedf858c30017b9a and 6356a12295738d0badce36a73faa2051778f2c5368e70393a042942338846cbb) tagged as dropped by ACRStealer via the domain sp13-gstats-api-coni-co. ValleyRAT is a sophisticated multi-stage RAT with capabilities for remote command execution, file operations, and persistence, while ZigClipper intercepts and replaces cryptocurrency wallet addresses in clipboard content to redirect transactions to attacker-controlled wallets. The ACRStealer dropper relationship confirms a chained infection pipeline: initial access via stealer, followed by clipboard hijacking for financial theft, a pattern increasingly observed in cryptocurrency-targeting campaigns. GitHub activity from stamparm/maltrail also recorded updates to ClearFake and PureLogs tracking files, corroborating an active exploit-kit and stealer ecosystem consistent with this campaign.
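The two sections above together give a small, concrete indicator set: five C2 IPs, seven SHA-256 file hashes and one dropper domain. The following added example (not tooling from the report, Feodotracker or MalwareBazaar) sweeps those indicators over firewall, proxy and EDR log lines, refangs defanged IPs such as 162[.]243[.]103[.]246 so analyst-pasted lines still match, and normalises hash case. The log lines and internal addresses are constructed for illustration; the indicators themselves are copied from the report.

```python
"""Sweep the report's IoCs over sample log lines (added example).

Indicators are taken verbatim from the report; SAMPLE_LOGS and the
10.20.x.x hosts in them are constructed, not from any real environment.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Feodotracker C2 IPs from the report, with the family and region given there.
C2_IPS = {
    "50.16.16.211": "QakBot C2 (US)",
    "34.204.119.63": "QakBot C2 (US)",
    "178.62.3.223": "QakBot C2 (UK)",
    "27.133.154.218": "QakBot C2 (JP)",
    "162.243.103.246": "Emotet C2 (US)",
}

# MalwareBazaar SHA-256 hashes from the report.
MALICIOUS_SHA256 = {
    "4a4d0da0f8c4cd9a46178150f755a1348100b2c5b471874f8a898258c39a26a4": "AgentTesla",
    "2323b5a8e01c2ec1ac3ebc05317dac329c87d4ff54e8f2214672e81fd9728939": "ValleyRAT/SilverFox loader",
    "791b8b0ae50f56089a9fff33d391a99ab56da62adf19825e716d86bda075f1c5": "ValleyRAT/SilverFox loader",
    "240736de9d08d836e979156a5bdc29a94dba0bff0ffffab49e9887452773a8b7": "Agent executable",
    "36c005a6cb62dd768959b6841d9e7c596089d948e9f5f6f4eedf858c30017b9a": "ZigClipper",
    "6356a12295738d0badce36a73faa2051778f2c5368e70393a042942338846cbb": "ZigClipper",
}

# Dropper domain exactly as the report writes it.
DROPPER_DOMAINS = {"sp13-gstats-api-coni-co": "ACRStealer dropper domain"}

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str       # "ip", "sha256" or "domain"
    indicator: str
    label: str


def refang(text: str) -> str:
    """Undo common defanging so '162[.]243[.]103[.]246' matches the C2 list."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def scan_line(line_no: int, line: str) -> list[Hit]:
    """Return every indicator match in one log line."""
    line = refang(line)
    hits: list[Hit] = []
    for ip in sorted(set(_IPV4.findall(line))):
        if ip in C2_IPS:
            hits.append(Hit(line_no, "ip", ip, C2_IPS[ip]))
    for digest in sorted({m.lower() for m in _SHA256.findall(line)}):
        if digest in MALICIOUS_SHA256:
            hits.append(Hit(line_no, "sha256", digest, MALICIOUS_SHA256[digest]))
    lowered = line.lower()
    for domain, label in DROPPER_DOMAINS.items():
        if domain in lowered:
            hits.append(Hit(line_no, "domain", domain, label))
    return hits


def scan(lines) -> list[Hit]:
    """Scan an iterable of log lines; line numbers are 1-based."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits per indicator label for a quick triage view."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.label] = counts.get(h.label, 0) + 1
    return counts


# Constructed sample lines: firewall, proxy and EDR formats, one defanged.
SAMPLE_LOGS = [
    "2025-07-14T08:12:03Z fw01 src=10.20.4.17 dst=178.62.3.223 dport=443 action=allow",
    "2025-07-14T08:12:09Z fw01 src=10.20.4.17 dst=93.184.216.34 dport=443 action=allow",
    "2025-07-14T08:15:41Z proxy host=sp13-gstats-api-coni-co method=GET status=200 client=10.20.7.90",
    "2025-07-14T08:16:02Z edr host=WS-0417 event=file_create sha256=2323B5A8E01C2EC1AC3EBC05317DAC329C87D4FF54E8F2214672E81FD9728939",
    "2025-07-14T08:30:55Z fw02 src=10.20.9.3 dst=162[.]243[.]103[.]246 dport=8080 action=allow",
    "2025-07-14T08:31:10Z fw02 src=10.20.9.3 dst=10.20.0.1 dport=53 action=allow",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for hit in found:
        print(f"line {hit.line_no}: {hit.kind} {hit.indicator} -> {hit.label}")
    print(summarize(found))
```

On the sample input the sweep returns four hits (the UK QakBot C2, the dropper domain, the uppercase ValleyRAT hash and the defanged Emotet C2) and no false positives on the benign lines; pointing `scan()` at real firewall or EDR exports is the quickest way to confirm whether the "block all five C2 IPs" recommendation is reactive or preventive for a given estate.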
CISA KEV: Five Critical Vulnerabilities Actively Exploited: PAN-OS, Ivanti EPMM, Linux Kernel, cPanel, and LiteLLM Require Immediate Patching
Severity: MEDIUM | Threat actor: Unknown
CISA has added five vulnerabilities to the Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The most critical is CVE-2026-0300 in Palo Alto Networks PAN-OS, an out-of-bounds write in the User-ID Authentication Portal (Captive Portal) allowing unauthenticated remote attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls; this represents a network perimeter compromise risk of the highest severity. CVE-2026-6973 in Ivanti EPMM allows a remotely authenticated administrative user to achieve RCE, threatening mobile device management infrastructure. CVE-2026-41940 in WebPros cPanel and WHM enables unauthenticated authentication bypass giving attackers full control panel access, while CVE-2026-31431 in the Linux Kernel allows local privilege escalation via incorrect resource transfer. CVE-2026-42208 in BerriAI LiteLLM introduces SQL injection enabling unauthorized read/write access to AI proxy credentials, a significant risk for organisations using LLM infrastructure. All five require immediate remediation per BOD 22-01 guidance.