Daily Threat Intelligence Report: 2026-05-14
Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed by Feodotracker across US, UK, and Japan nodes, alongside a surge in Mirai botnet ELF samples and an AsyncRAT trojan tracked in MalwareBazaar. CISA has added five critical vulnerabilities to the Known Exploited Vulnerabilities catalog, including a Palo Alto Networks PAN-OS out-of-bounds write (CVE-2026-0300) allowing unauthenticated root-level RCE and a cPanel authentication bypass (CVE-2026-41940), both requiring immediate patching. AlienVault OTX reports active Kimsuky APT activity leveraging a CHM dropper and three-stage PowerShell kill chain, with 38 IOCs published. SOC teams should immediately block all five Feodotracker C2 IPs, apply CISA KEV patches on an emergency basis, and hunt for AsyncRAT and Mirai indicators across Linux and Windows endpoints.
Active QakBot and Emotet C2 Infrastructure: Multi-Region Banking Trojan Campaign
Severity: CRITICAL. Attributed actor: TA505.
Feodotracker has confirmed four active QakBot C2 servers and one Emotet C2 server operational within the last 24 hours, spanning infrastructure in the United States (50.16.16.211, 34.204.119.63, 162.243.103.246), the United Kingdom (178.62.3.223), and Japan (27.133.154.218). QakBot and Emotet are historically associated with TA505 operations and serve as primary delivery mechanisms for ransomware payloads including Cl0p and Dridex. The geographic distribution across three countries suggests deliberate infrastructure diversification to evade regional blocklists and maintain persistence. Organizations with financial sector exposure or unpatched Windows endpoints should treat these C2 IPs as high-priority blocking targets and hunt for beaconing activity immediately.
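A hunt query of the kind this section calls for, as an added example that is not part of the report: it screens outbound connection logs for the five Feodotracker C2 addresses above and flags source hosts whose contacts are periodic with low jitter, the classic beaconing pattern. The log format (timestamp, source IP, destination IP) and the log lines are constructed for the example; the jitter threshold is an assumption to tune per environment.

```python
"""Hunt for beaconing to the C2 addresses listed in today's report.
Added example; the log lines below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Watchlist: the five C2 IPs from the Feodotracker section of the report.
C2_WATCHLIST = {
    "50.16.16.211", "34.204.119.63", "162.243.103.246",  # United States
    "178.62.3.223",                                       # United Kingdom
    "27.133.154.218",                                     # Japan
}

# Constructed outbound-connection log: "<ISO timestamp> <src IP> <dst IP>".
SAMPLE_LOG = """\
2026-05-14T08:00:00 10.0.0.5 50.16.16.211
2026-05-14T08:05:01 10.0.0.5 50.16.16.211
2026-05-14T08:10:00 10.0.0.5 50.16.16.211
2026-05-14T08:14:59 10.0.0.5 50.16.16.211
2026-05-14T08:02:10 10.0.0.9 93.184.216.34
2026-05-14T09:31:44 10.0.0.9 178.62.3.223
"""

def c2_contacts(log_text):
    """Group timestamps of every connection to a watchlisted C2 by (src, dst)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        if dst in C2_WATCHLIST:
            hits[(src, dst)].append(datetime.fromisoformat(ts))
    return hits

def is_beaconing(timestamps, min_hits=4, max_jitter=0.2):
    """True when >= min_hits contacts occur at near-constant intervals
    (coefficient of variation of the inter-arrival gaps <= max_jitter)."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter

def hunt(log_text):
    """One finding per (src, dst) pair: any C2 contact is a hit; periodic
    contact additionally raises the beaconing flag."""
    return [{"src": s, "dst": d, "hits": len(t), "beaconing": is_beaconing(t)}
            for (s, d), t in sorted(c2_contacts(log_text).items())]
```

Every entry returned by `hunt()` is a blocklist match worth triage; the `beaconing` flag prioritises hosts that are already checking in on a schedule.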
Mirai Botnet Resurgence: Four New ELF Samples and Active Linux Malware Download Infrastructure
Severity: HIGH. Attributed actor: unknown.
MalwareBazaar has catalogued four new Mirai ELF binary samples within the past 24 hours (hashes: 775042943516f540da439945aa5fb43b296892b8211699cbd8c0610d5dc09b0f, ff1aa2a8e6fb56a6a5e43ee8ab77017454160b406003d1ee758f465afd225b60, 6abcb230fb1233ce9b56099a94a19c35c7ca199667130970edc47691f3fd3709, bd62de3c345b01497d327c369bf335cb48b66ba2a117a850081130a8a7f91152), indicating active botnet build-out or a refresh of Mirai variant infrastructure. URLhaus concurrently tracks five active malware download URLs delivering shell scripts (bin.sh) and unclassified payloads from IPs spanning multiple countries, consistent with Mirai's known propagation methodology of exploiting weak SSH/Telnet credentials and vulnerable IoT/Linux services. The simultaneous appearance of four distinct ELF samples alongside active download infrastructure suggests a coordinated Mirai operator campaign targeting Linux servers and IoT devices. Organizations running internet-exposed Linux systems, routers, NVRs, or IoT devices should conduct an immediate inventory and credential review.
Critical CISA KEV Additions: PAN-OS RCE, Ivanti EPMM, cPanel Auth Bypass, Linux Kernel Privilege Escalation, and LiteLLM SQL Injection Actively Exploited
Severity: MEDIUM. Attributed actor: unknown.
CISA has added five vulnerabilities to the Known Exploited Vulnerabilities catalog today, all requiring immediate action. The most critical is CVE-2026-0300 affecting Palo Alto Networks PAN-OS, an out-of-bounds write in the User-ID Authentication Portal enabling unauthenticated root-level remote code execution on PA-Series and VM-Series firewalls; patches are available as of 2026-05-13. CVE-2026-41940 affects WebPros cPanel & WHM and WP2, allowing unauthenticated remote attackers to bypass authentication entirely and access the hosting control panel. CVE-2026-6973 in Ivanti EPMM allows authenticated remote administrators to achieve RCE, while CVE-2026-31431 in the Linux Kernel enables local privilege escalation, and CVE-2026-42208 in BerriAI LiteLLM exposes a SQL injection risk in AI proxy infrastructure. AlienVault OTX additionally reports an Adobe Reader zero-day exploited since at least December 2025, further expanding the vulnerability exploitation surface. Organizations must prioritize emergency patching of PAN-OS and cPanel given the unauthenticated attack vectors.