Daily Threat Intelligence Report - 2026-05-14
Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed by Feodotracker, with four QakBot C2 servers spanning the US, UK, and Japan indicating an active, geographically distributed campaign. CISA has added five critical vulnerabilities to the KEV catalog, including an authentication bypass in Cisco Catalyst SD-WAN (CVE-2026-20182), an RCE in Palo Alto PAN-OS (CVE-2026-0300), and an RCE in Ivanti EPMM (CVE-2026-6973), all requiring immediate remediation. MalwareBazaar has identified active Phorpiex-dropped CoinMiner and QuasarRAT samples alongside Mirai ELF binaries, signaling concurrent botnet recruitment and cryptojacking operations. Immediate actions include blocking all five Feodotracker C2 IPs at the perimeter, patching all five CISA KEV vulnerabilities under Emergency Directive 26-03 guidance, and deploying detection rules for QakBot, Emotet, Mirai, and QuasarRAT indicators.
Active QakBot & Emotet C2 Infrastructure: Multi-Region Banking Trojan Campaign
CRITICAL | TA505
Feodotracker has confirmed five active C2 servers associated with QakBot (four nodes: 50.16.16.211 US, 34.204.119.63 US, 178.62.3.223 GB, 27.133.154.218 JP) and Emotet (162.243.103.246 US) as of the last 24 hours. TA505, a financially motivated threat actor historically associated with both QakBot distribution and large-scale spam campaigns, leverages these geographically distributed C2 nodes to evade geo-blocking and maintain resilient command-and-control over compromised endpoints. QakBot is a modular banking trojan capable of credential theft, lateral movement via network worm propagation, and acting as a loader for follow-on ransomware payloads such as Black Basta and Cactus. The simultaneous presence of Emotet C2 infrastructure suggests a potential loader-as-a-service relationship, where Emotet re-infections are used to re-seed QakBot into previously remediated environments.
CISA KEV: Five Critical Vulnerabilities Including Unauthenticated Cisco SD-WAN Bypass and PAN-OS RCE Requiring Emergency Patching
HIGH | Unknown Threat Actor
CISA has added five vulnerabilities to the Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. The most severe is CVE-2026-20182 in Cisco Catalyst SD-WAN, which allows unauthenticated remote attackers to bypass authentication and gain administrative privileges; CISA has issued Emergency Directive 26-03 and dedicated Hunt & Hardening Guidance for this vulnerability. Equally critical is CVE-2026-0300 in Palo Alto PAN-OS, an out-of-bounds write in the User-ID Authentication Portal (Captive Portal) enabling unauthenticated root-level RCE on PA-Series and VM-Series firewalls via specially crafted packets, with patches released by Palo Alto as of May 13, 2026. CVE-2026-6973 in Ivanti EPMM enables authenticated remote code execution by administrators, CVE-2026-42208 in BerriAI LiteLLM exposes SQL injection leading to credential theft from the proxy database, and CVE-2026-31431 in the Linux Kernel allows local privilege escalation, collectively representing a broad attack surface across network infrastructure, mobile device management, AI proxies, and operating systems.
Active Mirai Botnet Recruitment, QuasarRAT Deployment, and Multi-Platform Phishing Campaign Targeting Financial and Gaming Brands
MEDIUM | Unknown Threat Actor
MalwareBazaar has confirmed two distinct Mirai ELF samples (hashes 79f77aca985555923e0cdf6e466234f40baf6ac5fe7d99ec35eefefaab7ffddd and c90da7fb6b8f73f88bea60206a6f393dc2e1c2e8d7a6cfb3795e7fd4b1a5f93d) alongside a QuasarRAT EXE sample (8843a708f2855097f055047fb82be8a98a37b23f19406cea51c884b47aeb73a2, tagged botnet/c2/trojan) and GCleaner-dropped payloads (fcbe8040b49c48395fd7d4d3d12517f3ed77718536ec3e5f9e20fdde3774b346, 312f74461b96165887d62b7d3ba6000c58976ee2fd38cf5d53c0f546dabc55d5), indicating simultaneous IoT botnet expansion and Windows RAT deployment operations. In parallel, OpenPhish confirms an active multi-brand phishing campaign with 15 live phishing URLs targeting T-Mobile payment portals (t-mobile.mzdglw.top/pay/, t-mobile.dfezuc.top/pay/), Amazon (nazuk-kabra1111.github.io/amazon-clone/), Roblox (roblox.et, robiox.com.ps), Uphold cryptocurrency platform (uphold-up.square.site), and Meta/Facebook business accounts (service-blueticks-fb-479843.vercel.app, customer-sp-alexk.pages.dev). The URLhaus bin.sh download URLs (175.150.71.143:35692/bin.sh, 42.235.114.171:34214/bin.sh) corroborate active Mirai dropper delivery targeting Linux and IoT devices, while GitHub/stamparm maltrail commits show concurrent updates to MagentoCORE skimmer and compromised npm repository tracking lists, indicating e-commerce skimming activity running in parallel.
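As an added example (not part of this report, nor code from Feodotracker, MalwareBazaar, OpenPhish or URLhaus), the Python script below performs the indicator sweep that the summary's recommended actions call for: it loads the C2 IPs, Mirai dropper hosts, SHA256 hashes and phishing hostnames listed in the sections above and checks them against firewall, proxy and EDR log lines. The indicator values are exactly those printed in the report; the log lines and their `key=value` layout are constructed for the example and stand in for whatever format your own telemetry uses.

```python
"""IoC sweep over sample logs using the indicators published in this report."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Indicator values are copied from the report; labels name the feed that published them.
C2_IPS = {  # Feodotracker C2 servers
    "50.16.16.211": "QakBot",
    "34.204.119.63": "QakBot",
    "178.62.3.223": "QakBot",
    "27.133.154.218": "QakBot",
    "162.243.103.246": "Emotet",
}
DROPPER_HOSTS = {"175.150.71.143:35692", "42.235.114.171:34214"}  # URLhaus bin.sh hosts
SHA256_HASHES = {  # MalwareBazaar samples
    "79f77aca985555923e0cdf6e466234f40baf6ac5fe7d99ec35eefefaab7ffddd": "Mirai ELF",
    "c90da7fb6b8f73f88bea60206a6f393dc2e1c2e8d7a6cfb3795e7fd4b1a5f93d": "Mirai ELF",
    "8843a708f2855097f055047fb82be8a98a37b23f19406cea51c884b47aeb73a2": "QuasarRAT",
    "fcbe8040b49c48395fd7d4d3d12517f3ed77718536ec3e5f9e20fdde3774b346": "GCleaner payload",
    "312f74461b96165887d62b7d3ba6000c58976ee2fd38cf5d53c0f546dabc55d5": "GCleaner payload",
}
PHISH_HOSTS = {  # OpenPhish hostnames; subdomains of these also match
    "t-mobile.mzdglw.top", "t-mobile.dfezuc.top", "nazuk-kabra1111.github.io",
    "roblox.et", "robiox.com.ps", "uphold-up.square.site",
    "service-blueticks-fb-479843.vercel.app", "customer-sp-alexk.pages.dev",
}

# Constructed sample telemetry (not real logs): "<timestamp> <source> <key=value ...>".
SAMPLE_LOGS = [
    "2026-05-14T08:01:02Z FW action=allow src=10.0.0.5 dst=50.16.16.211 dport=443",
    "2026-05-14T08:01:09Z FW action=allow src=10.0.0.7 dst=8.8.8.8 dport=53",
    "2026-05-14T08:02:10Z PROXY user=jdoe url=http://t-mobile.mzdglw.top/pay/ status=200",
    "2026-05-14T08:02:41Z PROXY user=iot-gw url=http://175.150.71.143:35692/bin.sh status=200",
    "2026-05-14T08:03:30Z EDR host=WS-17 file=setup.exe sha256=8843a708f2855097f055047fb82be8a98a37b23f19406cea51c884b47aeb73a2",
    "2026-05-14T08:03:55Z EDR host=WS-02 file=empty.bin sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2026-05-14T08:04:12Z PROXY user=asmith url=https://www.example.com/ status=200",
    "2026-05-14T08:05:00Z PROXY user=bkim url=https://login.t-mobile.mzdglw.top/pay/ status=200",
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Alert:
    source: str     # log source token (FW, PROXY, EDR)
    indicator: str  # the indicator value that matched
    label: str      # malware family or campaign plus the feed it came from
    line: str       # the offending log line, kept for the analyst


def parse_kv(line: str) -> dict:
    """Split a key=value log line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def phish_host_match(hostname: str) -> Optional[str]:
    """Return the OpenPhish host that hostname equals or is a subdomain of, else None."""
    for h in PHISH_HOSTS:
        if hostname == h or hostname.endswith("." + h):
            return h
    return None


def scan_line(line: str) -> List[Alert]:
    """Check one log line against every indicator class and return all alerts raised."""
    alerts = []
    fields = parse_kv(line)
    tokens = line.split()
    source = tokens[1] if len(tokens) > 1 else "UNKNOWN"

    # Firewall style: destination IP against the Feodotracker C2 list.
    dst = fields.get("dst", "")
    try:
        ipaddress.ip_address(dst)
    except ValueError:  # missing or malformed address: nothing to compare
        dst = ""
    if dst in C2_IPS:
        alerts.append(Alert(source, dst, f"{C2_IPS[dst]} C2 (Feodotracker)", line))

    # Proxy style: URL host against dropper hosts, C2 IPs and phishing hosts.
    url = fields.get("url")
    if url:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.netloc.lower() in DROPPER_HOSTS:
            alerts.append(Alert(source, parts.netloc, "Mirai dropper (URLhaus)", line))
        elif host in C2_IPS:
            alerts.append(Alert(source, host, f"{C2_IPS[host]} C2 (Feodotracker)", line))
        else:
            hit = phish_host_match(host)
            if hit:
                alerts.append(Alert(source, hit, "Phishing (OpenPhish)", line))

    # EDR style: file hash against the MalwareBazaar samples.
    digest = fields.get("sha256", "").lower()
    if digest in SHA256_HASHES:
        alerts.append(Alert(source, digest, f"{SHA256_HASHES[digest]} sample (MalwareBazaar)", line))
    return alerts


def sweep(lines) -> List[Alert]:
    """Run scan_line over a log stream and collect every alert in order."""
    return [a for line in lines for a in scan_line(line)]


if __name__ == "__main__":
    for a in sweep(SAMPLE_LOGS):
        print(f"[{a.source}] {a.label}: {a.indicator}\n    {a.line}")
```

Running the script against the constructed sample yields five alerts: the QakBot C2 connection, the two T-Mobile phishing requests (the second matched as a subdomain of the listed host), the bin.sh fetch from a URLhaus dropper host, and the QuasarRAT hash on WS-17; the benign DNS, web and file lines produce nothing. Hash and URL matches are exact by design, so this sweep confirms presence of the published indicators rather than detecting new variants; it complements, not replaces, the behavioural QakBot, Emotet, Mirai and QuasarRAT detection rules the summary recommends.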