โ† Back to Dashboard
May 15, 2026

Daily Threat Intelligence Report — 2026-05-14

32 IOCs · 12 TTPs · 12 KQL Queries
Executive Summary

Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed by Feodotracker, with four QakBot C2 servers spanning the US, UK, and Japan indicating an active, geographically distributed campaign. CISA has added five critical vulnerabilities to the KEV catalog — including an authentication bypass in Cisco Catalyst SD-WAN (CVE-2026-20182), an RCE in Palo Alto PAN-OS (CVE-2026-0300), and an RCE in Ivanti EPMM (CVE-2026-6973) — all requiring immediate remediation. MalwareBazaar has identified active Phorpiex-dropped CoinMiner and QuasarRAT samples alongside Mirai ELF binaries, signaling concurrent botnet recruitment and cryptojacking operations. Immediate actions include blocking all five Feodotracker C2 IPs at the perimeter, patching all five CISA KEV vulnerabilities under Emergency Directive 26-03 guidance, and deploying detection rules for QakBot, Emotet, Mirai, and QuasarRAT indicators.

#1

Active QakBot & Emotet C2 Infrastructure — Multi-Region Banking Trojan Campaign

Severity: CRITICAL | Attribution: TA505

Feodotracker has confirmed five active C2 servers associated with QakBot (four nodes: 50.16.16.211 US, 34.204.119.63 US, 178.62.3.223 GB, 27.133.154.218 JP) and Emotet (162.243.103.246 US) as of the last 24 hours. TA505, a financially motivated threat actor historically associated with both QakBot distribution and large-scale spam campaigns, leverages these geographically distributed C2 nodes to evade geo-blocking and maintain resilient command-and-control over compromised endpoints. QakBot is a modular banking trojan capable of credential theft, lateral movement via network worm propagation, and acting as a loader for follow-on ransomware payloads such as Black Basta and Cactus. The simultaneous presence of Emotet C2 infrastructure suggests a potential loader-as-a-service relationship, where Emotet re-infections are used to re-seed QakBot into previously remediated environments.

🔴 Indicators of Compromise
IP 50.16.16.211 QakBot C2 server — US-hosted, Feodotracker confirmed active
IP 34.204.119.63 QakBot C2 server — US-hosted, Feodotracker confirmed active
IP 178.62.3.223 QakBot C2 server — GB-hosted, Feodotracker confirmed active
IP 27.133.154.218 QakBot C2 server — JP-hosted, Feodotracker confirmed active
IP 162.243.103.246 Emotet C2 server — US-hosted, Feodotracker confirmed active
HASH aa261c4c46a0c4ab97d0c8b8f36341a688b8803f46f9da85008410a9a889c858 EXE dropper tagged dropped-by-phorpiex — active dropper chain, MalwareBazaar confirmed
HASH 4ad2df70224af36a98f01733eb396b8d49165a3e979b08af75ce953c30518fde CoinMiner EXE dropped by Phorpiex — secondary payload in active dropper chain
URL http://125.41.226.132:45693/i Active malware download URL — URLhaus confirmed, likely payload staging
URL http://163.142.92.40:48312/i Active malware download URL — URLhaus confirmed, likely payload staging
🟣 MITRE ATT&CK TTPs
T1566.001 Spearphishing Attachment
T1071.001 Application Layer Protocol — Web Protocols C2
T1027 Obfuscated Files or Information
T1078 Valid Accounts
🟢 Hunt Queries
MDE Hunt for C2 Connections to QakBot and Emotet Infrastructure

Detects successful outbound network connections from any device to any of the five Feodotracker-confirmed active C2 servers associated with the QakBot and Emotet campaigns.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218', '162.243.103.246')
| where ActionType == 'ConnectionSuccess'
| project TimeGenerated, DeviceName, LocalIP, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by TimeGenerated desc
MDE Detect Phorpiex-Dropped Malware Execution by Hash

Identifies execution of MalwareBazaar-confirmed Phorpiex-dropped EXE samples including the CoinMiner payload on endpoints.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    'aa261c4c46a0c4ab97d0c8b8f36341a688b8803f46f9da85008410a9a889c858',
    '4ad2df70224af36a98f01733eb396b8d49165a3e979b08af75ce953c30518fde'
)
| project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName
| order by TimeGenerated desc
MDI Detect Lateral Movement Patterns Associated with QakBot Credential Theft

Hunts for anomalous NTLM authentication patterns consistent with QakBot credential harvesting and subsequent lateral movement, a key TA505 post-exploitation TTP.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess'
| where Protocol == 'Ntlm'
| summarize LogonCount=count(), DistinctDevices=dcount(DeviceName) by AccountDisplayName, IPAddress
| where LogonCount > 5 or DistinctDevices > 3
| order by LogonCount desc
SENTINEL Detect Connections to URLhaus-Confirmed QakBot Payload Staging URLs

Identifies outbound HTTP requests to URLhaus-confirmed malware download endpoints used for QakBot and related payload staging.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any (
    '125.41.226.132',
    '163.142.92.40',
    '123.4.137.38',
    '45.234.9.227',
    '85.226.213.123',
    '46.236.172.14',
    '112.248.63.80',
    '175.150.71.143',
    '182.112.29.141',
    '42.235.114.171'
)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, Activity, DeviceVendor
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Block all five Feodotracker C2 IPs (50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218, 162.243.103.246) at perimeter firewall, proxy, and NGFW with deny-all rules for both inbound and outbound traffic.
→ IMMEDIATE: Submit MalwareBazaar hashes aa261c4c46a0c4ab97d0c8b8f36341a688b8803f46f9da85008410a9a889c858 and 4ad2df70224af36a98f01733eb396b8d49165a3e979b08af75ce953c30518fde to EDR/AV platforms for immediate blocking and retrospective scan.
→ IMMEDIATE: Block all ten URLhaus malware download URLs at web proxy and DNS filtering layers — particularly the /bin.sh endpoints (175.150.71.143:35692/bin.sh, 42.235.114.171:34214/bin.sh) which indicate Linux/IoT targeting.
→ SHORT-TERM: Execute all four KQL hunting queries across MDE, MDI, and Sentinel environments and escalate any hits to Tier 2 for immediate investigation.
→ SHORT-TERM: Alert SOC analysts to monitor for beaconing patterns (short-interval repeated connections) to the five C2 IPs — QakBot typically beacons every 3-5 minutes.
→ SHORT-TERM: Conduct a targeted threat hunt for QakBot persistence mechanisms — scheduled tasks, registry run keys, and DLL sideloading — on any endpoint that had network connections to the listed C2 IPs in the past 7 days.
→ LONG-TERM: Ingest all five Feodotracker C2 IPs and ten URLhaus URLs into SIEM threat intelligence feeds and SOAR playbooks for automated blocking and alerting.
→ LONG-TERM: Review and enforce MFA across all VPN, RDP, and email access points to mitigate QakBot credential-theft lateral movement capability.
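The beaconing pattern named in the SHORT-TERM action above (short-interval repeated connections, with QakBot typically checking in every 3-5 minutes) can be scored from exported connection records rather than eyeballed. The Python below is an added example, not part of this report and not vendor tooling: it groups connections by device and remote IP, measures the gaps between consecutive connections, and flags pairs whose median gap sits in a beacon-like window with low jitter. The record layout, the thresholds and the sample records are assumptions constructed for the example; the C2 addresses are the five listed in this report.

```python
"""Beacon-interval scoring over outbound connection records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median, pstdev

# The five Feodotracker-confirmed C2 addresses listed in this report.
C2_IPS = {"50.16.16.211", "34.204.119.63", "178.62.3.223",
          "27.133.154.218", "162.243.103.246"}


def connection_gaps(records):
    """Group records by (device, remote_ip); return the seconds between consecutive connections."""
    by_pair = defaultdict(list)
    for rec in records:
        by_pair[(rec["device"], rec["remote_ip"])].append(rec["ts"])
    gaps = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps[pair] = [(later - earlier).total_seconds()
                      for earlier, later in zip(stamps, stamps[1:])]
    return gaps


def find_beacons(records, min_connections=5, min_interval_s=120,
                 max_interval_s=600, max_jitter_s=30):
    """Flag pairs with enough connections, a beacon-like median gap and low jitter.

    Thresholds are assumptions: a 2-10 minute window brackets the 3-5 minute
    QakBot cadence the report cites and leaves room for retry back-off.
    """
    hits = []
    for (device, remote_ip), gaps in connection_gaps(records).items():
        if len(gaps) + 1 < min_connections:
            continue  # too few observations to call the pattern periodic
        med, jitter = median(gaps), pstdev(gaps)
        if min_interval_s <= med <= max_interval_s and jitter <= max_jitter_s:
            hits.append({"device": device, "remote_ip": remote_ip,
                         "connections": len(gaps) + 1,
                         "median_interval_s": med, "jitter_s": round(jitter, 1),
                         "known_c2": remote_ip in C2_IPS})
    return hits


def _connections(device, remote_ip, start, gaps_s):
    """Build a constructed series of connection records from a start time and a gap list."""
    stamps, ts = [start], start
    for gap in gaps_s:
        ts = ts + timedelta(seconds=gap)
        stamps.append(ts)
    return [{"device": device, "remote_ip": remote_ip, "ts": stamp} for stamp in stamps]


# Constructed sample telemetry: a 4-minute beacon to a listed QakBot C2, an
# irregular browsing pattern to a documentation-range address, and a pair with
# too few connections to judge.
T0 = datetime(2026, 5, 14, 9, 0, 0)
SAMPLE_RECORDS = (
    _connections("WKS-042", "178.62.3.223", T0, [240, 238, 243, 239, 241, 240])
    + _connections("WKS-042", "203.0.113.10", T0, [5, 900, 12, 3000, 60])
    + _connections("SRV-01", "178.62.3.223", T0, [300])
)

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_RECORDS):
        print(hit)
```

Run against a day of DeviceNetworkEvents exported per device, the same scoring surfaces regular check-ins to addresses that are not yet on a feed; the known_c2 flag only decides how urgently a hit is escalated.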
#2

CISA KEV — Five Critical Vulnerabilities Including Unauthenticated Cisco SD-WAN Bypass and PAN-OS RCE Requiring Emergency Patching

Severity: HIGH | Attribution: Unknown threat actor

CISA has added five vulnerabilities to the Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. The most severe is CVE-2026-20182 in Cisco Catalyst SD-WAN, which allows unauthenticated remote attackers to bypass authentication and gain administrative privileges — CISA has issued Emergency Directive 26-03 and dedicated Hunt & Hardening Guidance for this vulnerability. Equally critical is CVE-2026-0300 in Palo Alto PAN-OS, an out-of-bounds write in the User-ID Authentication Portal (Captive Portal) enabling unauthenticated root-level RCE on PA-Series and VM-Series firewalls via specially crafted packets, with patches released by Palo Alto as of May 13, 2026. CVE-2026-6973 in Ivanti EPMM enables authenticated remote code execution by administrators, CVE-2026-42208 in BerriAI LiteLLM exposes SQL injection leading to credential theft from the proxy database, and CVE-2026-31431 in the Linux Kernel allows local privilege escalation — collectively representing a broad attack surface across network infrastructure, mobile device management, AI proxies, and operating systems.

🔴 Indicators of Compromise
CVE CVE-2026-20182 Cisco Catalyst SD-WAN authentication bypass — unauthenticated remote admin privilege escalation — CISA Emergency Directive 26-03 issued
CVE CVE-2026-0300 Palo Alto PAN-OS out-of-bounds write in Captive Portal — unauthenticated root RCE on PA-Series and VM-Series firewalls — patches available as of 2026-05-13
CVE CVE-2026-6973 Ivanti EPMM improper input validation — authenticated admin RCE — apply vendor mitigations immediately
CVE CVE-2026-42208 BerriAI LiteLLM SQL injection — unauthorized database read/write and credential theft from AI proxy
CVE CVE-2026-31431 Linux Kernel incorrect resource transfer — local privilege escalation vulnerability
URL http://www.partnercenter-dataprocessinghub.me/public/index?ref=business-support-center-DASDFDSYUYEE43FJDSHFSDFsetting%25popup%3fclient_id=889943718806-ual26tplnot2ea8b7n5t4p77keo8eb Active phishing URL impersonating Microsoft Partner Center — OpenPhish confirmed, may be used for credential harvesting ahead of exploiting authenticated CVEs
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application
T1078.003 Valid Accounts — Local Accounts
T1505.003 Server Software Component — Web Shell
T1190 SQL Injection — Exploit Public-Facing Application
🟢 Hunt Queries
SENTINEL Detect Anomalous Authentication to Cisco SD-WAN and PAN-OS Management Interfaces — CVE-2026-20182 / CVE-2026-0300

Identifies authentication bypass attempts and unexpected admin logins to Cisco SD-WAN and Palo Alto PAN-OS management interfaces consistent with active exploitation of CISA KEV vulnerabilities.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceVendor in ('Cisco', 'Palo Alto Networks')
| where Activity has_any ('authentication', 'login', 'admin', 'bypass', 'privilege')
| where DeviceAction !in ('Allow', 'permit')
    or (DeviceAction in ('Allow', 'permit') and SourceUserName == '')
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, SourceUserName, Activity, DeviceAction, Message
| order by TimeGenerated desc
MDE Detect Linux Kernel Privilege Escalation — CVE-2026-31431

Hunts for process privilege escalation patterns on Linux endpoints consistent with exploitation of the Linux Kernel incorrect resource transfer vulnerability (CVE-2026-31431).

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where Platform == 'Linux'
// Parent ran unprivileged; flag children that end up as root without going through a
// setuid helper, or that carry exploit-style arguments in their command line.
| where InitiatingProcessAccountName != 'root'
| where (AccountName == 'root' and FileName !in ('sudo', 'su', 'doas', 'pkexec'))
    or (FileName in ('sudo', 'su', 'bash', 'sh', 'python', 'python3', 'perl')
        and ProcessCommandLine has_any ('chmod +s', 'setuid', '/proc/self', 'nsenter', 'unshare', 'clone'))
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by TimeGenerated desc
MDI Detect Credential Access Following Exploitation of Ivanti EPMM — CVE-2026-6973

Identifies anomalous administrative authentication and remote code execution indicators on systems managed by Ivanti EPMM, consistent with exploitation of CVE-2026-6973.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType in ('LogonSuccess', 'LogonFailed')
| where Application has_any ('Ivanti', 'EPMM', 'MobileIron')
| summarize SuccessCount=countif(ActionType=='LogonSuccess'), FailCount=countif(ActionType=='LogonFailed') by AccountDisplayName, IPAddress, Application
| where FailCount > 10 or (SuccessCount > 0 and FailCount > 5)
| order by FailCount desc
SENTINEL Detect Microsoft Partner Center Phishing Infrastructure Connections — OpenPhish

Identifies user connections to confirmed phishing domains impersonating Microsoft Partner Center, which may be used to harvest credentials for subsequent exploitation of authenticated vulnerabilities like CVE-2026-6973.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any (
    'partnercenter-dataprocessinghub.me',
    'coorporationmail20226.iceiy.com',
    'service-blueticks-fb-479843.vercel.app',
    't-mobile.mzdglw.top',
    't-mobile.dfezuc.top',
    'tkshopssvip.com',
    'robiox.com.ps',
    'aicc108-demo.pages.dev',
    'uphold-up.square.site'
)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, SourceUserName, Activity
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: For CVE-2026-20182 — Follow CISA Emergency Directive 26-03 and CISA Hunt & Hardening Guidance for Cisco SD-WAN Devices. Assess all internet-exposed Cisco Catalyst SD-WAN Controller and Manager instances and apply vendor patches immediately or discontinue internet exposure.
→ IMMEDIATE: For CVE-2026-0300 — Apply Palo Alto PAN-OS patches released on 2026-05-13 to all PA-Series and VM-Series firewalls. Until patched, restrict User-ID Authentication Portal (Captive Portal) access to trusted zones only and disable if not operationally required.
→ IMMEDIATE: For CVE-2026-6973 — Apply Ivanti EPMM vendor mitigations. Audit all admin accounts and review recent administrative activity logs for signs of unauthorized RCE.
→ IMMEDIATE: For CVE-2026-42208 — Patch BerriAI LiteLLM per vendor instructions. Immediately rotate all API credentials stored in the LiteLLM proxy database as a precautionary measure even if exploitation is not confirmed.
→ IMMEDIATE: For CVE-2026-31431 — Apply Linux kernel patches per vendor instructions across all Linux endpoints and servers. Prioritize internet-facing Linux systems and those with untrusted local user access.
→ SHORT-TERM: Block all OpenPhish-confirmed phishing domains at DNS filtering and web proxy layers to prevent credential harvesting that could facilitate exploitation of authenticated CVEs.
→ SHORT-TERM: Execute all four KQL detection queries across Sentinel, MDE, and MDI and escalate any alerts to Tier 2 for immediate investigation.
→ SHORT-TERM: Conduct asset inventory of all Cisco SD-WAN, PAN-OS, Ivanti EPMM, LiteLLM, and Linux systems to confirm patching scope and prioritize by internet exposure.
→ LONG-TERM: Establish a 24-hour SLA for patching all future CISA KEV additions. Integrate CISA KEV feed into vulnerability management platform for automated prioritization.
#3

Active Mirai Botnet Recruitment, QuasarRAT Deployment, and Multi-Platform Phishing Campaign Targeting Financial and Gaming Brands

Severity: MEDIUM | Attribution: Unknown threat actor

MalwareBazaar has confirmed two distinct Mirai ELF samples (hashes 79f77aca985555923e0cdf6e466234f40baf6ac5fe7d99ec35eefefaab7ffddd and c90da7fb6b8f73f88bea60206a6f393dc2e1c2e8d7a6cfb3795e7fd4b1a5f93d) alongside a QuasarRAT EXE sample (8843a708f2855097f055047fb82be8a98a37b23f19406cea51c884b47aeb73a2, tagged botnet/c2/trojan) and GCleaner-dropped payloads (fcbe8040b49c48395fd7d4d3d12517f3ed77718536ec3e5f9e20fdde3774b346, 312f74461b96165887d62b7d3ba6000c58976ee2fd38cf5d53c0f546dabc55d5), indicating simultaneous IoT botnet expansion and Windows RAT deployment operations. In parallel, OpenPhish confirms an active multi-brand phishing campaign with 15 live phishing URLs targeting T-Mobile payment portals (t-mobile.mzdglw.top/pay/, t-mobile.dfezuc.top/pay/), Amazon (nazuk-kabra1111.github.io/amazon-clone/), Roblox (roblox.et, robiox.com.ps), Uphold cryptocurrency platform (uphold-up.square.site), and Meta/Facebook business accounts (service-blueticks-fb-479843.vercel.app, customer-sp-alexk.pages.dev). The URLhaus bin.sh download URLs (175.150.71.143:35692/bin.sh, 42.235.114.171:34214/bin.sh) corroborate active Mirai dropper delivery targeting Linux and IoT devices, while GitHub/stamparm maltrail commits show concurrent updates to MagentoCORE skimmer and compromised npm repository tracking lists, indicating e-commerce skimming activity running in parallel.

🔴 Indicators of Compromise
HASH 79f77aca985555923e0cdf6e466234f40baf6ac5fe7d99ec35eefefaab7ffddd Mirai ELF binary — active IoT botnet recruitment sample — MalwareBazaar confirmed
HASH c90da7fb6b8f73f88bea60206a6f393dc2e1c2e8d7a6cfb3795e7fd4b1a5f93d Mirai ELF binary — second distinct Mirai variant — MalwareBazaar confirmed
HASH 8843a708f2855097f055047fb82be8a98a37b23f19406cea51c884b47aeb73a2 QuasarRAT EXE — botnet/c2/trojan tagged — remote access trojan with C2 capability — MalwareBazaar confirmed
HASH fcbe8040b49c48395fd7d4d3d12517f3ed77718536ec3e5f9e20fdde3774b346 EXE dropped by GCleaner (UNIQPREM.file) — malware delivery chain payload — MalwareBazaar confirmed
HASH 312f74461b96165887d62b7d3ba6000c58976ee2fd38cf5d53c0f546dabc55d5 EXE dropped by GCleaner (BB5.file) — malware delivery chain payload — MalwareBazaar confirmed
HASH 47a300898c707806733bd82a1c0b63e47d62a28ceb62e3cc556382dca8d9564a Shell script (sh) sample — potential Mirai/botnet dropper script — MalwareBazaar confirmed
HASH e6029bec551eb856598427cc70bd0686057be780aa16c1a657f4c56a9dd8eb5b Shell script (sh) sample — potential Mirai/botnet dropper script — MalwareBazaar confirmed
URL http://175.150.71.143:35692/bin.sh Active Mirai/botnet dropper shell script delivery URL — URLhaus confirmed malware_download
URL http://42.235.114.171:34214/bin.sh Active Mirai/botnet dropper shell script delivery URL — URLhaus confirmed malware_download
URL http://t-mobile.mzdglw.top/pay/ Active T-Mobile payment phishing page — OpenPhish confirmed
URL https://t-mobile.dfezuc.top/pay/ Active T-Mobile payment phishing page — second domain variant — OpenPhish confirmed
URL http://uphold-up.square.site/ Active Uphold cryptocurrency platform phishing page — OpenPhish confirmed
URL https://nazuk-kabra1111.github.io/amazon-clone/ Active Amazon phishing clone hosted on GitHub Pages — OpenPhish confirmed
URL http://www.service-blueticks-fb-479843.vercel.app/ Active Meta/Facebook business account phishing page — OpenPhish confirmed
URL https://tkshopssvip.com/h5/ Active phishing URL — OpenPhish confirmed
DOMAIN partnercenter-dataprocessinghub.me Active Microsoft Partner Center phishing domain — OpenPhish confirmed
DOMAIN coorporationmail20226.iceiy.com Active corporate email phishing domain — OpenPhish confirmed
🟣 MITRE ATT&CK TTPs
T1498 Network Denial of Service
T1219 Remote Access Software
T1566.002 Spearphishing Link
T1195.002 Supply Chain Compromise — Compromise Software Supply Chain
🟢 Hunt Queries
MDE Detect Mirai ELF and QuasarRAT Sample Execution by Hash

Identifies process execution events on monitored endpoints whose SHA256 matches any of the seven MalwareBazaar-confirmed samples: the two Mirai ELF binaries, the QuasarRAT EXE, the two GCleaner-dropped EXEs, and the two shell-script droppers.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    '79f77aca985555923e0cdf6e466234f40baf6ac5fe7d99ec35eefefaab7ffddd',
    'c90da7fb6b8f73f88bea60206a6f393dc2e1c2e8d7a6cfb3795e7fd4b1a5f93d',
    '8843a708f2855097f055047fb82be8a98a37b23f19406cea51c884b47aeb73a2',
    'fcbe8040b49c48395fd7d4d3d12517f3ed77718536ec3e5f9e20fdde3774b346',
    '312f74461b96165887d62b7d3ba6000c58976ee2fd38cf5d53c0f546dabc55d5',
    '47a300898c707806733bd82a1c0b63e47d62a28ceb62e3cc556382dca8d9564a',
    'e6029bec551eb856598427cc70bd0686057be780aa16c1a657f4c56a9dd8eb5b'
)
| project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
MDE Detect Mirai Dropper Shell Script Downloads from URLhaus Infrastructure

Identifies curl or wget download attempts targeting URLhaus-confirmed Mirai bin.sh delivery endpoints on monitored Linux and Windows endpoints.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName in ('curl', 'wget', 'sh', 'bash', 'curl.exe', 'wget.exe')
| where ProcessCommandLine has_any (
    '175.150.71.143',
    '42.235.114.171',
    '123.4.137.38',
    '45.234.9.227',
    '85.226.213.123',
    '46.236.172.14',
    '112.248.63.80',
    '182.112.29.141'
)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by TimeGenerated desc
SENTINEL Detect Multi-Brand Phishing URL Access — T-Mobile, Amazon, Roblox, Uphold, Meta

Identifies user connections to all 15 OpenPhish-confirmed phishing URLs targeting T-Mobile, Amazon, Roblox, Uphold, Meta/Facebook, and Microsoft Partner Center brands.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any (
    't-mobile.mzdglw.top',
    't-mobile.dfezuc.top',
    'uphold-up.square.site',
    'roblox.et',
    'robiox.com.ps',
    'aicc108-demo.pages.dev',
    'tkshopssvip.com',
    'customer-sp-alexk.pages.dev',
    'partnercenter-dataprocessinghub.me',
    'coorporationmail20226.iceiy.com',
    'service-blueticks-fb-479843.vercel.app',
    'nazuk-kabra1111.github.io'
)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, SourceUserName, Activity, DeviceVendor
| order by TimeGenerated desc
MDE Detect QuasarRAT C2 Beacon Behavior — Outbound TCP on Non-Web Ports from User-Writable Paths

Hunts for QuasarRAT-style C2 beaconing: successful outbound connections on non-web ports from executables launched out of user-writable paths, scoped to process instances whose hash matches the MalwareBazaar-confirmed QuasarRAT sample.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'ConnectionSuccess'
| where InitiatingProcessFolderPath has_any ('AppData', 'Temp', 'ProgramData', 'Users\\Public')
| where RemotePort !in (80, 443, 8080, 8443)
| where InitiatingProcessFileName endswith '.exe'
// Correlate on device AND process id so only connections made by the confirmed
// sample's own process instances are returned, not every process on that device.
| join kind=inner (
    DeviceProcessEvents
    | where TimeGenerated > ago(24h)
    | where SHA256 == '8843a708f2855097f055047fb82be8a98a37b23f19406cea51c884b47aeb73a2'
    | project DeviceId, ProcessId
) on DeviceId, $left.InitiatingProcessId == $right.ProcessId
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Block all 15 OpenPhish-confirmed phishing URLs and their associated domains at DNS filtering, web proxy, and email security gateway layers to prevent credential harvesting across T-Mobile, Amazon, Roblox, Uphold, and Meta brand impersonations.
→ IMMEDIATE: Submit all seven MalwareBazaar hashes (Mirai x2, QuasarRAT x1, GCleaner-dropped x2, shell scripts x2) to EDR/AV platforms for immediate blocking and retrospective environment-wide scan.
→ IMMEDIATE: Block the two URLhaus bin.sh delivery endpoints (175.150.71.143:35692 and 42.235.114.171:34214) at perimeter firewall and proxy to prevent Mirai dropper delivery to Linux and IoT assets.
→ SHORT-TERM: Execute all four KQL detection queries across MDE and Sentinel, and correlate the results. Any QuasarRAT execution or Mirai download hits should be treated as active incidents and escalated immediately.
→ SHORT-TERM: Audit all internet-facing Linux servers and IoT devices for Mirai infection indicators — check for ELF binaries in /tmp, /var/run, or /dev/shm, and inspect network connections for high-volume UDP traffic.
→ SHORT-TERM: Review the GitHub/stamparm maltrail hacked_npmrepos.txt update and cross-reference against all npm packages used in active development and CI/CD pipelines. Flag any matches for immediate dependency removal.
→ SHORT-TERM: For Magento/Adobe Commerce deployments, perform a full JavaScript integrity scan against the updated magentocore.txt list from GitHub/stamparm maltrail to identify active skimmer infections.
→ LONG-TERM: Implement phishing-resistant MFA (FIDO2/hardware keys) for all T-Mobile accounts, cryptocurrency platforms, and social media business accounts to mitigate the impact of phishing credential theft.
→ LONG-TERM: Deploy IoT device management platform to enforce firmware updates, disable Telnet, and change default credentials on all network-connected IoT devices to reduce Mirai recruitment surface.
→ LONG-TERM: Integrate maltrail magentocore.txt and hacked_npmrepos.txt feeds into continuous monitoring for e-commerce and software supply chain threat detection.
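The SHORT-TERM Mirai audit above (ELF binaries in /tmp, /var/run or /dev/shm) can be scripted so it runs identically across a fleet. The Python below is an added example, not the report's or any vendor's tooling: it walks those directories read-only without following symlinks, identifies regular files that begin with the ELF magic, and decodes the header's class, byte order and machine type so that, for instance, an ARM or MIPS binary sitting on an x86 server stands out. The directory list, the output fields and the fixture builder are assumptions made for the example; the fixture writes a constructed 20-byte header followed by zero padding, not a real binary.

```python
"""Read-only audit of staging directories for ELF binaries (added example)."""
import os
import stat
import struct
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# Directories the report names as Mirai drop locations.
DEFAULT_DIRS = ("/tmp", "/var/run", "/dev/shm")
# e_machine values from the ELF specification for architectures common in IoT firmware.
E_MACHINE = {0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
             0x2A: "SuperH", 0x3E: "x86-64", 0xB7: "AArch64"}


def elf_info(path):
    """Return 'ELF32 LE ARM'-style text for an ELF file, or None if the file is not ELF."""
    try:
        with open(path, "rb") as fh:
            hdr = fh.read(20)  # e_ident (16 bytes) + e_type (2) + e_machine (2)
    except OSError:
        return None
    if len(hdr) < 20 or hdr[:4] != ELF_MAGIC:
        return None
    bits = {1: "ELF32", 2: "ELF64"}.get(hdr[4], "ELF?")
    little = hdr[5] == 1  # EI_DATA: 1 = little-endian, 2 = big-endian
    machine = struct.unpack("<H" if little else ">H", hdr[18:20])[0]
    return f"{bits} {'LE' if little else 'BE'} {E_MACHINE.get(machine, hex(machine))}"


def find_elf_files(dirs=DEFAULT_DIRS, max_depth=4):
    """Walk dirs (never following symlinks) and describe every regular file that is ELF."""
    findings = []
    for root_dir in dirs:
        root = Path(root_dir)
        if not root.is_dir():
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            if len(Path(dirpath).relative_to(root).parts) >= max_depth:
                dirnames[:] = []  # stop descending past max_depth
            for name in filenames:
                path = Path(dirpath) / name
                try:
                    st = path.lstat()
                except OSError:
                    continue  # vanished or unreadable; skip rather than abort the audit
                if not stat.S_ISREG(st.st_mode):
                    continue  # sockets, fifos and symlinks are not binaries
                arch = elf_info(path)
                if arch:
                    findings.append({"path": str(path), "arch": arch, "size": st.st_size,
                                     "uid": st.st_uid, "mode": oct(st.st_mode & 0o7777),
                                     "executable": bool(st.st_mode & 0o111)})
    return findings


def build_sample_tree():
    """Constructed fixture: one file with a fake ELF32 little-endian ARM header, one text file."""
    tree = tempfile.mkdtemp(prefix="elf-audit-")
    fake_header = (b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # e_ident: ELF32, LE, v1, SysV
                   + b"\x02\x00"                                   # e_type = ET_EXEC
                   + b"\x28\x00")                                  # e_machine = EM_ARM
    sample = Path(tree) / "fake-arm-sample"
    sample.write_bytes(fake_header + b"\x00" * 44)  # header plus padding; not a runnable binary
    sample.chmod(0o755)
    (Path(tree) / "notes.txt").write_text("plain text, not a binary\n")
    return tree


if __name__ == "__main__":
    for finding in find_elf_files():
        print(finding)
```

Findings whose arch disagrees with the host's own architecture, or whose uid is an unprivileged service account, are the ones to pull first for hashing against the MalwareBazaar samples listed above.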
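Both the item 1 LONG-TERM action (ingest the Feodotracker IPs and URLhaus URLs into SIEM threat intelligence feeds and SOAR playbooks) and the item 3 LONG-TERM action (feed integration for continuous monitoring) come down to turning indicator lines into normalised match sets and running telemetry through them. The Python below is an added example, not the report's or any SIEM vendor's code: it parses lines in the TYPE VALUE description layout the indicator tables in this report use, folds URL hosts into the domain or IP set, lowercases hashes, and matches constructed proxy and EDR records (the record field names are assumptions) using subdomain-aware host comparison. The indicator values are copied from this report; the sample events are constructed.

```python
"""Indicator normalisation and matching for SIEM/SOAR ingestion (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicator lines copied from this report's tables (descriptions shortened).
IOC_LINES = """\
IP 50.16.16.211 QakBot C2 server, Feodotracker confirmed active
IP 162.243.103.246 Emotet C2 server, Feodotracker confirmed active
HASH aa261c4c46a0c4ab97d0c8b8f36341a688b8803f46f9da85008410a9a889c858 EXE dropper tagged dropped-by-phorpiex
HASH 8843a708f2855097f055047fb82be8a98a37b23f19406cea51c884b47aeb73a2 QuasarRAT EXE
URL http://175.150.71.143:35692/bin.sh Active Mirai/botnet dropper shell script delivery URL
URL http://t-mobile.mzdglw.top/pay/ Active T-Mobile payment phishing page
DOMAIN partnercenter-dataprocessinghub.me Active Microsoft Partner Center phishing domain
"""

SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def parse_iocs(text):
    """Parse 'TYPE VALUE description' lines into normalised sets keyed by indicator class."""
    iocs = {"ip": set(), "sha256": set(), "host": set(), "url": set()}
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        kind, value = parts[0].upper(), parts[1].strip()
        if kind == "IP":
            iocs["ip"].add(str(ipaddress.ip_address(value)))  # validates and canonicalises
        elif kind == "HASH" and SHA256_RE.fullmatch(value):
            iocs["sha256"].add(value.lower())
        elif kind == "DOMAIN":
            iocs["host"].add(value.lower().rstrip("."))
        elif kind == "URL":
            iocs["url"].add(value)
            host = (urlsplit(value).hostname or "").lower()
            if not host:
                continue
            try:
                iocs["ip"].add(str(ipaddress.ip_address(host)))  # IP-literal URL: match on the address
            except ValueError:
                iocs["host"].add(host)
    return iocs


def _host_matches(host, iocs):
    """Exact or subdomain match against indicator hostnames; IP literals against the IP set."""
    if not host:
        return False
    try:
        return str(ipaddress.ip_address(host)) in iocs["ip"]
    except ValueError:
        pass
    return any(host == h or host.endswith("." + h) for h in iocs["host"])


def match_event(event, iocs):
    """Return the reasons an event matches; an empty list means no indicator hit.

    Event keys (url, remote_ip, sha256) are assumed names for a proxy log line,
    a network event and an EDR process event respectively.
    """
    reasons = []
    if "url" in event:
        host = (urlsplit(event["url"]).hostname or "").lower()
        if _host_matches(host, iocs):
            reasons.append(f"destination host {host} is a listed indicator")
    if "remote_ip" in event and event["remote_ip"] in iocs["ip"]:
        reasons.append(f"remote IP {event['remote_ip']} is a listed C2/staging address")
    if "sha256" in event and event["sha256"].lower() in iocs["sha256"]:
        reasons.append(f"file hash {event['sha256'].lower()[:12]}... is a listed sample")
    return reasons


def scan(events, iocs):
    """Return (event, reasons) for every event that hits at least one indicator."""
    return [(e, r) for e in events if (r := match_event(e, iocs))]


# Constructed sample telemetry mixing hits and benign records.
SAMPLE_EVENTS = [
    {"device": "WKS-01", "url": "http://175.150.71.143:35692/bin.sh"},               # IP-literal staging URL
    {"device": "WKS-02", "url": "https://login.t-mobile.mzdglw.top/pay/index.php"},  # subdomain of phishing host
    {"device": "WKS-03", "url": "https://example.com/"},                              # benign
    {"device": "SRV-01", "remote_ip": "162.243.103.246"},                             # Emotet C2 connection
    {"device": "WKS-04", "sha256": "AA261C4C46A0C4AB97D0C8B8F36341A688B8803F46F9DA85008410A9A889C858"},  # uppercase hash
    {"device": "WKS-05", "sha256": "0" * 64},                                          # benign
]

if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_EVENTS, parse_iocs(IOC_LINES)):
        print(event["device"], "->", "; ".join(reasons))
```

The same parse_iocs output can be exported as a watchlist for Sentinel or an indicator list for MDE; the subdomain-aware comparison matters because phishing kits routinely front a listed domain with a new hostname label.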