Daily Threat Intelligence Report - 2025-07-14
Today's threat landscape is dominated by active QakBot and Emotet C2 infrastructure confirmed across four IPs by Feodotracker, alongside five CISA Known Exploited Vulnerabilities including critical flaws in Cisco Catalyst SD-WAN (CVE-2026-20182) and Palo Alto Networks PAN-OS (CVE-2026-0300) requiring immediate patching. MalwareBazaar has surfaced fresh samples of AsyncRAT, Mirai, Efimer (via ClickFix), ACRStealer-dropped payloads, and RemusStealer, indicating broad multi-vector campaigns. AlienVault OTX reports active weaponization of CVE-2026-39987 in the marimo Python notebook platform, with threat actors deploying blockchain botnet malware via HuggingFace within 72 hours of disclosure. SOC teams should immediately block all Feodotracker C2 IPs, prioritize patching of all five CISA KEV items, and hunt for ClickFix/Efimer and stealer activity across endpoints.
Active QakBot and Emotet C2 Infrastructure Enabling Banking Trojan and Ransomware Staging
Severity: CRITICAL | Actor: TA505
Feodotracker has confirmed four active QakBot C2 servers (50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) and one active Emotet C2 server (162.243.103.246) in the past 24 hours, spanning infrastructure in the United States, United Kingdom, and Japan. QakBot and Emotet have historically been used by initial access brokers to establish persistent footholds, harvest credentials, and stage follow-on ransomware deployment. The geographic spread of this C2 infrastructure, including US-hosted cloud IPs and Japan- and UK-based nodes, is consistent with the operators' known practice of using compromised hosts and bulletproof hosting to evade geo-based blocking. Any outbound connection to these IPs from enterprise endpoints should be treated as an active compromise indicator requiring immediate isolation and forensic investigation. Because cloud-hosted C2 addresses are recycled quickly, scope retrospective sweeps to the Feodotracker first-seen/last-seen window for each IP and confirm each hit with process and DNS context before escalating.
Multi-Platform Infostealer Campaign: ACRStealer, RemusStealer, AsyncRAT and ClickFix/Efimer Dropper Active in the Wild
Severity: HIGH | Actor: Unknown
MalwareBazaar has confirmed fresh samples of at least five distinct malware families in the past 24 hours: AsyncRAT (hash: 99a421fac33b31425094f8874c11fcd9e6554d0fd334fc8042b0f407ba94b73a), two payloads dropped by ACRStealer (hashes: f8b4ce3547fef0d31d0d99d88bb1629d16ca46e80f035b3138200df4eda386c9 and 64dbbc8add8bae30fa577e3dd9316aa36abd69470e3797610b2fcae1087a7970), a signed RemusStealer executable (641950ea3ee0b3803d0f68ce122ad9cae479b1e0584208d985ce450e91b275e6), and an Efimer payload delivered via the ClickFix social engineering technique (cd6442b44b13c97c76a54be9a98bc55de867b512c20ac7343e7dcb75ff241be9). Additionally, an Amadey-dropped executable (5940c41ab003399680a04d726587eed242e4ad8969abe4b5617d712ff190a852) indicates this campaign uses the Amadey loader as a malware-as-a-service distribution platform. The combination of signed binaries (RemusStealer), ClickFix social engineering (Efimer), and PowerShell-based second-stage payloads (the two .ps1 hashes) represents a mature, multi-vector operation targeting credential stores, browser data, and cryptocurrency wallets across enterprise and consumer environments. Note that a valid code signature on the RemusStealer binary means signature-based allow-listing alone will not stop it; hunt on the hash and on the post-execution behaviour (credential store and browser profile access) instead. OpenPhish has also confirmed active Microsoft 365 and Outlook phishing infrastructure (microsoft365xx1.iceiy.com, ws0utlouk365servic.iceiy.com) that likely serves as an initial delivery vector for these stealers.
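The two hunts recommended above (outbound connections to the Feodotracker C2 IPs, and the MalwareBazaar hashes and OpenPhish hosts on endpoints and in DNS) can be run as a single IOC sweep. The script below is an added example written for this report; it is not Feodotracker, MalwareBazaar or OpenPhish tooling, and the firewall, EDR and DNS log lines it scans are constructed for the demonstration. It lowercases hashes before comparison (EDR products emit mixed case), validates IPv4 candidates so malformed octets do not produce false matches, and treats any subdomain of a listed phishing host as a hit.

```python
"""IOC sweep over constructed log samples: C2 IPs, SHA-256 hashes and
phishing hosts from the report above.  Added example, not vendor tooling."""
import ipaddress
import re
from dataclasses import dataclass

# Indicators copied from the report.
C2_IPS = {
    "50.16.16.211": "QakBot C2", "34.204.119.63": "QakBot C2",
    "178.62.3.223": "QakBot C2", "27.133.154.218": "QakBot C2",
    "162.243.103.246": "Emotet C2",
}
MALWARE_HASHES = {
    "99a421fac33b31425094f8874c11fcd9e6554d0fd334fc8042b0f407ba94b73a": "AsyncRAT",
    "f8b4ce3547fef0d31d0d99d88bb1629d16ca46e80f035b3138200df4eda386c9": "ACRStealer payload",
    "64dbbc8add8bae30fa577e3dd9316aa36abd69470e3797610b2fcae1087a7970": "ACRStealer payload",
    "641950ea3ee0b3803d0f68ce122ad9cae479b1e0584208d985ce450e91b275e6": "RemusStealer (signed)",
    "cd6442b44b13c97c76a54be9a98bc55de867b512c20ac7343e7dcb75ff241be9": "Efimer (ClickFix)",
    "5940c41ab003399680a04d726587eed242e4ad8969abe4b5617d712ff190a852": "Amadey-dropped",
}
PHISHING_HOSTS = {
    "microsoft365xx1.iceiy.com": "M365 phishing",
    "ws0utlouk365servic.iceiy.com": "Outlook phishing",
}

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


@dataclass(frozen=True)
class Alert:
    source: str     # which log the hit came from
    indicator: str  # the IOC that matched
    label: str      # what the report says the IOC is
    line: str       # the offending log line


def phishing_label(host):
    """Exact match or subdomain of a listed phishing host (host already lowercased)."""
    for ioc, label in PHISHING_HOSTS.items():
        if host == ioc or host.endswith("." + ioc):
            return label
    return None


def match_line(source, line):
    """Return every IOC hit in one log line, in order of appearance."""
    hits = []
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.ip_address(ip)  # reject octets > 255 that the regex lets through
        except ValueError:
            continue
        if ip in C2_IPS:
            hits.append(Alert(source, ip, C2_IPS[ip], line))
    for digest in SHA256_RE.findall(line):
        digest = digest.lower()  # EDR output is often upper-case; IOC list is lower-case
        if digest in MALWARE_HASHES:
            hits.append(Alert(source, digest, MALWARE_HASHES[digest], line))
    for host in HOST_RE.findall(line):
        label = phishing_label(host.lower().rstrip("."))
        if label:
            hits.append(Alert(source, host.lower(), label, line))
    return hits


def sweep(logs):
    """logs: {source_name: [line, ...]} -> de-duplicated list of Alerts."""
    seen, alerts = set(), []
    for source, lines in logs.items():
        for line in lines:
            for alert in match_line(source, line):
                if alert not in seen:
                    seen.add(alert)
                    alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs); hostnames and internal IPs are invented.
SAMPLE_LOGS = {
    "firewall": [
        "2025-07-14T09:12:03Z allow src=10.20.4.17 dst=178.62.3.223 dport=443 proto=tcp",
        "2025-07-14T09:12:05Z allow src=10.20.4.17 dst=142.250.74.78 dport=443 proto=tcp",
        "2025-07-14T09:14:41Z allow src=10.20.9.3 dst=162.243.103.246 dport=8080 proto=tcp",
    ],
    "edr": [
        "host=WS-0412 event=process_create image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe "
        "sha256=641950EA3EE0B3803D0F68CE122AD9CAE479B1E0584208D985CE450E91B275E6 signed=true",
        "host=WS-0412 event=process_create image=C:\\Windows\\System32\\svchost.exe "
        "sha256=4b5d7a0b7e2f9c6a1d3e5f7a9b1c3d5e7f9a1b3c5d7e9f1a3b5c7d9e1f3a5b7c signed=true",
    ],
    "dns": [
        "2025-07-14T09:10:58Z client=10.20.4.17 query=login.ws0utlouk365servic.iceiy.com type=A",
        "2025-07-14T09:11:02Z client=10.20.4.17 query=outlook.office365.com type=A",
    ],
}

if __name__ == "__main__":
    for a in sweep(SAMPLE_LOGS):
        print(f"[{a.source}] {a.label}: {a.indicator}")
```

On the sample data the sweep raises four alerts: one QakBot and one Emotet C2 connection from the firewall log, the signed RemusStealer binary from the EDR hash (matched despite the upper-case digest), and a lookup of a subdomain of the Outlook phishing host from DNS. In production, feed it the raw exports from your proxy, EDR and resolver and pivot on the source host of every hit, since a single C2 connection and a credential-phishing lookup from the same client (10.20.4.17 here) is exactly the delivery-then-stealer chain the report describes.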
Critical CISA KEV Vulnerabilities: Cisco SD-WAN Auth Bypass, PAN-OS RCE, Ivanti EPMM RCE, Exchange XSS and LiteLLM SQLi Require Immediate Remediation
Severity: MEDIUM | Actor: Unknown
CISA has added five vulnerabilities to the Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. The most critical are CVE-2026-20182 (Cisco Catalyst SD-WAN authentication bypass allowing unauthenticated remote attackers to gain administrative privileges) and CVE-2026-0300 (Palo Alto Networks PAN-OS out-of-bounds write in the User-ID Authentication Portal enabling unauthenticated root-level RCE on PA-Series and VM-Series firewalls). CVE-2026-6973 in Ivanti EPMM enables authenticated remote code execution by administrative users, a significant risk given prior Ivanti EPMM exploitation by nation-state actors. CVE-2026-42897 (Microsoft Exchange Server XSS in Outlook Web Access) and CVE-2026-42208 (BerriAI LiteLLM SQL injection exposing proxy credentials) round out a broad attack surface across network, endpoint management, and AI infrastructure. CISA has issued Emergency Directive 26-03 specifically for the Cisco SD-WAN vulnerability, elevating its urgency. AlienVault OTX further corroborates rapid exploitation patterns, with CVE-2026-39987 (marimo Python notebook RCE) being weaponized within 72 hours of disclosure for blockchain botnet deployment via HuggingFace.