Daily Threat Intelligence Report - 2025-05-14
Today's threat landscape is dominated by active QakBot and Emotet C2 infrastructure confirmed by Feodotracker on US, UK and Japanese nodes, alongside a Mirai/Gafgyt IoT botnet campaign corroborated by six ELF samples on MalwareBazaar and an active OTX pulse tracking the Nexcorium variant. CISA has added five critical vulnerabilities to the KEV catalog, including a Cisco Catalyst SD-WAN authentication bypass (CVE-2026-20182) and a Palo Alto PAN-OS out-of-bounds write (CVE-2026-0300); both enable unauthenticated remote compromise and require immediate patching or, where a patch cannot yet be applied, the vendor workaround. Apple credential-harvesting phishing infrastructure is active on multiple OpenPhish-confirmed domains impersonating Apple's Find My service, and NanoCore RAT samples are circulating via MalwareBazaar. SOC teams should block the Feodotracker C2 IPs at the perimeter and proxy, hunt historical logs for earlier connections to them, prioritise the CISA KEV patches, and push the NanoCore and Mirai sample hashes to EDR for blocking.
QakBot and Emotet Multi-Region C2 Infrastructure Actively Serving Malware (Feodotracker Confirmed)
Severity: CRITICAL. Threat actor: TA505.
Feodotracker has confirmed five C2 servers active within the last 24 hours: one Emotet node in the United States (162.243.103.246) and four QakBot nodes in the United States (50.16.16.211, 34.204.119.63), the United Kingdom (178.62.3.223) and Japan (27.133.154.218). QakBot C2 nodes spread across North America, Europe and Asia are consistent with infrastructure deliberately distributed to survive regional takedown operations. The TA505 attribution is an inference from that group's history of using commodity loaders as ransomware precursors rather than from anything specific to these nodes; Emotet and QakBot are each run by their own operators, so treat the actor label as tentative and the IPs as the actionable part of this item. Any outbound connection from an enterprise endpoint to these addresses, whether the firewall allowed or denied it, should be treated as an active compromise indicator and triaged immediately, since both families are loaders for ransomware payloads. Block the exact addresses only: they are most likely on shared cloud or VPS hosting, and blocking the enclosing netblocks will break legitimate traffic.
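The hunt described above, as an added example rather than tooling from the report or from abuse.ch: it matches outbound connections in a firewall export against the five C2 addresses quoted in this item, keeps denied connections because a blocked beacon still identifies an infected host, and emits host-only blocklist entries. The log format ("timestamp src dst dport action") and the log lines are constructed for the example.

```python
"""IOC match: find internal hosts that contacted the Feodo Tracker C2 IPs.

Added example, not part of the report's tooling. The five addresses are the
ones quoted in the report; the log lines are constructed in an assumed
"timestamp src dst dport action" format, not a real vendor export.
"""
import ipaddress
import re

# C2 addresses from the report, keyed to the family Feodo Tracker assigns.
FEODO_C2 = {
    "162.243.103.246": "Emotet",
    "50.16.16.211": "QakBot",
    "34.204.119.63": "QakBot",
    "178.62.3.223": "QakBot",
    "27.133.154.218": "QakBot",
}

# Constructed sample firewall log (assumed format: ts src dst dport action).
SAMPLE_LOG = """\
2025-05-14T08:01:02Z 10.20.5.17 142.250.72.14 443 allow
2025-05-14T08:01:09Z 10.20.5.17 178.62.3.223 443 allow
2025-05-14T08:02:44Z 10.20.9.3 50.16.16.211 2222 allow
2025-05-14T08:03:10Z 10.20.9.3 50.16.16.211 2222 deny
2025-05-14T08:05:31Z 10.20.7.8 27.133.154.218 443 allow
2025-05-14T08:06:00Z 10.20.7.8 8.8.8.8 53 allow
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(allow|deny)$")


def parse_line(line):
    """Parse one log line; return None for malformed lines or bad IPs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, action = m.groups()
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}


def find_c2_contacts(log_text, c2=FEODO_C2):
    """One record per (internal host, C2 IP) pair, ordered by first sighting.

    Denied connections are reported too: a beacon the firewall blocked still
    means the host is infected and needs triage, not just a rule.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in c2:
            continue
        key = (rec["src"], rec["dst"])
        h = hits.setdefault(key, {
            "src": rec["src"], "c2": rec["dst"], "family": c2[rec["dst"]],
            "first_seen": rec["ts"], "attempts": 0, "allowed": 0, "ports": set(),
        })
        h["attempts"] += 1
        if rec["action"] == "allow":
            h["allowed"] += 1
        h["ports"].add(rec["dport"])
    return sorted(hits.values(), key=lambda h: h["first_seen"])


def blocklist(c2=FEODO_C2):
    """Exact host entries only; never widen to the enclosing netblock."""
    return [f"{ip}/32" for ip in sorted(c2, key=ipaddress.ip_address)]


if __name__ == "__main__":
    for h in find_c2_contacts(SAMPLE_LOG):
        print(f"{h['src']} -> {h['c2']} ({h['family']}) first {h['first_seen']}, "
              f"{h['attempts']} attempts, {h['allowed']} allowed, ports {sorted(h['ports'])}")
    print("block:", " ".join(blocklist()))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents and adjusting LINE_RE to the vendor's column order; the per-pair record (first sighting, attempt count, how many were allowed) is what the triage ticket needs, since a host with several allowed connections has almost certainly already fetched a second-stage payload.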
Mirai/Gafgyt IoT Botnet Campaign: Nexcorium Variant Actively Building DDoS Infrastructure (Nexus Team)
Severity: HIGH. Threat actor: unknown (OTX attributes the Nexcorium variant to Nexus Team).
MalwareBazaar has surfaced six new ELF binaries in the last 24 hours tagged as Mirai and Gafgyt variants, including samples tagged as having Hajime cross-infection capability and UPX-packed payloads. UPX packing does not by itself defeat hash matching, since a packed file still has a stable hash; what it defeats is static string and signature matching, and because operators repack every build, each new sample arrives with a fresh hash, so hash blocklists lag the campaign. AlienVault OTX independently corroborates this activity with a pulse tracking 'Nexcorium', a multi-architecture Mirai variant attributed to Nexus Team that exploits CVE-2024-3721 in TBK DVR devices to conscript them into a DDoS botnet. URLhaus is simultaneously listing active download URLs serving shell scripts (bin.sh) and ELF binaries from multiple IPs in Asian ranges, which matches the usual IoT infection chain: the script is fetched onto the device, downloads the binary built for its CPU architecture, and executes it. Organizations with internet-exposed DVRs, routers or Linux-based IoT devices should treat this as an active threat and enumerate those assets immediately; patch CVE-2024-3721 where the vendor provides a fix and, where it does not, remove the device from direct internet exposure.
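A triage step for the multi-architecture drops described above, as an added example and not tooling from MalwareBazaar or the report: it reads the ELF identification bytes and e_machine to sort samples by CPU target and endianness, scans for the "UPX!" marker that stock UPX leaves in packed files, and computes the SHA-256 that would be pushed to EDR. The sample bytes are constructed headers, not real binaries, and the marker check is a heuristic: operators sometimes strip or rename it, so its absence does not prove a file is unpacked.

```python
"""Triage ELF samples: target architecture, endianness and UPX marker.

Added example, not tooling from the report or from abuse.ch. It reads only
the ELF identification bytes and e_machine, and scans for the "UPX!" marker
that stock UPX leaves in packed files. Operators sometimes strip or rename
that marker, so its absence is not proof the file is unpacked. The sample
bytes below are constructed headers, not real malware.
"""
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values (ELF spec) for the CPUs Mirai-family builds commonly target.
E_MACHINE = {
    0x03: "x86", 0x08: "mips", 0x14: "ppc", 0x28: "arm",
    0x2A: "superh", 0x3E: "x86-64", 0xB7: "aarch64",
}


def make_elf(e_machine, little_endian=True, bits=32, body=b""):
    """Build a constructed minimal ELF header for testing (not a runnable program)."""
    ei_class = 1 if bits == 32 else 2      # ELFCLASS32 / ELFCLASS64
    ei_data = 1 if little_endian else 2    # ELFDATA2LSB / ELFDATA2MSB
    endian = "<" if little_endian else ">"
    e_ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    header = e_ident + struct.pack(endian + "HH", 2, e_machine)  # e_type=ET_EXEC
    header = header.ljust(52 if bits == 32 else 64, b"\x00")
    return header + body


def triage_elf(data):
    """Return arch/bits/endianness/packing/sha256 for one sample, or raise."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # e_machine sits at offset 18: after the 16-byte e_ident and 2-byte e_type.
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)
    return {
        "arch": E_MACHINE.get(e_machine, f"unknown(0x{e_machine:02x})"),
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "upx_marker": b"UPX!" in data,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage_all(samples):
    """Map sample name -> triage result; non-ELF inputs get an error entry."""
    out = {}
    for name, data in samples.items():
        try:
            out[name] = triage_elf(data)
        except ValueError as exc:
            out[name] = {"error": str(exc)}
    return out


# Constructed samples mimicking a multi-architecture drop (not real binaries).
SAMPLES = {
    "bot.arm": make_elf(0x28, body=b"\x00" * 40 + b"UPX!" + b"\x00" * 20),
    "bot.mips": make_elf(0x08, little_endian=False),
    "bot.x86_64": make_elf(0x3E, bits=64),
    "bin.sh": b"#!/bin/sh\ncd /tmp\n",
}

if __name__ == "__main__":
    for name, result in triage_all(SAMPLES).items():
        print(name, result)
```

Point it at a directory of downloaded samples by reading each file into SAMPLES; big-endian MIPS and little-endian ARM builds side by side in one drop are the signature of a Mirai-style multi-architecture campaign, and the SHA-256 of each unpacked and packed variant should go to EDR separately, since they will never collide.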
Multi-Vector Phishing Campaign Targeting Apple Credentials and NanoCore RAT Distribution (OpenPhish and MalwareBazaar Confirmed)
Severity: MEDIUM. Threat actor: unknown.
OpenPhish has confirmed an active Apple credential-harvesting campaign across multiple lookalike domains impersonating Apple's Find My service, including fndmy-support.com, apple-photos.sa.com and several .wasmer.app subdomains, with phishing URLs structured to mimic Apple's authentication flow. The .wasmer.app cases are subdomains on a hosting platform rather than attacker-registered domains, so block the specific subdomains and not the parent. Separately, MalwareBazaar has surfaced two NanoCore RAT EXE samples in the last 24 hours, indicating ongoing RAT distribution against Windows endpoints for remote access and credential theft. Nothing in the sources links the Apple phishing to the NanoCore samples; both are most likely independent commodity campaigns, but each provides initial access that can end in account takeover, credential resale or a foothold for further intrusion. DPD parcel-delivery phishing domains (dpdloco*.top) are also active in five variants, pointing to a concurrent smishing or phishing wave aimed at consumers that can reach the enterprise through compromised personal devices and reused credentials.
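A lookalike check for the domains in this item, as an added example and not OpenPhish's logic: it reduces each hostname to its registrable part using a small inline suffix list (not a full public-suffix parser), skips an allowlist of legitimate brand domains, and flags labels that start with a brand token or sit within one edit of a longer token, which is what catches the dropped letter in fndmy. The brand tokens, allowlist and suffix list are constructed; of the hostnames, the first two are quoted in the report, dpdloco1.top stands in for the dpdloco*.top pattern, the .wasmer.app tenant name is assumed, and the remaining hosts are benign controls, one of them chosen to show a substring false positive the prefix rule avoids.

```python
"""Flag brand-lookalike hostnames (Apple / Find My and DPD impersonation).

Added example, not OpenPhish's logic. The brand tokens, allowlist and suffix
list are constructed and deliberately small; fndmy-support.com and
apple-photos.sa.com are quoted in the report, dpdloco1.top stands in for the
dpdloco*.top pattern, the .wasmer.app tenant name is assumed, and the rest
are benign controls.
"""
import re

BRANDS = {
    "apple": ("apple", "icloud", "findmy", "itunes"),
    "dpd": ("dpd",),
}
ALLOWLIST = {"apple.com", "icloud.com", "dpd.com", "dpd.co.uk"}
# Assumed multi-label suffixes under which unrelated parties register names.
MULTI_LABEL_SUFFIXES = {"co.uk", "sa.com", "wasmer.app"}


def registrable(host):
    """Registrable domain using the small suffix list above (not a full PSL)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch dropped-letter typos like fndmy."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_host(host):
    """Return a finding dict for an impersonation candidate, else None."""
    reg = registrable(host)
    if reg in ALLOWLIST:
        return None
    labels = [part for part in re.split(r"[.-]", host.lower()) if part]
    for brand, tokens in BRANDS.items():
        for label in labels:
            for tok in tokens:
                # Prefix match covers "apple-photos", "applesupport", "dpdloco1".
                # A bare substring test would also hit "pineapple", so the
                # token must start the label.
                if label.startswith(tok):
                    return {"host": host, "registrable": reg, "brand": brand,
                            "reason": f"label '{label}' starts with '{tok}'"}
                # Fuzzy match for longer tokens only: "fndmy" vs "findmy".
                if len(label) >= 5 and len(tok) >= 5 and edit_distance(label, tok) <= 1:
                    return {"host": host, "registrable": reg, "brand": brand,
                            "reason": f"label '{label}' within 1 edit of '{tok}'"}
    return None


def find_lookalikes(hosts):
    """Findings for every host that trips the heuristic, in input order."""
    return [f for f in (check_host(h) for h in hosts) if f]


HOSTS = [
    "fndmy-support.com",               # from the report
    "apple-photos.sa.com",             # from the report
    "login.applesupport.wasmer.app",   # assumed tenant name on .wasmer.app
    "dpdloco1.top",                    # stands in for dpdloco*.top
    "www.apple.com",                   # benign, allowlisted
    "dpd.co.uk",                       # benign, allowlisted multi-label suffix
    "pineapple-recipes.com",           # benign: 'apple' substring, not a prefix
]

if __name__ == "__main__":
    for f in find_lookalikes(HOSTS):
        print(f"{f['host']:32} {f['brand']:6} {f['reason']}")
```

Feed it newly observed hostnames from DNS or proxy logs; the registrable-domain step matters for the .wasmer.app and sa.com cases, because a block or takedown request has to name the tenant or registrant's domain, not the shared parent. The prefix rule is a deliberate trade-off: it misses a brand token buried mid-label, but keeps ordinary words such as "pineapple" out of the queue.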