May 18, 2026

Daily Threat Intelligence Report — 2025-05-14

32 IOCs | 11 TTPs | 12 KQL Queries
Executive Summary

Today's threat landscape is dominated by active QakBot and Emotet C2 infrastructure confirmed by Feodotracker across US, UK, and Japanese nodes, alongside a significant Mirai/Gafgyt IoT botnet campaign corroborated by six ELF samples on MalwareBazaar and an active OTX pulse tracking the Nexcorium variant. CISA has added five critical vulnerabilities to the KEV catalog — including a Cisco Catalyst SD-WAN authentication bypass (CVE-2026-20182) and a Palo Alto PAN-OS out-of-bounds write (CVE-2026-0300) — both of which enable unauthenticated remote compromise and require immediate patching or workaround implementation. Apple credential harvesting phishing infrastructure is active across multiple OpenPhish-confirmed domains impersonating Apple Find My services, and NanoCore RAT samples are circulating via MalwareBazaar. SOC teams should immediately block all Feodotracker C2 IPs, apply CISA KEV patches on priority, and push NanoCore and Mirai hashes to EDR for blocking.

#1

QakBot and Emotet Multi-Region C2 Infrastructure Actively Serving Malware — Feodotracker Confirmed

CRITICAL TA505

Feodotracker has confirmed five active C2 servers operational within the last 24 hours: one Emotet node hosted in the United States (162.243.103.246) and four QakBot nodes spanning the United States (50.16.16.211, 34.204.119.63), United Kingdom (178.62.3.223), and Japan (27.133.154.218). The geographic distribution of QakBot C2 nodes across three continents indicates a resilient, globally distributed botnet infrastructure designed to survive regional takedown operations. TA505, a financially motivated threat group historically associated with distributing both Emotet and QakBot as precursors to ransomware deployment, aligns with this multi-region operational pattern. Any outbound connections from enterprise endpoints to these IPs should be treated as active compromise indicators and triaged immediately, as both malware families are known loaders for ransomware payloads.

🔴 Indicators of Compromise
IP 162.243.103.246 Emotet C2 server hosted in the United States — Feodotracker confirmed active
IP 50.16.16.211 QakBot C2 server hosted in the United States — Feodotracker confirmed active
IP 34.204.119.63 QakBot C2 server hosted in the United States — Feodotracker confirmed active
IP 178.62.3.223 QakBot C2 server hosted in the United Kingdom — Feodotracker confirmed active
IP 27.133.154.218 QakBot C2 server hosted in Japan — Feodotracker confirmed active
URL https://subfossil-oak-chronology.garden/e80cc5ae-8ac0-44dc-ac72-12224eedc7d8/google.cl Active malware download URL — URLhaus confirmed, likely used as dropper staging for loader malware
🟣 MITRE ATT&CK TTPs
T1566.001 Spearphishing Attachment
T1071.001 Application Layer Protocol: Web Protocols
T1105 Ingress Tool Transfer
T1486 Data Encrypted for Impact
🟢 Hunt Queries
MDE Hunt for C2 connections to QakBot and Emotet infrastructure

Detects outbound connections to all five Feodotracker-confirmed active QakBot and Emotet C2 servers from any device in the environment.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| where ActionType == 'ConnectionSuccess'
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by TimeGenerated desc
MDE Detect beaconing patterns to QakBot/Emotet C2 infrastructure

Flags devices making repeated connections (more than three in 24 hours) to any of the five C2 IPs, broken down by initiating process; connection frequency is a first-pass proxy for the periodic beaconing that is a hallmark of QakBot and Emotet.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| summarize ConnectionCount=count(), Ports=make_set(RemotePort), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by DeviceName, RemoteIP, InitiatingProcessFileName
| where ConnectionCount > 3
| order by ConnectionCount desc
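The count-based query above cannot tell a scripted timer from a burst of unrelated connections. The following added example (not a query from the report) measures the regularity of the gaps between successive connections per device, process and C2 IP; it assumes the same MDE DeviceNetworkEvents schema used above, and the thresholds (at least four gaps, jitter below 0.25) are assumptions to tune per environment.

```kql
// Added example, not a query from the report: interval-based beaconing check for the five
// Feodotracker-confirmed C2 IPs. Instead of only counting connections, it measures how
// regular the gaps between successive connections are per device/process/C2 pair;
// timer-driven implants produce near-constant gaps (low coefficient of variation).
// Assumes the standard MDE DeviceNetworkEvents schema; thresholds are assumptions to tune.
let c2_ips = dynamic(['162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218']);
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'ConnectionSuccess'
| where RemoteIP in (c2_ips)
| project TimeGenerated, DeviceName, RemoteIP, InitiatingProcessFileName
| extend GroupKey = strcat(DeviceName, '|', InitiatingProcessFileName, '|', RemoteIP)
// sort serializes the rows, so prev() can read the previous connection of the same group
| sort by GroupKey asc, TimeGenerated asc
| extend PrevTime = prev(TimeGenerated), PrevKey = prev(GroupKey)
| where PrevKey == GroupKey
| extend GapSec = datetime_diff('second', TimeGenerated, PrevTime)
| summarize Gaps = count(),
            MeanGapSec = avg(GapSec),
            StdevGapSec = stdev(GapSec),
            FirstSeen = min(PrevTime),
            LastSeen = max(TimeGenerated)
    by DeviceName, InitiatingProcessFileName, RemoteIP
// coefficient of variation of the gaps: close to 0 means the connections fire on a fixed timer
| extend Jitter = iff(MeanGapSec > 0, StdevGapSec / MeanGapSec, real(null))
| where Gaps >= 4 and Jitter < 0.25
| project DeviceName, InitiatingProcessFileName, RemoteIP, Gaps, MeanGapSec, Jitter, FirstSeen, LastSeen
| order by Jitter asc
```

Implants that add randomized sleep show a higher Jitter value, so raise the threshold or combine this with the count-based query when hunting for them.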
SENTINEL Detect connections to QakBot/Emotet C2 and malware download URLs

Identifies connections to Feodotracker-confirmed C2 IPs and URLhaus-confirmed malware staging domains across all log sources in Sentinel.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
    or RequestURL has_any ('subfossil-oak-chronology.garden', 'crispy-chicken-cutlets.garden', 'orbital-docking-module.garden')
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, Activity, DeviceVendor
| order by TimeGenerated desc
MDI Detect lateral movement patterns following QakBot/Emotet initial compromise

Hunts for suspicious NTLM authentication patterns indicative of lateral movement following a QakBot or Emotet loader infection, which frequently precede ransomware staging.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess'
| where Protocol == 'Ntlm'
| summarize LogonCount=count(), TargetDevices=make_set(DeviceName), FirstSeen=min(TimeGenerated) by AccountDisplayName, IPAddress
| where LogonCount > 5
| order by LogonCount desc
✅ Recommended Actions
→ IMMEDIATE: Block all five Feodotracker-confirmed C2 IPs (162.243.103.246, 50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) at perimeter firewall, web proxy, and DNS filtering layers
→ IMMEDIATE: Block URLhaus malware download domains at proxy and DNS: subfossil-oak-chronology.garden, crispy-chicken-cutlets.garden, orbital-docking-module.garden
→ IMMEDIATE: Run the MDE KQL beaconing detection query across all endpoints and escalate any hits as Priority 1 incidents
→ SHORT-TERM: Run the Sentinel query over the past 7 days (widen its ago(24h) window to ago(7d)) to identify any historical connections to C2 IPs or staging domains and establish dwell time
→ SHORT-TERM: Isolate any endpoint that has established connections to the listed C2 IPs and initiate full forensic triage
→ SHORT-TERM: Alert SOC team to monitor NTLM lateral movement patterns using the MDI query as a post-compromise hunting measure
→ LONG-TERM: Enrich SIEM threat intelligence feeds with all five Feodotracker IPs and URLhaus domains for automated alerting
#2

Mirai/Gafgyt IoT Botnet Campaign — Nexcorium Variant Actively Building DDoS Infrastructure (Nexus Team)

HIGH Unknown Threat Actor

MalwareBazaar has surfaced six new ELF binaries in the last 24 hours tagged as Mirai and Gafgyt variants, including samples tagged with Hajime cross-infection capability and UPX-packed payloads designed to evade hash-based detection. AlienVault OTX independently corroborates this activity with a pulse tracking 'Nexcorium' — a multi-architecture Mirai variant attributed to Nexus Team exploiting CVE-2024-3721 in TBK DVR devices to conscript IoT nodes into a DDoS botnet. URLhaus is simultaneously hosting active malware download URLs serving shell scripts (bin.sh) and ELF binaries from multiple IPs across Asian IP ranges, which align with the IoT infection delivery mechanism. Organizations with internet-exposed DVRs, routers, or Linux-based IoT devices should treat this as an active threat requiring immediate asset enumeration and patching of CVE-2024-3721.

🔴 Indicators of Compromise
HASH 438fa978de169d318889b1229639ce4c2195f54e2d9d8ab3c574df2efc9ec5bd Mirai/Gafgyt ELF variant — MalwareBazaar confirmed, multi-tag: elf, Gafgyt, Mirai
HASH d80eaf02bb44b9c33821443ded56dcbbcaac6cf184dd3a6726b0eed6823581b3 Mirai/Gafgyt UPX-decoded ELF variant — MalwareBazaar confirmed, tags: elf, Gafgyt, Mirai, upx-dec
HASH cc1c4b2fc00f127206103fe391dd73bd7a8939b098d5c7eb20505d21b23e819c Mirai ELF variant UPX-packed — MalwareBazaar confirmed, tags: elf, upx
HASH dee911cd0b2987cedfbad85a750a8e56ce10815569212dfa548bc61e83fadb7d Mirai ELF variant — MalwareBazaar confirmed, tags: elf, Mirai
HASH 2fc78af612168b531234325f9519427df1a905cd847b1ae29daacf9e57b52ba4 Mirai/Hajime ELF variant — MalwareBazaar confirmed, tags: elf, Hajime, Mirai
HASH ce4caa576aeebbf2698798c62addf2ac2474e973f06ad7e27e354c116cf01ec3 Mirai/Gafgyt UPX-decoded ELF variant — MalwareBazaar confirmed, tags: elf, Gafgyt, Mirai, upx-dec
URL http://110.37.107.203:53740/bin.sh Active malware download URL serving shell script for Mirai IoT infection — URLhaus confirmed
URL http://123.5.10.122:56083/bin.sh Active malware download URL serving shell script for Mirai IoT infection — URLhaus confirmed
URL http://61.52.157.121:46874/bin.sh Active malware download URL serving shell script for Mirai IoT infection — URLhaus confirmed
URL http://182.123.217.37:51717/bin.sh Active malware download URL serving shell script for Mirai IoT infection — URLhaus confirmed
URL http://110.36.76.43:42945/i Active malware download URL serving ELF binary for IoT infection — URLhaus confirmed
URL http://182.123.217.37:51717/i Active malware download URL serving ELF binary for IoT infection — URLhaus confirmed
URL http://119.185.130.62:60491/i Active malware download URL serving ELF binary for IoT infection — URLhaus confirmed
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application
T1105 Ingress Tool Transfer
T1498 Network Denial of Service
🟢 Hunt Queries
MDE Hunt for Mirai/Gafgyt ELF samples on Linux endpoints

Detects the presence of MalwareBazaar-confirmed Mirai and Gafgyt ELF binary hashes on monitored Linux endpoints.

DeviceFileEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    '438fa978de169d318889b1229639ce4c2195f54e2d9d8ab3c574df2efc9ec5bd',
    'd80eaf02bb44b9c33821443ded56dcbbcaac6cf184dd3a6726b0eed6823581b3',
    'cc1c4b2fc00f127206103fe391dd73bd7a8939b098d5c7eb20505d21b23e819c',
    'dee911cd0b2987cedfbad85a750a8e56ce10815569212dfa548bc61e83fadb7d',
    '2fc78af612168b531234325f9519427df1a905cd847b1ae29daacf9e57b52ba4',
    'ce4caa576aeebbf2698798c62addf2ac2474e973f06ad7e27e354c116cf01ec3'
)
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessCommandLine
| order by TimeGenerated desc
MDE Detect connections to Mirai malware download infrastructure

Identifies outbound connections to URLhaus-confirmed Mirai payload delivery servers, specifically those serving bin.sh shell scripts and ELF binaries.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('110.37.107.203', '123.5.10.122', '110.36.76.43', '182.123.217.37', '61.52.157.121', '119.185.130.62')
| where ActionType == 'ConnectionSuccess'
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
SENTINEL Detect Mirai dropper shell script downloads from URLhaus-confirmed IPs

Hunts for HTTP requests fetching bin.sh or ELF payloads from URLhaus-confirmed Mirai delivery infrastructure across all log sources.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationIP in ('110.37.107.203', '123.5.10.122', '110.36.76.43', '182.123.217.37', '61.52.157.121', '119.185.130.62')
    // match the exact payload paths seen on URLhaus; has_any('/i') would fire on any URL containing 'i' as a standalone path or query term
    or RequestURL endswith '/bin.sh' or RequestURL endswith '/i'
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, Activity, DeviceVendor
| order by TimeGenerated desc
MDI Detect anomalous Linux service account authentication following potential Mirai compromise

Hunts for unusual authentication events from Linux service accounts that may indicate post-compromise lateral movement following Mirai IoT device takeover.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess'
| where AccountDisplayName has_any ('service', 'daemon', 'root', 'admin')
| where Protocol in ('Ssh', 'Ntlm', 'Kerberos')
| summarize LogonCount=count(), TargetDevices=make_set(DeviceName) by AccountDisplayName, IPAddress, Protocol
| where LogonCount > 3
| order by LogonCount desc
✅ Recommended Actions
→ IMMEDIATE: Block all URLhaus-confirmed Mirai delivery IPs at perimeter firewall: 110.37.107.203, 123.5.10.122, 110.36.76.43, 182.123.217.37, 61.52.157.121, 119.185.130.62
→ IMMEDIATE: Submit all six Mirai/Gafgyt ELF hashes from MalwareBazaar to EDR platform for immediate blocking and retrospective scan
→ IMMEDIATE: Enumerate all internet-exposed TBK DVR devices and apply patches or mitigations for CVE-2024-3721 per the Nexcorium OTX pulse advisory
→ SHORT-TERM: Run the MDE KQL queries to detect Mirai ELF hash presence and connections to delivery infrastructure across all Linux endpoints
→ SHORT-TERM: Segment IoT and DVR devices onto isolated VLANs with egress filtering to prevent botnet enrollment
→ SHORT-TERM: Review firewall and proxy logs for outbound connections to non-standard high-numbered ports from IoT devices — this is the primary delivery mechanism
→ LONG-TERM: Implement network behavioral analytics on IoT segments to detect DDoS bot activity via abnormal outbound traffic volume
#3

Multi-Vector Phishing Campaign Targeting Apple Credentials and NanoCore RAT Distribution — OpenPhish and MalwareBazaar Confirmed

MEDIUM Unknown Threat Actor

OpenPhish has confirmed an active Apple credential harvesting campaign operating across multiple lookalike domains impersonating Apple's Find My device service — including fndmy-support.com, apple-photos.sa.com, and several .wasmer.app subdomains — with phishing URLs structured to mimic legitimate Apple authentication flows. Simultaneously, MalwareBazaar has surfaced two NanoCore RAT EXE samples in the last 24 hours, indicating active RAT distribution campaigns targeting Windows endpoints for remote access and credential theft. The parallel activity of credential-targeting phishing (Apple account takeover) and NanoCore RAT distribution suggests a broad initial access campaign that could be used for account compromise, credential resale, or as a foothold for further intrusion. DPD parcel delivery phishing domains (dpdloco*.top) are also active across five variants, suggesting a concurrent smishing or phishing wave targeting consumers that could be used for enterprise credential theft through personal device compromise.

🔴 Indicators of Compromise
HASH 4c423bbaba6531166cfc680d1554bdd235455ed33282633e033388fb85779f62 NanoCore RAT EXE sample — MalwareBazaar confirmed, tags: exe, NanoCore, RAT
HASH 216691ada8d515a8e518cd070291e3ac61f80dcd81c50749b1f8395601d25999 NanoCore RAT EXE sample — MalwareBazaar confirmed, tags: exe, NanoCore, RAT
URL https://fndmy-support.com/app/webroot/script/navigation_compass_find_devices_login_b4_passcode4/2026/ Active Apple Find My phishing URL harvesting Apple credentials — OpenPhish confirmed
URL https://fndmy-support.com/script/navigation_compass_find_devices_login_b4_passcode4/2026 Active Apple Find My phishing URL harvesting Apple credentials — OpenPhish confirmed
URL https://apple-photos.sa.com/app/webroot/script/navigation_compass_find_devices_login_b4_passcode4/2026/ Active Apple credential phishing URL — OpenPhish confirmed
URL https://survey.refassured.com/mbMO6z3K Active phishing URL — OpenPhish confirmed
URL http://dyaaka-meyhdi.wasmer.app/ Active phishing URL hosted on wasmer.app — OpenPhish confirmed
URL http://sd-rizx.wasmer.app/ Active phishing URL hosted on wasmer.app — OpenPhish confirmed
URL https://www.dpdlocowf.top/com Active DPD parcel delivery phishing URL — OpenPhish confirmed
URL https://www.dpdlocorl.top/com Active DPD parcel delivery phishing URL — OpenPhish confirmed
URL https://www.dpdlocotn.top/com Active DPD parcel delivery phishing URL — OpenPhish confirmed
URL https://www.dpdlocots.top/com Active DPD parcel delivery phishing URL — OpenPhish confirmed
URL https://www.dpdlocoyk.top/com Active DPD parcel delivery phishing URL — OpenPhish confirmed
🟣 MITRE ATT&CK TTPs
T1566.002 Phishing: Spearphishing Link
T1056.003 Input Capture: Web Portal Capture
T1219 Remote Access Software
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys
🟢 Hunt Queries
MDE Detect NanoCore RAT execution by confirmed MalwareBazaar hashes

Identifies execution or file creation events matching the two MalwareBazaar-confirmed NanoCore RAT EXE samples.

DeviceFileEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    '4c423bbaba6531166cfc680d1554bdd235455ed33282633e033388fb85779f62',
    '216691ada8d515a8e518cd070291e3ac61f80dcd81c50749b1f8395601d25999'
)
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
MDE Detect user navigation to Apple phishing and DPD phishing domains

Identifies endpoint browser connections to OpenPhish-confirmed Apple credential phishing and DPD delivery phishing domains.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteUrl has_any (
    'fndmy-support.com',
    'apple-photos.sa.com',
    'dpdlocowf.top',
    'dpdlocorl.top',
    'dpdlocotn.top',
    'dpdlocots.top',
    'dpdlocoyk.top',
    'wasmer.app',
    'refassured.com'
)
| project TimeGenerated, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
SENTINEL Detect connections to Apple phishing and NanoCore-related infrastructure

Cross-source hunt for connections to OpenPhish-confirmed phishing domains across all Sentinel log sources including proxy, DNS, and web gateway logs.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any (
    'fndmy-support.com',
    'apple-photos.sa.com',
    'dpdlocowf.top',
    'dpdlocorl.top',
    'dpdlocotn.top',
    'dpdlocots.top',
    'dpdlocoyk.top',
    'dyaaka-meyhdi.wasmer.app',
    'sd-rizx.wasmer.app',
    'refassured.com'
)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, Activity, DeviceVendor
| order by TimeGenerated desc
MDI Detect credential-based anomalies following potential Apple phishing compromise

Hunts for impossible travel or unusual logon locations that may indicate Apple credential reuse following phishing credential harvesting.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess'
| summarize LogonCount=count(), Countries=make_set(Location), IPAddresses=make_set(IPAddress) by AccountDisplayName, AccountDomain
| where array_length(Countries) > 1
| order by LogonCount desc
✅ Recommended Actions
→ IMMEDIATE: Block all OpenPhish-confirmed phishing domains at DNS and web proxy: fndmy-support.com, apple-photos.sa.com, dpdlocowf.top, dpdlocorl.top, dpdlocotn.top, dpdlocots.top, dpdlocoyk.top, dyaaka-meyhdi.wasmer.app, sd-rizx.wasmer.app, refassured.com
→ IMMEDIATE: Submit both NanoCore RAT EXE hashes to EDR for immediate blocking and run retrospective scan across all Windows endpoints
→ IMMEDIATE: Issue user awareness advisory warning staff about active Apple credential phishing campaign using Find My device lures
→ SHORT-TERM: Run MDE and Sentinel KQL queries to identify any users who have navigated to the phishing domains in the past 24-48 hours and force password resets for any affected accounts
→ SHORT-TERM: Review email gateway quarantine logs for emails containing links to fndmy-support.com or apple-photos.sa.com and notify affected recipients
→ SHORT-TERM: Run the MDI impossible travel query to identify any accounts showing signs of credential compromise following phishing
→ LONG-TERM: Enforce MFA on all enterprise accounts to mitigate impact of credential theft from phishing; ensure phishing-resistant MFA (FIDO2) is deployed for high-value accounts