May 19, 2026

Daily Threat Intelligence Report - 2026-05-14

35 IOCs | 9 TTPs | 9 KQL Queries
Executive Summary

Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed by Feodotracker, with four C2 servers actively beaconing across US, GB, and JP geolocations. A significant Mirai botnet campaign is simultaneously underway, evidenced by eight distinct ELF and shell-script samples uploaded to MalwareBazaar targeting internet-of-things and Linux devices. CISA has added five critical vulnerabilities to its Known Exploited Vulnerabilities catalog, including a Cisco Catalyst SD-WAN authentication bypass (CVE-2026-20182) and a Palo Alto Networks PAN-OS out-of-bounds write (CVE-2026-0300), which demand immediate patching prioritization. SOC teams should immediately block all five Feodotracker C2 IPs, hash-block all eight Mirai samples in EDR, and apply CISA KEV mitigations without delay.

#1 Active QakBot & Emotet C2 Infrastructure Beaconing - Multi-Country Distribution

Severity: CRITICAL | Attribution: TA505

Feodotracker has confirmed five active C2 servers associated with QakBot (four nodes: 50.16.16.211/US, 34.204.119.63/US, 178.62.3.223/GB, 27.133.154.218/JP) and Emotet (one node: 162.243.103.246/US) within the last 24 hours. TA505, a financially motivated threat actor historically linked to both QakBot distribution and Emotet delivery chains, represents the most probable operator given the multi-geography C2 spread and concurrent Emotet/QakBot co-deployment pattern consistent with their documented TTPs. QakBot is a modular banking trojan and initial-access broker tool used to deploy ransomware payloads including Conti and Black Basta; active C2 nodes indicate live campaigns targeting corporate environments. Immediate network-level blocking of all five IPs is required, followed by retrospective log analysis for any prior beaconing activity.

Indicators of Compromise
IP 162.243.103.246: Emotet C2 server hosted in the United States; Feodotracker confirmed active within the last 24 hours
IP 50.16.16.211: QakBot C2 server hosted in the United States; Feodotracker confirmed active within the last 24 hours
IP 34.204.119.63: QakBot C2 server hosted in the United States; Feodotracker confirmed active within the last 24 hours
IP 178.62.3.223: QakBot C2 server hosted in Great Britain; Feodotracker confirmed active within the last 24 hours
IP 27.133.154.218: QakBot C2 server hosted in Japan; Feodotracker confirmed active within the last 24 hours
MITRE ATT&CK TTPs
T1566.001 Phishing: Spearphishing Attachment
T1071.001 Application Layer Protocol: Web Protocols (C2)
T1055 Process Injection
Hunt Queries
MDE: Hunt for C2 connections to QakBot and Emotet Feodotracker infrastructure

Detects successful outbound connections to all five QakBot and Emotet C2 servers confirmed by Feodotracker in the last 24 hours. Any hit should be treated as a high-priority incident requiring immediate host isolation. This and the other MDE/MDI queries in this report use the TimeGenerated column of tables ingested into Microsoft Sentinel; when running them in Defender XDR advanced hunting, replace TimeGenerated with Timestamp.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| where ActionType == 'ConnectionSuccess'
| project TimeGenerated, DeviceName, LocalIP, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by TimeGenerated desc
MDE: Detect Office processes spawning shells (QakBot/Emotet initial-access indicator)

Identifies Microsoft Office applications spawning command interpreters, a primary delivery mechanism for QakBot and Emotet via malicious document attachments consistent with TA505 TTPs.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName in~ ('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'onenote.exe')
| where FileName in~ ('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'regsvr32.exe', 'rundll32.exe')
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, FolderPath
| order by TimeGenerated desc
Sentinel: Detect network flows to confirmed Emotet and QakBot C2 nodes

Identifies any internal host communicating with the five Feodotracker-confirmed C2 IP addresses associated with Emotet and QakBot malware families. Correlates across firewall, proxy, and flow logs ingested into Microsoft Sentinel.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| project TimeGenerated, SourceIP, SourceHostName, DestinationIP, DestinationPort, RequestURL, Activity, DeviceVendor, DeviceProduct
| order by TimeGenerated desc
Recommended Actions
→ IMMEDIATE: Block all five Feodotracker C2 IPs (162.243.103.246, 50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) at perimeter firewall, proxy, and DNS sinkholes
→ IMMEDIATE: Run the provided MDE KQL query across all endpoints; any device with a ConnectionSuccess hit to these IPs must be isolated and triaged as a potential active infection
→ IMMEDIATE: Notify SOC L2/L3 analysts of active QakBot and Emotet C2 beaconing; escalate any positive hits to incident response within 30 minutes
→ SHORT-TERM: Run retrospective 7-day and 30-day log searches against all five C2 IPs to identify any prior undetected beaconing activity indicating established footholds
→ SHORT-TERM: Disable macro execution in Microsoft Office via Group Policy for all users who do not have a documented business requirement; enforce Protected View for documents received from external sources
→ SHORT-TERM: Search email gateway logs for attachments that triggered macro warnings or sandbox detonations in the last 72 hours and correlate sending domains with known QakBot/Emotet delivery infrastructure
→ LONG-TERM: Integrate the Feodotracker C2 blocklist into the SIEM/SOAR automated threat intelligence ingestion pipeline for continuous blocking without manual intervention
→ LONG-TERM: Evaluate network segmentation controls to restrict workstation-to-internet direct connections; route all outbound HTTP/HTTPS through an inspecting proxy
#2 Mirai Botnet Expansion Campaign - Eight Active ELF Samples Distributed via Malware-Download Infrastructure

Severity: HIGH | Attribution: Unknown Threat Actor

MalwareBazaar has recorded eight distinct Mirai malware samples within the last 24 hours (seven ELF binaries and one shell-script variant), indicating an active botnet expansion or recruitment campaign targeting Linux-based and IoT devices. Concurrently, URLhaus has confirmed multiple active malware-download URLs, including two endpoints on 222.140.198.163 (serving both the '/i' payload and the '/bin.sh' dropper script) and additional download nodes across Asian IP ranges (123.4.236.124, 124.163.55.40, 110.36.92.72, 115.49.78.36, 119.114.195.42, 220.192.238.82), consistent with Mirai's documented technique of scanning for vulnerable devices and fetching architecture-specific ELF binaries via shell-script droppers. The scale of simultaneous sample submissions and active download infrastructure strongly suggests a coordinated botnet build-out, likely targeting routers, NAS devices, IP cameras, and Linux servers with default or weak credentials. Organizations with internet-exposed Linux systems or embedded devices should treat this as a high-priority threat requiring immediate network-level blocking and firmware/patch review.

Indicators of Compromise
HASH be27d319f75643466bcfdbbfbd522616cd38771102dcd7af6bfe7a1b088228c6: Mirai ELF binary; MalwareBazaar confirmed active sample tagged elf, Mirai
HASH 4ef4745dd219d096a39548d22e3b35021a60e7336e8a468115468266b1b45560: Mirai shell-script dropper; MalwareBazaar confirmed active sample tagged Mirai, sh
HASH 7cd1d037e07aae06ee395005504aaefa652d463ab3751609903f3a71aef8e7be: Mirai ELF binary; MalwareBazaar confirmed active sample tagged elf, Mirai
HASH 382532451215dd8a3c5fa070ced106e02f3eceb33bb4ff20c1c3c1d800ed587a: Mirai ELF binary; MalwareBazaar confirmed active sample tagged elf, Mirai
HASH cbbe7ef922e2127c492e4a0fcf56e198e330c964512c92bdd34ece7e08a6d2ce: Mirai ELF binary; MalwareBazaar confirmed active sample tagged elf, Mirai
HASH 1a59b44271e873fbbbe7b142c598723725f3838aeb31ad2389f31eef6a5315fa: Mirai ELF binary; MalwareBazaar confirmed active sample tagged elf, Mirai
HASH 82b2d959f05dff769caf3609d40624c268940ea47181dcbc0ef1fe9e09f06dd2: Mirai ELF binary; MalwareBazaar confirmed active sample tagged elf, Mirai
HASH 6bc133276ca529863571f49aeea200ea88720827afd2c99450278473cc467c6e: Mirai ELF binary; MalwareBazaar confirmed active sample tagged elf, Mirai
URL http://222.140.198.163:36243/i: Active Mirai payload download endpoint; URLhaus confirmed malware_download
URL http://222.140.198.163:36243/bin.sh: Active Mirai shell-script dropper endpoint; URLhaus confirmed malware_download; fetches architecture-specific ELF binaries
URL http://123.4.236.124:59762/i: Active Mirai payload download endpoint; URLhaus confirmed malware_download
URL http://124.163.55.40:48861/i: Active Mirai payload download endpoint; URLhaus confirmed malware_download
URL http://110.36.92.72:56054/i: Active Mirai payload download endpoint; URLhaus confirmed malware_download
URL http://115.49.78.36:57642/i: Active Mirai payload download endpoint; URLhaus confirmed malware_download
URL http://119.114.195.42:43583/i: Active Mirai payload download endpoint; URLhaus confirmed malware_download
URL http://220.192.238.82:57206/i: Active Mirai payload download endpoint; URLhaus confirmed malware_download
IP 222.140.198.163: Mirai payload distribution server hosting both the ELF binary (/i) and the shell-script dropper (/bin.sh); URLhaus confirmed
MITRE ATT&CK TTPs
T1595.001 Active Scanning: Scanning IP Blocks
T1078.001 Valid Accounts: Default Accounts
T1498.001 Network Denial of Service: Direct Network Flood
Hunt Queries
MDE: Hunt for Mirai ELF binary hashes on Linux and IoT-managed endpoints

Searches for file creation or execution events matching the eight confirmed Mirai sample hashes from MalwareBazaar across all MDE-enrolled endpoints. Positive hits indicate active Mirai infection.

DeviceFileEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    'be27d319f75643466bcfdbbfbd522616cd38771102dcd7af6bfe7a1b088228c6',
    '4ef4745dd219d096a39548d22e3b35021a60e7336e8a468115468266b1b45560',
    '7cd1d037e07aae06ee395005504aaefa652d463ab3751609903f3a71aef8e7be',
    '382532451215dd8a3c5fa070ced106e02f3eceb33bb4ff20c1c3c1d800ed587a',
    'cbbe7ef922e2127c492e4a0fcf56e198e330c964512c92bdd34ece7e08a6d2ce',
    '1a59b44271e873fbbbe7b142c598723725f3838aeb31ad2389f31eef6a5315fa',
    '82b2d959f05dff769caf3609d40624c268940ea47181dcbc0ef1fe9e09f06dd2',
    '6bc133276ca529863571f49aeea200ea88720827afd2c99450278473cc467c6e'
)
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
MDE: Detect connections to Mirai payload distribution servers from URLhaus

Identifies any endpoint or network device making outbound connections to confirmed URLhaus Mirai distribution server IPs, which serve both ELF payloads and shell-script droppers.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('222.140.198.163', '123.4.236.124', '124.163.55.40', '110.36.92.72', '115.49.78.36', '119.114.195.42', '220.192.238.82')
| where ActionType == 'ConnectionSuccess'
| project TimeGenerated, DeviceName, LocalIP, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
Sentinel: Detect downloads from Mirai payload distribution URLs across proxy and firewall logs

Queries proxy, web gateway, and firewall logs for HTTP requests to the confirmed URLhaus Mirai download URLs serving ELF binaries and the /bin.sh dropper script.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationIP in ('222.140.198.163', '123.4.236.124', '124.163.55.40', '110.36.92.72', '115.49.78.36', '119.114.195.42', '220.192.238.82')
    or RequestURL has_any ('/bin.sh', '222.140.198.163', '123.4.236.124', '124.163.55.40')
| project TimeGenerated, SourceIP, SourceHostName, DestinationIP, DestinationPort, RequestURL, Activity, DeviceVendor
| order by TimeGenerated desc
Recommended Actions
→ IMMEDIATE: Block all URLhaus-listed Mirai distribution IPs (222.140.198.163, 123.4.236.124, 124.163.55.40, 110.36.92.72, 115.49.78.36, 119.114.195.42, 220.192.238.82) at perimeter firewall and DNS
→ IMMEDIATE: Submit all eight Mirai SHA256 hashes to EDR/AV platforms for immediate blocking and conduct a retroactive scan across all enrolled Linux and embedded systems
→ IMMEDIATE: Audit all internet-facing IoT devices, routers, NAS appliances, and IP cameras; change all default credentials and disable Telnet where not required
→ SHORT-TERM: Run the MDE and Sentinel KQL queries to identify any internal hosts that have communicated with Mirai distribution infrastructure or have matching file hashes
→ SHORT-TERM: Review firewall rules to ensure Telnet (port 23) and unnecessary SSH access from the internet are blocked at the perimeter for all non-managed network devices
→ SHORT-TERM: Implement outbound traffic volume alerting on all network devices; sudden traffic spikes may indicate DDoS participation by a Mirai-compromised device
→ LONG-TERM: Establish an asset inventory for all internet-exposed embedded Linux and IoT devices; enforce firmware update policies and monitor for new CVE disclosures affecting deployed device models
→ LONG-TERM: Integrate the URLhaus malware-download feed into web proxy and DNS filtering for automated blocking of newly identified Mirai distribution infrastructure
#3 Multi-Platform Phishing Campaign - Social Media, Banking, Gaming, and Marketplace Credential Harvesting

Severity: MEDIUM | Attribution: Unknown Threat Actor

OpenPhish has confirmed fifteen active phishing URLs within the last 24 hours targeting a diverse set of platforms including Instagram (insta-clone-application.vercel.app), Facebook (facebook-similer.vercel.app, meta-id17641/17640.program-ads-agency.com), Roblox (www.roblox.et), Bank of America (siginjai99.com/bank0famericasecuritymail), the mobile.de automotive marketplace (talentsync.co.uk/id.handel.mobile.de/login), and generic credential-harvesting portals. Two infrastructure clusters stand out: fake Instagram and Facebook clone sites hosted on Vercel and program-ads-agency.com, suggesting a coordinated social media account takeover campaign, and a separate banking phishing cluster targeting Bank of America customers via obfuscated URL parameters. Additionally, AlienVault OTX has reported FlowerStorm, a Phishing-as-a-Service (PhaaS) operator, deploying novel VM-based obfuscation (KrakVM) to evade detection, indicating that commodity PhaaS infrastructure is becoming significantly harder to detect with traditional signature-based approaches. Organizations should immediately update proxy and email gateway block lists with all confirmed OpenPhish URLs and brief users about current social media and banking phishing lure themes.

Indicators of Compromise
URL https://insta-clone-application.vercel.app/auth/: Instagram credential-harvesting phishing page hosted on Vercel; OpenPhish confirmed active
URL https://www.insta-clone-application.vercel.app/auth/: Instagram credential-harvesting phishing page (www subdomain variant) hosted on Vercel; OpenPhish confirmed active
URL https://facebook-similer.vercel.app/: Facebook credential-harvesting phishing page hosted on Vercel; OpenPhish confirmed active
URL http://meta-id17641.program-ads-agency.com/: Meta/Facebook impersonation phishing site; OpenPhish confirmed active
URL http://meta-id17640.program-ads-agency.com/: Meta/Facebook impersonation phishing site (sequential variant); OpenPhish confirmed active
URL https://siginjai99.com/bank0famericasecuritymail/?amrldmluzubwywxtywlyzmvnbgyuy29t=: Bank of America credential-harvesting phishing page with obfuscated URL parameter; OpenPhish confirmed active
URL https://talentsync.co.uk/id.handel.mobile.de/login: mobile.de automotive marketplace login phishing page hosted on talentsync.co.uk; OpenPhish confirmed active
URL http://ning1-ddere5bmduh3h7gd.z03.azurefd.net/: Phishing page abusing Microsoft Azure Front Door CDN infrastructure; OpenPhish confirmed active
URL https://amber-fossil-mosquito.garden/3ac57b2f-2bfc-4f12-b1cd-247c272c148f/google.cl: Malware download URL masquerading as Google content; URLhaus confirmed malware_download
URL https://phase-shift-bridge-driver.garden/77ba6dfa-c0e0-4c28-982d-42f0146fdf04/google.cl: Malware download URL masquerading as Google content; URLhaus confirmed malware_download
URL https://survey.refassured.com/BZXOR4xm: Phishing page disguised as a survey; OpenPhish confirmed active
URL https://sonhaberleri255.shop/auth: Credential-harvesting phishing authentication page; OpenPhish confirmed active
URL https://sahityasarokar.com/wp-noon/pages/login.php: Phishing login page hosted on a compromised WordPress site; OpenPhish confirmed active
MITRE ATT&CK TTPs
T1566.002 Phishing: Spearphishing Link
T1539 Steal Web Session Cookie
T1608.005 Stage Capabilities: Link Target
Hunt Queries
MDE: Detect user navigation to confirmed OpenPhish phishing URLs

Identifies endpoint browser activity connecting to the confirmed OpenPhish phishing domains. Covers social media, banking, gaming, and marketplace phishing infrastructure active today.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteUrl has_any (
    'insta-clone-application.vercel.app',
    'facebook-similer.vercel.app',
    'program-ads-agency.com',
    'siginjai99.com',
    'talentsync.co.uk',
    'sonhaberleri255.shop',
    'sahityasarokar.com',
    'amber-fossil-mosquito.garden',
    'phase-shift-bridge-driver.garden',
    'survey.refassured.com/BZXOR4xm',
    'ning1-ddere5bmduh3h7gd.z03.azurefd.net',
    'roblox.et'
)
| project TimeGenerated, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessAccountName
| order by TimeGenerated desc
MDI: Detect impossible travel and new-device logons following phishing (credential-theft indicator)

Hunts for authentication anomalies consistent with stolen credentials or session-cookie replay after phishing. Flags accounts with successful logons from more than one IP address and more than one reported location within the same 30-minute bin, consistent with the FlowerStorm AiTM PhaaS TTPs reported by AlienVault OTX. Note that bin() groups events into fixed windows, so two logons that straddle a bin boundary (for example 08:29 and 08:31) land in different rows and are not flagged; widen the bin or pivot to the raw events for borderline accounts.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess'
| summarize IPList=make_set(IPAddress), LocationList=make_set(Location), LogonCount=count() by AccountDisplayName, bin(TimeGenerated, 30m)
| where array_length(IPList) > 1
| where array_length(LocationList) > 1
| order by LogonCount desc
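The same aggregation as the MDI query above, written as an added Python example (not part of the original report) over constructed logon records so the fixed-bin boundary caveat can be seen directly; the account names, IPs and locations are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BIN_MINUTES = 30  # same window as bin(TimeGenerated, 30m) in the query above
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample rows shaped like IdentityLogonEvents; accounts, IPs
# (RFC 5737 documentation ranges) and locations are made up, not telemetry.
SAMPLE_LOGONS = [
    {"ts": "2026-05-14T08:02:00", "action": "LogonSuccess", "account": "j.doe",
     "ip": "203.0.113.10", "location": "Berlin, DE"},
    {"ts": "2026-05-14T08:17:00", "action": "LogonSuccess", "account": "j.doe",
     "ip": "198.51.100.7", "location": "Lagos, NG"},   # 2 IPs, 2 locations, one bin: flagged
    {"ts": "2026-05-14T08:40:00", "action": "LogonSuccess", "account": "a.smith",
     "ip": "192.0.2.44", "location": "Dublin, IE"},
    {"ts": "2026-05-14T08:55:00", "action": "LogonSuccess", "account": "a.smith",
     "ip": "192.0.2.45", "location": "Dublin, IE"},    # 2 IPs but 1 location: not flagged
    {"ts": "2026-05-14T09:01:00", "action": "LogonFailed", "account": "b.lee",
     "ip": "203.0.113.99", "location": "Tokyo, JP"},   # failed logons are filtered out
    {"ts": "2026-05-14T09:05:00", "action": "LogonSuccess", "account": "b.lee",
     "ip": "203.0.113.98", "location": "Osaka, JP"},
    {"ts": "2026-05-14T09:29:00", "action": "LogonSuccess", "account": "c.park",
     "ip": "198.51.100.20", "location": "Paris, FR"},
    {"ts": "2026-05-14T09:31:00", "action": "LogonSuccess", "account": "c.park",
     "ip": "203.0.113.5", "location": "Madrid, ES"},   # straddles 09:30: missed by 30m bins
]


def bin_start(ts: datetime, minutes: int = BIN_MINUTES) -> datetime:
    """Floor an aware UTC timestamp to the start of its fixed bin, like KQL bin()."""
    width = minutes * 60
    floored = (int((ts - _EPOCH).total_seconds()) // width) * width
    return _EPOCH + timedelta(seconds=floored)


def find_multi_location_logons(events, bin_minutes: int = BIN_MINUTES):
    """Return {(account, bin_start): {"ips", "locations", "count"}} for every bin
    in which one account had successful logons from more than one IP address
    and more than one location, ordered by logon count descending."""
    buckets = defaultdict(lambda: {"ips": set(), "locations": set(), "count": 0})
    for ev in events:
        if ev["action"] != "LogonSuccess":          # where ActionType == 'LogonSuccess'
            continue
        ts = datetime.fromisoformat(ev["ts"]).replace(tzinfo=timezone.utc)
        bucket = buckets[(ev["account"], bin_start(ts, bin_minutes))]
        bucket["ips"].add(ev["ip"])                 # make_set(IPAddress)
        bucket["locations"].add(ev["location"])     # make_set(Location)
        bucket["count"] += 1                        # count()
    flagged = {key: agg for key, agg in buckets.items()
               if len(agg["ips"]) > 1 and len(agg["locations"]) > 1}
    return dict(sorted(flagged.items(), key=lambda kv: kv[1]["count"], reverse=True))


def flagged_accounts(events, bin_minutes: int = BIN_MINUTES):
    """Sorted, de-duplicated account names that appear in any flagged bin."""
    return sorted({account for account, _ in find_multi_location_logons(events, bin_minutes)})


if __name__ == "__main__":
    for (account, start), agg in find_multi_location_logons(SAMPLE_LOGONS).items():
        print(f"{account} @ {start:%H:%M}: {sorted(agg['ips'])} {sorted(agg['locations'])}")
    # c.park only surfaces once the window is widened past the 09:30 boundary
    print("60-minute bins:", flagged_accounts(SAMPLE_LOGONS, bin_minutes=60))
```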
Sentinel: Detect proxy and DNS requests to active phishing infrastructure from OpenPhish

Queries web proxy, DNS, and firewall logs for any organizational user accessing confirmed OpenPhish phishing domains or URLhaus malware-download masquerade pages. Covers all 15 OpenPhish URLs and two URLhaus google.cl masquerade URLs.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any (
    'insta-clone-application.vercel.app',
    'facebook-similer.vercel.app',
    'program-ads-agency.com',
    'siginjai99.com',
    'talentsync.co.uk',
    'sonhaberleri255.shop',
    'sahityasarokar.com',
    'amber-fossil-mosquito.garden',
    'phase-shift-bridge-driver.garden',
    'survey.refassured.com',
    'ning1-ddere5bmduh3h7gd.z03.azurefd.net',
    'roblox.et',
    'b35n.com',
    'thewabisabinook.com/wp-content/nf74nd'
)
| project TimeGenerated, SourceIP, SourceHostName, DestinationIP, RequestURL, Activity, DeviceVendor
| order by TimeGenerated desc
Recommended Actions
→ IMMEDIATE: Push all 15 OpenPhish-confirmed phishing URLs and associated domains to web proxy, DNS filtering, and email gateway block lists
→ IMMEDIATE: Block program-ads-agency.com, siginjai99.com, sonhaberleri255.shop, roblox.et, and the two amber-fossil-mosquito.garden / phase-shift-bridge-driver.garden domains at the DNS and proxy layer
→ IMMEDIATE: Alert the security awareness team to distribute an urgent user notification about active Instagram, Facebook, Bank of America, and Roblox phishing campaigns matching today's OpenPhish intelligence
→ SHORT-TERM: Run the Sentinel KQL query across all proxy and DNS logs for the past 7 days to identify any users who may have already accessed these phishing pages before today's blocking
→ SHORT-TERM: For any user identified as having visited a phishing URL, immediately force a password reset for the targeted platform account and review for signs of account compromise or MFA bypass
→ SHORT-TERM: Review conditional access policies to ensure that new device registrations and logins from new locations require step-up MFA; this directly mitigates the FlowerStorm AiTM session-cookie theft reported by AlienVault OTX
→ SHORT-TERM: Audit Azure Front Door and Vercel-hosted applications in your environment; ensure that .azurefd.net and *.vercel.app subdomains not belonging to your organization are blocked at the proxy
→ LONG-TERM: Implement a PhaaS-aware detection strategy including AiTM-specific indicators such as token-theft detection in Entra ID (formerly Azure AD) sign-in logs, aligned with the FlowerStorm KrakVM VM-obfuscation capability reported by AlienVault OTX