Daily Threat Intelligence Report - 2026-05-14
Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed by Feodotracker, with four QakBot C2 servers and one Emotet C2 server actively beaconing across US, GB, and JP geolocations. A significant Mirai botnet campaign is simultaneously underway, evidenced by eight distinct ELF and shell-script samples uploaded to MalwareBazaar targeting internet-of-things and Linux devices. CISA has added five critical vulnerabilities to its Known Exploited Vulnerabilities catalog, including a Cisco Catalyst SD-WAN authentication bypass (CVE-2026-20182) and a Palo Alto Networks PAN-OS out-of-bounds write (CVE-2026-0300), demanding immediate patching prioritization. SOC teams should immediately block all five Feodotracker C2 IPs, hash-block all eight Mirai ELF samples in EDR, and apply CISA KEV mitigations without delay.
Active QakBot & Emotet C2 Infrastructure Beaconing: Multi-Country Distribution
CRITICAL | TA505
Feodotracker has confirmed five active C2 servers associated with QakBot (four nodes: 50.16.16.211/US, 34.204.119.63/US, 178.62.3.223/GB, 27.133.154.218/JP) and Emotet (one node: 162.243.103.246/US) within the last 24 hours. TA505, a financially motivated threat actor historically linked to both QakBot distribution and Emotet delivery chains, represents the most probable operator given the multi-geography C2 spread and the concurrent Emotet/QakBot co-deployment pattern consistent with their documented TTPs. QakBot is a modular banking trojan and initial-access broker tool used to deploy ransomware payloads including Conti and Black Basta; active C2 nodes indicate live campaigns targeting corporate environments. Immediate network-level blocking of all five IPs is required, followed by retrospective log analysis for any prior beaconing activity.
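As an added example (not part of the report), the retrospective check below runs over constructed firewall log lines, flags every internal host that contacted one of the five Feodotracker C2 IPs listed above, and rates a connection series as periodic when the gaps between connections are regular, which is what distinguishes a beacon from one-off traffic. The log line format, the thresholds and the sample addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# C2 IPs from the report (four QakBot nodes, one Emotet node).
FEODO_C2 = {
    "50.16.16.211": "QakBot", "34.204.119.63": "QakBot",
    "178.62.3.223": "QakBot", "27.133.154.218": "QakBot",
    "162.243.103.246": "Emotet",
}

def parse_line(line):
    """Parse a constructed 'ISO-timestamp src dst dport' firewall log line."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_beacons(lines, min_hits=3, max_cv=0.2):
    """Map (src, dst) -> summary for every host that contacted a listed C2.
    A series is flagged 'periodic' when it has at least min_hits events and
    the coefficient of variation (stdev/mean) of the gaps between them is at
    most max_cv, i.e. the timing is regular in the way a beacon is."""
    seen = defaultdict(list)
    for line in lines:
        ts, src, dst, _dport = parse_line(line)
        if dst in FEODO_C2:
            seen[(src, dst)].append(ts)
    hits = {}
    for (src, dst), stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        info = {"family": FEODO_C2[dst], "count": len(stamps),
                "mean_gap_s": None, "cv": None, "periodic": False}
        if len(stamps) >= max(min_hits, 2) and mean(gaps) > 0:
            cv = pstdev(gaps) / mean(gaps)
            info.update(mean_gap_s=round(mean(gaps), 1), cv=round(cv, 3),
                        periodic=cv <= max_cv)
        hits[(src, dst)] = info
    return hits

# Constructed sample: one host beacons to a QakBot node roughly every 5 min,
# another touches the Emotet node once, and one line goes to a benign address.
SAMPLE_LOG = """\
2026-05-13T09:00:00 10.1.2.15 50.16.16.211 443
2026-05-13T09:05:02 10.1.2.15 50.16.16.211 443
2026-05-13T09:09:58 10.1.2.15 50.16.16.211 443
2026-05-13T09:15:01 10.1.2.15 50.16.16.211 443
2026-05-13T09:07:30 10.1.2.40 162.243.103.246 8080
2026-05-13T09:08:00 10.1.2.40 203.0.113.5 443
""".splitlines()

for key, info in find_beacons(SAMPLE_LOG).items():
    print(key, info)
```

A single contact with a C2 address is still reported (the Emotet host above), only without the periodicity rating; the threshold values should be tuned to the real log volume before use.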
Mirai Botnet Expansion Campaign: Eight Active ELF Samples Distributed via Malware-Download Infrastructure
HIGH | Unknown Threat Actor
MalwareBazaar has recorded eight distinct Mirai malware samples within the last 24 hours (seven ELF binaries and one shell-script variant), indicating an active botnet expansion or recruitment campaign targeting Linux-based and IoT devices. Concurrently, URLhaus has confirmed multiple active malware-download URLs, including two endpoints on 222.140.198.163 (serving both the '/i' payload and the '/bin.sh' dropper script) and additional download nodes across Asian IP ranges (123.4.236.124, 124.163.55.40, 110.36.92.72, 115.49.78.36, 119.114.195.42, 220.192.238.82), consistent with Mirai's documented technique of scanning for vulnerable devices and fetching architecture-specific ELF binaries via shell-script droppers. The scale of simultaneous sample submissions and active download infrastructure strongly suggests a coordinated botnet build-out, likely targeting routers, NAS devices, IP cameras, and Linux servers with default or weak credentials. Organizations with internet-exposed Linux systems or embedded devices should treat this as a high-priority threat requiring immediate network-level blocking and firmware/patch review.
Multi-Platform Phishing Campaign: Social Media, Banking, Gaming, and Marketplace Credential Harvesting
MEDIUM | Unknown Threat Actor
OpenPhish has confirmed fifteen active phishing URLs within the last 24 hours targeting a diverse set of platforms, including Instagram (insta-clone-application.vercel.app), Facebook (facebook-similer.vercel.app, meta-id17641/17640.program-ads-agency.com), Roblox (www.roblox.et), Bank of America (siginjai99.com/bank0famericasecuritymail), the mobile.de automotive marketplace (talentsync.co.uk/id.handel.mobile.de/login), and generic credential-harvesting portals. Two infrastructure clusters stand out: fake Instagram and Facebook clone sites hosted on Vercel and program-ads-agency.com, suggesting a coordinated social media account takeover campaign, and a separate banking phishing cluster targeting Bank of America customers via obfuscated URL parameters. Additionally, AlienVault OTX has reported FlowerStorm, a Phishing-as-a-Service (PhaaS) operator, deploying novel VM-based obfuscation (KrakVM) to evade detection, indicating that commodity PhaaS infrastructure is becoming significantly harder to detect with traditional signature-based approaches. Organizations should immediately update proxy and email gateway block lists with all confirmed OpenPhish URLs and brief users about current social media and banking phishing lure themes.