Daily Threat Intelligence Report, 2025-07-14
Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed by Feodotracker, with four QakBot C2 servers spanning the US, UK, and Japan alongside one active Emotet C2. CISA has added five critical vulnerabilities to its Known Exploited Vulnerabilities catalog, including a Cisco Catalyst SD-WAN authentication bypass (CVE-2026-20182) and a Palo Alto Networks PAN-OS out-of-bounds write (CVE-2026-0300) enabling unauthenticated root-level code execution. An active npm supply chain attack, the 'Mini Shai-Hulud' campaign, has compromised 639 packages in the @antv ecosystem, posing significant risk to development pipelines. Immediate actions include blocking all five Feodotracker C2 IPs at the perimeter, patching all five CISA KEV vulnerabilities as a priority, and auditing npm dependencies for @antv ecosystem packages.
Active QakBot & Emotet C2 Infrastructure: Multi-Region Banking Trojan Operations
Severity: CRITICAL | Attributed actor: TA505
Feodotracker has confirmed five active C2 servers operating within the last 24 hours: four attributed to QakBot (50.16.16.211, US; 34.204.119.63, US; 178.62.3.223, GB; 27.133.154.218, JP) and one to Emotet (162.243.103.246, US). QakBot and Emotet are well-established initial access and loader malware families historically leveraged by TA505 and affiliated threat actors to deliver ransomware and conduct financial fraud. The geographic distribution of C2 nodes across the US, UK, and Japan indicates a globally distributed botnet infrastructure designed for resilience against takedown. Any outbound connections from enterprise endpoints to these IPs should be treated as high-priority incidents indicating active compromise or beacon activity.
CISA KEV: Critical Vulnerabilities in Cisco SD-WAN, PAN-OS, Ivanti EPMM, Microsoft Exchange, and BerriAI LiteLLM Actively Exploited
Severity: HIGH | Attributed actor: Unknown
CISA has added five vulnerabilities to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The most critical are CVE-2026-20182 (Cisco Catalyst SD-WAN authentication bypass allowing unauthenticated remote attackers to obtain administrative privileges) and CVE-2026-0300 (Palo Alto Networks PAN-OS out-of-bounds write in the User-ID Authentication Portal enabling unauthenticated root-level RCE on PA-Series and VM-Series firewalls). Also notable are CVE-2026-6973 (Ivanti EPMM RCE for authenticated admin users), CVE-2026-42897 (Microsoft Exchange Server XSS in Outlook Web Access), and CVE-2026-42208 (BerriAI LiteLLM SQL injection exposing proxy credentials). These vulnerabilities span network infrastructure, endpoint management, and AI tooling, representing a broad attack surface that threat actors including APT28, APT29, and Lazarus Group are known to target.
Active npm Supply Chain Attack: Mini Shai-Hulud Campaign Compromises @antv Ecosystem and chalk-tempalte Package
Severity: MEDIUM | Attributed actor: Unknown
AlienVault OTX reports an active npm supply chain attack designated the 'Mini Shai-Hulud' campaign, which has compromised 639 packages in the @antv ecosystem by targeting the maintainer account 'atool'. A copycat variant has also emerged infecting the npm package 'chalk-tempalte', appearing just five days after the original worm was open-sourced by its creators, alongside three additional malicious packages published by the same threat actor. This attack follows the worm-based npm supply chain pattern in which a single compromised maintainer account can cascade malicious code across hundreds of dependent packages. Organizations using @antv data visualization libraries or chalk-tempalte in their development pipelines or production Node.js applications should treat this as a high-priority dependency audit action. The stamparm/maltrail project on GitHub has also updated its hacked_pypirepos.txt and bad_script.txt signatures, indicating concurrent activity in compromised PyPI repositories and suggesting a broader supply chain threat across open-source ecosystems today.
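The dependency audit recommended above can be run directly against a project's lockfile. The following is an added example (not code from this report, AlienVault OTX, or the @antv project) that walks an npm package-lock.json (lockfileVersion 2/3 "packages" layout) and flags every installed copy of a package in the @antv scope or named chalk-tempalte, including transitive installs nested under other packages; the embedded lockfile is constructed and its package versions are made up.

```python
import json

# Scope and package name called out in the report; matched by name at any
# version, since the report gives no affected version ranges.
WATCHED_SCOPES = {"@antv"}
WATCHED_PACKAGES = {"chalk-tempalte"}

# Constructed sample lockfile (lockfileVersion 3 layout), not a real project.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@antv/g2": "^5.0.0", "chalk": "^5.3.0"}},
        "node_modules/@antv/g2": {"version": "5.2.1"},
        "node_modules/@antv/g2/node_modules/@antv/util": {"version": "3.3.7"},
        "node_modules/chalk": {"version": "5.3.0"},
        "node_modules/some-lib/node_modules/chalk-tempalte": {"version": "1.0.2"},
    },
})

def package_name_from_path(path: str) -> str:
    """Return the package name from a 'packages' key such as
    'node_modules/a/node_modules/@scope/b' (everything after the last
    'node_modules/'). The root entry '' yields ''."""
    _head, sep, tail = path.rpartition("node_modules/")
    return tail if sep else ""

def audit_lockfile(text: str) -> list[dict]:
    """Return one finding per installed package that is in a watched scope
    or has a watched name. Nested installs are reported as transitive."""
    lock = json.loads(text)
    if "packages" not in lock:
        raise ValueError("lockfileVersion 1 has no 'packages'; regenerate with npm >= 7")
    findings = []
    for path, meta in lock["packages"].items():
        name = package_name_from_path(path)
        if not name:
            continue  # skip the root project entry
        scope = name.split("/", 1)[0] if name.startswith("@") else None
        if scope in WATCHED_SCOPES or name in WATCHED_PACKAGES:
            findings.append({
                "name": name,
                "version": meta.get("version", "unknown"),
                "path": path,
                "transitive": path.count("node_modules/") > 1,
                "reason": "watched scope" if scope in WATCHED_SCOPES else "watched package",
            })
    return findings

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"{f['name']}@{f['version']} ({f['reason']}, transitive={f['transitive']}) at {f['path']}")
```

Run it against a real lockfile by replacing SAMPLE_LOCKFILE with the file's contents; a non-empty result means the package is installed somewhere in the tree and should be pinned, removed, or verified against the maintainer's advisory before the next build.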