May 20, 2026

Daily Threat Intelligence Report - 2025-07-14

20 IOCs | 11 TTPs | 11 KQL Queries

Executive Summary

Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed by Feodotracker: four QakBot C2 servers spanning the US, UK, and Japan alongside one active Emotet C2. CISA has added five vulnerabilities to its Known Exploited Vulnerabilities catalog, including a Cisco Catalyst SD-WAN authentication bypass (CVE-2026-20182) and a Palo Alto Networks PAN-OS out-of-bounds write (CVE-2026-0300) that enables unauthenticated root-level code execution. An active npm supply chain attack, the 'Mini Shai-Hulud' campaign, has compromised 639 packages in the @antv ecosystem and poses a significant risk to development pipelines. Immediate actions: block all five Feodotracker C2 IPs at the perimeter, patch the five CISA KEV vulnerabilities on priority, and audit npm lockfiles for @antv scoped packages.

#1

Active QakBot & Emotet C2 Infrastructure - Multi-Region Banking Trojan Operations

CRITICAL Financially motivated QakBot/Emotet affiliates

Feodotracker has confirmed five active C2 servers operating within the last 24 hours: four attributed to QakBot (50.16.16.211, US; 34.204.119.63, US; 178.62.3.223, GB; 27.133.154.218, JP) and one to Emotet (162.243.103.246, US). QakBot and Emotet are long-running loader and initial-access malware families run by financially motivated groups (Emotet by the actor tracked as TA542/Mummy Spider; QakBot distributed by affiliates such as TA577) that hand off access for ransomware deployment and financial fraud; neither is a TA505 tool. The spread of C2 nodes across the US, UK, and Japan reflects rented hosting in several providers. Such nodes are cheap to replace and churn quickly, so re-validate the list against Feodotracker before baking it into long-lived blocks. Any outbound connection from an enterprise endpoint to these IPs, whether it succeeded or was blocked, should be treated as a high-priority incident indicating compromise or beacon activity.

🔴 Indicators of Compromise
IP 162.243.103.246 Emotet C2 server hosted in the US; Feodotracker confirmed active within the last 24 hours
IP 50.16.16.211 QakBot C2 server hosted in the US; Feodotracker confirmed active within the last 24 hours
IP 34.204.119.63 QakBot C2 server hosted in the US; Feodotracker confirmed active within the last 24 hours
IP 178.62.3.223 QakBot C2 server hosted in the UK; Feodotracker confirmed active within the last 24 hours
IP 27.133.154.218 QakBot C2 server hosted in Japan; Feodotracker confirmed active within the last 24 hours
HASH 6dcbbe9f8d4072b99884ceb48e69a6fef1d3cb8fffacebbfab602093dcb987d4 AsyncRAT sample confirmed by MalwareBazaar. Same-day loader-stage activity; no direct link to the C2 servers above is established, so treat it as a standalone AsyncRAT indicator rather than as QakBot/Emotet evidence
URL http://110.37.39.32:48888/bin.sh Active malware download URL, URLhaus confirmed. A shell-script dropper served from a high, non-standard port is the pattern of Linux/IoT botnet staging rather than of QakBot/Emotet delivery; hunt for it on Linux hosts and network appliances as well as on workstations
URL http://110.36.28.230:44960/i Active malware download URL, URLhaus confirmed; likely dropper or implant delivery endpoint
URL http://113.229.188.49:46902/bin.sh Active malware download URL, URLhaus confirmed; shell-script dropper on a non-standard port, same pattern as above
🟣 MITRE ATT&CK TTPs
T1566.001 Phishing: Spearphishing Attachment
T1071.001 Application Layer Protocol: Web Protocols
T1105 Ingress Tool Transfer
T1055 Process Injection
🟢 Hunt Queries
MDE Hunt for C2 Connections to QakBot and Emotet Infrastructure

Detects outbound network connections from any device to the five Feodotracker-confirmed active C2 servers for QakBot and Emotet within the last 24 hours. Failed connections are included deliberately: a beacon that the firewall dropped still means the endpoint is infected. In the MDE advanced hunting portal the time column is Timestamp; TimeGenerated applies when the table is queried through Sentinel.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| where ActionType in ('ConnectionSuccess', 'ConnectionFailed', 'ConnectionRequest')
| project TimeGenerated, DeviceName, ActionType, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by TimeGenerated desc
MDE Detect Malware Download from URLhaus-Listed Endpoints

Identifies connections to URLhaus-confirmed malware download host IPs: the three URL hosts listed above plus four further hosts from the same day's URLhaus feed that appear in the block list below. Blocked attempts are kept, since a host that tried to fetch a dropper is the finding regardless of whether the proxy let it through; RemoteUrl is projected so the exact path (bin.sh, /i) can be compared against the listed URLs.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('110.37.39.32', '110.36.28.230', '113.229.188.49', '27.220.76.50', '115.59.80.140', '112.242.90.238', '113.239.237.55')
| where ActionType in ('ConnectionSuccess', 'ConnectionFailed', 'ConnectionRequest')
| project TimeGenerated, DeviceName, ActionType, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
MDI Detect Lateral Movement Patterns Associated with QakBot/Emotet Post-Exploitation

Hunts for accounts authenticating over NTLM to many distinct hosts in a short window, the fan-out pattern that follows QakBot or Emotet initial access once operators begin moving laterally. In IdentityLogonEvents the source host is DeviceName and the host logged on to is DestinationDeviceName, so the target set is built on the destination column; counting distinct targets rather than raw logon events keeps service accounts with many repeat logons to a single server from flooding the results.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess'
| where Protocol == 'Ntlm'
| summarize LogonCount=count(), DistinctTargets=dcount(DestinationDeviceName), TargetDevices=make_set(DestinationDeviceName, 25) by AccountDisplayName, IPAddress, DeviceName
| where DistinctTargets > 5
| order by DistinctTargets desc
SENTINEL Detect Connections to QakBot/Emotet C2 and Malware Staging Infrastructure

Identifies any network traffic destined for Feodotracker-confirmed C2 IPs or URLhaus-confirmed malware download IPs across all log sources ingested into Sentinel.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218', '110.37.39.32', '110.36.28.230', '113.229.188.49', '27.220.76.50', '115.59.80.140', '112.242.90.238', '113.239.237.55')
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DeviceAction, Activity
| order by TimeGenerated desc
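The matching the Sentinel query performs, as a standalone sweep for log exports from sites or hosts that do not forward to Sentinel. This is an added example, not part of the original report: it parses CEF lines of the shape CommonSecurityLog ingests, using the standard CEF keys (src, dst, request, act) that Sentinel maps to SourceIP, DestinationIP, RequestURL and DeviceAction. The IOCs are the ones listed in this section; the four log lines are constructed sample data.

```python
"""Offline IOC sweep over CEF-format firewall/proxy exports.

Added example, not part of the report: the same matching the Sentinel query
above does, for sites that cannot query CommonSecurityLog. IOCs are the ones
listed in this section; the log lines are constructed sample data.
"""
import re
from urllib.parse import urlsplit

# Feodotracker C2 IPs from the IOC list above.
C2_IPS = {
    "162.243.103.246": "Emotet C2 (US)",
    "50.16.16.211": "QakBot C2 (US)",
    "34.204.119.63": "QakBot C2 (US)",
    "178.62.3.223": "QakBot C2 (GB)",
    "27.133.154.218": "QakBot C2 (JP)",
}
# URLhaus download URLs from the IOC list above; host IPs derived from them.
URLHAUS_URLS = {
    "http://110.37.39.32:48888/bin.sh",
    "http://110.36.28.230:44960/i",
    "http://113.229.188.49:46902/bin.sh",
}
URLHAUS_HOSTS = {urlsplit(u).hostname for u in URLHAUS_URLS}

# CEF extension is "key=value key2=value2 ..."; values may contain '=' (URLs),
# so a value runs until the next " key=" boundary or the end of the line.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_cef(line):
    """Split a CEF line into its header fields plus extension keys."""
    parts = line.rstrip("\n").split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: " + line[:40])
    event = {"DeviceVendor": parts[1], "DeviceProduct": parts[2], "Activity": parts[5]}
    event.update(dict(_EXT_RE.findall(parts[7])))
    return event

def sweep(lines):
    """Return (line_no, reason) for every event touching listed infrastructure.

    Blocked connections ('act=deny') are reported too: a beacon the firewall
    dropped still identifies an infected host.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_cef(line)
        dst, url, act = ev.get("dst"), ev.get("request", ""), ev.get("act", "?")
        host = urlsplit(url).hostname if url else None
        if dst in C2_IPS:
            reason = f"C2 beacon to {dst}: {C2_IPS[dst]}"
        elif url in URLHAUS_URLS:
            reason = f"URLhaus-listed download URL {url}"
        elif dst in URLHAUS_HOSTS or host in URLHAUS_HOSTS:
            reason = f"traffic to URLhaus staging host {dst or host}"
        else:
            continue
        hits.append((n, f"{reason} (src={ev.get('src')}, action={act})"))
    return hits

# Constructed sample events: one allowed C2 beacon, one dropper fetch, one
# benign flow (203.0.113.10 is a documentation address), one blocked beacon.
SAMPLE_LOGS = [
    "CEF:0|Palo Alto Networks|PAN-OS|10.2|TRAFFIC|end|3|src=10.20.4.17 dst=178.62.3.223 dpt=443 act=allow",
    "CEF:0|Example|Proxy|1.0|URL|Allowed|3|src=10.20.4.31 dst=110.37.39.32 dpt=48888 request=http://110.37.39.32:48888/bin.sh act=allow",
    "CEF:0|Palo Alto Networks|PAN-OS|10.2|TRAFFIC|end|3|src=10.20.4.17 dst=203.0.113.10 dpt=443 act=allow",
    "CEF:0|Palo Alto Networks|PAN-OS|10.2|TRAFFIC|drop|5|src=10.20.7.9 dst=27.133.154.218 dpt=8443 act=deny",
]

if __name__ == "__main__":
    for line_no, reason in sweep(SAMPLE_LOGS):
        print(f"line {line_no}: {reason}")
```

Point it at a raw CEF export (`sweep(open(path))`) and feed the hits into the same Tier 2 escalation as the query results; the benign third line shows that an unlisted destination produces no output, and the fourth that a denied beacon is still reported.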
✅ Recommended Actions
→ IMMEDIATE: Block all five Feodotracker C2 IPs (162.243.103.246, 50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) at the perimeter firewall and web proxy (these are bare IPs, so DNS-layer blocking does not apply); give the entries an expiry and re-check Feodotracker, because QakBot/Emotet C2 nodes churn quickly and stale blocks accumulate
→ IMMEDIATE: Block all URLhaus malware download IPs (110.37.39.32, 110.36.28.230, 113.229.188.49, 27.220.76.50, 115.59.80.140, 112.242.90.238, 113.239.237.55) at the web proxy and firewall
→ IMMEDIATE: Submit AsyncRAT hash 6dcbbe9f8d4072b99884ceb48e69a6fef1d3cb8fffacebbfab602093dcb987d4 to your AV/EDR platform for blocking and a retrospective scan
→ IMMEDIATE: Run all four KQL hunting queries across MDE, MDI, and Sentinel; escalate any hits to Tier 2 for immediate investigation
→ SHORT-TERM: Sweep the email gateway for the last 7 days for attachments consistent with QakBot/Emotet delivery: Office documents with macros, HTML smuggling pages, and password-protected ZIP or ISO/IMG archives carrying LNK or script files
→ SHORT-TERM: Isolate any endpoint identified as communicating with the listed C2 IPs and begin full forensic triage
→ LONG-TERM: Integrate the Feodotracker and URLhaus feeds into SIEM threat intelligence and SOAR automated blocking playbooks, with feed-driven expiry rather than permanent entries
→ LONG-TERM: Harden macro execution policy via Group Policy so VBA macros in Office files from the internet (Mark of the Web) are blocked, and restrict ISO/IMG mounting for standard users
#2

CISA KEV: Critical Vulnerabilities in Cisco SD-WAN, PAN-OS, Ivanti EPMM, Microsoft Exchange, and BerriAI LiteLLM Actively Exploited

HIGH Unknown Threat Actor

CISA has added five vulnerabilities to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The most severe are CVE-2026-20182 (Cisco Catalyst SD-WAN authentication bypass allowing an unauthenticated remote attacker to obtain administrative privileges) and CVE-2026-0300 (Palo Alto Networks PAN-OS out-of-bounds write in the User-ID Authentication Portal enabling unauthenticated root-level RCE on PA-Series and VM-Series firewalls). Also notable are CVE-2026-6973 (Ivanti EPMM RCE for authenticated admin users), CVE-2026-42897 (Microsoft Exchange Server XSS in Outlook Web Access), and CVE-2026-42208 (BerriAI LiteLLM SQL injection exposing proxy credentials). Together they span network edge infrastructure, endpoint management, mail, and AI tooling. KEV inclusion confirms exploitation but does not attribute it: no specific actor is tied to these entries, so prioritise by exposure (internet-facing, unauthenticated, root) rather than by speculation about who is using them.

🔴 Indicators of Compromise
CVE CVE-2026-20182 Cisco Catalyst SD-WAN authentication bypass; unauthenticated remote attacker can obtain administrative privileges. CISA KEV confirmed active exploitation. CISA Emergency Directive 26-03 issued.
CVE CVE-2026-0300 Palo Alto Networks PAN-OS out-of-bounds write in User-ID Authentication Portal; unauthenticated RCE with root privileges on PA-Series and VM-Series firewalls. CISA KEV confirmed active exploitation. Patches released by Palo Alto.
CVE CVE-2026-6973 Ivanti EPMM improper input validation; authenticated remote admin can achieve RCE. CISA KEV confirmed active exploitation.
CVE CVE-2026-42897 Microsoft Exchange Server XSS vulnerability in Outlook Web Access; arbitrary JavaScript execution in browser context under specific interaction conditions. CISA KEV confirmed active exploitation.
CVE CVE-2026-42208 BerriAI LiteLLM SQL injection; attacker can read and modify the proxy database including managed credentials. CISA KEV confirmed active exploitation.
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application
T1078 Valid Accounts
T1505.003 Server Software Component: Web Shell
T1562.001 Impair Defenses: Disable or Modify Tools (supersedes the retired identifier T1089)
🟢 Hunt Queries
SENTINEL Detect Exploitation Attempts Against Palo Alto PAN-OS User-ID Authentication Portal (CVE-2026-0300)

Identifies HTTP/HTTPS requests from non-private source addresses that reach the PAN-OS User-ID Authentication Portal, consistent with CVE-2026-0300 exploitation attempts. The portal is served by the firewall itself, so scope the query to the firewall's own portal interface addresses (uncomment and fill in the DestinationIP line) and confirm via the log forwarding profile that portal hits are actually forwarded; matching generic terms such as 'login' or 'php' across all web traffic produces mostly noise. ipv4_is_private() covers 10/8, 172.16/12 and 192.168/16 correctly, whereas a prefix test on '172.' would also discard every public 172.x source.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceVendor == 'Palo Alto Networks'
// | where DestinationIP in ('<portal-interface-ip>')   // scope to the firewall's portal interface addresses
| where RequestURL has_any ('captive-portal', 'user-id', 'auth-portal')
| where not(ipv4_is_private(SourceIP))
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, RequestMethod, DeviceAction, AdditionalExtensions
| order by TimeGenerated desc
SENTINEL Detect Unauthorized Administrative Access on Cisco Catalyst SD-WAN (CVE-2026-20182)

Hunts for administrative logins or configuration changes on Cisco Catalyst SD-WAN infrastructure originating from non-private addresses, consistent with authentication bypass exploitation of CVE-2026-20182. Because the bypass yields a valid admin session, the strongest signal is an admin login whose source is not one of your jump hosts or management subnets; an allowlist of those addresses is the first tuning to add. ipv4_is_private() is used instead of string prefixes so that public 172.x sources are not silently excluded.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceVendor has 'Cisco'
| where Activity has_any ('admin', 'login', 'authentication', 'privilege', 'config')
| where not(ipv4_is_private(SourceIP))
| project TimeGenerated, SourceIP, DestinationIP, Activity, DeviceAction, AdditionalExtensions
| order by TimeGenerated desc
MDE Detect Post-Exploitation Activity Following Ivanti EPMM RCE (CVE-2026-6973)

Identifies suspicious process execution patterns on systems hosting Ivanti EPMM that could indicate successful exploitation of CVE-2026-6973, including spawning of shell processes or unusual outbound connections.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName has_any ('java', 'tomcat', 'ivanti', 'epmm')
| where FileName in ('cmd.exe', 'powershell.exe', 'sh', 'bash', 'curl', 'wget', 'certutil.exe', 'bitsadmin.exe')
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
SENTINEL Detect Microsoft Exchange OWA XSS Exploitation Indicators (CVE-2026-42897)

Identifies JavaScript injection patterns in requests to Outlook Web Access, consistent with CVE-2026-42897 exploitation attempts. Payloads reach proxy logs percent-encoded, so the URL is decoded (twice, to cover double encoding) before matching; a raw substring test on '<script' sees only '%3Cscript' and misses the request. Expect some benign hits from bookmarklets and security scanners; confirm by checking whether the request was served with a 200 and whether the same source touched other OWA paths.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any ('/owa/', '/exchange/', '/outlook/')
| extend DecodedUrl = tolower(url_decode(url_decode(RequestURL)))
| where DecodedUrl matches regex @'<script|javascript:|onerror=|onload=|alert\(|document\.cookie'
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DecodedUrl, RequestMethod, DeviceAction
| order by TimeGenerated desc
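The decode-then-match step the OWA query relies on, worked through offline so the difference from naive matching is visible. This is an added example, not part of the original report or of any vendor detection; the request URLs are constructed, and the marker list is the one used in the query above.

```python
"""Decode-then-match for XSS indicators in OWA request URLs.

Added example, not from the report or any vendor detection: shows why the
Sentinel query above decodes RequestURL before matching. Payloads reach
proxy logs percent-encoded, sometimes twice, or as HTML entities, so a raw
substring test misses them. Sample URLs are constructed.
"""
from html import unescape
from urllib.parse import unquote_plus

# Indicator strings from the report's query, matched case-insensitively.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=", "alert(", "document.cookie")
OWA_PATHS = ("/owa/", "/exchange/", "/outlook/")

def normalize_url(url, max_rounds=3):
    """Lower-case the URL after repeated percent- and entity-decoding.

    Rounds are bounded so a pathological input cannot loop; three rounds is
    enough for double encoding plus an entity layer. '+' becomes a space, as
    a browser would treat it in a query string.
    """
    cur = url
    for _ in range(max_rounds):
        nxt = unescape(unquote_plus(cur))
        if nxt == cur:
            break
        cur = nxt
    return cur.lower()

def raw_indicators(url):
    """Naive matching on the logged URL as-is (what an undecoded query does)."""
    lowered = url.lower()
    return [m for m in XSS_MARKERS if m in lowered]

def xss_indicators(url):
    """Markers present once the URL is decoded; only OWA paths are considered."""
    decoded = normalize_url(url)
    if not any(p in decoded for p in OWA_PATHS):
        return []
    return [m for m in XSS_MARKERS if m in decoded]

# Constructed requests: clean, single-encoded, double-encoded, HTML-entity
# encoded, and an encoded payload against a non-OWA path.
SAMPLE_REQUESTS = [
    "https://mail.example.com/owa/?ae=Item&t=IPM.Note&id=abc",
    "https://mail.example.com/owa/?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    "https://mail.example.com/owa/?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert%2528document.cookie%2529%253E",
    "https://mail.example.com/owa/?q=&lt;script&gt;",
    "https://intranet.example.com/app/?q=%3Cscript%3E",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(f"raw={raw_indicators(url)}  decoded={xss_indicators(url)}  {url}")
```

The second sample is the instructive one: the raw URL contains none of the markers, while the decoded form carries both `<script` and `alert(`. Entity decoding is deliberately lenient (legacy entities without a trailing semicolon are resolved, as browsers do), which is the right bias for a hunt query and the wrong one for anything that blocks traffic automatically.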
✅ Recommended Actions
→ IMMEDIATE: Apply Cisco Catalyst SD-WAN patches per CISA Emergency Directive 26-03 and CISA Hunt & Hardening Guidance for Cisco SD-WAN devices; restrict management interface access to trusted IPs only
→ IMMEDIATE: Apply Palo Alto Networks PAN-OS patches released 2026-05-13; until patched, restrict User-ID Authentication Portal access to trusted zones only and disable it if not operationally required
→ IMMEDIATE: Apply Ivanti EPMM mitigations per vendor instructions for CVE-2026-6973; audit all recent administrative actions in the EPMM console for unauthorized RCE indicators
→ IMMEDIATE: Apply Microsoft Exchange Server patches for CVE-2026-42897; review OWA access logs for XSS payload patterns
→ IMMEDIATE: Apply BerriAI LiteLLM patches for CVE-2026-42208; rotate all credentials managed by or accessible through the LiteLLM proxy immediately
→ SHORT-TERM: Run all four KQL queries to hunt for active exploitation evidence in your environment
→ SHORT-TERM: Conduct a vulnerability scan of all affected product versions (Exchange, Cisco SD-WAN, PAN-OS, Ivanti EPMM, LiteLLM) to identify unpatched instances
→ LONG-TERM: Ensure all five CVEs are tracked in your vulnerability management program with SLA timers aligned to BOD 22-01 remediation deadlines
#3

Active npm Supply Chain Attack - Mini Shai-Hulud Campaign Compromises @antv Ecosystem and chalk-tempalte Package

MEDIUM Unknown Threat Actor

AlienVault OTX reports an active npm supply chain attack designated the 'Mini Shai-Hulud' campaign, which has compromised 639 packages in the @antv ecosystem by taking over the maintainer account 'atool'. A copycat variant has also appeared in the npm package 'chalk-tempalte', published five days after the original worm's source was released by its creators, alongside three further malicious packages from the same threat actor. The pattern is the worm-based npm supply chain attack in which one compromised maintainer account cascades malicious code across hundreds of dependent packages, with the payload running from a lifecycle (postinstall) script at install time. Organizations using @antv data visualization libraries, or anything that depends on them transitively, in development pipelines or production Node.js applications should treat this as a high-priority dependency audit. Separately, the stamparm/maltrail project on GitHub has updated its hacked_pypirepos.txt and bad_script.txt signatures, indicating concurrent activity in compromised PyPI repositories and a broader open-source supply chain threat posture today.

🔴 Indicators of Compromise
PACKAGE @antv ecosystem (639 compromised packages); maintainer account 'atool' compromised in the Mini Shai-Hulud npm supply chain campaign. Treat every package published under the @antv scope as potentially compromised until the affected versions are confirmed. AlienVault OTX confirmed.
PACKAGE chalk-tempalte (npm) Copycat Shai-Hulud worm infection. Distinct from the legitimate 'chalk-template' package; the transposed letters are a deliberate typosquat. AlienVault OTX confirmed.
HASH 3167d724d58a4e36528eb3458648301670c32d97461d87058738bda2ff79c2db Executable dropped by GCleaner (MIX3.file tag); MalwareBazaar confirmed. GCleaner is a pay-per-install loader; it is listed here as same-day dropper activity and is not tied to the npm campaign.
HASH 084d2d3e2fd1a6613dcbc247737da8473498dbd2b1e367eab7d7c1149e8090f8 Executable dropped by GCleaner (MIX4.file tag); MalwareBazaar confirmed, same timeframe as the first sample.
URL https://0zfu07h8.audioattenuatorschematic.digital/?ublib=2897a368-da61-44b7-a104-12985a052ff6 Active malware download URL with a UUID query parameter; URLhaus confirmed. Identifiers like this track downloads per victim or per campaign, so the UUID will differ between victims and should not be matched on; block the domain.
URL https://vintage-telemetry-receiver.garden/4f8006b4-9542-4bdc-8297-abe7ef4b020c/google.ct Active malware download URL; URLhaus confirmed. The google.ct filename imitates Google Certificate Transparency data to look like routine traffic; the UUID path segment is again a tracking identifier.
🟣 MITRE ATT&CK TTPs
T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools
T1554 Compromise Host Software Binary (formerly Compromise Client Software Binary)
T1059.007 Command and Scripting Interpreter: JavaScript
🟢 Hunt Queries
MDE Detect npm Post-Install Script Executing Suspicious Child Processes

Identifies npm or Node.js processes spawning shell or scripting interpreter child processes, consistent with a malicious npm package lifecycle (postinstall) script executing during the Shai-Hulud supply chain attack. Expect benign hits on developer machines and build agents: native-module builds (node-gyp) and many legitimate packages spawn sh or cmd.exe during install. Baseline those, then focus on children that reach out to the network (curl, wget, certutil, bitsadmin) or run encoded PowerShell, and on hits from CI runners where nobody should be installing packages interactively.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName has_any ('node.exe', 'npm.cmd', 'npm', 'npx')
| where FileName in ('cmd.exe', 'powershell.exe', 'sh', 'bash', 'curl', 'wget', 'certutil.exe', 'bitsadmin.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe')
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
MDE Detect GCleaner Dropper Hashes from MalwareBazaar

Identifies execution of GCleaner-dropped executables (MIX3.file and MIX4.file) on endpoints, as confirmed by MalwareBazaar in the last 24 hours.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where SHA256 in ('3167d724d58a4e36528eb3458648301670c32d97461d87058738bda2ff79c2db', '084d2d3e2fd1a6613dcbc247737da8473498dbd2b1e367eab7d7c1149e8090f8')
| project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName
| order by TimeGenerated desc
SENTINEL Detect Connections to UUID-Parameterized Malware Download Infrastructure

Identifies outbound connections to the two URLhaus-confirmed malware download domains and pulls out the UUID carried in the URL so analysts can correlate downloads across hosts. The UUID pattern is only extracted, never used on its own as a filter: a bare UUID regex over every RequestURL matches an enormous volume of legitimate traffic (cloud APIs, CDN assets, SaaS session identifiers).

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any ('audioattenuatorschematic.digital', 'vintage-telemetry-receiver.garden')
| extend CampaignId = extract(@'([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})', 1, RequestURL)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, CampaignId, DeviceAction, Activity
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Audit package-lock.json, yarn.lock and pnpm-lock.yaml in production applications and CI/CD pipelines for @antv scoped packages and the chalk-tempalte package (note the typo versus the legitimate chalk-template); remove or replace any compromised versions. Audit the lockfile rather than package.json alone, because a compromised scope usually enters as a transitive dependency
→ IMMEDIATE: Block the two URLhaus malware download domains (audioattenuatorschematic.digital, vintage-telemetry-receiver.garden) at DNS and web proxy layers
→ IMMEDIATE: Scan all endpoints for the two GCleaner-dropped payload hashes (3167d724d58a4e36528eb3458648301670c32d97461d87058738bda2ff79c2db, 084d2d3e2fd1a6613dcbc247737da8473498dbd2b1e367eab7d7c1149e8090f8) using EDR retrospective scan
→ SHORT-TERM: Run the three KQL hunting queries to identify any npm post-install execution anomalies or GCleaner payload executions in your environment
→ SHORT-TERM: Run npm audit --audit-level=high in CI, but do not rely on it for this campaign: advisories lag a fresh compromise by hours to days. Install with npm ci --ignore-scripts (or set ignore-scripts=true in .npmrc) so lifecycle scripts cannot run during builds, keep exact versions pinned in the lockfile, and consider a private npm mirror or package allowlist for production builds
→ SHORT-TERM: Review the stamparm/maltrail updates to hacked_pypirepos.txt, bad_script.txt, and powershell_injector.txt for additional IOCs relevant to Python development environments
→ LONG-TERM: Deploy a Software Composition Analysis (SCA) solution integrated into the build pipeline to continuously monitor for compromised or vulnerable open-source dependencies
→ LONG-TERM: Establish a developer security awareness program covering supply chain attack risks, including typosquatting, maintainer account compromise, and malicious postinstall scripts; developers with npm publish rights should use phishing-resistant 2FA and rotate npm tokens if a build on their machine pulled a compromised package
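The lockfile audit from the first recommended action, as a script rather than a manual grep. This is an added example, not part of the original report and not npm tooling: it walks the `packages` map of a lockfileVersion 2 or 3 package-lock.json and flags @antv scoped packages, the chalk-tempalte typosquat, near-misses of a short list of popular names by edit distance, and any package npm recorded with `hasInstallScript`, which is where a Shai-Hulud-style payload would run. The lockfile and the version numbers in it are constructed, and WATCHED_NAMES is an assumed list to tune to your own stack.

```python
"""Audit a package-lock.json for the packages named in this report.

Added example, not from the report or from npm: walks the lockfile's
"packages" map (lockfileVersion 2 or 3) and flags @antv scoped packages,
the chalk-tempalte typosquat, near-misses of a short list of popular names
by edit distance, and any package npm recorded as carrying install scripts
("hasInstallScript"), which is where Shai-Hulud-style payloads execute.
The lockfile below is a constructed sample; WATCHED_NAMES is an assumed
list to tune to your own stack.
"""
import json

COMPROMISED_SCOPES = {"@antv"}
COMPROMISED_NAMES = {"chalk-tempalte"}
WATCHED_NAMES = {"chalk-template", "chalk", "lodash", "express", "axios"}  # assumption
TYPO_DISTANCE = 2  # <= 2 edits catches transpositions and a single dropped letter

def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def package_name(path):
    """Lockfile keys are paths; the name is everything after the last node_modules/."""
    return path.rsplit("node_modules/", 1)[-1]

def audit_lockfile(lock):
    """Return (name, version, finding) tuples; a package can appear more than once."""
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with npm >= 7")
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name, version = package_name(path), meta.get("version", "?")
        scope = name.split("/")[0] if name.startswith("@") else None
        if scope in COMPROMISED_SCOPES:
            findings.append((name, version, "compromised scope"))
        if name in COMPROMISED_NAMES:
            findings.append((name, version, "known malicious package"))
        elif name not in WATCHED_NAMES:
            for legit in sorted(WATCHED_NAMES):
                if edit_distance(name, legit) <= TYPO_DISTANCE:
                    findings.append((name, version, f"possible typosquat of {legit}"))
        if meta.get("hasInstallScript"):
            findings.append((name, version, "runs install script"))
    return findings

# Constructed lockfile: one @antv package, the typosquat with an install
# script, the legitimate chalk-template, a lodash look-alike, and a nested
# transitive dependency to show scoped and nested paths are handled.
SAMPLE_LOCK = json.loads("""
{
  "name": "sample-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "sample-app", "version": "1.0.0"},
    "node_modules/@antv/g2": {"version": "5.2.1"},
    "node_modules/chalk-tempalte": {"version": "1.0.3", "hasInstallScript": true},
    "node_modules/chalk-template": {"version": "1.1.0"},
    "node_modules/lodahs": {"version": "4.17.21"},
    "node_modules/express": {"version": "4.19.2"},
    "node_modules/@antv/g2/node_modules/d3-array": {"version": "3.2.4"}
  }
}
""")

if __name__ == "__main__":
    for name, version, why in audit_lockfile(SAMPLE_LOCK):
        print(f"{why:30} {name}@{version}")
```

Run it against every package-lock.json in the repository, including workspace sub-packages, with `audit_lockfile(json.load(open(path)))`. The edit-distance check is a heuristic: short legitimate names within two edits of a watched name (chai against chalk, for instance) will be reported, so keep the threshold low and add an allowlist rather than raising it. The `hasInstallScript` flag is the one to act on first, since that is the package whose code already ran on the machine that produced the lockfile.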