โ† Back to Dashboard
May 21, 2026

Daily Threat Intelligence Report — 2025-07-14

22 IOCs | 12 TTPs | 10 KQL Queries

Executive Summary

Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure, confirmed across five IPs by Feodotracker, alongside a cluster of malware samples observed in MalwareBazaar that includes AsyncRAT, Gh0stRAT/ValleyRAT, RemcosRAT, and Phorpiex-dropped CoinMiners. A ClickFix campaign targeting both Windows and macOS users through fake CAPTCHA pages is actively deploying stealers, and a PyPI supply chain attack attributed to the actor TeamPCP has compromised Microsoft DurableTask Python client versions 1.4.1–1.4.3. SOC teams should immediately block all five Feodotracker C2 IPs, quarantine the listed malware hashes, and audit Python package environments for the compromised DurableTask versions.

#1 Active QakBot and Emotet C2 Infrastructure Detected Across US, UK, and JP — Multi-Family Banking Malware Campaign

Severity: CRITICAL | Attributed actor: TA505

Feodotracker has confirmed five active command-and-control servers associated with QakBot (four IPs) and Emotet (one IP), operating across the United States, the United Kingdom, and Japan as of the last 24 hours. QakBot and Emotet are modular banking trojans historically leveraged by TA505 and affiliated initial access brokers to establish persistent footholds that are then monetised through ransomware deployment, credential theft, and lateral movement. The geographic spread of the QakBot C2 nodes, spanning the US (50.16.16.211, 34.204.119.63), GB (178.62.3.223), and JP (27.133.154.218), points to global campaign infrastructure built to evade geographically scoped blocking. Any outbound connection from an internal host to these IPs should be treated as a confirmed compromise indicator requiring immediate isolation and forensic investigation.

🔴 Indicators of Compromise
IP 162.243.103.246: Emotet C2 server hosted in the United States (Feodotracker confirmed active within the last 24 hours)
IP 50.16.16.211: QakBot C2 server hosted in the United States (Feodotracker confirmed active within the last 24 hours)
IP 34.204.119.63: QakBot C2 server hosted in the United States (Feodotracker confirmed active within the last 24 hours)
IP 178.62.3.223: QakBot C2 server hosted in the United Kingdom (Feodotracker confirmed active within the last 24 hours)
IP 27.133.154.218: QakBot C2 server hosted in Japan (Feodotracker confirmed active within the last 24 hours)
HASH d80cc8fb6839fbd7f636ddb293c00a92afe8b2480609ff847047fe84653d4d53: Banker DLL sample tagged with IP 157-230-222-44 (MalwareBazaar confirmed); likely dropper component associated with the banking malware cluster
HASH a6593508ead57038569489dfacdf127021405fdf4edbfd1f7d63ad68712410b2: Banker BAT script tagged with IP 157-230-222-44 (MalwareBazaar confirmed); execution component associated with the banking malware cluster
🟣 MITRE ATT&CK TTPs
T1566.001 Spearphishing Attachment
T1071.001 Application Layer Protocol: Web Protocols
T1055 Process Injection
T1021.001 Remote Services: Remote Desktop Protocol
🟢 Hunt Queries
[MDE] Hunt for C2 Connections to Confirmed QakBot and Emotet Infrastructure

Detects outbound network connections from any device to the five Feodotracker-confirmed QakBot and Emotet C2 servers. Any hit should be treated as a high-priority confirmed compromise indicator.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| where ActionType == 'ConnectionSuccess'
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by TimeGenerated desc
[MDE] Detect Banker DLL and BAT Sample Execution — QakBot/Emotet Dropper Chain

Hunts for file events whose SHA256 matches the confirmed banker DLL and BAT dropper samples identified in MalwareBazaar. The query matches on hash only; DLL loads from non-standard paths are recorded in DeviceImageLoadEvents and would need a separate query.

DeviceEvents
| where TimeGenerated > ago(24h)
| where SHA256 in ('d80cc8fb6839fbd7f636ddb293c00a92afe8b2480609ff847047fe84653d4d53', 'a6593508ead57038569489dfacdf127021405fdf4edbfd1f7d63ad68712410b2')
| project TimeGenerated, DeviceName, ActionType, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
[MDI] Detect Post-Compromise Lateral Movement via NTLM Following QakBot C2 Contact

Identifies accounts performing high-volume NTLM logons that may indicate lateral movement following QakBot/Emotet initial access. Cross-reference the results with devices that connected to the Feodotracker C2 IPs.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess'
| where Protocol == 'Ntlm'
| summarize LogonCount=count(), TargetDevices=make_set(DeviceName) by AccountDisplayName, IPAddress
| where LogonCount > 5
| order by LogonCount desc
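The MDI query above leaves the cross-reference against C2-contacting devices to the analyst. The following query performs that join directly; it is an added example rather than one of the report's own queries, and assumes a Sentinel workspace where the Defender XDR connector exposes both DeviceNetworkEvents and IdentityLogonEvents, keeping the report's threshold of more than five NTLM logons.

```kql
// Added example: correlate Feodotracker C2 contact with subsequent NTLM lateral movement.
let C2Ips = dynamic(['162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218']);
// Devices that completed a connection to any of the five C2 IPs in the last 24 hours
let C2Contacts = DeviceNetworkEvents
    | where TimeGenerated > ago(24h)
    | where ActionType == 'ConnectionSuccess' and RemoteIP in (C2Ips)
    | summarize FirstC2Contact = min(TimeGenerated), Beacons = count(), ContactedC2s = make_set(RemoteIP) by DeviceName
    // normalise to a lower-case short host name so FQDN and NetBIOS forms join
    | extend SourceHost = tolower(tostring(split(DeviceName, '.')[0]));
IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess' and Protocol == 'Ntlm'
| where isnotempty(DeviceName)
// DeviceName here is the device the logon originated from
| extend SourceHost = tolower(tostring(split(DeviceName, '.')[0]))
| join kind=inner C2Contacts on SourceHost
// keep only logons that happened after the first C2 contact from that device
| where TimeGenerated > FirstC2Contact
| summarize NtlmLogons = count(), Accounts = make_set(AccountDisplayName), Targets = make_set(TargetDeviceName)
    by SourceHost, FirstC2Contact, Beacons, ContactedC2s = tostring(ContactedC2s)
| where NtlmLogons > 5
| order by NtlmLogons desc
```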
[SENTINEL] Detect Outbound Traffic to QakBot and Emotet C2 Servers via Firewall Logs

Correlates perimeter firewall and proxy logs against the five confirmed Feodotracker C2 IPs for QakBot and Emotet. Covers traffic not visible to endpoint telemetry (e.g., from servers, IoT devices, or endpoints not enrolled in MDE).

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| project TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, RequestURL, Activity, DeviceVendor, DeviceProduct
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Block all five Feodotracker C2 IPs (162.243.103.246, 50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) at perimeter firewall, proxy, and DNS sinkhole; treat any existing outbound connection as confirmed compromise
→ IMMEDIATE: Submit hashes d80cc8fb6839fbd7f636ddb293c00a92afe8b2480609ff847047fe84653d4d53 and a6593508ead57038569489dfacdf127021405fdf4edbfd1f7d63ad68712410b2 to the EDR/AV platform for immediate detection and quarantine
→ IMMEDIATE: Isolate any endpoint found to have communicated with the listed C2 IPs and initiate incident response; assume credential theft and lateral movement have occurred
→ SHORT-TERM: Execute all four KQL queries across MDE, MDI, and Sentinel environments and triage all hits within 4 hours
→ SHORT-TERM: Review email gateway logs for BAT, DLL, and macro-enabled Office attachments received in the last 72 hours and quarantine suspicious items
→ SHORT-TERM: Enforce MFA on all RDP-accessible accounts and disable RDP on workstations where not operationally required
→ LONG-TERM: Integrate the Feodotracker C2 feed into the automated threat intel platform for real-time firewall rule updates
→ LONG-TERM: Deploy network traffic analysis tooling to baseline and alert on periodic beaconing patterns consistent with QakBot/Emotet C2 communication
#2 Multi-Family RAT Campaign: AsyncRAT, Gh0stRAT/ValleyRAT, and RemcosRAT Samples Active — SilverFox Infrastructure Linkage

Severity: HIGH | Attributed actor: Unknown Threat Actor

MalwareBazaar has confirmed four distinct remote access trojan samples active within the last 24 hours: AsyncRAT, Gh0stRAT (tagged SilverFox/ValleyRAT), a second SilverFox/ValleyRAT sample, and RemcosRAT delivered via a JavaScript dropper. Two separate hashes sharing the 'SilverFox' tag (ca70bc178c645aa50bb22b4845b552fedeea69d4023922cfbc57d79ce27b31d4 and 3683d673395b2ef445ea80d604af15a7d05c5d21cdcbbb02fc933298ba9b9862) indicate a coordinated campaign using SilverFox as a distribution service or toolkit, consistent with the AlienVault OTX report on Fox Tempest operating a malware-signing-as-a-service business. The JavaScript-based RemcosRAT delivery and the botnet/C2 tagging on the AsyncRAT sample suggest these families are being distributed through multiple independent campaigns simultaneously, substantially raising the probability of enterprise exposure across different attack vectors.

🔴 Indicators of Compromise
HASH 3c06afd6074e6b5a71138f3037d0b03d6ff4ee589d8aed2c15ae7db38250009e: AsyncRAT executable tagged botnet, c2, trojan (MalwareBazaar confirmed active)
HASH ca70bc178c645aa50bb22b4845b552fedeea69d4023922cfbc57d79ce27b31d4: Gh0stRAT executable tagged SilverFox and ValleyRAT (MalwareBazaar confirmed); likely Fox Tempest MSaaS signed sample
HASH 3683d673395b2ef445ea80d604af15a7d05c5d21cdcbbb02fc933298ba9b9862: SilverFox/ValleyRAT executable (MalwareBazaar confirmed); infrastructure overlap with the Gh0stRAT sample
HASH 1345f21a54489d342367deff244634710e027677d73452dfa10e132ccf860137: RemcosRAT delivered via JavaScript dropper (MalwareBazaar confirmed active)
URL https://okb0lvez.subdermalbiometricchip.digital/?ublib=48e0d0ba-a30a-4710-bf8d-2c181f9b94ef: Active malware download URL (URLhaus confirmed); likely serving RAT payloads
URL https://hasmysql.christmas/fa603fda-db92-4076-9c6c-a89fa306b822/zone.id: Active malware download URL (URLhaus confirmed); zone.id file path indicative of Windows download artifact delivery
URL https://regexcar.christmas/784faaec-059c-4fc5-9812-5df35c549fba/zone.id: Active malware download URL (URLhaus confirmed); zone.id path pattern matches a known malware staging technique
🟣 MITRE ATT&CK TTPs
T1059.007 Command and Scripting Interpreter: JavaScript
T1219 Remote Access Software
T1553.002 Subvert Trust Controls: Code Signing
T1105 Ingress Tool Transfer
🟢 Hunt Queries
[MDE] Detect Execution of Confirmed RAT Samples — AsyncRAT, Gh0stRAT, ValleyRAT, RemcosRAT

Hunts for process creation or file events matching the SHA256 hashes of the four confirmed RAT samples from MalwareBazaar. Any match indicates active malware execution and requires immediate incident response.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    '3c06afd6074e6b5a71138f3037d0b03d6ff4ee589d8aed2c15ae7db38250009e',
    'ca70bc178c645aa50bb22b4845b552fedeea69d4023922cfbc57d79ce27b31d4',
    '3683d673395b2ef445ea80d604af15a7d05c5d21cdcbbb02fc933298ba9b9862',
    '1345f21a54489d342367deff244634710e027677d73452dfa10e132ccf860137'
)
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName, AccountName
| order by TimeGenerated desc
[MDE] Detect JavaScript Dropper Execution via Windows Script Host — RemcosRAT Delivery

Identifies wscript.exe or cscript.exe spawning suspicious child processes, consistent with the JavaScript-based RemcosRAT delivery observed in MalwareBazaar sample 1345f21a54489d342367deff244634710e027677d73452dfa10e132ccf860137. Network connections initiated by the script host itself are not covered by this query.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName in~ ('wscript.exe', 'cscript.exe')
| where FileName in~ ('cmd.exe', 'powershell.exe', 'mshta.exe', 'regsvr32.exe', 'rundll32.exe', 'certutil.exe')
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName
| order by TimeGenerated desc
[SENTINEL] Detect Connections to URLhaus Malware Download Infrastructure — RAT Payload Staging

Identifies outbound connections to confirmed URLhaus malware download URLs associated with RAT payload delivery, including the unconventional .christmas and .digital TLD domains used for staging.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any (
    'hasmysql.christmas',
    'regexcar.christmas',
    'subdermalbiometricchip.digital',
    'okb0lvez'
)
or DestinationIP in ('123.132.166.119', '110.36.1.80', '123.14.91.149', '182.126.81.148', '178.80.46.95')
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, Activity, DeviceVendor
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Submit all four RAT hashes (3c06afd6074e6b5a71138f3037d0b03d6ff4ee589d8aed2c15ae7db38250009e, ca70bc178c645aa50bb22b4845b552fedeea69d4023922cfbc57d79ce27b31d4, 3683d673395b2ef445ea80d604af15a7d05c5d21cdcbbb02fc933298ba9b9862, 1345f21a54489d342367deff244634710e027677d73452dfa10e132ccf860137) to the EDR platform for immediate detection and block
→ IMMEDIATE: Block the three confirmed URLhaus malware download URLs (hasmysql.christmas, regexcar.christmas, subdermalbiometricchip.digital) at DNS and web proxy layers
→ IMMEDIATE: Block outbound connections to URLhaus IPs 123.132.166.119, 110.36.1.80, 123.14.91.149, 182.126.81.148, and 178.80.46.95 at the perimeter firewall
→ SHORT-TERM: Execute the three KQL detection queries across MDE and Sentinel and escalate all hits to Tier 2 analysts within 2 hours
→ SHORT-TERM: Alert threat hunters to search for persistence mechanisms (scheduled tasks, registry run keys, services) created by any of the four RAT sample hashes
→ SHORT-TERM: Review code signing validation policies; implement certificate authority allowlisting to mitigate the Fox Tempest MSaaS signed malware risk per AlienVault OTX intelligence
→ SHORT-TERM: Disable Windows Script Host (wscript.exe/cscript.exe) on endpoints where JavaScript execution is not operationally required
→ LONG-TERM: Subscribe to Fox Tempest and SilverFox/ValleyRAT threat intelligence feeds and integrate them into the SIEM threat intel platform for automated IOC matching
#3 Coordinated Phishing Campaign Impersonating Google Meet and Cryptocurrency Platforms — Credential and Wallet Harvesting

Severity: MEDIUM | Attributed actor: Unknown Threat Actor

OpenPhish has confirmed 15 active phishing URLs in the last 24 hours spanning two distinct campaigns: a Google Meet and collaboration platform impersonation cluster centered on the ecortbabylon.site domain (11 unique paths including Gmail, Duo, Google Meet, and login portals), and a cryptocurrency wallet harvesting campaign targeting MetaMask (metamaskwallet.to) and PancakeSwap (app-pancakeswap.to) users. The ecortbabylon.site infrastructure is particularly concerning because of its breadth: it hosts phishing pages for Gmail, Duo MFA bypass, generic login, location services, and cash PIN harvesting simultaneously, suggesting a single adversary operating a multi-tenant credential harvesting platform. This activity aligns with the meeting-themed lures of the AlienVault OTX ClickFix macOS campaign, and the Phishing.Database GitHub repository has received two feed updates in the last 24 hours, indicating active community detection of new phishing infrastructure.

🔴 Indicators of Compromise
URL http://live-join-gooqle-meet.4-c4.com/: Google Meet impersonation phishing page (OpenPhish confirmed active); typosquat of google.com
URL http://ecortbabylon.site/gmail/asdasd: Gmail credential harvesting phishing page on ecortbabylon.site (OpenPhish confirmed active)
URL http://ecortbabylon.site/duo/test: Duo MFA phishing page (OpenPhish confirmed); designed to capture MFA tokens in real time
URL http://ecortbabylon.site/cashpin: Cash PIN harvesting phishing page (OpenPhish confirmed); financial credential theft
URL http://livemeetcall.xyz/: Live meeting call impersonation phishing site (OpenPhish confirmed active)
URL http://metamaskwallet.to/: MetaMask cryptocurrency wallet phishing page (OpenPhish confirmed); targets Web3 credential and seed phrase theft
URL http://app-pancakeswap.to/: PancakeSwap DeFi platform phishing page (OpenPhish confirmed); targets cryptocurrency wallet connections
URL http://ecortbabylon.site/: Root phishing domain hosting multiple credential harvesting pages (OpenPhish confirmed); block the entire domain
🟣 MITRE ATT&CK TTPs
T1566.002 Spearphishing Link
T1557 Adversary-in-the-Middle
T1539 Steal Web Session Cookie
T1598.003 Phishing for Information: Spearphishing Link
🟢 Hunt Queries
[MDE] Detect DNS Queries and Network Connections to Active Phishing Domains

Identifies any device querying or connecting to the confirmed OpenPhish phishing domains, including the ecortbabylon.site multi-path credential harvesting platform and Google Meet/crypto impersonation sites.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteUrl has_any (
    'ecortbabylon.site',
    'live-join-gooqle-meet.4-c4.com',
    'livemeetcall.xyz',
    'metamaskwallet.to',
    'app-pancakeswap.to'
)
or RemoteUrl has_any (
    'ecortbabylon',
    'gooqle-meet',
    'livemeetcall'
)
| project TimeGenerated, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessAccountName
| order by TimeGenerated desc
[SENTINEL] Detect User Clicks to Phishing Infrastructure — Proxy and Firewall Logs

Correlates web proxy and firewall logs against all confirmed OpenPhish phishing domains. Captures traffic from devices not enrolled in MDE, such as BYOD or server infrastructure.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any (
    'ecortbabylon.site',
    'live-join-gooqle-meet.4-c4.com',
    'livemeetcall.xyz',
    'metamaskwallet.to',
    'app-pancakeswap.to'
)
| project TimeGenerated, SourceIP, SourceUserName, RequestURL, DestinationIP, Activity, DeviceVendor, DeviceProduct
| order by TimeGenerated desc
[MDI] Detect Post-Phishing Account Compromise — Impossible Travel and New Location Sign-ins

Hunts for authentication events consistent with stolen session cookies or credentials being used after a successful phish against the Google Meet or Gmail impersonation pages. The query below flags accounts that authenticated from more than one location within the same hour.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess'
| where isnotempty(Location)
| summarize
    LogonCount = count(),
    Locations = make_set(Location),
    IPAddresses = make_set(IPAddress)
    by AccountDisplayName, bin(TimeGenerated, 1h)
| where array_length(Locations) > 1
| order by TimeGenerated desc
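A stricter version of the new-location check, as an added example that is not one of the report's own queries: it compares the last 24 hours against a 14-day per-account baseline of locations and keeps only sign-ins from never-before-seen locations by users whose endpoint reached one of the OpenPhish domains. It assumes the Defender XDR tables in Sentinel and that InitiatingProcessAccountUpn in DeviceNetworkEvents and AccountUpn in IdentityLogonEvents hold comparable UPNs.

```kql
// Added example: sign-ins from locations never seen for the account in the prior 14 days,
// limited to users whose devices reached one of the confirmed OpenPhish domains.
let PhishDomains = dynamic(['ecortbabylon.site', 'live-join-gooqle-meet.4-c4.com', 'livemeetcall.xyz', 'metamaskwallet.to', 'app-pancakeswap.to']);
// Users whose endpoint contacted a phishing domain, with the time of the first visit
let ClickedUsers = DeviceNetworkEvents
    | where TimeGenerated > ago(24h)
    | where RemoteUrl has_any (PhishDomains)
    | where isnotempty(InitiatingProcessAccountUpn)
    | summarize FirstClick = min(TimeGenerated), PhishUrls = make_set(RemoteUrl)
        by Upn = tolower(InitiatingProcessAccountUpn);
// Per-account baseline of locations seen in the 14 days before the hunt window
let Baseline = IdentityLogonEvents
    | where TimeGenerated between (ago(15d) .. ago(24h))
    | where ActionType == 'LogonSuccess' and isnotempty(Location)
    | summarize by Upn = tolower(AccountUpn), Location;
IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess' and isnotempty(Location)
| extend Upn = tolower(AccountUpn)
// leftanti drops every (account, location) pair already present in the baseline
| join kind=leftanti Baseline on Upn, Location
| join kind=inner ClickedUsers on Upn
// only sign-ins that post-date the user's first visit to a phishing page
| where TimeGenerated > FirstClick
| project TimeGenerated, Upn, AccountDisplayName, Location, IPAddress, Protocol, FirstClick, PhishUrls
| order by TimeGenerated desc
```

Accounts with a thin baseline (new joiners, rarely used service accounts) will surface on any location, so triage against HR and provisioning data before revoking sessions.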
✅ Recommended Actions
→ IMMEDIATE: Block ecortbabylon.site (entire domain), live-join-gooqle-meet.4-c4.com, livemeetcall.xyz, metamaskwallet.to, and app-pancakeswap.to at DNS, web proxy, and email security gateway
→ IMMEDIATE: Notify the security awareness team to send a targeted employee advisory warning about Google Meet impersonation phishing; reference the legitimate Google Meet URL pattern (meet.google.com) for user verification
→ IMMEDIATE: Alert SOC analysts to monitor Entra ID / Azure AD sign-in logs for impossible travel, new device, and new location flags on all accounts in the last 24 hours
→ SHORT-TERM: Execute all three phishing detection KQL queries and investigate any user who accessed the phishing domains; initiate password reset and session revocation immediately
→ SHORT-TERM: Review and enforce MFA token binding where possible; migrate high-privilege accounts to FIDO2 hardware keys to resist AiTM phishing that captures Duo MFA tokens
→ SHORT-TERM: Submit all 15 OpenPhish URLs to the web filtering vendor for categorisation and block list updates
→ LONG-TERM: Implement Continuous Access Evaluation (CAE) in Microsoft Entra ID to enable near-real-time session token revocation following phishing-based compromise
→ LONG-TERM: Integrate OpenPhish and Phishing.Database GitHub feeds into automated DNS RPZ (Response Policy Zone) blocking for continuous phishing domain protection