Daily Threat Intelligence Report - 2025-07-14
Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure, confirmed across five IPs by Feodotracker, alongside a cluster of malware samples observed in MalwareBazaar that includes AsyncRAT, Gh0stRAT/ValleyRAT, RemcosRAT, and Phorpiex-dropped CoinMiners. A ClickFix campaign targeting both Windows and macOS users through fake CAPTCHA pages is actively deploying information stealers, and a PyPI supply chain attack attributed to the actor TeamPCP has compromised versions 1.4.1 through 1.4.3 of the Microsoft DurableTask Python client. SOC teams should immediately block all five Feodotracker C2 IPs at the perimeter and in proxy/DNS controls, quarantine and hunt for the listed malware hashes, and audit Python package environments (installed distributions, requirements and lock files) for the compromised DurableTask versions.
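The DurableTask audit recommended above can be scripted. The following added example (written for this report, not Microsoft's, PyPI's or pip's own tooling) parses pip freeze output and flags any distribution whose version falls in the 1.4.1 through 1.4.3 range named in the summary. It assumes the affected package is published on PyPI under the distribution name durabletask; the report names only the "Microsoft DurableTask Python client", so confirm the distribution name against the advisory before relying on this check. The freeze output embedded in the block is constructed sample data.

```python
"""Audit pip freeze output for the compromised DurableTask versions.

Added example for this report; not Microsoft's, PyPI's or pip's own code.
ASSUMPTION: the affected distribution is named "durabletask" on PyPI; the
report itself only says "Microsoft DurableTask Python client". The version
range 1.4.1 through 1.4.3 is taken from the report summary.
"""
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Affected distributions mapped to an inclusive (low, high) version range.
AFFECTED: Dict[str, Tuple[str, str]] = {
    "durabletask": ("1.4.1", "1.4.3"),   # ASSUMED PyPI name, see docstring
}


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """Return the numeric release segment of a version string as an int tuple.

    Pre-release and local suffixes (1.4.2rc1, 1.4.2+local) are dropped, so a
    pre-release of an affected version is treated as affected; that is the
    conservative choice for an audit.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(v: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    return v + (0,) * (n - len(v))


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range check on release segments, padding 1.4 to 1.4.0 etc."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    n = max(len(v), len(lo), len(hi))
    return _pad(lo, n) <= _pad(v, n) <= _pad(hi, n)


FREEZE_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)")


def parse_freeze(text: str) -> List[Tuple[str, str]]:
    """Extract (name, version) pairs from pip freeze output.

    Blank lines, comments, option lines, editable installs (-e ...) and
    direct references (pkg @ url) carry no pinned version and are skipped.
    """
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")) or " @ " in line:
            continue
        m = FREEZE_LINE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def audit_freeze(text: str) -> List[Tuple[str, str]]:
    """Return [(installed_name, version)] for every affected distribution."""
    findings = []
    for name, version in parse_freeze(text):
        rng = AFFECTED.get(normalize_name(name))
        if rng and in_range(version, *rng):
            findings.append((name, version))
    return findings


def audit_environment(python: str = sys.executable) -> List[Tuple[str, str]]:
    """Run pip freeze in the given interpreter and audit the result."""
    out = subprocess.run([python, "-m", "pip", "freeze"], check=True,
                         capture_output=True, text=True).stdout
    return audit_freeze(out)


# Constructed sample output, not from a real environment.
SAMPLE_FREEZE = """\
# constructed sample
azure-functions==1.21.3
DurableTask==1.4.2
durable-task-helpers==1.4.2
requests==2.32.3
-e git+https://example.invalid/tool.git#egg=tool
"""

if __name__ == "__main__":
    text = SAMPLE_FREEZE if len(sys.argv) < 2 else open(sys.argv[1]).read()
    for name, version in audit_freeze(text):
        print(f"AFFECTED: {name}=={version}")
```

Run it against a saved freeze file per virtual environment, or call audit_environment() with the path of each interpreter on a build host; the name normalisation means DurableTask and durabletask both match while a differently named package such as the constructed durable-task-helpers does not.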
Active QakBot and Emotet C2 Infrastructure Detected Across US, UK, and JP - Multi-Family Banking Malware Campaign
Severity: CRITICAL | Actor: TA505 (as tagged in the feed; note that Emotet is conventionally attributed to TA542 and QakBot was distributed by affiliates such as TA577, not by TA505)
Feodotracker has confirmed five active command-and-control servers associated with QakBot (four IPs) and Emotet (one IP) operating across the United States, United Kingdom, and Japan as of the last 24 hours. QakBot and Emotet are modular loaders with banking-trojan roots, run as malware-as-a-service and sold on to initial access brokers; the footholds they establish are subsequently monetised through ransomware deployment, credential theft, and lateral movement. The enumerated C2 nodes span the US (50.16.16.211, 34.204.119.63), GB (178.62.3.223), and JP (27.133.154.218); the fifth address is not listed in this report and should be taken from the Feodotracker feed directly. The geographic spread suggests campaign infrastructure designed to evade geographically scoped blocking. Any outbound connection attempt from an internal host to these IPs, whether allowed or denied at the perimeter, should be treated as a high-confidence compromise indicator requiring immediate isolation and forensic investigation. Because several of these addresses sit in public cloud or VPS provider ranges that are reassigned over time, confirm each IP's current status on Feodotracker before converting a temporary block into a permanent one.
Multi-Family RAT Campaign: AsyncRAT, Gh0stRAT/ValleyRAT, and RemcosRAT Samples Active - SilverFox Infrastructure Linkage
Severity: HIGH | Actor: Unknown Threat Actor
MalwareBazaar has confirmed four distinct remote access trojan samples active within the last 24 hours, spanning AsyncRAT, Gh0stRAT (tagged SilverFox/ValleyRAT), and RemcosRAT delivered via a JavaScript dropper. Two separate Gh0stRAT/ValleyRAT hashes carry the 'SilverFox' tag (ca70bc178c645aa50bb22b4845b552fedeea69d4023922cfbc57d79ce27b31d4 and 3683d673395b2ef445ea80d604af15a7d05c5d21cdcbbb02fc933298ba9b9862). Silver Fox is tracked as a Chinese-speaking group whose ValleyRAT is a Gh0stRAT derivative, so the shared tag points to a common operator or toolkit rather than two unrelated infections, which is consistent with the AlienVault OTX report on Fox Tempest operating a malware-signing-as-a-service business. The JavaScript-based RemcosRAT delivery and the AsyncRAT botnet/C2 tagging indicate that these families are being distributed through multiple independent campaigns at once, which raises the probability of enterprise exposure across different initial access vectors. Hunt for the two SHA256 hashes above in EDR and mail-gateway telemetry, and review .js attachments that execute via wscript.exe or cscript.exe and then make outbound connections, since that is the delivery path implied by the RemcosRAT dropper.
Coordinated Phishing Campaign Impersonating Google Meet and Cryptocurrency Platforms - Credential and Wallet Harvesting
Severity: MEDIUM | Actor: Unknown Threat Actor
OpenPhish has confirmed 15 active phishing URLs in the last 24 hours spanning two distinct campaigns: a Google Meet and collaboration-platform impersonation cluster centered on the ecortbabylon.site domain (11 unique paths covering Gmail, Duo, Google Meet, and generic login portals) and a cryptocurrency wallet harvesting campaign targeting MetaMask (metamaskwallet.to) and PancakeSwap (app-pancakeswap.to) users. The ecortbabylon.site infrastructure is particularly concerning because of its breadth: it simultaneously hosts phishing pages for Gmail, Duo MFA prompt impersonation, generic login, location services, and cash PIN harvesting, which suggests a single adversary operating a multi-tenant credential harvesting kit on one domain. Because the lures differ by path rather than by domain, block the registrable domain and its subdomains rather than the individual URLs; new paths can be added without any change to the observed domain. This activity aligns with the AlienVault OTX ClickFix macOS campaign that uses meeting-themed lures, and the Phishing.Database GitHub repository has received two feed updates in the last 24 hours, indicating active community detection of new phishing infrastructure.
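To turn the indicators from this section and the two preceding ones (the Feodotracker C2 IPs, the MalwareBazaar SHA256 hashes and the OpenPhish domains) into a single repeatable hunt, the following added example (written for this report, not code from Feodotracker, MalwareBazaar or OpenPhish) scans firewall, proxy and EDR log lines for all three IOC types. The IOC values are the ones quoted in the report, with only the four enumerated C2 addresses included; the key=value log format, the field names dst/host/sha256 and the log lines themselves are constructed sample data, and include two near-misses (a prefix of a C2 address and a look-alike host) that must not fire.

```python
"""Scan log lines for the C2 IPs, SHA256 hashes and phishing domains in this report.

Added example for this report; not code from Feodotracker, MalwareBazaar
or OpenPhish. The IOC values are the ones quoted in the report; the log
lines and their key=value field names are constructed sample data.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Feodotracker C2 addresses. The report enumerates four of the five, so only
# those four appear here; pull the fifth from the feed directly.
C2_IPS: Dict[str, str] = {
    "50.16.16.211": "QakBot/Emotet C2, US (Feodotracker)",
    "34.204.119.63": "QakBot/Emotet C2, US (Feodotracker)",
    "178.62.3.223": "QakBot/Emotet C2, GB (Feodotracker)",
    "27.133.154.218": "QakBot/Emotet C2, JP (Feodotracker)",
}
# MalwareBazaar hashes carrying the SilverFox tag.
MALICIOUS_SHA256: Dict[str, str] = {
    "ca70bc178c645aa50bb22b4845b552fedeea69d4023922cfbc57d79ce27b31d4": "Gh0stRAT/ValleyRAT (SilverFox)",
    "3683d673395b2ef445ea80d604af15a7d05c5d21cdcbbb02fc933298ba9b9862": "Gh0stRAT/ValleyRAT (SilverFox)",
}
# OpenPhish domains; matched as the registrable domain plus any subdomain.
PHISHING_DOMAINS: Dict[str, str] = {
    "ecortbabylon.site": "Google Meet/Gmail/Duo credential phishing",
    "metamaskwallet.to": "MetaMask wallet phishing",
    "app-pancakeswap.to": "PancakeSwap wallet phishing",
}


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str    # "c2_ip", "sha256" or "phish_domain"
    ioc: str     # matched value as seen in the log, lower-cased
    label: str   # description from the IOC table


# Field names are an assumption about the constructed log format below.
IP_RE = re.compile(r"\b(?:dst_ip|dest_ip|dst|dest)=(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b(?:dst_host|dest_host|host|sni)=([A-Za-z0-9.-]+)")
SHA_RE = re.compile(r"\b([0-9a-fA-F]{64})\b")


def phishing_domain_for(host: str) -> Optional[str]:
    """Return the listed domain that host equals or is a subdomain of, else None.

    The suffix match is anchored on a dot, so look-alikes such as
    notecortbabylon.site or ecortbabylon.site.example.com do not match.
    """
    host = host.lower().rstrip(".")
    for domain in PHISHING_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Return every IOC hit in the given log lines, in line order."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        for m in IP_RE.finditer(line):
            ip = m.group(1)
            try:
                ipaddress.ip_address(ip)   # reject 999.1.1.1-style non-addresses
            except ValueError:
                continue
            if ip in C2_IPS:
                hits.append(Hit(n, "c2_ip", ip, C2_IPS[ip]))
        for m in SHA_RE.finditer(line):
            digest = m.group(1).lower()
            if digest in MALICIOUS_SHA256:
                hits.append(Hit(n, "sha256", digest, MALICIOUS_SHA256[digest]))
        for m in HOST_RE.finditer(line):
            domain = phishing_domain_for(m.group(1))
            if domain:
                hits.append(Hit(n, "phish_domain", m.group(1).lower(), PHISHING_DOMAINS[domain]))
    return hits


# Constructed sample telemetry, including two near-misses that must not fire.
SAMPLE_LOGS = [
    "2025-07-14T08:01:12Z fw action=allow src=10.20.4.17 dst=50.16.16.211 dport=443 proto=tcp",
    "2025-07-14T08:01:15Z fw action=allow src=10.20.4.18 dst=50.16.16.21 dport=443 proto=tcp",
    "2025-07-14T08:03:40Z proxy src=10.20.4.22 host=login.ecortbabylon.site path=/duo/ status=200",
    "2025-07-14T08:04:02Z proxy src=10.20.4.22 host=ecortbabylon.site.example.com path=/ status=200",
    "2025-07-14T08:10:55Z edr event=file_write user=j.doe path=C:\\Users\\j.doe\\Downloads\\invoice.js "
    "sha256=CA70BC178C645AA50BB22B4845B552FEDEEA69D4023922CFBC57D79CE27B31D4",
    "2025-07-14T08:12:00Z fw action=deny src=10.20.4.30 dst=27.133.154.218 dport=8080 proto=tcp",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.ioc} -> {hit.label}")
```

Note that the denied connection on the last sample line is still reported: a blocked beacon attempt means the source host is already infected, so the perimeter verdict does not change the triage priority. Hash matching is case-insensitive and domain matching is suffix-anchored, which is what keeps the two near-miss lines silent.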