May 22, 2026

Daily Threat Intelligence Report: 2025-07-14

21 IOCs | 12 TTPs | 9 KQL Queries
Executive Summary

Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed by Feodotracker on US, GB, and JP nodes, alongside a batch of fresh Remote Access Trojan (RAT) samples (QuasarRAT, AsyncRAT, LokiRAT, RemcosRAT, and BlackShades) identified via MalwareBazaar. Lazarus Group is actively conducting a macOS-targeted ClickFix campaign distributing 'Mach-O Man' malware, confirmed by AlienVault OTX with 16 IOCs, while MUSTANG PANDA is targeting India's banking sector and South Korean diplomatic circles with a new LOTUSLITE backdoor variant. CISA has added CVE-2025-34291 (Langflow CORS/token abuse enabling arbitrary code execution) and CVE-2026-34926 (Trend Micro Apex One directory traversal) to the Known Exploited Vulnerabilities catalog, requiring immediate patching. Note that the Feodotracker C2 servers and the MalwareBazaar RAT samples are same-day feed observations and are not attributed to either APT on this page. SOC teams should immediately block all listed Feodotracker C2 IPs, submit the RAT hashes to EDR platforms, and prioritize patching of Langflow and Trend Micro Apex One deployments.

#1

Lazarus Group 'Mach-O Man' macOS ClickFix Campaign, with Same-Day QakBot/Emotet C2 Activity

Severity: CRITICAL | Threat actor: Lazarus Group

AlienVault OTX confirms Lazarus Group is conducting an active campaign targeting businesses via ClickFix social engineering, delivering a newly identified macOS malware kit dubbed 'Mach-O Man' through fake meeting invitations. The pulse carries 16 confirmed IOCs, and the campaign is designed to achieve persistent access on macOS endpoints, a platform historically underserved by enterprise EDR controls. ClickFix lures rely on the victim pasting an attacker-supplied command into Terminal, so the detection opportunity is on the endpoint (the shell and the download it spawns) rather than at the mail gateway. Separately, Feodotracker confirms four active QakBot C2 servers (50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) and one Emotet C2 (162.243.103.246), all with confirmed activity in the last 24 hours; QakBot and Emotet are Windows loaders commonly used for initial access brokering and lateral movement, and nothing on this page links them to the Lazarus campaign. MalwareBazaar further documents a fresh AsyncRAT sample (9860b2cdf23fc044bf7c6715197068b3cf6349f7ffb5e95dfd0229f212c40e63) and a CoinMiner payload dropped by Amadey (6e0ef3af90cd3e4a8d48b6e5fee62e5d88f69d007135314f9014e63cfb179e93). These are grouped here as the day's commodity-malware activity; attribution of the AsyncRAT and CoinMiner samples to Lazarus Group is not supported by the feeds and should not be reported as such.

🔴 Indicators of Compromise
IP 162.243.103.246 | Emotet C2 server hosted in US; Feodotracker confirmed active within the last 24 hours
IP 50.16.16.211 | QakBot C2 server hosted in US; Feodotracker confirmed active within the last 24 hours
IP 34.204.119.63 | QakBot C2 server hosted in US; Feodotracker confirmed active within the last 24 hours
IP 178.62.3.223 | QakBot C2 server hosted in GB; Feodotracker confirmed active within the last 24 hours
IP 27.133.154.218 | QakBot C2 server hosted in JP; Feodotracker confirmed active within the last 24 hours
HASH 9860b2cdf23fc044bf7c6715197068b3cf6349f7ffb5e95dfd0229f212c40e63 | AsyncRAT malware sample; MalwareBazaar confirmed, tagged AsyncRAT (commodity RAT, not attributed to Lazarus Group by the feed)
HASH 6e0ef3af90cd3e4a8d48b6e5fee62e5d88f69d007135314f9014e63cfb179e93 | CoinMiner payload dropped by the Amadey loader; MalwareBazaar confirmed, tagged dropped-by-Amadey, exe, 54e64e
URL http://42.231.42.65:57589/i | Active malware download URL; URLhaus confirmed malware_download category, likely used in payload staging
URL https://quantumvelocitylabs.christmas/78875570-5e84-486b-a61d-0005477244e6/g.ch | Active malware download URL served over HTTPS from a .christmas TLD domain; URLhaus confirmed malware_download
🟣 MITRE ATT&CK TTPs
T1566.002 Phishing: Spearphishing Link
T1071.001 Application Layer Protocol: Web Protocols
T1059.004 Command and Scripting Interpreter: Unix Shell (the ClickFix command pasted into Terminal on macOS)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Windows-only; applies to the QakBot, Emotet and AsyncRAT samples, not to the macOS kit)
🟢 Hunt Queries
MDE Hunt for C2 connections to QakBot and Emotet infrastructure

Detects outbound connection attempts to all five Feodotracker-confirmed QakBot and Emotet C2 servers active in the last 24 hours. Failed and firewall-blocked attempts are included deliberately: a beacon that never completes still means the host is infected.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)   // use Timestamp instead of TimeGenerated when running in the Defender portal
| where RemoteIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| where ActionType in ('ConnectionSuccess', 'ConnectionFailed', 'ConnectionRequest')
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by TimeGenerated desc
MDE Detect AsyncRAT and CoinMiner sample execution by hash

Identifies execution of MalwareBazaar-confirmed AsyncRAT and Amadey-dropped CoinMiner samples on endpoints.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    '9860b2cdf23fc044bf7c6715197068b3cf6349f7ffb5e95dfd0229f212c40e63',
    '6e0ef3af90cd3e4a8d48b6e5fee62e5d88f69d007135314f9014e63cfb179e93'
)
| project TimeGenerated, DeviceName, FileName, SHA256, ProcessCommandLine, AccountName, InitiatingProcessFileName
| order by TimeGenerated desc
SENTINEL Detect connections to URLhaus malware download infrastructure

Identifies internal hosts connecting to URLhaus-confirmed malware download URLs and IPs used for payload staging. The URL match is anchored to the exact staging paths ("/i" and "/bin.sh") on those hosts; matching the bare term "i" would hit almost every request in the log.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationIP in ('42.231.42.65', '110.39.226.242', '123.7.237.214', '112.238.131.71', '182.124.143.10', '115.55.45.238', '123.14.210.109')
    or RequestURL has 'quantumvelocitylabs.christmas'
    or RequestURL matches regex @'^https?://(42\.231\.42\.65|110\.39\.226\.242|123\.7\.237\.214|112\.238\.131\.71|182\.124\.143\.10|115\.55\.45\.238|123\.14\.210\.109)(:\d+)?/(i|bin\.sh)$'
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, Activity, DeviceVendor
| order by TimeGenerated desc
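MDE Hunt for ClickFix command execution on macOS endpoints

This query is an addition by the editor and is not part of the original report or the OTX pulse. It targets the delivery mechanism rather than the 16 pulse IOCs: ClickFix asks the victim to paste a command into Terminal, which appears in Defender for Endpoint as a shell, curl or osascript process started from Terminal (or from a browser or an interactive shell) that fetches a remote payload and executes it in one step, often after base64-decoding it or stripping the quarantine attribute. The parent process names, the keyword list and the 7-day lookback are assumptions for a first pass; the login shell Terminal starts is normal, so the signal comes from the command lines it spawns. Baseline against developer hosts, where curl-pipe-to-shell installers are common.

```kql
// Added example (editor's, not from the report): ClickFix fetch-and-execute pattern on macOS.
// Assumptions: MDE on macOS reports Terminal.app as 'Terminal' and Chrome as 'Google Chrome';
// the keyword list is a first-pass heuristic, tune it to your fleet.
DeviceProcessEvents
| where TimeGenerated > ago(7d)            // use Timestamp in the Defender portal
| join kind=inner (
    DeviceInfo
    | where OSPlatform == 'macOS'
    | distinct DeviceId
  ) on DeviceId
// the process that fetched, decoded, unquarantined or ran the payload ...
| where FileName in~ ('sh', 'bash', 'zsh', 'curl', 'osascript', 'python3', 'nohup', 'xattr', 'chmod')
// ... started from an interactive shell, Terminal, a browser, or AppleScript
| where InitiatingProcessFileName in~ ('zsh', 'bash', 'sh', 'Terminal', 'iTerm2', 'osascript',
                                        'Safari', 'Google Chrome', 'firefox', 'Microsoft Edge')
| extend Cmd = tolower(ProcessCommandLine)
// one-step fetch-and-execute, base64-decoded payloads, or Gatekeeper quarantine stripping
| where (Cmd has 'curl' and Cmd has_any ('| sh', '| bash', '| zsh', '-fssl'))
     or Cmd has_any ('base64 -d', 'base64 --decode', 'xattr -d com.apple.quarantine',
                     'chmod +x /tmp', 'chmod +x /private/tmp')
| summarize FirstSeen = min(TimeGenerated), Hits = count(),
            Commands = make_set(ProcessCommandLine, 5)
    by DeviceName, AccountName, InitiatingProcessFileName
| order by FirstSeen desc
```

A hit where the parent is Terminal or a browser and the child pipes curl into a shell is the ClickFix chain end to end; a hit where the parent is zsh alone is weaker on its own and should be read together with the C2 and hash queries above.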
✅ Recommended Actions
→ IMMEDIATE: Block all five Feodotracker C2 IPs (162.243.103.246, 50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) at perimeter firewall, proxy, and DNS sinkhole
→ IMMEDIATE: Submit the AsyncRAT hash (9860b2cdf23fc044bf7c6715197068b3cf6349f7ffb5e95dfd0229f212c40e63) and CoinMiner hash (6e0ef3af90cd3e4a8d48b6e5fee62e5d88f69d007135314f9014e63cfb179e93) to EDR/AV platforms for immediate blocking
→ IMMEDIATE: Block URLhaus-confirmed malware download IPs (42.231.42.65, 110.39.226.242, 123.7.237.214, 112.238.131.71, 182.124.143.10, 115.55.45.238, 123.14.210.109) and the domain quantumvelocitylabs.christmas at the web proxy
→ SHORT-TERM: Run all three KQL queries across the MDE and Sentinel environments and escalate any hits to Tier 2 immediately
→ SHORT-TERM: Brief macOS endpoint users on ClickFix fake meeting invitation lures; distribute a phishing awareness alert referencing the Lazarus Group Mach-O Man campaign
→ SHORT-TERM: Review the AlienVault OTX Lazarus Group Mach-O Man pulse (16 IOCs) and ingest it into the SIEM/TIP platform
→ LONG-TERM: Ensure macOS endpoints are enrolled in EDR with behavioural monitoring enabled; Lazarus Group is actively targeting macOS
→ LONG-TERM: Update threat intelligence feeds with all Feodotracker, URLhaus, and MalwareBazaar IOCs from this report
#2

MUSTANG PANDA LOTUSLITE Backdoor v1.1 Targeting India Banking Sector and South Korean Diplomacy via DLL Sideloading

Severity: HIGH | Threat actor: MUSTANG PANDA (China-aligned; attribution per AlienVault OTX)

AlienVault OTX documents a newly identified LOTUSLITE backdoor version 1.1 attributed to MUSTANG PANDA (China-aligned APT), actively targeting India's banking sector and South Korean diplomatic circles, with 11 confirmed IOCs. The backdoor is delivered via DLL sideloading: a legitimately signed executable is dropped alongside a malicious DLL carrying the name the executable expects, the Windows loader resolves that DLL from the application's own directory before any system path, and the malicious code then runs under a trusted, signed parent process, which is the endpoint-detection evasion the technique is designed for. Separately, GitHub/stamparm/maltrail confirms an update to the apt_kimsuky.txt trail list, indicating maintained coverage of Kimsuky (North Korean) infrastructure in the same region; the page establishes no link between that update and the LOTUSLITE campaign. The LOTUSLITE campaign's focus on banking sector targets in India elevates financial system risk, while the diplomatic targeting in South Korea presents espionage and data exfiltration concerns. Organizations in the Indian financial services sector and South Korean government supply chains should treat this as a priority threat.

🔴 Indicators of Compromise
HASH 23e04d32fec762b39dfadc746ee73f22ca83580f30aa8c69fec24afe79f87320 | QuasarRAT sample; MalwareBazaar confirmed, tagged QuasarRAT; commodity RAT with no attribution to MUSTANG PANDA on the feed, included as same-day RAT activity
HASH e70e2ca57d3ac6941b419b621cf144d4c3de70dcbaf09446bd3b7d2ead69399f | LokiRAT malware sample; MalwareBazaar confirmed, tagged LokiRAT; credential-harvesting RAT, likewise unattributed
HASH bc55dce2e859b0d282b04d328fce7e15663e7ba273172cadb39e9206d398ac99 | ELF binary; MalwareBazaar confirmed, tagged elf only, with no family label; Linux target, relevance to this campaign unconfirmed
URL http://110.39.226.242:42420/i | Active malware download URL; URLhaus confirmed malware_download; high non-standard port
URL http://110.39.226.242:42420/bin.sh | Active shell script delivery URL from the same host as above; URLhaus confirmed malware_download; a binary plus bin.sh on one high port is a layout commonly seen in Linux/IoT botnet loaders, and the page provides no evidence tying it to APT staging infrastructure
URL https://casaluna.spahotel.guru/ | Active phishing URL; OpenPhish confirmed; hospitality-themed domain used for credential harvesting
🟣 MITRE ATT&CK TTPs
T1574.002 Hijack Execution Flow: DLL Side-Loading
T1555.003 Credentials from Password Stores: Credentials from Web Browsers
T1027.003 Obfuscated Files or Information: Steganography (relates to the PureLogs/PawsRunner TXZ campaign noted under Recommended Actions, not to LOTUSLITE)
T1566.001 Phishing: Spearphishing Attachment
🟢 Hunt Queries
MDE Hunt for DLL Sideloading from Writable Directories (LOTUSLITE/MUSTANG PANDA TTP)

Detects signed, trusted executables running from user-writable directories that load a DLL from their own directory, which is the on-disk layout the LOTUSLITE sideloading delivery confirmed by AlienVault OTX relies on. Signature status is not a column of DeviceImageLoadEvents, so the query joins DeviceFileCertificateInfo on the parent process SHA1; the original InitiatingProcessSignatureStatus filter does not exist in that table and the query would not run. Expect hits from legitimate installers and portable apps, so baseline before alerting.

let WritableDirs = dynamic(['AppData', 'Temp', 'Downloads', 'Public', 'ProgramData']);
let SignedTrusted = DeviceFileCertificateInfo
    | where TimeGenerated > ago(30d)   // use Timestamp in the Defender portal
    | where IsSigned == true and IsTrusted == true
    | summarize Signer = take_any(Signer) by InitiatingProcessSHA1 = SHA1;
DeviceImageLoadEvents
| where TimeGenerated > ago(24h)
| where FileName endswith '.dll'
| where InitiatingProcessFolderPath !startswith @'C:\Windows'
    and InitiatingProcessFolderPath !startswith @'C:\Program Files'
| where InitiatingProcessFolderPath has_any (WritableDirs)
| extend ExeDir = tolower(tostring(parse_path(InitiatingProcessFolderPath).DirectoryPath)),
         DllDir = tolower(tostring(parse_path(FolderPath).DirectoryPath))
| where ExeDir == DllDir    // DLL sits beside the EXE, so it wins the search order
| join kind=inner SignedTrusted on InitiatingProcessSHA1
| project TimeGenerated, DeviceName, Signer, InitiatingProcessFileName, InitiatingProcessFolderPath, FileName, FolderPath, SHA256, InitiatingProcessAccountName
| order by TimeGenerated desc
MDE Detect LokiRAT, QuasarRAT, and ELF sample execution by hash

Identifies execution events matching MalwareBazaar-confirmed LokiRAT, QuasarRAT, and unclassified ELF binary samples relevant to APT credential harvesting operations.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    'e70e2ca57d3ac6941b419b621cf144d4c3de70dcbaf09446bd3b7d2ead69399f',
    '23e04d32fec762b39dfadc746ee73f22ca83580f30aa8c69fec24afe79f87320',
    'bc55dce2e859b0d282b04d328fce7e15663e7ba273172cadb39e9206d398ac99'
)
| project TimeGenerated, DeviceName, FileName, SHA256, ProcessCommandLine, AccountName, InitiatingProcessFileName, FolderPath
| order by TimeGenerated desc
SENTINEL Detect connections to OpenPhish-confirmed phishing infrastructure

Identifies internal hosts connecting to OpenPhish-confirmed phishing domains that impersonate brands for credential harvesting, relevant to the banking and diplomatic targeting in this item.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any (
    'casaluna.spahotel.guru',
    'pcn-noticyo.cyou',
    'oc-google.com.cn',
    'bet365casinoplay.online',
    'hengyitong.com.cn',
    'aumentosobremedida.s3.us-east-005.backblazeb2.com',
    'steamcommunnlty.com',
    'metamaskwallett.blogspot.com',
    'busines-help-center.com',
    'cdn-y-whatsapp.com.cn',
    'cdn-b-whatsapp.com.cn',
    'danyousen.com'
)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, Activity, DeviceVendor, SourceUserName
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Ingest the AlienVault OTX MUSTANG PANDA LOTUSLITE pulse (11 IOCs) into SIEM/TIP and block all associated indicators
→ IMMEDIATE: Submit LokiRAT (e70e2ca57d3ac6941b419b621cf144d4c3de70dcbaf09446bd3b7d2ead69399f) and QuasarRAT (23e04d32fec762b39dfadc746ee73f22ca83580f30aa8c69fec24afe79f87320) hashes to EDR for immediate blocking
→ IMMEDIATE: Block all 15 OpenPhish URLs at web proxy and DNS, with priority on the .com.cn domains impersonating Google, WhatsApp, and CDN services
→ SHORT-TERM: Run the DLL sideloading detection KQL query across all MDE-enrolled endpoints and prioritize investigation of any signed executable loading a DLL from a writable path
→ SHORT-TERM: Implement email gateway rules to block or quarantine TXZ archive attachments; the PureLogs/PawsRunner steganography campaign uses this vector
→ SHORT-TERM: Brief the SOC team on MUSTANG PANDA TTPs, specifically DLL sideloading and LOTUSLITE backdoor behavioural indicators
→ LONG-TERM: For organizations in Indian financial services or South Korean government supply chains, elevate monitoring posture and consider a threat hunting engagement focused on DLL sideloading detection
→ LONG-TERM: Review the GitHub/stamparm/maltrail apt_kimsuky.txt update and ingest the updated Kimsuky trail indicators for parallel North Korean APT coverage
#3

CISA KEV: Langflow CORS Vulnerability (CVE-2025-34291) and Trend Micro Apex One Directory Traversal (CVE-2026-34926) Actively Exploited

Severity: MEDIUM | Threat actor: Unknown

CISA has added two vulnerabilities to the Known Exploited Vulnerabilities catalog, requiring immediate remediation. CVE-2025-34291 affects Langflow, an AI workflow platform: an overly permissive CORS configuration combined with refresh-token cookies set with SameSite=None lets a malicious webpage issue cross-origin requests with the victim's credentials attached, reach authenticated endpoints, and from there achieve arbitrary code execution and full system compromise. Browsers enforce CORS only by honouring the server's Access-Control-Allow-Origin response, so a server that reflects any Origin while allowing credentials has effectively opted out of the same-origin policy; this is particularly dangerous given the increasing enterprise adoption of AI/ML pipeline tooling that ships with permissive defaults. CVE-2026-34926 affects Trend Micro Apex One (on-premise), where a directory traversal vulnerability allows pre-authenticated local attackers to modify server key tables and inject malicious code for deployment to all managed agents, potentially enabling mass endpoint compromise across an organization's entire Apex One-managed fleet. Both vulnerabilities have been confirmed as actively exploited in the wild by CISA; KEV remediation deadlines are mandatory for federal agencies and best practice for everyone else. Additionally, legacy Microsoft and Adobe vulnerabilities (CVE-2008-4250, CVE-2009-1537, CVE-2009-3459) remain on the KEV list; a KEV entry records that exploitation has been observed, and their continued presence is a reminder that unpatched legacy systems are still targeted.

🔴 Indicators of Compromise
URL http://112.238.131.71:48734/i | Active malware download URL; URLhaus confirmed malware_download; same-day staging host with no established link to either KEV vulnerability or to the ClearFake trail update
URL http://112.238.131.71:48734/bin.sh | Active shell script delivery URL from the same host; URLhaus confirmed malware_download; a binary plus bin.sh on one high port indicates an automated loader
URL http://123.14.210.109:53047/i | Active malware download URL; URLhaus confirmed malware_download; high non-standard port
HASH 6114904c95e9d95dc436f3a7b9059499d3d045dad3f30000ba06f85d8ae57a87 | RemcosRAT executable; MalwareBazaar confirmed, tagged exe and RemcosRAT; commonly deployed as a post-exploitation payload
HASH 98a78797b8a8db6976d8510dc697babfd35892ec6c37aaf5d2b385495aa8d84f | BlackShades RAT; MalwareBazaar confirmed, tagged BlackShades; remote access tool deployed post-exploitation
URL http://115.55.45.238:36989/i | Active malware download URL; URLhaus confirmed malware_download; additional payload staging endpoint
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application
T1203 Exploitation for Client Execution
T1505.003 Server Software Component: Web Shell
T1219 Remote Access Software
🟢 Hunt Queries
MDE Detect RemcosRAT and BlackShades RAT execution (post-exploitation payload hunting)

Identifies execution of MalwareBazaar-confirmed RemcosRAT and BlackShades RAT samples commonly deployed following vulnerability exploitation. The last three hashes in the list carry no family label anywhere in this report; treat a hit on them as a hit on an unclassified MalwareBazaar sample and pull the sample record before escalating.

DeviceProcessEvents
| where TimeGenerated > ago(24h)   // use Timestamp in the Defender portal
| where SHA256 in (
    '6114904c95e9d95dc436f3a7b9059499d3d045dad3f30000ba06f85d8ae57a87',   // RemcosRAT
    '98a78797b8a8db6976d8510dc697babfd35892ec6c37aaf5d2b385495aa8d84f',   // BlackShades
    'c21ad347e05405bc23f7efc6022f03951fab7461e7d52661d579a9c651cbf0d2',   // unlabelled in this report
    '9985205911ef112161c34c2fd949e5351375f27ee1dce33eaca6e03ef7968537',   // unlabelled in this report
    'ec94f33e18cdb22dba51a90b4fdf6250487c6a2eaef96267d9988045353d83fd'    // unlabelled in this report
)
| project TimeGenerated, DeviceName, FileName, SHA256, ProcessCommandLine, AccountName, InitiatingProcessFileName
| order by TimeGenerated desc
SENTINEL Detect Langflow CORS Exploitation Attempts (CVE-2025-34291)

Hunts for cross-origin requests to Langflow's token refresh endpoint that carry an Origin other than your own Langflow front end, which is the shape of a CVE-2025-34291 exploitation attempt as described in CISA KEV. The query assumes the proxy or WAF in front of Langflow forwards the Origin header into the CEF AdditionalExtensions field; adjust the extraction to your vendor's key name and replace the placeholder allowed-origin list with your real Langflow origins. A legitimate browser session never sends a foreign Origin to the refresh endpoint, so after tuning this should be close to zero noise. An Origin of "null" is kept on purpose: sandboxed or file-origin pages send it, and it is as cross-origin as any other.

let LangflowOrigins = dynamic(['langflow.yourdomain.com']);   // placeholder: replace with your Langflow front-end origin(s)
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has 'refresh' or RequestURL has 'langflow'
| extend OriginHeader = extract(@'(?i)origin[:=]\s*([^;\r\n]+)', 1, AdditionalExtensions)
| where isnotempty(OriginHeader)
| where not(OriginHeader has_any (LangflowOrigins))
| summarize Attempts = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            URLs = make_set(RequestURL, 10), Activities = make_set(Activity, 5)
    by SourceIP, DestinationIP, OriginHeader, DeviceVendor
| order by Attempts desc
MDE Detect Trend Micro Apex One Directory Traversal Exploitation (CVE-2026-34926)

Hunts for two things on Apex One servers: directory-traversal sequences in the command lines of processes spawned by Apex One server and agent components, and those components spawning a shell or scripting host at all, which is how injected code typically executes once a traversal has succeeded. The original formulation matched traversal strings in any process on any endpoint, and has_any is a term match that is not reliable for punctuation-only strings such as '../', so both conditions are now tied to the Apex One parent processes and use contains. Apex One legitimately spawns updater children, so baseline on a known-good server before alerting.

DeviceProcessEvents
| where TimeGenerated > ago(24h)   // use Timestamp in the Defender portal
| where InitiatingProcessFileName in~ ('Ntrtscan.exe', 'TmListen.exe', 'PccNTUpd.exe', 'cgiOnlineQuery.exe')
| where ProcessCommandLine contains '../'
    or ProcessCommandLine contains '..\\'
    or ProcessCommandLine contains '%2e%2e'
    or ProcessCommandLine contains '%252e%252e'
    or FileName in~ ('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe', 'certutil.exe')
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, FolderPath
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Apply vendor patches for CVE-2025-34291 (Langflow) per the CISA KEV required action; if a patch is unavailable, restrict the CORS allow-list to the Langflow front-end origin (never reflect arbitrary origins with credentials allowed), drop SameSite=None from refresh token cookies, or take Langflow offline
→ IMMEDIATE: Apply vendor patches for CVE-2026-34926 (Trend Micro Apex One on-premise) per the CISA KEV required action; audit all Apex One server key tables for unauthorized modifications
→ IMMEDIATE: Block the URLhaus-confirmed payload staging IPs at the perimeter (112.238.131.71, 115.55.45.238, 123.14.210.109)
→ IMMEDIATE: Submit RemcosRAT (6114904c95e9d95dc436f3a7b9059499d3d045dad3f30000ba06f85d8ae57a87) and BlackShades (98a78797b8a8db6976d8510dc697babfd35892ec6c37aaf5d2b385495aa8d84f) hashes to EDR/AV for immediate blocking
→ SHORT-TERM: Verify patch status for legacy CVEs CVE-2008-4250 (Windows Server Service, MS08-067) and CVE-2009-3459 (Adobe Acrobat/Reader) across all managed endpoints; their KEV listing means exploitation has been observed, and a host still missing a 2008 patch is almost certainly missing others
→ SHORT-TERM: Ingest updated ClearFake trail indicators from GitHub/stamparm/maltrail commits (562f1a2b, d1e83a04, 1e6871ac) into SIEM detection rules
→ SHORT-TERM: Run all three KQL queries and escalate any hits immediately to the Tier 2/IR team
→ LONG-TERM: Establish a formal CISA KEV remediation SLA (e.g., 7 days for internet-facing, 14 days for internal) and track Langflow and Apex One patching to closure
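Consolidated IOC sweep across all three items

Editor's addition, not part of the original report: the nine queries above each test one indicator type against one table. The sweep below takes every IP, domain and SHA-256 listed as an IOC in this report, checks network, process and file telemetry in one run, and ranks devices by how many distinct indicator types hit, so a host that both wrote one of the samples to disk and then beaconed to a C2 floats to the top of the Tier 2 queue. Table and column names are the standard Defender for Endpoint schema as exposed in Sentinel; the 7-day lookback and the priority labels are assumptions. The OpenPhish domains from the item #2 proxy query can be appended to the Domains list if your endpoint telemetry records URLs.

```kql
// Added example (editor's, not from the report): one sweep for every IOC above.
// Assumes the MDE tables as ingested into Sentinel; use Timestamp in the Defender portal.
let Lookback = 7d;
let C2_IPs = dynamic([
  '162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218',   // Feodotracker C2 (item #1)
  '42.231.42.65', '110.39.226.242', '123.7.237.214', '112.238.131.71',                      // URLhaus staging (items #1-#3)
  '182.124.143.10', '115.55.45.238', '123.14.210.109']);
let Domains = dynamic(['quantumvelocitylabs.christmas', 'casaluna.spahotel.guru']);
let Hashes = dynamic([
  '9860b2cdf23fc044bf7c6715197068b3cf6349f7ffb5e95dfd0229f212c40e63',   // AsyncRAT
  '6e0ef3af90cd3e4a8d48b6e5fee62e5d88f69d007135314f9014e63cfb179e93',   // CoinMiner dropped by Amadey
  '23e04d32fec762b39dfadc746ee73f22ca83580f30aa8c69fec24afe79f87320',   // QuasarRAT
  'e70e2ca57d3ac6941b419b621cf144d4c3de70dcbaf09446bd3b7d2ead69399f',   // LokiRAT
  'bc55dce2e859b0d282b04d328fce7e15663e7ba273172cadb39e9206d398ac99',   // unlabelled ELF
  '6114904c95e9d95dc436f3a7b9059499d3d045dad3f30000ba06f85d8ae57a87',   // RemcosRAT
  '98a78797b8a8db6976d8510dc697babfd35892ec6c37aaf5d2b385495aa8d84f']); // BlackShades
// network: any outbound attempt to a C2/staging IP or a listed domain
let NetHits = DeviceNetworkEvents
  | where TimeGenerated > ago(Lookback)
  | where RemoteIP in (C2_IPs) or RemoteUrl has_any (Domains)
  | project TimeGenerated, DeviceId, DeviceName,
            Indicator = iff(RemoteIP in (C2_IPs), RemoteIP, RemoteUrl),
            IndicatorType = 'network',
            Context = strcat(InitiatingProcessFileName, ' ', InitiatingProcessCommandLine);
// process: a listed sample actually executed
let ProcHits = DeviceProcessEvents
  | where TimeGenerated > ago(Lookback)
  | where SHA256 in (Hashes)
  | project TimeGenerated, DeviceId, DeviceName, Indicator = SHA256,
            IndicatorType = 'process', Context = ProcessCommandLine;
// file: a listed sample was written, even if it never ran (blocked by AV, staged for later)
let FileHits = DeviceFileEvents
  | where TimeGenerated > ago(Lookback)
  | where SHA256 in (Hashes)
  | project TimeGenerated, DeviceId, DeviceName, Indicator = SHA256,
            IndicatorType = 'file', Context = strcat(ActionType, ' ', FolderPath);
union NetHits, ProcHits, FileHits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Indicators = make_set(Indicator, 20), Types = make_set(IndicatorType),
            SampleContext = take_any(Context)
    by DeviceId, DeviceName
// a host with more than one indicator type (e.g. file drop + C2 beacon) is a confirmed chain, not a stray lookup
| extend Priority = iff(array_length(Types) > 1, 'P1 - multiple indicator types', 'P2 - single indicator type')
| order by Priority asc, Hits desc
```

Run it once per shift for the lookback window; any P1 row goes straight to IR with the device isolated, and P2 rows are validated against the per-item queries above before escalation.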