Daily Threat Intelligence Report - 2025-07-14
Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed by Feodotracker across US, GB, and JP nodes, alongside a surge in Remote Access Trojan (RAT) samples including QuasarRAT, AsyncRAT, LokiRAT, RemcosRAT, and BlackShades identified via MalwareBazaar. Lazarus Group is actively conducting a macOS-targeted ClickFix campaign distributing 'Mach-O Man' malware, confirmed by AlienVault OTX with 16 IOCs, while MUSTANG PANDA is targeting India's banking sector and South Korean diplomatic circles with a new LOTUSLITE backdoor variant. CISA has added CVE-2025-34291 (Langflow CORS/token abuse enabling arbitrary code execution) and CVE-2026-34926 (Trend Micro Apex One directory traversal) to the Known Exploited Vulnerabilities catalog, requiring immediate patching. SOC teams should immediately block all listed Feodotracker C2 IPs, submit RAT hashes to EDR platforms, and prioritize patching of Langflow and Trend Micro Apex One deployments.
Lazarus Group 'Mach-O Man' macOS ClickFix Campaign with Active QakBot/Emotet C2 Crossover
CRITICAL | Lazarus Group
AlienVault OTX confirms Lazarus Group is conducting an active campaign targeting businesses via ClickFix social engineering, delivering a newly identified macOS malware kit dubbed 'Mach-O Man' through fake meeting invitations. This campaign carries 16 confirmed IOCs and is designed to achieve persistent access on macOS endpoints, a platform historically underserved by enterprise EDR controls. Concurrently, Feodotracker confirms four active QakBot C2 servers (50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) and one Emotet C2 (162.243.103.246), all actively beaconing, indicating a multi-malware intrusion ecosystem likely used for initial access brokering and lateral movement post-compromise. MalwareBazaar further documents a fresh AsyncRAT sample (9860b2cdf23fc044bf7c6715197068b3cf6349f7ffb5e95dfd0229f212c40e63) and a CoinMiner payload dropped by Amadey (6e0ef3af90cd3e4a8d48b6e5fee62e5d88f69d007135314f9014e63cfb179e93), consistent with Lazarus Group's dual financial and espionage objectives.
MUSTANG PANDA LOTUSLITE Backdoor v1.1 Targeting India Banking Sector and South Korean Diplomacy via DLL Sideloading
HIGH | Unknown Threat Actor
AlienVault OTX documents a newly identified LOTUSLITE backdoor version 1.1 attributed to MUSTANG PANDA (China-aligned APT) actively targeting India's banking sector and South Korean diplomatic circles, with 11 confirmed IOCs. The backdoor is delivered via DLL sideloading, a technique that abuses legitimate signed executables to load malicious DLL payloads while evading endpoint detection. Concurrently, GitHub/stamparm/maltrail confirms an update to the apt_kimsuky.txt trail list, indicating parallel North Korean APT activity in the same geopolitical targeting space (Korean peninsula/South Asia) and suggesting a broader East Asia-origin threat convergence. The LOTUSLITE campaign's focus on banking sector targets in India elevates financial system risk, while the diplomatic targeting in South Korea presents espionage and data exfiltration concerns. Organizations in the Indian financial services sector and South Korean government supply chains should treat this as a priority threat.
CISA KEV: Langflow CORS Vulnerability (CVE-2025-34291) and Trend Micro Apex One Directory Traversal (CVE-2026-34926) Actively Exploited
MEDIUM | Unknown Threat Actor
CISA has added two critical vulnerabilities to the Known Exploited Vulnerabilities catalog requiring immediate remediation action. CVE-2025-34291 affects Langflow, an AI workflow platform, where an overly permissive CORS configuration combined with SameSite=None refresh token cookies allows malicious webpages to perform cross-origin requests with credentials, ultimately enabling arbitrary code execution and full system compromise via authenticated endpoint access; this is particularly dangerous given the increasing enterprise adoption of AI/ML pipeline tooling. CVE-2026-34926 affects Trend Micro Apex One (on-premise), where a directory traversal vulnerability allows pre-authenticated local attackers to modify server key tables and inject malicious code for deployment to all managed agents, potentially enabling mass endpoint compromise across an organization's entire Apex One-managed fleet. Both vulnerabilities have been confirmed as actively exploited in the wild by CISA, mandating federal agency remediation but representing best practice for all organizations. Additionally, legacy Microsoft and Adobe vulnerabilities (CVE-2008-4250, CVE-2009-1537, CVE-2009-3459) remain on the KEV list, indicating continued exploitation of unpatched legacy systems.
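The Langflow entry above describes a chain of two misconfigurations: a CORS policy that reflects an arbitrary Origin while allowing credentials, and a refresh-token cookie marked SameSite=None so the browser attaches it to that cross-site request. The following audit function is an added example written for this report, not code from the report, from CISA, or from the Langflow project; it checks a captured set of response headers for that combination and contrasts a weak and a hardened configuration. The header values, origin names, and the names WEAK, HARDENED, audit_cors are constructed for illustration.

```python
# Added example: audit HTTP response headers for the credentialed-CORS plus
# SameSite=None cookie combination. Sample data below is constructed.

PROBE_ORIGIN = "https://untrusted.example"     # origin sent in the probe request
TRUSTED = {"https://app.example"}              # origins the app legitimately allows

# Constructed sample responses to a request carrying Origin: PROBE_ORIGIN
WEAK = {
    "Access-Control-Allow-Origin": "https://untrusted.example",  # origin reflected
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": "refresh_token=abc; Path=/; Secure; SameSite=None",
}
HARDENED = {
    "Access-Control-Allow-Origin": "https://app.example",        # fixed allowlist
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": "refresh_token=abc; Path=/; Secure; HttpOnly; SameSite=Strict",
}


def _samesite_none(set_cookie: str) -> bool:
    """True if a Set-Cookie value explicitly carries SameSite=None."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "samesite=none" in attrs


def audit_cors(headers: dict, probe_origin: str, trusted_origins: set) -> dict:
    """Report each weakness and whether the full chain from the report is present."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin", "")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    cookies = h.get("set-cookie", [])
    cookies = [cookies] if isinstance(cookies, str) else list(cookies)
    # Browsers refuse credentialed responses with a "*" ACAO, so the case that
    # actually exposes authenticated data is a concrete, reflected untrusted origin.
    reflected = acao == probe_origin and probe_origin not in trusted_origins
    cross_site = [c.split("=", 1)[0].strip() for c in cookies if _samesite_none(c)]
    return {
        "reflects_untrusted_origin": reflected,
        "credentials_allowed": creds,
        "wildcard_with_credentials": acao == "*" and creds,
        "cross_site_cookies": cross_site,
        # Both halves of the chain: credentialed CORS for an untrusted origin and
        # a cookie the browser will attach to that cross-site request.
        "exploitable": reflected and creds and bool(cross_site),
    }


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_cors(hdrs, PROBE_ORIGIN, TRUSTED))
```

Run the audit against your own deployment's responses to a request with an unexpected Origin header; a remediated server answers with a fixed allowlisted origin (or none) and a refresh cookie that is not SameSite=None.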