Daily Threat Intelligence Report - 2026-06-10
Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed by Feodotracker across US, UK, and Japan, with five C2 IPs actively operational. RemcosRAT continues to proliferate with four distinct confirmed samples tracked via MalwareBazaar, representing an active remote access trojan campaign likely leveraging phishing delivery chains. CISA's Known Exploited Vulnerabilities catalog has been updated with critical flaws in Drupal Core (CVE-2026-9082), Langflow (CVE-2025-34291), and Trend Micro Apex One (CVE-2026-34926), all requiring immediate patching. SOC teams should immediately block all five Feodotracker C2 IPs, hash-block all four RemcosRAT samples in EDR, and prioritize patching of any exposed Drupal, Langflow, or Trend Micro Apex One instances.
Active QakBot and Emotet C2 Infrastructure - Multi-Region Banking Trojan Campaign
Severity: CRITICAL. Attributed actor: TA505.
Feodotracker has confirmed five actively operational C2 servers associated with QakBot (four IPs across US, UK, and Japan) and Emotet (one US-hosted IP) within the last 24 hours. QakBot and Emotet are cornerstone malware families historically attributed to TA505 and associated financially motivated threat actors, used as initial access brokers that deliver follow-on ransomware payloads including Cl0p and Dridex. The geographic distribution of QakBot C2 infrastructure (50.16.16.211 and 34.204.119.63 in the US, 178.62.3.223 in the UK, and 27.133.154.218 in Japan) suggests a globally distributed botnet operation actively maintaining redundant command channels. Any endpoint beaconing to these IPs should be treated as a high-priority incident requiring immediate isolation, full forensic triage, and credential reset across the affected environment.
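As an added illustration (not part of the report), the beaconing check the paragraph above calls for: constructed firewall log lines are matched against the four QakBot C2 IPs quoted in the report, and a source/destination pair is flagged as a beacon when it contacts a C2 IP repeatedly at a near-constant interval. The log format and the 10.0.0.x hosts are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# QakBot C2 IPs quoted in the report (Feodotracker, last 24 hours).
QAKBOT_C2 = {"50.16.16.211", "34.204.119.63", "178.62.3.223", "27.133.154.218"}

# Constructed log lines in an assumed format: "<ISO timestamp> <src> -> <dst>:<port>".
SAMPLE_LOG = """\
2026-06-10T08:00:00 10.0.0.5 -> 50.16.16.211:443
2026-06-10T08:00:05 10.0.0.9 -> 93.184.216.34:443
2026-06-10T08:05:01 10.0.0.5 -> 50.16.16.211:443
2026-06-10T08:10:02 10.0.0.5 -> 50.16.16.211:443
2026-06-10T08:15:00 10.0.0.5 -> 50.16.16.211:443
2026-06-10T08:20:01 10.0.0.5 -> 50.16.16.211:443
2026-06-10T09:00:00 10.0.0.9 -> 178.62.3.223:443
"""

def parse_log(text):
    """Yield (timestamp, src_ip, dst_ip) tuples from the constructed log format."""
    for line in text.splitlines():
        ts, src, _, dst_port = line.split()
        yield datetime.fromisoformat(ts), src, dst_port.rsplit(":", 1)[0]

def find_c2_contacts(text, c2_ips=QAKBOT_C2):
    """Every (src, dst) pair with at least one connection to a listed C2 IP."""
    return {(src, dst) for _, src, dst in parse_log(text) if dst in c2_ips}

def find_c2_beacons(text, c2_ips=QAKBOT_C2, min_hits=4, max_cv=0.2):
    """Map (src, dst) -> mean interval in seconds for pairs that hit a listed C2 IP
    at least min_hits times with low jitter (coefficient of variation <= max_cv)."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        if dst in c2_ips:
            times[(src, dst)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low spread relative to the period is the signature of a timed beacon.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = avg
    return beacons
```

A single contact (10.0.0.9 above) still warrants triage per the report; the beacon list is the subset that shows timed check-ins.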
RemcosRAT Multi-Sample Proliferation via Phorpiex Dropper and StealC - Active RAT Campaign
Severity: HIGH. Attributed actor: unknown.
MalwareBazaar has confirmed four distinct RemcosRAT executable samples (tagged exe, rat, remcos, remote-access, trojan) uploaded within the last 24 hours, alongside three Phorpiex-dropped executables (including one confirmed CoinMiner payload) and one StealC-dropped sample. The volume and diversity of RemcosRAT samples indicate an active distribution campaign; RemcosRAT provides full remote access capability including keylogging, screen capture, webcam access, file exfiltration, and shell execution. The presence of Phorpiex-dropped samples alongside RemcosRAT is significant because the Phorpiex (Trik) botnet is known to deliver multiple second-stage payloads, and the CoinMiner sample (9c514030372c500dfd81832beac9eb15ccd47f8ec1716b18fb30fcac5ddee908) confirms active financial motivation. The StealC-dropped sample (9511ac1a00c40e879a726eed9a549adc725faff959b218011d3ed1c66f478674) tagged '06x05x2026' suggests a timestamped campaign with potential operational planning.
CISA KEV: Critical Vulnerabilities in Drupal Core, Langflow, and Trend Micro Apex One Actively Exploited
Severity: MEDIUM. Attributed actor: unknown.
CISA has added three new vulnerabilities to the Known Exploited Vulnerabilities catalog, indicating confirmed active exploitation in the wild. CVE-2026-9082 (Drupal Core SQL injection) allows unauthenticated privilege escalation and remote code execution via the database abstraction API; any internet-facing Drupal instance is at immediate risk. CVE-2025-34291 (Langflow origin validation error) combines a permissive CORS misconfiguration with SameSite=None cookie handling to enable cross-origin credential theft and arbitrary code execution, representing a significant risk for AI/ML pipeline infrastructure using Langflow. CVE-2026-34926 (Trend Micro Apex One directory traversal) allows a pre-authenticated local attacker to modify server-side tables and push malicious code to all managed Apex One agents, effectively weaponizing the endpoint security platform itself against the enterprise. Additionally, legacy vulnerabilities CVE-2008-4250 (MS08-067 Windows Server Service RPC buffer overflow) and CVE-2009-1537 (DirectX QuickTime parser RCE) remain in the KEV catalog, indicating continued exploitation; these affect unpatched legacy Windows systems.