โ† Back to Dashboard
May 24, 2026

Daily Threat Intelligence Report — 2026-06-10

23 IOCs · 12 TTPs · 12 KQL Queries
Executive Summary

Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed by Feodotracker across US, UK, and Japan, with five C2 IPs actively operational. RemcosRAT continues to proliferate with four distinct confirmed samples tracked via MalwareBazaar, representing an active remote access trojan campaign likely leveraging phishing delivery chains. CISA's Known Exploited Vulnerabilities catalog has been updated with critical flaws in Drupal Core (CVE-2026-9082), Langflow (CVE-2025-34291), and Trend Micro Apex One (CVE-2026-34926), all requiring immediate patching. SOC teams should immediately block all five Feodotracker C2 IPs, hash-block all four RemcosRAT samples in EDR, and prioritize patching of any exposed Drupal, Langflow, or Trend Micro Apex One instances.

#1

Active QakBot and Emotet C2 Infrastructure — Multi-Region Banking Trojan Campaign

Severity: CRITICAL | Attributed actor: TA505

Feodotracker has confirmed five actively operational C2 servers associated with QakBot (four IPs across the US, UK and Japan) and Emotet (one US-hosted IP) within the last 24 hours. QakBot and Emotet are long-running loader families run by financially motivated crews (Proofpoint tracks Emotet as TA542 and QakBot distribution under TA570 and TA577; TA505 is the group historically tied to Dridex and Cl0p). Both have operated as initial access brokers whose infections were followed by hands-on-keyboard intrusion and ransomware deployment, so a beacon to this infrastructure marks the start of an intrusion rather than a contained malware event. The geographic distribution of QakBot C2 infrastructure (50.16.16.211 and 34.204.119.63 in the US, 178.62.3.223 in the UK, 27.133.154.218 in Japan) is consistent with a globally distributed botnet maintaining redundant command channels. Any endpoint beaconing to these IPs should be treated as a high-priority incident requiring immediate isolation, full forensic triage, and credential reset across the affected environment.

🔴 Indicators of Compromise
IP 162.243.103.246 Emotet C2 server — US-hosted, Feodotracker confirmed active within 24h
IP 50.16.16.211 QakBot C2 server — US-hosted, Feodotracker confirmed active within 24h
IP 34.204.119.63 QakBot C2 server — US-hosted, Feodotracker confirmed active within 24h
IP 178.62.3.223 QakBot C2 server — UK-hosted, Feodotracker confirmed active within 24h
IP 27.133.154.218 QakBot C2 server — JP-hosted, Feodotracker confirmed active within 24h
URL http://222.139.91.177:48286/i URLhaus-confirmed malware download URL; a bare IP:port serving /i and /bin.sh is the layout used by ELF IoT-botnet stagers (compare the Mirai sample in item #3), so its grouping with the QakBot/Emotet campaign is by feed timing rather than confirmed linkage
URL http://222.139.91.177:48286/bin.sh URLhaus-confirmed shell-script download URL on the same host as /i; the typical loader script that fetches architecture-specific binaries
🟣 MITRE ATT&CK TTPs
T1566.001 Spearphishing Attachment
T1071.001 Application Layer Protocol — Web Protocols
T1105 Ingress Tool Transfer
T1078 Valid Accounts
🟢 Hunt Queries
MDE Hunt for C2 connections to QakBot and Emotet infrastructure

Detects outbound connections to all five confirmed QakBot and Emotet C2 servers identified by Feodotracker within the last 24 hours.

// Defender XDR advanced hunting exposes this table with Timestamp; the Sentinel-ingested copy uses TimeGenerated
let FeodoC2 = dynamic(['162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218']);
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in (FeodoC2)
// Keep failed and blocked attempts too: a host that tries to reach C2 is infected whether or not the firewall let it out
| where ActionType in ('ConnectionSuccess', 'ConnectionFailed', 'ConnectionRequest')
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by TimeGenerated desc
MDE Detect malware download activity from URLhaus-confirmed staging servers

Identifies HTTP connections to URLhaus-confirmed malware download infrastructure, including both endpoints hosted on 222.139.91.177.

// These stager hosts serve Linux/IoT payloads (/bin.sh, /i), so Defender for Endpoint on Linux servers must be in scope, not only the Windows fleet
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('222.139.91.177', '221.15.189.197', '216.129.184.213', '115.55.167.203', '61.54.253.107', '110.39.246.84', '162.255.251.91', '123.11.8.174', '123.4.239.180')
| where ActionType in ('ConnectionSuccess', 'ConnectionFailed', 'HttpConnectionInspected')   // failed attempts still identify the infected host
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
MDI Detect lateral movement patterns associated with post-QakBot credential abuse

Hunts for suspicious NTLM authentication bursts from single accounts โ€” a common indicator of credential harvesting and lateral movement following QakBot/Emotet infection.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess' and Protocol == 'Ntlm'
| where AccountName !endswith '$'   // computer accounts authenticate over NTLM constantly and would dominate the results
| summarize LogonCount = count(), DistinctTargets = dcount(DestinationDeviceName), Targets = make_set(DestinationDeviceName, 20), SourceIPs = make_set(IPAddress, 20) by AccountDisplayName
// Starting thresholds only: a handful of NTLM logons per day is normal for most users, so compare each account against its weekly baseline before escalating
| where DistinctTargets > 5 or LogonCount > 50
| order by DistinctTargets desc, LogonCount desc
SENTINEL Detect outbound connections to Feodotracker-confirmed C2 IPs across all log sources

Broad Sentinel query correlating firewall, proxy, and network flow logs against all five active Feodotracker C2 IPs for QakBot and Emotet.

// CEF/Syslog sources (firewalls, proxies, NetFlow collectors that emit CEF); DestinationIP is populated for all of them, RequestURL only for proxies
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| project TimeGenerated, SourceIP, SourceUserName, DestinationIP, DestinationPort, RequestURL, DeviceAction, Activity, DeviceProduct
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Block all five Feodotracker C2 IPs (162.243.103.246, 50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) at the perimeter firewall, NGFW and web proxy, denying outbound traffic to them on every egress path
→ IMMEDIATE: Block the URLhaus-confirmed download URLs and their host IPs (222.139.91.177, 221.15.189.197, 216.129.184.213, 115.55.167.203, 61.54.253.107, 110.39.246.84, 162.255.251.91, 123.11.8.174, 123.4.239.180) at network egress points
→ IMMEDIATE: Execute the MDE KQL hunt for connections to all five C2 IPs; any positive hit should trigger immediate host isolation and the IR process
→ IMMEDIATE: Search the SIEM for firewall, proxy and NetFlow records to the C2 IPs over the past 72 hours to establish dwell time (these C2s are addressed directly by IP, so DNS logs will not show them)
→ SHORT-TERM: Run the MDI query for NTLM authentication anomalies; escalate accounts that exceed the query's thresholds with no baseline explanation for credential reset
→ SHORT-TERM: Update IDS/IPS signatures with the Feodotracker C2 IPs and URLhaus download URLs; validate that blocking is active on all network segments
→ SHORT-TERM: Notify the email security team to increase scrutiny of macro-enabled Office attachments and OneNote files delivered via email
→ LONG-TERM: Evaluate network segmentation to limit lateral movement post-compromise; enforce NTLM restrictions via Group Policy where feasible
→ LONG-TERM: Ingest the Feodotracker and URLhaus threat feeds into SIEM/SOAR for automated IOC-based alerting
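The last action above is the one most teams never get round to scripting. What follows is an added example, not code from this report or from abuse.ch: it parses both feeds in their published CSV layout, builds one IOC set, and runs firewall and proxy log lines against it. The feed rows, ports, first-seen timestamps and log lines are constructed so the script runs offline; only the IPs and URLs come from this report, and the 10.x sources and 198.51.100.7 are placeholders.

```python
"""Added example (not part of the report or of abuse.ch's tooling): pull the Feodo Tracker
and URLhaus CSV feeds into one IOC set and run firewall/proxy log lines against it.
Feed rows and log lines below are constructed so this runs offline; they follow the column
layout of feodotracker.abuse.ch/downloads/ipblocklist.csv and the URLhaus CSV export."""
import csv
import io
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed rows in the Feodo Tracker layout; IPs are from the report, ports/timestamps are made up.
FEODO_CSV = """\
################################################################
# abuse.ch Feodo Tracker Botnet C2 IP Blocklist (CSV)          #
################################################################
#
# first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2026-06-09 14:02:11,162.243.103.246,443,online,2026-06-10,Emotet
2026-06-09 18:40:00,50.16.16.211,443,online,2026-06-10,QakBot
2026-06-09 19:12:37,34.204.119.63,2222,online,2026-06-10,QakBot
2026-06-10 01:05:52,178.62.3.223,443,online,2026-06-10,QakBot
2026-06-10 03:30:14,27.133.154.218,443,online,2026-06-10,QakBot
2026-05-01 10:00:00,203.0.113.9,443,offline,2026-05-03,QakBot
"""

# Constructed rows in the URLhaus CSV layout (quoted fields, '#' comment header).
URLHAUS_CSV = """\
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"3412001","2026-06-10 02:11:09","http://222.139.91.177:48286/i","online","2026-06-10 05:00:00","malware_download","elf,mirai","https://urlhaus.abuse.ch/url/3412001/","abuse_ch"
"3412002","2026-06-10 02:11:10","http://222.139.91.177:48286/bin.sh","online","2026-06-10 05:00:00","malware_download","elf,mirai,sh","https://urlhaus.abuse.ch/url/3412002/","abuse_ch"
"3411950","2026-06-09 22:45:31","http://61.54.253.107:44366/i","online","2026-06-10 04:30:00","malware_download","elf","https://urlhaus.abuse.ch/url/3411950/","abuse_ch"
"""


@dataclass
class IocSet:
    c2_ips: dict = field(default_factory=dict)   # ip -> (malware family, port)
    urls: set = field(default_factory=set)
    url_hosts: set = field(default_factory=set)


def _split_feed(text):
    """abuse.ch feeds prefix metadata with '#'; the last comment line is the CSV header."""
    header, rows = "", []
    for line in text.splitlines():
        if line.startswith("#"):
            header = line.lstrip("# ").strip()
        elif line.strip():
            rows.append(line)
    fields = next(csv.reader([header]))
    return list(csv.DictReader(io.StringIO("\n".join(rows)), fieldnames=fields))


def build_ioc_set(feodo_text, urlhaus_text, only_online=True):
    iocs = IocSet()
    for rec in _split_feed(feodo_text):
        if only_online and rec["c2_status"] != "online":
            continue  # offline C2s still merit a retro-hunt, but not a new block rule
        iocs.c2_ips[rec["dst_ip"]] = (rec["malware"], int(rec["dst_port"]))
    for rec in _split_feed(urlhaus_text):
        if only_online and rec["url_status"] != "online":
            continue
        iocs.urls.add(rec["url"])
        iocs.url_hosts.add(urlsplit(rec["url"]).hostname)
    return iocs


def egress_blocklist(iocs):
    """Addresses to deny at the perimeter: C2 IPs plus the hosts behind the download URLs."""
    return sorted(set(iocs.c2_ips) | iocs.url_hosts)


KV_RE = re.compile(r"(\w+)=(\S+)")


def match_log_line(line, iocs):
    """Return (ioc_type, value, context) hits for one key=value style firewall/proxy line."""
    kv = dict(KV_RE.findall(line))
    hits = []
    dst = kv.get("dst")
    if dst in iocs.c2_ips:
        family, _port = iocs.c2_ips[dst]
        hits.append(("c2_ip", dst, family))
    url = kv.get("url")
    if url:
        if url in iocs.urls:
            hits.append(("url", url, "urlhaus"))
        elif urlsplit(url).hostname in iocs.url_hosts:
            # same stager host, different path: loaders rotate payload names faster than feeds update
            hits.append(("url_host", urlsplit(url).hostname, "urlhaus-host"))
    return hits


def hunt(lines, iocs):
    """Keep only lines with at least one hit, so the output can go straight into a ticket."""
    results = []
    for line in lines:
        hits = match_log_line(line, iocs)
        if hits:
            results.append((line, hits))
    return results


# Constructed firewall and proxy lines; 10.x sources and 198.51.100.7 are placeholders.
SAMPLE_LOGS = [
    "2026-06-10T07:14:02Z fw01 src=10.20.5.17 dst=34.204.119.63 dpt=2222 action=allow",
    "2026-06-10T07:14:09Z fw01 src=10.20.5.17 dst=198.51.100.7 dpt=443 action=allow",
    "2026-06-10T07:15:30Z proxy01 user=jsmith url=http://222.139.91.177:48286/bin.sh status=200",
    "2026-06-10T07:16:01Z proxy01 user=akhan url=http://222.139.91.177:48286/x86 status=404",
    "2026-06-10T07:20:44Z fw01 src=10.20.9.3 dst=203.0.113.9 dpt=443 action=allow",
]

if __name__ == "__main__":
    ioc_set = build_ioc_set(FEODO_CSV, URLHAUS_CSV)
    print("block:", ", ".join(egress_blocklist(ioc_set)))
    for line, hits in hunt(SAMPLE_LOGS, ioc_set):
        print(hits, "<-", line)
```

With the real feeds, replace the two string constants with the downloaded files and point `hunt()` at a proxy or firewall export. Matching on the stager host as well as the exact URL is deliberate: the 404 for `/x86` above is still a host that tried to fetch a payload from a known stager, and the offline QakBot entry is excluded from the block rule but can be re-enabled with `only_online=False` for a retrospective hunt.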
#2

RemcosRAT Multi-Sample Proliferation via Phorpiex Dropper and StealC — Active RAT Campaign

Severity: HIGH | Attributed actor: Unknown Threat Actor

MalwareBazaar has confirmed four distinct RemcosRAT executable samples (tagged exe, rat, remcos, remote-access, trojan) uploaded within the last 24 hours, alongside three Phorpiex-dropped executables, including one confirmed CoinMiner payload, and one StealC-dropped sample. The volume and diversity of RemcosRAT samples indicates an active distribution campaign; RemcosRAT provides full remote access including keylogging, screen capture, webcam access, file exfiltration and shell execution. The Phorpiex-dropped samples matter because the Phorpiex (Trik) spam and loader botnet delivers multiple second-stage payloads, and the CoinMiner sample (9c514030372c500dfd81832beac9eb15ccd47f8ec1716b18fb30fcac5ddee908) confirms financial motivation. The StealC-dropped sample (9511ac1a00c40e879a726eed9a549adc725faff959b218011d3ed1c66f478674) carries the tag '06x05x2026', which reads as a reporter-applied date stamp rather than evidence of campaign planning; use it as a pivot for finding related MalwareBazaar submissions, not as attribution.

🔴 Indicators of Compromise
HASH 26879111dbeee579e23b748b15a5d6d4343fced64122dcada6937a206acb2c40 RemcosRAT executable — MalwareBazaar confirmed, tagged exe/rat/remcos/remote-access/trojan
HASH 61f8aa4feb16589c09b0583d18307a7a28d0ce4de829e89b9c4349f946aadca8 RemcosRAT executable — MalwareBazaar confirmed, tagged exe/rat/remcos/remote-access/trojan
HASH 5f9017462fd23d247b4008c86b944b3aaa604c860436d75ba6b08c69b2fb3a55 RemcosRAT executable — MalwareBazaar confirmed, tagged exe/rat/remcos/remote-access/trojan
HASH e21ea0851c36a4509b9d90509caa8f55ae56409decbc72c804458db5720f8288 RemcosRAT executable — MalwareBazaar confirmed, tagged exe/rat/remcos/remote-access/trojan
HASH 9c514030372c500dfd81832beac9eb15ccd47f8ec1716b18fb30fcac5ddee908 CoinMiner — dropped by Phorpiex botnet, MalwareBazaar confirmed
HASH 9511ac1a00c40e879a726eed9a549adc725faff959b218011d3ed1c66f478674 Payload dropped by StealC — tagged 06x05x2026 (reporter date tag), MalwareBazaar confirmed
HASH 29d7a5bd296d3b765fdea6c024aee98d2de9d826a10a46156acec399104d42b4 Unknown payload dropped by Phorpiex — MalwareBazaar confirmed
HASH 76d059135aee89d9873771dbfc06d9639e4b20c49e7936179710ef6a4b26735a Unknown payload dropped by Phorpiex — MalwareBazaar confirmed
URL https://appleservice.sviluppo.host/Login/510515CEERT0I12UO12QSDR000008U41SDC0SDVDF0BF005TYYJ1510D5FV1ZE51F04/ Active Apple ID credential-harvesting page, OpenPhish confirmed; its pairing with the RAT samples is an association by timing, not a confirmed delivery chain
URL https://business-secure-login.vercel.app/olb/app/logon-web Active financial services phishing URL hosted on Vercel — credential-harvesting lure, OpenPhish confirmed
URL http://61.54.253.107:44366/i Active malware download URL, URLhaus confirmed; bare IP:port serving /i is the IoT-botnet stager layout rather than a Windows RAT delivery path
🟣 MITRE ATT&CK TTPs
T1059.001 Command and Scripting Interpreter — PowerShell
T1219 Remote Access Software
T1176 Browser Extensions
T1566.002 Spearphishing Link
🟢 Hunt Queries
MDE Hunt for RemcosRAT and Phorpiex-related file hashes

Detects presence of all confirmed RemcosRAT, Phorpiex-dropped, and StealC-dropped samples from MalwareBazaar on any endpoint in the environment.

let MalwareHashes = dynamic([
    '26879111dbeee579e23b748b15a5d6d4343fced64122dcada6937a206acb2c40',
    '61f8aa4feb16589c09b0583d18307a7a28d0ce4de829e89b9c4349f946aadca8',
    '5f9017462fd23d247b4008c86b944b3aaa604c860436d75ba6b08c69b2fb3a55',
    'e21ea0851c36a4509b9d90509caa8f55ae56409decbc72c804458db5720f8288',
    '9c514030372c500dfd81832beac9eb15ccd47f8ec1716b18fb30fcac5ddee908',
    '9511ac1a00c40e879a726eed9a549adc725faff959b218011d3ed1c66f478674',
    '29d7a5bd296d3b765fdea6c024aee98d2de9d826a10a46156acec399104d42b4',
    '76d059135aee89d9873771dbfc06d9639e4b20c49e7936179710ef6a4b26735a',
    '73c67a176d337a809555043d4189bbeea8d753d5770b7cb759243ebfcf718333'
]);
// File events only record create/modify, so a sample that landed before the window is missed; process events catch it when it runs.
// Search both tables and look back further than the feed's 24 hours.
union withsource = SourceTable DeviceFileEvents, DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where SHA256 in (MalwareHashes)
| project TimeGenerated, SourceTable, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
MDE Detect RemcosRAT process behaviour โ€” LOLBin abuse and regsvr32 execution

Hunts for regsvr32 and cmdkey abuse and for Office applications spawning script interpreters, consistent with the ClickFix-style and RemcosRAT delivery chains seen in today's AlienVault OTX and MalwareBazaar data.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where (FileName =~ 'regsvr32.exe' and ProcessCommandLine has_any ('http://', 'https://', 'AppData', 'Temp', 'scrobj'))   // remote or user-writable scriptlet loads (squiblydoo)
    or (FileName =~ 'cmdkey.exe' and ProcessCommandLine has_any ('/add', '/generic'))                                        // stored-credential tampering
    or (InitiatingProcessFileName in~ ('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'outlook.exe') and FileName in~ ('powershell.exe', 'wscript.exe', 'mshta.exe', 'cmd.exe'))   // Office spawning an interpreter
    // ClickFix lure: the victim pastes a command into the Run dialog, so the interpreter's parent is explorer.exe and the command fetches a URL
    or (InitiatingProcessFileName =~ 'explorer.exe' and FileName in~ ('powershell.exe', 'mshta.exe', 'cmd.exe') and ProcessCommandLine has_any ('http', 'iwr', 'irm', 'Invoke-WebRequest', 'Invoke-RestMethod'))
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
SENTINEL Detect access to confirmed phishing infrastructure from OpenPhish

Identifies web proxy or DNS logs showing user navigation to OpenPhish-confirmed phishing URLs targeting Apple, financial services, and gaming credentials.

let PhishHosts = dynamic([
    'appleservice.sviluppo.host',
    'business-secure-login.vercel.app',
    'www-robloxk.com',
    'acc.partner-credit-submission.com',
    'gamefrenzy180.info',
    'portallogin-pchincha.zya.me',
    'mipchincha-2026.zya.me',
    'cn-hht-web-whatsapp.com.cn',
    'estudiocils.com.ar'
]);
// Proxy and firewall CEF sources
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any (PhishHosts)
| project TimeGenerated, SourceIP, SourceUserName, RequestURL, DestinationIP, Activity, DeviceProduct
// Endpoint view for users who are off the corporate proxy (split-tunnel VPN, remote work)
| union (
    DeviceNetworkEvents
    | where TimeGenerated > ago(24h)
    | where RemoteUrl has_any (PhishHosts)
    | project TimeGenerated, DeviceName, SourceUserName = InitiatingProcessAccountName, RequestURL = RemoteUrl, DestinationIP = RemoteIP, InitiatingProcessFileName
)
| order by TimeGenerated desc
MDE Detect StealC credential harvesting โ€” browser data access by non-browser processes

Identifies potential StealC infostealer activity based on non-browser processes accessing browser credential stores and cryptocurrency wallet directories.

DeviceFileEvents
| where TimeGenerated > ago(24h)
// Browser credential/cookie stores and common wallet folders: Login Data, Cookies and Web Data are the files StealC-class stealers copy out
| where FolderPath has_any ('Chrome\\User Data', 'Firefox\\Profiles', 'Edge\\User Data', 'Brave-Browser\\User Data', 'Exodus\\exodus.wallet', 'Electrum\\wallets')
| where InitiatingProcessFileName !in~ ('chrome.exe', 'firefox.exe', 'msedge.exe', 'brave.exe', 'MicrosoftEdgeUpdate.exe', 'explorer.exe', 'SearchProtocolHost.exe')
// Backup agents and sync clients will appear here; tune on InitiatingProcessFolderPath, since a stealer can spoof a file name but rarely the path
| project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Submit all nine MalwareBazaar hashes to the EDR platform for hash-based blocking; prioritize the four RemcosRAT samples
→ IMMEDIATE: Block all 15 OpenPhish-confirmed phishing URLs at the web proxy and DNS filtering; add appleservice.sviluppo.host, business-secure-login.vercel.app and www-robloxk.com as high-priority blocks
→ IMMEDIATE: Block all nine URLhaus malware download IPs and URLs at the perimeter firewall; prioritize 222.139.91.177, which hosts two active download endpoints
→ IMMEDIATE: Run the MDE hash hunt query across all endpoints; any match should trigger immediate isolation and IR engagement
→ SHORT-TERM: Alert SOC analysts to the StealC sample tagged '06x05x2026'; review email gateway and web proxy logs for delivery vectors and check for credential-compromise indicators
→ SHORT-TERM: Run the browser credential access hunt query to identify StealC infections with dwell time
→ SHORT-TERM: Issue a user awareness notification warning of active phishing campaigns targeting Apple ID, banking and gaming credentials
→ SHORT-TERM: Validate that macro execution is disabled in Office applications via Group Policy / ADMX templates across all managed endpoints
→ LONG-TERM: Implement application allowlisting to prevent execution of unknown PE files from user-writable directories (AppData, Temp)
→ LONG-TERM: Establish an automated hash ingestion pipeline from MalwareBazaar into EDR and SIEM for daily IOC updates
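The hash-ingestion pipeline in the last action reduces to two pieces: parse the feed, then compare hashes on disk against it. The following is an added example, not code from this report or from MalwareBazaar: the feed rows are constructed in the column layout of the MalwareBazaar full CSV export (the column order is an assumption, so check it against a real download), the hashes are the ones listed in this item, and the file names and timestamps are made up. The scanned directory is generated at run time, with one benign file and one file whose hash is registered as an IOC on the fly, so the match is real but no sample is needed.

```python
"""Added example (not part of the report or of MalwareBazaar's tooling): load SHA-256 IOCs
from a MalwareBazaar-style CSV export and sweep a directory tree for matching files.
Feed rows are constructed in the assumed layout of the MalwareBazaar full CSV export; the
hashes are from this report, the file names and timestamps are made up."""
import csv
import hashlib
import io
import os
import tempfile
from pathlib import Path

MB_CSV = '''\
# "first_seen_utc","sha256_hash","md5_hash","sha1_hash","reporter","file_name","file_type_guess","mime_type","signature","clamav","vtpercent","imphash","ssdeep","tlsh"
"2026-06-10 03:12:44","26879111dbeee579e23b748b15a5d6d4343fced64122dcada6937a206acb2c40","","","abuse_ch","invoice.exe","exe","application/x-dosexec","RemcosRAT","","","","",""
"2026-06-10 03:40:19","61f8aa4feb16589c09b0583d18307a7a28d0ce4de829e89b9c4349f946aadca8","","","abuse_ch","setup.exe","exe","application/x-dosexec","RemcosRAT","","","","",""
"2026-06-10 05:02:07","9c514030372c500dfd81832beac9eb15ccd47f8ec1716b18fb30fcac5ddee908","","","abuse_ch","svchost.exe","exe","application/x-dosexec","CoinMiner","","","","",""
"2026-06-10 05:55:41","29d7a5bd296d3b765fdea6c024aee98d2de9d826a10a46156acec399104d42b4","","","abuse_ch","update.exe","exe","application/x-dosexec","","","","","",""
"2026-06-10 06:21:58","73c67a176d337a809555043d4189bbeea8d753d5770b7cb759243ebfcf718333","","","abuse_ch","x86","elf","application/x-executable","Mirai","","","","",""
'''


def parse_malwarebazaar(text):
    """Return {sha256: signature}; rows with no family signature are kept as 'unknown'."""
    header, rows = "", []
    for line in text.splitlines():
        if line.startswith("#"):
            header = line.lstrip("# ").strip()   # last comment line is the quoted header
        elif line.strip():
            rows.append(line)
    fields = next(csv.reader([header]))
    iocs = {}
    for rec in csv.DictReader(io.StringIO("\n".join(rows)), fieldnames=fields):
        iocs[rec["sha256_hash"].lower()] = rec["signature"] or "unknown"
    return iocs


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large installers are not loaded into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, iocs):
    """Walk root and return (path, sha256, signature) for every file whose hash is an IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if digest in iocs:
                hits.append((str(path), digest, iocs[digest]))
    return hits


def demo():
    """Build a throwaway tree: one benign file and one file registered as an IOC at run time."""
    iocs = parse_malwarebazaar(MB_CSV)
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_text("quarterly numbers\n")
        dropped = Path(tmp) / "AppData" / "Local" / "Temp" / "invoice.exe"
        dropped.parent.mkdir(parents=True)
        dropped.write_bytes(b"MZ" + bytes(64))  # constructed stand-in, not a real sample
        iocs[sha256_file(dropped)] = "RemcosRAT (constructed test entry)"
        hits = scan_tree(tmp, iocs)
    return hits, len(iocs)


if __name__ == "__main__":
    for path, digest, signature in demo()[0]:
        print(f"{signature:<40} {digest[:16]}... {path}")
```

For a production sweep, feed `scan_tree()` the user-writable locations the report's allowlisting action names (AppData, Temp) and push the same hash set to the EDR's custom indicator API; a local hash sweep finds dormant copies the EDR only notices on execution.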
#3

CISA KEV: Critical Vulnerabilities in Drupal Core, Langflow, and Trend Micro Apex One Actively Exploited

Severity: MEDIUM | Attributed actor: Unknown Threat Actor

CISA has added three new vulnerabilities to the Known Exploited Vulnerabilities catalog, which means exploitation in the wild has been confirmed. CVE-2026-9082 (Drupal Core SQL injection) allows unauthenticated privilege escalation and remote code execution via the database abstraction API; any internet-facing Drupal instance is at immediate risk. CVE-2025-34291 (Langflow origin validation error) combines a permissive CORS configuration with SameSite=None cookie handling, so a malicious origin can make credentialed cross-site requests and read the responses, enabling credential theft and arbitrary code execution; this is a significant risk for AI/ML pipeline infrastructure built on Langflow. CVE-2026-34926 (Trend Micro Apex One directory traversal) allows a pre-authenticated local attacker to modify server-side tables and push malicious code to every managed Apex One agent, turning the endpoint security platform itself against the enterprise. The catalog also still lists CVE-2008-4250 (MS08-067, Windows Server Service RPC buffer overflow) and CVE-2009-1537 (DirectX QuickTime parser RCE); KEV entries are never removed, so their presence records confirmed historical exploitation rather than fresh activity, but both remain fully exploitable on unpatched legacy Windows systems.

🔴 Indicators of Compromise
URL https://acc.partner-credit-submission.com/__;!!Bt8R... OpenPhish-confirmed phishing URL (truncated as captured; the trailing __;!! fragment is residue of a mail-gateway URL rewrite); no established link to the KEV items above
URL http://216.129.184.213:55587/bin.sh Active shell-script download URL, URLhaus confirmed; bare IP:port plus /bin.sh is the classic IoT-botnet stager layout, the kind of payload fetched after exploiting an exposed web application or device
URL http://110.39.246.84:42281/i Active malware download URL on the same stager pattern, URLhaus confirmed
HASH 73c67a176d337a809555043d4189bbeea8d753d5770b7cb759243ebfcf718333 Mirai ELF binary, MalwareBazaar confirmed; Mirai variants spread by exploiting unpatched IoT devices and web applications, which is why it is grouped with today's KEV additions
HASH 3421883fa3fde01697dea21d7c0b5072d2a5b600edf0cb6f32fa6507d6b422fd Payload tagged 'enthec' on MalwareBazaar with no family signature; treat it as an unattributed sample to hash-block, not as a confirmed post-exploitation tool
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application
T1068 Exploitation for Privilege Escalation
T1072 Software Deployment Tools
T1203 Exploitation for Client Execution
🟢 Hunt Queries
SENTINEL Detect potential Drupal SQL injection exploitation attempts โ€” CVE-2026-9082

Identifies anomalous web requests targeting Drupal endpoints that may indicate SQL injection exploitation consistent with CVE-2026-9082.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceProduct has_any ('WAF', 'Firewall', 'IDS', 'IPS', 'Apache', 'Nginx')
// Payloads arrive percent-encoded (%27, %20UNION%20SELECT), so match on the decoded form
| extend DecodedUrl = url_decode(RequestURL)
| where DecodedUrl has_any ('/node', '/api', '/jsonapi', '/index.php') or DecodedUrl contains '?q='
// has_any works on whole terms, so a bare quote or '--' never matches; use a regex on the decoded URL instead
| where DecodedUrl matches regex @"(?i)(union\s+(all\s+)?select|sleep\s*\(|waitfor\s+delay|benchmark\s*\(|'\s*(or|and)\s|or\s+1\s*=\s*1|--(\s|$)|/\*)"
    or AdditionalExtensions has_any ('UNION', 'SELECT')
// POST bodies are not in RequestURL: injection through form or JSON:API bodies needs WAF body inspection or application logs
| project TimeGenerated, SourceIP, RequestURL, DecodedUrl, RequestMethod, Activity, DeviceProduct, DestinationIP
| order by TimeGenerated desc
MDE Detect suspicious process execution from web server processes โ€” post-exploitation indicator

Hunts for child processes spawned by web server or application processes, which may indicate successful exploitation of CVE-2026-9082 (Drupal) or CVE-2025-34291 (Langflow) leading to RCE.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
// Drupal runs under PHP behind Apache/Nginx; Langflow is a Python (FastAPI/uvicorn) service, so Python app servers are in scope
| where InitiatingProcessFileName in~ ('apache2', 'nginx', 'httpd', 'php-fpm', 'w3wp.exe', 'python3', 'python', 'uvicorn', 'gunicorn', 'node')
    or InitiatingProcessFileName startswith 'php'
| where FileName in~ ('bash', 'sh', 'dash', 'cmd.exe', 'powershell.exe', 'python3', 'perl', 'wget', 'curl', 'nc', 'ncat', 'socat')
// Expect benign hits from health checks and cron wrappers; baseline by InitiatingProcessCommandLine before turning this into an alert
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
MDE Detect Trend Micro Apex One server table modification โ€” CVE-2026-34926

Identifies unexpected file modifications to Apex One server directories that may indicate exploitation of CVE-2026-34926 directory traversal vulnerability.

DeviceFileEvents
| where TimeGenerated > ago(24h)
// Scope to the Apex One server(s): the same paths exist on every agent, and the CVE concerns server-side tables
// | where DeviceName in~ ('apexone-srv01')   // placeholder, replace with your server hostnames
| where FolderPath has_any ('Trend Micro', 'Apex One', 'OfficeScan')
| where ActionType in ('FileCreated', 'FileModified', 'FileRenamed')
// The exclusion list covers agent-side processes; extend it with the server's own service processes after baselining
| where InitiatingProcessFileName !in~ ('NTRTScan.exe', 'PccNTMon.exe', 'TmListen.exe', 'CNTAoSMgr.exe')
| project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
SENTINEL Detect MS08-067 exploitation attempts โ€” CVE-2008-4250

Identifies potential exploitation of the Windows Server Service RPC buffer overflow (MS08-067) via anomalous inbound RPC traffic patterns on legacy systems.

// Firewall/IDS view: most firewalls log no signature text, so the Activity filter only fires for IDS/IPS products.
// Inbound 445/139/135 reaching a legacy host from an untrusted network is itself the finding, signature or not.
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationPort in (445, 135, 139)
| where DeviceAction !in ('Allow', 'Permit')
| where Activity has_any ('buffer overflow', 'exploit', 'MS08-067', 'NetpwPathCanonicalize', 'RPC')
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, Activity, DeviceProduct
| union (
    // Defender and third-party alerts forwarded into Sentinel
    SecurityAlert
    | where TimeGenerated > ago(24h)
    | where AlertName has_any ('MS08-067', 'CVE-2008-4250', 'Server Service', 'NetpwPathCanonicalize')
    | project TimeGenerated, AlertName, Description, Entities
)
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Identify all internet-facing Drupal Core instances and apply vendor patches for CVE-2026-9082; if patching cannot be completed within 24h, implement WAF rules to block SQL metacharacters in Drupal API requests
→ IMMEDIATE: Identify all Langflow deployments and apply mitigations for CVE-2025-34291; restrict CORS origins to trusted domains and review SameSite cookie configuration; consider taking internet-facing Langflow instances offline until patched
→ IMMEDIATE: Audit all Trend Micro Apex One (on-premise) servers for CVE-2026-34926; apply vendor patches and review server access logs for unauthorized modifications to agent configuration tables
→ IMMEDIATE: Block the Mirai ELF sample hash (73c67a176d337a809555043d4189bbeea8d753d5770b7cb759243ebfcf718333) in EDR; Mirai variants are dropped onto exposed devices and web servers after exploitation of unpatched vulnerabilities
→ SHORT-TERM: Run the Sentinel KEV detection queries for Drupal SQL injection and MS08-067 exploitation attempts across all log sources
→ SHORT-TERM: Audit the environment for any Windows systems lacking MS08-067 (KB958644); legacy OT/ICS and isolated network segments are high-risk; apply emergency patching or network isolation
→ SHORT-TERM: Review web server process execution logs for any child shell or interpreter processes that may indicate successful RCE exploitation of Drupal or Langflow
→ SHORT-TERM: Notify Apex One administrators to verify agent policy integrity; compare current agent policies against known-good baselines for any unauthorized modifications
→ LONG-TERM: Implement a CISA KEV tracking workflow so every KEV addition is triaged within 24 hours and remediated by its catalog due date, per BOD 22-01 (binding on federal civilian agencies and a sound benchmark for everyone else)
→ LONG-TERM: Evaluate a replacement or air-gapping strategy for legacy Windows systems vulnerable to CVE-2008-4250 and CVE-2009-1537; these should not exist on modern enterprise networks
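The KEV tracking workflow in the long-term actions is a join between the catalog and an asset inventory, ranked by due date and exposure. What follows is an added example, not code from this report or from CISA: the records are constructed in the real field layout of the KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction, knownRansomwareCampaignUse, cwes), but the due dates, descriptions and the inventory are assumptions for illustration, and matching on vendor/product strings is deliberately simple so the brittleness is visible.

```python
"""Added example (not part of the report or of CISA's tooling): join a CISA KEV JSON feed
to an asset inventory and emit a patch worklist ordered by due date and exposure.
Records follow the layout of the published KEV JSON feed; dates, descriptions and the
inventory below are assumptions for illustration."""
import json
from datetime import date

REQUIRED = "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable."

# Constructed feed: same field names as the real feed, values are illustrative.
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.06.10",
    "dateReleased": "2026-06-10T14:00:00.0000Z",
    "count": 5,
    "vulnerabilities": [
        {"cveID": "CVE-2026-9082", "vendorProject": "Drupal", "product": "Drupal Core",
         "vulnerabilityName": "Drupal Core SQL Injection Vulnerability", "dateAdded": "2026-06-09",
         "dueDate": "2026-06-30", "requiredAction": REQUIRED, "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-89"]},
        {"cveID": "CVE-2025-34291", "vendorProject": "Langflow", "product": "Langflow",
         "vulnerabilityName": "Langflow Origin Validation Error Vulnerability", "dateAdded": "2026-06-09",
         "dueDate": "2026-06-30", "requiredAction": REQUIRED, "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-346"]},
        {"cveID": "CVE-2026-34926", "vendorProject": "Trend Micro", "product": "Apex One",
         "vulnerabilityName": "Trend Micro Apex One Path Traversal Vulnerability", "dateAdded": "2026-06-09",
         "dueDate": "2026-06-30", "requiredAction": REQUIRED, "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-22"]},
        {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Server Service Remote Code Execution Vulnerability", "dateAdded": "2022-02-10",
         "dueDate": "2022-08-10", "requiredAction": REQUIRED, "knownRansomwareCampaignUse": "Known", "cwes": ["CWE-119"]},
        {"cveID": "CVE-2009-1537", "vendorProject": "Microsoft", "product": "DirectX",
         "vulnerabilityName": "Microsoft DirectX Remote Code Execution Vulnerability", "dateAdded": "2022-03-03",
         "dueDate": "2022-09-03", "requiredAction": REQUIRED, "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-94"]},
    ],
})

# Constructed inventory; host names and exposures are placeholders.
INVENTORY = [
    {"host": "web01", "vendor": "Drupal", "product": "Drupal Core", "exposure": "internet"},
    {"host": "ml-lab-03", "vendor": "Langflow", "product": "Langflow", "exposure": "internal"},
    {"host": "av-mgmt-01", "vendor": "Trend Micro", "product": "Apex One", "exposure": "internal"},
    {"host": "legacy-hmi-07", "vendor": "Microsoft", "product": "Windows", "exposure": "isolated"},
    {"host": "proxy02", "vendor": "Nginx", "product": "nginx", "exposure": "internet"},
]

EXPOSURE_RANK = {"internet": 0, "internal": 1, "isolated": 2}


def load_kev(text):
    return json.loads(text)["vulnerabilities"]


def added_since(kev, since_iso):
    """CVE IDs added on or after the given date; run daily so every addition is triaged within 24h."""
    since = date.fromisoformat(since_iso)
    return [v["cveID"] for v in kev if date.fromisoformat(v["dateAdded"]) >= since]


def match_assets(kev, inventory, today_iso):
    """Join on vendor/product (case-insensitive) and rank: overdue first, then exposure, then days left.
    Real inventories need a normalisation table: KEV spells vendors and products its own way."""
    today = date.fromisoformat(today_iso)
    rows = []
    for v in kev:
        key = (v["vendorProject"].lower(), v["product"].lower())
        due = date.fromisoformat(v["dueDate"])
        for asset in inventory:
            if (asset["vendor"].lower(), asset["product"].lower()) != key:
                continue
            rows.append({
                "host": asset["host"], "cve": v["cveID"], "product": v["product"],
                "exposure": asset["exposure"], "due": due.isoformat(),
                "days_left": (due - today).days, "overdue": due < today,
                "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
                "action": v["requiredAction"],
            })
    rows.sort(key=lambda r: (not r["overdue"], EXPOSURE_RANK.get(r["exposure"], 9), r["days_left"]))
    return rows


if __name__ == "__main__":
    catalog = load_kev(KEV_JSON)
    print("new in last 24h:", added_since(catalog, "2026-06-09"))
    for r in match_assets(catalog, INVENTORY, "2026-06-10"):
        flag = "OVERDUE" if r["overdue"] else f"{r['days_left']}d left"
        print(f"{r['host']:<14} {r['cve']:<15} {r['exposure']:<9} due {r['due']} {flag}")
```

Feeding the worklist into a ticketing system is the part that makes BOD 22-01 timelines auditable; the overdue legacy host sorts to the top here even though it is isolated, which is the right outcome because an entry that is years past its due date and flagged for ransomware use is a segmentation decision, not a patch ticket.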