โ† Back to Dashboard
May 09, 2026

Daily Threat Intelligence Report — 2025-07-14

27 IOCs · 10 TTPs · 11 KQL Queries
Executive Summary

Today's threat landscape is dominated by active QakBot and Emotet C2 infrastructure confirmed across five IPs via Feodotracker, alongside a cluster of malware download URLs leveraging lookalike domains identified by URLhaus. CISA has added five critical vulnerabilities to the KEV catalog — including an unauthenticated RCE in Palo Alto Networks PAN-OS (CVE-2026-0300) and an authentication bypass in cPanel & WHM (CVE-2026-41940) — demanding immediate patching priority. GCleaner and Amadey dropper activity is confirmed through multiple MalwareBazaar samples, with RustyStealer payloads observed as downstream artifacts of Amadey infections. SOC teams should immediately block all five Feodotracker C2 IPs, apply available vendor patches for all CISA KEV entries, and hunt for GCleaner/Amadey dropper hashes across endpoints.

#1

Active QakBot and Emotet C2 Infrastructure — Multi-Region Botnet Operations with GCleaner/Amadey Dropper Chain

CRITICAL TA505

Feodotracker has confirmed five actively beaconing C2 servers across US (162.243.103.246 for Emotet; 50.16.16.211 and 34.204.119.63 for QakBot), UK (178.62.3.223 for QakBot), and Japan (27.133.154.218 for QakBot), indicating a globally distributed botnet infrastructure in active use. Concurrent MalwareBazaar submissions show multiple executable samples tagged as 'dropped-by-GCleaner' and 'dropped-by-Amadey', including a confirmed RustyStealer payload (hash: 9f2ea59c627897be4ec0827992bcf23e7e276d75b5235ad85fc89be634012a4d), demonstrating a full initial-access-to-credential-theft kill chain. TA505, historically associated with both QakBot distribution campaigns and large-scale malspam operations, aligns with this multi-stage dropper-to-stealer pattern observed across Feodotracker and MalwareBazaar today. The combination of active botnet beaconing and fresh dropper samples indicates ongoing campaign operations requiring immediate defensive action.

🔴 Indicators of Compromise
IP 162.243.103.246 Emotet C2 server hosted in US — Feodotracker confirmed active
IP 50.16.16.211 QakBot C2 server hosted in US — Feodotracker confirmed active
IP 34.204.119.63 QakBot C2 server hosted in US — Feodotracker confirmed active
IP 178.62.3.223 QakBot C2 server hosted in GB — Feodotracker confirmed active
IP 27.133.154.218 QakBot C2 server hosted in JP — Feodotracker confirmed active
HASH 9f2ea59c627897be4ec0827992bcf23e7e276d75b5235ad85fc89be634012a4d RustyStealer credential-theft payload — dropped by Amadey, tagged d52f85 — MalwareBazaar confirmed
HASH 3339def7f554fc59bbf2658e323167188d579e379502f2c508c04bf3656a9e6e Executable dropper — dropped by Amadey, UPX-packed, tagged d52f85 — MalwareBazaar confirmed
HASH c7fd854a95f0e1c678a4fa9562c6099d7d8053abe15cab6e7129390dd69d7e0c Executable dropper — dropped by Amadey, tagged d52f85 — MalwareBazaar confirmed
HASH 4a1dd2bf737357ff4c32df5b739cc5d8bb0003bcb35fbacc3174d36b2ef77cc0 Executable dropper — dropped by GCleaner, tagged MIX4.file — MalwareBazaar confirmed
HASH 64901be5d14f453599de1caa6b5e7a9d1a4c4f8b99c519bab58cb2108a8a7221 Executable dropper — dropped by GCleaner, tagged MIX8.file — MalwareBazaar confirmed
HASH 9812b46aaa2535f26907820655d781cf9fc31ef19f5bc5a794d3b4caddae9667 Signed executable dropper — dropped by GCleaner, tagged MIX1.file — MalwareBazaar confirmed
🟣 MITRE ATT&CK TTPs
T1566.001 Spearphishing Attachment
T1071.001 Application Layer Protocol — Web Protocols
T1027.002 Obfuscated Files or Information — Software Packing
T1555 Credentials from Password Stores
🟢 Hunt Queries
MDE Hunt for C2 connections to Emotet and QakBot infrastructure

Detects outbound connections to all five Feodotracker-confirmed Emotet and QakBot C2 servers. Any successful connection from an endpoint indicates active botnet infection.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| where ActionType == 'ConnectionSuccess'
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, LocalIP, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by TimeGenerated desc
MDE Detect GCleaner and Amadey dropper execution by SHA256 hash

Searches for execution of known GCleaner-dropped and Amadey-dropped malware samples confirmed in MalwareBazaar across all enrolled endpoints.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    '9f2ea59c627897be4ec0827992bcf23e7e276d75b5235ad85fc89be634012a4d',
    '3339def7f554fc59bbf2658e323167188d579e379502f2c508c04bf3656a9e6e',
    'c7fd854a95f0e1c678a4fa9562c6099d7d8053abe15cab6e7129390dd69d7e0c',
    '4a1dd2bf737357ff4c32df5b739cc5d8bb0003bcb35fbacc3174d36b2ef77cc0',
    '64901be5d14f453599de1caa6b5e7a9d1a4c4f8b99c519bab58cb2108a8a7221',
    '9812b46aaa2535f26907820655d781cf9fc31ef19f5bc5a794d3b4caddae9667'
)
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName, AccountName
| order by TimeGenerated desc
SENTINEL Detect network connections to QakBot and Emotet C2 servers across all log sources

Correlates firewall, proxy, and DNS logs against all five Feodotracker-confirmed C2 IP addresses to identify any host communicating with active QakBot or Emotet infrastructure.

let C2IPs = dynamic(['162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218']);
union CommonSecurityLog, NetworkAccessPolicies, AzureNetworkAnalytics_CL
| where TimeGenerated > ago(24h)
| where DestinationIP in (C2IPs) or SourceIP in (C2IPs)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, Activity, DeviceAction
| order by TimeGenerated desc
MDE Detect credential access behaviour consistent with RustyStealer payload

Identifies processes accessing browser credential stores, consistent with RustyStealer (SHA256: 9f2ea59c627897be4ec0827992bcf23e7e276d75b5235ad85fc89be634012a4d) post-Amadey-drop credential theft behaviour.

DeviceFileEvents
| where TimeGenerated > ago(24h)
| where FolderPath has_any ('\\Login Data', '\\Cookies', '\\Local State', '\\Web Data')
| where InitiatingProcessFileName !in~ ('chrome.exe', 'msedge.exe', 'firefox.exe', 'brave.exe', 'opera.exe')
| where ActionType in ('FileRead', 'FileCopied')
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessCommandLine, FolderPath, FileName, AccountName
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Block all five Feodotracker-confirmed C2 IPs (162.243.103.246, 50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) at perimeter firewall, proxy, and DNS sinkholes
→ IMMEDIATE: Submit all six MalwareBazaar hashes (GCleaner-dropped and Amadey-dropped samples including RustyStealer) to EDR/AV platforms for immediate blocking — prioritise 9f2ea59c627897be4ec0827992bcf23e7e276d75b5235ad85fc89be634012a4d (RustyStealer)
→ IMMEDIATE: Run MDE process event KQL query for all six malware hashes across all enrolled endpoints and escalate any hits as active incident response
→ SHORT-TERM: Execute the Sentinel C2 connection hunt across firewall and proxy logs for the past 7 days to identify any prior beaconing activity
→ SHORT-TERM: Alert SOC L1/L2 analysts to monitor for UPX-packed binary execution in user-writable directories and browser credential store access by non-browser processes
→ SHORT-TERM: Ingest all five Feodotracker C2 IPs and six MalwareBazaar hashes into SIEM threat intelligence feeds and SOAR blocking playbooks
→ LONG-TERM: Review email gateway policies to block executable attachments from external senders; consider mandatory sandboxing for all inbound executables
→ LONG-TERM: Implement network segmentation to restrict workstation-to-internet direct connections and enforce proxy inspection for all outbound HTTP/HTTPS traffic
#2

Multi-Domain Malware Download Infrastructure — linkdataproc.pics and datasrvhub.pics Serving Malicious Payloads

HIGH Unknown Threat Actor

URLhaus has confirmed ten malicious URLs actively serving malware downloads across two primary domain clusters: linkdataproc.pics (hosting check.so via metal, api, dbinst, skyvpn, cmd subdomains) and datasrvhub.pics/webcfgbase.pics (hosting google.ocx via node, fix, cfg subdomains), all sharing the same UUID-based path structure indicating coordinated infrastructure. The use of .so (shared object) and .ocx (OLE control extension) file extensions is a deliberate attempt to masquerade as legitimate system files and evade file-type-based filtering. A third distinct URL (http://45.234.9.227:46365/bin.sh) serves a shell script payload over HTTP on a non-standard port, suggesting a Linux/Unix targeting component to this campaign. The clustered UUID path patterns (73922b30-d888-4af7-9bb4-e76054f7aa33 and c2cb43a1-3db9-486a-a707-ee88bcdb4813) across multiple subdomains indicate a shared backend infrastructure, likely a bulletproof hosting environment designed for resilience against takedown.

🔴 Indicators of Compromise
URL https://metal.linkdataproc.pics/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so Active malware download URL serving .so payload — URLhaus confirmed
URL https://api.linkdataproc.pics/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so Active malware download URL serving .so payload — URLhaus confirmed
URL https://dbinst.linkdataproc.pics/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so Active malware download URL serving .so payload — URLhaus confirmed
URL https://skyvpn.linkdataproc.pics/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so Active malware download URL serving .so payload — URLhaus confirmed
URL https://cmd.linkdataproc.pics/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so Active malware download URL serving .so payload — URLhaus confirmed (HTTPS and HTTP variants active)
URL https://node.datasrvhub.pics/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx Active malware download URL serving .ocx payload masquerading as Google component — URLhaus confirmed
URL https://fix.datasrvhub.pics/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx Active malware download URL serving .ocx payload — URLhaus confirmed
URL https://cfg.webcfgbase.pics/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx Active malware download URL serving .ocx payload — URLhaus confirmed
URL http://45.234.9.227:46365/bin.sh Active malware download URL serving shell script payload over non-standard port — URLhaus confirmed
IP 45.234.9.227 Malware download server hosting bin.sh shell script on port 46365 — URLhaus confirmed
HASH 47b9224be12dd456d2748203e49a92d3e7e02663bb8914059b0ec410e98410c5 Shell script (.sh) malware sample — corroborating shell-based malware delivery observed in URLhaus — MalwareBazaar confirmed
🟣 MITRE ATT&CK TTPs
T1105 Ingress Tool Transfer
T1036.007 Masquerading — Double File Extension
T1059.004 Command and Scripting Interpreter — Unix Shell
🟢 Hunt Queries
MDE Detect DNS queries and connections to malicious malware download domains

Identifies any endpoint resolving or connecting to the URLhaus-confirmed malware download domains linkdataproc.pics, datasrvhub.pics, and webcfgbase.pics, and direct IP connection to 45.234.9.227.

union DeviceNetworkEvents, DeviceDnsEvents
| where TimeGenerated > ago(24h)
| where RemoteIP == '45.234.9.227'
    or RemoteUrl has_any ('linkdataproc.pics', 'datasrvhub.pics', 'webcfgbase.pics')
    or DnsQueryString has_any ('linkdataproc.pics', 'datasrvhub.pics', 'webcfgbase.pics')
| project TimeGenerated, DeviceName, RemoteIP, RemoteUrl, RemotePort, DnsQueryString, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by TimeGenerated desc
MDE Detect .ocx and .so file downloads and execution from external sources

Hunts for download and execution of .ocx OLE control files and .so shared object files from external URLs, consistent with the google.ocx and check.so payloads confirmed by URLhaus.

DeviceFileEvents
| where TimeGenerated > ago(24h)
| where (FileName endswith '.ocx' or FileName endswith '.so')
| where InitiatingProcessFileName has_any ('chrome.exe', 'msedge.exe', 'firefox.exe', 'curl.exe', 'wget.exe', 'powershell.exe', 'cmd.exe', 'wscript.exe', 'mshta.exe')
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by TimeGenerated desc
SENTINEL Detect proxy/firewall connections to URLhaus-confirmed malware download infrastructure

Searches proxy and web gateway logs for any connections to the full set of URLhaus-confirmed malware download URLs including all linkdataproc.pics and datasrvhub.pics subdomains.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any (
    'linkdataproc.pics',
    'datasrvhub.pics',
    'webcfgbase.pics',
    '73922b30-d888-4af7-9bb4-e76054f7aa33',
    'c2cb43a1-3db9-486a-a707-ee88bcdb4813',
    'check.so',
    'google.ocx',
    'bin.sh'
)
or DestinationIP == '45.234.9.227'
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, Activity, DeviceAction, RequestClientApplication
| order by TimeGenerated desc
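The three hunts in this section and the C2-IP hunt in section #1 all reduce to matching log fields against the report's indicators. As an added example (not part of the report or its tooling), the Python below runs that matching over a few constructed key=value proxy/firewall lines: C2 and download-server IPs are exact matches, the three domains are suffix matches so unlisted subdomains are caught, and the campaign UUID path is flagged even on a host the report does not list.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators taken from sections #1 and #2 of the report above.
C2_IPS = {"162.243.103.246", "50.16.16.211", "34.204.119.63",
          "178.62.3.223", "27.133.154.218"}
DOWNLOAD_IPS = {"45.234.9.227"}
MALICIOUS_DOMAINS = {"linkdataproc.pics", "datasrvhub.pics", "webcfgbase.pics"}
CAMPAIGN_UUIDS = {"73922b30-d888-4af7-9bb4-e76054f7aa33",
                  "c2cb43a1-3db9-486a-a707-ee88bcdb4813"}

# Constructed sample proxy/firewall lines (key=value style); not real logs.
SAMPLE_LOGS = [
    "ts=2025-07-14T08:01:12Z src=10.0.4.21 dst=50.16.16.211 dport=443 url=-",
    "ts=2025-07-14T08:02:30Z src=10.0.4.22 dst=203.0.113.9 dport=443 url=https://cmd.linkdataproc.pics/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so",
    "ts=2025-07-14T08:03:05Z src=10.0.4.23 dst=45.234.9.227 dport=46365 url=http://45.234.9.227:46365/bin.sh",
    "ts=2025-07-14T08:04:44Z src=10.0.4.24 dst=198.51.100.7 dport=443 url=https://cdn.example.com/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx",
    "ts=2025-07-14T08:05:10Z src=10.0.4.25 dst=198.51.100.8 dport=443 url=https://www.example.org/index.html",
    "ts=2025-07-14T08:06:00Z src=10.0.4.26 dst=198.51.100.9 dport=443 url=https://notlinkdataproc.pics/x",
]


@dataclass(frozen=True)
class Hit:
    src: str        # internal host that made the connection
    indicator: str  # which indicator matched
    reason: str     # why it matters, with the report section


def parse_line(line):
    return dict(kv.split("=", 1) for kv in line.split())


def domain_matches(host, domains):
    # True for the domain itself and any subdomain; a lookalike such as
    # notlinkdataproc.pics must not match, so a plain substring test is wrong.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_line(line):
    f = parse_line(line)
    hits = []
    dst = f.get("dst", "")
    if dst in C2_IPS:
        hits.append(Hit(f["src"], dst, "Feodotracker C2 IP (#1)"))
    if dst in DOWNLOAD_IPS:
        hits.append(Hit(f["src"], dst, "URLhaus download server (#2)"))
    url = f.get("url", "-")
    if url != "-":
        parts = urlsplit(url)
        if domain_matches(parts.hostname or "", MALICIOUS_DOMAINS):
            hits.append(Hit(f["src"], parts.hostname, "URLhaus domain or subdomain (#2)"))
        for uuid in CAMPAIGN_UUIDS:
            if uuid in parts.path:  # shared backend path, even on an unlisted host
                hits.append(Hit(f["src"], uuid, "campaign UUID path (#2)"))
    return hits


def hunt(lines):
    return [hit for line in lines for hit in check_line(line)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(f"{hit.src} -> {hit.indicator}: {hit.reason}")
```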
✅ Recommended Actions
→ IMMEDIATE: Block all three malicious domains (linkdataproc.pics, datasrvhub.pics, webcfgbase.pics) and all subdomains at DNS resolver, web proxy, and firewall egress rules
→ IMMEDIATE: Block outbound connections to 45.234.9.227 on all ports at perimeter firewall — this IP is actively serving shell script malware on port 46365
→ IMMEDIATE: Add all ten URLhaus-confirmed malicious URLs to web proxy block lists and SIEM alerting rules
→ SHORT-TERM: Run the MDE DNS/network events KQL query to identify any endpoints that have already connected to this infrastructure and initiate incident response for any hits
→ SHORT-TERM: Search proxy and web gateway logs for the UUID strings (73922b30-d888-4af7-9bb4-e76054f7aa33 and c2cb43a1-3db9-486a-a707-ee88bcdb4813) which are unique to this campaign
→ SHORT-TERM: Submit the .sh MalwareBazaar sample hash (47b9224be12dd456d2748203e49a92d3e7e02663bb8914059b0ec410e98410c5) to EDR for blocking
→ LONG-TERM: Implement DNS security filtering (e.g., Cisco Umbrella, Infoblox) with automatic URLhaus feed integration for real-time domain blocking
→ LONG-TERM: Consider blocking the entire .pics TLD at DNS if it is not required for business operations, as this TLD has demonstrated sustained abuse in this campaign
#3

CISA KEV — Five Critical Vulnerabilities Including PAN-OS Unauthenticated RCE and cPanel Authentication Bypass Added to Known Exploited Catalog

MEDIUM Unknown Threat Actor

CISA has added five vulnerabilities to the Known Exploited Vulnerabilities catalog, the most critical being CVE-2026-0300 in Palo Alto Networks PAN-OS — an out-of-bounds write in the User-ID Authentication Portal enabling unauthenticated remote code execution with root privileges on PA-Series and VM-Series firewalls. CVE-2026-41940 in WebPros cPanel & WHM and WP2 allows unauthenticated remote attackers to bypass login authentication and gain full control panel access, directly threatening web hosting infrastructure. CVE-2026-6973 in Ivanti EPMM enables authenticated RCE with administrative access, representing a high-value target given Ivanti's history of active exploitation in enterprise MDM environments. Additionally, CVE-2026-31431 in the Linux Kernel allows privilege escalation via incorrect resource transfer, and CVE-2026-42208 in BerriAI LiteLLM exposes a SQL injection vulnerability that could compromise AI proxy credentials — a novel attack surface in AI infrastructure. All five vulnerabilities have confirmed active exploitation per CISA's KEV inclusion criteria, requiring immediate remediation action.

🔴 Indicators of Compromise
CVE CVE-2026-0300 Palo Alto Networks PAN-OS — Out-of-bounds write in User-ID Authentication Portal — Unauthenticated RCE with root privileges on PA-Series and VM-Series firewalls — CISA KEV confirmed actively exploited
CVE CVE-2026-41940 WebPros cPanel & WHM and WP2 — Authentication bypass in login flow — Unauthenticated remote access to control panel — CISA KEV confirmed actively exploited
CVE CVE-2026-6973 Ivanti Endpoint Manager Mobile (EPMM) — Improper input validation — Authenticated RCE with administrative access — CISA KEV confirmed actively exploited
CVE CVE-2026-31431 Linux Kernel — Incorrect resource transfer between spheres — Local privilege escalation — CISA KEV confirmed actively exploited
CVE CVE-2026-42208 BerriAI LiteLLM — SQL injection vulnerability — Unauthorized access to proxy and managed credentials — CISA KEV confirmed actively exploited
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application
T1068 Exploitation for Privilege Escalation
T1078 Valid Accounts
🟢 Hunt Queries
SENTINEL Detect PAN-OS User-ID Authentication Portal exploitation attempts (CVE-2026-0300)

Hunts for anomalous or malformed requests targeting the Palo Alto Networks PAN-OS User-ID Authentication Portal (Captive Portal service) that may indicate exploitation of CVE-2026-0300.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceVendor == 'Palo Alto Networks' or DeviceProduct has 'PAN-OS'
| where Activity has_any ('captive-portal', 'user-id', 'auth-portal', 'Authentication Portal')
| where DeviceAction != 'allow'
    or Message has_any ('out-of-bounds', 'segfault', 'crash', 'core dump')
| project TimeGenerated, SourceIP, DestinationIP, Activity, DeviceAction, Message, LogSeverity
| order by TimeGenerated desc
SENTINEL Detect cPanel authentication bypass exploitation attempts (CVE-2026-41940)

Identifies suspicious cPanel and WHM authentication events consistent with CVE-2026-41940 exploitation — specifically sessions that bypassed normal authentication flow.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any ('cpanel', 'whm', ':2082', ':2083', ':2086', ':2087', ':2095', ':2096')
| where DeviceAction == 'allow'
| summarize RequestCount=count(), UniqueURLs=dcount(RequestURL) by SourceIP, bin(TimeGenerated, 5m)
| where RequestCount > 10
| order by RequestCount desc
MDE Detect Linux kernel privilege escalation attempts (CVE-2026-31431)

Hunts for process behaviour on Linux endpoints consistent with kernel privilege escalation exploitation of CVE-2026-31431 — unexpected privilege elevation of non-root processes.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where Platform == 'Linux'
| where AccountName != 'root'
| where ProcessIntegrityLevel == 'High' or ProcessIntegrityLevel == 'System'
| where InitiatingProcessAccountName != 'root'
| where FileName !in ('sudo', 'su', 'pkexec', 'newgrp')
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName, ProcessIntegrityLevel
| order by TimeGenerated desc
SENTINEL Detect LiteLLM SQL injection exploitation attempts (CVE-2026-42208)

Identifies SQL injection patterns in requests to LiteLLM proxy endpoints that may indicate active exploitation of CVE-2026-42208.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any ('litellm', '/v1/', '/chat/completions', '/models')
// has_any is a term search and cannot match punctuation such as ' or --; a regex catches those tokens and the %27-encoded quote
| where RequestURL matches regex @"(?i)('|%27|--|/\*|\bUNION\b|\bSELECT\b|\bDROP\b|\bINSERT\b|\bOR\s+1=1\b|\bAND\s+1=1\b|xp_|EXEC\()"
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, RequestMethod, Activity, DeviceAction
| order by TimeGenerated desc
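The LiteLLM hunt above looks for SQL tokens in the request URL, but proxy logs usually hold the URL percent-encoded, sometimes twice, so a literal search for ' or OR 1=1 misses the encoded form. As an added example (not from the report or the LiteLLM project), the Python below decodes before matching, using the same token list with word boundaries so that a legitimate value such as selector is not flagged; the proxy hostnames and URLs are constructed.

```python
import re
from urllib.parse import unquote

# Endpoint markers and injection tokens are the ones listed in the hunt query above.
LITELLM_PATHS = ("litellm", "/v1/", "/chat/completions", "/models")
SQLI_PATTERN = re.compile(
    r"'|--|/\*|\bunion\b|\bselect\b|\bdrop\b|\binsert\b"
    r"|\bor\s+1=1\b|\band\s+1=1\b|xp_|exec\(",
    re.IGNORECASE)


def normalise(url, rounds=2):
    # Percent-decode until the string stops changing (bounded), so that a
    # double-encoded payload such as %2527 ends up as the quote it hides.
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def is_litellm_request(url):
    return any(marker in url for marker in LITELLM_PATHS)


def sqli_tokens(url):
    # Injection tokens found in a LiteLLM proxy request after decoding;
    # [] for clean requests and for URLs that are not LiteLLM endpoints.
    if not is_litellm_request(url):
        return []
    return [m.group(0) for m in SQLI_PATTERN.finditer(normalise(url))]


# Constructed request URLs; not taken from real traffic.
SAMPLE_URLS = [
    "https://llm-proxy.example.internal/v1/models?team=ops",
    "https://llm-proxy.example.internal/v1/models?team=ops%27%20OR%201%3D1--",
    "https://llm-proxy.example.internal/v1/models?team=ops%2527%2520UNION%2520SELECT",
    "https://llm-proxy.example.internal/v1/chat/completions?model=selector-v2",
    "https://intranet.example.internal/search?q=select%20all",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", sqli_tokens(url) or "clean")
```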
✅ Recommended Actions
→ IMMEDIATE (Federal/CISA BOD 22-01 compliance deadline applies): Apply vendor patches for all five CVEs — CVE-2026-0300, CVE-2026-41940, CVE-2026-6973, CVE-2026-31431, CVE-2026-42208
→ IMMEDIATE (CVE-2026-0300 — PAN-OS): If patch is unavailable, implement CISA-specified workaround — restrict User-ID Authentication Portal access to only trusted zones and disable if not required
→ IMMEDIATE (CVE-2026-41940 — cPanel): Audit all cPanel/WHM instances for signs of unauthorised access since CISA KEV listing; review access logs for authentication anomalies
→ IMMEDIATE (CVE-2026-6973 — Ivanti EPMM): Verify administrative access to Ivanti EPMM is restricted to trusted IP ranges and MFA is enforced; review device enrollment logs for rogue device registration
→ SHORT-TERM: Run all four SENTINEL/MDE KQL detection queries to identify any exploitation attempts in the past 24 hours
→ SHORT-TERM (CVE-2026-31431 — Linux Kernel): Inventory all Linux systems and prioritise kernel updates; implement SELinux/AppArmor policies to limit privilege escalation attack surface
→ SHORT-TERM (CVE-2026-42208 — LiteLLM): Rotate all API keys and credentials managed by any LiteLLM proxy instances; review database access logs for unauthorised queries
→ LONG-TERM: Integrate CISA KEV feed into vulnerability management platform for automatic prioritisation of actively-exploited vulnerabilities; target remediation SLA of 24-72 hours for all KEV additions