Daily Threat Intelligence Report - 2025-07-14
Today's threat landscape is dominated by active QakBot and Emotet C2 infrastructure confirmed across five IPs via Feodotracker, alongside a cluster of malware download URLs leveraging lookalike domains identified by URLhaus. CISA has added five critical vulnerabilities to the KEV catalog, including an unauthenticated RCE in Palo Alto Networks PAN-OS (CVE-2026-0300) and an authentication bypass in cPanel & WHM (CVE-2026-41940), which demand immediate patching priority. GCleaner and Amadey dropper activity is confirmed through multiple MalwareBazaar samples, with RustyStealer payloads observed as downstream artifacts of Amadey infections. SOC teams should immediately block all five Feodotracker C2 IPs, apply available vendor patches for all CISA KEV entries, and hunt for GCleaner/Amadey dropper hashes across endpoints.
Active QakBot and Emotet C2 Infrastructure - Multi-Region Botnet Operations with GCleaner/Amadey Dropper Chain
Severity: CRITICAL | Attributed actor: TA505
Feodotracker has confirmed five actively beaconing C2 servers across the US (162.243.103.246 for Emotet; 50.16.16.211 and 34.204.119.63 for QakBot), the UK (178.62.3.223 for QakBot), and Japan (27.133.154.218 for QakBot), indicating a globally distributed botnet infrastructure in active use. Concurrent MalwareBazaar submissions show multiple executable samples tagged as 'dropped-by-GCleaner' and 'dropped-by-Amadey', including a confirmed RustyStealer payload (SHA-256: 9f2ea59c627897be4ec0827992bcf23e7e276d75b5235ad85fc89be634012a4d), demonstrating a full initial-access-to-credential-theft kill chain. The attribution to TA505, historically associated with both QakBot distribution campaigns and large-scale malspam operations, is consistent with the multi-stage dropper-to-stealer pattern observed across Feodotracker and MalwareBazaar today. The combination of active botnet beaconing and fresh dropper samples indicates ongoing campaign operations requiring immediate defensive action.
Multi-Domain Malware Download Infrastructure - linkdataproc.pics and datasrvhub.pics Serving Malicious Payloads
Severity: HIGH | Attributed actor: unknown
URLhaus has confirmed ten malicious URLs actively serving malware downloads across two primary domain clusters: linkdataproc.pics (hosting check.so via the metal, api, dbinst, skyvpn and cmd subdomains) and datasrvhub.pics/webcfgbase.pics (hosting google.ocx via the node, fix and cfg subdomains), all sharing the same UUID-based path structure, which indicates coordinated infrastructure. The use of .so (shared object) and .ocx (OLE control extension) file extensions is a deliberate attempt to masquerade as legitimate system files and evade file-type-based filtering. A third distinct URL (http://45.234.9.227:46365/bin.sh) serves a shell script payload over HTTP on a non-standard port, suggesting a Linux/Unix targeting component to this campaign. The clustered UUID path patterns (73922b30-d888-4af7-9bb4-e76054f7aa33 and c2cb43a1-3db9-486a-a707-ee88bcdb4813) across multiple subdomains indicate a shared backend infrastructure, likely a bulletproof hosting environment designed for resilience against takedown.
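As an added example (not tooling from this report, nor from Feodotracker, URLhaus or MalwareBazaar), the following Python sweep applies the indicators from the two sections above in one pass: the Feodotracker C2 IPs and the bin.sh host, the URLhaus domain clusters with their shared UUID path components and masquerading extensions, and the RustyStealer SHA-256. It runs over constructed proxy log lines and a constructed hash inventory; the log layout, the sample lines, the destination addresses and the position of the UUID inside the .pics URL paths are assumptions for demonstration, not values taken from URLhaus.

```python
"""IoC sweep for the indicators in this report.

Added example; not part of the report or of the Feodotracker/URLhaus/
MalwareBazaar projects. Indicator values are copied from the report. The log
format, sample log lines, destination addresses and hash inventory are
constructed; the UUID's position in the .pics URL paths is an assumption.
"""
import re
from urllib.parse import urlsplit

# Feodotracker C2 IPs plus the bin.sh host named in the report.
C2_IPS = {
    "162.243.103.246": "Emotet C2 (US)",
    "50.16.16.211": "QakBot C2 (US)",
    "34.204.119.63": "QakBot C2 (US)",
    "178.62.3.223": "QakBot C2 (UK)",
    "27.133.154.218": "QakBot C2 (JP)",
    "45.234.9.227": "bin.sh shell-script host (port 46365)",
}
# URLhaus domain clusters; any subdomain of these counts as a match.
MALWARE_DOMAINS = {"linkdataproc.pics", "datasrvhub.pics", "webcfgbase.pics"}
# Shared UUID path components that tie the subdomains to one backend.
CLUSTER_UUIDS = {
    "73922b30-d888-4af7-9bb4-e76054f7aa33",
    "c2cb43a1-3db9-486a-a707-ee88bcdb4813",
}
# Extensions the payloads use to look like system files (check.so, google.ocx).
MASQUERADE_EXT = (".so", ".ocx")
# MalwareBazaar SHA-256 from the report.
DROPPER_HASHES = {
    "9f2ea59c627897be4ec0827992bcf23e7e276d75b5235ad85fc89be634012a4d":
        "RustyStealer payload, dropped by Amadey",
}

# Constructed log layout: "<timestamp> <src_ip> <dst_ip> <method> <url>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def classify_url(url):
    """Return the reasons a URL matches the report's infrastructure ([] if none).

    The extension check only annotates an existing host/path match: a .so or
    .ocx download on its own is not evidence of anything.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    for domain in MALWARE_DOMAINS:
        if host == domain or host.endswith("." + domain):
            reasons.append(f"domain {domain}")
    if host in C2_IPS:
        reasons.append(f"C2 host {host}: {C2_IPS[host]}")
    for uuid in CLUSTER_UUIDS:
        if uuid in parts.path:
            reasons.append(f"cluster uuid {uuid}")
    if reasons and parts.path.lower().endswith(MASQUERADE_EXT):
        reasons.append("masquerading extension " + parts.path.rsplit(".", 1)[-1])
    return reasons


def sweep_logs(lines):
    """Return (src_ip, url, reasons) for every log line touching an indicator."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # constructed format only; unparsable lines are skipped
        _ts, src, dst, _method, url = match.groups()
        reasons = classify_url(url)
        host = (urlsplit(url).hostname or "").lower()
        # Beacons straight to a C2 IP whose URL does not name that IP.
        if dst in C2_IPS and dst != host:
            reasons.append(f"C2 dst {dst}: {C2_IPS[dst]}")
        if reasons:
            hits.append((src, url, reasons))
    return hits


def sweep_hashes(observed):
    """Map each observed SHA-256 that is a known dropper artifact to its label."""
    return {h: DROPPER_HASHES[h.lower()] for h in observed if h.lower() in DROPPER_HASHES}


# Constructed sample data: RFC 1918 clients, TEST-NET destination addresses
# for the .pics hosts, and one benign request.
SAMPLE_LOGS = [
    "2025-07-14T08:01:02Z 10.0.0.15 162.243.103.246 POST https://162.243.103.246/",
    "2025-07-14T08:02:10Z 10.0.0.22 192.0.2.10 GET https://example.com/index.html",
    "2025-07-14T08:03:44Z 10.0.0.31 203.0.113.7 GET http://api.linkdataproc.pics/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so",
    "2025-07-14T08:05:00Z 10.0.0.31 45.234.9.227 GET http://45.234.9.227:46365/bin.sh",
    "2025-07-14T08:06:30Z 10.0.0.40 198.51.100.9 GET https://cfg.webcfgbase.pics/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx",
]
SAMPLE_HASHES = [
    "9F2EA59C627897BE4EC0827992BCF23E7E276D75B5235AD85FC89BE634012A4D",  # report hash, uppercased
    "0" * 64,  # constructed benign placeholder
]

if __name__ == "__main__":
    for src, url, reasons in sweep_logs(SAMPLE_LOGS):
        print(f"{src} -> {url}\n    " + "; ".join(reasons))
    for digest, label in sweep_hashes(SAMPLE_HASHES).items():
        print(f"hash {digest[:16]}...: {label}")
```

A match on the domain, the UUID path component or a C2 address is the actionable signal; the extension flag only annotates a hit that already exists, since .so and .ocx downloads are common and benign on their own. Hash comparison is case-insensitive because EDR exports and MalwareBazaar differ in hex casing.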
CISA KEV - Five Critical Vulnerabilities Including PAN-OS Unauthenticated RCE and cPanel Authentication Bypass Added to Known Exploited Catalog
Severity: MEDIUM | Attributed actor: unknown
CISA has added five vulnerabilities to the Known Exploited Vulnerabilities catalog, the most critical being CVE-2026-0300 in Palo Alto Networks PAN-OS, an out-of-bounds write in the User-ID Authentication Portal enabling unauthenticated remote code execution with root privileges on PA-Series and VM-Series firewalls. CVE-2026-41940 in WebPros cPanel & WHM and WP2 allows unauthenticated remote attackers to bypass login authentication and gain full control panel access, directly threatening web hosting infrastructure. CVE-2026-6973 in Ivanti EPMM enables authenticated RCE with administrative access, representing a high-value target given Ivanti's history of active exploitation in enterprise MDM environments. Additionally, CVE-2026-31431 in the Linux Kernel allows privilege escalation via incorrect resource transfer, and CVE-2026-42208 in BerriAI LiteLLM exposes a SQL injection vulnerability that could compromise AI proxy credentials, a novel attack surface in AI infrastructure. All five vulnerabilities have confirmed active exploitation per CISA's KEV inclusion criteria, requiring immediate remediation action.