News
Microsoft released a mitigation for YellowKey (CVE-2026-45585), a BitLocker bypass vulnerability that was publicly disclosed last week. The Hacker News (opens in new tab)
GitHub confirmed 3,800 internal repositories were breached after an employee installed a malicious VS Code extension. Bleeping Computer (opens in new tab)
A new Shai-Hulud supply-chain wave published more than 600 malicious npm packages. Bleeping Computer (opens in new tab)
Developer workstations are now squarely part of the software supply chain. Package registries and CI pipelines matter, but the SSH keys, PATs, and tokens sitting on local machines are still an entry path. The Hacker News (opens in new tab)
Microsoft also confirmed non-dismissible Teams location prompts on macOS after a macOS update. Bleeping Computer (opens in new tab)
Ransomware Claims
14 claims posted across 9 groups, covering 11 countries and 5 sectors over the past 24 hours.
Most active groups: Krybit (3), Nova (2), Dragonforce (2), Akira (2).
Targeted sectors: Business Services (4), Manufacturing (3), Technology (1), Education (1), Financial Services (1).
Countries hit: PL (2), AT (2), ES, TW, CY, US, GB, DE, and several others.
C2 Observations
1,242 family-host pairs were observed in the last 24 hours, spanning 159 malware families across 561 unique C2 hosts. Top families by C2 count:
| Family | C2 Endpoints |
|---|---|
| AsyncRAT | 149 |
| Remcos | 80 |
| NanoCore | 63 |
| Quasar | 63 |
| XWorm | 60 |
| Remus Stealer | 47 |
| Vidar | 36 |
| RedLine | 29 |
| Cobalt Strike | 28 |
| Remus | 26 |
| SmokeLoader | 26 |
| DonutLoader | 23 |
Shared Hosts
Several infrastructure hosts served as concentration points for multiple malware families.
| Host | Families | AS / Country |
|---|---|---|
| 176[.]46[.]152[.]46 | 63 family labels, including Amadey, Cobalt Strike, Lumma, NanoCore, Quasar, Remcos, RedLine, SmokeLoader, Vidar, XWorm | Farahoosh Dena PLC, IR |
| api[.]telegram[.]org | 51 family labels, including AgentTesla, Amadey, AsyncRAT, Cobalt Strike, DonutLoader, Quasar, RedLine, Remcos, Vidar, XWorm | Telegram Messenger Inc, VG |
| 193[.]161[.]193[.]99 | 48 family labels, including Amadey, AsyncRAT, Cobalt Strike, Lumma, Quasar, RedLine, Remcos, Vidar, XWorm | OOO GETWIFI, RU |
| 5[.]101[.]82[.]4 | 40 family labels, including Amadey, AsyncRAT, Cobalt Strike, DonutLoader, Quasar, RedLine, Remcos, Vidar, XWorm | GTHost, US |
| 51[.]77[.]77[.]161 | 34 family labels, including Amadey, AsyncRAT, Cobalt Strike, Dragonforce, Quasar, RedLine, StealC, Vidar, XWorm | OVH SAS, FR |
Quad9 DNS Activity
25 of the 561 unique C2 hosts triggered Quad9 blocking in the past 24 hours.
Top 10 New Quad9 C2 Blocks (24hour)
| Host | Families | Blocked C2 events | Top countries |
|---|---|---|---|
| sunwin[.]ke | Quasar | 2,357 | VN, DE, US, GB, CH |
| 69sexy[.]duckdns[.]org | Mirai | 1,746 | DE, AT, US, NZ, GH |
| f****er1[.]duckdns[.]org | Mirai | 1,546 | DE, US, SE, IE, NL |
| popit[.]io | AsyncRAT, NanoCore | 1,354 | US, VN, FR, RU, CH |
| doctopus[.]io | AsyncRAT | 1,230 | US, DE, BR, FR, SG |
| honeypotresearchteam[.]duckdns[.]org | Remcos | 1,004 | BH, JO, IN, US |
| qtumeco[.]io | AsyncRAT | 979 | US, ES, CH, FR, RU |
| www[.]echodex[.]io | AsyncRAT | 733 | US, FR, DE, VN, NL |
| component-warehouse[.]co[.]uk | AsyncRAT | 715 | VN, US, CH, RU, DE |
| kolt[.]io | AsyncRAT | 598 | US, IN, FR, CH, RU |
Top 10 All C2 DB Quad9 C2 Blocks (24hour)
| Host | Blocked C2 events | Top countries |
|---|---|---|
| ff[.]vvbb321[.]com | 413,137 | DE, US |
| ff[.]aass654[.]com | 413,132 | DE, US |
| ff[.]nnmm234[.]com | 413,126 | DE |
| ff[.]jjkk567[.]com | 413,121 | DE, US |
| ff[.]xxcc789[.]com | 413,119 | DE, US |
| hh[.]jjkk567[.]com | 357,727 | LK, IN, US, RU |
| hh[.]nnmm234[.]com | 357,721 | LK, CH, RU, US |
| hh[.]aass654[.]com | 357,719 | LK, US, CH, RU |
| hh[.]xxcc789[.]com | 357,716 | LK, IN, US |
| cc[.]nnmm234[.]com | 134,176 | US |
Infrastructure
561 unique C2 hosts mapped across 37 countries, 151 providers, and 5 infrastructure types.
| Provider | C2 hosts |
|---|---|
| Cloudflare | 184 |
| DigitalOcean | 36 |
| Alibaba Advertising | 17 |
| Amazon | 12 |
| Great Flower | 11 |
| Hetzner | 11 |
| Omegatech | 11 |
| unknown | 10 |
| OOO GETWIFI | 8 |
| 7 |
The US led with 309 C2 hosts, followed by China at 35, Germany at 31, the UK at 24, and Russia at 23. Hosting carried 484 hosts, ISP space held 52, unknown infrastructure held 10, business networks held 9, and sinkholes held 6.