A Day In Cybercrime with DERP delivers a daily cybercrime and threat intelligence overview covering news, package manager malware, ransomware claims, C2 observations, and infrastructure.
News
Charter Communications data breach affects 4.9 million accounts
Bleeping Computer | today at 5:02 AM Eastern
The ShinyHunters extortion gang stole personal information from 4.9 million accounts after hacking Charter Communications in early April. Operators should monitor for exposed customer data and potential follow-on phishing campaigns targeting affected users.
BTMOB Android malware service generates custom phishing payloads
Bleeping Computer | May 28 at 6:02 PM Eastern
An Android remote access trojan named BTMOB is offered as a malware-as-a-service platform with a builder interface for generating custom phishing payloads. Defenders should watch for APK files requesting excessive permissions and review sideloading policies on managed devices.
Hackers exploit FortiClient EMS flaw to push infostealer malware
Bleeping Computer | May 28 at 2:02 PM Eastern
Hackers are exploiting an authentication bypass vulnerability (CVE-2026-35616) in FortiClient EMS to deliver an undocumented infostealer disguised as a Fortinet update. Organizations running FortiClient EMS should prioritize patching and inspect VPN scripting workflows for unauthorized execution.
VU#780781: Casdoor contains multiple authentication bypass and access management vulnerabilities
CERT/CC | May 28 at 1:02 PM Eastern
Casdoor versions 2.362.0 and earlier contain multiple authentication bypass and access management vulnerabilities in SAML processing, account binding, and token exchange. Teams using Casdoor for identity federation should audit SAML configurations and apply updates immediately.
GPU mining malware spreads via SEO poisoning, AI chatbots
Bleeping Computer | today at 6:02 AM Eastern
Threat actors are targeting high-performance systems with cryptojacking malware spread through SEO-poisoned download pages for utilities like CrystalDiskInfo and HWMonitor. Operators should verify software download sources and monitor for unauthorized ScreenConnect remote management tool installations.
Package Manager Malware
OSV reported 91 MAL advisories covering 91 packages across 2 repositories: PyPI 56, npm 35.
One promoted host was present in the OSV data. It was observed hosting an npm package with exfil_endpoint behavior, indicating active payload delivery infrastructure tied to the MAL advisory.
| OSV ID | Repository | Package | Feed Classes | Roles | Hosts |
|---|---|---|---|---|---|
| MAL-2026-4404 | npm | @loans/vehicles-api | exfil_endpoint | exfil_endpoint | oob[.]moika.tech |
Ransomware Claims
42 ransomware claims posted across 12 groups, 13 countries, and 9 sectors in the past 24 hours.
Qilin and Everest together account for over half of the 42 claims, with manufacturing and healthcare as the most targeted sectors.
| Group | Claims |
|---|---|
| Qilin | 14 |
| Everest | 9 |
| Thegentlemen | 6 |
| Akira | 4 |
| Chaos | 2 |
| Ailock | 1 |
| Auditteam | 1 |
| Cmdorganization | 1 |
| Genesis | 1 |
| Incransom | 1 |
| leakeddata | 1 |
| Worldleaks | 1 |
Countries hit: US (22), DE (3), MX (2), JP (2), AU (2), GB (1), IT (1), CL (1), RU (1), KW (1).
Targeted sectors: Manufacturing (10), Healthcare (9), Business Services (7), Agriculture and Food Production (3), Technology (2), Transportation/Logistics (2), Consumer Services (1), Financial Services (1), Education (1).
C2 Observations
391 C2 observations landed across 45 malware families, with 349 unique hosts and 24 shared hosts.
Clearfake dominates with 119 C2s, more than double the next family, while 24 shared hosts indicate multi-family infrastructure reuse.
| Family | C2s |
|---|---|
| clearfake | 119 |
| smokeloader | 45 |
| magecart | 41 |
| asyncrat | 29 |
| nanocore | 17 |
| latrodectus | 11 |
| redline | 9 |
| remcos | 9 |
| cobaltstrike | 8 |
| meshagent | 8 |
| vidar | 8 |
| xworm | 8 |
Shared Hosts
Shared hosts in this run show five families co-located on the same IPs and domains, suggesting a common operator or bulletproof hosting provider supporting multiple malware strains.
| Host | Family Count | Selected Families | AS / Country |
|---|---|---|---|
| sa-us-bucket[.]s3.us-east-2.amazonaws.com | 5 | fabookie, gcleaner, redline, smokeloader, socelars | Amazon.com, Inc. / US |
| esmic[.]at | 5 | fabookie, gcleaner, redline, smokeloader, socelars | Hetzner Online GmbH / DE |
| cittrans[.]ru | 5 | fabookie, gcleaner, redline, smokeloader, socelars | Hetzner Online GmbH / DE |
| channelpi[.]com | 5 | fabookie, gcleaner, redline, smokeloader, socelars | Hetzner Online GmbH / DE |
| 37[.]0.8.39 | 5 | fabookie, gcleaner, redline, smokeloader, socelars | CoreISP Group Limited / GB |
| 203[.]159.80.49 | 5 | fabookie, gcleaner, redline, smokeloader, socelars | Gamers Club Ltda / BR |
| marden[.]com.co | 2 | asyncrat, nanocore | Cloudflare, Inc. / US |
| plon[.]io | 2 | asyncrat, nanocore | Cloudflare, Inc. / US |
| 12rw[.]io | 2 | asyncrat, nanocore | Cloudflare, Inc. / US |
| www[.]gdssic.in.net | 2 | asyncrat, nanocore | Cloudflare, Inc. / US |
| gdssic[.]in.net | 2 | asyncrat, nanocore | Cloudflare, Inc. / US |
| mediax[.]africa | 2 | asyncrat, nanocore | Cloudflare, Inc. / US |
Quad9 DNS Activity
Quad9 resolver blocking data shows clearfake-related domains generating the highest event counts among C2-tagged hosts, with top query origins in Germany and the US.
Top 10 New Quad9 C2 Blocks (24-hour)
| Host | Families | Blocked Events | Top Countries |
|---|---|---|---|
| megamegalodon[.]click | - | 108 | DE, RU, US, CH, VN |
| remolsoeiez[.]shop | remcos | 94 | US, CH, RU |
| smoothcompass[.]top | smartapesg | 93 | US, GB, ZA, EC, SE |
| dvzzer4n[.]parossag.hu | clearfake | 85 | DE, US, AE, CH, FR |
| fjtdm[.]sm188wing.cyou | clearfake | 81 | DE, CH |
| gzhcn[.]sm188login.sbs | clearfake | 81 | DE, CH, CA, US |
| nzaqn[.]sm188login.cyou | clearfake | 48 | DE, CH, RU, US |
| xqorxfh1[.]seresniki.com | clearfake | 34 | DE, IL, US, RU, CH |
| styleussles[.]com | magecart | 29 | DE, SG, NL, MV, PK |
| bhulekh[.]co.com | nanocore | 27 | US, GB, NL, DE, ES |
Top 10 All C2 DB Quad9 C2 Blocks (24-hour)
| Host | Blocked Events | Top Countries |
|---|---|---|
| ff[.]xxcc789.com | 306,030 | DE, US |
| ff[.]jjkk567.com | 306,024 | DE, US |
| ff[.]aass654.com | 306,011 | DE |
| ff[.]nnmm234.com | 305,971 | DE |
| ff[.]vvbb321.com | 305,819 | DE |
| topbannersun[.]com | 188,907 | ID, ET, MU, BD, BR |
| cc[.]xxcc789.com | 107,692 | US |
| cc[.]jjkk567.com | 107,593 | US, IN |
| cc[.]aass654.com | 107,469 | US |
| cc[.]nnmm234.com | 107,259 | US |
Infrastructure
Download-host infrastructure covered 370 hosts across 26 countries, 75 providers, and 5 infrastructure types.
Cloudflare hosts 224 of 370 C2s, with the US accounting for 291 hosts, indicating heavy reliance on CDN-based hosting and US-based providers for command-and-control infrastructure.
| Provider | Download Hosts |
|---|---|
| Cloudflare | 224 |
| (provider not listed) | 22 |
| Hetzner Online GmbH | 17 |
| HostPapa | 6 |
| Amazon.com | 5 |
| DataWeb Global Group B.V. | 4 |
| DigitalOcean | 4 |
| OVH SAS | 4 |
| CenturyLink Communications | 3 |
| Paradise Networks | 3 |