A Day In Cybercrime with DERP delivers daily cybercrime and threat intelligence overviews, covering news, package manager malware, ransomware claims, C2 observations, and infrastructure.
News
Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks
Bleeping Computer | May 30 at 3:02 PM Eastern
Palo Alto Networks warned that CVE-2026-0257, a PAN-OS GlobalProtect authentication bypass flaw, is now under active exploitation. Operators should verify that their GlobalProtect portals and gateways are patched against unauthorized VPN connections.
ChatGPT share links abused to host fake outage pages to deliver malware
Bleeping Computer | today at 6:02 AM Eastern
Threat actors are abusing ChatGPT's share link feature to host fake OpenAI outage pages that deliver malware via Google ads. The LLMShare campaign uses legitimate chatgpt.com URLs to bypass security filters.
California AG sues 23andMe over 2023 breach exposing health data
Bleeping Computer | today at 6:02 AM Eastern
California's Attorney General sued 23andMe over the 2023 breach that exposed nearly 7 million customers' sensitive data, including 855,541 Californians. The lawsuit highlights the long tail of regulatory consequences from credential theft and data leaks.
New Russia-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks
The Hacker News | today at 6:02 AM Eastern
A new Russian-linked threat actor, GREYVIBE, is targeting Ukrainian entities with AI-powered spear-phishing, fake captcha pages, and fraudulent adult websites. The group's custom obfuscators and loaders show overlap with the broader Russian cybercrime ecosystem.
BTMOB Android malware service generates custom phishing payloads
Bleeping Computer | today at 6:02 AM Eastern
BTMOB, an Android RAT sold as a malware-as-a-service platform, includes a builder interface for generating custom phishing payloads without coding. Operators should watch for APKs requesting excessive permissions and disabling Google Play Protect.
Package Manager Malware
OSV reported 48 MAL advisories across repositories: PyPI: 3, npm: 45.
That covers 48 packages across 2 repositories.
4 promoted hosts were present in the OSV data.
| OSV ID | Repository | Package | Feed Classes | Roles | Hosts |
|---|---|---|---|---|---|
| MAL-2026-5086 | PyPI | polymarket-data | malware_infra | malware_infra | bold-river-456[.]onrender.com, ideal-octo-spoon[.]onrender.com, quiet-sky-123[.]onrender.com |
| MAL-2026-5031 | npm | @capibar.chat/ui-kit | c2, exfil_endpoint | c2, exfil_endpoint | oob[.]moika.tech |
| MAL-2026-4882 | npm | @cloudplatform-single-spa/administration | c2_config | config_or_webhook | oob[.]moika.tech |
| MAL-2026-4888 | npm | @cloudplatform-single-spa/arenadata-db | c2_config | config_or_webhook | oob[.]moika.tech |
| MAL-2026-4891 | npm | @cloudplatform-single-spa/base-static-page | c2_config | config_or_webhook | oob[.]moika.tech |
| MAL-2026-4893 | npm | @cloudplatform-single-spa/business-solutions | c2_config | config_or_webhook | oob[.]moika.tech |
| MAL-2026-4896 | npm | @cloudplatform-single-spa/cloud-dns | c2_config | config_or_webhook | oob[.]moika.tech |
| MAL-2026-4898 | npm | @cloudplatform-single-spa/cnapp-ui | c2_config | config_or_webhook | oob[.]moika.tech |
| MAL-2026-4901 | npm | @cloudplatform-single-spa/cp-api-gw | c2_config | config_or_webhook | oob[.]moika.tech |
| MAL-2026-4902 | npm | @cloudplatform-single-spa/datagrid | c2_config | config_or_webhook | oob[.]moika.tech |
Ransomware Claims
15 ransomware claims posted across 7 groups, 6 countries, and 8 sectors in the past 24 hours.
Genesis led with 5 claims, followed by Coinbasecartel with 3; the remaining 5 groups each posted 1-2 claims, a moderate spread across 7 groups.
| Group | Claims |
|---|---|
| Genesis | 5 |
| Coinbasecartel | 3 |
| Nova | 2 |
| Termite | 2 |
| Cmdorganization | 1 |
| Gunra | 1 |
| Krybit | 1 |
Countries hit: US (9), IN (1), FR (1), GB (1), VN (1), BR (1).
Targeted sectors: Business Services (3), Technology (3), Manufacturing (2), Healthcare (1), Energy (1), Financial Services (1), Education (1), Transportation/Logistics (1).
C2 Observations
828 C2 observations landed across 31 malware families, with 824 unique hosts and 3 shared hosts.
AsyncRAT accounted for 656 of 828 C2 observations, a 79% concentration, with 3 shared hosts hosting multiple families.
| Family | C2s |
|---|---|
| asyncrat | 656 |
| clearfake | 88 |
| vshell | 16 |
| mirai | 12 |
| iclickfix | 6 |
| cobaltstrike | 5 |
| quasar | 5 |
| remcos | 4 |
| valleyrat_s2 | 4 |
| redtail | 3 |
| sectoprat | 3 |
| xworm | 3 |
Shared Hosts
Three hosts each served multiple C2 families, indicating shared infrastructure reuse: one German host ran AsyncRAT, HijackLoader, and Remcos; an Indian host ran CustomerLoader and Quasar; a Hong Kong host ran DonutLoader and ValleyRAT.
| Host | Family Count | Selected Families | AS / Country |
|---|---|---|---|
| olayaligia1458[.]loseyourip.com | 3 | asyncrat, hijackloader, remcos | 1337 Services GmbH / DE |
| 103[.]165.11.137 | 2 | customerloader, quasar | SOFTERINT TECHNOLOGY (OPC) PRIVATE LIMITED / IN |
| 143[.]92.34.163 | 2 | donutloader, valleyrat_s2 | CTG Server Limited / HK |
Quad9 DNS Activity
Quad9 blocked 2 C2 hosts in the last 24 hours, with AsyncRAT and Clearfake domains drawing queries from multiple countries including Switzerland, Vietnam, and Germany.
Top 10 New Quad9 C2 Blocks (24-hour)
| Host | Families | Blocked Events | Top Countries |
|---|---|---|---|
| z[.]phimtoico.blog | asyncrat | 55 | CH, VN, KE, US, PH |
| e0vt7hv0[.]saostar.biz | clearfake | 13 | DE, CH, JP, US |
Top 10 All C2 DB Quad9 C2 Blocks (24-hour)
| Host | Blocked Events | Top Countries |
|---|---|---|
| 1[.]hikvision-cctv.su | 394,613 | PK, OM, BR, US, FR |
| ff[.]xxcc789.com | 202,170 | DE |
| ff[.]nnmm234.com | 202,110 | DE |
| ff[.]aass654.com | 202,092 | DE |
| ff[.]jjkk567.com | 202,086 | DE |
| ff[.]vvbb321.com | 202,082 | DE |
| filev2[.]getsession.org | 198,181 | DE, NL, SG, GB, AE |
| topbannersun[.]com | 119,971 | ID, ET, MU, BD, CH |
| hh[.]jjkk567.com | 116,639 | LK, US |
| hh[.]nnmm234.com | 116,634 | LK, US |
Infrastructure
Download-host infrastructure covered 851 hosts across 25 countries, 84 providers, and 4 infrastructure types.
C2 hosting concentrated in the US (392 hosts) and France (136), with Cloudflare (346) and OVH (135) as top providers. Hosting infrastructure accounted for 819 of 851 C2 hosts.
| Provider | Download Hosts |
|---|---|
| Cloudflare | 346 |
| OVH SAS | 135 |
| DataWeb Global Group B.V. | 51 |
| velia.net Internetdienste GmbH | 41 |
| Akamai Connected Cloud | 37 |
| Scalaxy B.V. | 31 |
| Datacamp | 27 |
| Team Internet AG | 21 |
| Viettel Group | 19 |
| Trellian Pty. | 14 |