News
A 9-year-old Linux kernel vulnerability went undetected until now. The flaw allows root command execution on major distributions. The Hacker News (2026-05-21 08:00 UTC)
GitHub traced the TanStack npm supply-chain attack back to a breached repository. Attackers gained access through a malicious Nx Console VS Code extension. Bleeping Computer (2026-05-21 08:00 UTC)
TeamPCP is poisoning open-source code at an unprecedented scale. The group has hit hundreds of organizations through software supply-chain attacks, and GitHub was just the latest victim. WIRED (2026-05-21 10:00 UTC)
Microsoft patched two Defender zero-day vulnerabilities that were already being exploited in attacks. Bleeping Computer (2026-05-21 09:00 UTC)
A highly critical Drupal core flaw exposes PostgreSQL-backed sites to remote code execution. Updates are available. The Hacker News (2026-05-21 05:00 UTC)
Ransomware Claims
16 claims posted across 6 groups in the past 24 hours.
| Group | Claims |
|---|---|
| Qilin | 7 |
| Pure Extraction And Ransom | 4 |
| Shadowbyt3$ | 2 |
| bashe | 1 |
| Akira | 1 |
| Dragonforce | 1 |
Countries hit: US (8), GB (2), DE, IN, CZ, AR, CA.
Targeted sectors: Consumer Services (3), Hospitality and Tourism (2), Business Services (2), Construction (2), Agriculture and Food Production (2), Public Sector (1), Financial Services (1).
C2 Observations
769 C2 endpoints observed in the last 24 hours, spanning 129 malware families. Top families by C2 count:
| Family | C2 Endpoints |
|---|---|
| Remcos | 80 |
| AsyncRAT | 79 |
| NanoCore | 38 |
| XWorm | 34 |
| MeshAgent | 29 |
| Vidar | 23 |
| StealC | 21 |
| Quasar | 21 |
| ValleyRAT S2 | 21 |
| Remus Stealer | 19 |
| DonutLoader | 19 |
| Remus | 18 |
Shared Hosts
Several infrastructure hosts served as concentration points for multiple malware families.
| Host | Families | AS / Country |
|---|---|---|
| api[.]telegram[.]org | 53 family labels, including AsyncRAT, Cobalt Strike, DonutLoader, Quasar, RedLine, Remcos, Vidar, XWorm | Telegram Messenger Inc, VG |
| 209[.]145[.]51[.]44 | 16 family labels, including AsyncRAT, Cobalt Strike, DonutLoader, Koiloader, Lumma, Quasar, XWorm | Private Layer Inc, US |
| 193[.]242[.]166[.]48 | 14 family labels, including Danabot, DarkComet, Modiloader, Remcos, WarzoneRAT | We Have The Solution (ISP), US |
| firewai[.]biz | 8 family labels, including DonutLoader, HijackLoader, Phantom Stealer, Remcos, Remus, Vidar | Private Layer Inc, US |
| 196[.]251[.]107[.]130 | 7 family labels, including Amadey, RedLine, Remus Stealer, StealC, XWorm | Orange Cote D'Ivoire, CI |
| mascard[.]biz | 6 family labels, including DonutLoader, HijackLoader, Remcos, Remus, Vidar | Private Layer Inc, US |
| gowayofficemee[.]in[.]net | 3 family labels, including AsyncRAT, Quasar, Remcos | Namecheap, US |
Quad9 DNS Activity
Derp C2 intelligence helps protect Quad9 users. The blocked C2 events below represent infected systems attempting to reach command-and-control infrastructure, with Quad9 blocking the connection.
Top 10 New Quad9 C2 Blocks (24 hours)
| Host | Families | Blocked C2 events | Top countries |
|---|---|---|---|
| 69sexy[.]duckdns[.]org | Mirai | 1,858 | DE, CH, US, RU, IE |
| f***er1[.]duckdns[.]org | Mirai | 1,539 | DE, CH, US, RU, CZ |
| gowayofficemee[.]in[.]net | AsyncRAT, Quasar, Remcos | 1,139 | US, CH, GB, SG, PT |
| honeypotresearchteam[.]duckdns[.]org | Remcos | 1,015 | BH, JO, BR, US |
| firewai[.]biz | DonutLoader, HijackLoader, Phantom Stealer, Remcos, Remus, Remus Stealer, StealC, Vidar | 998 | US, CH, RU, LV, BD |
| viet69z[.]me | AsyncRAT | 794 | VN, US, CH, DE, KH |
| lazystax[.]ru | Tofsee | 577 | US, ID, BR, DO, IE |
| mascard[.]biz | DonutLoader, HijackLoader, Phantom Stealer, Remcos, Remus, Remus Stealer, Vidar | 264 | CH, RU, BD, US, TH |
| u888n[.]info | NanoCore, Remcos | 234 | CH, US, DE, ES, NZ |
| losslvs[.]surf | Remus, Remus Stealer, StealC | 207 | DE, CH, NL, US, CA |
Top 10 Quad9 C2 Blocks from the Full C2 DB (24 hours)
| Host | Blocked C2 events | Top countries |
|---|---|---|
| ff[.]aass654[.]com | 394,575 | DE, US |
| ff[.]jjkk567[.]com | 394,540 | DE |
| ff[.]nnmm234[.]com | 394,533 | DE, US |
| ff[.]vvbb321[.]com | 394,530 | DE, US |
| ff[.]xxcc789[.]com | 394,472 | DE, US |
| hh[.]jjkk567[.]com | 327,817 | LK, US |
| hh[.]aass654[.]com | 327,803 | LK, US |
| hh[.]nnmm234[.]com | 327,803 | LK, US |
| hh[.]xxcc789[.]com | 327,799 | LK, US |
| v1[.]op17[.]ru | 171,883 | RU, VE, LA, CO, MX |
Infrastructure
446 malware download hosts mapped across 41 countries, 144 providers, and 5 infrastructure types. Remcos (80) and AsyncRAT (79) dominated the download-host landscape, followed by NanoCore (38), XWorm (34), and MeshAgent (29).
| Provider | Download Hosts |
|---|---|
| Cloudflare | 110 |
| DigitalOcean | 22 |
| Hetzner | 17 |
|  | 15 |
| Omegatech | 11 |
| Amazon | 10 |
| HostPapa | 9 |
| CTG Server | 7 |
| Great Flower | 7 |
The US led with 251 download hosts, followed by Germany at 32, the UK at 26, Russia at 14, and Seychelles at 11. By infrastructure type, hosting accounted for 384 hosts and ISP space for 42, with business, sinkhole, and unknown making up the rest.