News
9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros
Cybersecurity researchers have disclosed details of a vulnerability in the Linux kernel that remained undetected for nine years. (Source: The Hacker News, 2026-05-21 08:02 UTC)
Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access
Cisco has rolled out updates for a maximum-severity security flaw impacting Secure Workload that could allow an unauthenticated, remote attacker to access sensitive data. (Source: The Hacker News, 2026-05-22 06:02 UTC)
Announcing Claude Compliance API support with Cloudflare CASB
Today, Cloudflare extended its cloud access security broker (CASB) to support the Claude Compliance API. (Source: Cloudflare, 2026-05-21 17:02 UTC)
Police seize "First VPN" service used in ransomware, data theft attacks
A virtual private network service called 'First VPN,' used in ransomware and data theft attacks, has been taken offline in a joint international law enforcement operation. (Source: Bleeping Computer, 2026-05-21 14:02 UTC)
Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
Microsoft has disclosed that a privilege escalation and a denial-of-service flaw in Defender have come under active exploitation in the wild. (Source: The Hacker News, 2026-05-21 11:02 UTC)
Content Delivery Exploit Opens Websites to Brand Hijacking
Dark Reading reported on Underminr, a domain-fronting-style content delivery issue that can let traffic resolve through a trusted domain while a CDN serves a different site behind the same edge IP. (Source: Dark Reading, 2026-05-21 13:06 UTC)
Ransomware Claims
In the last 24 hours, Derp observed 18 ransomware claims across 7 groups, targeting 10 countries and 10 sectors. The affected countries include US (5), DE (2), AT, AR, TH, AU, MK, SG, EC, and IN. Sectors hit include Manufacturing (2), Agriculture and Food Production (2), Healthcare (2), Technology (2), Consumer Services (2), Construction, Public Sector, Business Services, Transportation/Logistics, and Hospitality and Tourism.
| Group | Claims |
|---|---|
| bashe | 4 |
| Payload | 4 |
| Qilin | 3 |
| Thegentlemen | 3 |
| Nova | 2 |
| Braincipher | 1 |
| Shadowbyt3$ | 1 |
C2 Observations
Derp's C2 tracker recorded 1,182 C2 observations across 118 malware families, with 297 unique C2 hosts and 84 shared hosts.
| Family | C2s |
|---|---|
| asyncrat | 93 |
| remcos | 63 |
| cobaltstrike | 36 |
| vidar | 32 |
| quasar | 26 |
| nanocore | 25 |
| gh0strat | 24 |
| xworm | 22 |
| donutloader | 20 |
| sectoprat | 20 |
Shared Hosts
Shared hosts are C2 hosts observed across multiple malware families. The following table lists the top shared hosts by family count.
Quad9 DNS Activity
Blocked C2 events are attempts by infected systems to reach command-and-control infrastructure that Quad9 stops at the DNS resolution step, so the connection path is never established.
Top 10 New Quad9 C2 Blocks (24 hours)
Top 10 All C2 DB Quad9 C2 Blocks (24 hours)
Infrastructure
304 malware download hosts mapped across 33 countries, 98 providers, and 5 infrastructure types. AsyncRAT (93) and Remcos (63) dominated the download-host footprint, followed by Cobalt Strike (36), Vidar (32), and Quasar (26).
| Provider | Download Hosts |
|---|---|
| Cloudflare | 91 |
| DigitalOcean | 19 |
| Great Flower | 10 |
| | 10 |
| Alibaba | 9 |
| Omegatech | 8 |
| Amazon | 6 |
| Contabo | 6 |
| OVH | 6 |
| RouterHosting | 6 |
The US led with 183 download hosts, followed by Germany at 14, China at 13, the UK at 11, and Israel at 10. By infrastructure type, hosting accounted for 270 hosts and ISP space for 23, with the business, sinkhole, and unknown categories making up the remainder.