A Day In Cybercrime with DERP delivers daily cybercrime and threat intelligence: news, package manager malware, ransomware claims, C2 observations, and infrastructure.
News
Laravel Lang packages hijacked to deploy credential-stealing malware
Bleeping Computer | May 23 at 5:40 PM Eastern
Attackers hijacked Laravel Lang localization packages by rewriting GitHub tags across four repositories to deploy credential-stealing malware. Operators should audit GitHub tag integrity and monitor for unexpected repository changes.
Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign
Bleeping Computer | today at 10:40 AM Eastern
A large-scale ClickFix campaign exploits CVE-2026-26980, a critical SQL injection in Ghost CMS, impacting over 700 domains including university and tech sites. Defenders should patch Ghost CMS and watch for injected JavaScript on public-facing sites.
US and Canada arrest and charge suspected Kimwolf botnet admin
Bleeping Computer | today at 11:40 AM Eastern
US and Canadian authorities arrested Jacob Butler, the suspected operator of the KimWolf DDoS botnet that infected nearly two million devices. The arrest highlights the value of IP and transaction records in dismantling botnet infrastructure.
The FBI Wants 'Near Real-Time' Access to US License Plate Readers
WIRED | today at 11:40 AM Eastern
The FBI is seeking near real-time access to US license plate reader data, raising privacy and surveillance concerns. Organizations using such systems should review data-sharing policies and legal frameworks.
Trend Micro warns of Apex One zero-day exploited in the wild
Bleeping Computer | today at 11:40 AM Eastern
Trend Micro patched CVE-2026-34926, a directory traversal in Apex One (on-premises) that allows local attackers with admin privileges to inject malicious code. Enterprises should apply the update and restrict local admin access.
Package Manager Malware
OSV reported 8 MAL advisories across repositories: PyPI: 1, npm: 7.
That covers 8 packages across 2 repositories.
Ransomware Claims
15 ransomware claims posted across 4 groups, 10 countries, and 9 sectors in the past 24 hours.
Thegentlemen dominates with 9 of 15 claims, while Dragonforce, Bravox, and Ailock account for the rest across 10 countries and 9 sectors.
| Group | Claims |
|---|---|
| Thegentlemen | 9 |
| Dragonforce | 3 |
| Bravox | 2 |
| Ailock | 1 |
Countries hit: US (2), GB (2), CA (2), TR (2), AU (1), FR (1), AR (1), PL (1), AT (1), JP (1).
Targeted sectors: Transportation/Logistics (3), Business Services (2), Manufacturing (2), Agriculture and Food Production (1), Construction (1), Healthcare (1), Technology (1), Energy (1), Consumer Services (1).
C2 Observations
2,738 C2 observations landed across 191 malware families, with 2,176 unique hosts and 169 shared hosts.
CobaltStrike leads with 806 of 2,738 C2 observations, followed by Remcos and AsyncRAT. Shared hosts concentrate multiple families, with 169 hosts reused across families.
| Family | C2s |
|---|---|
| cobaltstrike | 806 |
| remcos | 258 |
| asyncrat | 188 |
| adaptixc2 | 130 |
| clearfake | 90 |
| havoc | 54 |
| vidar | 49 |
| evilginx | 48 |
| dcrat | 41 |
| netsupportmanagerrat | 28 |
| vshell | 28 |
| remus_stealer | 27 |
Shared Hosts
Shared hosts indicate multi-family C2 reuse: 20 hosts serve 8 to 55 families each, often on hosting infrastructure in the US, RU, and DE.
| Host | Family Count | Selected Families | AS / Country |
|---|---|---|---|
| 193[.]161.193.99 | 55 | 44caliber, ades_stealer, amadey, ammyyadmin, asyncrat, blackmoon, blankgrabber, chaos, cobaltstrike, dcrat, destiny_stealer, discordrat | OOO GETWIFI / RU |
| 103[.]171.35.26 | 54 | 44caliber, ades_stealer, amadey, asyncrat, blackmoon, blankgrabber, chaos, cobaltstrike, dcrat, destiny_stealer, discordrat, donutloader | XNNET LLC / US |
| api[.]telegram.org | 54 | 44caliber, ades_stealer, agenttesla, amadey, angry_stealer, astasia, asyncrat, blackguard, blackmoon, chaos, cobaltstrike, darkcloud | Telegram Messenger Inc / VG |
| ow5dirasuek[.]com | 15 | blackmoon, cobaltstrike, cosmu, gink, lockbit, neconyd, quasar, ramnit, redline, sectoprat, stealc, umbral | Amazon.com, Inc. / US |
| mkkuei4kdsz[.]com | 15 | blackmoon, cobaltstrike, cosmu, gink, lockbit, neconyd, quasar, ramnit, redline, sectoprat, stealc, umbral | Amazon.com, Inc. / US |
| lousta[.]net | 15 | blackmoon, cobaltstrike, cosmu, gink, lockbit, neconyd, quasar, ramnit, redline, sectoprat, stealc, umbral | CSC - Tieteen tietotekniikan keskus Oy / FI |
| 193[.]242.166.48 | 15 | crimsonrat, danabot, darkcomet, dridex, hiddentear, killmbr, modiloader, mydoom, njrat, remcos, revengerat, sasser | - / - |
| 51[.]77.7.204 | 13 | danabot, darkcomet, dridex, hiddentear, killmbr, modiloader, mydoom, njrat, remcos, revengerat, rms, sasser | OVH SAS / FR |
| 51[.]222.39.81 | 13 | danabot, darkcomet, dridex, hiddentear, killmbr, modiloader, mydoom, njrat, remcos, revengerat, rms, sasser | OVH SAS / FR |
| 51[.]178.195.151 | 13 | danabot, darkcomet, dridex, hiddentear, killmbr, modiloader, mydoom, njrat, remcos, revengerat, rms, sasser | OVH SAS / FR |
| 38[.]68.50.179 | 13 | danabot, darkcomet, dridex, hiddentear, killmbr, modiloader, mydoom, njrat, remcos, revengerat, rms, sasser | Cogent Communications, LLC / US |
| 149[.]255.35.125 | 13 | danabot, darkcomet, dridex, hiddentear, killmbr, modiloader, mydoom, njrat, remcos, revengerat, rms, sasser | HIVELOCITY, Inc. / US |
Quad9 DNS Activity
Quad9 blocked 25 C2 hosts in the last 24 hours, with top blocks targeting domains linked to loaders and stealers, primarily from US, RU, and CH.
Top 10 New Quad9 C2 Blocks (24 hours)
| Host | Families | Blocked Events | Top Countries |
|---|---|---|---|
| totalads[.]monster | - | 5,320 | ZA, BD, KE, TZ, PK |
| woodfez[.]biz | hijackloader, remus, remus_stealer, stealc, vidar | 1,423 | US, RU, CH, DE, VN |
| mascard[.]biz | donutloader, hijackloader, phantom_stealer, remcos, remus, remus_stealer, vidar | 1,249 | US, CH, RU, JP, DE |
| supfoundrysettlers[.]us | cleanuploader | 1,245 | ES, CL, GR, BG, CH |
| whereverhomebe[.]com | cleanuploader | 1,245 | ES, CL, BG, GR, CH |
| firewai[.]biz | donutloader, hijackloader, phantom_stealer, remcos, remus, remus_stealer, stealc, vidar | 1,082 | US, RU, CH, DE, FR |
| honeypotresearchteam[.]duckdns.org | remcos | 983 | BH, JO, US |
| bong88[.]com.ng | asyncrat, quasar, remcos | 763 | VN, CH, RU, US, DE |
| api[.]cloudservicecon.com | - | 694 | ES, US, FR, PL, GB |
| missubeautynetwork[.]com | asyncrat | 644 | VN, US, FR, GB, NL |
Top 10 All C2 DB Quad9 C2 Blocks (24 hours)
| Host | Blocked Events | Top Countries |
|---|---|---|
| ff[.]nnmm234.com | 415,133 | DE, US |
| ff[.]aass654.com | 415,131 | DE, US |
| ff[.]vvbb321.com | 415,089 | DE, US |
| ff[.]jjkk567.com | 415,083 | DE, US |
| ff[.]xxcc789.com | 415,029 | DE, US |
| hh[.]aass654.com | 356,339 | LK, US |
| hh[.]nnmm234.com | 356,331 | LK |
| hh[.]xxcc789.com | 356,318 | LK, US |
| hh[.]jjkk567.com | 356,296 | LK, US |
| kinh[.]xmcxmr.com | 129,691 | CN, US, HK, TW, JP |
Infrastructure
Download-host infrastructure covered 2,349 hosts across 67 countries, 470 providers, and 6 infrastructure types.
C2 hosting concentrates in the US (909 hosts), CN (417), and HK (118), with Cloudflare, Alibaba, and Tencent as top providers.
| Provider | Download Hosts |
|---|---|
| Cloudflare | 212 |
| Hangzhou Alibaba Advertising Co.,Ltd. | 157 |
| Shenzhen Tencent Computer Systems Company | 138 |
| DigitalOcean | 88 |
| Amazon.com | 80 |
| SAKURA Internet | 72 |
| Omegatech LTD | 60 |
| HostPapa | 50 |
| Amazon.com | 40 |
| Alibaba (US) Technology Co. | 33 |