A Day In Cybercrime with DERP delivers a daily cybercrime and threat intelligence overview: news, package manager malware, ransomware claims, C2 observations, and infrastructure.
News
TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO
The Hacker News | today at 2:01 AM Eastern
A coordinated cross-ecosystem supply chain attack called TrapDoor distributes credential-stealing malware through npm, PyPI, and CratesIO with over 34 malicious packages across 384 versions. Operators should audit their dependency trees for packages published after May 22, 2026, especially those targeting crypto, DeFi, Solana, and AI development workflows.
Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign
Bleeping Computer | May 24 at 11:01 AM Eastern
A critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980) is being exploited in a large-scale ClickFix campaign affecting over 700 domains, including university and major tech sites. Defenders should patch Ghost CMS instances immediately and monitor for injected JavaScript that triggers fake browser update prompts.
US and Canada arrest and charge suspected Kimwolf botnet admin
Bleeping Computer | today at 6:01 AM Eastern
US and Canadian authorities arrested and charged 23-year-old Jacob Butler with operating the KimWolf DDoS botnet that infected nearly two million devices worldwide. The arrest demonstrates that law enforcement can trace botnet administration through IP addresses, transaction records, and online messaging metadata.
The FBI Wants 'Near Real-Time' Access to US License Plate Readers
WIRED | today at 6:01 AM Eastern
The FBI is seeking near real-time access to US license plate reader data, while the Take It Down Act now allows individuals to demand removal of nonconsensual nudes from platforms. Organizations should review their data retention policies for automated license plate recognition systems and prepare for increased compliance obligations under the new law.
Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access
The Hacker News | today at 6:01 AM Eastern
Cisco patched a CVSS 10.0 vulnerability (CVE-2026-20223) in Secure Workload that allows unauthenticated remote attackers to read sensitive data and make configuration changes across tenant boundaries. Administrators should apply the update immediately as there are no workarounds for this REST API flaw.
Package Manager Malware
OSV reported 15 MAL advisories across repositories: PyPI: 9, npm: 6.
That covers 15 packages across 2 repositories.
1 promoted host was present in the OSV data.
All three promoted packages point to the same GitHub Pages host, suggesting a single operator publishing malware-laced PyPI packages under different names.
| OSV ID | Repository | Package | Feed Classes | Roles | Hosts |
|---|---|---|---|---|---|
| MAL-2026-4271 | PyPI | data-pipeline-check | malware_infra | malware_infra | ddjidd564[.]github.io |
| MAL-2026-4272 | PyPI | env-loader-cli | malware_infra | malware_infra | ddjidd564[.]github.io |
| MAL-2026-4273 | PyPI | git-config-sync | malware_infra | malware_infra | ddjidd564[.]github.io |
Ransomware Claims
19 ransomware claims posted across 4 groups, 11 countries, and 8 sectors in the past 24 hours.
Nightspire and Qilin together account for 16 of 19 claims, with Nightspire alone posting 9, indicating a concentrated two-group activity pattern.
| Group | Claims |
|---|---|
| Nightspire | 9 |
| Qilin | 7 |
| Nova | 2 |
| Incransom | 1 |
Countries hit: US (4), EG (2), AE (1), TR (1), BR (1), AU (1), NZ (1), CZ (1), GB (1), ES (1).
Targeted sectors: Business Services (5), Financial Services (2), Technology (1), Public Sector (1), Consumer Services (1), Healthcare (1), Hospitality and Tourism (1), Manufacturing (1).
C2 Observations
3,154 C2 observations landed across 164 malware families, with 2,595 unique hosts and 202 shared hosts.
CobaltStrike dominates with 834 of 3,154 C2 observations, more than double the next family, Remcos, and the 202 shared hosts suggest multi-family infrastructure reuse.
| Family | C2s |
|---|---|
| cobaltstrike | 834 |
| remcos | 394 |
| lumma | 247 |
| asyncrat | 188 |
| adaptixc2 | 130 |
| clearfake | 114 |
| netwire | 92 |
| xorddos | 75 |
| havoc | 54 |
| evilginx | 48 |
| dcrat | 41 |
| nanocore | 40 |
Shared Hosts
Shared hosts like XNNET LLC and Hetzner IPs host up to 12 malware families each, indicating that operators are co-locating multiple C2 channels on single machines.
| Host | Family Count | Selected Families | AS / Country |
|---|---|---|---|
| 103[.]171.35.26 | 54 | 44caliber, ades_stealer, amadey, asyncrat, blackmoon, blankgrabber, chaos, cobaltstrike, dcrat, destiny_stealer, discordrat, donutloader | XNNET LLC / US |
| api[.]telegram.org | 54 | 44caliber, ades_stealer, agenttesla, amadey, angry_stealer, astasia, asyncrat, blackguard, blackmoon, chaos, cobaltstrike, darkcloud | Telegram Messenger Inc / VG |
| ow5dirasuek[.]com | 15 | blackmoon, cobaltstrike, cosmu, gink, lockbit, neconyd, quasar, ramnit, redline, sectoprat, stealc, umbral | Amazon.com, Inc. / US |
| mkkuei4kdsz[.]com | 15 | blackmoon, cobaltstrike, cosmu, gink, lockbit, neconyd, quasar, ramnit, redline, sectoprat, stealc, umbral | Amazon.com, Inc. / US |
| lousta[.]net | 15 | blackmoon, cobaltstrike, cosmu, gink, lockbit, neconyd, quasar, ramnit, redline, sectoprat, stealc, umbral | CSC - Tieteen tietotekniikan keskus Oy / FI |
| wfsdragon[.]ru | 12 | amadey, fabookie, glupteba, loaderbot, nullmixer, privateloader, raccoon, redline, smokeloader, socelars, vidar, xmrig | Team Internet AG / DE |
| 65[.]108.69.168 | 12 | amadey, fabookie, glupteba, loaderbot, nullmixer, privateloader, raccoon, redline, smokeloader, socelars, vidar, xmrig | Hetzner Online GmbH / DE |
| 23[.]88.118.113 | 12 | amadey, fabookie, glupteba, loaderbot, nullmixer, privateloader, raccoon, redline, smokeloader, socelars, vidar, xmrig | Hetzner Online GmbH / DE |
| 212[.]193.30.45 | 12 | amadey, fabookie, glupteba, loaderbot, nullmixer, privateloader, raccoon, redline, smokeloader, socelars, vidar, xmrig | JSC TIMEWEB / RU |
| 212[.]193.30.29 | 12 | amadey, fabookie, glupteba, loaderbot, nullmixer, privateloader, raccoon, redline, smokeloader, socelars, vidar, xmrig | JSC TIMEWEB / RU |
| 212[.]192.241.62 | 12 | amadey, fabookie, glupteba, loaderbot, nullmixer, privateloader, raccoon, redline, smokeloader, socelars, vidar, xmrig | - / - |
| 185[.]215.113.44 | 12 | amadey, fabookie, glupteba, loaderbot, nullmixer, privateloader, raccoon, redline, smokeloader, socelars, vidar, xmrig | - / - |
Quad9 DNS Activity
Lumma stealer domains account for the top four C2-blocked hosts by Quad9 events, with most queries originating from UAE, US, and Pakistan.
Top 10 New Quad9 C2 Blocks (24 hours)
| Host | Families | Blocked Events | Top Countries |
|---|---|---|---|
| latchclan[.]shop | lumma | 4,948 | AE, CA, US, PK, DE |
| aa[.]hostasa.org | xorddos | 3,381 | US, ID, SE |
| downgradeload720fflie[.]duckdns.org | remcos | 2,520 | TH, CH, ID, JP, US |
| equatorf[.]run | lumma | 2,170 | AE, US, PK, CH, DE |
| latitudert[.]live | lumma | 2,138 | AE, US, PK, DE, CH |
| quilltayle[.]live | lumma | 2,092 | AE, US, PK, DE, CH |
| longitudde[.]digital | lumma | 2,085 | AE, US, PK, CH, DE |
| trfsgysu28opask02[.]duckdns.org | remcos | 1,985 | TH, CH, NZ, US, ID |
| honceybl[.]cyou | ghostsocks, lumma | 1,443 | US, CH, VE, RU, NL |
| globaltimecheck[.]live | remcos | 1,253 | UA, CH, US |
Top 10 All C2 DB Quad9 C2 Blocks (24 hours)
| Host | Blocked Events | Top Countries |
|---|---|---|
| ff[.]vvbb321.com | 388,203 | DE, US |
| ff[.]aass654.com | 388,193 | DE |
| ff[.]nnmm234.com | 388,188 | DE, US |
| ff[.]jjkk567.com | 388,178 | DE, US |
| ff[.]xxcc789.com | 388,129 | DE, US |
| hh[.]aass654.com | 332,423 | LK, US |
| hh[.]jjkk567.com | 332,412 | LK, US |
| hh[.]xxcc789.com | 332,400 | LK, US |
| hh[.]nnmm234.com | 332,377 | LK, US |
| kinh[.]xmcxmr.com | 122,120 | CN, US, HK, JP, TW |
Infrastructure
Download-host infrastructure covered 2,772 hosts across 72 countries, 476 providers, and 6 infrastructure types.
The US hosts 1,259 of the 2,772 C2 servers, with Cloudflare, Alibaba, and Microsoft as the top providers, while hosting infrastructure accounts for 2,349 of all C2 hosts.
| Provider | Download Hosts |
|---|---|
| Cloudflare | 267 |
| Hangzhou Alibaba Advertising Co.,Ltd. | 159 |
| Microsoft Corporation | 155 |
| Shenzhen Tencent Computer Systems Company | 140 |
| Amazon.com | 119 |
| DigitalOcean | 89 |
| HostPapa | 74 |
| SAKURA Internet | 72 |
| Amazon.com | 65 |
| 60 |