A Day In Cybercrime with DERP delivers a daily cybercrime and threat intelligence overview covering news, package manager malware, ransomware claims, C2 observations, and infrastructure.
News
Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
The Hacker News | May 25 at 10:38 AM Eastern
A weekly recap highlights Linux flaws, Microsoft Defender zero-days, router botnets, and supply chain issues. Operators should prioritize patching known exploited vulnerabilities in internet-facing systems.
Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions
The Hacker News | today at 8:38 AM Eastern
Microsoft patched CVE-2026-45659, a SharePoint RCE flaw rated CVSS 8.8 that any authenticated attacker can exploit. Organizations running SharePoint should apply the update immediately.
CISA orders feds to patch actively exploited Drupal vulnerability
Bleeping Computer | today at 5:38 AM Eastern
CISA ordered federal agencies to patch CVE-2026-9082, an actively exploited SQL injection vulnerability in Drupal. The flaw requires no authentication and lies in Drupal's database abstraction API.
Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning
The Hacker News | today at 3:38 AM Eastern
Iranian state-sponsored group Nimbus Manticore deployed MiniFast and MiniJunk V2 backdoors via phishing and SEO poisoning. Defenders should monitor for AppDomain hijacking and AI-assisted malware delivery.
KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike
The Hacker News | today at 1:38 AM Eastern
A hard-coded ASP.NET machine key vulnerability (CVE-2026-5426) in KnowledgeDeliver LMS was exploited to deploy Godzilla and Cobalt Strike. Organizations using this LMS should verify they are on patched versions.
Package Manager Malware
OSV reported 59 MAL advisories across repositories: npm: 59.
That covers 59 packages across 1 repository.
Ransomware Claims
21 ransomware claims were posted across 9 groups, 9 countries, and 9 sectors in the past 24 hours.
Play dominated with 6 claims, followed by Safepay at 4 and Spacebears at 3, while the remaining 6 groups each posted 2 or fewer claims.
| Group | Claims |
|---|---|
| Play | 6 |
| Safepay | 4 |
| Spacebears | 3 |
| Incransom | 2 |
| Nova | 2 |
| Cmdorganization | 1 |
| Lamashtu | 1 |
| Nightspire | 1 |
| Rhysida | 1 |
Countries hit: US (8), DE (2), NL (2), JP (2), CH (1), IE (1), IT (1), EG (1), CA (1).
Targeted sectors: Consumer Services (3), Business Services (3), Technology (2), Agriculture and Food Production (2), Transportation/Logistics (2), Manufacturing (1), Hospitality and Tourism (1), Telecommunication (1), Healthcare (1).
C2 Observations
400 C2 observations landed across 47 malware families, with 380 unique hosts and 16 shared hosts.
Clearfake accounted for 130 of 400 C2 observations, with Asyncrat, Purerat, and Vidar rounding out the top four. 16 shared hosts were observed.
| Family | C2s |
|---|---|
| clearfake | 130 |
| asyncrat | 57 |
| purerat | 35 |
| vidar | 27 |
| nanocore | 18 |
| remcos | 16 |
| cobaltstrike | 15 |
| acrstealer | 10 |
| remus_stealer | 10 |
| quasar | 9 |
| danabot | 7 |
| xworm | 6 |
Shared Hosts
16 hosts were shared by multiple C2 families, indicating infrastructure reuse across campaigns, often on Cloudflare or Hetzner.
| Host | Family Count | Selected Families | AS / Country |
|---|---|---|---|
| www[.]bong88.co.com | 3 | asyncrat, nanocore, quasar | Amazon.com, Inc. / US |
| moocow[.]my | 3 | asyncrat, nanocore, quasar | Cloudflare, Inc. / US |
| tulsa[.]mywire.org | 3 | asyncrat, quasar, vjw0rm | IONOS SE / DE |
| twart[.]myfirewall.org | 3 | quasar, xpertrat, xworm | Omegatech LTD / SC |
| 123b-mb1[.]com | 2 | asyncrat, nanocore | Cloudflare, Inc. / US |
| ga888vn[.]codes | 2 | asyncrat, quasar | Cloudflare, Inc. / US |
| shbet[.]id | 2 | asyncrat, nanocore | Cloudflare, Inc. / US |
| opdfgsjkldfgsijkldsfg-54253[.]portmap.host | 2 | customerloader, quasar | OOO GETWIFI / RU |
| yunded[.]com | 2 | lumma, stealc | Google LLC / US |
| ablackb[.]shop | 2 | lumma, remus_stealer | Contabo GmbH / DE |
| goldenscissoreindhoven[.]nl | 2 | nanocore, remcos | Cloudflare, Inc. / US |
| 193[.]233.19.233 | 2 | purerat, xworm | GTHost / US |
Quad9 DNS Activity
Quad9 blocked 25 C2 hosts, with Asyncrat and Clearfake domains generating the most events, primarily from Germany, the US, and Russia.
Top 10 New Quad9 C2 Blocks (24 hours)
| Host | Families | Blocked Events | Top Countries |
|---|---|---|---|
| legalreads[.]monster | - | 1,512 | BD, PK, TZ, ZA, RU |
| envinewrat1[.]duckdns.org | asyncrat | 1,494 | CO, EC, CH |
| phimsexhayvailoz[.]com | asyncrat | 417 | VN, RU, CH, US, DE |
| coffeeclass[.]io | asyncrat | 368 | US, SG, BR, MX, RU |
| xemphim69[.]com | asyncrat | 342 | US, BR, DE, RU, AU |
| vnsex[.]cc | asyncrat | 315 | VN, US, RU, CH, CA |
| ti[.]twilight.zip | valleyrat_s2 | 239 | HK, KR, TW, JP, IE |
| neypx[.]bmz.hu | clearfake | 195 | DE, CH, US, EE, RU |
| ptnza[.]bni-ai.com | clearfake | 149 | DE, US, CH, RU, FR |
| julya[.]bmz.hu | clearfake | 135 | DE, CH, EE, RU, US |
Top 10 Quad9 C2 Blocks, All C2 DB (24 hours)
| Host | Blocked Events | Top Countries |
|---|---|---|
| ff[.]nnmm234.com | 342,846 | DE, US |
| ff[.]aass654.com | 342,834 | DE, US |
| ff[.]vvbb321.com | 342,740 | DE |
| ff[.]xxcc789.com | 342,716 | DE, FR |
| ff[.]jjkk567.com | 342,676 | DE, US |
| hh[.]aass654.com | 302,048 | LK, IN, US |
| hh[.]jjkk567.com | 302,018 | LK, IN, US |
| hh[.]xxcc789.com | 302,017 | LK, US |
| hh[.]nnmm234.com | 302,016 | LK |
| topbannersun[.]com | 194,346 | ID, ET, MU, BD, ZA |
Infrastructure
Download-host infrastructure covered 408 hosts across 34 countries, 116 providers, and 4 infrastructure types.
US hosted 263 of 408 C2 hosts, with Cloudflare accounting for 204. Germany and Russia followed with 40 and 19 hosts respectively.
| Provider | Download Hosts |
|---|---|
| Cloudflare | 204 |
| Hetzner Online GmbH | 21 |
| Omegatech LTD | 12 |
| Amazon.com | 9 |
| (provider not listed) | 5 |
| HostPapa | 5 |
| OOO GETWIFI | 5 |
| Hetzner Online GmbH | 4 |
| Hostinger International | 4 |
| 1337 Services GmbH | 3 |