A Day In Cybercrime with DERP delivers daily cybercrime and threat intelligence: news, package manager malware, ransomware claims, C2 observations, and infrastructure.
News
Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
The Hacker News | today at 6:02 AM Eastern
A weekly recap highlights Linux flaws, Microsoft Defender zero-days, router botnets, and supply chain attacks. Old bugs resurfaced, and security products themselves needed patching. Phishing crews are using more realistic lures.
KnowledgeDeliver flaw exploited as a zero-day to install web shells
Bleeping Computer | May 26 at 5:02 PM Eastern
A critical deserialization zero-day in KnowledgeDeliver LMS, CVE-2026-5426, is being exploited without authentication to deploy Godzilla web shells. The flaw stems from a shared hardcoded machine key across all customer deployments. Operators should audit any KnowledgeDeliver instances for signs of ViewState tampering.
Charter confirms data breach after ShinyHunters extortion threat
Bleeping Computer | May 26 at 4:02 PM Eastern
Charter Communications confirmed a data breach after ShinyHunters threatened to leak stolen data. The company stated no sensitive personal customer information was taken. This incident underscores the importance of verifying extortion claims before assuming data scope.
Protected: The State of AI Risk Management in 2026
Heimdal Security | May 26 at 11:02 AM Eastern
A protected post on AI risk management in 2026 is behind a login wall. No actionable details are available from the excerpt.
How Varonis Atlas integrates Claude Compliance API for AI governance
Bleeping Computer | May 26 at 11:02 AM Eastern
Varonis Atlas integrates with Claude Compliance API to monitor AI tool usage and investigate misuse across sessions. The integration aims to give security teams visibility into how AI interacts with enterprise data. This is a vendor announcement, not a threat event.
Package Manager Malware
OSV reported 431 MAL advisories across two repositories: PyPI (57) and npm (374), covering 431 packages in total.
41 promoted hosts were present in the OSV data.
Promoted hosts are present across both PyPI and npm, indicating active infrastructure for malware delivery and C2.
| OSV ID | Repository | Package | Feed Classes | Roles | Hosts |
|---|---|---|---|---|---|
| MAL-2026-4810 | PyPI | binproto | malware_infra | malware_infra | duketools[.]vercel.app |
| MAL-2026-4271 | PyPI | data-pipeline-check | c2_config | config_or_webhook | ddjidd564[.]github.io |
| MAL-2026-4820 | PyPI | datapipe-util | malware_infra | malware_infra | duketools[.]vercel.app |
| MAL-2026-4174 | PyPI | durabletask | c2, malware_infra | c2, malware_infra | 160[.]119.64.3, 185[.]95.159.32, check[.]git-service.com, git-service[.]com, m-kosche[.]com, t[.]m-kosche.com |
| MAL-2026-4272 | PyPI | env-loader-cli | c2_config | config_or_webhook | ddjidd564[.]github.io |
| MAL-2026-4273 | PyPI | git-config-sync | c2_config | config_or_webhook | ddjidd564[.]github.io |
| MAL-2026-4752 | PyPI | gt-tester-exp-profiler-exp-00000015 | exfil_endpoint | exfil_endpoint | 104[.]131.173.16 |
| MAL-2026-4357 | PyPI | helu | malware_infra | malware_infra | tranquil-lollipop-6e2f41[.]netlify.app |
| MAL-2026-4227 | PyPI | lognest | malware_infra | malware_infra | pypkg[.]dev |
| MAL-2026-4231 | PyPI | pylogfmt | malware_infra | malware_infra | pypkg[.]dev |
Ransomware Claims
11 ransomware claims posted across 6 groups, 5 countries, and 6 sectors in the past 24 hours.
Dragonforce and Nova each posted 3 claims, accounting for over half of the 24-hour total. The remaining claims are spread across four other groups.
| Group | Claims |
|---|---|
| Dragonforce | 3 |
| Nova | 3 |
| Spacebears | 2 |
| Akira | 1 |
| Krybit | 1 |
| Qilin | 1 |
Countries hit: US (3), DE (2), ES (1), TW (1), RU (1).
Targeted sectors: Business Services (3), Technology (2), Financial Services (1), Manufacturing (1), Education (1), Hospitality and Tourism (1).
C2 Observations
345 C2 observations landed across 35 malware families, with 323 unique hosts and 18 shared hosts.
Clearfake dominates with 131 C2s, followed by AsyncRAT at 80. The top two families account for 61% of all observations.
| Family | C2s |
|---|---|
| clearfake | 131 |
| asyncrat | 80 |
| nanocore | 16 |
| remcos | 16 |
| meshagent | 11 |
| lumma | 10 |
| cobaltstrike | 9 |
| vidar | 9 |
| xworm | 8 |
| donutloader | 5 |
| latentbot | 5 |
| kongtuke | 4 |
Shared Hosts
18 shared hosts were observed, with several hosting three families simultaneously. M247 Europe SRL in Romania hosts a cluster of donutloader, latentbot, and remcos on multiple domains.
| Host | Family Count | Selected Families | AS / Country |
|---|---|---|---|
| research[.]cloud-ip.cc | 3 | donutloader, latentbot, remcos | M247 Europe SRL / RO |
| research[.]abrdns.com | 3 | donutloader, latentbot, remcos | M247 Europe SRL / RO |
| bioresearch[.]bumbleshrimp.com | 3 | donutloader, latentbot, remcos | M247 Europe SRL / RO |
| 173[.]211.106.14 | 3 | donutloader, latentbot, remcos | Colocation America Corporation / US |
| www[.]mobility-aids.in | 2 | asyncrat, nanocore | Cloudflare, Inc. / US |
| mobility-aids[.]in | 2 | asyncrat, nanocore | Cloudflare, Inc. / US |
| www[.]dutchgp2020.com | 2 | asyncrat, nanocore | Cloudflare, Inc. / US |
| dutchgp2020[.]com | 2 | asyncrat, nanocore | Cloudflare, Inc. / US |
| allma[.]io | 2 | asyncrat, nanocore | Cloudflare, Inc. / US |
| www[.]rijschool-geduld.nl | 2 | asyncrat, nanocore | Cloudflare, Inc. / US |
| rijschool-geduld[.]nl | 2 | asyncrat, nanocore | Cloudflare, Inc. / US |
| 178[.]16.55.121 | 2 | asyncrat, xworm | Omegatech LTD / SC |
Quad9 DNS Activity
Quad9 blocking data shows clearfake and kongtuke domains generating the most C2-related events, with clearfake hosts spread across Hungarian and Swiss infrastructure.
Top 10 New Quad9 C2 Blocks (24 hours)
| Host | Families | Blocked Events | Top Countries |
|---|---|---|---|
| eegelhardt[.]lol | kongtuke | 626 | US, NL, FR, AR, BR |
| julya[.]bmz.hu | clearfake | 230 | DE, CH, EE, RU, US |
| acuon[.]bni-ai.com | clearfake | 225 | DE, CH, US, RU, EE |
| swhbk[.]bohochal.hu | clearfake | 179 | DE, CH, EE, US, CO |
| hartunh[.]lol | kongtuke | 176 | US, GB, EE, ES, NL |
| nveth[.]brandbuilder.hu | clearfake | 104 | DE, NZ, CH, US, GH |
| lsikjsns[.]beer | - | 78 | RO, US, BD, BF, PT |
| phimdam69[.]com | asyncrat | 66 | BR, US, VN, AR, BD |
| sexkhung[.]net | asyncrat | 56 | VN, US, DE, KH, SG |
| kbjqa[.]wpsmart.app | clearfake | 37 | DE, EE, GR, FR, US |
Top 10 Quad9 C2 Blocks Across the Full C2 Database (24 hours)
| Host | Blocked Events | Top Countries |
|---|---|---|
| ff[.]nnmm234.com | 312,322 | DE, US |
| ff[.]vvbb321.com | 312,301 | DE, US |
| ff[.]jjkk567.com | 312,239 | DE, US |
| ff[.]aass654.com | 312,226 | DE, US |
| ff[.]xxcc789.com | 312,221 | DE, US |
| hh[.]aass654.com | 217,326 | LK, RU, US |
| hh[.]nnmm234.com | 217,316 | LK, US |
| hh[.]jjkk567.com | 217,312 | LK |
| hh[.]xxcc789.com | 217,305 | LK, US |
| topbannersun[.]com | 175,401 | ID, ET, MU, BD, ZA |
Infrastructure
Download-host infrastructure covered 361 hosts across 21 countries, 82 providers, and 3 infrastructure types.
Cloudflare hosts 202 of the 361 C2 hosts, more than half. The US accounts for 250 hosts, far ahead of any other country.
| Provider | Download Hosts |
|---|---|
| Cloudflare | 202 |
| OVH SAS | 15 |
| DigitalOcean | 11 |
| Datacamp | 10 |
| Emil Vitukhnovskii trading as Great Flower | 10 |
| Omegatech LTD | 8 |
| Hetzner Online GmbH | 6 |
| M247 Europe SRL | 5 |
| Hangzhou Alibaba Advertising Co.,Ltd. | 4 |
| Amazon.com | 3 |