A Day In Cybercrime with DERP delivers daily cybercrime and threat intelligence overviews, covering news, package manager malware, ransomware claims, C2 observations, and infrastructure.
News
CISA gives feds 4 days to patch actively exploited cPanel plugin flaw
Bleeping Computer | today at 6:30 AM Eastern
CISA ordered federal agencies to patch an actively exploited privilege escalation vulnerability in the LiteSpeed cPanel plugin within four days. Tracked as CVE-2026-48172, the flaw involves mishandling of Redis enable/disable features. Operators should prioritize patching this plugin on any exposed cPanel servers.
GPU mining malware spreads via SEO poisoning, AI chatbots
Bleeping Computer | May 27 at 6:30 PM Eastern
A cryptojacking campaign uses SEO poisoning to distribute GPU mining malware through fake download pages for utilities like CrystalDiskInfo and HWMonitor. The attacker deploys ScreenConnect for persistent access, which can later be used to install additional malware. Defenders should monitor for unauthorized ScreenConnect installations on high-performance systems.
JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware
The Hacker News | today at 4:30 AM Eastern
A previously undocumented threat actor tracked as JINX-0164 targets cryptocurrency firms using fake recruiter lures and custom macOS malware. The campaign has been active since mid-2025 and includes supply chain attacks via compromised CI/CD infrastructure. Security teams in crypto organizations should review recruitment communication channels and CI/CD pipeline access.
Report 'phone hack' to police or I will do it for you, Labour chair tells Farage
The Guardian | May 27 at 5:30 PM Eastern
Labour chair Anna Turley gave Nigel Farage 24 hours to report his phone hacking claims to police, citing public and national interest. The claims involve alleged Russian hacking. This story is developing and may have broader implications for cyber threat attribution.
Iran's Internet is partially restored, Cloudflare Radar data shows
Cloudflare | May 27 at 2:30 PM Eastern
Iran's internet access is partially restored after nearly three months of disruption, according to Cloudflare Radar data. The restoration follows an announcement by Iran's vice president. Organizations with operations in Iran should monitor connectivity changes and adjust risk assessments accordingly.
Package Manager Malware
OSV reported 179 MAL advisories across repositories: PyPI: 16, npm: 163.
That covers 179 packages across 2 repositories.
14 promoted hosts were present in the OSV data.
npm dominates with 163 of 179 total MAL advisories, while PyPI accounts for 16. The 14 promoted hosts include C2, exfiltration, and infrastructure endpoints, indicating active abuse of package registries for multi-stage attacks.
| OSV ID | Repository | Package | Feed Classes | Roles | Hosts |
|---|---|---|---|---|---|
| MAL-2026-4829 | PyPI | quatres | malware_infra | malware_infra | tranquil-lollipop-6e2f41[.]netlify.app |
| MAL-2026-4787 | npm | @autofleet/rabbit | c2_config | config_or_webhook | 35[.]240.13.28 |
| MAL-2026-4366 | npm | @autoheal/setup | c2_config | config_or_webhook | autoheal-4p4q[.]onrender.com, creativekulhad[.]onrender.com |
| MAL-2026-4395 | npm | @inetafrica/open-claudia | exfil_endpoint | exfil_endpoint | api[.]telegram.org |
| MAL-2026-4229 | npm | @luke-101141/nobody | exfil_endpoint | exfil_endpoint | frgthyujiouyh[.]requestcatcher.com |
| MAL-2026-3482 | npm | @tanstack/solid-router-devtools | malware_infra | malware_infra | api[.]masscan.cloud, filev2[.]getsession.org, git-tanstack[.]com, seed1[.]getsession.org |
| MAL-2026-3492 | npm | @tanstack/start-storage-context | malware_infra | malware_infra | api[.]masscan.cloud, filev2[.]getsession.org, git-tanstack[.]com, seed1[.]getsession.org |
| MAL-2026-4469 | npm | @zaamx/netme | c2_config | config_or_webhook | n8n[.]lidxi.com |
| MAL-2026-4485 | npm | atel-mcp-openclaw | c2 | c2 | api[.]telegram.org |
| MAL-2026-4512 | npm | chai-as-repaired | c2 | c2 | api[.]jsonstorage.net |
Ransomware Claims
42 ransomware claims posted across 12 groups, 19 countries, and 11 sectors in the past 24 hours.
Dragonforce accounts for nearly half of all claims with 20 of 42, concentrating activity in a single group. The remaining 22 claims are spread across 11 other groups, with Qilin and 0day syndicate as secondary actors.
| Group | Claims |
|---|---|
| Dragonforce | 20 |
| Qilin | 5 |
| 0day syndicate | 4 |
| Akira | 2 |
| Incransom | 2 |
| Krybit | 2 |
| Nova | 2 |
| Anubis | 1 |
| Auditteam | 1 |
| Chaos | 1 |
| M3rx | 1 |
| Shinyhunters | 1 |
Countries hit: US (10), GB (5), MX (2), CA (2), NL (2), DE (2), BR (1), GH (1), ES (1), RU (1).
Targeted sectors: Business Services (9), Consumer Services (6), Technology (4), Manufacturing (4), Agriculture and Food Production (3), Healthcare (2), Transportation/Logistics (2), Construction (2), Energy (2), Education (1).
C2 Observations
422 C2 observations landed across 49 malware families, with 393 unique hosts and 24 shared hosts.
Clearfake dominates with 132 of 422 C2 observations, more than four times the next family. The 24 shared hosts indicate infrastructure reuse across multiple malware families, complicating attribution.
| Family | C2s |
|---|---|
| clearfake | 132 |
| asyncrat | 30 |
| nanocore | 30 |
| stealc | 29 |
| vidar | 24 |
| remcos | 21 |
| quasar | 16 |
| vshell | 13 |
| adaptixc2 | 12 |
| cobaltstrike | 9 |
| lumma | 8 |
| netsupportmanagerrat | 8 |
Shared Hosts
24 C2 hosts serve multiple malware families, with one host handling four families including AsyncRAT and Stealc. This reuse suggests shared infrastructure providers or multi-tool operators.
| Host | Family Count | Selected Families | AS / Country |
|---|---|---|---|
| 45[.]93.20.151 | 4 | asyncrat, redline, stealc, svcstealer | - / - |
| 45[.]93.20.28 | 3 | amadey, lumma, stealc | - / - |
| 176[.]113.115.6 | 3 | amadey, lumma, stealc | - / - |
| pandabearz[.]no-ip.biz | 3 | darkcomet, neshta, xred | Charter Communications Inc / US |
| 202[.]95.8.98 | 2 | adaptixc2, quasar | CTG Server Limited / HK |
| 88i-mobile[.]com | 2 | asyncrat, nanocore | Cloudflare, Inc. / US |
| www[.]123bca.com | 2 | asyncrat, nanocore | Cloudflare, Inc. / US |
| www[.]88i-mobile.com | 2 | asyncrat, nanocore | Cloudflare, Inc. / US |
| 64[.]188.67.222 | 2 | destiny_stealer, stormkitty | PLAY2GO INTERNATIONAL LIMITED / GB |
| 104[.]239.66.86 | 2 | donutloader, xworm | Stellar Group SAS / FR |
| 62[.]60.178.9 | 2 | donutloader, stealc | - / - |
| 138[.]124.108.212 | 2 | donutloader, stealc | AEZA GROUP LLC / RU |
Quad9 DNS Activity
Quad9 blocked 25 C2 hosts in the last 24 hours, with the top blocked host oraxdata[.]monster generating 947 events. Clearfake-related domains appear frequently in the top blocked list, consistent with its C2 dominance.
Top 10 New Quad9 C2 Blocks (24 hours)
| Host | Families | Blocked Events | Top Countries |
|---|---|---|---|
| oraxdata[.]monster | - | 947 | ZA, IN, HK, TZ, PK |
| gulgosski[.]lol | kongtuke | 453 | US, EE, FR, GB, ES |
| kerluku[.]lol | kongtuke | 379 | US, EE, NL, GB, SG |
| tukwp[.]bni-ai.com | clearfake | 143 | DE, RU, CH, US, EE |
| nova[.]podril1ak2.online | mirai | 137 | DE, CH, EE, NL |
| api[.]ddenv.site | mirai | 124 | DE, CH, EE |
| xdsop[.]v-vill.hu | clearfake | 117 | DE, CH, NL, EE, RU |
| eujvn[.]business360.hu | clearfake | 114 | DE, RU, CH, US, EE |
| jawdedmirror[.]run | lumma | 102 | AE, US, CH |
| lonfgshadow[.]live | lumma | 98 | AE, US |
Top 10 Quad9 C2 Blocks Across All C2 DB Hosts (24 hours)
| Host | Blocked Events | Top Countries |
|---|---|---|
| ff[.]xxcc789.com | 282,555 | DE, US |
| ff[.]aass654.com | 282,537 | DE, US |
| ff[.]vvbb321.com | 282,454 | DE, US |
| ff[.]jjkk567.com | 282,406 | DE |
| ff[.]nnmm234.com | 282,404 | DE, US |
| topbannersun[.]com | 159,886 | ID, ET, MU, ZA, BD |
| cc[.]aass654.com | 97,558 | US |
| v1[.]op17.ru | 97,396 | RU, VE, LA, MX, CO |
| cc[.]vvbb321.com | 97,069 | US |
| cc[.]nnmm234.com | 97,057 | US |
Infrastructure
Download-host infrastructure covered 414 hosts across 32 countries, 106 providers, and 5 infrastructure types.
US hosts account for 266 of 414 C2 hosts, with Cloudflare as the top provider at 210 hosts. Hosting infrastructure dominates at 378 hosts, while ISP and business types are minimal.
| Provider | Download Hosts |
|---|---|
| Cloudflare | 210 |
| Hetzner Online GmbH | 11 |
| unknown | 11 |
| DigitalOcean | 8 |
| OVH SAS | 6 |
| | 5 |
| Microsoft Corporation | 5 |
| NesterTelecom | 5 |
| Shenzhen Tencent Computer Systems Company | 5 |
| Contabo | 4 |