DFIRLab

Security research, threat intelligence, and detection engineering.

© 2026 DFIR Lab. All rights reserved.

Intelligence Products

Threat Briefings

Curated intelligence distilled from RSS feeds, CVE databases, abuse.ch, honeypot telemetry, and OSINT sources.

20 reports
Latest Briefing
Daily
Apr 7

Daily Threat Briefing — 2026-04-07

On April 7, 2026, threat intelligence collection identified 50 malicious indicators from abuse.ch URLhaus, representing active malware distribution campaigns. The threat landscape is dominated by IoT botnet activity (Mozi and Mirai variants targeting MIPS and ARM architectures) and browser-based social engineering attacks (ClearFake campaigns delivering ACRStealer and NetSupport RAT). Additionally, Chinese-language malware campaigns were observed distributing advanced RATs including SilverFox, Gh0stRAT, and Kryplod through cloud storage services. The ClearFake campaign shows sophisticated infrastructure with multiple subdomain variations across semanticvector[.]in[.]net, abstractlogic[.]in[.]net, conceptmatrix[.]in[.]net, structuralcore[.]in[.]net, and exhortshelk[.]in[.]net domains, suggesting a well-resourced operation with rotation capabilities. IoT botnet operators continue targeting vulnerable devices through known exploitation vectors, with Mozi malware maintaining persistent distribution across Asian IP ranges. The Chinese-language RAT campaign leverages legitimate cloud infrastructure (Alibaba OSS, AWS S3) for malware hosting, indicating supply chain compromise or targeted regional attacks. Organizations should prioritize patching IoT devices, implementing network segmentation for operational technology environments, deploying browser isolation technologies, and monitoring for connections to the identified malicious domains and IP addresses. No critical vulnerabilities, KEV entries, or honeypot data were recorded for this period.

9 findings
50 IOCs

Severity Breakdown

high 5
medium 4

MITRE ATT&CK

T1105, T1566.002, T1189, T1553.005, T1555.003, T1095
Weekly
Mar 31

Weekly Threat Briefing — 2026-03-31 to 2026-04-06

This briefing covers the period from March 31 to April 6, 2026, revealing a significant surge in vulnerability disclosures and sustained botnet activity. CISA added two critical vulnerabilities to the Known Exploited Vulnerabilities catalog, including an update mechanism with no integrity verification in TrueConf Client (CVE-2026-3502) and a use-after-free in Google Dawn (CVE-2026-5281) affecting Chromium-based browsers. The NVD disclosed 29 additional high-severity vulnerabilities spanning multiple product categories, with particular concern around legacy SQL injection flaws in Kados R10 GreenBee and a critical remote code execution vulnerability in Pegasus CMS (CVE-2019-25687). The threat landscape shows continued Mozi botnet dominance, with 44 of 50 malware distribution URLs attributed to this P2P botnet variant, primarily targeting MIPS and ARM-based IoT devices. Additionally, Mirai variants remain active with distribution infrastructure hosting multiple architecture-specific payloads. Organizations should prioritize patching the two KEV entries immediately, assess exposure to the 29 NVD-disclosed vulnerabilities (particularly the CRITICAL-rated Pegasus CMS RCE), and implement robust IoT device segmentation to mitigate botnet infection risks. No honeypot telemetry, enrichment alerts, or infrastructure seizure events were reported during this period, suggesting either a data collection gap or unusually quiet operational activity. Security teams should focus remediation efforts on the software update integrity issues highlighted in the TrueConf KEV entry, as these represent fundamental trust model failures that enable supply chain compromise scenarios.

16 findings
29 CVEs
T1190, T1059, T1583.001
Daily
Apr 6

Daily Threat Briefing — 2026-04-06

On April 6, 2026, the threat landscape was dominated by persistent IoT botnet activity targeting embedded devices and network infrastructure. URLhaus identified 50 malicious URLs distributing Mirai and Mozi malware variants across multiple architectures including ARM, MIPS, PowerPC, x86, and SH4. The threat actors demonstrate sophisticated multi-architecture targeting capabilities, deploying malware payloads optimized for diverse IoT and embedded Linux platforms. The Mozi botnet remains particularly active with 31 distinct malware distribution URLs detected, primarily targeting MIPS and ARM architectures through characteristic /bin.sh and /i payload delivery mechanisms. Mirai variants account for 19 distribution URLs, utilizing user-agent based delivery (ua-wget) across seven different processor architectures. Additionally, one Windows-based Amadey dropper was identified, indicating continued hybrid targeting of both traditional endpoints and IoT infrastructure. Organizations with exposed IoT devices, routers, IP cameras, and embedded Linux systems face elevated risk and should implement immediate defensive measures including credential hardening, network segmentation, and IoT device inventory management.

9 findings
T1190, T1105, T1059.004
Daily
Apr 5

Daily Threat Briefing — 2026-04-05

On April 5, 2026, threat intelligence sources identified a significant malware distribution campaign leveraging a single compromised server at IP address 103.130.214.71. The threat actor is actively distributing Mirai botnet variants and DDoS malware across 50 different URLs, targeting multiple CPU architectures including ARM, x86, MIPS, PowerPC, and RISC-V. This multi-architecture approach indicates an IoT-focused campaign designed to compromise diverse embedded devices, routers, and Linux-based systems. The malware distribution infrastructure demonstrates sophisticated targeting of IoT ecosystems, with binaries compiled for platforms commonly found in routers, IP cameras, DVRs, and other Internet-connected devices. The campaign utilizes wget-based delivery mechanisms, a hallmark of automated botnet propagation. All indicators were sourced from URLhaus abuse feeds, confirming active malicious distribution at the time of detection. Immediate defensive actions should include blocking the identified IP address (103.130.214.71) at network perimeters, implementing detection rules for the specific URL patterns and file names, and monitoring for wget-based download attempts on IoT devices. Organizations with exposed IoT infrastructure should conduct immediate vulnerability assessments and ensure default credentials have been changed across all devices.

8 findings
T1583.001, T1608.001, T1105
Daily
Apr 4

Daily Threat Briefing — 2026-04-04

On April 4, 2026, threat intelligence monitoring identified significant IoT botnet malware distribution activity, with 49 malicious URLs actively distributing Mirai and Mozi malware variants. The attack infrastructure demonstrates a coordinated campaign targeting vulnerable IoT devices across multiple architectures including ARM, MIPS, x86, and PowerPC platforms. The observed malware distribution pattern indicates ongoing botnet recruitment efforts, with attackers leveraging compromised devices to host malware payloads and expand their botnets. Additionally, one instance of Amadey malware distribution was detected, suggesting commodity malware operations remain active. No critical vulnerabilities, honeypot activity, or infrastructure seizures were reported during this period, indicating this briefing focuses exclusively on malware distribution infrastructure observed through abuse feeds.

8 findings
T1190, T1584.001, T1105
Archive

Daily
Apr 3

Daily Threat Briefing — 2026-04-03

11

Daily
Apr 1

Daily Threat Briefing — 2026-04-01

38

Daily
Apr 1

Daily Threat Briefing — 2026-04-02

27

Daily
Mar 22

Daily Threat Briefing — 2026-03-22

16

Daily
Mar 31

Daily Threat Briefing — 2026-03-31

21

Daily
Mar 30

Daily Threat Briefing — 2026-03-30

20

Daily
Mar 29

Daily Threat Briefing — 2026-03-30

30

Daily
Mar 28

Daily Threat Briefing — 2026-03-28

23

Daily
Mar 24

Daily Threat Briefing — 2026-03-24

27

Daily
Mar 23

Daily Threat Briefing — 2026-03-23

24

Weekly
Mar 16

Weekly Threat Briefing — 2026-03-16 to 2026-03-23

35

Daily
Mar 21

Daily Threat Briefing — 2026-03-21

23

Daily
Mar 20

Daily Threat Briefing — 2026-03-20

38

Daily
Mar 19

Daily Threat Briefing — 2026-03-19

32

Daily
Mar 18

Daily Threat Briefing — 2026-03-18

23
