The 24-hour period from March 14-15, 2026 revealed significant supply-chain and infrastructure threats alongside ongoing botnet activity. A critical supply-chain attack compromised the AppsFlyer Web SDK to distribute cryptocurrency-stealing malware, highlighting the persistent risk of third-party JavaScript dependencies. Microsoft issued an out-of-band hotpatch for Windows 11 Enterprise to address a remote code execution vulnerability in the Routing and Remote Access Service (RRAS), indicating active exploitation concerns. URLhaus threat feeds identified 52 malicious URLs distributing multiple malware families, with SmartLoader campaigns heavily abusing GitHub repositories for malware hosting. The ClearFake/ACRStealer campaigns continued targeting users through fake verification pages, while Mozi and Mirai botnet variants maintained persistent IoT device targeting through various MIPS and ARM payloads.
Microsoft released emergency patches for Windows 11 Enterprise addressing remote code execution flaws
Microsoft issued an out-of-band update for Windows 11 Enterprise devices receiving hotpatch updates to fix a security vulnerability in the Routing and Remote Access Service (RRAS). The emergency nature of this release suggests potential active exploitation or high severity impact.
AppsFlyer SDK compromised in sophisticated supply-chain attack targeting cryptocurrency assets
The AppsFlyer Web SDK was temporarily hijacked with malicious JavaScript code designed to steal cryptocurrency in a supply-chain attack. This incident affects all websites and applications integrating the compromised SDK version, potentially exposing millions of users to credential and wallet theft.
34 malicious URLs were identified hosting SmartLoader malware through GitHub repositories and raw content delivery. Threat actors are leveraging legitimate GitHub infrastructure to host ZIP archives containing malware payloads, evading traditional blocklists and detection mechanisms that trust the GitHub domain.
12 malicious URLs were found distributing ACRStealer and ClearFake malware through fake verification pages hosted on the grandevision.in.net, metallocielo.in.net, and petitnuage.in.net domains. These campaigns impersonate legitimate service verification processes to trick users into downloading information-stealing malware.
7 active malware distribution URLs were observed serving Mozi and Mirai botnet payloads targeting IoT devices. Payloads include 32-bit ELF binaries for MIPS and ARM architectures, indicating continued exploitation of vulnerable routers, IP cameras, and embedded devices.
Analysis of malware distribution methods and adversary infrastructure patterns
Threat actors are systematically creating throwaway GitHub accounts and repositories to host malware payloads. This technique exploits GitHub's trusted reputation, free hosting, and high-availability CDN infrastructure. Repositories observed include fake development tools, bot frameworks, and AI assistants, all containing SmartLoader payloads disguised as legitimate software packages.
ClearFake/ACRStealer campaigns employ dynamic subdomain generation across multiple parent domains (grandevision.in.net, metallocielo.in.net, petitnuage.in.net) to evade domain-based blocking. Subdomains follow patterns like 'rock-core-v2', 'sat-uplink-5', 'infra-web-01', mimicking legitimate infrastructure naming conventions.
Multiple Chinese IP addresses (110.37.95.41, 115.53.216.150, 115.55.244.62, 115.57.232.2, 120.84.215.13, 123.189.138.204, 222.141.43.157) are serving Mozi botnet payloads on high ports (35500-55261), indicating compromised residential or small business routers being weaponized as malware distribution nodes.
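As an added detection example (not part of the digest), the following Python turns the three infrastructure patterns described above into checks run over a few constructed proxy-log lines: any host under the ClearFake parent domains (with a bonus flag when the subdomain matches the word-word-number style of 'rock-core-v2', 'sat-uplink-5', 'infra-web-01'), the listed Mozi distribution IPs or any bare-IP download on ports 35500-55261, and ZIP archives fetched from GitHub content hosts. The log format, the client IPs, the paths and the set of GitHub hostnames are assumptions made for the example; the domains, IPs and port range are the digest's own.

```python
"""Detection sketch over constructed proxy-log lines, using the indicators
quoted in the digest (ClearFake domains, Mozi IPs and port range, GitHub-hosted ZIPs)."""
import ipaddress
import re
from urllib.parse import urlparse

# Indicators quoted in the digest
CLEARFAKE_PARENT_DOMAINS = ("grandevision.in.net", "metallocielo.in.net", "petitnuage.in.net")
MOZI_DISTRIBUTION_IPS = frozenset({
    "110.37.95.41", "115.53.216.150", "115.55.244.62", "115.57.232.2",
    "120.84.215.13", "123.189.138.204", "222.141.43.157",
})
MOZI_PORT_RANGE = (35500, 55261)

# Assumption: GitHub hostnames that serve repository and release content. The digest
# only says "GitHub repositories and raw content delivery" without naming hosts.
GITHUB_CONTENT_HOSTS = frozenset({
    "github.com", "raw.githubusercontent.com", "objects.githubusercontent.com",
})

# Generalised from the digest's examples 'rock-core-v2', 'sat-uplink-5', 'infra-web-01':
# two lowercase words joined by hyphens, then an optional 'v' and digits.
INFRA_STYLE_SUBDOMAIN = re.compile(r"^[a-z]+-[a-z]+-v?\d+$")


def _is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url):
    """Return the list of indicator tags that apply to one URL (empty if none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    port = parsed.port
    tags = []

    # ClearFake/ACRStealer: anything under the parent domains, plus the naming pattern
    for parent in CLEARFAKE_PARENT_DOMAINS:
        if host == parent or host.endswith("." + parent):
            tags.append("clearfake-parent-domain")
            subdomain = host[: -len(parent) - 1] if host != parent else ""
            if INFRA_STYLE_SUBDOMAIN.match(subdomain):
                tags.append("clearfake-subdomain-pattern")
            break

    # Mozi/Mirai: known distribution IPs, and more generally bare-IP downloads on high ports
    if host in MOZI_DISTRIBUTION_IPS:
        tags.append("mozi-known-ip")
    if port is not None and MOZI_PORT_RANGE[0] <= port <= MOZI_PORT_RANGE[1] and _is_ip_literal(host):
        tags.append("high-port-ip-download")

    # SmartLoader: ZIP archives pulled from GitHub content hosts
    if host in GITHUB_CONTENT_HOSTS and parsed.path.lower().endswith(".zip"):
        tags.append("github-hosted-zip")

    return tags


def scan_proxy_log(lines):
    """Return [(url, tags)] for each line whose URL gets at least one tag.
    Assumed line format: '<timestamp> <client-ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip rather than crash the scan
        url = parts[3]
        tags = classify_url(url)
        if tags:
            hits.append((url, tags))
    return hits


# Constructed sample log lines: client IPs, paths and the non-digest IP 203.0.113.7 are made up.
SAMPLE_LOG = [
    "2026-03-14T10:01:02Z 10.0.0.5 GET https://rock-core-v2.grandevision.in.net/verify 200",
    "2026-03-14T10:02:11Z 10.0.0.9 GET http://115.53.216.150:45321/mozi.m 200",
    "2026-03-14T10:03:40Z 10.0.0.12 GET https://raw.githubusercontent.com/example-user/dev-tools/main/setup.zip 200",
    "2026-03-14T10:04:05Z 10.0.0.5 GET https://www.example.com/index.html 200",
    "2026-03-14T10:05:17Z 10.0.0.21 GET http://203.0.113.7:40000/bin.arm 200",
]

if __name__ == "__main__":
    for flagged_url, flagged_tags in scan_proxy_log(SAMPLE_LOG):
        print(flagged_url, "->", ", ".join(flagged_tags))
```

The parent-domain check is exact-label matching (host equals the domain or ends with "." plus the domain), so a look-alike such as "notgrandevision.in.net" is not flagged, and the high-port rule deliberately fires on any bare-IP download in the range, not only the listed IPs, because the digest describes these as compromised routers that change over time.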