During the 24-hour period from March 15-16, 2026, threat intelligence monitoring identified 49 malicious URLs actively distributing multiple malware families. The threat landscape was dominated by two primary campaigns: a large-scale ClearFake/ACRStealer operation leveraging compromised domains with fake Google verification pages, and ongoing Mirai/Mozi botnet activity targeting IoT devices through malicious ELF binaries. The absence of honeypot telemetry and enrichment alerts during this period limits visibility into active exploitation attempts, but the volume and variety of malware distribution infrastructure indicate sustained threat actor activity.
The ClearFake campaign accounts for 35 malicious URLs across multiple domains (pontesicuro.in.net, altolivello.in.net, silberstromx.in.net, schnellestat.in.net, petitreseauv.in.net, starkewolke.in.net, and mondolucente.in.net), suggesting a coordinated infrastructure setup designed to evade detection through domain rotation. Meanwhile, the Mirai/Mozi botnet infrastructure continues targeting Linux-based IoT devices with architecture-specific payloads (MIPS, ARM, PPC) deployed from compromised systems, primarily located in Asian IP ranges.
Organizations should prioritize blocking the identified malicious domains and IP addresses, implement enhanced monitoring for fake browser update social engineering attempts, and ensure IoT devices are properly secured with default credential changes and network segmentation. The prevalence of dropper malware (Amadey) and remote access tools (RatonRAT) indicates multi-stage infection chains that warrant investigation for potential data exfiltration or ransomware precursor activity.
Widespread social engineering campaign distributing information stealers through fake Google verification pages
35 malicious URLs identified across 7 domains (pontesicuro.in.net, altolivello.in.net, silberstromx.in.net, schnellestat.in.net, petitreseauv.in.net, starkewolke.in.net, mondolucente.in.net) hosting fake Google verification pages to distribute ACRStealer and ClearFake malware. The campaign uses subdomain rotation patterns (node-x91, bridge-00, sync-z1, etc.) to evade detection.
ACRStealer credential harvesting malware distributed through fake verification pages targeting browser credentials, cookies, and authentication tokens. All distribution URLs use HTTPS to appear legitimate to victims.
Active distribution of Mirai and Mozi botnet malware targeting Linux-based IoT devices with architecture-specific payloads
20+ malicious URLs distributing Mozi botnet payloads targeting MIPS and ARM architectures. Distribution servers are primarily located in Asian IP ranges (China: 115.x, 110.x, 42.x, 59.x, 60.x; others: 200.59.83.67, 46.163.181.104). Both shell scripts (bin.sh) and compiled binaries targeting specific architectures were observed.
Mirai malware distribution observed from 2.58.82.231 and 182.240.3.9 with payloads compiled for PPC, ARC, ARM, and MIPS architectures. The multi-architecture approach indicates broad targeting of various IoT device types including routers, cameras, and embedded systems.
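Because the Mozi and Mirai payloads above are compiled per architecture, a first triage step for files pulled from a distribution server or found on a device is to read the ELF header and record the target machine rather than execute anything. The script below is an added example, not tooling from the report: it parses the ELF identification bytes and e_machine field (offsets and values from the ELF specification), flags the IoT architectures the report lists, and separates shell droppers such as bin.sh from binaries. The sample headers it builds are constructed for the demonstration, not captured samples.

```python
import struct
from typing import Optional

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF specification. The report names MIPS, ARM, PPC and ARC
# targets; x86 variants are included only for contrast.
E_MACHINE = {
    3: "x86",
    8: "MIPS",
    20: "PPC",
    21: "PPC64",
    40: "ARM",
    42: "SuperH",
    45: "ARC",
    62: "x86-64",
    93: "ARC Compact",
    183: "AArch64",
}

# Architectures typically seen in IoT botnet builds (assumption based on the report's list).
IOT_ARCHES = {"MIPS", "ARM", "PPC", "ARC", "ARC Compact", "SuperH", "AArch64"}


def classify_elf(blob: bytes) -> Optional[dict]:
    """Return class/endianness/type/architecture for an ELF blob, or None if not ELF."""
    if len(blob) < 20 or blob[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = blob[4], blob[5]           # EI_CLASS, EI_DATA
    bits = {1: 32, 2: 64}.get(ei_class)
    endian = {1: "<", 2: ">"}.get(ei_data)
    if bits is None or endian is None:
        return None                                # malformed identification bytes
    # e_type and e_machine are the two 16-bit fields right after e_ident, in file byte order.
    e_type, e_machine = struct.unpack(endian + "HH", blob[16:20])
    arch = E_MACHINE.get(e_machine, f"unknown({e_machine:#x})")
    return {
        "bits": bits,
        "endian": "little" if ei_data == 1 else "big",
        "type": {1: "REL", 2: "EXEC", 3: "DYN"}.get(e_type, f"unknown({e_type})"),
        "arch": arch,
        "iot_target": arch in IOT_ARCHES,
    }


def triage(name: str, blob: bytes) -> str:
    """One-line verdict for a downloaded artefact: script, ELF (with arch), or other."""
    if blob.startswith(b"#!"):
        return f"{name}: shell script dropper candidate"
    info = classify_elf(blob)
    if info is None:
        return f"{name}: not ELF, inspect manually"
    flag = " [IoT architecture]" if info["iot_target"] else ""
    return f"{name}: ELF{info['bits']} {info['endian']}-endian {info['type']} {info['arch']}{flag}"


def make_header(bits: int, big_endian: bool, e_machine: int, e_type: int = 2) -> bytes:
    """Constructed minimal ELF header used only to exercise the parser offline."""
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 2 if big_endian else 1, 1, 0, 0]) + b"\x00" * 7
    return ident + struct.pack((">" if big_endian else "<") + "HHI", e_type, e_machine, 1)


# Constructed sample set mirroring the file types the report describes.
SAMPLES = {
    "mozi.mips": make_header(32, True, 8),
    "mozi.arm": make_header(32, False, 40),
    "mirai.ppc": make_header(32, True, 20),
    "mirai.arc": make_header(32, False, 93),
    "bin.sh": b"#!/bin/sh\ncd /tmp; echo constructed-sample\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(triage(name, blob))
```

Real samples are usually statically linked and stripped, so the header is often the only cheap signal; pair the verdict with the originating URL and IP from the report so blocks and hunts are keyed on both the file and its source.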
Additional malware families including cryptocurrency miners, droppers, and remote access tools
Two URLs (api.wewpwsw.su/gate.exe, 158.94.208.7/files/7460962853/qZGuNez.exe) identified as distributing payloads dropped by the Amadey botnet. The secondary payload at 158.94.208.7 was identified as the RatonRAT remote access trojan, indicating a multi-stage infection chain for persistent access.
Cryptocurrency mining malware distributed through an Android APK package hosted at cc-a89.pages.dev (duanj.me.apk). Abuse of Cloudflare Pages infrastructure for malware distribution suggests compromised developer accounts or purpose-built infrastructure.
Malicious shell script (w_a.sh) distributed from 5.175.223.124, likely serving as initial infection vector or dropper for additional payloads on compromised Linux systems.
Analysis of tactics, techniques, and procedures observed across identified malware campaigns
Threat actors are utilizing multiple .in.net domains with systematic subdomain rotation patterns (v1, v2, x9, z1, etc.) to maintain operational resilience and evade domain-based blocking. This suggests organized infrastructure management.
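Because the rotation described here and in the ClearFake section above defeats a static blocklist of full hostnames, a detection should key on the registered domain and on the shape of the subdomain label. The script below is an added example, not part of the report: it scans proxy log lines for the seven .in.net domains the report names, and additionally raises a lower-confidence "suspicious-rotation" verdict for any other .in.net host whose first label matches the rotation style (node-x91, bridge-00, sync-z1, v1, x9). The log format, client IPs, the unlistedhost.in.net domain and the label regex are constructed assumptions; the regex generalises the handful of labels the report lists.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Domains named in the report as hosting fake Google verification pages.
CLEARFAKE_DOMAINS = {
    "pontesicuro.in.net", "altolivello.in.net", "silberstromx.in.net",
    "schnellestat.in.net", "petitreseauv.in.net", "starkewolke.in.net",
    "mondolucente.in.net",
}

# Assumed generalisation of the labels seen in the report (node-x91, bridge-00, sync-z1,
# v1, v2, x9, z1): a short alphabetic token, optional hyphen plus up to two letters, digits.
ROTATION_LABEL = re.compile(r"^[a-z]{1,8}(-[a-z]{0,2})?\d{1,3}$")

# Assumed proxy log layout: timestamp client-ip method url status
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def split_host(host: str) -> Tuple[str, List[str]]:
    """Return (registered domain, subdomain labels). Treats x.in.net as the registered unit."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2:] == ["in", "net"]:
        return ".".join(labels[-3:]), labels[:-3]
    return ".".join(labels[-2:]), labels[:-2]


def classify_host(host: str) -> str:
    """known-ioc for listed domains, suspicious-rotation for rotation-style .in.net hosts."""
    registered, subs = split_host(host)
    if registered in CLEARFAKE_DOMAINS:
        return "known-ioc"
    if registered.endswith(".in.net") and subs and ROTATION_LABEL.match(subs[0]):
        return "suspicious-rotation"
    return "benign"


def scan_log(text: str) -> Tuple[List[dict], Dict[str, Set[str]]]:
    """Return flagged requests and the distinct subdomains observed per registered domain."""
    hits: List[dict] = []
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                   # skip lines in another format
        host = urlsplit(m["url"]).hostname or ""
        verdict = classify_host(host)
        if verdict == "benign":
            continue
        registered, subs = split_host(host)
        seen[registered].add(subs[0] if subs else "")
        hits.append({"ts": m["ts"], "client": m["client"], "host": host, "verdict": verdict})
    return hits, dict(seen)


def clients_to_investigate(hits: List[dict]) -> List[str]:
    """Internal hosts that reached a flagged domain; candidates for stealer triage."""
    return sorted({h["client"] for h in hits})


# Constructed log lines; client IPs and the unlisted domain are invented for the example.
LOG_LINES = """\
2026-03-15T10:02:11Z 10.0.4.21 GET https://node-x91.pontesicuro.in.net/verify 200
2026-03-15T10:02:13Z 10.0.4.21 GET https://bridge-00.altolivello.in.net/verify 200
2026-03-15T10:05:40Z 10.0.7.3 GET https://www.example.com/index.html 200
2026-03-15T10:07:02Z 10.0.4.21 GET https://sync-z1.schnellestat.in.net/verify 200
2026-03-15T10:09:55Z 10.0.9.8 GET https://v2.unlistedhost.in.net/verify 200
2026-03-15T10:11:30Z 10.0.9.8 GET https://docs.example.org/page 200
"""

if __name__ == "__main__":
    found, rotation = scan_log(LOG_LINES)
    for h in found:
        print(f"{h['ts']} {h['client']} -> {h['host']} [{h['verdict']}]")
    print("investigate:", clients_to_investigate(found))
    print("subdomains per domain:", rotation)
```

The label regex on its own is weak (cdn2 or v1 also occur on legitimate sites), which is why it only upgrades hosts already under the .in.net suffix the campaign favours; treat those as leads to confirm, and treat the named domains as block-and-investigate.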