This briefing covers the 24-hour period from April 1-2, 2026, highlighting critical vulnerabilities and active malware distribution campaigns. The threat landscape is dominated by multiple critical-severity vulnerabilities requiring immediate attention, particularly affecting CI4MS content management systems and Mbed TLS cryptographic libraries. A Google Dawn use-after-free vulnerability (CVE-2026-5281) was added to CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
Malware distribution activity remains significant with 50 malicious URLs identified, primarily distributing Mirai/Mozi botnet variants targeting IoT devices and the ACRStealer/ClearFake campaigns using Google verification lures. The Mozi botnet continues aggressive propagation across Asia-Pacific regions with multiple command-and-control nodes active. Additionally, Amadey dropper infrastructure on IP 85.239.147.6 is actively distributing secondary payloads.
Organizations should prioritize patching the ten critical-severity CVEs disclosed during this period, particularly those affecting CI4MS (CVE-2026-34571, CVE-2026-34569, CVE-2026-34568) and Mbed TLS (CVE-2026-34875, CVE-2026-34872). Network defenders should block the identified malicious infrastructure and monitor for indicators associated with Mirai/Mozi propagation attempts and ClearFake social engineering campaigns.
Eleven critical-severity vulnerabilities identified, including widespread XSS and injection flaws in CI4MS, cryptographic weaknesses in Mbed TLS, and a known-exploited Chrome vulnerability
Use-after-free vulnerability in Google Dawn allows remote code execution via crafted HTML in compromised renderer processes. Affects Chromium-based browsers including Chrome and Microsoft Edge. Active exploitation confirmed by CISA KEV inclusion.
Improper input sanitization in CI4MS blog post creation allows attackers to embed malicious JavaScript, affecting all users viewing compromised blog content.
Six additional critical XSS vulnerabilities (CVE-2026-34567, CVE-2026-34566, CVE-2026-34565, CVE-2026-34564, CVE-2026-34563, CVE-2026-34560, CVE-2026-34559) affect CI4MS menu management, backup handling, and logging interfaces with CVSS scores of 9.1.
Eighteen high-severity vulnerabilities identified across multiple products including IBM Verify Access, File Browser, V-SFT industrial software, and Payload CMS
Authenticated users with write access can inject malicious content that executes when viewed by other users in the Payload CMS admin panel.
Five high-severity vulnerabilities (CVE-2026-32929, CVE-2026-32928, CVE-2026-32927, CVE-2026-32926, CVE-2026-32925) in V-SFT versions 6.2.10.0 and prior enable arbitrary code execution and information disclosure via crafted V7 files. CVSS 7.8.
NULL pointer dereference in distinguished name parsing allows attackers to write to address 0, potentially causing denial of service or exploitation on certain systems.
Cryptographic weakness in Mbed TLS and TF-PSA-Crypto pseudo-random number generation due to improper seed handling, potentially compromising cryptographic operations.
Buffer overflow in the x509_inet_pton_ipv6() function affects Mbed TLS versions 3.5.0 to 3.6.5, potentially enabling remote code execution during IPv6 address parsing.
50 malicious URLs identified distributing Mirai/Mozi botnet variants, ACRStealer/ClearFake campaigns, and Amadey dropper payloads targeting diverse victim populations
31 domains identified hosting ACRStealer and ClearFake malware disguised as Google verification pages. Domains use infrastructure-themed subdomains (cyberlattice.in.net, nanostream.in.net, pixelengine.in.net, signalvector.in.net, infodynamics.in.net) to appear legitimate. Social engineering campaign targets users with fake security verification prompts.
17 active C2 nodes distributing Mirai and Mozi botnet variants across Asia-Pacific IP ranges. Malware samples target multiple architectures (ARM, MIPS, 32-bit ELF) indicating widespread IoT device exploitation. Active IPs include Chinese, Australian, and South American infrastructure.
Five unique payloads distributed from IP 85.239.147.6 via the Amadey botnet dropper. Secondary payloads include various malware families. The infrastructure is actively compromising systems to deploy additional malicious tools.
Multiple Mirai botnet binaries hosted on infrastructure at 91.92.243.209 (ARM, MIPS, ARMv7l variants) and 87.121.84.45 (debug.dbg). Propagation using a wget user agent indicates automated exploitation and lateral movement across vulnerable IoT devices.
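The briefing asks defenders to block the listed infrastructure and watch for Mirai/Mozi propagation and ClearFake lures. The following is an added example, not part of the briefing, of how those indicators turn into detection logic run over proxy logs. The IPs, domains, the pulse-svc subdomain pattern and the debug.dbg file name are taken from the briefing; the log format, the 10.0.0.0/8 client addresses, the 203.0.113.7 host, the /payload1 path and www.example.com are constructed for the example.

```python
"""Indicator matcher run over constructed proxy-log lines (added example).

Indicator values come from the briefing. The log format, client addresses,
203.0.113.7, the /payload1 path and www.example.com are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# C2 / dropper IPs named in the briefing.
IOC_IPS = {"85.239.147.6", "91.92.243.209", "87.121.84.45"}
# ClearFake / ACRStealer domains named in the briefing; any subdomain matches.
IOC_DOMAINS = {
    "cyberlattice.in.net",
    "nanostream.in.net",
    "pixelengine.in.net",
    "signalvector.in.net",
    "infodynamics.in.net",
}

# Constructed log format: <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Alert:
    line_no: int
    severity: str  # "high" for a direct IoC hit, "medium" for a behavioural pattern
    reason: str
    client: str
    url: str


def _destination_host(url: str) -> Optional[str]:
    host = urlsplit(url).hostname
    return host.lower() if host else None


def _is_raw_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def _matching_ioc_domain(host: str) -> Optional[str]:
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def triage(line_no: int, client: str, url: str, user_agent: str) -> List[Alert]:
    """Apply the three rules to one parsed request; a request can trip several."""
    alerts: List[Alert] = []
    host = _destination_host(url)
    if host is None:
        return alerts
    if host in IOC_IPS:
        alerts.append(Alert(line_no, "high",
                            f"destination {host} is a C2/dropper IP from the briefing", client, url))
    domain = _matching_ioc_domain(host)
    if domain is not None:
        alerts.append(Alert(line_no, "high",
                            f"destination is under ClearFake/ACRStealer domain {domain}", client, url))
    # Behavioural rule: wget fetching from a bare IP is the Mirai-style propagation
    # pattern the briefing describes. Noisy on build hosts, so it is medium severity
    # and is best scoped to IoT network segments.
    if user_agent.startswith("Wget/") and _is_raw_ip(host):
        alerts.append(Alert(line_no, "medium",
                            "Wget user agent fetching from a raw IP (Mirai-style propagation)", client, url))
    return alerts


def scan_log(lines: List[str]) -> List[Alert]:
    alerts: List[Alert] = []
    for line_no, raw in enumerate(lines, start=1):
        match = LOG_RE.match(raw.strip())
        if match is None:
            continue  # unparseable line; a production pipeline would count these
        alerts.extend(triage(line_no, match["client"], match["url"], match["ua"]))
    return alerts


# Constructed sample log (not captured traffic).
SAMPLE_LOG = [
    '2026-04-02T03:14:07Z 10.0.0.12 GET http://85.239.147.6/payload1 200 "Mozilla/5.0"',
    '2026-04-02T03:15:41Z 10.0.0.33 GET https://pulse-svc.cyberlattice.in.net/verify 200 "Mozilla/5.0"',
    '2026-04-02T03:16:02Z 10.0.0.90 GET http://87.121.84.45/debug.dbg 200 "Wget/1.21.4"',
    '2026-04-02T03:17:55Z 10.0.0.91 GET http://203.0.113.7/bins/mips 404 "Wget/1.20.3"',
    '2026-04-02T03:18:10Z 10.0.0.12 GET https://www.example.com/ 200 "Mozilla/5.0"',
    'this line is malformed and is skipped',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"line {alert.line_no} [{alert.severity}] {alert.client} -> {alert.url}: {alert.reason}")
```

Domain matching is on suffix boundaries ("." + domain) so that look-alike registrations such as a hypothetical notcyberlattice.in.net do not match, while the infrastructure-themed subdomains the briefing describes do. The third log line trips both the IP rule and the wget rule, which is the expected shape of a Mirai download from a known host.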
Analysis of malware distribution methods reveals sophisticated social engineering, multi-architecture IoT targeting, and dropper-based payload delivery
Threat actors are distributing Mirai/Mozi variants compiled for ARM, MIPS, ARMv7l, and 32-bit ELF architectures to maximize IoT device infection rates. This approach ensures compatibility across routers, cameras, DVRs, and embedded systems from multiple manufacturers.
ACRStealer/ClearFake campaigns employ technical-sounding subdomain patterns (pulse-svc, drift-core, frame-buffer, radio-freq) to impersonate legitimate technology services. Combined with Google verification theming, this increases victim trust and reduces suspicion during initial compromise.
Amadey botnet infrastructure demonstrates modular malware deployment capability with multiple secondary payloads delivered post-compromise. This approach enables threat actors to customize victim exploitation based on system characteristics and campaign objectives.