On April 4, 2026, threat intelligence monitoring identified significant IoT botnet malware distribution activity: 49 malicious URLs were actively distributing Mirai and Mozi malware variants. The attack infrastructure points to a coordinated campaign against vulnerable IoT devices across multiple architectures, including ARM, MIPS, x86, and PowerPC. The observed distribution pattern indicates ongoing botnet recruitment, with attackers using already-compromised devices to host malware payloads and expand their botnets. One instance of Amadey malware distribution was also detected, suggesting that commodity malware operations remain active. No critical vulnerabilities, honeypot activity, or infrastructure seizures were reported during this period, so this briefing covers only the malware distribution infrastructure observed through abuse feeds.
Mirai and Mozi botnet malware is being distributed widely to IoT devices across multiple architectures; 48 malicious URLs were identified delivering payloads to vulnerable embedded systems.
Extensive Mozi botnet infrastructure identified with 30+ distribution URLs hosting malware payloads for ARM and MIPS architectures. Mozi continues to exploit IoT vulnerabilities through automated scanning and exploitation, targeting routers, DVRs, and network-attached storage devices. Distribution servers span residential and enterprise IP ranges across Asia-Pacific and EMEA regions.
Multiple Mirai variant distribution servers detected hosting ELF binaries for ARM, MIPS, x86, x86_64, PowerPC, and m68k architectures. Infrastructure at 212.64.201.57 demonstrates professional multi-architecture compilation indicating mature botnet operations. Targets include IoT devices with default credentials and unpatched vulnerabilities.
Several URLs identified distributing hybrid malware samples exhibiting characteristics of both Mirai and Mozi botnets. This convergence suggests threat actors are incorporating successful techniques from both malware families. Observed at multiple IP addresses including 105.186.163.239, 175.10.24.108, and 180.157.252.62.
Multiple distribution URLs are configured to serve malware only to wget requests, indicating that the payloads are intended for automated vulnerability scanning and exploitation scripts rather than interactive clients. Infrastructure at 37.48.254.120 and 179.43.182.70 employs this technique to evade sandbox detection, so a fetch with a browser or analysis-tool User-Agent may return nothing while the same URL still serves the payload to wget.
Amadey malware dropper infrastructure identified, representing ongoing commodity malware operations targeting Windows systems.
Windows executable (IQEr4wy.exe) distributed via 85.239.147.6 identified as Amadey malware dropper component. Amadey is a commodity botnet and loader frequently used to deploy additional payloads including information stealers, ransomware, and banking trojans. The file identifier 'fbf543' suggests active campaign tracking by threat actors.
Analysis of malware distribution infrastructure reveals tactical patterns and operational security practices employed by botnet operators.
Distribution infrastructure employs a dual payload strategy: shell scripts (bin.sh) for initial infection and architecture-specific binaries (served from the /i endpoint) for persistent malware installation. This two-stage approach lets the operator perform target reconnaissance first and then select the appropriate payload for the device's architecture.
Malware distribution servers predominantly use high-numbered ports (in the 30000-60000 range) to evade basic network monitoring and firewall rules. This reduces visibility for organizations that monitor only well-known ports and suggests a degree of operational security awareness on the part of the threat actors.
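A defender-side detection sketch for the two items above (bin.sh / /i two-stage fetches, high-numbered ports, wget-only serving), added here as an example and not part of the briefing: it scores outbound HTTP requests from a constructed proxy log, and the log format, sample lines and threshold are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real telemetry): "ts client method url user-agent"
SAMPLE_LOG = """\
2026-04-04T09:12:01Z 10.0.0.15 GET http://192.0.2.10:45631/bin.sh Wget/1.21.3
2026-04-04T09:12:04Z 10.0.0.15 GET http://192.0.2.10:45631/i Wget/1.21.3
2026-04-04T09:13:10Z 10.0.0.22 GET https://example.com/index.html Mozilla/5.0
2026-04-04T09:14:02Z 10.0.0.31 GET http://198.51.100.7:8080/update.sh curl/8.4.0
"""

HIGH_PORT_RANGE = range(30000, 60001)   # port range noted in the briefing
PAYLOAD_PATHS = {"/bin.sh", "/i"}       # stage-1 script and stage-2 binary endpoint
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.+)$")

def score_line(line):
    """Return (score, reasons) for one log line; each matched trait adds one point."""
    m = LINE_RE.match(line.strip())
    if not m:
        return 0, []
    _ts, _client, _method, url, ua = m.groups()
    parts = urlsplit(url)
    reasons = []
    if parts.port is not None and parts.port in HIGH_PORT_RANGE:
        reasons.append("high-numbered port")
    if parts.path in PAYLOAD_PATHS:
        reasons.append("known staging path")
    if ua.lower().startswith("wget/"):
        reasons.append("wget user-agent")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", parts.hostname or ""):
        reasons.append("bare IP host")
    return len(reasons), reasons

def detect(log_text, threshold=3):
    """Return (client, url, reasons) for every line scoring at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        score, reasons = score_line(line)
        if score >= threshold:
            m = LINE_RE.match(line.strip())
            hits.append((m.group(2), m.group(4), reasons))
    return hits

if __name__ == "__main__":
    for client, url, reasons in detect(SAMPLE_LOG):
        print(f"{client} -> {url}: {', '.join(reasons)}")
```

On the sample log only the two fetches from 10.0.0.15 reach the threshold; the curl request on port 8080 scores a single point (bare IP host) and is left alone.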
Malware distribution infrastructure heavily concentrated in Asia-Pacific region (China, India, Vietnam) with secondary presence in EMEA (Russia, Eastern Europe). This geographic clustering suggests either regional targeting priorities or exploitation of regions with high concentrations of vulnerable IoT devices.