On April 5, 2026, threat intelligence sources identified a significant malware distribution campaign leveraging a single compromised server at IP address 103.130.214.71. The threat actor is actively distributing Mirai botnet variants and DDoS malware across 50 different URLs, targeting multiple CPU architectures including ARM, x86, MIPS, PowerPC, and RISC-V. This multi-architecture approach indicates an IoT-focused campaign designed to compromise diverse embedded devices, routers, and Linux-based systems.
The malware distribution infrastructure demonstrates sophisticated targeting of IoT ecosystems, with binaries compiled for platforms commonly found in routers, IP cameras, DVRs, and other Internet-connected devices. The campaign utilizes wget-based delivery mechanisms, a hallmark of automated botnet propagation. All indicators were sourced from URLhaus abuse feeds, confirming active malicious distribution at the time of detection.
Immediate defensive actions should include blocking the identified IP address (103.130.214.71) at network perimeters, implementing detection rules for the specific URL patterns and file names, and monitoring for wget-based download attempts on IoT devices. Organizations with exposed IoT infrastructure should conduct immediate vulnerability assessments and ensure default credentials have been changed across all devices.
Large-scale malware distribution campaign targeting IoT devices with Mirai variants and DDoS tools across 50+ malicious URLs from a single compromised server.
A threat actor is distributing Mirai botnet variants compiled for multiple architectures (x86, MPSL, DBG) via a compromised server at 103.130.214.71:4949. The binaries include mirai.x86, mirai.mpsl, and mirai.dbg, indicating targeting of diverse Linux-based IoT devices. Distribution uses a wget user-agent, suggesting automated infection chains.
Comprehensive ARM architecture targeting was observed, with DDoS malware variants for ARM6, ARM7, ARMv4l, ARMv5l, ARMv6, ARMv7l, and ARM64 platforms. This broad ARM coverage indicates targeting of routers, IP cameras, NAS devices, and embedded systems from multiple manufacturers. File names include 'ovharm*', 'rstarm*', 'siackarm*', and 'library*' variants.
Multiple x86 and x86_64 architecture binaries detected including 'siackx86', 'siackx64', 'shandx86-64', 'libraryx64', and 'ovhamd64'. These variants target traditional Linux servers, virtual machines, and x86-based embedded systems, expanding the botnet's reach beyond IoT devices to include cloud and enterprise infrastructure.
Campaign includes malware compiled for MIPS (mipsel variants, tcimips, librarymips) and PowerPC (dropperppc) architectures, targeting older routers, network equipment, and embedded systems still widely deployed in enterprise and ISP environments. These legacy architectures often lack modern security controls.
Detection of a RISC-V architecture binary (siriscv64) represents an emerging threat to next-generation IoT and embedded devices adopting RISC-V processors. This indicates the threat actor is actively developing capabilities for future device ecosystems and monitoring technology adoption trends.
Analysis of malware distribution infrastructure reveals automated delivery mechanisms and multi-stage infection techniques targeting vulnerable IoT devices.
All malware samples utilize wget user-agent strings, indicating automated exploitation and download chains typical of IoT botnet propagation. Attackers likely exploit weak credentials or vulnerabilities to execute wget commands remotely, downloading architecture-appropriate payloads. Organizations should monitor for unusual wget activity on embedded devices.
A single IP address (103.130.214.71) hosting 50+ malware variants suggests a compromised legitimate server being repurposed for malware distribution. The server runs an HTTP service on non-standard port 4949, potentially evading basic security controls. The 'bins' directory structure indicates organized malware staging infrastructure.
Malware binaries follow systematic naming patterns indicating automated build and deployment processes. Prefixes like 'ovh', 'rst', 'siack', 'shand', 'ssyn', 'sudp', 'tci', 'mtd', and 'mclibs2' with architecture suffixes suggest multiple malware families or variants compiled from common source code with different capabilities (DDoS attack types, persistence mechanisms).
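One way to turn the indicators above (the distribution host and port, the 'bins' staging directory, the wget user-agent, and the family-prefix / architecture-suffix naming pattern) into a proxy-log detection rule. This is an added example, not tooling from the report or from URLhaus; the log line format and the sample lines are constructed for illustration, and only the host, port, directory and naming tokens come from the report.

```python
import re

# Indicators quoted from the report above: distribution host and port, the
# 'bins' staging directory, and the family-prefix / architecture-suffix tokens.
DIST_HOST, DIST_PORT, STAGING_DIR = "103.130.214.71", 4949, "/bins/"
FAMILY_PREFIX_RE = re.compile(
    r"^(mirai|ovh|rst|siack|shand|ssyn|sudp|tci|mtd|mclibs2|library|dropper)")
ARCH_SUFFIX_RE = re.compile(
    r"(arm(64|v?\d+l?)?|x86([-_]64)?|x64|amd64|mips(el)?|mpsl|ppc|riscv64|dbg)$")
# Constructed (hypothetical) proxy log format: <client> <host>:<port> <method> <path> "<ua>"
LOG_RE = re.compile(r'^(\S+) (\S+):(\d+) (\S+) (\S+) "([^"]*)"$')

def score_request(host, port, path, user_agent):
    """Return the list of report indicators that a single request matches."""
    filename = path.rsplit("/", 1)[-1]
    checks = [
        ("known-distribution-host", host == DIST_HOST),
        ("nonstandard-port-4949", port == DIST_PORT),
        ("bins-staging-dir", STAGING_DIR in path),
        ("wget-user-agent", user_agent.lower().startswith("wget")),
        ("known-family-prefix", bool(FAMILY_PREFIX_RE.match(filename))),
        ("arch-suffixed-filename", bool(ARCH_SUFFIX_RE.search(filename))),
    ]
    return [label for label, hit in checks if hit]

def is_suspicious(reasons):
    # The published host alone is decisive; otherwise require three weaker
    # signals so that routine wget mirror downloads are not flagged.
    return "known-distribution-host" in reasons or len(reasons) >= 3

def scan_log(text):
    """Return (client, url, reasons) for each suspicious request in the log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        client, host, port, _method, path, ua = m.groups()
        reasons = score_request(host, int(port), path, ua)
        if is_suspicious(reasons):
            findings.append((client, f"{host}:{port}{path}", reasons))
    return findings

# Constructed sample lines (not real traffic) exercising the rules.
SAMPLE_LOG = """\
192.168.1.20 103.130.214.71:4949 GET /bins/mirai.x86 "Wget/1.21.1"
192.168.1.21 mirrors.example.org:443 GET /pub/tool-1.2.tar.gz "Wget/1.21.1"
192.168.1.22 10.0.0.5:4949 GET /bins/ovharm7 "curl/8.0.1"
192.168.1.23 www.example.com:80 GET /index.html "Mozilla/5.0"
"""
```

The second sample line shows why a bare wget user-agent is only one signal: ordinary mirror downloads also use it, so the rule flags the third line (port 4949, 'bins' directory, family prefix and ARM suffix) but not the second.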