On April 6, 2026, the threat landscape was dominated by persistent IoT botnet activity targeting embedded devices and network infrastructure. URLhaus identified 50 malicious URLs distributing Mirai and Mozi malware variants across multiple architectures including ARM, MIPS, PowerPC, x86, and SH4. The threat actors demonstrate sophisticated multi-architecture targeting capabilities, deploying malware payloads optimized for diverse IoT and embedded Linux platforms.
The Mozi botnet remains particularly active with 31 distinct malware distribution URLs detected, primarily targeting MIPS and ARM architectures through its characteristic /bin.sh and /i payload delivery mechanisms. Mirai variants account for 19 distribution URLs, using user-agent-based delivery (ua-wget) across seven different processor architectures. Additionally, one Windows-based Amadey dropper was identified, indicating continued hybrid targeting of both traditional endpoints and IoT infrastructure. Organizations with exposed IoT devices, routers, IP cameras, and embedded Linux systems face elevated risk and should implement immediate defensive measures, including credential hardening, network segmentation, and IoT device inventory management.
Widespread distribution of Mirai and Mozi botnet malware targeting IoT devices across multiple architectures
31 malicious URLs distributing Mozi botnet malware primarily targeting MIPS and ARM-based IoT devices. Distribution servers utilize high-numbered ports (35619-59871) and deploy both /bin.sh shell scripts and /i binaries for device compromise. Affected IP ranges span Asia-Pacific and European networks.
19 malicious URLs from hosts 45.156.87.253, 38.60.216.39, and 185.208.159.132 distributing Mirai malware for ARM, ARM5, ARM6, ARM7, MIPS, MPSL, PPC, SH4, x86, x86_64, and M68K architectures. Deployment uses wget-based user-agent targeting (ua-wget), indicating automated exploitation of command injection vulnerabilities in IoT devices.
Windows executable (KVJUXwl.exe) identified as Amadey dropper payload hosted at 85.239.147.6. This represents a departure from the day's dominant IoT targeting, indicating parallel campaigns against traditional Windows endpoints for follow-on payload delivery and potential lateral movement capabilities.
Analysis of distribution infrastructure and exploitation techniques employed in IoT botnet campaigns
Threat actors maintain comprehensive architecture support targeting ARM (variants 4-7), MIPS (big and little endian), PowerPC, SH4, x86 (32/64-bit), and M68K processors. This extensive coverage ensures maximum infection potential across router, camera, DVR, and NAS device ecosystems regardless of underlying hardware architecture.
Mozi campaigns rely heavily on /bin.sh shell-script droppers followed by compiled binary payloads (/i files). In this two-stage delivery, the initial compromise via a command injection vulnerability runs the script, which then fetches the architecture-specific binary for execution; splitting the chain this way complicates detection and helps the malware establish a persistent foothold.
Mirai distribution infrastructure employs user-agent detection (ua-wget) to deliver architecture-appropriate payloads. This technique fingerprints victim devices during exploitation, automatically serving compatible binaries and improving infection success rates while reducing detection through targeted delivery.
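As an added illustration (not code from this report), the Mozi /bin.sh then /i pattern and the Mirai ua-wget per-architecture fetches described above can be turned into a simple triage pass over outbound proxy logs. The log format, the 10.0.x.x clients and the 198.51.100.7 peer address are constructed for the example; the host IoCs, paths, port range and architecture names are taken from the report.

```python
import re
from urllib.parse import urlsplit

# Distribution hosts named in the report.
KNOWN_HOSTS = {"45.156.87.253", "38.60.216.39", "185.208.159.132", "85.239.147.6"}
# Mozi two-stage delivery: shell-script dropper, then the compiled binary.
MOZI_PATHS = {"/bin.sh", "/i"}
# Mozi peers observed on high-numbered ephemeral ports in this range.
MOZI_PORT_RANGE = (35619, 59871)
# Mirai per-architecture binary names served from the central host.
MIRAI_ARCH_RE = re.compile(r"^/main_(ppc|mips|mpsl|arm[567]?|x86(_64)?|sh4|m68k)$")

# Constructed proxy log format: <client> "<method> <url>" <status> "<user-agent>"
LOG_RE = re.compile(r'^(?P<src>\S+) "(?P<method>\w+) (?P<url>\S+)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$')

def classify(line):
    """Return the reasons a log line resembles IoT botnet payload retrieval ([] if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    parts = urlsplit(m.group("url"))
    host, port, path = parts.hostname or "", parts.port, parts.path
    ua = m.group("ua").lower()
    reasons = []
    if host in KNOWN_HOSTS:
        reasons.append("known-host")
    if path in MOZI_PATHS and port is not None and MOZI_PORT_RANGE[0] <= port <= MOZI_PORT_RANGE[1]:
        reasons.append("mozi-stage")
    if MIRAI_ARCH_RE.match(path):
        reasons.append("mirai-arch-binary")
    # wget-based retrieval of a dropper/binary is the ua-wget pattern seen on the victim side.
    if "wget" in ua and (path in MOZI_PATHS or MIRAI_ARCH_RE.match(path)):
        reasons.append("wget-ua-fetch")
    return reasons

def scan(log_text):
    """Return (client, reasons) for every line that triggers at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            hits.append((line.split()[0], reasons))
    return hits

# Constructed sample traffic: one Mirai fetch, one Mozi two-stage sequence, one benign request.
SAMPLE_LOG = """\
10.0.5.21 "GET http://45.156.87.253/main_mips" 200 "Wget/1.20.3 (linux-gnu)"
10.0.5.34 "GET http://198.51.100.7:41234/bin.sh" 200 "Wget"
10.0.5.34 "GET http://198.51.100.7:41234/i" 200 "Wget"
10.0.9.2 "GET http://example.org/index.html" 200 "Mozilla/5.0"
"""
```

A Mozi peer changes address and port per infection, so the path-plus-port and wget indicators matter more than the static host list for that family.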
Identification of key distribution servers and infrastructure patterns supporting IoT botnet operations
Host 45.156.87.253 serves as a central distribution point for Mirai malware across 10 different architectures (main_ppc, main_mips, main_arm, main_arm5, main_arm7, main_x86, main_x86_64, main_sh4, main_m68k, main_mpsl). This concentration suggests coordinated infrastructure under the control of a single threat actor or affiliate.
26 compromised IoT devices across the Asia-Pacific region (likely China) function as peer distribution nodes for Mozi malware. The high-numbered ephemeral ports (35619-59871) are consistent with the dynamic P2P operation characteristic of Mozi's DHT-based command infrastructure, which complicates takedown efforts.
Hosts 38.60.216.39 and 185.208.159.132 provide redundant Mirai distribution capability across multiple architectures. This infrastructure redundancy demonstrates operational resilience planning and suggests well-resourced threat actors with capacity for sustained campaigns despite potential disruptions.