On April 7, 2026, threat intelligence collection identified 50 malicious indicators from abuse.ch URLhaus, representing active malware distribution campaigns. The threat landscape is dominated by IoT botnet activity (Mozi and Mirai variants targeting MIPS and ARM architectures) and browser-based social engineering attacks (ClearFake campaigns delivering ACRStealer and NetSupport RAT). Additionally, Chinese-language malware campaigns were observed distributing advanced RATs including SilverFox, Gh0stRAT, and Kryplod through cloud storage services.
The ClearFake campaign shows sophisticated infrastructure with multiple subdomain variations across semanticvector[.]in[.]net, abstractlogic[.]in[.]net, conceptmatrix[.]in[.]net, structuralcore[.]in[.]net, and exhortshelk[.]in[.]net domains, suggesting a well-resourced operation with rotation capabilities. IoT botnet operators continue targeting vulnerable devices through known exploitation vectors, with Mozi malware maintaining persistent distribution across Asian IP ranges. The Chinese-language RAT campaign leverages legitimate cloud infrastructure (Alibaba OSS, AWS S3) for malware hosting, indicating supply chain compromise or targeted regional attacks.
Organizations should prioritize patching IoT devices, implementing network segmentation for operational technology environments, deploying browser isolation technologies, and monitoring for connections to the identified malicious domains and IP addresses. No critical vulnerabilities, KEV entries, or honeypot data were recorded for this period.
Large-scale ClearFake campaign delivering ACRStealer credential harvester and NetSupport remote access trojan through fake browser update prompts across multiple malicious domains.
Multiple subdomains under semanticvector[.]in[.]net hosting ClearFake fake update pages delivering ACRStealer malware. Subdomains include word-map, term-index, meaning-svc, tag-portal, link-trace, and meta-point, all serving verification.google paths.
Seven malicious subdomains under conceptmatrix[.]in[.]net distributing ClearFake payloads (ACRStealer). Infrastructure includes entity-hub, root-source, cloud-draft, view-port, sketch-node, and master-index subdomains.
Additional ClearFake infrastructure identified across structuralcore[.]in[.]net (delivering NetSupport RAT), abstractlogic[.]in[.]net, and exhortshelk[.]in[.]net domains. The NetSupport RAT variant indicates advanced remote access capabilities beyond credential theft.
Continued distribution of Mozi and Mirai botnet malware targeting IoT devices with MIPS and ARM architectures, primarily from Asian IP ranges.
Multiple Chinese IP addresses distributing Mozi botnet malware via HTTP on high ports (48828-55488). Targets include MIPS and ARM architectures with ELF binaries. Source IPs: 124.129.91.47, 219.156.28.216, 222.137.23.43, 42.232.176.25, 182.117.122.124, 117.223.142.255, 113.233.117.15.
Active Mirai botnet distribution from multiple sources including 60.215.22.234, 123.11.171.85, 123.11.203.83, and 85.11.167.101. The 85.11.167.101 infrastructure serves multiple architecture variants (x86_64, ARM, MIPS) suggesting loader/dropper capabilities.
IP 85.11.167.101 hosting comprehensive Mirai variant distribution with binaries for x86_64, arm, arm5, arm6, arm7, mips, and mipsel architectures. User-agent filtering (ua-wget) suggests automated infection chains.
Advanced persistent threat activity distributing multiple remote access trojans through cloud storage providers, likely targeting Chinese-speaking users or organizations.
SilverFox malware hosted on Alibaba Cloud OSS (yifanyisetup32.oss-cn-hongkong.aliyuncs.com) and AWS S3 (maiqiaqia1.s3.ap-east-1.amazonaws.com). Filenames suggest disguise as legitimate translation software (yifanyi).
Gh0stRAT (yifanyi-67349x32.oss-cn-hongkong.aliyuncs.com) and Kryplod/Kryptik variants (youdownload.oss-cn-hongkong.aliyuncs.com, 2026yifanyi.oss-cn-hongkong.aliyuncs.com) distributed via Alibaba Cloud infrastructure. All packages masquerade as legitimate software installers.
Secondary payload distribution associated with Amadey botnet loader infrastructure.
Executable payload (aREfDTa.exe) hosted at 85.239.147.6/files/7362035837/ identified as dropped-by-amadey with hash fbf543. Amadey loaders typically deliver additional malware families including stealers and ransomware.
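The recommendation above to monitor for connections to the listed domains and IPs is straightforward to operationalize. The following is an added example, not part of the original report or any URLhaus tooling: it refangs the indicators exactly as published here, matches web-proxy log lines against them, and treats the rotating ClearFake parent domains differently from the cloud-storage bucket hostnames (a parent like oss-cn-hongkong.aliyuncs.com is shared infrastructure and must never be matched as a whole). The log format and the sample lines are constructed for the example; the paths mozi.m and setup.exe are placeholders, while the Amadey URL is the one in the report.

```python
import re
from urllib.parse import urlsplit

# Indicators as printed in the report above, kept in their published form.
# Matching on an attacker-controlled parent domain covers every rotated subdomain.
DOMAIN_FAMILY = {
    "semanticvector[.]in[.]net": "ClearFake",
    "abstractlogic[.]in[.]net": "ClearFake",
    "conceptmatrix[.]in[.]net": "ClearFake",
    "structuralcore[.]in[.]net": "ClearFake",
    "exhortshelk[.]in[.]net": "ClearFake",
    "yifanyisetup32.oss-cn-hongkong.aliyuncs.com": "SilverFox",
    "maiqiaqia1.s3.ap-east-1.amazonaws.com": "SilverFox",
    "yifanyi-67349x32.oss-cn-hongkong.aliyuncs.com": "Gh0stRAT",
    "youdownload.oss-cn-hongkong.aliyuncs.com": "Kryplod/Kryptik",
    "2026yifanyi.oss-cn-hongkong.aliyuncs.com": "Kryplod/Kryptik",
}
IP_FAMILY = {
    **{ip: "Mozi" for ip in ("124.129.91.47", "219.156.28.216", "222.137.23.43",
                             "42.232.176.25", "182.117.122.124",
                             "117.223.142.255", "113.233.117.15")},
    **{ip: "Mirai" for ip in ("60.215.22.234", "123.11.171.85",
                              "123.11.203.83", "85.11.167.101")},
    "85.239.147.6": "Amadey",
}
MOZI_PORTS = range(48828, 55489)  # the reported 48828-55488 range, inclusive

# Shared storage providers: only the exact bucket hostname is an indicator.
SHARED_HOST_SUFFIXES = (".aliyuncs.com", ".amazonaws.com")


def refang(indicator: str) -> str:
    """Turn the published defanged form back into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d): fam for d, fam in DOMAIN_FAMILY.items()}

# Constructed proxy-log format: timestamp, client IP, method, URL, HTTP status.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample traffic; only lines 1, 3, 4 and 6 should produce hits.
LOG_SAMPLE = """\
2026-04-07T09:12:01Z 10.20.0.14 GET http://word-map.semanticvector.in.net/verification.google/ 200
2026-04-07T09:12:05Z 10.20.0.14 GET https://www.example.com/update.html 200
2026-04-07T09:40:33Z 10.20.0.77 GET http://124.129.91.47:50123/mozi.m 200
2026-04-07T10:02:10Z 10.20.0.91 GET http://yifanyisetup32.oss-cn-hongkong.aliyuncs.com/setup.exe 200
2026-04-07T10:15:42Z 10.20.0.91 GET http://legit-bucket.oss-cn-hongkong.aliyuncs.com/report.pdf 200
2026-04-07T11:03:00Z 10.20.0.33 GET http://85.239.147.6/files/7362035837/aREfDTa.exe 200
"""


def classify_host(host: str):
    """Return (indicator, family) when host matches an indicator, else None."""
    if host in IP_FAMILY:
        return host, IP_FAMILY[host]
    for domain, family in DOMAINS.items():
        if host == domain:
            return domain, family
        # Subdomain matching only for attacker-owned parents, never for shared providers.
        if not domain.endswith(SHARED_HOST_SUFFIXES) and host.endswith("." + domain):
            return domain, family
    return None


def scan(log_text: str):
    """Return one hit record per log line whose destination matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a production job would count these
        url = urlsplit(m["url"])
        host = (url.hostname or "").lower()
        port = url.port or (443 if url.scheme == "https" else 80)
        found = classify_host(host)
        if found is None:
            continue
        indicator, family = found
        hits.append({
            "ts": m["ts"], "src": m["src"], "host": host, "port": port,
            "indicator": indicator, "family": family,
            # Mozi downloads in the report used the high-port range; flag it separately.
            "port_in_range": family == "Mozi" and port in MOZI_PORTS,
        })
    return hits


if __name__ == "__main__":
    for h in scan(LOG_SAMPLE):
        note = " (Mozi high-port range)" if h["port_in_range"] else ""
        print(f"{h['ts']} {h['src']} -> {h['host']}:{h['port']} "
              f"[{h['family']}] via {h['indicator']}{note}")
```

The split between `DOMAIN_FAMILY` entries that may be matched as parents and those that must match exactly is the design point: matching `*.aliyuncs.com` or `*.amazonaws.com` would flag every tenant of those providers, whereas the ClearFake operators own the `.in.net` parents outright, so any new subdomain they rotate in is still caught.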