On April 8, 2026, threat intelligence monitoring identified 50 malicious URLs actively distributing malware, dominated by IoT botnet propagation and information-stealer delivery. Mozi botnet variants accounted for 28 URLs (56%), serving payloads for MIPS and ARM IoT devices, and an ACRStealer campaign delivered through ClearFake-style fake verification pages accounted for 18 URLs (36%), hosted on systematically named domains. The remaining URLs served Mirai variants, Amadey loader payloads, and NetSupport RAT. The IoT-focused activity reflects continued exploitation of vulnerable edge devices, while the stealer campaign relies on social engineering: a lure page that presents itself as a Google verification step. The devices serving Mozi payloads are spread across Asia and South America, consistent with a widely propagated peer-to-peer botnet rather than a small set of dedicated servers. Organizations should prioritize IoT device hardening, proxy-level and user-facing detection of ClearFake-style fake verification pages, and network-based detection for these malware families.
Fifty malicious URLs actively distributing multiple malware families, including Mozi botnet, ACRStealer (delivered via ClearFake lure pages), Mirai, Amadey, and NetSupport RAT.
18 URLs across four systematically named .in.net domains (epistemegrid.in.net, ontogenesiscore.in.net, axiologyflux.in.net, dialectrixengine.in.net) deliver ACRStealer through ClearFake-style lure pages. All use HTTPS and share the path '/05fe317c-0981-4de2-bc8a-930d369db441/verification.google'. Because the final path segment reads like a Google hostname, the full URL can pass for a Google verification page at a glance even though the host is an unrelated .in.net domain, and the valid TLS certificate issued for that domain adds to the illusion. Later variants on the same infrastructure also deliver NetSupport RAT.
28 active URLs serve Mozi botnet payloads for MIPS and ARM devices. Mozi is a DHT-based peer-to-peer botnet, so the serving hosts are themselves infected IoT devices rather than dedicated C2 servers; they sit in IP ranges in Asia (China, Taiwan, India) and South America (Brazil, Argentina). Payloads include a shell-script dropper (bin.sh) and ELF binaries for multiple architectures, consistent with automated, self-propagating infection.
Multiple URLs distribute Mirai botnet variants, including shell-script droppers and ARM ELF binaries. Infrastructure includes both compromised devices and dedicated servers (176.65.139.x range) that serve payloads only to requests carrying a wget User-Agent. Some URLs overlap with Mozi distribution, indicating that the same compromised devices are carrying more than one botnet at once.
Multiple URLs within the dialectrixengine.in.net and inferentiaforge.in.net domains deliver NetSupport RAT alongside the ClearFake lure, indicating that the stealer campaign has expanded to include remote access capabilities. An additional standalone ClearFake URL at nexuspatronage.digital uses query-parameter obfuscation.
One URL distributes an Amadey payload (0kEEdMR.exe) from dedicated infrastructure (85.239.147.6). Amadey is a loader whose role is to fetch and execute further malware, so this URL is the first stage of a multi-stage infection chain rather than the final payload.
Analysis of adversary infrastructure patterns reveals organized campaigns with distinct operational characteristics.
The threat actor operates at least 24 subdomains across the primary .in.net domains (the four listed above plus inferentiaforge.in.net) using highly systematic naming conventions (base-vault, sync-gate, grid-core, info-mesh, etc.) and identical URI paths. This pattern suggests automated domain generation or pre-registered infrastructure held in reserve for resilience against takedowns. Plausible-looking hostnames combined with a path ending in 'verification.google' make the URLs well suited to credential-theft social engineering. The shared path is also a reliable detection pivot: alert on the UUID segment and the 'verification.google' suffix regardless of hostname, and cluster hits by parent domain to surface new subdomains as they are brought online.
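The two points above (a fixed lure path reused across many hostnames, and subdomains that cluster under a handful of parent domains) translate directly into proxy-log detection logic. The following is an added example written for this page, not code from the original report or from any vendor tool. The log lines are constructed: the subdomain-to-domain pairings are assumed, as are the brand list and the set of multi-label suffixes used to derive a parent domain (the report only establishes that in.net is one of them).

```python
import re
from urllib.parse import urlsplit

# The fixed path the report observed on every URL in the cluster: a UUID
# segment followed by a final segment that imitates a Google hostname.
CLEARFAKE_PATH_RE = re.compile(
    r"^/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"/verification\.google$",
    re.IGNORECASE,
)

# Generic rule: a final path segment that reads like a brand hostname is a lure
# unless the real host belongs to that brand. Brand list is an assumption.
BRAND_DOMAINS = {
    "google": ("google.com", "google.co.uk"),
    "microsoft": ("microsoft.com", "live.com"),
    "apple": ("apple.com", "icloud.com"),
}
BRAND_SEGMENT_RE = re.compile(
    r"(?:^|[.-])(google|microsoft|apple)(?:\.com)?$", re.IGNORECASE
)

# Multi-label suffixes treated as one unit when deriving the parent domain.
# "in.net" is what the campaign uses; the others are assumptions.
MULTI_LABEL_SUFFIXES = {"in.net", "co.uk", "com.br"}

# Constructed sample proxy log: "timestamp client url". Not real telemetry;
# the subdomain/domain pairings are assumed.
SAMPLE_LOG = """\
2026-04-08T09:12:01Z 10.0.4.21 https://base-vault.epistemegrid.in.net/05fe317c-0981-4de2-bc8a-930d369db441/verification.google
2026-04-08T09:13:44Z 10.0.4.33 https://sync-gate.ontogenesiscore.in.net/05fe317c-0981-4de2-bc8a-930d369db441/verification.google
2026-04-08T09:15:02Z 10.0.7.10 https://accounts.google.com/signin/v2/identifier
2026-04-08T09:16:30Z 10.0.4.21 https://info-mesh.epistemegrid.in.net/05fe317c-0981-4de2-bc8a-930d369db441/verification.google
2026-04-08T09:18:11Z 10.0.9.5 https://cdn.example.org/static/app.js
"""


def parent_domain(host: str) -> str:
    """x.epistemegrid.in.net -> epistemegrid.in.net; x.example.org -> example.org."""
    labels = host.lower().split(".")
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_belongs_to(host: str, brand: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def classify_url(url: str) -> list[str]:
    """Return the reasons a URL looks like a ClearFake-style lure (empty if clean)."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path
    reasons = []
    if CLEARFAKE_PATH_RE.match(path):
        reasons.append("clearfake-template")
    last = path.rsplit("/", 1)[-1]
    m = BRAND_SEGMENT_RE.search(last)
    if m and not host_belongs_to(host, m.group(1).lower()):
        reasons.append(f"brand-in-path:{m.group(1).lower()}")
    return reasons


def analyze(log_text: str) -> dict:
    """Scan log lines; return alerts plus the number of distinct subdomains seen
    per flagged parent domain (the campaign's clustering signal)."""
    alerts, subdomains = [], {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url = line.split(None, 2)
        reasons = classify_url(url)
        if not reasons:
            continue
        host = urlsplit(url).hostname
        alerts.append({"ts": ts, "client": client, "host": host, "reasons": reasons})
        subdomains.setdefault(parent_domain(host), set()).add(host)
    clusters = {parent: len(hosts) for parent, hosts in subdomains.items()}
    return {"alerts": alerts, "clusters": clusters}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The template rule catches this specific campaign; the brand-in-path rule is the durable one, since the next cluster will likely reuse the trick with a different UUID or brand. The legitimate accounts.google.com request is not flagged because the brand check is applied to the host, not the path.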
Mozi operators rely on compromised IoT devices worldwide as distribution infrastructure, with 28 distinct IPs serving payloads from ephemeral high ports (32913-60516) rather than from port 80 or 443. The spread across Asia-Pacific and Latin America is consistent with automated exploitation of vulnerable IoT devices for propagation. Because each infected node is both a peer and a download server, there is no central host to take down, which complicates disruption efforts; the plain-HTTP downloads from bare IP addresses on high ports are, however, distinctive in proxy and firewall telemetry.
Multiple MITRE ATT&CK techniques identified across malware distribution and social engineering campaigns.
The ACRStealer/ClearFake campaign uses HTTPS domains with 'verification.google' as the final URI path segment to impersonate a Google authentication step. The lure trades on trust in Google branding and on the padlock that a valid TLS certificate for the attacker's own domain produces; that certificate proves only that the .in.net domain is controlled by whoever requested it, not that Google is involved. The payloads are information stealers and RATs targeting credentials and browser-stored sensitive data.
Mozi and Mirai campaigns distribute binaries compiled for multiple architectures (32-bit MIPS, 32-bit ARM), enabling compromise of heterogeneous IoT device fleets. Shell scripts (bin.sh) act as initial droppers that either determine the device architecture before downloading the matching binary, or fetch every variant and attempt to execute each until one runs. Triage of a fetched payload should therefore start with the ELF header, which states the class, endianness and target machine before any disassembly is needed.
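To make the multi-architecture point concrete, here is an added example (written for this page, not taken from the report or from any analysis tool) that classifies a fetched payload from its header alone: a shell-script dropper by its shebang, an ELF binary by class, endianness, type and e_machine. The sample inputs are constructed in the block with a small header builder; they are not bytes from any real Mozi or Mirai sample, and the entry addresses are merely typical values.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification (subset relevant to IoT payloads).
MACHINES = {
    3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 42: "SuperH",
    62: "x86-64", 183: "AArch64", 243: "RISC-V",
}
TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def identify_payload(data: bytes) -> dict:
    """Classify a payload as shell script, ELF (with class, endianness, type,
    machine, entry) or unknown, reading only the header."""
    if data.startswith(b"#!"):
        interp = data.split(b"\n", 1)[0][2:].strip().decode("ascii", "replace")
        return {"kind": "shell-script", "interpreter": interp}
    if not data.startswith(ELF_MAGIC):
        return {"kind": "unknown"}
    if len(data) < 6:
        return {"kind": "elf", "error": "truncated header"}
    ei_class, ei_data = data[4], data[5]          # 1=32-bit/2=64-bit, 1=LE/2=BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return {"kind": "elf", "error": "invalid EI_CLASS/EI_DATA"}
    endian = "<" if ei_data == 1 else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    fmt = endian + ("HHIIIIIHHHHHH" if ei_class == 1 else "HHIQQQIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        return {"kind": "elf", "error": "truncated header"}
    e_type, e_machine, _ver, e_entry = struct.unpack_from(fmt, data, 16)[:4]
    return {
        "kind": "elf",
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": TYPES.get(e_type, f"unknown({e_type})"),
        "machine": MACHINES.get(e_machine, f"unknown({e_machine})"),
        "entry": e_entry,
    }


def make_elf32_header(big_endian: bool, machine: int, entry: int) -> bytes:
    """Build a minimal 52-byte ELF32 header (constructed test data, not a real binary)."""
    endian = ">" if big_endian else "<"
    e_ident = ELF_MAGIC + bytes([1, 2 if big_endian else 1, 1, 0]) + b"\0" * 8
    # e_type=EXEC (what statically linked IoT bot binaries are), e_version=1,
    # program header table right after the 52-byte header, no section headers.
    rest = struct.pack(endian + "HHIIIIIHHHHHH",
                       2, machine, 1, entry, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    return e_ident + rest


# Constructed samples standing in for a big-endian MIPS payload, a little-endian
# ARM payload and a bin.sh dropper. None of these bytes come from real malware.
SAMPLE_MIPS_BE = make_elf32_header(True, 8, 0x400000)
SAMPLE_ARM_LE = make_elf32_header(False, 40, 0x8000)
SAMPLE_DROPPER = b"#!/bin/sh\ncd /tmp\n"


def triage(samples: dict) -> dict:
    """Run identify_payload over a name -> bytes mapping."""
    return {name: identify_payload(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, info in triage({"mips": SAMPLE_MIPS_BE, "arm": SAMPLE_ARM_LE,
                              "bin.sh": SAMPLE_DROPPER}).items():
        print(name, info)
```

Running this over a directory of payloads pulled from a dropper's download list gives an immediate architecture inventory, which tells you which device classes a campaign is built for and which samples to route to which emulation environment. Packed samples still carry a valid outer ELF header, so the classifier works on them as well; it just says nothing about what is inside.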
Multiple URLs carry the 'ua-wget' tag, meaning the server returns the payload only to requests that present a wget User-Agent, the client the botnets' own download stages use. This both matches the infection scripts' behaviour and withholds the payload from security researchers and crawlers that fetch with a browser User-Agent, so the URL looks dead to casual inspection. When validating such a URL from an isolated analysis host, send wget's own User-Agent string (or use wget itself); an error or empty response to a browser-style fetch does not mean the payload has been taken down.
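The Mirai and Mozi distribution traits described above (bare IP addresses as hosts, ephemeral high ports, dropper-style file names, and wget or curl User-Agents on the fetch) can be scored together in proxy telemetry. The following is an added example written for this page, not code from the report or from any product. The log lines are constructed: server addresses are RFC 5737 documentation ranges rather than the real infrastructure, the tab-separated field layout is assumed, and the list of architecture file names and the alert threshold are assumptions to tune locally.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed proxy log (tab-separated: time, client, method, url, user-agent,
# status). Server IPs are documentation addresses; port 32913 and the file
# names follow the patterns the report describes.
SAMPLE_LOG = "\n".join([
    "2026-04-08T10:01:13Z\t10.0.12.7\tGET\thttp://203.0.113.45:32913/bin.sh\tWget/1.21.4\t200",
    "2026-04-08T10:01:15Z\t10.0.12.7\tGET\thttp://203.0.113.45:32913/mips\tWget/1.21.4\t200",
    "2026-04-08T10:02:40Z\t10.0.3.9\tGET\thttp://198.51.100.23/arm7\tcurl/8.5.0\t200",
    "2026-04-08T10:03:05Z\t10.0.5.2\tGET\thttps://downloads.example.org/tool.sh\tMozilla/5.0\t200",
    "2026-04-08T10:04:22Z\t10.0.5.2\tGET\thttp://203.0.113.99:8080/api/status\tMozilla/5.0\t200",
])

DOWNLOADER_UA_RE = re.compile(r"^(Wget|curl)/", re.IGNORECASE)
# Names IoT droppers commonly give per-architecture binaries (assumed list).
ARCH_NAMES = {"mips", "mipsel", "mpsl", "arm", "arm5", "arm6", "arm7", "armv7l",
              "x86", "i586", "i686", "x86_64", "ppc", "sh4", "m68k", "sparc"}
ALERT_THRESHOLD = 3   # number of matched traits required to alert (assumed)


def is_bare_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def score_request(url: str, user_agent: str) -> tuple[int, list[str]]:
    """Score one request for IoT-dropper traits; each matched trait is one point."""
    parts = urlsplit(url)
    host, port = parts.hostname or "", parts.port
    name = parts.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if is_bare_ip(host):
        reasons.append("bare-ip-host")
    if port is not None and port not in (80, 443):
        reasons.append(f"nonstandard-port:{port}")
    if DOWNLOADER_UA_RE.match(user_agent):
        reasons.append("downloader-ua")
    if name.endswith(".sh") or name in ARCH_NAMES:
        reasons.append(f"dropper-filename:{name}")
    return len(reasons), reasons


def detect(log_text: str, threshold: int = ALERT_THRESHOLD) -> list[dict]:
    """Return the requests whose trait score reaches the threshold."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, ua, _status = line.split("\t")
        score, reasons = score_request(url, ua)
        if score >= threshold:
            alerts.append({"ts": ts, "client": client, "url": url,
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A single trait is weak on its own (plenty of legitimate tooling fetches .sh files with curl), which is why the example scores rather than matches: the two Mozi-style fetches and the Mirai-style fetch reach the threshold, while the legitimate script download and the unrelated high-port API call do not. The internal client that fetched bin.sh and then an architecture-named binary from the same high port is the host to pull for forensics.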