On April 9, 2026, threat intelligence sources detected 50 malicious URLs associated with active malware distribution campaigns. The dominant threats observed include Mozi botnet activity targeting IoT devices, ClearFake social engineering campaigns distributing NetSupport RAT and ACRStealer, and commodity malware delivery infrastructure. The majority of malicious activity involves IoT-focused botnet operations serving payloads built for MIPS and ARM devices, indicating continued targeting of vulnerable routers, cameras, and embedded systems. Additionally, a ClearFake campaign spread across subdomains of several domains (excellsadarma.in.net, noospherecore.in.net, gnosticvector.in.net, epistemiconflux.in.net, assyrfantasy.in.net) points to an organized social engineering operation designed to deliver remote access tools and credential stealers.
The Mozi botnet remains highly active, with 33 distinct URLs serving ELF binaries for MIPS and ARM architectures, a persistent threat to unpatched IoT infrastructure. The ClearFake campaign relies on social engineering, most likely fake software update prompts, to trick users into downloading NetSupport RAT and ACRStealer. One Amadey dropper instance was also detected, indicating that commodity malware-as-a-service operations continue to use compromised infrastructure for secondary payload delivery.
Organizations should prioritize patching IoT devices, implementing network segmentation for embedded systems, and enhancing user awareness training focused on fake update prompts. Network defenders should monitor for connections to the identified malicious domains and implement blocking at perimeter security controls.
Multiple active malware families detected with distinct distribution infrastructure, including IoT botnets, remote access tools, and credential stealers.
33 URLs detected serving Mozi botnet payloads compiled for MIPS and ARM architectures. Targets include routers, IP cameras, and other IoT devices. Distribution uses already-compromised devices as hosting infrastructure, located on various ISPs primarily in the Asia-Pacific region.
17 URLs across five domains (excellsadarma.in.net, noospherecore.in.net, gnosticvector.in.net, epistemiconflux.in.net, assyrfantasy.in.net) hosting ClearFake social engineering infrastructure. Campaign delivers NetSupport RAT for remote access and ACRStealer for credential harvesting. Infrastructure uses subdomain patterns suggesting automated generation and rotation.
Amadey malware dropper detected at 85.239.147.6 serving executable payload (fbf543). Amadey is a commodity malware loader often used to deploy additional payloads including ransomware, stealers, and banking trojans.
Analysis of observed adversary behaviors and technical methods employed in today's malware campaigns.
Mozi botnet operators continue exploiting known vulnerabilities in IoT devices to build distributed botnets. The use of architecture-specific ELF binaries (MIPS, ARM) shows that payloads are built per CPU family to cover the range of embedded devices in scope. Shell script downloaders, which fetch and execute the binary on the victim device, give the infection chain multiple stages.
ClearFake campaigns use fake update prompts to deceive users into executing malicious payloads. The technique exploits user trust in legitimate software update processes. Multi-domain infrastructure provides redundancy and complicates takedown efforts.
Assessment of adversary infrastructure patterns and operational behaviors observed during the reporting period.
Five domains with similar subdomain naming patterns (best-node, test-svc, story-gate, magic-hub, mind-sync, etc.) suggest centrally managed infrastructure. The consistent naming and DNS hygiene point to an organized threat actor or affiliate network with the resources for bulk domain registration and DNS management. UUID-style URL paths are consistent with per-session tracking and victim identification.
Compromised IoT devices serving malware payloads indicate the peer-to-peer distribution model typical of Mozi operations. Geographic distribution across multiple ISPs suggests successful propagation and persistence within consumer and small business networks.
Actionable guidance for security teams to detect, investigate, and respond to observed threats.
Implement DNS and web proxy blocks for the identified malicious domains: excellsadarma.in.net, noospherecore.in.net, gnosticvector.in.net, epistemiconflux.in.net, assyrfantasy.in.net. Monitor DNS logs for the same hyphenated two-word subdomain pattern (best-node, story-gate, magic-hub, etc.) on other domains, and for UUID-style paths in web proxy logs. Enhance email and web gateway filtering for fake update social engineering.
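The following is an added hunting example, not tooling from the report's authors: it scans constructed DNS query log lines for the five ClearFake domains listed above, flags other .in.net hosts whose leftmost label follows the hyphenated two-word style noted in the infrastructure assessment, and checks a URL path for a UUID-style segment. The log format (timestamp, client IP, query name, record type), the sample client addresses, the host unrelateddomain.in.net and the example UUID are all assumptions constructed for the demonstration; the pattern regexes are heuristics and will need tuning against your own DNS baseline.

```python
import re
from urllib.parse import urlsplit

# The five ClearFake domains named in this report.
CLEARFAKE_DOMAINS = {
    "excellsadarma.in.net",
    "noospherecore.in.net",
    "gnosticvector.in.net",
    "epistemiconflux.in.net",
    "assyrfantasy.in.net",
}

# Heuristic (an assumption): two short lowercase words joined by a hyphen,
# matching the observed labels best-node, test-svc, story-gate, magic-hub, mind-sync.
LABEL_RE = re.compile(r"^[a-z]{3,8}-[a-z]{3,8}$")
# Lowercase 8-4-4-4-12 hex, the textual form of a UUID.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def classify_fqdn(fqdn):
    """Return a verdict string for a queried name, or None if nothing matched."""
    fqdn = fqdn.rstrip(".").lower()
    for domain in CLEARFAKE_DOMAINS:
        if fqdn == domain or fqdn.endswith("." + domain):
            return "known_clearfake_domain"
    labels = fqdn.split(".")
    # Same naming style under a different .in.net registration: worth a look, not a block.
    if len(labels) >= 4 and labels[-2:] == ["in", "net"] and LABEL_RE.match(labels[0]):
        return "suspicious_subdomain_pattern"
    return None


def classify_url(url):
    """Return (fqdn verdict, whether any path segment is a UUID)."""
    parts = urlsplit(url)
    verdict = classify_fqdn(parts.hostname or "")
    segments = [s for s in parts.path.split("/") if s]
    has_uuid = any(UUID_RE.match(s) for s in segments)
    return verdict, has_uuid


def hunt(log_lines):
    """Return (client, query, verdict) for every log line that matches."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; skip rather than crash the hunt
        client, query = fields[1], fields[2]
        verdict = classify_fqdn(query)
        if verdict:
            hits.append((client, query, verdict))
    return hits


# Constructed sample log (not real telemetry): timestamp, client IP, query name, record type.
SAMPLE_DNS_LOG = """\
2026-04-09T08:01:12Z 10.20.4.31 www.example.com A
2026-04-09T08:01:15Z 10.20.4.31 best-node.excellsadarma.in.net A
2026-04-09T08:02:40Z 10.20.7.9 story-gate.noospherecore.in.net A
2026-04-09T08:03:02Z 10.20.7.9 magic-hub.unrelateddomain.in.net A
2026-04-09T08:04:55Z 10.20.9.2 updates.microsoft.com A
"""

if __name__ == "__main__":
    for client, query, verdict in hunt(SAMPLE_DNS_LOG.splitlines()):
        print(f"{client}\t{query}\t{verdict}")
```

Known-domain hits are block candidates; pattern-only hits are triage candidates, since a hyphenated label alone is not proof of ClearFake infrastructure. Feed the client IPs from the hits into the NetSupport and ACRStealer host checks in the endpoint guidance below.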
Implement network segmentation isolating IoT devices from critical systems. Deploy firmware updates for routers and IP cameras. Monitor for unusual outbound connections from IoT devices to random high ports. Block ELF binary downloads on IoT network segments.
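As an added example (not from the report), the check below shows what an inline download inspector on an IoT segment needs to recognise to enforce the "block ELF downloads" control above and to spot the MIPS/ARM builds described in the Mozi TTP section. It parses the ELF identification bytes and the e_machine field, blocks any ELF fetched on an IoT segment, and flags an embedded-architecture ELF fetched from a non-IoT segment as anomalous. The sample headers are constructed in the script (20-byte header prefixes, not real Mozi samples); the segment names "iot" and "workstation" and the verdict strings are assumptions for the demonstration.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification.
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
EMBEDDED_ARCHES = {"MIPS", "ARM", "AArch64"}


def parse_elf_header(data):
    """Return (bits, byte order, machine name) or None if data is not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]      # EI_CLASS: 1=32-bit 2=64-bit; EI_DATA: 1=LE 2=BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    fmt = "<H" if ei_data == 1 else ">H"
    (e_machine,) = struct.unpack_from(fmt, data, 18)   # e_machine sits at offset 18 for both classes
    return (
        32 if ei_class == 1 else 64,
        "LE" if ei_data == 1 else "BE",
        EM_NAMES.get(e_machine, f"unknown({e_machine})"),
    )


def scan_download(data, segment):
    """Decide what to do with a downloaded body on a given network segment.

    Returns (action, architecture). Actions (assumed names): "block", "flag", "allow".
    """
    header = parse_elf_header(data)
    if header is None:
        return "allow", None           # not ELF; other controls apply
    arch = header[2]
    if segment == "iot":
        return "block", arch           # the report's control: no ELF downloads on IoT segments
    if arch in EMBEDDED_ARCHES:
        return "flag", arch            # MIPS/ARM binary pulled by a non-IoT host is unusual
    return "allow", arch


def make_header(ei_class, ei_data, e_machine):
    """Build a minimal 20-byte ELF header prefix for the constructed samples below."""
    fmt = "<H" if ei_data == 1 else ">H"
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1]) + b"\x00" * 9   # bytes 0..15
    return ident + struct.pack(fmt, 2) + struct.pack(fmt, e_machine)  # e_type=EXEC, e_machine


# Constructed samples, not real malware: MIPS big-endian, ARM little-endian, x86-64, and a PE stub.
SAMPLES = {
    "mips_be": make_header(1, 2, 8),
    "arm_le": make_header(1, 1, 40),
    "x86_64": make_header(2, 1, 62),
    "pe": b"MZ\x90\x00" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, parse_elf_header(body), scan_download(body, "iot"), scan_download(body, "workstation"))
```

The header check is deliberately cheap so it can run on the first packet of a response; it does not defeat packers or transfers that deliver the binary in pieces, which is why the segmentation and egress monitoring above remain the primary controls.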
Hunt for unauthorized NetSupport Manager installations. Review application allowlisting policies to prevent execution of unexpected remote administration tools. Monitor for NetSupport network connections to non-corporate infrastructure. Investigate processes communicating with the identified malicious domains and, on hosts that contacted them, check for ACRStealer activity such as access to browser credential stores.