On April 10, 2026, threat intelligence monitoring identified 49 malicious URLs actively distributing malware, with no CVE vulnerabilities, KEV entries, or infrastructure seizures reported for this date. The threat landscape shows sustained activity from IoT-targeting botnets and browser-based malware campaigns. ClearFake campaigns continue to leverage fake browser update social engineering to deliver NetSupport RAT, while Mozi and Mirai botnets maintain aggressive scanning and exploitation of IoT devices. Additionally, Amadey downloader infrastructure remains active, delivering secondary payloads including potentially information-stealing malware.
The predominant threats involve exploitation of weak IoT device security (likely targeting default credentials and unpatched vulnerabilities) and user-targeted social engineering attacks. Organizations should prioritize IoT device hardening, network segmentation, and user awareness training focused on fake update scams. The continued presence of Mozi botnet activity is notable given previous law enforcement disruptions, suggesting either residual infrastructure or reconstitution efforts.
Multiple malware families were observed with active distribution infrastructure, targeting both end users and IoT devices.
At least 20 malicious URLs were identified using the ClearFake social engineering framework to deliver the NetSupport remote access trojan. The domains follow a common pattern across the 'dialectraflux.in.net', 'inferlogic.in.net', 'dreswaoaky.in.net', 'makemicrophone.in.net', and 'citizenconjunct.in.net' infrastructure. The attack chain likely involves fake browser update prompts shown on compromised websites.
18 URLs were identified serving Mozi botnet variants targeting MIPS and ARM architectures. The infrastructure uses high-numbered ports (37162-60968) on compromised IoT devices across Asian IP ranges. Mozi continues operations despite previous takedown efforts, exploiting weak telnet credentials and unpatched vulnerabilities on routers and IoT devices.
Multiple payloads (96f9Qz3.exe, jagqzHE.exe, WjRZCsK.exe) hosted on IP 85.239.147.6 were identified as Amadey downloader second-stage payloads. Tags include 'fbf543' (likely a campaign identifier) and 'c2-monitor-auto'. Amadey typically delivers information stealers and other malware families.
7 URLs were observed delivering Mirai malware variants via shell scripts and binary payloads. The distribution servers are located on compromised infrastructure in Asian IP space and target vulnerable IoT devices for DDoS botnet recruitment.
Multiple Gafgyt (also known as BASHLITE) variants were distributed from 94.156.152.67:83, including x86 ELF binaries (manji.x86, manji.dbg) and an XML configuration file. The URLs carry the 'opendir' (open directory hosting) and 'ua-wget' (wget-based retrieval) tags, reflecting the propagation techniques in use.
Observed tactics, techniques, and infrastructure patterns from active malware campaigns.
The ClearFake framework continues to be a highly effective attack vector, using compromised legitimate websites to display fake Chrome/browser update prompts. Users are tricked into downloading and executing the NetSupport RAT. This technique bypasses many technical controls because it relies on user interaction rather than a software vulnerability.
Botnet operators continue mass exploitation of IoT devices through automated scanning, brute-force credential attacks, and exploitation of known vulnerabilities. Compromised devices are then used to distribute malware, creating self-sustaining infrastructure. The use of high-numbered ports suggests an attempt to evade basic firewall rules.
Observed malware samples were compiled for multiple architectures (MIPS, ARM, x86), indicating broad targeting of diverse IoT and embedded device types including routers, cameras, DVRs, and other network-connected devices.
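As an added defender-side example (not part of this report), the following Python triage script applies the pattern described above, per-architecture payload binaries fetched from the IoT segment over non-standard ports, to a few constructed proxy-style log lines; the log format, the 10.50.0.0/16 IoT VLAN and the TEST-NET addresses are assumptions made for the example.

```python
"""Triage constructed proxy/NDR log lines for IoT-botnet payload fetches.
Heuristic from the report: Mozi, Mirai and Gafgyt stage per-architecture builds
(mips, arm, x86) on compromised devices over non-standard ports. Flag downloads
from the IoT segment matching more than one indicator. Hypothetical log format,
constructed for this example:  ts src dst:port method uri mime"""
import ipaddress

IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")  # assumed IoT VLAN
STANDARD_WEB_PORTS = {80, 443, 8080, 8443}
ARCH_MARKERS = ("mips", "mpsl", "arm", "x86", "i686", "sh4", "ppc", "m68k")
BINARY_MIMES = {"application/x-executable", "application/octet-stream"}

def parse_line(line):
    """Split one log line into a record; port is parsed from 'dst:port'."""
    ts, src, dst_port, method, uri, mime = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "method": method, "uri": uri, "mime": mime}

def score(rec):
    """Return the indicators a record matches (empty if src is not in the IoT VLAN)."""
    if ipaddress.ip_address(rec["src"]) not in IOT_SEGMENT:
        return []
    reasons = []
    if rec["port"] not in STANDARD_WEB_PORTS:
        reasons.append("nonstandard_port")
    name = rec["uri"].rsplit("/", 1)[-1].lower()   # last path component
    if name.endswith(".sh") or any(m in name for m in ARCH_MARKERS):
        reasons.append("arch_named_payload")       # e.g. manji.x86, dropper.sh
    if rec["mime"] in BINARY_MIMES:
        reasons.append("binary_mime")
    return reasons

def triage(lines, min_reasons=2):
    """Return (src, dst, port, uri, reasons) for lines with >= min_reasons; two keeps 'arm' in a benign name from alerting alone."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        reasons = score(rec)
        if len(reasons) >= min_reasons:
            hits.append((rec["src"], rec["dst"], rec["port"], rec["uri"], reasons))
    return hits

# Constructed sample: TEST-NET addresses, payload names modelled on the report.
SAMPLE = [
    "2026-04-10T03:12:07Z 10.50.3.21 203.0.113.44:52119 GET /bins/mozi.mips application/octet-stream",
    "2026-04-10T03:15:40Z 10.50.7.9 198.51.100.8:83 GET /manji.x86 application/x-executable",
    "2026-04-10T03:20:01Z 10.50.2.2 198.51.100.20:443 GET /firmware/update.json application/json",
    "2026-04-10T03:21:15Z 10.10.4.4 203.0.113.44:52119 GET /bins/mozi.mips application/octet-stream",
]
```

Run `triage(SAMPLE)` to see the two IoT-segment fetches flagged; the same download from a non-IoT host and the routine firmware JSON fetch are left alone.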