On April 11, 2026, malware distribution infrastructure remained highly active with 52 malicious URLs identified across multiple threat categories. The threat landscape was dominated by two primary campaigns: widespread abuse of ConnectWise ScreenConnect remote management tools and ClearFake/NetSupport social engineering attacks. Additionally, cryptocurrency mining operations, Mozi botnet activity, and Amadey dropper campaigns were observed. The concentration of ScreenConnect abuse across multiple IP addresses suggests coordinated infrastructure for remote access trojan deployment, while the ClearFake campaign demonstrates continued evolution of browser-based social engineering tactics. Organizations should prioritize detection of unauthorized remote management tool installations and strengthen browser security controls.
Thirteen malicious URLs distributing ConnectWise ScreenConnect installers were identified across multiple IP addresses, indicating systematic abuse of legitimate remote management software for unauthorized access.
Attackers are distributing ScreenConnect client installers (.exe and .msi) from IP addresses 94.154.32.x, 195.177.94.x, and 104.249.10.37. This pattern indicates abuse of legitimate remote management software for establishing persistent remote access to compromised systems.
Seventeen URLs were identified distributing the NetSupport RAT through the ClearFake fake-browser-update social engineering framework, spread across multiple domains.
Multiple subdomains under predestincent.in.net, flamesre5ent.in.net, and particulscoop.in.net are hosting ClearFake infrastructure distributing NetSupport remote access tools. This campaign uses fake browser update prompts to trick users into downloading malware.
Active cryptomining campaign distributing miners and scanner tools from open directory server.
An open directory at 77.110.96.200 hosts cryptocurrency mining malware (lmm.gz, xmr.gz), deployment scripts (ghost.sh, min1.sh), and Python scanning tools. The presence of scanner tools suggests automated victim identification capabilities.
Multiple IP addresses distributing Mozi botnet payloads targeting MIPS-based IoT devices.
Six distinct IP addresses (182.119.69.113, 42.235.80.228, 123.4.144.180, 110.37.120.17, 125.44.254.245) distributing 32-bit MIPS ELF binaries associated with Mozi botnet. Targets include routers and other IoT devices with vulnerable architectures.
Infrastructure at 85.239.147.6 distributing secondary payloads via Amadey botnet dropper.
The server at 85.239.147.6 hosts executable payloads (Ew8thEw.exe, random.exe, z69rt8Z.exe) delivered by the Amadey botnet. These represent second-stage malware installations that follow the initial compromise.
Analysis of observed delivery techniques and infrastructure patterns.
Both ConnectWise ScreenConnect and NetSupport represent legitimate remote management tools being systematically abused for malicious purposes. Organizations should implement strict whitelisting for remote administration tools and monitor for unauthorized installations.
Threat actors continue to leverage open directories for malware hosting, which supports automated deployment scripts and gives the operators visibility into download attempts. The 77.110.96.200 server exemplifies this technique, with multiple tools and payloads openly accessible.
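To make the two recommendations above concrete (monitoring for unauthorized remote-management installers, and watching for traffic to the reported hosting infrastructure), here is an added example, not part of the original report, that sweeps proxy log lines for the indicators this report names. The log format, the client IPs, the file names and the allowlisted host rmm.corp.example are all assumptions constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators from the report: ScreenConnect hosts (the two x-ranges as /24s),
# the open directory, the Amadey server and the Mozi distribution IPs.
REPORTED_NETS = [ipaddress.ip_network(n) for n in (
    "94.154.32.0/24", "195.177.94.0/24", "104.249.10.37", "77.110.96.200",
    "85.239.147.6", "182.119.69.113", "42.235.80.228", "123.4.144.180",
    "110.37.120.17", "125.44.254.245")]
CLEARFAKE_DOMAINS = ("predestincent.in.net", "flamesre5ent.in.net",
                     "particulscoop.in.net")
# RMM installers should come only from an approved source (allowlist host is a hypothetical placeholder).
RMM_INSTALLER = re.compile(r"(screenconnect|netsupport)[^/]*\.(exe|msi)$", re.I)
APPROVED_RMM_HOSTS = {"rmm.corp.example"}

def classify(url):
    """Return the reasons a downloaded URL is suspicious (empty if none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    try:
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in REPORTED_NETS):
            reasons.append("reported-infrastructure")
    except ValueError:  # a hostname rather than an IP literal
        if any(host == d or host.endswith("." + d) for d in CLEARFAKE_DOMAINS):
            reasons.append("clearfake-domain")
    if RMM_INSTALLER.search(parsed.path) and host not in APPROVED_RMM_HOSTS:
        reasons.append("unapproved-rmm-installer")
    return reasons

def scan_proxy_log(lines):
    """Return (client, url, reasons) for lines '<ts> <client> <method> <url> <status>' that trip a rule."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the sweep
        reasons = classify(fields[3])
        if reasons:
            hits.append((fields[1], fields[3], reasons))
    return hits

# Constructed sample log; client IPs and file names are made up.
SAMPLE_LOG = """\
2026-04-11T09:12:03Z 10.0.0.5 GET http://94.154.32.10/Bin/ScreenConnect.ClientSetup.exe 200
2026-04-11T09:13:40Z 10.0.0.7 GET https://cdn.predestincent.in.net/update.msi 200
2026-04-11T09:14:02Z 10.0.0.9 GET http://rmm.corp.example/ScreenConnect.Client.msi 200
2026-04-11T09:15:17Z 10.0.0.5 GET http://77.110.96.200/ghost.sh 200
""".splitlines()
```

An installer fetched from the approved RMM host produces no hit, while the same file name from a reported range is flagged twice, which is the behaviour an allowlist-plus-indicator rule should have.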