On April 12, 2026, threat intelligence monitoring detected 50 malicious URLs actively distributing multiple malware families, with no CVE disclosures, KEV additions, or law enforcement actions reported. The threat landscape was dominated by ClearFake social engineering campaigns delivering NetSupport RAT, IoT-targeted botnets (Mozi, Mirai, Kaiji), and cryptomining operations. ClearFake campaigns used many subdomains spread across four infrastructure clusters (brinoxal.in.net, vexu3larn.in.net, dravonix.in.net, plor9vexi.in.net), indicating coordinated, centrally managed distribution infrastructure.
The IoT malware distribution infrastructure exhibited characteristics of automated exploitation frameworks targeting embedded Linux systems across multiple architectures (ARM, MIPS, x86_64, aarch64). Mozi botnet activity remained persistent with active command-and-control nodes, while Kaiji botnet infrastructure expanded with new distribution servers. Cryptomining campaigns leveraged exploits for CVE-2017-6074 (a local privilege-escalation flaw in the Linux kernel's DCCP implementation, patched in 2017) and targeted diverse processor architectures, suggesting attempts to maximize infected device coverage. Because CVE-2017-6074 is a local vulnerability, its presence in a payload implies the operators already obtain initial code execution by other means and use the exploit to gain root on unpatched kernels.
Organizations should prioritize detection of ClearFake social engineering tactics, implement network-level blocking of the identified malicious domains (at the parent-domain level, since the campaign rotates subdomains under each cluster), and ensure IoT/embedded devices are segregated with appropriate access controls. The absence of public vulnerability disclosures suggests threat actors are leveraging existing attack vectors rather than zero-day exploits during this period.
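The following is an added example (not part of the original report) showing one way to act on the recommendation above: match DNS query logs against the four ClearFake cluster parents named in the report using a label-boundary suffix match, so that any newly rotated subdomain is caught, and emit BIND RPZ-style sink records for a resolver. The log lines and client addresses are constructed, and the assumption that the reader's resolver consumes RPZ zones is mine.

```python
"""Suffix-match DNS query names against the ClearFake cluster parents
from the report and emit parent-level block rules.  Added example; the
log lines below are constructed sample data, not real telemetry."""
import re
from typing import Iterable, Optional

# Parent domains of the four infrastructure clusters named in the report.
CLEARFAKE_CLUSTERS = {
    "brinoxal.in.net",
    "vexu3larn.in.net",
    "dravonix.in.net",
    "plor9vexi.in.net",
}


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so FQDN forms compare equal."""
    return name.strip().rstrip(".").lower()


def matches_cluster(name: str, clusters=CLEARFAKE_CLUSTERS) -> Optional[str]:
    """Return the cluster parent that `name` falls under, or None.

    The match is on a label boundary: 'x.brinoxal.in.net' and
    'brinoxal.in.net' match, but 'notbrinoxal.in.net' does not.
    """
    n = normalize(name)
    for parent in clusters:
        if n == parent or n.endswith("." + parent):
            return parent
    return None


# Constructed sample log in a simple "timestamp client qname qtype" layout.
SAMPLE_DNS_LOG = """\
2026-04-12T09:14:03Z 10.0.5.21 solcoreal9.brinoxal.in.net A
2026-04-12T09:14:05Z 10.0.5.21 cdn.example.com A
2026-04-12T09:15:11Z 10.0.7.8 vor-coreum.vexu3larn.in.net A
2026-04-12T09:15:12Z 10.0.7.8 notbrinoxal.in.net A
2026-04-12T09:16:40Z 10.0.9.3 DRAVONIX.IN.NET. AAAA
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_dns_log(lines: Iterable[str]) -> list:
    """Return one hit dict per query that resolves under a cluster parent."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, qname, _qtype = m.groups()
        parent = matches_cluster(qname)
        if parent:
            hits.append({"ts": ts, "client": client,
                         "qname": normalize(qname), "cluster": parent})
    return hits


def rpz_rules(clusters=CLEARFAKE_CLUSTERS) -> list:
    """Emit BIND RPZ records (relative to the policy zone) that return
    NXDOMAIN for each parent and, via the wildcard, every subdomain."""
    rules = []
    for parent in sorted(clusters):
        rules.append(f"{parent} CNAME .")
        rules.append(f"*.{parent} CNAME .")
    return rules


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(hit)
    print("\n".join(rpz_rules()))
```

Blocking only the individual subdomains listed in a daily report leaves a gap the next time the operators rotate labels; the apex plus wildcard pair covers the whole cluster, and the label-boundary check avoids false positives on unrelated names that merely end in the same string.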
Coordinated ClearFake campaign distributing NetSupport RAT through fake browser update pages across multiple domains
Multiple subdomains of brinoxal.in.net delivering ClearFake fake update pages leading to NetSupport RAT installation. Subdomain labels include solcoreal9, velv0-sync, 7mpydp, and va1ue-hinge, all serving identical payload paths.
Six subdomains of vexu3larn.in.net (vor-coreum, stolively, rnacro-layer, brandquo, zencore2en, y26me) serving ClearFake social engineering pages with NetSupport RAT payloads.
Seven subdomains of dravonix.in.net and plor9vexi.in.net continuing ClearFake campaign operations. The consistent payload structure across all four clusters indicates centrally managed distribution infrastructure.
Active distribution of Mozi, Mirai, and Kaiji botnet malware targeting Linux-based IoT devices across multiple architectures
Multiple IP addresses (182.116.112.142, 125.160.188.11, 115.48.19.207, 123.132.157.222, 180.244.9.195) actively distributing Mozi botnet payloads via bin.sh downloader scripts that fetch the architecture-specific binary, targeting ARM and MIPS architectures on IoT devices.
Two distribution servers (176.65.149.237, s3.mgirbvre.top:8888) hosting Kaiji botnet binaries for 10+ architectures including AMD64, ARM variants, MIPS variants, and aarch64, indicating comprehensive targeting of diverse embedded systems.
The wzjc.ipwz.online domain distributing Melofee ELF malware with an accompanying shell script installer targeting Linux systems.
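When a distribution server such as the Kaiji hosts above serves a binary per architecture, the first triage step is to sort the drop by target platform before choosing an emulator or sandbox. The following is an added example (not from the report or from any of the malware authors) that classifies files by reading the ELF identification bytes and e_machine field; the "drop directory" is constructed from minimal synthetic headers, not real samples, and the file names are illustrative.

```python
"""Sort a multi-architecture malware drop by reading the ELF header.
Added example; SAMPLE_DROP below is constructed from synthetic
20-byte header prefixes, not from real Kaiji or Mozi binaries."""
import struct
from typing import Optional

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF specification for the architectures the
# report mentions.  Anything else is reported as unknown with its raw value.
E_MACHINE = {
    0x03: "x86",
    0x08: "mips",
    0x28: "arm",
    0x3E: "x86_64",
    0xB7: "aarch64",
}


def elf_arch(data: bytes) -> Optional[dict]:
    """Return bits/endianness/machine/type for an ELF blob, or None if
    the data is not a well-formed ELF header prefix."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]          # ELFCLASS32/64, ELFDATA2LSB/MSB
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine are the two 16-bit fields right after e_ident.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": E_MACHINE.get(e_machine, f"unknown(0x{e_machine:x})"),
        "type": {2: "EXEC", 3: "DYN"}.get(e_type, str(e_type)),
    }


def make_header(ei_class: int, ei_data: int, e_machine: int, e_type: int = 2) -> bytes:
    """Build a minimal ELF header prefix (constructed test data only)."""
    endian = "<" if ei_data == 1 else ">"
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1]) + b"\x00" * 9  # 16 bytes
    return ident + struct.pack(endian + "HH", e_type, e_machine)


# Constructed drop directory: file name -> leading bytes of the file.
SAMPLE_DROP = {
    "kaiji.arm7":    make_header(1, 1, 0x28),   # 32-bit little-endian ARM
    "kaiji.mips":    make_header(1, 2, 0x08),   # 32-bit big-endian MIPS
    "kaiji.mpsl":    make_header(1, 1, 0x08),   # 32-bit little-endian MIPS
    "kaiji.x86_64":  make_header(2, 1, 0x3E),
    "kaiji.aarch64": make_header(2, 1, 0xB7),
    "bin.sh":        b"#!/bin/sh\ncd /tmp\n",    # downloader script, not ELF
}


def triage(drop: dict) -> dict:
    """Group file names by an 'arch-bits+endian' key; non-ELF files go
    under 'not-elf' so scripts and droppers are not silently skipped."""
    groups: dict = {}
    for name, head in drop.items():
        info = elf_arch(head)
        if info is None:
            key = "not-elf"
        else:
            key = f"{info['machine']}-{info['bits']}{info['endian'][0]}e"
        groups.setdefault(key, []).append(name)
    return groups


if __name__ == "__main__":
    for key, names in sorted(triage(SAMPLE_DROP).items()):
        print(f"{key:14s} {', '.join(names)}")
```

Endianness is read from e_ident before unpacking e_machine, which is what distinguishes the mips and mpsl builds that IoT droppers commonly ship side by side; a parser that assumes little-endian would misread the big-endian MIPS header.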
Active cryptomining operations leveraging CVE-2017-6074 exploits and multi-architecture coinminer distribution
Server 64.89.163.182 distributing an ELF payload exploiting CVE-2017-6074 (a double-free in the Linux kernel's DCCP implementation, exploitable by a local user to obtain root) to escalate privileges and establish persistent access. The exploit only works on kernels that never received the 2017 fix, and it presupposes an existing foothold on the host.
Server 46.151.182.82 hosting cryptominer ELF binaries for aarch64, ARMv7, and x86_64 architectures, enabling broad device compromise for cryptocurrency mining operations.
Server 85.239.147.6 distributing executable payloads identified as second-stage drops of the Amadey loader, indicating an ongoing infection chain from previously compromised systems.
Multiple servers (103.232.213.24, wzjc.ipwz.online) distributing shell scripts for automated malware deployment and system reconnaissance.