On April 13, 2026, the primary threat activity consisted of widespread malware distribution campaigns targeting IoT devices and end-user systems. Analysis of 51 malicious URLs reveals two distinct attack patterns: a large-scale Mirai botnet campaign distributing multi-architecture payloads from compromised infrastructure, and an ongoing ClearFake social engineering operation delivering remote access trojans. The Mirai activity demonstrates sophisticated cross-platform targeting with binaries compiled for 17 different architectures, indicating preparation for mass IoT device compromise. Additionally, the Mozi botnet variant continues to propagate through vulnerable network devices across multiple geographic regions.
The ClearFake campaign employed fake browser update prompts to distribute GuLoader and NetSupport RAT payloads through multiple rotating domains. This represents a continuation of established threat actor TTPs leveraging social engineering to bypass technical controls. No critical vulnerabilities, law enforcement actions, or significant policy changes were reported during this period. Organizations should prioritize IoT security hardening, network segmentation, and user awareness training focused on fake update scams.
Coordinated distribution of Mirai malware variants targeting diverse IoT device architectures from multiple command and control servers
Distribution server at 43.228.157.127 hosting Mirai 'TitanJr' variant compiled for 17 different architectures including ARM (5/6/7), MIPS, x86 (32/64-bit), i486, i686, m68k, ARC, and SPARC. Multiple download paths (/huhu/ and root) suggest redundancy for payload delivery.
Server at 46.151.182.82 distributing cryptocurrency mining malware targeting i686 architecture Linux systems, likely exploiting vulnerable IoT devices for cryptojacking operations.
Continued Mozi botnet expansion through vulnerable network devices across Asian and South American networks
Eight distinct IP addresses were observed distributing Mozi botnet payloads targeting ARM and MIPS architectures. Geographic distribution includes IP ranges in China (110.37.x.x, 182.121.x.x, 223.151.x.x), South America (201.149.x.x), and other regions. The consistent use of high-numbered ports (33456-60492) and a /bin.sh delivery mechanism indicates automated exploitation of known IoT vulnerabilities.
Active ClearFake operation utilizing fake browser update prompts to deliver remote access trojans through multiple rotating domains
Fourteen malicious domains were identified distributing GuLoader and NetSupport remote access trojans through fake browser update social engineering. The domains use multiple subdomain patterns (cash-guys.in.net, disas5embsilence.in.net, clean-sorted.in.net) with a consistent URI path structure, indicating coordinated infrastructure. GuLoader serves as the initial-stage loader that deploys NetSupport RAT for persistent remote access.
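The Mozi and ClearFake indicators above (distribution hosts, the /bin.sh path on high-numbered ports, the listed domains) are the kind a defender turns into a proxy-log triage rule. The following Python script is an added example, not part of the report, showing one way to do that. The log line format and the sample lines are constructed for illustration; the 223.151.44.9 address is a made-up host inside the 223.151.x.x range the report cites, and the /16 prefixes are an assumption about what "x.x" ranges mean in the report.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from the report above.
MIRAI_DISTRIBUTION_HOSTS = {"43.228.157.127", "46.151.182.82"}
CLEARFAKE_DOMAINS = {"cash-guys.in.net", "disas5embsilence.in.net", "clean-sorted.in.net"}
MOZI_PORT_RANGE = range(33456, 60492 + 1)
# The report lists Mozi sources only as "110.37.x.x" style ranges; treating them
# as /16 blocks is an assumption made for this example.
MOZI_SOURCE_PREFIXES = [
    ipaddress.ip_network(p)
    for p in ("110.37.0.0/16", "182.121.0.0/16", "223.151.0.0/16", "201.149.0.0/16")
]

# Constructed proxy log format: <timestamp> <client> "<METHOD> <url> HTTP/x.y" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

def parse_line(line):
    """Parse one proxy log line into a dict; return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = urlsplit(m["url"])
    default_port = 443 if u.scheme == "https" else 80
    return {
        "ts": m["ts"],
        "src": m["src"],
        "host": u.hostname or "",
        "port": u.port or default_port,
        "path": u.path or "/",
    }

def in_reported_range(host):
    """True if host is an IP inside one of the Mozi source prefixes."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in MOZI_SOURCE_PREFIXES)

def classify(event):
    """Map a parsed request to a campaign tag, or None if nothing matches."""
    host, port, path = event["host"], event["port"], event["path"]
    if host in MIRAI_DISTRIBUTION_HOSTS:
        return "mirai-distribution"
    # Exact domain or any subdomain of a listed ClearFake domain.
    if any(host == d or host.endswith("." + d) for d in CLEARFAKE_DOMAINS):
        return "clearfake"
    if path == "/bin.sh" and port in MOZI_PORT_RANGE:
        # A source inside a reported range raises confidence but is not required.
        return "mozi-binsh(known-range)" if in_reported_range(host) else "mozi-binsh"
    return None

def triage(lines):
    """Return (client, host, tag) for every line that matches an indicator."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        tag = classify(ev)
        if tag:
            hits.append((ev["src"], ev["host"], tag))
    return hits

# Constructed sample log; internal client addresses and timestamps are made up.
SAMPLE_LOG = [
    '2026-04-13T08:01:12Z 10.0.0.15 "GET http://43.228.157.127/huhu/arm7 HTTP/1.1" 200',
    '2026-04-13T08:02:45Z 10.0.0.22 "GET http://223.151.44.9:41234/bin.sh HTTP/1.1" 200',
    '2026-04-13T08:03:10Z 10.0.0.31 "GET https://cash-guys.in.net/update/index.php HTTP/1.1" 200',
    '2026-04-13T08:04:00Z 10.0.0.40 "GET https://example.org/index.html HTTP/1.1" 200',
    'not a log line',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Only the third rule depends on port and path rather than a fixed indicator, so it is the one most likely to keep firing after the listed hosts rotate; the first two rules should be fed from a refreshed indicator list rather than hard-coded as here.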
Common tactics, techniques, and procedures observed across malware campaigns
Threat actors compiled Mirai payloads for 17 distinct processor architectures, demonstrating sophisticated preparation for broad IoT device compromise. This approach maximizes infection potential across diverse embedded systems including routers, cameras, DVRs, and other connected devices with varying CPU architectures.