On April 16, 2026, threat intelligence monitoring detected 51 malicious indicators across multiple campaigns, with no critical vulnerabilities or infrastructure seizures reported. The dominant threat vector identified was malware distribution through compromised GitHub repositories and direct download URLs. Two primary malware families were observed: SmartLoader deployed via 41 weaponized ZIP archives hosted on GitHub, and ClearFake/NetSupport distributed through 6 URLs using the 'imperturbs1av.in.net' infrastructure. Additionally, 3 Mozi botnet samples targeting IoT devices and a Vidar information stealer campaign were detected.
The SmartLoader campaign demonstrates sophisticated abuse of legitimate developer platforms, with threat actors compromising multiple GitHub accounts to host malicious payloads disguised as development tools, machine learning models, and system utilities. The ClearFake campaign continues its social engineering tactics to deploy NetSupport remote access tools. The Vidar distribution leverages the 'armour-inc-down.net' domain with gaming mod menu lures, indicating continued targeting of gaming communities for credential theft.
Organizations should implement enhanced monitoring for GitHub-hosted executables, block the identified IOCs at network perimeters, and educate users about the risks of downloading software from unofficial sources. The absence of seized infrastructure suggests these campaigns remain actively operational and pose ongoing risks to enterprise and consumer environments.
An extensive malware distribution campaign leveraged compromised GitHub repositories to host 41 malicious ZIP archives disguised as legitimate software tools and development frameworks.
Threat actors compromised multiple GitHub accounts including KnigthFrodo, Bladerex24, GGplayerp, kunalkalia2610, enescoban43, adidasyadebiras228, TMGYTOFFICIAL, and lavadood6909 to distribute SmartLoader malware. Malicious ZIP archives are disguised as cryptocurrency miners, machine learning models, development tools, and system utilities with version numbers to appear legitimate.
SmartLoader malware was distributed via the GitHub repository 'KnigthFrodo/xmrig', masquerading as OpenCL mining software (Software-2.8.zip) and targeting users searching for cryptocurrency mining tools.
A malicious ZIP file (simple_llm_v3.7.zip) was hosted in the 'Bladerex24/simple-llm' repository, targeting developers and data scientists seeking language model implementations.
Multiple repositories host malware disguised as legitimate development tools, including the amp-contrib, pebblecreek-laravel, docker-nvidia-gpu-ml, and mql5-jetbrains projects, targeting software developers across multiple technology stacks.
An active ClearFake campaign is deploying the NetSupport remote access tool through infrastructure built on the 'imperturbs1av.in.net' domain and multiple subdomains.
Six malicious URLs were detected across subdomains (xcmw, euwt, mer-crestal, brave-sens, oassyn) of imperturbs1av.in.net and parchm-susyuka.in.net, distributing ClearFake fake browser update payloads that deliver the NetSupport RAT. The URLs share a consistent URI pattern: a UUID path component with an obfuscated '.google' file extension.
Three Mozi botnet samples targeting IoT devices were detected, indicating continued exploitation of embedded systems and network devices.
Three malicious URLs hosting Mozi botnet payloads were detected on Chinese IP addresses (42.224.168.31, 42.238.138.85, 182.129.145.2). The samples are 32-bit ELF binaries for the MIPS and ARM architectures and also include a Mirai variant. They target routers, cameras, and other embedded devices via shell script downloaders.
An information stealer campaign is targeting gaming community members through fake game modification tools.
Six password-protected ZIP archives (password: 4DKCUJ4DDXS) hosting the Vidar information stealer were distributed via the armour-inc-down.net domain. The campaign uses a gaming mod menu lure (KIDDIONSMODMENU) to target Grand Theft Auto V players seeking cheating tools, and the stealer is designed to harvest credentials, cryptocurrency wallets, and browser data.
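An added detection example, not part of the report: a Python pass that applies the monitoring and blocking recommended above to constructed proxy-log lines, using the domains, IP addresses and GitHub accounts the report lists. The log format, URL paths, UUID and client addresses are assumptions made for the example; it also generalizes the UUID-plus-'.google' URI shape to hosts the report does not list, flagging those for review rather than blocking.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the report above (domains, IPs, GitHub accounts).
CLEARFAKE_DOMAINS = ("imperturbs1av.in.net", "parchm-susyuka.in.net")
VIDAR_DOMAINS = ("armour-inc-down.net",)
MOZI_IPS = {"42.224.168.31", "42.238.138.85", "182.129.145.2"}
SMARTLOADER_ACCOUNTS = {"knigthfrodo", "bladerex24", "ggplayerp", "kunalkalia2610",
                        "enescoban43", "adidasyadebiras228", "tmgytofficial", "lavadood6909"}
# ClearFake URI shape from the report: a UUID path component with a ".google" extension.
CLEARFAKE_PATH = re.compile(r"/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.google$", re.I)
GITHUB_ARCHIVE = re.compile(r"^/([^/]+)/[^/]+/.*\.(?:zip|exe)$", re.I)  # /<account>/<repo>/...

def _under(host, domains):
    # Exact match or subdomain only, so "notimperturbs1av.in.net" is not a hit.
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(url):
    """Return (family, action) for one URL, or None if no rule matches."""
    u = urlparse(url)
    host, path = (u.hostname or "").lower(), u.path
    if _under(host, CLEARFAKE_DOMAINS):
        return ("ClearFake/NetSupport", "block")
    if _under(host, VIDAR_DOMAINS):
        return ("Vidar", "block")
    if host in MOZI_IPS:
        return ("Mozi/Mirai", "block")
    m = GITHUB_ARCHIVE.match(path) if host == "github.com" else None
    if m and m.group(1).lower() in SMARTLOADER_ACCOUNTS:
        return ("SmartLoader", "block")
    if m:  # any other GitHub-hosted archive: the "enhanced monitoring" case
        return ("GitHub-hosted archive", "review")
    if CLEARFAKE_PATH.search(path):  # same URI shape on a host not yet listed
        return ("ClearFake URI pattern", "review")
    return None

# Constructed proxy-log lines "<timestamp> <client> <method> <url> <status>"; paths, UUID and clients are made up.
SAMPLE_LOG = """\
2026-04-16T09:12:01Z 10.0.0.12 GET https://github.com/KnigthFrodo/xmrig/releases/download/v2.8/Software-2.8.zip 200
2026-04-16T09:14:33Z 10.0.0.12 GET https://xcmw.imperturbs1av.in.net/3f2b9c1e-7a4d-4e8b-9c2a-1d5e6f7a8b9c.google 200
2026-04-16T09:15:10Z 10.0.0.40 GET http://42.224.168.31/bin.sh 200
2026-04-16T09:16:45Z 10.0.0.40 GET https://armour-inc-down.net/KIDDIONSMODMENU.zip 200
2026-04-16T09:18:02Z 10.0.0.55 GET https://github.com/someorg/tool/releases/download/v1.0/tool.zip 200
2026-04-16T09:19:20Z 10.0.0.55 GET https://example.org/index.html 200
"""

def scan(log_text):
    """Classify the URL field of every log line; return [(family, action, url), ...]."""
    urls = [f[3] for f in (line.split() for line in log_text.splitlines()) if len(f) >= 4]
    return [(*v, u) for u in urls if (v := classify(u))]
```

Running scan(SAMPLE_LOG) yields five hits (four "block", one "review") and passes over the benign example.org request.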