On April 17, 2026, threat intelligence monitoring identified 51 active malware distribution URLs across multiple campaigns. The day's activity was dominated by ClearFake social engineering operations (27 URLs) and SmartLoader malware hosted on compromised GitHub repositories (13 URLs). Additionally, Mozi botnet infrastructure remained active with 8 URLs targeting IoT devices, while commodity malware families including Amadey, Vidar, and LummaC2 Stealer continued distribution operations. No critical vulnerabilities, KEV additions, or infrastructure seizures were reported during this period.
The ClearFake campaign leveraged multiple typosquatted domains with similar URI patterns, suggesting coordinated infrastructure managed by a single threat actor group. The SmartLoader GitHub abuse represents a concerning trend of attackers weaponizing legitimate code hosting platforms for malware distribution. Organizations should implement URL filtering for the identified indicators and monitor for similar domain patterns. The continued Mozi botnet activity targeting ARM and MIPS architectures underscores ongoing risks to unpatched IoT devices.
Large-scale ClearFake malware distribution campaign utilizing typosquatted domains and consistent URI patterns across 27 malicious URLs
Multiple URLs distributing ClearFake fake update pages leading to NetSupport RAT deployment. Domains include cacpulse.dax8sovel.in.net, grandalign.bex5loran.in.net, retailmicro.bex5loran.in.net, and 2vb5.bex5loran.in.net using identical URI patterns.
Additional ClearFake infrastructure identified across gypsyw0od.in.net, nelma-report.in.net, and qyx7darem.in.net domain clusters. Consistent UUID-based URL structure suggests centralized campaign management.
Threat actors leveraging GitHub repositories to host SmartLoader malware in ZIP archives, exploiting platform trust
13 malicious ZIP files containing SmartLoader were distributed via GitHub repositories including industrialintelligence/homestead, 45d5r/databricks-mcp-server, wndaalol/DoorsScript, and others. The files are disguised as legitimate software releases and beta versions.
Attackers using both raw.githubusercontent.com and github.com direct download URLs to distribute identical SmartLoader payloads. Repository names include technical terms (databricks-mcp-server, scrappe-tout, aios-core) to appear legitimate.
Active Mozi botnet infrastructure distributing ELF malware targeting ARM and MIPS IoT devices
Multiple IP addresses (42.225.206.215, 123.14.99.250, 115.61.45.79, 182.119.15.169, 222.137.145.70) distributing Mozi bot payloads for MIPS-based IoT devices via bin.sh scripts.
ARM architecture Mozi variants distributed from 221.11.172.25 and 123.11.207.106, targeting vulnerable routers and embedded systems. Mirai-based code detected in samples.
Multiple information stealer and dropper malware families active including Amadey, Vidar, and LummaC2
Amadey malware dropper infrastructure at 62.60.226.159 and 85.239.147.6 distributing secondary payloads (spd.exe, qHmB2YG.exe) with c2-monitor-auto and fbf543 tags indicating active command and control monitoring.
Vidar information stealer distributed via microservisetrue.vip with obfuscated PHP delivery mechanism. LummaC2 Stealer (bot_x86.exe, bot.exe) and opendir-tagged malware hosted on 45.135.193.114.
Analysis of common techniques and infrastructure patterns observed across multiple campaigns
Threat actors are utilizing the in.net TLD with consistent subdomain patterns (bex5loran, gypsyw0od, qyx7darem, nelma-report, dax8sovel) combined with UUID-based URI paths for ClearFake distribution. This consistency suggests automated domain generation and centralized campaign orchestration.
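As an added example (not part of the original report), the following Python detection logic flags proxy-log URLs matching the ClearFake infrastructure pattern described above: an in.net host carrying one of the listed cluster labels, plus a UUID-shaped path segment. The log lines and UUID values are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Subdomain cluster labels and TLD reported for the ClearFake campaign.
CLEARFAKE_CLUSTERS = {"bex5loran", "gypsyw0od", "qyx7darem", "nelma-report", "dax8sovel"}
CLEARFAKE_TLD = "in.net"

# Matches a canonical 8-4-4-4-12 hex UUID used as a path segment.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Constructed proxy-log lines (not real traffic); UUIDs are made up.
SAMPLE_LOG = [
    "2026-04-17T10:02:11Z 10.0.0.5 GET https://cacpulse.dax8sovel.in.net/123e4567-e89b-12d3-a456-426614174000 200",
    "2026-04-17T10:03:45Z 10.0.0.9 GET https://updates.example.com/release.json 200",
    "2026-04-17T10:04:02Z 10.0.0.5 GET https://2vb5.bex5loran.in.net/7c9e6679-7425-40de-944b-e07fc1f90ae7/ 302",
]


def classify_url(url):
    """Return match details if the URL fits the ClearFake pattern, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    labels = host.split(".")
    # Host must be a subdomain under in.net ...
    if len(labels) < 3 or ".".join(labels[-2:]) != CLEARFAKE_TLD:
        return None
    # ... and one of its labels must be an observed cluster name.
    cluster = next((lbl for lbl in labels[:-2] if lbl in CLEARFAKE_CLUSTERS), None)
    if cluster is None:
        return None
    segments = [s for s in parsed.path.split("/") if s]
    has_uuid = any(UUID_RE.match(s) for s in segments)
    return {"host": host, "cluster": cluster, "uuid_path": has_uuid}


def scan_lines(lines):
    """Extract URLs from log lines and return (url, details) for each hit."""
    hits = []
    for line in lines:
        for token in line.split():
            if token.startswith(("http://", "https://")):
                details = classify_url(token)
                if details:
                    hits.append((token, details))
    return hits
```

Hosts under in.net that carry none of the listed cluster labels are deliberately not flagged, so the TLD alone does not produce alerts.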