This briefing covers threat intelligence for April 18, 2026, focusing exclusively on malware distribution infrastructure activity. The primary threat observed during this period involves active malware distribution campaigns targeting Internet of Things (IoT) devices and enterprise systems. A total of 51 malicious URLs were identified distributing multiple malware families including Mirai, Gafgyt, Mozi, and remote access trojans.
The most significant activity centers on IP address 65.87.7.5, which hosts at least 34 malicious payloads built for multiple architectures (ARM, MIPS, x86, SPARC, SuperH). Serving one build per architecture from a single host is the standard pattern for Mirai- and Gafgyt-derived loaders, whose download scripts fetch every build and try each until one executes, so this host should be treated as an active botnet staging server rather than a one-off drop. Additional concerning activity includes a ClearFake campaign delivering NetSupport RAT, PureRAT/PureHVNC distribution via compromised legitimate websites, and ongoing Mozi botnet propagation. Organizations should immediately block the identified indicators at DNS and egress and monitor for outbound connections from IoT devices to them.
Extensive malware distribution infrastructure identified hosting Mirai and Gafgyt variants targeting multiple IoT device architectures.
A single IP, 65.87.7.5, hosts 34+ malicious payloads distributing Mirai and Gafgyt variants across ARM, MIPS, x86, SPARC, and SuperH architectures. The two payload naming schemes in use (geometric-shape file names and a 'hik' directory structure) point to more than one campaign or build set being served from the same host, each aimed at a different set of IoT devices; the naming alone does not establish a multi-stage infection chain.
Four distinct IP addresses (125.47.234.58, 115.60.253.126, 42.236.221.151, 125.45.64.44) are distributing Mozi botnet payloads targeting MIPS-based IoT devices. Mozi is a peer-to-peer botnet that uses a BitTorrent-style DHT for node discovery and command distribution rather than fixed C2 servers, so blocking any one distribution host does not disrupt already-infected nodes; it is known for persistence and resilience for that reason.
Active Mirai distribution endpoint serving MIPS-architecture payloads, likely targeting routers and network devices for DDoS botnet recruitment.
A distribution point for Hajime malware was detected at 50.83.204.239. Hajime is a decentralized, DHT-based IoT botnet that competes with Mirai for the same devices; once installed it closes the ports Mirai's scanners use (TCP 23 among them) to lock competing bots out, which is what the "anti-Mirai" behaviour refers to. An infected device that suddenly stops answering on those ports is therefore a signal worth investigating, not a sign that it has been cleaned.
ARM64 architecture payload distribution targeting newer generation IoT and embedded devices.
Multiple RAT families identified being distributed through compromised websites and malicious campaigns targeting Windows systems.
Five compromised legitimate websites were identified hosting PureRAT and PureHVNC payloads (shcgroup-vn.com, allsydevs.com, zorvex.life, corwineagles.com, solar-sanat.net). These are commodity .NET tools from the same developer: PureRAT provides full remote control, and PureHVNC adds a hidden VNC session that runs a remote desktop invisible to the logged-on user. Both are typically used for espionage and data theft.
Three hostnames under the kiv6darem.in.net and rav2piren.in.net domains are distributing NetSupport RAT via the ClearFake fake-browser-update social engineering campaign. ClearFake injects JavaScript into compromised websites to display a fake update prompt, and the downloaded "update" installs the RAT. NetSupport RAT is the legitimate NetSupport Manager remote-administration tool repurposed by attackers, so detection should key on its presence in unexpected locations (user-writable paths, unmanaged hosts) and on connections to these domains rather than on the binary alone.
A PowerShell script payload is hosted at vame.be, indicating a fileless deployment or second-stage retrieval mechanism: such scripts are typically fetched and invoked in memory by an initial one-liner rather than written to disk, so PowerShell script-block logging and outbound requests to this host are the relevant detection points.
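As an added example (not part of the briefing), the following Python script checks proxy and DNS log lines against the indicators enumerated above. The IP and domain values are exactly those listed in this briefing; the log lines and URL paths are constructed for illustration, and treating any hostname under a listed domain as a match is an assumption made here.

```python
"""Match proxy / DNS log lines against the indicators from this briefing."""
from urllib.parse import urlsplit

# Indicators copied from the briefing text above (not invented here).
IOC_IPS = {
    "65.87.7.5",                                                           # Mirai/Gafgyt multi-arch host
    "125.47.234.58", "115.60.253.126", "42.236.221.151", "125.45.64.44",  # Mozi
    "50.83.204.239",                                                       # Hajime
}
IOC_DOMAINS = {
    "shcgroup-vn.com", "allsydevs.com", "zorvex.life", "corwineagles.com",
    "solar-sanat.net",                       # PureRAT / PureHVNC hosts
    "kiv6darem.in.net", "rav2piren.in.net",  # ClearFake -> NetSupport RAT
    "vame.be",                               # PowerShell stager
}


def match_host(host):
    """Return the matching indicator for a host, or None.

    IPs match exactly. For domains, a label under a listed domain
    (e.g. cdn.rav2piren.in.net) is treated as a hit (assumption), while
    look-alikes such as notvame.be or vame.be.example.com are not.
    """
    host = host.lower().rstrip(".")
    if host in IOC_IPS:
        return host
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def host_of(token):
    """Extract a host from a log token: a full URL, host:port, or bare host."""
    token = token.strip("\"'(),;")
    if "://" in token:
        return urlsplit(token).hostname or ""
    return token.split("/")[0].split(":")[0]


def scan_lines(lines):
    """Return (line_number, indicator, offending_token) for each line with a hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for token in line.split():
            ind = match_host(host_of(token))
            if ind:
                hits.append((lineno, ind, token))
                break  # one hit per line is enough to raise an alert
    return hits


# Constructed sample lines (Squid-style proxy access log and BIND-style query log);
# timestamps are 2026-04-18 09:00 UTC, the paths are illustrative only.
SAMPLE_LOG = [
    "1776502800.001 10.0.0.12 TCP_MISS/200 93240 GET http://65.87.7.5/hik/arm7 - HIER_DIRECT/65.87.7.5 application/octet-stream",
    "1776502801.115 10.0.0.40 TCP_MISS/200 487310 GET https://zorvex.life/images/logo.png - HIER_DIRECT/203.0.113.9 image/png",
    "1776502802.300 10.0.0.55 TCP_MISS/200 1320 GET https://www.example.com/ - HIER_DIRECT/198.51.100.2 text/html",
    "18-Apr-2026 09:01:02.333 client 10.0.0.77#5123: query: cdn.rav2piren.in.net IN A + (10.0.0.1)",
    "1776502803.900 10.0.0.91 TCP_MISS/200 22016 GET http://125.45.64.44:8080/bin.mips - HIER_DIRECT/125.45.64.44 application/octet-stream",
    "18-Apr-2026 09:01:05.010 client 10.0.0.78#5124: query: vame.be.example.com IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    for lineno, indicator, token in scan_lines(SAMPLE_LOG):
        print("line %d: %s matched indicator %s" % (lineno, token, indicator))
```

Lines 1, 2, 4 and 5 of the sample are flagged; line 3 is benign and line 6 is a look-alike that must not match. In production the same matcher would be fed from the SIEM or proxy export, and the hit tuple carries the original token so the analyst can see the full URL rather than only the indicator.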
Analysis of observed malware distribution methods, infrastructure patterns, and attacker techniques.
The actors deploy payloads for ARM (ARMv5 and ARMv7 variants), MIPS/MIPSEL, x86/x86_64/i586/i686, SPARC, SuperH, and ARC architectures. This is the standard Mirai-derived approach: the loader script downloads every build and attempts to execute each in turn, so whichever one matches the victim's CPU runs, maximizing infection success across routers, cameras, DVRs, and industrial systems without any prior fingerprinting of the device. For defenders this means a single download host will produce many distinct file hashes for what is functionally one payload, so hash-based blocking alone is weak; block the host and classify the samples by ELF machine type instead.
Legitimate websites across multiple sectors (corporate, software development, creative) have been compromised to host malware under image file names (.png extension). The trusted domain defeats reputation-based URL filtering and the image extension defeats extension-based download policies, but the extension does not change the file: the payloads are executables, so content inspection should classify downloads by magic bytes and treat a mismatch between declared extension (or Content-Type) and actual file type as a detection signal in its own right.
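The following Python is an added example (not from the briefing) covering both points above: it classifies a file by its magic bytes rather than its name, records the target architecture of ELF payloads so a multi-architecture drop can be triaged in bulk, and flags executables served under an image extension. The sample files are minimal constructed headers, not real samples, and the file names are illustrative.

```python
"""Classify downloaded files by content, record ELF/PE target architecture, and
flag executables disguised with an image extension."""
import struct

# ELF e_machine values (ELF specification / binutils elf/common.h).
ELF_MACHINES = {
    0x02: "SPARC", 0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
    0x2A: "SuperH", 0x2D: "ARC", 0x3E: "x86-64", 0x5D: "ARC Compact",
    0xB7: "ARM64", 0xC3: "ARC Compact v2",
}
# PE IMAGE_FILE_HEADER.Machine values (PE/COFF specification).
PE_MACHINES = {0x014C: "x86", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif")


def identify(data):
    """Return the true file type (and, for executables, architecture) from magic bytes."""
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        bits = {1: 32, 2: 64}.get(data[4], 0)            # EI_CLASS
        endian = {1: "little", 2: "big"}.get(data[5])    # EI_DATA
        fmt = "<H" if endian == "little" else ">H"
        e_machine = struct.unpack(fmt, data[18:20])[0]   # after e_ident[16] and e_type
        return {"type": "ELF", "bits": bits, "endian": endian,
                "arch": ELF_MACHINES.get(e_machine, "unknown(0x%x)" % e_machine)}
    if data[:2] == b"MZ" and len(data) >= 64:
        pe_off = struct.unpack("<I", data[60:64])[0]     # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\0\0" and len(data) >= pe_off + 6:
            machine = struct.unpack("<H", data[pe_off + 4:pe_off + 6])[0]
            return {"type": "PE", "arch": PE_MACHINES.get(machine, "unknown(0x%x)" % machine)}
        return {"type": "MZ"}                            # DOS stub without a PE header
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return {"type": "PNG"}
    return {"type": "unknown"}


def triage(name, data):
    """Identify a file and flag executables served under an image extension."""
    info = identify(data)
    info["name"] = name
    info["disguised"] = (name.lower().endswith(IMAGE_EXTENSIONS)
                         and info["type"] in ("ELF", "PE"))
    return info


def _elf(ei_class, ei_data, e_machine):
    """Minimal 20-byte ELF header (constructed test data, not a real sample)."""
    fmt = "<HH" if ei_data == 1 else ">HH"
    return b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\0" * 9 + struct.pack(fmt, 2, e_machine)


# Constructed samples: names are illustrative, bodies are header stubs only.
SAMPLES = [
    ("hik/arm7", _elf(1, 1, 0x28)),          # 32-bit little-endian ARM
    ("mips", _elf(1, 2, 0x08)),              # 32-bit big-endian MIPS
    ("arm64", _elf(2, 1, 0xB7)),             # 64-bit AArch64
    ("sh4", _elf(1, 1, 0x2A)),               # SuperH
    ("images/logo.png",                      # PE x86-64 behind a .png name
     b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + struct.pack("<H", 0x8664)),
    ("banner.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 8),  # a real PNG header
]


def triage_all(samples=SAMPLES):
    """Triage every (name, bytes) pair and return results keyed by name."""
    return {name: triage(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, info in triage_all().items():
        flag = " <-- executable disguised as image" if info["disguised"] else ""
        print("%-16s %-4s %s%s" % (name, info["type"], info.get("arch", ""), flag))
```

Run against a directory pulled from a distribution host, the architecture column groups the 34 builds into a handful of families, and the `disguised` flag is the content/extension mismatch check that a download proxy or sandbox should apply before trusting a `.png` from a compromised site.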