On April 19, 2026, threat intelligence sources identified sustained malicious activity centred primarily on IoT botnet operations. Analysis of 49 malicious indicators reveals two distinct threat campaigns: widespread Mozi botnet activity targeting IoT devices and a separate ClearFake malware distribution campaign. The Mozi botnet continues to exploit vulnerable IoT devices across multiple architectures (MIPS, ARM), with distribution servers primarily located in Asian IP ranges. Concurrently, the ClearFake campaign demonstrates sophisticated social engineering through fake browser update mechanisms.
The Mozi botnet activity represents the most significant volume of threats observed, with 38 malicious URLs distributing ELF binaries for MIPS and ARM architectures. These campaigns leverage compromised IoT devices as both victims and distribution infrastructure, creating a self-perpetuating infection cycle. The ClearFake campaign, while smaller in volume with 11 indicators, represents a higher-sophistication threat utilizing compromised domains with consistent URI patterns suggesting centralized command infrastructure. No critical vulnerabilities (KEV/NVD entries) were identified during this period, and no RSS-sourced threat intelligence articles were available for correlation.
Organizations should prioritize IoT device security hygiene, implement network segmentation for IoT infrastructure, and enhance user awareness training regarding fake browser update social engineering tactics. The absence of new vulnerability disclosures suggests threat actors are primarily exploiting known weaknesses in unpatched systems rather than zero-day vulnerabilities.
Extensive Mozi botnet distribution infrastructure targeting IoT devices across multiple architectures
38 malicious URLs identified distributing Mozi botnet payloads for MIPS and ARM architectures. Distribution servers predominantly located in Asian IP ranges (China, Pakistan) using high-numbered ports (35009-59139). Binaries include both standalone Mozi and hybrid Mozi/Mirai variants targeting IoT devices.
Multiple 32-bit ELF binaries compiled for MIPS architecture distributed via compromised IoT devices. URLs include bin.sh and /i endpoints suggesting shell script and binary payload delivery mechanisms. Source IPs across Chinese ISPs indicate compromised consumer networking equipment.
ARM-based ELF binaries identified with dual Mozi/Mirai characteristics targeting ARM-based IoT devices. Distribution pattern consistent with self-propagating botnet behavior where infected devices serve as distribution points for additional infections.
ClearFake malware campaign utilizing fake browser update mechanism for payload delivery
11 HTTPS URLs identified distributing ClearFake malware through social engineering. All URLs follow a consistent pattern, using subdomains under compromised or malicious domains (de1xpamil.in.net, bovlare6n.in.net, qi8morlen.in.net, 5zoramel.in.net) with an identical URI structure containing a UUID and Google-themed parameters to increase victim trust.
Campaign infrastructure demonstrates centralized control, with four distinct domain clusters (de1xpamil, bovlare6n, qi8morlen, 5zoramel) all registered under the .in.net domain suffix. The consistent UUID (05fe317c-0981-4de2-bc8a-930d369db441) across all URLs suggests a single campaign identifier. Google-themed URI parameters (ck-3d80df5d12cdfe6450a782fc87bf66b444.google) are designed to appear legitimate.
Analysis of observed attack methodologies and infrastructure patterns
Mozi botnet leveraging known IoT device vulnerabilities for initial access and lateral movement. High-numbered ports (35009-59139) suggest exploitation of various IoT device management interfaces. Self-replicating behavior enables rapid spread across vulnerable device populations.
ClearFake campaign employs fake browser update prompts to deceive users into downloading malicious payloads. Technique mimics legitimate browser update interfaces and leverages user trust in security updates to bypass security awareness.
Both campaigns utilize compromised systems as distribution infrastructure. Mozi-infected IoT devices serve payloads to new victims, while ClearFake leverages compromised web infrastructure for HTTPS-based delivery, complicating attribution and takedown efforts.
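The two URL patterns described above (Mozi: plain HTTP to a bare IP on a high port serving bin.sh or /i; ClearFake: HTTPS to a subdomain under one of the listed .in.net domains with the campaign UUID in the URI) can be turned into a simple triage check for proxy or DNS logs. The code below is an added example and not part of the report; the sample URLs are constructed (documentation IP ranges, made-up subdomain label), and the port range and path set are assumptions taken directly from the observations above.

```python
from urllib.parse import urlparse
from ipaddress import ip_address

# Values taken from the report
CLEARFAKE_DOMAINS = {"de1xpamil.in.net", "bovlare6n.in.net",
                     "qi8morlen.in.net", "5zoramel.in.net"}
CLEARFAKE_UUID = "05fe317c-0981-4de2-bc8a-930d369db441"
MOZI_PORT_RANGE = (35009, 59139)   # observed high-port range (assumed inclusive)
MOZI_PATHS = ("/bin.sh", "/i")     # shell-script and binary delivery endpoints

def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def classify_url(url):
    """Return 'mozi', 'clearfake' or None according to the report's URL patterns."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    # ClearFake: HTTPS, a subdomain (not the apex) of a listed .in.net domain,
    # and the campaign UUID somewhere in the path or query string
    if p.scheme == "https":
        parent = ".".join(host.split(".")[-3:])
        if parent in CLEARFAKE_DOMAINS and host != parent \
                and CLEARFAKE_UUID in (p.path + "?" + p.query):
            return "clearfake"
    # Mozi: plain HTTP to a bare IP on a high-numbered port, fetching bin.sh or /i
    if p.scheme == "http" and _is_ip(host) and p.port is not None:
        if MOZI_PORT_RANGE[0] <= p.port <= MOZI_PORT_RANGE[1] and p.path in MOZI_PATHS:
            return "mozi"
    return None

def triage(urls):
    """Summarise a batch of URLs into per-campaign counts for log review."""
    counts = {"mozi": 0, "clearfake": 0, "unmatched": 0}
    for u in urls:
        counts[classify_url(u) or "unmatched"] += 1
    return counts

# Constructed sample URLs (not indicators from the report)
SAMPLE_URLS = [
    "http://192.0.2.10:35009/bin.sh",
    "http://198.51.100.7:59139/i",
    "https://abc123.de1xpamil.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-3d80df5d12cdfe6450a782fc87bf66b444.google",
    "https://de1xpamil.in.net/other",   # apex domain, no UUID: unmatched
    "http://192.0.2.10:8080/bin.sh",    # port outside the observed range: unmatched
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify_url(u), u)
    print(triage(SAMPLE_URLS))
```

Treat a match as a lead for review rather than a verdict: the Mozi pattern in particular is broad, and the port range and paths should be tightened against your own telemetry.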