On April 23, 2026, threat intelligence sources identified significant malicious infrastructure activity despite limited reporting from traditional news sources. The primary threat landscape was dominated by two distinct malware campaigns: a sophisticated Mirai botnet variant targeting IoT devices with HTTP/2 and HTTP/3 DDoS capabilities, and an ongoing ClearFake malware distribution operation. Additionally, the Mozi botnet continued its persistent targeting of MIPS and ARM-based IoT devices, while a SmartLoader campaign leveraged compromised GitHub repositories for malware distribution.
The Mirai campaign represents a notable evolution in botnet capabilities, with 29 malware URLs identified hosting specialized DDoS attack binaries compiled for multiple architectures (x86, ARM, MIPS, PowerPC, RISC-V, s390x). These variants specifically implement HTTP/2 Rapid Reset and HTTP/3 flood attack techniques, indicating threat actors are adapting to exploit modern web protocol vulnerabilities. The malware distribution infrastructure was centralized at IP 176.65.139.11, suggesting a coordinated campaign with significant cross-platform impact potential.
The secondary threats include ClearFake malware distributed through typosquatting domains and SmartLoader payloads hosted on GitHub, demonstrating threat actors' continued abuse of legitimate platforms. The Mozi botnet activity, while persistent, followed established patterns targeting poorly secured IoT devices. Organizations should prioritize patching IoT devices, implementing network segmentation, and monitoring for indicators associated with these campaigns.
A sophisticated Mirai botnet variant with specialized HTTP/2 and HTTP/3 DDoS attack capabilities was identified, targeting multiple device architectures from a centralized infrastructure.
29 malicious URLs identified on 176.65.139.11 distributing Mirai variants compiled for x86, ARM, MIPS, PowerPC, RISC-V, and s390x architectures. Binaries implement HTTP/2 Rapid Reset (CVE-2023-44487) and HTTP/3 flood attack capabilities, representing advanced DDoS botnet infrastructure.
Eight variants of the Mirai 'h2stream' module identified across multiple architectures, designed to weaponize HTTP/2 streaming for volumetric DDoS attacks against web infrastructure.
Nine HTTP/3 flood attack binaries distributed across architectures including RISC-V and ARM64, indicating threat actors are targeting next-generation protocol implementations in IoT devices and edge infrastructure.
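The HTTP/2 Rapid Reset (CVE-2023-44487) behaviour these binaries implement has a recognizable server-side signature: a single client opens streams and cancels them with RST_STREAM almost immediately, at a rate far above any browser. The following detector is an added example, not code from the report or from any tool it names; the frame-level log format, the client addresses and the thresholds are all constructed assumptions.

```python
"""Flag clients whose HTTP/2 frame activity matches the Rapid Reset pattern
(many HEADERS frames each followed within milliseconds by RST_STREAM).
The log format and the sample traffic below are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_log():
    """Constructed sample, not real traffic: "<iso-time> <client> <stream-id> <frame>".
    203.0.113.7 opens 150 streams 2 ms apart and resets each after 1 ms;
    198.51.100.4 behaves like an ordinary browser session."""
    base = datetime(2026, 4, 23, 10, 0, 0)
    fmt = lambda t: t.isoformat(timespec="milliseconds")
    lines = []
    for i in range(150):
        t, sid = base + timedelta(milliseconds=2 * i), 2 * i + 1  # client-initiated streams are odd
        lines.append(f"{fmt(t)} 203.0.113.7 {sid} HEADERS")
        lines.append(f"{fmt(t + timedelta(milliseconds=1))} 203.0.113.7 {sid} RST_STREAM")
    for i in range(12):
        lines.append(f"{fmt(base + timedelta(milliseconds=400 * i))} 198.51.100.4 {2 * i + 1} HEADERS")
    lines.append(f"{fmt(base + timedelta(seconds=3))} 198.51.100.4 5 RST_STREAM")
    return sorted(lines)  # fixed-width timestamps sort chronologically


def parse_line(line):
    ts, client, stream_id, frame = line.split()
    return datetime.fromisoformat(ts), client, int(stream_id), frame


def detect_rapid_reset(lines, window=timedelta(seconds=1), min_streams=100, reset_ratio=0.8):
    """Return {client: (streams_opened, streams_reset)} for every client whose
    activity inside some sliding window matches the open-then-cancel pattern.
    Thresholds are illustrative; tune them against the server's concurrent-stream limit."""
    recent = defaultdict(deque)  # client -> (timestamp, frame) events still inside the window
    flagged = {}
    for line in lines:
        ts, client, _sid, frame = parse_line(line)
        if frame not in ("HEADERS", "RST_STREAM"):
            continue
        q = recent[client]
        q.append((ts, frame))
        while ts - q[0][0] > window:  # drop events that have aged out of the window
            q.popleft()
        opened = sum(1 for _, f in q if f == "HEADERS")
        reset = sum(1 for _, f in q if f == "RST_STREAM")
        if opened >= min_streams and reset / opened >= reset_ratio:
            flagged[client] = max(flagged.get(client, (0, 0)), (opened, reset))  # keep the peak
    return flagged
```

Running `detect_rapid_reset(constructed_log())` flags only 203.0.113.7, with 150 streams opened and 150 reset inside one second, while the browser-like client never approaches the threshold.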
Continued Mozi botnet activity targeting MIPS and ARM-based IoT devices through multiple command and control servers.
Multiple Mozi botnet distribution URLs identified targeting 32-bit MIPS architecture IoT devices through ports 36218, 44369, and 52150. Delivers shell scripts and ELF binaries for device compromise and botnet enrollment.
ARM-based IoT devices targeted by Mozi botnet through IPs 119.113.187.91 and 120.28.162.208, distributing 32-bit ARM ELF malware for device takeover and DDoS capability enrollment.
ClearFake malware distributed through typosquatting domains mimicking legitimate services, targeting user systems through social engineering.
Six malicious domains identified (po4vaxel.in.net, wi9sorin.in.net) distributing ClearFake malware through subdomains mimicking authentication flows. Uses unique session identifiers (05fe317c-0981-4de2-bc8a-930d369db441) and Google branding to deceive victims.
SmartLoader malware distributed through compromised or malicious GitHub repositories, leveraging trusted platform for malware delivery.
Seven GitHub repositories identified distributing SmartLoader malware as ZIP archives disguised as legitimate development tools (Hash_Buster, cursor-reset, social-bar, DevCrack, CrackFtp). Repositories use technical naming to appear credible to developer communities.