On April 24, 2026, threat intelligence monitoring identified sustained malware distribution activity across multiple threat vectors, with no critical vulnerabilities or law enforcement actions reported during this 24-hour period. The primary threat landscape was dominated by IoT-targeting botnets and browser-based social engineering campaigns. A total of 50 malicious indicators were observed from abuse.ch feeds, highlighting active malware distribution infrastructure.
Mirai and Mozi botnets continued aggressive targeting of IoT devices across multiple architectures (ARM, MIPS, x86, PowerPC), with two distinct C2 infrastructures (45.135.193.118 and 45.131.108.107) distributing per-architecture ELF binaries for widespread device compromise. Simultaneously, ClearFake campaigns used compromised domains and rotating subdomains to deliver fake browser update social engineering lures. The absence of new CVE disclosures or KEV additions suggests a tactical shift toward exploiting known vulnerabilities and poorly secured IoT ecosystems rather than zero-day exploitation.
Two active Mirai botnet C2 servers distributing multi-architecture malware payloads targeting IoT devices
Active Mirai C2 infrastructure hosting 12+ architecture-specific ELF binaries (ARM5/6/7, MIPS, x86, x86_64, PowerPC, M68K, SPC, SH4), indicating broad IoT device targeting capability. Payload downloads from this server carry a wget User-Agent string.
Secondary Mirai C2 infrastructure at path /LjEZs/ distributing an identical multi-architecture payload set (uYtea.* naming convention), representing a coordinated botnet expansion effort targeting diverse IoT hardware platforms.
Multiple compromised hosts in IP ranges attributed to China and Brazil distributing Mozi botnet payloads via HTTP on non-standard ports. Ten distinct compromised hosts were observed serving ARM and MIPS binaries, indicating successful initial compromise followed by a pivot to use as distribution nodes.
Browser-based fake update campaign using compromised domains with DNS-based evasion techniques
ClearFake malware distribution via multiple subdomains across three parent domains (polyate-eye.in.net, through7esid.in.net, alexand-trouble.in.net). The campaign uses unique session identifiers (05fe317c-0981-4de2-bc8a-930d369db441) and Google-themed file naming to deliver fake browser updates; 15 distinct distribution URLs were identified.
Analysis of malware distribution methods and infrastructure patterns from April 24 activity
Threat actors are deploying comprehensive architecture coverage (9-10 different CPU architectures per campaign) to maximize IoT device compromise success rates, which indicates a sophisticated understanding of global IoT device diversity and the use of automated build pipelines.
Mozi botnet operators are converting compromised IoT devices into secondary distribution nodes listening on non-standard high ports (32000-60000 range), producing a distributed and resilient malware delivery infrastructure that complicates takedown efforts.
ClearFake operators are using dynamic subdomain generation across multiple parent domains to evade domain-based blocking. Subdomains combine random alphanumeric strings with legitimate-sounding keywords (partner-sync, meta, hyper) for evasion.
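As an added example that is not part of the report, the following Python triage script turns the observations above into detection rules and runs them over constructed proxy log lines: the two Mirai C2 addresses, architecture-suffixed ELF downloads fetched with a wget User-Agent, ELF served from bare IP addresses on the 32000-60000 port range, and ClearFake parent domains with UUID-plus-Google-named paths. The log layout, client addresses, filenames and the subdomain are constructed; only the IPs, domains, path and UUID come from the report.

```python
import re

# Indicators quoted in the report; everything else in this block is constructed.
MIRAI_C2 = {"45.135.193.118", "45.131.108.107"}
CLEARFAKE_PARENTS = ("polyate-eye.in.net", "through7esid.in.net", "alexand-trouble.in.net")
# Filename suffixes matching the architecture list in the report (Mirai build naming).
ARCH_SUFFIX = re.compile(r"\.(arm[4-7]?|mips(el)?|x86(_64)?|ppc|m68k|spc|sh4)$", re.I)
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
ELF_MAGIC = "7f454c46"          # \x7fELF, first four response bytes as logged in hex
MOZI_PORTS = range(32000, 60001)

# Constructed log layout: <ts> <client> <dst_host>:<port> <method> <path> <user_agent> <first4bytes_hex>
SAMPLE_LOG = """\
2026-04-24T09:12:01Z 10.0.0.21 45.135.193.118:80 GET /LjEZs/uYtea.arm7 Wget/1.21 7f454c46
2026-04-24T09:12:03Z 10.0.0.21 45.135.193.118:80 GET /LjEZs/uYtea.mips Wget/1.21 7f454c46
2026-04-24T09:13:10Z 10.0.0.33 203.0.113.77:43215 GET /payload curl/8.4 7f454c46
2026-04-24T09:14:00Z 10.0.0.40 sync-partner-k3p9.polyate-eye.in.net:443 GET /05fe317c-0981-4de2-bc8a-930d369db441/GoogleUpdate.js Mozilla/5.0 3c736372
2026-04-24T09:15:22Z 10.0.0.40 cdn.example.com:443 GET /static/app.js Mozilla/5.0 2f2a2120
"""


def classify(line):
    """Return detection tags for one log line; an empty list means no rule matched."""
    _ts, _client, dst, _method, path, ua, magic = line.split()
    host, _, port = dst.rpartition(":")
    port = int(port)
    is_elf = magic.lower() == ELF_MAGIC
    has_arch_suffix = ARCH_SUFFIX.search(path) is not None
    tags = []
    if host in MIRAI_C2:
        tags.append("mirai_known_c2")
    # Per-architecture ELF pulled with a wget UA, or any such file from a known C2.
    if is_elf and has_arch_suffix and (host in MIRAI_C2 or ua.lower().startswith("wget")):
        tags.append("mirai_multiarch_payload")
    # Mozi distribution node: ELF served from a bare IP on a non-standard high port.
    if is_elf and BARE_IP.match(host) and port in MOZI_PORTS:
        tags.append("mozi_highport_distribution")
    if any(host == p or host.endswith("." + p) for p in CLEARFAKE_PARENTS):
        tags.append("clearfake_known_parent")
    if UUID_RE.search(path) and "google" in path.lower():
        tags.append("clearfake_update_lure")
    return tags


def scan(log_text):
    """Return (path, tags) for every flagged line, in log order; clean lines are dropped."""
    hits = []
    for line in log_text.strip().splitlines():
        tags = classify(line)
        if tags:
            hits.append((line.split()[4], tags))
    return hits
```

Running `scan(SAMPLE_LOG)` flags the two Mirai fetches, the high-port ELF download and the ClearFake lure, and leaves the ordinary CDN request untouched.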