On April 25, 2026, threat intelligence monitoring identified 50 malicious indicators from abuse.ch data, with no CVE disclosures, KEV additions, or RSS-sourced articles for this 24-hour period. The dominant threat activity centers on SmartLoader malware distribution via compromised GitHub repositories and IoT-targeting botnets (Mirai and Mozi). SmartLoader campaigns leverage legitimate GitHub infrastructure to host malicious ZIP archives, representing a significant abuse of trusted development platforms. Concurrently, Mirai and Mozi botnet operators continue targeting IoT devices through multiple architectures, with Mirai infrastructure delivering cross-platform payloads for ARM, x86, MIPS, PowerPC, and SuperH systems. ClearFake malware distribution was also observed through phishing infrastructure. The absence of new vulnerability disclosures suggests threat actors are primarily exploiting known weaknesses and relying on social engineering rather than zero-day exploitation during this period.
30 malicious URLs distributing SmartLoader malware through compromised or attacker-controlled GitHub repositories, abusing trusted development infrastructure for malware delivery.
Threat actors are hosting SmartLoader malware as ZIP archives on GitHub repositories (ziebwon/cnmsb, techgyan123, Websyze, theenemylost, and others). These repositories masquerade as legitimate software projects with names like 'community-design-resources', 'gestion_voluntario', and 'solana-dev-skill' to deceive victims into downloading malicious payloads. This technique abuses GitHub's trusted domain reputation for malware distribution.
Multiple SmartLoader variants were observed with software development-themed repository names including 'full-stack-fastapi-mongodb', 'genshin-ts', 'solana-dev-skill', and 'bloom'. This social engineering approach targets developers and technical users who may trust GitHub-hosted content, with version numbering schemes (v1.8-beta.1, v2.5, v3.5-beta.3) mimicking legitimate software releases.
17 malicious URLs associated with Mirai and Mozi botnet operations targeting IoT devices across multiple architectures, indicating sustained botnet recruitment efforts.
Infrastructure at 176.65.139.141 is distributing Mirai botnet payloads ('jade' variant) compiled for 10 different architectures: ARM (multiple versions), x86/x86_64, MIPS, PowerPC, SuperH, and m68k. This comprehensive targeting enables infection of diverse IoT devices including routers, cameras, DVRs, and embedded systems. All payloads were identified with wget user-agent signatures, indicating that the downloads are triggered through exploitation of command injection vulnerabilities on the victim device.
Seven distinct IP addresses (27.207.213.78, 5.79.147.245, 61.52.105.63, 182.126.195.10, 42.229.218.145, 125.43.32.245, and others) serving Mozi botnet payloads primarily targeting MIPS-based IoT devices. Mozi remains active despite previous law enforcement disruptions, leveraging DHT peer-to-peer infrastructure for resilience. Observed activity includes both direct payload delivery ('/i' endpoints) and shell script loaders ('/bin.sh').
Three malicious URLs hosting ClearFake malware through phishing infrastructure using subdomain generation techniques.
ClearFake malware distributed through domains using algorithmic subdomain generation (blue-star-2m.ales1ine.in.net, kalt-4.ales1ine.in.net, zeit-9.ales1ine.in.net, iron-mond-7x.archit-physiol.in.net, bleu-1.archit-physiol.in.net). All URLs follow identical path structure '/cdk-msdn-3457325-null/load-file0dsdf567.chk', suggesting centralized campaign infrastructure with rotating subdomains for evasion. ClearFake typically delivers fake browser update prompts leading to information stealer deployment.
Analysis of observed tactics, techniques, and procedures reveals reliance on trusted platform abuse, multi-architecture targeting, and domain generation algorithms.
Threat actors are extensively leveraging GitHub's trusted infrastructure for malware hosting, exploiting both organizational trust in the platform and GitHub's content delivery capabilities. This technique provides attackers with free, high-bandwidth hosting, SSL encryption, and inherent reputation benefits. Defenders should implement GitHub-specific monitoring and treat GitHub raw content and archive download URLs with increased scrutiny in security controls.
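The two detection opportunities described above (the ClearFake rotating-subdomain pattern in the earlier section and GitHub archive downloads here) can be checked directly against proxy logs. The following is an added example, not part of this digest or any vendor tooling; the sample URLs are constructed for the demonstration, with the ClearFake hosts and path taken from this digest and the GitHub repository names being placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of URLs as they might appear in a web proxy log.
# The three ales1ine.in.net entries reproduce the ClearFake pattern from
# the digest; the GitHub and example.com entries are placeholders.
SAMPLE_URLS = [
    "https://blue-star-2m.ales1ine.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk",
    "https://kalt-4.ales1ine.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk",
    "https://zeit-9.ales1ine.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk",
    "https://github.com/example-org/solana-dev-skill/releases/download/v2.5/solana-dev-skill.zip",
    "https://github.com/example-org/docs-site/archive/refs/heads/main.zip",
    "https://www.example.com/index.html",
]

# GitHub paths that deliver a ZIP archive: release assets and repository
# snapshot archives. Owner/repo are the first two path segments.
GITHUB_ARCHIVE = re.compile(
    r"^/[^/]+/[^/]+/(releases/download/[^/]+/[^/]+\.zip|archive/.+\.zip)$"
)


def parent_domain(host: str) -> str:
    """Strip the leftmost label so rotating subdomains collapse to one key.
    A production version would use the public suffix list instead."""
    labels = host.lower().split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else host.lower()


def rotating_subdomain_campaigns(urls, min_hosts: int = 3) -> dict:
    """Group URLs by (parent domain, path); return groups whose identical
    path was served from at least `min_hosts` distinct subdomains."""
    groups = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        groups[(parent_domain(parts.hostname), parts.path)].add(parts.hostname)
    return {key: sorted(hosts) for key, hosts in groups.items()
            if len(hosts) >= min_hosts}


def github_archive_downloads(urls) -> list:
    """Return URLs that fetch a ZIP archive from github.com."""
    return [u for u in urls
            if urlsplit(u).hostname == "github.com"
            and GITHUB_ARCHIVE.match(urlsplit(u).path)]


if __name__ == "__main__":
    for key, hosts in rotating_subdomain_campaigns(SAMPLE_URLS).items():
        print("rotating-subdomain campaign:", key, hosts)
    for u in github_archive_downloads(SAMPLE_URLS):
        print("github archive download:", u)
```

Feed the two functions the URL column of a day's proxy export; a hit from the first is worth correlating with the fake browser update lure described for ClearFake, and hits from the second should be reviewed against the organization's list of expected repositories.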
Observed Mirai infrastructure demonstrates a sophisticated approach to IoT compromise by maintaining simultaneous payloads for 10+ processor architectures. This ensures maximum infection potential across heterogeneous IoT environments. Security teams managing IoT deployments should implement architecture-agnostic security controls and network segmentation regardless of device type.