For April 26, 2026, threat intelligence collection identified 48 malicious URLs actively distributing malware, with no new CVEs, KEV entries, or RSS articles during this period. The malware landscape is dominated by two primary threats: Mozi botnet variants (54% of activity) and ClearFake campaigns (42% of activity), with minimal Mirai and Gafgyt activity observed. The Mozi botnet continues to aggressively target IoT devices across multiple architectures, particularly MIPS-based systems, with C2 infrastructure primarily hosted on compromised devices in the Asia-Pacific region. ClearFake social engineering campaigns remain active with distribution infrastructure spread across multiple domains using consistent naming patterns, indicating coordinated threat actor activity.
The threat activity demonstrates continued exploitation of IoT device vulnerabilities for botnet recruitment, with both Mozi and the Mirai/Gafgyt infrastructure shipping payloads for many CPU architectures so that any reachable device can be enrolled. ClearFake operations maintain their focus on browser-based social engineering, most likely fake browser update prompts that lead the victim to download a follow-on payload. Organizations should prioritize IoT device hardening (changing default credentials, patching, disabling exposed management services), network segmentation that keeps IoT devices away from user and server networks, egress filtering that blocks direct-to-IP HTTP downloads on unusual ports, and user awareness training regarding fake browser updates. The absence of new vulnerability disclosures during this period does not indicate reduced risk: the observed campaigns rely on long-known IoT weaknesses and on user interaction, neither of which requires a new CVE.
Twenty-six URLs identified distributing Mozi botnet malware targeting IoT devices, primarily MIPS architecture. Activity concentrated in Asia-Pacific region.
Active distribution of Mozi botnet payloads across 26 compromised hosts, primarily targeting MIPS-based IoT devices. Distribution infrastructure consists of infected devices in the Asia-Pacific region, chiefly China and Taiwan, plus one host in South Africa (105.184.239.179). Binary delivery via a small downloader shell script ('bin.sh') fetched over plain HTTP is the standard Mozi pattern and indicates automated exploitation and propagation rather than hands-on operator activity.
Multiple compromised IoT devices in China and Taiwan serving as distribution points for Mozi malware (IPs: 182.121.9.195, 123.10.158.9, 42.228.35.148, 112.246.10.205, 113.236.10.66, 27.215.84.219, 182.112.254.225, 175.165.70.211, 125.41.106.205, 115.55.226.192). Payloads delivered via HTTP on high-numbered ports, consistent with compromised device behavior.
IP 105.184.239.179 identified distributing both Mozi and Mirai botnet malware. Mozi shares code lineage with Gafgyt and Mirai and all three compete for the same pool of vulnerable devices, so the most likely explanation is a single device that has been compromised by more than one botnet in turn, each leaving its own downloader behind. Deliberate coordination between the operators is possible but is not required to explain the observation, and the dual-family host should be blocked and tracked like any other distribution point.
Twenty ClearFake malware distribution URLs detected across a cluster of five related in.net domains, indicating active browser-based social engineering operations.
Active ClearFake distribution campaign utilizing five related second-level domains under in.net (dex2lavel.in.net, bexla8rin.in.net, qiv5moren.in.net, zex1liron.in.net, rax7pavel.in.net), each built from a short letter string with a single embedded digit, and each carrying several subdomains. All 20 URLs follow the identical path '/cdk-msdn-3457325-null/load-file0dsdf567.chk', which is a stronger pivot than any one hostname: the path can be matched in proxy logs regardless of which domain the campaign rotates to next, and its reuse across every domain indicates a single centrally managed back end. ClearFake typically uses fake browser update prompts to social engineer victims into downloading malware.
Subdomain naming follows a consistent pattern of short, plausible-looking words and two-word compounds (iron, blue-fire, wald-baum, gold-star, etc.), suggesting automated generation from a word list or organized infrastructure management. HTTPS is used on every ClearFake URL; beyond lending the pages a legitimate appearance, it hides the distinctive URL path from any network control that does not perform TLS inspection, so detection of this campaign must rely on DNS or certificate-level indicators (the in.net domains) unless the proxy decrypts traffic.
Infrastructure at 176.65.139.177 distributing Mirai and Gafgyt variants across 14 different architectures, indicating sophisticated IoT targeting capabilities.
Single IP address (176.65.139.177) hosting comprehensive IoT malware distribution infrastructure with binaries for 14 different CPU architectures including x86, ARM, MIPS, PowerPC, RISC-V, SuperH, and LoongArch. The delivery script 'run.sh' is the loader stage: scripts of this kind typically download each architecture-specific binary in turn and attempt to execute it, so the one that matches the victim's CPU runs and the rest fail harmlessly. The script therefore does not need to fingerprint the device, and the number of binaries it references is a direct measure of the device population the operator intends to recruit.
Distribution infrastructure includes binaries for emerging architectures (RISC-V 32/64-bit, LoongArch64), demonstrating threat actor adaptation to the evolving IoT hardware landscape. Targeting these newer architectures indicates a proactive botnet expansion strategy and a maintained cross-compilation toolchain; defenders who only inspect ARM and MIPS samples will miss the variants built for these platforms.
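When triaging a loader of this kind, the quickest way to confirm which architectures the operator actually built for is to read the ELF identification bytes and the e_machine field of each downloaded binary rather than trusting the file names in the script. The following is an added example written for this report, not code from the report or from any of the campaigns it describes. It parses the 20-byte ELF prefix and maps e_machine to the architecture names used above; the sample headers are constructed in the script for illustration and are not real malware (they are header stubs, not executables).

```python
import struct
from collections import Counter

# ELF e_machine values (from the ELF specification) for the architectures
# named in this report. Values outside this table are reported as unknown.
EM_NAMES = {
    3: "x86", 62: "x86-64", 8: "MIPS", 40: "ARM", 183: "AArch64",
    20: "PowerPC", 21: "PowerPC64", 42: "SuperH", 243: "RISC-V", 258: "LoongArch",
}


def elf_arch(data):
    """Return (machine, bits, endianness) for an ELF file, or None if not ELF.

    Only the identification bytes and e_machine are read, so a truncated
    download that still has its first 20 bytes can be classified.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(data[4])           # EI_CLASS
    endian = {1: "little", 2: "big"}.get(data[5])  # EI_DATA
    if bits is None or endian is None:
        return None
    fmt = "<H" if endian == "little" else ">H"
    e_machine = struct.unpack_from(fmt, data, 18)[0]  # e_machine at offset 18
    return (EM_NAMES.get(e_machine, f"unknown(0x{e_machine:x})"), bits, endian)


def make_header(e_machine, bits, endian):
    """Construct a minimal ELF header stub for testing (constructed sample, not
    a runnable executable): only the identification bytes, e_type and
    e_machine are populated."""
    hdr = bytearray(64)
    hdr[:4] = b"\x7fELF"
    hdr[4] = 1 if bits == 32 else 2
    hdr[5] = 1 if endian == "little" else 2
    hdr[6] = 1  # EI_VERSION = EV_CURRENT
    fmt = "<H" if endian == "little" else ">H"
    struct.pack_into(fmt, hdr, 16, 2)          # e_type = ET_EXEC
    struct.pack_into(fmt, hdr, 18, e_machine)  # e_machine
    return bytes(hdr)


def triage(samples):
    """Map each downloaded file name to its architecture description.

    Non-ELF payloads (for example the loader script itself) are labelled so."""
    result = {}
    for name, data in samples.items():
        arch = elf_arch(data)
        result[name] = "not ELF" if arch is None else f"{arch[0]} {arch[1]}-bit {arch[2]}-endian"
    return result


def distinct_targets(samples):
    """Count how many distinct (machine, bits, endianness) targets the drop contains."""
    return Counter(elf_arch(d) for d in samples.values() if elf_arch(d) is not None)


# Constructed sample set modelled on a multi-architecture drop. File names are
# hypothetical; the bytes are header stubs built above, not captured binaries.
SAMPLES = {
    "run.sh": b"#!/bin/sh\n# loader stub (constructed)\n",
    "x.mips": make_header(8, 32, "big"),
    "x.mpsl": make_header(8, 32, "little"),
    "x.arm7": make_header(40, 32, "little"),
    "x.x86_64": make_header(62, 64, "little"),
    "x.riscv64": make_header(243, 64, "little"),
    "x.loong64": make_header(258, 64, "little"),
    "x.sh4": make_header(42, 32, "little"),
}

if __name__ == "__main__":
    for name, desc in triage(SAMPLES).items():
        print(f"{name:12s} {desc}")
    print(f"{len(distinct_targets(SAMPLES))} distinct ELF targets")
```

Big-endian and little-endian MIPS count as separate targets here, which matches how these drops are usually organized (the "mips" and "mpsl" builds are different binaries); reading the byte order from EI_DATA is also what keeps the e_machine decode correct for big-endian samples.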
Analysis of delivery mechanisms and infrastructure patterns reveals consistent threat actor methodologies across campaigns.
Consistent use of the 'bin.sh' and 'i' filenames across Mozi campaigns indicates a standardized delivery methodology. The download servers listen on high-numbered ports in the 40000-60000 range, consistent with Mozi's practice of serving payloads directly from infected peers on a randomly chosen port rather than from a fixed hosting provider; the combination of a bare IP host, a high port and one of these two filenames is a reliable behavioural signature even for hosts not yet on any block list. This delivery pattern facilitates rapid propagation across vulnerable IoT device populations.
All ClearFake URLs utilize HTTPS with legitimate-appearing subdomains, exploiting the trust users place in the padlock and in short, word-like hostnames. The single shared path across all domains suggests one back end serving every domain, which may also be used for campaign tracking; in any case it gives defenders a stable indicator to match on.
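The delivery patterns above (Mozi's bare-IP hosts on high ports serving 'bin.sh' or 'i', the ClearFake domains and shared path, and the 176.65.139.177 multi-architecture host) translate directly into a proxy-log check. The following is an added example written for this report, not code from the report or from any tooling its authors use; it applies those indicators to a constructed set of egress-log lines (timestamp, client IP, method, URL) whose timestamps, client addresses and the non-indicator paths are made up for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Indicators taken from this report.
MOZI_HOSTS = {
    "182.121.9.195", "123.10.158.9", "42.228.35.148", "112.246.10.205",
    "113.236.10.66", "27.215.84.219", "182.112.254.225", "175.165.70.211",
    "125.41.106.205", "115.55.226.192",
}
DUAL_FAMILY_HOSTS = {"105.184.239.179"}   # served both Mozi and Mirai samples
MIRAI_GAFGYT_HOSTS = {"176.65.139.177"}   # multi-architecture Mirai/Gafgyt drop
CLEARFAKE_DOMAINS = ("dex2lavel.in.net", "bexla8rin.in.net", "qiv5moren.in.net",
                     "zex1liron.in.net", "rax7pavel.in.net")
CLEARFAKE_PATH = "/cdk-msdn-3457325-null/load-file0dsdf567.chk"
MOZI_FILENAMES = {"bin.sh", "i"}
MOZI_PORT_RANGE = (40000, 60000)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _under_domain(host, domains):
    """True if host equals one of domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url):
    """Label a URL by the campaign it matches; 'benign' when nothing matches."""
    p = urlsplit(url)
    host = p.hostname or ""
    filename = p.path.rsplit("/", 1)[-1]
    if host in DUAL_FAMILY_HOSTS:
        return "mozi+mirai"
    if host in MIRAI_GAFGYT_HOSTS:
        return "mirai/gafgyt"
    if host in MOZI_HOSTS:
        return "mozi"
    # Domain or path is enough: the path is reused across every ClearFake
    # domain, so it still fires when the campaign rotates to a new domain.
    if _under_domain(host, CLEARFAKE_DOMAINS) or p.path == CLEARFAKE_PATH:
        return "clearfake"
    # Behavioural rule for Mozi peers not yet on the list: bare IPv4 host,
    # ephemeral high port, and one of the two known downloader filenames.
    if (IPV4.match(host) and p.port is not None
            and MOZI_PORT_RANGE[0] <= p.port <= MOZI_PORT_RANGE[1]
            and filename in MOZI_FILENAMES):
        return "mozi-pattern"
    return "benign"


def classify_log(text):
    """Parse 'timestamp client method url' lines into (url, label) pairs."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3]
        hits.append((url, classify_url(url)))
    return hits


def summarize(text):
    """Count log lines per label."""
    return Counter(label for _, label in classify_log(text))


# Constructed sample log. Client IPs, timestamps, the 203.0.113.7 host
# (documentation range) and the example.com line are made up; the indicator
# hosts and the ClearFake path are the ones reported above.
SAMPLE_LOG = """\
2026-04-26T03:14:07Z 10.20.30.41 GET http://182.121.9.195:48311/bin.sh
2026-04-26T03:14:09Z 10.20.30.41 GET http://182.121.9.195:48311/i
2026-04-26T05:02:51Z 10.20.30.77 GET https://iron.dex2lavel.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk
2026-04-26T05:03:12Z 10.20.30.77 GET https://blue-fire.rax7pavel.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk
2026-04-26T06:41:00Z 10.20.30.90 GET http://176.65.139.177/run.sh
2026-04-26T08:15:33Z 10.20.30.55 GET http://105.184.239.179:51234/bin.sh
2026-04-26T09:40:10Z 10.20.30.63 GET http://203.0.113.7:55555/bin.sh
2026-04-26T10:00:00Z 10.20.30.12 GET https://www.example.com/index.html
"""

if __name__ == "__main__":
    for url, label in classify_log(SAMPLE_LOG):
        if label != "benign":
            print(f"{label:14s} {url}")
    print(dict(summarize(SAMPLE_LOG)))
```

The 'mozi-pattern' label is deliberately separate from 'mozi' so that list hits and behavioural hits can be tuned independently; a bare-IP download of 'i' from port 55555 on a corporate network is unusual enough to alert on, but an unknown-host match deserves a second look before it is treated as confirmed. The ClearFake path rule will only fire on HTTPS traffic where the proxy performs TLS inspection; without that, the domain rule is the only one of the two that can see the hostname.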