On April 27, 2026, threat intelligence monitoring detected 49 malicious URLs actively distributing malware, with no new CVEs, KEV entries, or infrastructure seizures reported for this period. The threat landscape was dominated by two primary malware families: ClearFake and Mozi botnet variants. ClearFake operations showed continued activity across multiple infrastructure domains using consistent URL patterns, suggesting an active campaign targeting users through fake browser update schemes. The Mozi botnet demonstrated persistent IoT targeting through ELF binaries compiled for multiple architectures (MIPS, ARM), indicating ongoing exploitation of vulnerable network devices.
The malware distribution infrastructure revealed sophisticated adversary tactics, with ClearFake utilizing multiple domains with similar naming patterns (*.in.net) to evade takedowns, while Mozi operators leveraged compromised IoT devices across Asian IP ranges for malware hosting. An Amadey dropper-related payload was also observed, suggesting commodity malware operations remain active. The absence of new vulnerabilities in this reporting period indicates either a slower disclosure cycle or potential exploitation of existing unpatched vulnerabilities.
Organizations should prioritize patching IoT devices against known Mozi exploits, implement network segmentation for IoT infrastructure, and educate users about fake browser update social engineering tactics. Security teams should monitor for ClearFake-related domains and block the identified malicious infrastructure at network perimeters.
Multiple ClearFake malware distribution URLs detected across compromised infrastructure using consistent patterns
29 ClearFake malware download URLs were identified across multiple domains (tov6larek.in.net, kyr1vomen.in.net, nol7sirex.in.net, pax4moren.in.net, tal4miren.in.net, sydo9marel.in.net), all using an identical URI path (/cdk-msdn-3457325-null/load-file0dsdf567.chk). This suggests an active social engineering campaign leveraging fake browser updates to deliver malware payloads.
Extensive Mozi botnet infrastructure observed distributing ELF malware for IoT device compromise
19 unique URLs were observed hosting Mozi botnet payloads targeting IoT devices, delivered as ELF binaries for MIPS and ARM architectures. Distribution servers were located primarily in Asian IP ranges (China Telecom, China Unicom networks). Malware was delivered via /bin.sh and /i endpoints, typical of automated IoT exploitation campaigns targeting routers, cameras, and DVRs.
Amadey dropper payload observed in active distribution
A malicious executable (file_6f1ef49e8c12f566.exe) was identified as an Amadey-dropped payload hosted on 91.92.241.243. Amadey is a modular trojan used for initial access and follow-on payload delivery, often distributed through malvertising and exploit kits.
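The report recommends monitoring for ClearFake domains and blocking the listed infrastructure. The following detector, an added example that is not part of the report, shows how the three indicator sets above (the ClearFake *.in.net domains and fixed URI path, the Mozi /bin.sh and /i endpoints on bare-IP hosts, and the Amadey host) can be turned into a proxy-log sweep; the log format and the sample lines are constructed for the example, and the bare-IP check for Mozi is a heuristic assumption, not something the report states.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Indicators taken from the report (April 27, 2026 detections).
CLEARFAKE_DOMAINS = {
    "tov6larek.in.net", "kyr1vomen.in.net", "nol7sirex.in.net",
    "pax4moren.in.net", "tal4miren.in.net", "sydo9marel.in.net",
}
# The URI path was identical across every observed ClearFake download,
# so it is matched on any *.in.net host, not only the six listed domains.
CLEARFAKE_URI = re.compile(r"^/cdk-msdn-3457325-null/load-file0dsdf567\.chk$")
# Mozi payloads were served from /bin.sh and /i. Assumption for this example:
# only fire when the host is a bare IP, to avoid matching ordinary web traffic.
MOZI_URI = re.compile(r"^/(bin\.sh|i)$")
BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
AMADEY_HOST = "91.92.241.243"

def classify_url(url: str) -> Optional[str]:
    """Return the campaign name if the URL matches a reported indicator, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path or "/"
    if host in CLEARFAKE_DOMAINS or (host.endswith(".in.net") and CLEARFAKE_URI.match(path)):
        return "ClearFake"
    if host == AMADEY_HOST:
        return "Amadey"
    if BARE_IP.match(host) and MOZI_URI.match(path):
        return "Mozi"
    return None

def scan_proxy_log(lines):
    """Return (client_ip, url, campaign) for each line hitting an indicator.
    Constructed line format: '<timestamp> <client_ip> <url>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than failing the sweep
        campaign = classify_url(parts[2])
        if campaign:
            hits.append((parts[1], parts[2], campaign))
    return hits

# Constructed sample proxy log; these client IPs and events are not real.
SAMPLE_LOG = [
    "2026-04-27T09:12:03Z 10.0.5.21 http://tov6larek.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk",
    "2026-04-27T09:12:09Z 10.0.5.21 https://www.example.com/index.html",
    "2026-04-27T09:14:44Z 10.0.8.7 http://203.0.113.45/bin.sh",
    "2026-04-27T09:15:01Z 10.0.9.3 http://91.92.241.243/file_6f1ef49e8c12f566.exe",
    "2026-04-27T09:16:30Z 10.0.5.21 http://newhost7.in.net/cdk-msdn-3457325-null/load-file0dsdf567.chk",
]

if __name__ == "__main__":
    for client, url, campaign in scan_proxy_log(SAMPLE_LOG):
        print(f"{campaign:10s} {client:12s} {url}")
```

The last sample line shows why the URI path is matched independently of the domain list: a newly registered *.in.net host reusing the same path is still caught.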
Analysis of techniques employed across detected malware campaigns
Mozi botnet operations demonstrate persistent scanning and exploitation of IoT devices using known vulnerabilities. The multi-architecture payload support (MIPS, ARM) indicates targeting of diverse device types including routers, IP cameras, and DVRs.
ClearFake campaigns continue to abuse user trust in browser security updates, using convincing fake update pages to trick victims into executing malicious payloads. The consistent URL patterns suggest automated infrastructure deployment.