This daily threat intelligence briefing for April 29, 2026, identifies significant malware distribution activity with 52 malicious URLs detected across multiple threat campaigns. The landscape is dominated by three primary threats: IoT-focused botnet infrastructure (Mozi and Mirai variants), browser-based social engineering campaigns (ClearFake), and commodity malware loaders (Amadey/SmokeLoader). The absence of new CVE or KEV entries suggests a shift toward exploitation of existing vulnerabilities and social engineering tactics.
The most concerning trend is the sustained IoT botnet activity, with Mozi and Mirai malware targeting multiple architectures (MIPS, ARM, x86) across geographically diverse infrastructure. ClearFake campaigns remain active with 17 malicious URLs utilizing consistent naming patterns across multiple domains, indicating coordinated infrastructure. Amadey loader activity demonstrates continued use of this malware-as-a-service platform for second-stage payload delivery, including SmokeLoader.
Organizations should prioritize IoT device security, implement browser-based threat protection, and maintain vigilance against commodity malware loaders. The geographic distribution of malicious infrastructure spans Asia-Pacific and Europe, and suggests that compromised residential and small business networks are being weaponized for malware distribution.
Significant malware distribution activity targeting IoT devices with Mozi and Mirai variants across multiple architectures and geographic regions.
GuruIT DDoS botnet distributing Mirai malware across 11 different architectures (including ARM, ARM7, ARM6, x86, MIPS, MPSL, ARC, SH4, SPC) from two IP addresses (92.88.98.199 and 92.88.98.92). Targets multiple IoT device types with architecture-specific binaries, fetched with wget-based user agents.
Active Mozi botnet infrastructure identified across 13 unique IP addresses in APAC region, distributing 32-bit ELF binaries for MIPS and ARM architectures. Mozi continues to exploit IoT vulnerabilities for botnet recruitment despite P2P network disruption efforts.
Additional Mirai distribution activity identified on compromised hosts using non-standard high ports. Infrastructure suggests compromised residential routers and IoT devices being repurposed for malware distribution.
Sustained ClearFake malware distribution leveraging fake browser update social engineering across multiple domains with consistent infrastructure patterns.
17 malicious URLs identified across three distinct domain clusters (grov9essa.garden, flo5renth.garden, verda7lya.garden) distributing ClearFake malware. All URLs use identical file paths (/cdk-msdn-3457325-null/load-file0dsdf567.chk), indicating centralized campaign management and infrastructure rotation strategy.
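The campaign signature above is a single file path reused across rotating domains. The following added example (not code from the report) shows two complementary checks: an exact IOC match on the path and the three named domain clusters, and a rotation heuristic that flags any path served from several unrelated registered domains, which catches the same campaign after it moves to domains not yet on a blocklist. The sample URLs and their subdomain labels are constructed for the example; only the path and the three .garden domains come from the briefing.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample URLs in the shape described in the briefing. The subdomain
# labels and the example.* hosts are assumptions for the demo, not indicators.
SAMPLE_URLS = [
    "https://a1b2.grov9essa.garden/cdk-msdn-3457325-null/load-file0dsdf567.chk",
    "https://zz9q.grov9essa.garden/cdk-msdn-3457325-null/load-file0dsdf567.chk",
    "https://k4m.flo5renth.garden/cdk-msdn-3457325-null/load-file0dsdf567.chk",
    "https://p0x.verda7lya.garden/cdk-msdn-3457325-null/load-file0dsdf567.chk",
    "https://cdn.example.com/assets/app.js",
    # same campaign path on a domain the report does not list: a rotated domain
    "https://updates.example.org/cdk-msdn-3457325-null/load-file0dsdf567.chk",
    "https://static.example.net/assets/app.js",
]

# Indicators taken from the briefing
CLEARFAKE_PATH = "/cdk-msdn-3457325-null/load-file0dsdf567.chk"
CLEARFAKE_DOMAINS = {"grov9essa.garden", "flo5renth.garden", "verda7lya.garden"}


def registered_domain(host):
    """Last two labels of the host name. Adequate for .garden, which has no
    public-suffix subtree; use a public suffix list for general traffic."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def match_known_iocs(urls):
    """Exact match: the campaign path on one of the named domain clusters."""
    hits = []
    for u in urls:
        p = urlparse(u)
        host = p.hostname or ""
        if p.path == CLEARFAKE_PATH and registered_domain(host) in CLEARFAKE_DOMAINS:
            hits.append(u)
    return hits


def shared_path_clusters(urls, min_domains=3):
    """Rotation heuristic: a multi-segment path served from at least
    min_domains distinct registered domains. Returns {path: [domains]}."""
    by_path = defaultdict(set)
    for u in urls:
        p = urlparse(u)
        if p.hostname and len(p.path.strip("/").split("/")) >= 2:
            by_path[p.path].add(registered_domain(p.hostname))
    return {path: sorted(doms) for path, doms in by_path.items() if len(doms) >= min_domains}


if __name__ == "__main__":
    for u in match_known_iocs(SAMPLE_URLS):
        print("IOC match:", u)
    for path, doms in shared_path_clusters(SAMPLE_URLS).items():
        print("shared path", path, "across", doms)
```

The heuristic deliberately ignores single-segment paths such as `/index.html`, which legitimately recur across unrelated sites; the threshold of three domains mirrors the three clusters observed here and should be tuned against normal traffic before alerting on it.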
Amadey loader infrastructure actively distributing secondary payloads including SmokeLoader and unidentified malware families.
Three URLs on two distinct IP addresses (62.60.226.140 and 91.92.241.243) distributing payloads dropped by Amadey loader. One payload identified as SmokeLoader (54e64e family), indicating multi-stage infection chains and malware-as-a-service operations.
Analysis of observed tactics, techniques, and infrastructure management strategies employed by threat actors during this period.
ClearFake operators demonstrate sophisticated infrastructure management, using algorithmically generated subdomains under three domains in the .garden TLD. This technique complicates blocklist-based defenses and enables rapid infrastructure rotation while maintaining centralized campaign control.
Both Mirai and Mozi campaigns demonstrate the capability to compile and deploy malware binaries for 8+ CPU architectures, maximizing IoT device compatibility. This approach significantly expands the attack surface and complicates detection, since each architecture's binaries require separate analysis.
Analysis of IP addresses and port patterns suggests threat actors are compromising residential and small business networks to host malware distribution infrastructure. Use of non-standard high ports (38303-57030 range) indicates exploitation of IoT devices and routers with exposed management interfaces.
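The IoT botnet observations above (architecture-named binaries fetched with wget user agents from the two GuruIT addresses, and distribution over non-standard high ports in the 38303-57030 range) translate into a simple multi-signal detection over egress proxy or firewall logs. The following is an added example, not code from the report: it scores each log line on the signals the briefing describes and alerts when two or more coincide. The log format, the source hosts, the 203.0.113.x and 198.51.100.x destinations, and the binary file names are constructed; the 92.88.98.199, 92.88.98.92, 62.60.226.140 and 91.92.241.243 addresses, the port range and the architecture list come from the briefing.

```python
import re

# Constructed egress log lines (not from the report). Assumed format:
# <ts> <src_ip> <dst_ip>:<dst_port> "<method> <url>" <status> "<user_agent>"
SAMPLE_LOG = """\
2026-04-29T08:01:12Z 10.0.3.14 92.88.98.199:80 "GET http://92.88.98.199/bins/x.arm7" 200 "Wget/1.20.3 (linux-gnu)"
2026-04-29T08:01:13Z 10.0.3.14 92.88.98.92:80 "GET http://92.88.98.92/bins/x.mpsl" 200 "Wget/1.20.3 (linux-gnu)"
2026-04-29T08:05:40Z 10.0.7.2 203.0.113.77:38303 "GET http://203.0.113.77:38303/mozi.mips" 200 "Wget/1.12 (linux-gnu)"
2026-04-29T08:07:01Z 10.0.5.9 198.51.100.20:443 "GET https://198.51.100.20/api/v1/status" 200 "Mozilla/5.0"
2026-04-29T08:09:55Z 10.0.3.14 203.0.113.88:57030 "GET http://203.0.113.88:57030/x86" 404 "Wget/1.20.3 (linux-gnu)"
"""

# Distribution addresses named in the briefing (Mirai/GuruIT and Amadey hosts)
KNOWN_DISTRIBUTION_IPS = {"92.88.98.199", "92.88.98.92", "62.60.226.140", "91.92.241.243"}
# Architecture tokens from the briefing's Mirai build list plus the Mozi targets
ARCH_TOKENS = {"arm", "arm6", "arm7", "x86", "mips", "mpsl", "arc", "sh4", "spc"}
HIGH_PORT_RANGE = (38303, 57030)

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) '
    r'"(?P<method>\S+) (?P<url>\S+)" (?P<status>\d+) "(?P<ua>[^"]*)"$'
)


def score_line(line):
    """Return the list of botnet-distribution signals present on one log line,
    or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    reasons = []
    port = int(m["port"])
    if m["dst"] in KNOWN_DISTRIBUTION_IPS:
        reasons.append("known-distribution-ip")
    if HIGH_PORT_RANGE[0] <= port <= HIGH_PORT_RANGE[1]:
        reasons.append("non-standard-high-port")
    if m["ua"].lower().startswith("wget/"):
        reasons.append("wget-user-agent")
    # Architecture-named payload: "x.arm7", "mozi.mips", or a bare "x86"
    fname = m["url"].rsplit("/", 1)[-1].lower()
    ext = fname.rsplit(".", 1)[-1] if "." in fname else fname
    if ext in ARCH_TOKENS:
        reasons.append("arch-named-binary:" + ext)
    return reasons


def find_iot_downloads(log_text, min_reasons=2):
    """Alert on lines where at least min_reasons signals coincide.
    Returns [(source_ip, [reasons]), ...]; a 404 still counts, since the
    attempt itself marks the source host as likely compromised."""
    alerts = []
    for line in log_text.splitlines():
        reasons = score_line(line)
        if reasons and len(reasons) >= min_reasons:
            alerts.append((line.split(" ", 2)[1], reasons))
    return alerts


if __name__ == "__main__":
    for src, reasons in find_iot_downloads(SAMPLE_LOG):
        print(src, "->", ", ".join(reasons))
```

Requiring two coinciding signals keeps a lone wget download or a single high-port connection from alerting on its own; the internal source address is what matters for response, since it identifies the router or IoT device that is being recruited or has already been repurposed as a distribution host.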