On May 1, 2026, the threat landscape was characterized by significant IoT botnet activity and critical infrastructure vulnerabilities. A new Linux kernel privilege escalation vulnerability (CVE-2026-31431) was added to CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. This vulnerability affects resource transfer controls and poses a critical risk to Linux-based systems.
Concurrent with this vulnerability disclosure, substantial malicious infrastructure was observed distributing Mirai and Mozi botnet variants targeting IoT devices. Multiple distribution servers hosted dozens of architecture-specific malware binaries, indicating ongoing large-scale IoT compromise campaigns. Additionally, ClearFake malware distribution infrastructure remained active with numerous fake browser update delivery domains. The combination of a critical kernel vulnerability and aggressive IoT botnet campaigns suggests an elevated risk period for Linux-based infrastructure and connected devices.
Organizations should prioritize patching Linux kernel vulnerabilities, implement network segmentation for IoT devices, and monitor for indicators associated with the identified malware distribution infrastructure. The targeting of multiple CPU architectures by Mirai/Mozi variants demonstrates threat actors' commitment to maximizing IoT device compromise at scale.
One critical Linux kernel vulnerability was added to the CISA KEV catalog, indicating active exploitation
The Linux kernel contains an incorrect resource transfer between spheres vulnerability enabling privilege escalation. It was added to the CISA KEV catalog, indicating confirmed exploitation in the wild. The flaw affects core kernel resource management, allowing attackers to escalate privileges on compromised Linux systems.
Significant Mirai and Mozi botnet distribution activity observed across multiple infrastructure servers targeting diverse IoT architectures
Infrastructure at 142.248.80.144 hosting 'vaxbot' Mirai variant binaries for 16 different CPU architectures (ARM, MIPS, x86, PowerPC, SH4, ARC, SPARC, m68k). Indicates a large-scale IoT targeting campaign with comprehensive architecture coverage. Downloads carry a wget user-agent.
Multiple Chinese IP addresses (123.4.139.83, 120.28.194.160, 182.116.49.166, 182.113.26.199, 220.202.91.126, 58.47.105.142, 42.227.151.143, 110.36.93.182, 123.9.111.83, 123.11.7.160) distributing Mozi botnet payloads. Primarily targeting MIPS and ARM architectures common in routers and IoT devices. Uses shell scripts ('bin.sh') and direct binary downloads.
Infrastructure at 89.144.31.35 serving six different ELF malware payloads with obfuscated filenames (LZL4, wJV1, VEO7, 3Ap, MDHH, BiG). Generic ELF classification suggests either an unidentified malware family or polymorphic variants. Downloads carry a wget user-agent.
Multiple domains (tari8lax.surf, foersteron.work, rolfgrassinger.work) hosting ClearFake fake browser update malware under 'verify-token-7a1f/runtime.validator' paths. Infrastructure uses various subdomain patterns (api-secured, dev-node1, api-v12, srv-secure, web-access7, root-hub, proxy-gate, m-cache90, data-sync, rolf-admin, status-check, edge-v6, user-portal) to evade detection. Delivers malware disguised as browser security updates.
Analysis of observed adversary methods reveals extensive use of automated delivery systems and multi-architecture targeting
Threat actors demonstrate sophisticated capability to compile and distribute malware for 16+ CPU architectures, enabling compromise of diverse IoT device types including routers, cameras, DVRs, and embedded systems. This approach maximizes botnet recruitment across heterogeneous IoT ecosystems.
Downloads in the observed malware campaigns predominantly carry a wget user-agent, suggesting exploitation of devices that ship wget or command injection vulnerabilities that allow wget execution. This technique is common in IoT compromise, where curl is often not available.
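As an added defender-side example, not part of this report, the following Python scans proxy log lines for the indicators the report lists: the watchlisted hosts, the ClearFake 'verify-token-7a1f/runtime.validator' path, and wget fetches of architecture-suffixed binaries. The log line format, the architecture-suffix naming convention and the sample log lines are all assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Hosts and the ClearFake path are taken from the report above.
WATCHLIST_HOSTS = {
    "142.248.80.144", "89.144.31.35", "123.4.139.83", "120.28.194.160",
    "182.116.49.166", "182.113.26.199", "220.202.91.126", "58.47.105.142",
    "42.227.151.143", "110.36.93.182", "123.9.111.83", "123.11.7.160",
    "tari8lax.surf", "foersteron.work", "rolfgrassinger.work",
}
CLEARFAKE_PATH = "verify-token-7a1f/runtime.validator"
# Assumed naming convention for multi-architecture dropper binaries (e.g. name.arm7, name.mips).
ARCH_RE = re.compile(
    r"\.(arm\d?|armv\dl|mips(el)?|x86(_64)?|i[3-6]86|ppc|powerpc|sh4|arc|sparc|m68k)$", re.I)
# Assumed proxy log format: client_ip dest_host[:port] path "user_agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if nothing matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, dest, path, ua = m.groups()
    dest_host = dest.split(":")[0]
    reasons = []
    if dest_host in WATCHLIST_HOSTS:
        reasons.append("destination on report watchlist")
    if CLEARFAKE_PATH in path:
        reasons.append("ClearFake fake-update path")
    # Weakest signal on its own: a wget client pulling an architecture-suffixed file.
    if ua.lower().startswith("wget/") and ARCH_RE.search(path.rsplit("/", 1)[-1]):
        reasons.append("wget fetch of architecture-specific binary")
    if not reasons:
        return None
    return {"client": client, "dest": dest_host, "path": path, "reasons": "; ".join(reasons)}

def scan(log_text: str) -> List[Dict[str, str]]:
    """Run classify() over every non-empty line and keep the findings."""
    return [r for r in (classify(l) for l in log_text.splitlines() if l.strip()) if r]

# Constructed sample log; the last line is a benign wget download that only trips the weak signal.
SAMPLE_LOG = """\
10.0.5.21 142.248.80.144:80 /vaxbot.arm7 "Wget/1.21.1"
10.0.5.22 58.47.105.142 /bin.sh "Wget/1.20.3 (linux-gnu)"
10.0.9.3 tari8lax.surf /verify-token-7a1f/runtime.validator "Mozilla/5.0 (Windows NT 10.0) Chrome/124"
10.0.7.8 updates.example.org /firmware/v2.bin "curl/8.4.0"
10.0.7.9 mirror.example.org /pkg/tool.x86_64 "Wget/1.21.4"
"""
```

The final sample line shows why the wget-plus-architecture heuristic should be treated as a triage signal rather than an alert by itself; the watchlist and ClearFake path matches are the high-confidence hits.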
New analysis tools and methodologies published for security operations teams
A new blog post compares two email analysis platforms for phishing investigation workflows, providing guidance for security teams evaluating email forensics tooling for SOC and incident response operations.