On May 2, 2026, threat intelligence monitoring identified 50 active malware distribution URLs; no critical vulnerabilities, KEV updates, or infrastructure seizures were reported. The predominant threats observed are ClearFake social engineering campaigns, Mozi botnet activity targeting IoT devices, and suspicious distribution of ConnectWise ScreenConnect executables. The ClearFake campaign continues to use typosquatted domains for credential harvesting, while Mozi infrastructure remains active with multiple MIPS-based payload delivery endpoints. The distribution of ConnectWise executables from multiple IP addresses is a concerning pattern that suggests either a supply chain compromise or abuse of a legitimate remote access tool for initial access operations.
The threat landscape for this period is dominated by persistent botnet operations and social engineering campaigns rather than exploitation of newly disclosed vulnerabilities. Organizations should prioritize monitoring IoT devices for Mozi indicators, verify that any ScreenConnect installer present on endpoints was fetched from an approved source, and add the ClearFake-associated domains to web filtering blocklists. With no law enforcement actions or major infrastructure disruptions reported, these threats are likely to continue unabated in the near term.
Multiple ClearFake malware distribution URLs were detected on typosquatted domains designed to impersonate legitimate services and harvest credentials.
Six distinct ClearFake distribution URLs identified on notice-ohlamon.surf subdomains (bala6-forge, 82db, merfluxar4, ultrafal) using UUID-based paths targeting user credential theft through fake update prompts.
Five additional ClearFake distribution URLs on breadpotho1e.surf subdomains (wildlan, summitdawn, gj5n, rq6yosv, 0gf8) utilizing identical UUID-based URL structure for social engineering attacks.
Active Mozi botnet distribution infrastructure detected with multiple payload delivery endpoints targeting IoT devices with MIPS and ARM architectures.
Seven active Mozi distribution URLs deliver 32-bit ELF MIPS binaries from compromised IoT devices (87.110.15.80, 221.15.188.45, 42.233.138.220, 182.117.76.28, 61.54.192.198, 136.60.32.162, 115.49.65.41), indicating ongoing botnet propagation. Because these hosts are themselves infected devices rather than dedicated attacker infrastructure, the address list will churn quickly; detection should key on the payload (32-bit MIPS ELF executables fetched from bare IP addresses) rather than on the addresses alone.
An ARM-based ELF payload with Mirai characteristics is distributed from 168.227.163.32:47953, which may indicate cross-botnet infrastructure sharing or a hybrid botnet variant. Note that Mozi itself reuses code from Mirai and Gafgyt, so Mirai-like characteristics alone do not rule out a Mozi build.
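The Mozi and Mirai-style payloads above are distinguished by their ELF headers (32-bit class, MIPS or ARM machine type, often big-endian for MIPS). The following is an added triage example, not code from the original report: it reads the ELF identification bytes and e_machine field of a downloaded file and flags 32-bit MIPS/ARM executables as IoT-botnet candidates. The sample headers are constructed from the ELF specification and are not real malware; the candidate heuristic is an assumption for triage, not proof of malice.

```python
import struct
import sys
from typing import Optional

# ELF e_ident offsets and values (from the ELF specification).
EI_CLASS, EI_DATA = 4, 5
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC = 2

# e_machine values for the architectures worth distinguishing here.
MACHINE_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def _header(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Build the first 20 bytes of an ELF file: magic, e_ident, e_type, e_machine."""
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    return (b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
            + struct.pack(endian + "HH", e_type, e_machine))


# Constructed sample headers (not real malware), enough for the classification below.
SAMPLE_MIPS_BE = _header(ELFCLASS32, ELFDATA2MSB, ET_EXEC, 8)   # big-endian MIPS32, the typical Mozi profile
SAMPLE_ARM_LE = _header(ELFCLASS32, ELFDATA2LSB, ET_EXEC, 40)   # little-endian ARM32
SAMPLE_X86_64 = _header(ELFCLASS64, ELFDATA2LSB, ET_EXEC, 62)   # 64-bit x86, not an IoT target
SAMPLE_NOT_ELF = b"MZ\x90\x00" + b"\x00" * 16                   # PE magic, must be rejected


def classify_elf(data: bytes) -> Optional[dict]:
    """Return bits/endianness/type/machine for an ELF blob, or None if it is not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[EI_CLASS], data[EI_DATA]
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        return None
    # e_type and e_machine are 16-bit fields at offsets 16 and 18, in the file's own byte order.
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == ELFCLASS32 else 64,
        "endian": "little" if ei_data == ELFDATA2LSB else "big",
        "type": e_type,
        "machine": MACHINE_NAMES.get(e_machine, f"unknown({e_machine})"),
    }


def is_iot_botnet_candidate(data: bytes) -> bool:
    """Triage heuristic (assumption): a 32-bit MIPS or ARM executable matches the
    profile of the Mozi/Mirai payloads in the report. It is a prioritisation aid only."""
    info = classify_elf(data)
    return bool(info) and info["bits"] == 32 and info["type"] == ET_EXEC \
        and info["machine"] in ("MIPS", "ARM")


if __name__ == "__main__":
    # Classify a file given on the command line, or the constructed samples otherwise.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read(20)
        print(classify_elf(blob), is_iot_botnet_candidate(blob))
    else:
        for name, blob in (("mips_be", SAMPLE_MIPS_BE), ("arm_le", SAMPLE_ARM_LE),
                           ("x86_64", SAMPLE_X86_64), ("not_elf", SAMPLE_NOT_ELF)):
            print(f"{name:<8} {classify_elf(blob)} candidate={is_iot_botnet_candidate(blob)}")
```

Run it against any binary retrieved from a bare-IP URL by a device on the IoT segment; a 32-bit MIPS or ARM hit is worth a sandbox detonation before the address it came from is even looked up, since the page's own list shows those addresses are victims that will change.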
Multiple hosts distributing ConnectWise ScreenConnect executables via wget, potentially indicating compromised legitimate software or trojanized remote access tools.
Fourteen URLs in the 178.16.x.x range distribute ScreenConnect.ClientSetup.exe and support.client.exe to clients presenting a Wget user-agent. A scripted fetch of a remote access installer from a bare IP address is characteristic of automated deployment by an intruder, and could alternatively indicate a supply chain compromise of the installer itself.
ConnectWise executables distributed from 158.94.211.92 and 91.92.241.x range, expanding geographic footprint of suspicious remote access tool deployment.
Miscellaneous malware distribution endpoints including shellcode loaders and obfuscated payloads.
A dynamic malware delivery system on 178.16.52.194 serves architecture-specific payloads (a32, a64, l32, l64) selected by query parameter, indicating that the dropper identifies the victim's architecture and fetches the matching binary.
Base64-encoded PowerShell script distributed from 130.12.180.141, typical of fileless malware delivery and obfuscated initial access techniques.
Shell script delivering ELF malware from 31.211.189.87, likely targeting Linux systems for post-exploitation or lateral movement.
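The URL patterns described for ClearFake (UUID-only paths on subdomains of the two listed .surf domains), for the ScreenConnect installers (fetched by Wget from the 178.16.x.x, 158.94.211.92 and 91.92.241.x sources), and for the architecture-selecting downloads on 178.16.52.194 can all be turned into proxy-log detections. The following is an added example written for this page, not code from the original report or from any vendor: it runs three rules over constructed proxy log lines. The log format, the approved ScreenConnect host, the query parameter name "arch", the path bins.php and the .10 address inside 91.92.241.0/24 are assumptions made for the sample; the indicators themselves come from the text above. The ScreenConnect rule goes beyond the page's wording in one respect: it also raises a lower-tier alert for any installer fetched from a non-approved host, which is the check behind "validate legitimate ConnectWise installations".

```python
import re
from ipaddress import ip_address, ip_network
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the report: ClearFake domains, ScreenConnect file names,
# the address ranges distributing them, and the architecture selector values.
CLEARFAKE_DOMAINS = {"notice-ohlamon.surf", "breadpotho1e.surf"}
SCREENCONNECT_FILES = {"screenconnect.clientsetup.exe", "support.client.exe"}
SUSPICIOUS_NETWORKS = [ip_network(n) for n in ("178.16.0.0/16", "158.94.211.92/32", "91.92.241.0/24")]
ARCH_SELECTORS = {"a32", "a64", "l32", "l64"}

# Assumption: the hosts from which the organisation legitimately distributes ScreenConnect.
APPROVED_SC_HOSTS = {"support.corp.example"}

# Path consisting of a single RFC 4122-style UUID, as on the ClearFake URLs.
UUID_PATH_RE = re.compile(r"^/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/?$", re.I)

# Constructed proxy log lines (not from the report); fields: time | client | url | user-agent.
# The "arch" parameter name, bins.php and the 91.92.241.10 host are assumptions.
SAMPLE_LOG = """\
2026-05-02T08:01:12Z | 10.1.4.23 | https://bala6-forge.notice-ohlamon.surf/3f2504e0-4f89-11d3-9a0c-0305e82c3301 | Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2026-05-02T08:03:40Z | 10.1.7.5 | http://178.16.52.194/ScreenConnect.ClientSetup.exe | Wget/1.21.4
2026-05-02T08:05:02Z | 10.1.9.8 | http://178.16.52.194/bins.php?arch=l64 | curl/8.4.0
2026-05-02T08:06:11Z | 10.1.4.23 | https://www.example.com/update/3f2504e0-4f89-11d3-9a0c-0305e82c3301 | Mozilla/5.0
2026-05-02T08:07:30Z | 10.1.2.2 | https://support.corp.example/ScreenConnect.ClientSetup.exe | Mozilla/5.0
2026-05-02T08:09:55Z | 10.1.6.14 | http://91.92.241.10/support.client.exe | Mozilla/5.0
"""


def _host_matches(host: str, domains: set) -> bool:
    """True when host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def _host_in_suspicious_networks(host: str) -> bool:
    try:
        addr = ip_address(host)
    except ValueError:          # a DNS name, not an IP literal
        return False
    return any(addr in net for net in SUSPICIOUS_NETWORKS)


def classify_request(url: str, user_agent: str) -> List[str]:
    """Return the names of every detection rule the request matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1].lower()
    hits: List[str] = []

    # ClearFake: known domain (or subdomain of it) plus a bare-UUID path.
    if _host_matches(host, CLEARFAKE_DOMAINS) and UUID_PATH_RE.match(parts.path):
        hits.append("clearfake-uuid-path")

    # ScreenConnect installer from anywhere other than the approved hosts;
    # escalate when the source is a known-bad range or the fetch is scripted (Wget).
    if filename in SCREENCONNECT_FILES and host not in APPROVED_SC_HOSTS:
        hits.append("screenconnect-unapproved-host")
        if _host_in_suspicious_networks(host) or user_agent.lower().startswith("wget/"):
            hits.append("screenconnect-ioc-source")

    # Architecture-selecting download: any query value in the a32/a64/l32/l64 set
    # from a known-bad range, whatever the parameter is called.
    values = {v.lower() for vals in parse_qs(parts.query).values() for v in vals}
    if _host_in_suspicious_networks(host) and values & ARCH_SELECTORS:
        hits.append("arch-selector-download")

    return hits


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Run every log line through classify_request; returns (client, rule, url) tuples."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, url, ua = (f.strip() for f in line.split(" | ", 3))
        for rule in classify_request(url, ua):
            alerts.append((client, rule, url))
    return alerts


if __name__ == "__main__":
    for client, rule, url in scan(SAMPLE_LOG):
        print(f"{client:<10} {rule:<30} {url}")
```

The ClearFake rule matches subdomains rather than exact hostnames because the report shows the campaign rotating labels (bala6-forge, wildlan, rq6yosv and so on) under two fixed registered domains. The UUID-path check is deliberately not applied on its own: many legitimate CDNs use UUID paths, so it only sharpens a domain match rather than replacing it.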