On May 4, 2026, threat intelligence collection identified 50 malicious URLs actively distributing malware, with no RSS articles, CVE entries, or law enforcement seizures reported during this 24-hour period. The dominant threats observed include ClearFake malware campaigns leveraging social engineering techniques and continued botnet activity from Mozi and Mirai variants targeting IoT devices. The malware distribution infrastructure demonstrates sophisticated adversary tactics, including the use of randomly generated subdomains and geographically distributed hosting to evade detection.
ClearFake campaigns account for 30 malicious URLs (60% of activity), utilizing domains with varied subdomains across three primary infrastructure clusters (potion5vealy.lat, rollers-faced.lat, and bureauc-diachiha.lat). IoT-focused botnet malware (Mozi, Mirai) represents 17 URLs (34%), primarily targeting MIPS and ARM architectures through compromised routers and embedded devices. Additionally, Amadey malware dropper infrastructure was observed distributing secondary payloads via batch scripts. These threats collectively demonstrate active exploitation of user trust, vulnerable IoT devices, and established botnet infrastructure.
Large-scale ClearFake malware distribution campaign using multiple domain infrastructure clusters with typosquatting and legitimate-sounding subdomains
Multiple subdomains under potion5vealy.lat serving ClearFake malware through URLs designed to mimic system verification and software update processes. Subdomains include hotfix, ipnode, getcfg, sslkey, sshbin, and tmpdir.
ClearFake distribution through rollers-faced.lat utilizing subdomains cmdset, skyvpn, dbinst, apidoc, metalt, and osbase. URLs contain obfuscated paths suggesting access verification themes.
Additional ClearFake infrastructure observed across quirky-shedding.lat, pas5eruharsky.lat, bureauc-diachiha.lat, and goldembr0idery.lat domains, indicating distributed and redundant malware delivery infrastructure.
Ongoing botnet malware distribution targeting IoT devices, primarily MIPS and ARM architectures, with active C2 infrastructure across Asian IP ranges
Multiple IP addresses distributing Mozi botnet malware targeting MIPS architecture IoT devices. Active distribution observed from Chinese IP ranges (115.x.x.x, 182.x.x.x, 42.x.x.x) using shell script droppers (bin.sh) on high-numbered ports.
Mirai botnet variants observed targeting ARM architecture devices from IP addresses 42.237.17.240 and 196.189.68.239, expanding botnet infrastructure across multiple geographic regions.
Active Amadey malware dropper infrastructure delivering secondary payloads through batch script execution
IP address 62.60.226.140 hosting Amadey dropper infrastructure distributing multiple BAT files and executables. Observed files include randomly named batch scripts (KSGIUCN.bat, SzM66Qy.bat, 2fh2tbR.bat, gmKTIHA.bat, P6qauiK.bat) and random.exe, suggesting automated payload generation and distribution.
Analysis of adversary tactics, techniques, and procedures observed in malware distribution infrastructure
ClearFake campaigns demonstrate sophisticated domain infrastructure using legitimate-sounding subdomains (hotfix, sslkey, apidoc, osbase, getcfg) combined with unusual TLDs (.lat) to evade detection and establish trust. Randomly generated path parameters suggest automated campaign generation.
Botnet infrastructure consistently uses high-numbered ports (34550, 42617, 44666, 47004, 51355, 51636, 58514, 60523) for malware distribution, likely targeting vulnerable IoT devices with weak authentication on non-standard service ports.
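Added detection example, not part of the report: a Python classifier that matches proxy-log URLs against the indicators quoted above (the ClearFake domains and subdomain keywords, the IoT dropper ports and bin.sh filename, the Mirai and Amadey hosts) and, as a generalisation of the .lat observation, also flags any other .lat domain that uses one of the ClearFake subdomain keywords. The log line format and the sample lines are constructed; the 192.0.2.x address and example-other.lat are placeholders.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted from the report; the .lat subdomain check below is a heuristic generalisation.
CLEARFAKE_DOMAINS = {"potion5vealy.lat", "rollers-faced.lat", "bureauc-diachiha.lat",
                     "quirky-shedding.lat", "pas5eruharsky.lat", "goldembr0idery.lat"}
CLEARFAKE_SUBDOMAINS = {"hotfix", "ipnode", "getcfg", "sslkey", "sshbin", "tmpdir",
                        "cmdset", "skyvpn", "dbinst", "apidoc", "metalt", "osbase"}
IOT_DROPPER_PORTS = {34550, 42617, 44666, 47004, 51355, 51636, 58514, 60523}
MIRAI_HOSTS = {"42.237.17.240", "196.189.68.239"}
AMADEY_HOST = "62.60.226.140"

def classify_url(url):
    """Return an indicator label for one URL, or None when nothing in the report matches."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    port = p.port or (443 if p.scheme == "https" else 80)
    labels = host.split(".")
    registered = ".".join(labels[-2:])  # e.g. potion5vealy.lat
    if registered in CLEARFAKE_DOMAINS:
        return "clearfake-known-domain"
    # Heuristic: a ClearFake subdomain keyword on any other .lat domain
    if labels[-1] == "lat" and len(labels) >= 3 and labels[0] in CLEARFAKE_SUBDOMAINS:
        return "clearfake-like-lat-subdomain"
    if (p.path.endswith("/bin.sh") and port in IOT_DROPPER_PORTS) or host in MIRAI_HOSTS:
        return "iot-botnet-dropper"
    if host == AMADEY_HOST and p.path.lower().endswith((".bat", ".exe")):
        return "amadey-dropper"
    return None

# Constructed proxy-log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def scan_proxy_log(lines):
    """Return (client, url, label) for every log line whose URL matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and (label := classify_url(m.group(4))):
            hits.append((m.group(2), m.group(4), label))
    return hits

# Constructed sample lines combining the report's hosts, subdomains, filenames and ports.
SAMPLE_LOG = [
    "2026-05-04T08:12:01Z 10.1.2.3 GET https://hotfix.potion5vealy.lat/verify?id=k9s2 200",
    "2026-05-04T08:13:44Z 10.1.2.9 GET http://192.0.2.10:34550/bin.sh 200",
    "2026-05-04T08:15:09Z 10.1.2.7 GET http://62.60.226.140/KSGIUCN.bat 200",
    "2026-05-04T08:16:30Z 10.1.2.4 GET https://sslkey.example-other.lat/check 200",
    "2026-05-04T08:17:02Z 10.1.2.5 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for client, url, label in scan_proxy_log(SAMPLE_LOG):
        print(f"{label:30} {client:10} {url}")
```

The known-domain and host matches are exact indicators; the .lat keyword heuristic is a hunting lead that needs analyst confirmation before blocking.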