On May 5, 2026, threat intelligence analysis identified sustained malicious infrastructure activity primarily associated with two distinct malware campaigns: ClearFake and Mozi botnet operations. URLhaus data revealed 50 malicious indicators, with ClearFake accounting for 36 malware distribution URLs and Mozi/Mirai botnet variants responsible for 13 indicators. The ClearFake campaign demonstrates sophisticated social engineering targeting users through fake browser update prompts, distributing DLL payloads via multiple domains including vexon3ar.surf, xam1riel.surf, pavl9ore.surf, 1dorelax.surf, vexo3nar.surf, and sorix7en.surf. Meanwhile, Mozi botnet activity continues exploiting IoT devices through MIPS and ARM architecture targeting, primarily from IP addresses in Asian network ranges (China-based infrastructure). No critical vulnerabilities, KEV additions, or law enforcement actions were reported during this period, indicating routine threat landscape activity focused on commodity malware distribution and IoT compromise.
Large-scale ClearFake malware distribution campaign leveraging multiple domains to deliver malicious DLL payloads through fake browser update schemes.
Multiple malicious URLs on vexon3ar.surf domain delivering kwtor.dll payloads through fake update prompts. Subdomains include oiyksxf, quorvale4et, podcasdeliv, and crystalreef, indicating distributed infrastructure for redundancy.
Six distinct subdomains on xam1riel.surf hosting usr294-verif.confirm payloads: src-get, mod-bus, pkg-run, ext-net, pwr-log, and dom-reg. Campaign uses technical-sounding subdomain names to appear legitimate.
Five malicious subdomains identified on pavl9ore.surf (autbox, refid-1, com-web, task-id, ioflow, syncit) delivering usr294-verif.confirm payloads. Domain naming suggests targeting enterprise or technical users.
ClearFake campaign expanded to 1dorelax.surf, vexo3nar.surf, sorix7en.surf, and izyob7rickets.digital domains, demonstrating threat actor's extensive domain registration for operational resilience and evasion.
Ongoing Mozi botnet activity targeting IoT devices through MIPS and ARM-based malware distribution, primarily from compromised Asian infrastructure.
Multiple IP addresses distributing 32-bit ELF MIPS Mozi variants via /i and /bin.sh endpoints. Distributing IPs include 42.56.148.42, 110.37.42.62, 125.41.222.213, 123.5.114.95, 115.54.130.57, 115.56.157.83, 115.52.176.207, 110.36.76.43, 110.36.30.198, 123.10.38.47, and 175.149.150.170, which suggests compromised routers and IoT devices in China-based networks.
Mozi botnet delivering ARM-based payloads with Mirai characteristics from IPs 125.26.202.113 and 58.23.87.246, indicating cross-architecture targeting to maximize IoT device compromise across different embedded systems.
Mozi distribution from IP 81.237.177.104 in European address space, potentially indicating lateral spread or compromised European IoT infrastructure being leveraged for botnet operations.
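For an analyst who has retrieved one of the MIPS or ARM payloads described above, the first triage step is confirming the target architecture from the ELF header before choosing an emulator or sandbox. The Python below is an added example written for this page; it is not Mozi code and not a URLhaus or sandbox tool. The e_machine and e_type values come from the ELF specification, while the sample headers are constructed with the make_header() helper, so it runs offline without any real sample.

```python
"""Triage the architecture of an ELF sample from its header alone. Added example
for analysts handling captured botnet payloads; not Mozi code, and not a sandbox
or URLhaus tool. The sample headers are constructed with make_header()."""
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification (gABI).
MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
TYPES = {1: "REL", 2: "EXEC", 3: "DYN"}
HEADER_PREFIX_LEN = 24   # e_ident (16) + e_type (2) + e_machine (2) + e_version (4)


def triage_elf(blob: bytes) -> dict:
    """Parse e_ident, e_type and e_machine; raise ValueError for non-ELF input."""
    if len(blob) < HEADER_PREFIX_LEN or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}.get(blob[4])        # EI_CLASS
    endian = {1: "<", 2: ">"}.get(blob[5])     # EI_DATA decides multi-byte field order
    if bits is None or endian is None:
        raise ValueError("unknown ELF class or data encoding")
    e_type, e_machine, e_version = struct.unpack(endian + "HHI", blob[16:24])
    return {
        "bits": bits,
        "endian": "little" if endian == "<" else "big",
        "type": TYPES.get(e_type, f"unknown({e_type})"),
        "machine": MACHINES.get(e_machine, f"unknown({e_machine})"),
        "elf_version": e_version,
    }


def matches_report_profile(info: dict) -> bool:
    """True for 32-bit MIPS or ARM executables, the profile this report gives
    for the Mozi samples. A triage hint only, not a malware verdict."""
    return info["bits"] == 32 and info["machine"] in {"MIPS", "ARM"} and info["type"] == "EXEC"


def make_header(bits: int, endian: str, e_machine: int, e_type: int = 2) -> bytes:
    """Build a constructed minimal ELF header prefix for exercising the parser."""
    e_ident = (ELF_MAGIC
               + bytes([1 if bits == 32 else 2, 1 if endian == "little" else 2, 1])
               + bytes(9))
    fmt = ("<" if endian == "little" else ">") + "HHI"
    return e_ident + struct.pack(fmt, e_type, e_machine, 1)


if __name__ == "__main__":
    samples = {
        "mips-be": make_header(32, "big", 8),
        "arm-le": make_header(32, "little", 40),
        "x86-64": make_header(64, "little", 62),
    }
    for name, blob in samples.items():
        info = triage_elf(blob)
        print(name, info, "report profile" if matches_report_profile(info) else "")
```

Only the first 24 bytes are needed, so the same function works on a truncated download or on the first chunk of a network capture; anything that does not start with the ELF magic (a PE file, an HTML error page served by a dead host) is rejected with a ValueError rather than misreported.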
Analysis of threat actor infrastructure and techniques reveals sophisticated domain generation, social engineering, and IoT exploitation methodologies.
Threat actors behind ClearFake demonstrate operational maturity through deployment of 36+ malicious URLs across 7 distinct domains with multiple subdomains. The .surf TLD preference and systematic subdomain naming patterns suggest automated infrastructure generation. Path obfuscation (e.g., /sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/) indicates anti-analysis measures.
Mozi operators utilize non-standard high ports (38202, 55970, 54563, 46614, etc.) for malware distribution, likely to evade basic firewall rules and security monitoring focused on common service ports. This technique enables persistent access to compromised IoT infrastructure.
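The observations from both campaign sections (ClearFake: the listed domains, the kwtor.dll and usr294-verif.confirm payload names, and hyphenated random path segments; Mozi: bare-IP hosts serving /i or /bin.sh on non-standard high ports) can be expressed as a small indicator classifier that a SOC can run over a URLhaus export or proxy log. The Python below is an added example written for this page, not URLhaus, report, or campaign tooling. The domains, payload names, IPs and ports are those the report lists; the rule thresholds, the COMMON_WEB_PORTS set, the crude registered-domain helper, and the SAMPLE_URLS feed are constructed assumptions.

```python
"""Classify URLhaus-style indicators against the ClearFake and Mozi patterns
this report describes. Added example for defenders; not URLhaus, report, or
campaign code. Indicator values come from the report; rule thresholds and
the SAMPLE_URLS list are constructed assumptions."""
import re
from collections import Counter
from urllib.parse import urlparse

CLEARFAKE_DOMAINS = {
    "vexon3ar.surf", "xam1riel.surf", "pavl9ore.surf", "1dorelax.surf",
    "vexo3nar.surf", "sorix7en.surf", "izyob7rickets.digital",
}
CLEARFAKE_PAYLOADS = {"kwtor.dll", "usr294-verif.confirm"}
MOZI_PATHS = {"/i", "/bin.sh"}
COMMON_WEB_PORTS = {80, 443, 8080, 8443}   # assumption: what "standard" means here

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HAS_LETTER_AND_DIGIT_RE = re.compile(r"^(?=.*[a-z])(?=.*[0-9])[a-z0-9]+$")


def looks_obfuscated(segment: str) -> bool:
    """Heuristic for directory names like sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z:
    four or more hyphen-joined tokens, at least two mixing letters and digits.
    Plain slugs such as my-new-blog-post-title do not match."""
    tokens = segment.lower().split("-")
    if len(tokens) < 4:
        return False
    mixed = sum(1 for t in tokens if HAS_LETTER_AND_DIGIT_RE.match(t))
    return mixed >= 2


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the .surf/.digital hosts here."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(url: str) -> tuple:
    """Return (family, reasons); family is 'clearfake', 'mozi' or 'unclassified'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path or "/"
    segments = [s for s in path.split("/") if s]
    filename = segments[-1] if segments else ""
    reasons = []

    # ClearFake: a known domain or known payload name is decisive; an obfuscated
    # directory name is recorded as supporting evidence only.
    domain_hit = registered_domain(host) in CLEARFAKE_DOMAINS
    payload_hit = filename in CLEARFAKE_PAYLOADS
    if domain_hit:
        reasons.append(f"known ClearFake domain {registered_domain(host)}")
    if payload_hit:
        reasons.append(f"known ClearFake payload name {filename}")
    if any(looks_obfuscated(s) for s in segments[:-1]):
        reasons.append("obfuscated hyphenated path segment")
    if domain_hit or payload_hit:
        return "clearfake", reasons

    # Mozi: bare IPv4 host serving /i or /bin.sh, usually on a high non-standard port.
    if IPV4_RE.match(host) and path in MOZI_PATHS:
        reasons.append(f"bare IP host serving {path}")
        try:
            port = parsed.port
        except ValueError:
            port = None
        if port is not None and port not in COMMON_WEB_PORTS:
            reasons.append(f"non-standard port {port}")
        return "mozi", reasons

    return "unclassified", reasons


def summarize(urls) -> dict:
    """Count indicators per family, the way the report's headline numbers are derived."""
    return dict(Counter(classify(u)[0] for u in urls))


# Constructed sample feed: four URLs built from the report's IoCs plus two benign ones.
SAMPLE_URLS = [
    "http://oiyksxf.vexon3ar.surf/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/kwtor.dll",
    "http://src-get.xam1riel.surf/usr294-verif.confirm",
    "http://42.56.148.42:38202/i",
    "http://125.26.202.113:55970/bin.sh",
    "https://www.example.com/downloads/update.exe",
    "http://42.56.148.42/index.html",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        family, why = classify(u)
        print(f"{family:12} {u}  <- {'; '.join(why) or 'no rule matched'}")
    print(summarize(SAMPLE_URLS))
```

The ordering matters: exact domain and payload-name matches are treated as decisive, while the obfuscated-path heuristic only adds a reason, so a legitimate site with a long hyphenated slug is not labelled ClearFake on path shape alone. Likewise a bare-IP host on port 80 serving an ordinary page stays unclassified; the Mozi rule fires only on the /i and /bin.sh endpoints the report names, with the non-standard port recorded as corroboration.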