On May 8, 2026, the threat landscape showed sustained activity from established malware campaigns and a critical vulnerability requiring immediate attention. A SQL injection vulnerability (CVE-2026-42208) in BerriAI LiteLLM poses high risk to organizations using this proxy solution, potentially exposing managed credentials. Malware distribution infrastructure remained active with 50 malicious URLs identified, primarily serving Mozi botnet variants and ClearFake malware. The Mozi botnet continues targeting IoT devices through multiple architectures (MIPS, ARM, ELF), while ClearFake campaigns leverage sophisticated social engineering through fake update prompts. The distribution infrastructure shows professional compartmentalization with distinct domain patterns for different malware families. Organizations should prioritize patching the LiteLLM vulnerability and implementing network-level blocking of identified indicators.
One critical vulnerability added to CISA KEV catalog requiring immediate remediation
SQL injection vulnerability in BerriAI LiteLLM allows attackers to read and potentially modify data in the proxy's database, leading to unauthorized access to the proxy and managed credentials. Organizations using LiteLLM for API gateway or credential management face immediate risk of data exfiltration and unauthorized access.
50 malicious URLs identified distributing Mozi botnet and ClearFake malware through compromised infrastructure
18 URLs distributing Mozi botnet variants targeting IoT devices across multiple architectures (32-bit MIPS, ARM, ELF). Infrastructure hosted on compromised devices in Asian IP ranges (China, South Korea) using high-numbered ports (35000-56000 range). Payloads delivered via shell scripts and direct binary downloads targeting embedded Linux systems.
28 URLs serving ClearFake malware (including SnappyClient variant) through fake browser update notifications. Distribution infrastructure uses consistent domain naming patterns across multiple TLDs (.lat domains): radio-technic, comforter-panel, nomination5yak, overdoitework, tribun-triptych. URL paths mimic legitimate system files (updates.gstate, access.fltr, verification paths) to deceive victims.
Multiple URLs distributing Mirai botnet variants across various architectures (x86, ARM, MIPS, SH4, PPC, M68K) from European infrastructure (85.239.151.41, 217.60.245.90, 45.148.10.210). Shell scripts (microc2.sh, ccl, wwg) used for initial compromise followed by architecture-specific binary downloads. Infrastructure appears coordinated with systematic naming conventions (nexus.*, micro.*).
Analysis of observed attack techniques and infrastructure patterns from active campaigns
Threat actors demonstrate sophisticated capability to compile and distribute malware for diverse processor architectures (MIPS, ARM, x86, SH4, PPC, M68K, SPARC). This broad architecture support indicates targeting of heterogeneous IoT environments including routers, DVRs, IP cameras, and industrial control systems. The systematic approach suggests automated build pipelines for cross-compilation.
ClearFake operators employ compartmentalized infrastructure with distinct domain patterns for different stages of infection. Domains use the .lat TLD with themed naming (system utilities, DNS services, VPN services) to appear legitimate. Multiple subdomains per base domain provide redundancy and complicate takedown efforts. This professional infrastructure management indicates a well-resourced threat actor.
Mozi botnet infrastructure consistently uses non-standard high-numbered ports (35000-56000 range) for malware distribution from compromised IoT devices. This technique evades basic firewall rules focused on well-known ports and indicates exploitation of devices with limited security configurations. Asian IP space concentration suggests regional targeting or successful compromise patterns in those networks.
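As an added example (not part of the briefing), the two infrastructure patterns described above, Mozi-style downloads from high-numbered ports and ClearFake-style .lat update lures, can be turned into a simple egress-log triage check. The log format, the 203.0.113.x/198.51.100.x addresses, and the payload-name regex are constructed assumptions; the .lat stems, paths and port range are taken from the briefing.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not real telemetry): "src_ip method url status"
SAMPLE_LOG = """\
10.0.0.5 GET http://203.0.113.7:45011/mozi.m 200
10.0.0.5 GET http://203.0.113.7:45011/bins.sh 200
10.0.0.8 GET https://radio-technic.lat/updates.gstate 200
10.0.0.9 GET https://cdn.example.com:443/lib/jquery.min.js 200
10.0.0.9 GET http://198.51.100.2:8080/index.html 200
"""

# Domain stems, lure paths and port range as reported in the briefing
CLEARFAKE_STEMS = {"radio-technic", "comforter-panel", "nomination5yak",
                   "overdoitework", "tribun-triptych"}
CLEARFAKE_PATHS = re.compile(r"/(updates\.gstate|access\.fltr|verif)", re.I)
MOZI_PORT_RANGE = range(35000, 56001)
# Assumed payload naming: shell droppers plus architecture-tagged binaries
PAYLOAD_EXT = re.compile(r"\.(sh|m|arm\d?|mips|mpsl|x86|ppc|sh4|m68k)$", re.I)

def classify_url(url):
    """Return a reason string if the URL matches a briefing pattern, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.port in MOZI_PORT_RANGE and PAYLOAD_EXT.search(parts.path):
        return "mozi-style high-port payload"
    if host.endswith(".lat"):
        stem = host.rsplit(".", 2)[-2]  # registrable label just before the TLD
        if stem in CLEARFAKE_STEMS or CLEARFAKE_PATHS.search(parts.path):
            return "clearfake-style .lat update lure"
    return None

def scan_log(text):
    """Return (src_ip, url, reason) for every log line that matches a pattern."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        reason = classify_url(fields[2])
        if reason:
            hits.append((fields[0], fields[2], reason))
    return hits

if __name__ == "__main__":
    for src, url, reason in scan_log(SAMPLE_LOG):
        print(f"{src} -> {url}: {reason}")
```

Hits from `scan_log` are a starting point for blocking and for pivoting on the source hosts; ordinary port-443 traffic and non-matching high-port requests pass through unflagged.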
Published security research and guidance for defensive operations
New practical guide published for security teams on implementing attack surface management programs. Relevant for organizations seeking to identify and reduce exposure to threats like those observed in today's malware distribution campaigns and vulnerability exploitation attempts.
These briefings are compiled from publicly available threat-intelligence feeds, which may include CISA KEV, NIST NVD, the GitHub Advisory Database (OSV), abuse.ch, and Wordfence Intelligence. Data-breach and credential-leak items may include data from Have I Been Pwned and ransomware.live.
CVE® is a registered trademark of The MITRE Corporation. CVE Records are © The MITRE Corporation, reproduced under the CVE Program Terms of Use. WordPress vulnerability data is provided by Wordfence Intelligence, © Defiant, Inc. Breach data from Have I Been Pwned is licensed under CC BY 4.0.