On May 9, 2026, threat intelligence monitoring identified significant malware distribution activity with no critical vulnerabilities or law enforcement actions reported. The day's activity was dominated by two distinct malware campaigns: ClearFake malware distribution through compromised infrastructure and Mozi botnet activity targeting IoT devices. A total of 49 malicious URLs were identified through abuse.ch feeds, representing active threat actor infrastructure.
The ClearFake campaign demonstrates sophisticated infrastructure use with multiple domains employing systematic subdomain patterns (cloud, proxy, edge, host, meta, node, core, path, arg, list, proc, main, test, val, row, lock, dbms, idx, key) across three primary domains: cloudproxyserv.pics, fielddie.pics, systemlogicops.pics, argsleg.pics, webdataprocess.pics, and rowlocks.pics. The Mozi botnet continues targeting IoT devices with MIPS and ARM architectures through direct IP-based distribution. Organizations should prioritize blocking identified indicators and implementing detection rules for similar infrastructure patterns.
Extensive ClearFake malware distribution infrastructure identified across multiple domains with systematic subdomain rotation patterns
Multiple subdomains (host, proxy, cloud, edge, link) under cloudproxyserv.pics serving google.ocx payload with identifier c2cb43a1-3db9-486a-a707-ee88bcdb4813. Infrastructure suggests organized campaign with redundant distribution nodes.
Seven subdomains (xml, fld, run, meta, node, core, path) under fielddie.pics distributing check.rock payload with identifier 99c7fa93-4d32-47c2-84f9-163f7755f5e3. Pattern indicates automated subdomain generation for resilience.
Six subdomains (sys, log, core, logic, main, proc) under systemlogicops.pics serving google.ocx payload. Naming convention suggests technical targeting or social engineering themed around system operations.
Six subdomains (arg, list, proc, main, test, val) under argsleg.pics distributing check.rock payload. Technical naming suggests developer-focused social engineering.
Combined infrastructure under webdataprocess.pics (web, data, proc, base, xml, json) and rowlocks.pics (row, lock, dbms, idx, key) distributing google.ocx and check.rock payloads. Database-themed naming suggests targeting of technical personnel.
Mozi botnet infrastructure actively distributing payloads targeting MIPS and ARM IoT devices through direct IP-based distribution
Multiple IP addresses (39.89.133.37, 42.224.96.242, 182.118.147.12, 110.37.120.17, 115.54.102.66, 42.56.191.203, 77.79.160.210) distributing 32-bit ELF MIPS Mozi botnet payloads via bin.sh and /i endpoints. Indicates active scanning and exploitation of vulnerable IoT devices.
IP 110.37.108.54 distributing 32-bit ARM ELF Mirai/Mozi hybrid payload. Cross-architecture capability demonstrates botnet's broad IoT targeting scope including routers, cameras, and embedded devices.
Analysis of observed infrastructure reveals systematic approaches to malware distribution resilience
Threat actors employing systematic subdomain generation across multiple domains with .pics TLD. Pattern includes technical terms (proxy, cloud, edge, node, core, proc, sys, log, data, xml, json) suggesting targeting of technical users. Infrastructure design provides redundancy and complicates takedown efforts.
Mozi botnet operators utilizing compromised IoT devices as direct distribution points, bypassing DNS infrastructure. IP addresses span multiple geographic regions and ISPs, indicating distributed command and control model typical of P2P botnets.
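As an added example (not part of this briefing or any vendor tooling), the following Python detection logic applies the two infrastructure patterns described above to constructed proxy-log lines: hosts under the .pics TLD whose first label is one of the observed technical terms and whose path ends in google.ocx or check.rock, and bare-IPv4 hosts serving /bin.sh or /i. The log format, the sample lines and the full URL paths are assumptions; the domains, labels, IPs and payload names come from the briefing.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Subdomain labels and payload names reported for the ClearFake .pics domains above
TECH_LABELS = {"cloud", "proxy", "edge", "host", "meta", "node", "core", "path", "arg",
               "list", "proc", "main", "test", "val", "row", "lock", "dbms", "idx", "key",
               "link", "xml", "fld", "run", "sys", "log", "logic", "web", "data", "base", "json"}
CLEARFAKE_PAYLOADS = {"google.ocx", "check.rock"}
MOZI_PATHS = {"/bin.sh", "/i"}          # endpoints reported for the Mozi IP distribution
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def classify_url(url):
    """Tag a URL that matches one of the two observed patterns; None otherwise."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    labels = host.split(".")
    if IPV4_RE.match(host):                       # direct IP-based distribution (Mozi)
        return "mozi-ip-distribution" if p.path in MOZI_PATHS else None
    if (len(labels) >= 3 and labels[-1] == "pics" and labels[0] in TECH_LABELS
            and p.path.rsplit("/", 1)[-1] in CLEARFAKE_PAYLOADS):
        return "clearfake-subdomain-rotation"     # technical label + .pics + known payload
    return None

def scan(log_lines):
    """Parse constructed 'timestamp client url' lines; return hits and, per registered
    domain, the set of subdomains seen (exposes the rotation pattern for triage)."""
    hits, subdomains = [], defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue                               # malformed line, skip
        tag = classify_url(parts[2])
        if tag is None:
            continue
        hits.append((tag, parts[2]))
        if tag == "clearfake-subdomain-rotation":
            labels = urlparse(parts[2]).hostname.lower().split(".")
            subdomains[".".join(labels[-2:])].add(labels[0])
    return hits, dict(subdomains)

# Constructed sample log; paths after the hostname are assumed, not from the briefing
SAMPLE_LOG = [
    "2026-05-09T10:01:02Z 10.0.0.12 http://host.cloudproxyserv.pics/google.ocx",
    "2026-05-09T10:01:05Z 10.0.0.12 http://proxy.cloudproxyserv.pics/google.ocx",
    "2026-05-09T10:02:10Z 10.0.0.30 http://meta.fielddie.pics/check.rock",
    "2026-05-09T10:03:00Z 10.0.0.44 http://39.89.133.37/bin.sh",
    "2026-05-09T10:03:30Z 10.0.0.44 http://42.224.96.242/i",
    "2026-05-09T10:04:00Z 10.0.0.50 http://www.example.com/index.html",
    "2026-05-09T10:04:30Z 10.0.0.51 http://cdn.example.pics/style.css",  # benign .pics
]
```

Running `scan(SAMPLE_LOG)` yields five hits and shows two distinct subdomains under cloudproxyserv.pics, the kind of fan-out worth pivoting on in DNS telemetry.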
These briefings are compiled from publicly available threat-intelligence feeds, which may include CISA KEV, NIST NVD, the GitHub Advisory Database (OSV), abuse.ch, and Wordfence Intelligence. Data-breach and credential-leak items may include data from Have I Been Pwned and ransomware.live.
CVE® is a registered trademark of The MITRE Corporation. CVE Records are © The MITRE Corporation, reproduced under the CVE Program Terms of Use. WordPress vulnerability data is provided by Wordfence Intelligence, © Defiant, Inc. Breach data from Have I Been Pwned is licensed under CC BY 4.0.