On May 10, 2026, threat intelligence collection identified 50 malicious URLs actively distributing malware, representing sustained campaigns by known threat actors. The primary threat observed is ClearFake malware distribution infrastructure spanning multiple domains with consistent naming patterns, indicating organized operations. Additionally, Mirai and Mozi botnet variants continue targeting IoT devices through compromised infrastructure in the APAC region. No critical vulnerabilities, law enforcement actions, or major policy developments were observed during this 24-hour period.
The ClearFake campaign demonstrates sophisticated infrastructure management, with coordinated domains (bytevector.pics, cryptowave.ink, cloudstack.pics, systemforge.ink, logicframe.pics, framevector.ink, and pixelmesh.pics) spread across the .pics and .ink TLDs. The consistent use of system-sounding subdomain names (cpuprocessormgr, ipnodeclisys, sslkeybasepoint) suggests social engineering tactics designed to make the hosts appear legitimate. Simultaneously, legacy IoT botnet threats persist, with multiple distribution points originating from compromised devices in Asia-Pacific IP ranges and targeting the ARM and MIPS architectures commonly found in routers and embedded systems.
Extensive ClearFake malware infrastructure identified across seven distinct domain clusters with 42 active distribution URLs
Multiple subdomains under bytevector.pics actively serving ClearFake malware payloads (auth.dll, verify.check). Subdomains include vpsrun, cpuprocessormgr, run, opsmgr, and topsvc, using system-themed naming for legitimacy.
Four subdomains under cryptowave.ink distributing ClearFake auth.dll payloads. Infrastructure uses SSL-themed naming (sslkeybasepoint, sshbin) to evade detection and increase victim trust.
Additional ClearFake distribution infrastructure identified across cloudstack.pics, systemforge.ink, logicframe.pics, framevector.ink, and pixelmesh.pics domains. Consistent payload naming (auth.dll, verify.check) and UUID-based path structure indicate centralized operation.
Eight malicious URLs distributing Mirai and Mozi botnet payloads targeting ARM and MIPS architectures from compromised APAC infrastructure
Multiple compromised hosts in Chinese IP space (59.42.88.140, 115.54.127.247, 218.60.190.100, 42.239.148.10, 115.55.193.33) are serving Mozi botnet payloads via bin.sh scripts that target MIPS and ARM architectures for IoT device compromise.
ARM-based Mirai malware distributed from compromised host 42.56.116.81:53725, indicating continued exploitation of IoT devices for botnet expansion.
Analysis of delivery methods and evasion techniques employed in observed campaigns
ClearFake operators utilize systematic domain registration across multiple TLDs with consistent subdomain patterns. The system-themed naming conventions (cpuprocessormgr, ipnodeclisys, sslkeybasepoint) are designed to make the hosts appear to be legitimate system services, reducing user suspicion during social engineering attacks.
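As an added defensive example (not part of the original briefing or of any feed it cites), the following Python script turns the indicators described above into a simple proxy-log check: it flags requests to the seven ClearFake apex domains, the auth.dll / verify.check payload names, UUID-shaped path segments, and bin.sh fetches from the listed botnet hosts. The log format (timestamp, client IP, method, URL, status), the sample log lines and the URL paths in them, including the UUID and the "arm" file name, are constructed for illustration; only the domains, IPs, port and payload names come from the briefing.

```python
import re
from urllib.parse import urlsplit

# Apex domains the briefing attributes to the ClearFake campaign.
CLEARFAKE_APEX = {
    "bytevector.pics", "cryptowave.ink", "cloudstack.pics", "systemforge.ink",
    "logicframe.pics", "framevector.ink", "pixelmesh.pics",
}
# Payload file names the briefing reports for ClearFake.
CLEARFAKE_PAYLOADS = {"auth.dll", "verify.check"}
# Hosts the briefing reports serving Mozi (bin.sh) and Mirai (42.56.116.81:53725) payloads.
BOTNET_HOSTS = {
    "59.42.88.140", "115.54.127.247", "218.60.190.100", "42.239.148.10",
    "115.55.193.33", "42.56.116.81",
}
# A whole path segment shaped like a UUID (8-4-4-4-12 hex groups).
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def apex_of(host):
    """Reduce a hostname to its last two labels (sufficient for the TLDs in play)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_url(url):
    """Return a sorted list of indicator tags for one URL; an empty list means no match."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # strips any :port
    segments = [s for s in parts.path.split("/") if s]
    tags = set()
    if apex_of(host) in CLEARFAKE_APEX:
        tags.add("clearfake-domain")
        if segments and segments[-1].lower() in CLEARFAKE_PAYLOADS:
            tags.add("clearfake-payload")
        if any(UUID_RE.match(s) for s in segments):
            tags.add("uuid-path")
    if host in BOTNET_HOSTS:
        tags.add("botnet-host")
        if segments and segments[-1] == "bin.sh":
            tags.add("botnet-dropper")
    return sorted(tags)


def scan_proxy_log(lines):
    """Return (line_number, url, tags) for every log line whose URL matches an indicator.

    Assumed (constructed) line format: "<timestamp> <client_ip> <method> <url> <status>".
    """
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue                     # malformed line: skip rather than crash
        url = fields[3]
        tags = classify_url(url)
        if tags:
            hits.append((n, url, tags))
    return hits


# Constructed sample log; the paths, UUID and "arm" file name are placeholders.
SAMPLE_LOG = """\
2026-05-10T08:01:12Z 10.0.0.15 GET https://cpuprocessormgr.bytevector.pics/00000000-0000-4000-8000-000000000000/auth.dll 200
2026-05-10T08:02:45Z 10.0.0.22 GET https://www.example.com/index.html 200
2026-05-10T08:03:01Z 10.0.0.31 GET http://59.42.88.140/bin.sh 200
2026-05-10T08:04:17Z 10.0.0.15 GET https://sslkeybasepoint.cryptowave.ink/verify.check 404
2026-05-10T08:05:59Z 10.0.0.40 GET http://42.56.116.81:53725/arm 200
""".splitlines()

if __name__ == "__main__":
    for n, url, tags in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {url} -> {', '.join(tags)}")
```

The apex-domain match is deliberately broad so that new subdomains under a known apex (the briefing shows the operators rotating these) are still caught; the payload-name and UUID-path tags then raise confidence for triage, and a 404 is still reported because the client's request alone is the signal of interest.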
These briefings are compiled from publicly available threat-intelligence feeds, which may include CISA KEV, NIST NVD, the GitHub Advisory Database (OSV), abuse.ch, and Wordfence Intelligence. Data-breach and credential-leak items may include data from Have I Been Pwned and ransomware.live.
CVE® is a registered trademark of The MITRE Corporation. CVE Records are © The MITRE Corporation, reproduced under the CVE Program Terms of Use. WordPress vulnerability data is provided by Wordfence Intelligence, © Defiant, Inc. Breach data from Have I Been Pwned is licensed under CC BY 4.0.