On May 11, 2026, threat intelligence monitoring detected significant IoT botnet malware distribution activity, with 45 malicious URLs identified distributing Mirai, Gafgyt, and Mozi botnet variants. The activity represents ongoing campaigns targeting Internet of Things (IoT) devices across multiple architectures including MIPS, ARM, x86, PowerPC, and others. Three primary distribution infrastructure clusters were identified at IP addresses 176.65.139.79, 176.65.139.152, and 176.65.139.112, suggesting coordinated botnet operations.
The observed malware samples specifically target embedded Linux systems and IoT devices through wget-based download mechanisms, indicating exploitation of devices with weak or default credentials. Mozi botnet activity remains prominent with 15 distinct indicators, while Mirai variants account for 20 indicators across the 176.65.139.0/24 network range. This infrastructure demonstrates multi-architecture payload delivery capabilities, enabling threat actors to compromise diverse device types including routers, security cameras, and network-attached storage devices.
Organizations with exposed IoT devices should immediately audit their attack surface, implement network segmentation, disable unnecessary services, change default credentials, and monitor for indicators of compromise related to the identified distribution infrastructure. The concentration of malicious activity within specific IP ranges suggests potential targeting of specific geographic regions or ISP infrastructure.
Multiple botnet malware families actively distributed through coordinated infrastructure, targeting IoT devices across diverse architectures
Major Mirai distribution server hosting 11 malware payloads targeting ARM, MIPS, x86, PowerPC, SH4, M68K, and SPC architectures. Infrastructure includes shell scripts for automated infection (a.sh, build.sh, kla.sh) suggesting automated deployment capabilities.
15 unique Mozi botnet indicators detected across Chinese IP space (42.x.x.x, 61.x.x.x, 112.x.x.x, 123.x.x.x, 182.x.x.x, 222.x.x.x ranges) serving 32-bit ELF payloads for MIPS and ARM architectures. High-port communications (33589-59643) suggest P2P botnet coordination.
Comprehensive multi-architecture payload distribution serving 13 different bot variants (bot.mips, bot.armv7l, bot.x86_64, etc.) covering all major embedded architectures including ARC processors. Indicates sophisticated cross-platform botnet operation.
Infrastructure hosting both Mirai (manji.spc, manji.ppc440) and Gafgyt (manji.mpsl) variants, suggesting either multi-malware operation or compromise by multiple threat actors. PowerPC and MPSL targeting indicates focus on network equipment.
Additional malware distribution endpoints identified with jaws.sh shell script and ARM7 payloads, potentially part of the same 176.65.139.0/24 botnet operation infrastructure cluster.
HTTPS-based malware distribution through the biteblob.com domain and the direct IP 71.179.14.4, representing a different delivery vector from the primary HTTP-based campaigns. The download path structure (SL3zs40jUnoLna) suggests automated generation or obfuscation.
Analysis of observed malware distribution methods, targeting patterns, and technical infrastructure characteristics
Five distinct malware distribution servers identified within a single /24 subnet (176.65.139.79, .112, .152, .159, .167), suggesting either a bulletproof hosting provider, a compromised infrastructure cluster, or threat actor-controlled address space. The subnet likely represents persistent malicious infrastructure.
All observed samples use the wget user-agent for payload retrieval, indicating exploitation of IoT devices with the wget utility installed. The attack likely follows the pattern of credential brute-forcing or vulnerability exploitation followed by scripted payload download and execution.
Threat actors demonstrate sophisticated capabilities with payload compilation for 15+ architectures including ARM variants (v4l, v5l, v6l, v7l), MIPS/MIPSel, PowerPC, SH4, M68K, ARC, and x86/x64. The presence of the build.sh script suggests automated cross-compilation infrastructure.
Mozi botnet samples exclusively distributed from Chinese IP ranges with non-standard high ports (30000-60000 range). Port randomization and geographic concentration suggest P2P botnet nodes rather than centralized C2 infrastructure, complicating takedown efforts.
Actionable threat intelligence for detection, investigation, and response operations
Monitor for HTTP GET requests with wget user-agents to unusual ports or IP addresses, particularly targeting /bin/, /bins/, and .sh file extensions. Alert on ELF file downloads to embedded devices. Watch for connections to 176.65.139.0/24 subnet and identified Chinese IP ranges on non-standard ports.
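As an added illustration of the detection guidance above (example code, not part of this briefing or of any vendor tool), the following Python applies the wget user-agent, download-path, subnet and port criteria to constructed proxy-log lines. The log layout, the regular expressions and the alert rule (subnet hits always alert, a wget user-agent only with a second criterion) are assumptions; the subnet, paths and payload names are the ones the briefing lists.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators from the briefing: distribution subnet, /bin/, /bins/ and .sh paths, bot.*/manji.* names.
WATCHED_NETS = [ipaddress.ip_network("176.65.139.0/24")]
PAYLOAD_PATH = re.compile(r"/bins?/|\.sh$")
PAYLOAD_NAME = re.compile(r"^(?:bot|manji)\.")
STANDARD_PORTS = {80, 443}
# Assumed (hypothetical) proxy-log layout: ts src method url status "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def inspect(line):
    """Return the briefing's detection criteria that one log line matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    _ts, _src, method, url, _status, ua = m.groups()
    u = urlsplit(url)
    hits = []
    if method == "GET" and ua.lower().startswith("wget"):
        hits.append("wget user-agent")
    if PAYLOAD_PATH.search(u.path) or PAYLOAD_NAME.match(u.path.rsplit("/", 1)[-1]):
        hits.append("payload-style path")
    try:
        if any(ipaddress.ip_address(u.hostname) in net for net in WATCHED_NETS):
            hits.append("watched subnet")
    except ValueError:
        pass  # DNS name rather than an IP literal: no subnet check possible here
    port = u.port or (443 if u.scheme == "https" else 80)
    if port not in STANDARD_PORTS:
        hits.append(f"non-standard port {port}")
    return hits

def should_alert(hits):
    """Watched-subnet traffic always alerts; a wget user-agent needs a second criterion."""
    return "watched subnet" in hits or ("wget user-agent" in hits and len(hits) > 1)

def scan(log_text):
    """Return (url, hits) for each line that meets the alert rule."""
    return [(ln.split()[3], h) for ln in log_text.splitlines()
            if (h := inspect(ln)) and should_alert(h)]
# Constructed sample lines (not real traffic); 203.0.113.5 is a documentation address.
SAMPLE_LOG = """\
2026-05-11T03:14:07Z 10.0.0.23 GET http://176.65.139.79/bins/bot.mips 200 "Wget/1.21.1"
2026-05-11T03:14:09Z 10.0.0.23 GET http://176.65.139.79/a.sh 200 "Wget/1.21.1"
2026-05-11T03:15:00Z 10.0.0.8 GET https://example.invalid/index.html 200 "Mozilla/5.0"
2026-05-11T03:16:42Z 10.0.0.41 GET http://203.0.113.5:36000/jaws.sh 200 "Wget/1.20.3"
2026-05-11T03:17:01Z 10.0.0.9 GET http://updates.example.invalid/pkg.tar.gz 200 "Wget/1.21.1"
"""
```

The last sample line shows why a bare wget user-agent is not enough on its own: ordinary package fetches from embedded devices would otherwise flood the alert queue.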
Search for unexpected ELF binaries in /tmp, /var/tmp, /dev/shm, or /var/run directories. Monitor for processes with names matching observed patterns (bot.*, manji.*, p[architecture]). Check for unauthorized cron jobs or startup scripts. Investigate unusual wget processes or network connections from IoT devices.
Immediate actions: Audit exposed IoT devices, change default credentials, disable unnecessary services (telnet, SSH with default configs), implement network segmentation isolating IoT devices. Apply vendor security updates, enable logging, deploy network-based IPS signatures for identified IOCs. Consider blocking 176.65.139.0/24 and listed Chinese IP ranges at perimeter.
These briefings are compiled from publicly available threat-intelligence feeds, which may include CISA KEV, NIST NVD, the GitHub Advisory Database (OSV), abuse.ch, and Wordfence Intelligence. Data-breach and credential-leak items may include data from Have I Been Pwned and ransomware.live.
CVE® is a registered trademark of The MITRE Corporation. CVE Records are © The MITRE Corporation, reproduced under the CVE Program Terms of Use. WordPress vulnerability data is provided by Wordfence Intelligence, © Defiant, Inc. Breach data from Have I Been Pwned is licensed under CC BY 4.0.