This threat intelligence briefing covers May 12, 2026, and identifies 50 malicious indicators reported to abuse.ch URLhaus. The primary threats observed include active ClearFake malware distribution campaigns and persistent Mozi botnet infrastructure targeting IoT devices. No CVE disclosures, KEV entries, or infrastructure seizure events were recorded during this period.
ClearFake malware, a social engineering toolkit used to distribute information stealers and remote access trojans, demonstrates continued operational capability through compromised infrastructure on datapulse.wiki, netvector.wiki, and stackforge.wiki domains. The Mozi botnet, despite its original operators' arrests in 2021, continues autonomous propagation through peer-to-peer architecture, targeting vulnerable routers and IoT devices across multiple architectures. Additionally, multiple GitHub repositories are being abused to host malicious payloads, indicating active exploitation of trusted code hosting platforms for malware delivery.
Two primary malware families dominate the threat landscape: the ClearFake social engineering framework and the Mozi IoT botnet. GitHub abuse for malware hosting was also identified.
Multiple ClearFake malware download URLs were identified across the datapulse.wiki, netvector.wiki, and stackforge.wiki domains. ClearFake is a social engineering attack framework that mimics browser update prompts to deliver infostealers, RATs, and other malware payloads. The use of the .wiki TLD and UUID-based paths suggests that compromised legitimate infrastructure is being leveraged for distribution.
Extensive Mozi botnet activity was detected, with 28+ malicious URLs serving ELF binaries targeting the MIPS and ARM architectures. Distribution infrastructure spans Chinese IP address space (39.x, 110.x, 115.x, and 118.x ranges). Mozi continues autonomous operation despite the 2021 takedown of its original operators, leveraging a P2P architecture and targeting vulnerable routers, DVRs, and IoT devices through the DHT protocol and known exploits.
Multiple GitHub accounts (ud-pd, rouskiiu, rouskii126, pd1-pd, dcm-t1) were identified hosting malicious ZIP and PNG files for malware distribution. Repositories include 'ut1-26', 'PD-9-11125', 'hihi', 'd', 't1-26', and '101125'. This technique abuses GitHub's trusted domain reputation to bypass security controls and deliver malicious payloads disguised as legitimate files.
ARM-based ELF binaries tagged with both Mirai and Mozi indicators were detected from 171.37.125.151:41472. This suggests either hybrid botnet capabilities or misclassification. The targeting of the ARM architecture specifically threatens Android devices, set-top boxes, and embedded systems beyond traditional router targets.
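The Mozi and Mirai indicators above are multi-architecture ELF binaries (MIPS, ARM), and the first triage question for a fetched sample is which architecture it targets. The following is an added example, not part of the briefing or of any URLhaus tooling: it reads the ELF identification bytes and the e_type/e_machine fields from the first 20 bytes of a file, honouring the file's own byte order, and flags 32-bit MIPS/ARM executables as candidates for IoT-malware triage. The sample headers and the function names (parse_elf_header, is_iot_candidate) are constructed for illustration and are not real samples from the feed.

```python
import struct
from typing import Dict

# e_machine values from the ELF specification for the architectures relevant here
EM_NAMES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
ET_NAMES = {1: "REL", 2: "EXEC", 3: "DYN"}
IOT_ARCHES = {"MIPS", "ARM"}  # architectures the briefing reports for Mozi samples


def parse_elf_header(data: bytes) -> Dict[str, object]:
    """Return class, endianness, object type and machine from the first 20 bytes of an ELF file."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]  # EI_CLASS (1=32-bit, 2=64-bit), EI_DATA (1=LE, 2=BE)
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed ELF identification bytes")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine follow the 16-byte e_ident and are stored in the file's own byte order,
    # so a big-endian MIPS router binary must not be read with host byte order.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": ET_NAMES.get(e_type, f"0x{e_type:x}"),
        "machine": EM_NAMES.get(e_machine, f"0x{e_machine:x}"),
    }


def is_iot_candidate(data: bytes) -> bool:
    """True when the blob is a 32-bit MIPS or ARM ELF, i.e. worth routing to IoT-malware triage."""
    try:
        info = parse_elf_header(data)
    except ValueError:
        return False  # shell scripts, archives and truncated downloads are not ELF
    return info["machine"] in IOT_ARCHES and info["bits"] == 32


# Constructed sample headers (first 24 bytes only), hypothetical, not real samples from the feed.
SAMPLE_MIPS_BE = b"\x7fELF\x01\x02\x01\x00" + b"\x00" * 8 + b"\x00\x02" + b"\x00\x08" + b"\x00\x00\x00\x01"
SAMPLE_ARM_LE = b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8 + b"\x02\x00" + b"\x28\x00" + b"\x01\x00\x00\x00"
SAMPLE_X64_LE = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"\x02\x00" + b"\x3e\x00" + b"\x01\x00\x00\x00"
SAMPLE_SHELL = b"#!/bin/sh\n"  # a bin.sh-style dropper is a script, not an ELF


if __name__ == "__main__":
    for name, blob in (("mips", SAMPLE_MIPS_BE), ("arm", SAMPLE_ARM_LE), ("x64", SAMPLE_X64_LE)):
        print(name, parse_elf_header(blob), "iot_candidate=", is_iot_candidate(blob))
    print("shell iot_candidate=", is_iot_candidate(SAMPLE_SHELL))
```

Reading only the header is enough to sort a download by architecture before any heavier analysis; a sample that reports MIPS or ARM while having been served to a workstation network is itself a signal worth an alert.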
Analysis of distribution methods reveals abuse of trusted platforms, social engineering frameworks, and botnet command-and-control patterns.
Threat actors are systematically abusing GitHub's infrastructure for malware hosting, leveraging raw.githubusercontent.com and github.com URLs. This technique provides HTTPS transport, trusted domain reputation, and resilience against takedowns. Organizations should implement GitHub IOC monitoring and consider blocking raw.githubusercontent.com access where it is not business-critical.
ClearFake continues using fake browser update prompts via compromised websites. The observed UUID-based URL structure (e.g., /516b5f87-d872-40da-bda8-d20b31c2a180/google.ct) indicates campaign tracking and victim segmentation capabilities. The .ct file extension and 'google' filename suggest mimicry of legitimate Chrome or Google services to increase victim trust.
Despite the 2021 law enforcement action against Mozi operators, the botnet continues self-propagating through its DHT-based P2P architecture. Distribution of bin.sh shell scripts and multi-architecture ELF binaries (MIPS, ARM) indicates targeting of a diverse IoT device ecosystem. High-port C2 communication (ports in the 36506-60263 range) may evade basic firewall rules.
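The three distribution patterns described in this section (UUID-path ClearFake URLs on the .wiki domains, payload downloads from the listed GitHub accounts, and direct-to-IP fetches of bin.sh or over the high port range) can be turned into proxy-log detection logic. The following is an added example, not code from the briefing or from abuse.ch: it classifies each URL in a web-proxy log against those indicators and returns the hits. The log format, the log lines, the pairing of the ud-pd account with the ut1-26 repository, and the function names (classify_url, scan_proxy_log) are constructed for illustration; the domains, account names, port range and the 171.37.125.151:41472 endpoint are taken from the briefing.

```python
import re
from ipaddress import ip_address
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators from the briefing
CLEARFAKE_DOMAINS = {"datapulse.wiki", "netvector.wiki", "stackforge.wiki"}
GITHUB_ACCOUNTS = {"ud-pd", "rouskiiu", "rouskii126", "pd1-pd", "dcm-t1"}
GITHUB_HOSTS = {"raw.githubusercontent.com", "github.com"}
MOZI_PORT_RANGE = range(36506, 60264)  # observed C2/download ports, inclusive of 60263

# /<uuid>/<name>.ct, the ClearFake path shape observed (e.g. .../google.ct)
UUID_CT_PATH = re.compile(
    r"^/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[^/]+\.ct$", re.I
)


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url: str) -> Optional[str]:
    """Return a detection tag for the URL, or None when it matches none of the patterns."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path
    if host in CLEARFAKE_DOMAINS and UUID_CT_PATH.match(path):
        return "clearfake_uuid_ct"
    if host in GITHUB_HOSTS:
        # first path segment is the account for both github.com and raw.githubusercontent.com
        segments = [s for s in path.split("/") if s]
        if segments and segments[0].lower() in GITHUB_ACCOUNTS and path.lower().endswith((".zip", ".png")):
            return "github_payload_host"
    if is_ip_literal(host):
        # Mozi droppers are fetched straight from an IP, often on a non-standard high port
        if path.endswith("/bin.sh") or (u.port is not None and u.port in MOZI_PORT_RANGE):
            return "mozi_direct_ip"
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse '<timestamp> <client_ip> <url> <status>' lines and return (client_ip, tag, url) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the scan
        _ts, client_ip, url, _status = parts[:4]
        tag = classify_url(url)
        if tag:
            hits.append((client_ip, tag, url))
    return hits


# Constructed proxy log lines, hypothetical, in the format assumed above
SAMPLE_LOG = [
    "2026-05-12T08:01:12Z 10.0.4.21 http://datapulse.wiki/516b5f87-d872-40da-bda8-d20b31c2a180/google.ct 200",
    "2026-05-12T08:02:40Z 10.0.4.21 https://raw.githubusercontent.com/ud-pd/ut1-26/main/update.zip 200",
    "2026-05-12T08:03:05Z 10.0.9.7 http://171.37.125.151:41472/bin.sh 200",
    "2026-05-12T08:04:00Z 10.0.4.30 https://raw.githubusercontent.com/example-org/example-repo/main/README.md 200",
    "2026-05-12T08:05:00Z 10.0.4.31 https://example.com/docs/guide.pdf 200",
]

if __name__ == "__main__":
    for client_ip, tag, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client_ip} {tag} {url}")
```

The GitHub rule matches on account name plus archive/image extension rather than on github.com as a whole, which is what keeps the detection usable where raw.githubusercontent.com cannot simply be blocked; the direct-to-IP rule fires on either the dropper filename or the port range so that a renamed script on an observed port, or bin.sh on a new port, is still caught.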
While no specific CVEs were disclosed today, observed malware distribution patterns indicate ongoing exploitation of known IoT vulnerabilities.
Mozi botnet historically exploits known vulnerabilities in routers and IoT devices including CVE-2017-17215 (Huawei HG532), CVE-2014-8361 (Realtek SDK), and weak/default credentials. The continued activity observed today suggests thousands of vulnerable devices remain exposed. Organizations should prioritize IoT asset inventory, firmware updates, and network segmentation.
These briefings are compiled from publicly available threat-intelligence feeds, which may include CISA KEV, NIST NVD, the GitHub Advisory Database (OSV), abuse.ch, and Wordfence Intelligence. Data-breach and credential-leak items may include data from Have I Been Pwned and ransomware.live.
CVE® is a registered trademark of The MITRE Corporation. CVE Records are © The MITRE Corporation, reproduced under the CVE Program Terms of Use. WordPress vulnerability data is provided by Wordfence Intelligence, © Defiant, Inc. Breach data from Have I Been Pwned is licensed under CC BY 4.0.