On May 13, 2026, malicious infrastructure activity revealed active distribution campaigns for multiple malware families, with no critical vulnerabilities or law enforcement actions reported during this 24-hour period. The threat landscape was dominated by the ClearFake malware distribution network and the persistent Mozi botnet, alongside Formbook information stealer campaigns and emerging VenomRAT activity.
ClearFake campaigns used compromised .wiki domains with sophisticated social engineering tactics, while Mozi botnet activity continued targeting IoT devices through MIPS-based ELF binaries across Asian IP ranges. Additional threats included Formbook distribution via URL shorteners and phishing lures, Mirai botnet variants, and VenomRAT remote access trojan deployment. Organizations should prioritize IoT device security, implement robust email security controls, and monitor for ClearFake-related domains targeting end users with fake browser update schemes.
The absence of CVE or KEV entries during this period suggests either a quiet day in vulnerability disclosure or potential data collection gaps. However, the volume and diversity of malware distribution activity (50 distinct malicious URLs) indicate sustained threat actor operations across multiple campaigns, requiring continued vigilance in defensive monitoring and threat hunting activities.
Widespread ClearFake malware distribution observed across multiple compromised .wiki domains using fake browser update social engineering tactics
Multiple URLs detected distributing ClearFake malware through domains including secure-remote-access-method-file.wiki, eaglefungustourismscreen.wiki, prime-object-container-task-archive.wiki, and others. These domains use technical-sounding names to appear legitimate while delivering fake browser update pages that deploy malware.
Additional ClearFake distribution detected through subdomains 9nl6t4w2.estradaannivers.digital and 4bklvfdi.estradaannivers.digital with URL parameters suggesting tracking or campaign management capabilities.
Extensive Mozi botnet activity targeting IoT devices through MIPS architecture ELF binaries across Asian IP address ranges
Multiple IP addresses (182.117.76.23, 110.36.12.61, 124.29.223.148, 219.155.201.184, 42.234.71.42, and others) were actively distributing 32-bit ELF MIPS binaries associated with the Mozi botnet. Distribution followed standard IoT exploitation patterns targeting vulnerable routers and embedded devices.
Shell scripts (bin.sh) detected on multiple IPs serving as initial infection vectors for Mozi botnet deployment, indicating automated exploitation of IoT vulnerabilities.
Formbook distribution observed through URL shorteners and phishing lures masquerading as Veeam backup software
Formbook malware detected on IP 107.173.9.85 and through linkku.me shortener service. Attack chain includes HTA files (weneedbetterthingsforbest.HtA) and PNG files serving as downloaders, with lures impersonating Veeam backup solution trial offers.
VenomRAT distribution infrastructure identified with multi-stage delivery mechanism
Domain solar-sanat.net identified distributing VenomRAT (MDClient.exe) alongside supporting infrastructure including fake transfer advice documents, CMD scripts, and multiple PNG image files likely serving as stagers or data exfiltration mechanisms.
Mirai botnet variants observed targeting additional IoT device populations
Multiple IPs (218.16.164.153, 119.167.1.193, 193.32.162.225) distributing Mirai botnet variants including x86_64 and MPSL architecture binaries with wget user-agent characteristics, indicating continued botnet expansion efforts.
Additional malicious URLs detected without specific malware family attribution
IP 209.54.103.178 was hosting multiple malicious payloads, including HTA files and PNG-based downloaders with Veeam-themed phishing lures, likely part of a broader information stealer or loader campaign.
Domain sycoreltd.yzz.me was distributing the file MSI_173518.png, suggesting steganography or a disguised payload delivery mechanism.
These briefings are compiled from publicly available threat-intelligence feeds, which may include CISA KEV, NIST NVD, the GitHub Advisory Database (OSV), abuse.ch, and Wordfence Intelligence. Data-breach and credential-leak items may include data from Have I Been Pwned and ransomware.live.
CVE® is a registered trademark of The MITRE Corporation. CVE Records are © The MITRE Corporation, reproduced under the CVE Program Terms of Use. WordPress vulnerability data is provided by Wordfence Intelligence, © Defiant, Inc. Breach data from Have I Been Pwned is licensed under CC BY 4.0.