This intelligence briefing covers threat activity observed on May 16, 2026. The primary activity consists of malware distribution infrastructure, with 50 malicious URLs identified through abuse.ch feeds. The threat landscape is dominated by IoT-targeting botnets, particularly Mirai and Gafgyt variants, alongside information stealer campaigns leveraging GitHub/GitLab repositories and ClearFake malware distribution. The continued prevalence of Mirai botnet infrastructure across multiple architectures indicates sustained targeting of vulnerable IoT devices and embedded systems. Additionally, WsgiDAV-based malware distribution servers suggest ongoing use of WebDAV protocols for malicious payload delivery, likely targeting enterprise environments.
Extensive Mirai and Gafgyt botnet distribution infrastructure observed targeting multiple CPU architectures, indicating large-scale IoT device compromise campaigns.
Domain cdn-assets.xyz hosting Mirai botnet payloads for multiple architectures including ARM, MIPS, x86, and SH4. This represents a comprehensive IoT compromise toolkit targeting diverse embedded systems.
IP address 176.65.139.186 serving Mirai malware binaries for ARM, MIPS, x86, PowerPC, and SH4 architectures. Multi-architecture support indicates targeting of routers, cameras, and other IoT devices.
Server at 178.18.147.174 distributing both Mirai and Gafgyt botnet variants across multiple architectures. The ua-wget tag (the server filters on a wget user-agent) suggests automated infection chains that fetch payloads with wget on the compromised device.
Multiple IP addresses (61.137.202.42, 112.93.203.60, 112.248.187.52) distributing Mozi botnet payloads specifically targeting MIPS-based devices. Mozi is a peer-to-peer botnet known for persistence and resilience.
Domain de.cloud.dxang.com hosting Mirai malware for MIPS architectures with soft-float support, indicating targeting of specific embedded Linux systems.
GitHub and GitLab repositories hosting encoded stealer malware, alongside ClearFake browser update scams and WsgiDAV-based distribution infrastructure.
GitHub repository 'Respalditoxd122/cmd' hosting multiple encoded VBS stealer scripts with filenames mimicking legitimate .NET executables (RegSvcs, RegAsm, AddInProcess32, cvtres). This technique abuses trusted code repositories to host malware.
GitLab repository hosting encoded stealer malware disguised as legitimate Windows system files. Use of both GitHub and GitLab suggests campaign redundancy and evasion of single-platform takedowns.
Domains space-debris-trajectory.garden and meteorite-crater-safari.garden hosting ClearFake malware, a social engineering attack that presents fake browser update prompts to deliver malware.
Multiple servers (dev1-revitavive.com, 3bra.solonettochka.ru, 87.120.219.224, slotmy-send.tech) running WsgiDAV, a WebDAV server, to distribute MSI installers and malicious LNK files. WebDAV abuse enables remote file access and execution, since Windows can open a WebDAV share as a network path.
Observed campaigns utilize diverse delivery mechanisms including repository abuse, WebDAV protocols, and multi-architecture payload distribution.
IoT botnet operators distribute payloads for ARM, MIPS, x86, PowerPC, M68K, and SH4 architectures, ensuring maximum device compatibility across heterogeneous IoT environments including routers, cameras, DVRs, and industrial systems.
Threat actors leverage GitHub and GitLab to host encoded malware payloads, exploiting trust in legitimate development platforms. This technique complicates detection and takedown efforts while bypassing traditional web filtering, because traffic to these platforms is rarely blocked.
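As an added example (not part of the briefing or the abuse.ch feeds), the triage logic below groups URLhaus-style feed rows by host and flags two of the patterns described above: hosts staging binaries for several CPU architectures (typical Mirai/Gafgyt infrastructure) and hosts tagged WsgiDAV that serve MSI or LNK files. The sample rows reuse hostnames from the briefing, but the paths and tags are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample rows shaped like an abuse.ch URLhaus export
# (url, threat, tags). Hosts come from the briefing; paths and tags are
# illustrative, not observed values.
SAMPLE_ROWS = [
    ("http://cdn-assets.xyz/bins/mirai.arm7", "malware_download", "elf,mirai,ua-wget"),
    ("http://cdn-assets.xyz/bins/mirai.mips", "malware_download", "elf,mirai"),
    ("http://cdn-assets.xyz/bins/mirai.x86", "malware_download", "elf,mirai"),
    ("http://cdn-assets.xyz/bins/mirai.sh4", "malware_download", "elf,mirai"),
    ("http://176.65.139.186/mirai.ppc", "malware_download", "elf,mirai"),
    ("http://176.65.139.186/mirai.mpsl", "malware_download", "elf,mirai"),
    ("http://slotmy-send.tech/share/invoice.lnk", "malware_download", "lnk,WsgiDAV"),
    ("http://slotmy-send.tech/share/setup.msi", "malware_download", "msi,WsgiDAV"),
    ("http://example.invalid/update.exe", "malware_download", "exe"),
]

# Filename suffixes IoT botnet droppers commonly use for each CPU family.
ARCH_TOKENS = {
    "arm": r"arm(?:v?[4-7]l?)?", "mips": r"mips|mpsl|mipsel",
    "x86": r"x86|i[3-6]86|x86_64", "ppc": r"ppc|powerpc",
    "m68k": r"m68k", "sh4": r"sh4",
}

def arch_of(url):
    """Infer the target architecture from the payload filename, or None."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    for arch, pat in ARCH_TOKENS.items():
        if re.search(rf"(?:^|[._-])(?:{pat})$", name):
            return arch
    return None

def triage(rows):
    """Group feed rows by host and flag multi-arch staging and WebDAV delivery."""
    archs, webdav = defaultdict(set), defaultdict(set)
    for url, _threat, tags in rows:
        host = urlparse(url).hostname
        tagset = {t.strip().lower() for t in tags.split(",")}
        arch = arch_of(url)
        if arch:
            archs[host].add(arch)
        ext = urlparse(url).path.rsplit(".", 1)[-1].lower()
        if "wsgidav" in tagset and ext in ("msi", "lnk"):
            webdav[host].add(ext)
    return {
        "multi_arch_staging": {h: sorted(a) for h, a in archs.items() if len(a) >= 2},
        "webdav_delivery": {h: sorted(e) for h, e in webdav.items()},
    }
```

Running `triage(SAMPLE_ROWS)` flags cdn-assets.xyz and 176.65.139.186 as multi-architecture staging hosts and slotmy-send.tech as a WebDAV delivery host, while the single-binary host is left unflagged.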
These briefings are compiled from publicly available threat-intelligence feeds, which may include CISA KEV, NIST NVD, the GitHub Advisory Database (OSV), abuse.ch, and Wordfence Intelligence. Data-breach and credential-leak items may include data from Have I Been Pwned and ransomware.live.
CVE® is a registered trademark of The MITRE Corporation. CVE Records are © The MITRE Corporation, reproduced under the CVE Program Terms of Use. WordPress vulnerability data is provided by Wordfence Intelligence, © Defiant, Inc. Breach data from Have I Been Pwned is licensed under CC BY 4.0.