On May 17, 2026, threat intelligence monitoring identified 50 malicious URLs actively distributing malware, primarily targeting IoT devices and Linux systems. The dominant threat vectors include Mirai botnet variants and the Mozi botnet, with multiple infrastructure hosts serving payloads compiled for diverse processor architectures including ARM, MIPS, PowerPC, and x86. This activity indicates ongoing campaigns to compromise vulnerable embedded devices for DDoS botnets and other malicious purposes.
Three primary distribution infrastructures were observed: 43.251.116.156, 192.109.200.122, and multiple dynamic DNS domains (js.byxly.eu.cc, toomanyways.duckdns.org). The attackers demonstrate a mature multi-architecture staging capability: each server hosts several architecture-specific binaries, enabling broad device compromise across heterogeneous IoT ecosystems. One ClearFake campaign URL was also identified, representing a separate social engineering threat vector. Organizations with exposed IoT devices, embedded systems, or Linux infrastructure should implement immediate defensive measures including network segmentation, firmware updates, and enhanced monitoring for connections to the identified malicious infrastructure.
Multiple active malware distribution servers hosting Mirai and Mozi botnet variants targeting IoT and embedded devices across diverse processor architectures.
Active malware distribution server at 43.251.116.156:82 hosting Mirai botnet payloads for ARM7, ARM5, MIPS, PowerPC, SPARC, and ARC architectures. Eight distinct payload variants were identified, indicating targeting of diverse IoT device types.
Distribution server hosting malware binaries for x86, ARM7, MIPS, and MIPSLE architectures, including Windows executables (bot.exe, bot_x86.exe). Cross-platform targeting suggests broad IoT and desktop compromise objectives.
Two dynamic DNS domains (js.byxly.eu.cc and toomanyways.duckdns.org) hosting comprehensive Mirai payload collections targeting 10+ processor architectures including ARM, MIPS, x86_64, PowerPC, SPARC, and SH4. Download scripts suggest automated infection capability.
Multiple IP addresses (183.23.130.117, 125.47.69.118, 110.37.68.65, 125.45.10.78, 110.36.2.23) distributing Mozi botnet shell scripts (bin.sh) targeting 32-bit MIPS and ARM architectures. Mozi is a peer-to-peer botnet known for aggressive IoT propagation.
Multiple servers (45.153.34.93, 176.65.139.114, 176.65.139.121, 94.26.106.137, 64.89.163.218) distributing ELF malware including Mirai and Gafgyt variants. User-agent strings indicate wget-based download mechanisms common in IoT exploitation.
ClearFake malware distribution URL identified at cntainrs-folders-giped-green-hub.garden. ClearFake campaigns typically use fake browser update prompts to deliver malware, targeting end users through social engineering.
Analysis of malware distribution infrastructure reveals sophisticated operational patterns including multi-architecture payload staging and dynamic DNS abuse.
Threat actors demonstrate advanced capability by pre-compiling malware for 10+ processor architectures (ARM5/6/7, MIPS/MIPSLE, x86/x86_64, PowerPC, SPARC, SH4, m68k, ARC). This enables exploitation across diverse IoT ecosystems including routers, cameras, DVRs, and embedded Linux systems.
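The monitoring recommendation above and the architecture-named payload pattern described here can be turned into a simple proxy-log triage. The following is an added example, not part of the report: it matches the report's listed hosts and adds two behavioural signals (an architecture-named or dropper-named file, and a wget/curl style client) so that unknown staging hosts are still surfaced. The log format, the 10.0.0.x source addresses and the 203.0.113.40 host are constructed for the sample.

```python
import re
from urllib.parse import urlsplit
# Hosts named in the report above (its IoC list).
IOC_HOSTS = {
    "43.251.116.156", "192.109.200.122", "js.byxly.eu.cc", "toomanyways.duckdns.org",
    "183.23.130.117", "125.47.69.118", "110.37.68.65", "125.45.10.78", "110.36.2.23",
    "45.153.34.93", "176.65.139.114", "176.65.139.121", "94.26.106.137", "64.89.163.218",
    "cntainrs-folders-giped-green-hub.garden",
}
# CPU names the report says payloads are built for; Mirai-style droppers name binaries by target CPU.
ARCH_TOKENS = {"arm", "arm5", "arm6", "arm7", "mips", "mipsel", "mipsle", "x86",
               "x86_64", "ppc", "powerpc", "sparc", "sh4", "m68k", "arc"}
DROPPER_NAMES = {"bin.sh", "bot.exe", "bot_x86.exe"}  # file names quoted in the report
# Assumed (constructed) proxy log format: <ts> <src_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) "([^"]*)"$')

def classify(line):
    """Return (src_ip, url, severity, reasons) or None if the line is benign/unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ts, src, _method, url, _status, ua = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    fname = parts.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("known_ioc_host")
    if fname in DROPPER_NAMES:
        reasons.append("dropper_filename")
    if set(re.split(r"[._-]", fname)) & ARCH_TOKENS:
        reasons.append("arch_named_payload")
    if ua.lower().startswith(("wget", "curl")):  # wget-style fetches noted in the report
        reasons.append("cli_fetch_client")
    # A report host is actionable alone; otherwise require two behavioural signals to limit noise.
    if "known_ioc_host" in reasons:
        return (src, url, "high", reasons)
    if len(reasons) >= 2:
        return (src, url, "medium", reasons)
    return None

def triage(lines):
    return [hit for hit in map(classify, lines) if hit]

SAMPLE_LOG = [  # constructed lines; 10.0.0.x sources and 203.0.113.40 are not in the report
    '2026-05-17T10:01:02Z 10.0.0.5 GET http://43.251.116.156:82/arm7 200 "Wget/1.21.1"',
    '2026-05-17T10:02:10Z 10.0.0.7 GET http://js.byxly.eu.cc/mips 200 "curl/8.4.0"',
    '2026-05-17T10:03:33Z 10.0.0.9 GET http://203.0.113.40/bin.sh 200 "Wget/1.20.3"',
    '2026-05-17T10:04:00Z 10.0.0.12 GET https://example.com/sparc.html 200 "Mozilla/5.0"',
]
```

Running `triage(SAMPLE_LOG)` flags the first two lines as high (report infrastructure), the third as medium (dropper name fetched by wget from an unlisted host), and ignores the fourth, whose only signal is a file name containing "sparc".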