On May 18, 2026, malware distribution activity remained elevated with 49 malicious URLs identified through abuse.ch feeds. The threat landscape was dominated by IoT-targeting botnets, particularly Mozi and Mirai variants, alongside browser-based social engineering campaigns using ClearFake malware. No critical vulnerabilities, KEV additions, or law enforcement infrastructure seizures were reported during this 24-hour period.
Mozi botnet infrastructure exhibited the highest activity volume with 32 distinct malware distribution endpoints targeting IoT devices across multiple architectures including MIPS, ARM, and x86 platforms. The VaxBot malware variant demonstrated cross-platform capabilities with payloads compiled for 14 different processor architectures. ClearFake social engineering campaigns continued using typosquatted .garden TLD domains to distribute fake browser update prompts. Organizations should prioritize securing internet-facing IoT devices and implementing network-based blocking of identified indicators.
Extensive Mozi and Mirai botnet distribution activity targeting vulnerable IoT devices across multiple processor architectures
32 active Mozi botnet distribution URLs identified targeting primarily MIPS-based IoT devices. Infrastructure spans Chinese IP space with endpoints serving both shell scripts and compiled ELF binaries. Indicators suggest ongoing propagation through known IoT vulnerabilities.
Single distribution server (142.248.80.144) hosting VaxBot malware compiled for 14 different processor architectures including x86_64, ARM, MIPS, RISC-V, and embedded platforms. Suggests automated cross-compilation infrastructure for broad IoT device targeting.
Mirai botnet infrastructure active on domain isellchildren.online distributing ELF payloads. Domain naming suggests the threat actor uses provocative naming conventions. Multiple architecture variants available.
Traditional Mirai distribution endpoint on IP 42.233.91.26 serving malware payloads. Represents ongoing commodity botnet activity targeting default credentials and unpatched IoT devices.
Multiple ClearFake campaign URLs using typosquatted .garden TLD domains to deliver fake browser update prompts
Seven distinct ClearFake distribution URLs identified using .garden TLD domains with randomly generated subdomains. Campaigns impersonate Google services (google.cl references) to deliver malicious payloads through fake browser update social engineering. An additional domain, signal-vault.digital, was also observed.
Analysis of threat actor methodologies and infrastructure patterns observed in malware distribution campaigns
VaxBot distribution demonstrates sophisticated build infrastructure capable of producing malware for 14 distinct processor architectures from a single codebase. Indicates a professional development environment with automated cross-compilation toolchains targeting maximum IoT device compatibility.
Mozi and related botnet infrastructure consistently uses non-standard high-numbered ports (35000-60000 range) for malware distribution. Technique likely employed to evade basic firewall rules and network monitoring focused on common service ports.
Significant concentration of malware distribution infrastructure within Chinese IP address ranges, particularly for Mozi botnet operations. May indicate compromised residential/SOHO routers being leveraged for malware hosting and distribution.
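The two distribution patterns described above (architecture-named ELF/shell payloads fetched from raw IPs on non-standard high ports, and fake browser-update lures on .garden domains) can be turned into a simple egress-log triage rule. The following is an added example, not code from the report or from abuse.ch; the log format, payload-name regex and the sample lines are all constructed assumptions, and the tag names are invented for illustration.

```python
"""Triage proxy/egress logs for the IoT-dropper and ClearFake lure patterns
described in this report. All sample data below is constructed."""
import re
from urllib.parse import urlparse

HIGH_PORTS = range(35000, 60001)  # non-standard port range noted in the report
# Assumed payload naming: shell stagers, ELF files, or architecture-named binaries.
ARCH_PAYLOAD = re.compile(
    r"(?:\.sh|\.elf|\b(?:mips|mipsel|arm[4-7]?|aarch64|x86_64|i[36]86|riscv\d*))$",
    re.I)
LURE_PATH = re.compile(r"update|chrome|firefox|browser", re.I)
LURE_TLD = ".garden"
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Assumed log format: "<timestamp> <client_ip> <method> <url> <status>".
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify(url: str) -> set:
    """Return the set of pattern tags a URL matches (empty set if none)."""
    tags = set()
    p = urlparse(url)
    host, port, path = p.hostname or "", p.port, p.path
    payload_like = ARCH_PAYLOAD.search(path) is not None
    if port is not None and port in HIGH_PORTS and payload_like:
        tags.add("iot-dropper-highport")  # Mozi/VaxBot-style high-port hosting
    if IPV4.fullmatch(host) and payload_like:
        tags.add("iot-dropper-rawip")     # Mirai-style payload served from bare IP
    if host.endswith(LURE_TLD) and LURE_PATH.search(path):
        tags.add("clearfake-fake-update")  # fake browser update lure on .garden
    return tags

def scan(lines) -> list:
    """Return (client_ip, url, sorted_tags) for every log line that matches."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, _status = m.groups()
        tags = classify(url)
        if tags:
            hits.append((client, url, sorted(tags)))
    return hits

# Constructed sample log lines using documentation IPs and a placeholder domain.
SAMPLE_LOGS = [
    "2026-05-18T03:14:07Z 10.20.30.5 GET http://192.0.2.10:41234/bins/mips 200",
    "2026-05-18T03:14:09Z 10.20.30.5 GET http://192.0.2.10:41234/x.sh 200",
    "2026-05-18T04:02:11Z 10.20.40.8 GET https://a1b2c3.not-a-real-site.garden/update/chrome.html 200",
    "2026-05-18T04:03:00Z 10.20.40.8 GET https://www.example.com/index.html 200",
    "2026-05-18T05:10:22Z 10.20.30.9 GET http://198.51.100.7/arm7 200",
]
```

Run this only against traffic from the IoT or guest segment; applied to general user egress, the high-port heuristic alone will match legitimate ephemeral-port connections, so the payload-name condition is what keeps it usable.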