On May 19, 2026, threat intelligence monitoring identified 51 malicious indicators from URLhaus, representing active malware distribution campaigns; no critical vulnerabilities, KEV entries, or major threat actor infrastructure disruptions were reported during this period. The dominant threat activity consists of IoT-targeted Mozi botnet propagation and ClearFake social engineering campaigns. Mozi malware continues to exploit IoT devices with ELF payloads built for multiple architectures (MIPS, ARM), while ClearFake leverages compromised or malicious domains on .garden TLDs to deliver fake browser update prompts. Additional threats include Mirai botnet variants, Amadey dropper activity, and RAT deployments (PureHVNC/PureRAT). The concentration of IoT malware and social engineering attacks highlights the persistent targeting of under-secured network devices and end users through low-sophistication but effective distribution methods.
Significant IoT malware distribution targeting embedded devices across multiple architectures
41 distinct Mozi malware download URLs were identified targeting IoT devices with MIPS and ARM architectures. The hosting infrastructure spans multiple ASNs, with Chinese IP space predominant. Mozi continues to self-propagate despite the seizure of its botnet controllers in 2021, indicating the resilience of its P2P design.
Multiple indicators show Mirai botnet variants co-existing with Mozi infections on ARM-based IoT devices. Dual infections suggest compromised devices being recruited into multiple botnets simultaneously.
Active ClearFake operations using fake browser updates to distribute malware
Eight ClearFake indicators were detected using .garden TLD domains with obfuscated paths. The campaign targets users with fake browser/system update prompts. The domains follow a naming pattern suggesting automated generation (e.g., 'bagansi-wild-flowr-manage-form.garden').
Additional ClearFake distribution identified on .digital TLD (gothiccathedralblueprint.digital), indicating campaign diversification beyond .garden domains to evade detection and domain blocking.
Remote access trojans and dropper malware observed in active distribution
RAT payload hosted on Cloudflare Workers infrastructure (fsocietyandtools.workers.dev) delivering PureHVNC and PureRAT. Use of legitimate CDN services complicates blocking and indicates adversary infrastructure abuse.
Amadey botnet dropper observed downloading secondary executable payload (random.exe) from compromised infrastructure. Amadey typically delivers ransomware, stealers, or additional backdoors as follow-on payloads.
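The signals called out across this summary (IoT ELF droppers named for their target architecture, hyphenated multi-word names on .garden/.digital TLDs, payloads hosted on a shared zone such as workers.dev that cannot be blocked wholesale, and Windows PE droppers) can be turned into a small triage pass over a URLhaus-style export. The script below is an added example written for this page, not URLhaus tooling or code from any of the campaigns described. The CSV rows are constructed: the hostnames are reused from the summary, but the ids, IP addresses (from documentation ranges) and URL paths are placeholders, and the heuristics (`SUSPICIOUS_TLDS`, `IOT_ARCH_HINTS`, the hyphen threshold) are assumptions a team would tune to its own data.

```python
"""Triage URLhaus-style indicator rows into blocking signals.

Added example for this summary; the sample data is constructed and the
heuristics are assumptions, not URLhaus's own classification.
"""
import csv
import io
import ipaddress
from collections import Counter
from urllib.parse import urlparse

# Constructed sample in the shape of a URLhaus CSV export (id, url, tags).
# Hostnames come from the summary; ids, IPs and paths are placeholders.
SAMPLE_CSV = """id,url,tags
1,http://198.51.100.10:8080/Mozi.m,elf mozi mips
2,http://203.0.113.5/bins/Mozi.a,elf mozi arm
3,http://203.0.113.5/bins/mirai.arm7,elf mirai arm
4,https://bagansi-wild-flowr-manage-form.garden/update.php,ClearFake
5,https://gothiccathedralblueprint.digital/x/payload.js,ClearFake
6,https://fsocietyandtools.workers.dev/client.exe,PureHVNC PureRAT
7,http://192.0.2.77/random.exe,Amadey exe
"""

# Assumed watch-list of TLDs seen in this campaign set.
SUSPICIOUS_TLDS = {"garden", "digital"}
# Shared zones where only the specific host/URL should be blocked, not the parent.
SHARED_HOSTING_SUFFIXES = ("workers.dev",)
# Architecture suffixes commonly used for Linux IoT dropper binaries (assumed list).
IOT_ARCH_HINTS = {"mips", "mpsl", "arm", "arm5", "arm7", "x86", "sh4", "ppc"}
KNOWN_FAMILIES = {"mozi", "mirai", "clearfake", "amadey", "purehvnc", "purerat"}


def is_shared_host(host):
    """True if host sits under a zone that cannot be blocked as a whole."""
    return any(host == s or host.endswith("." + s) for s in SHARED_HOSTING_SUFFIXES)


def classify_url(url):
    """Return the set of heuristic signal tags for one indicator URL."""
    tags = set()
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path.lower()
    filename = path.rsplit("/", 1)[-1]
    extension = filename.rsplit(".", 1)[-1] if "." in filename else ""
    labels = host.split(".")

    try:  # literal IP hosts are typical of compromised/short-lived drop servers
        ipaddress.ip_address(host)
        tags.add("ip-host")
    except ValueError:
        tld = labels[-1] if len(labels) > 1 else ""
        if tld in SUSPICIOUS_TLDS:
            tags.add("suspicious-tld")
            # Registrable label with 3+ hyphen-separated words looks machine-generated.
            if labels[-2].count("-") >= 2:
                tags.add("auto-generated-name")
    if is_shared_host(host):
        tags.add("shared-hosting")
    if extension == "exe":
        tags.add("windows-pe")
    if "mozi" in filename or "mirai" in filename or extension in IOT_ARCH_HINTS:
        tags.add("iot-elf")
    return tags


def triage(csv_text):
    """Tag every row and return signal counts, family counts and per-row tags."""
    signals, families, rows = Counter(), Counter(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tags = classify_url(row["url"])
        signals.update(tags)
        families.update(t for t in row["tags"].lower().split() if t in KNOWN_FAMILIES)
        rows.append((row["id"], urlparse(row["url"]).hostname, sorted(tags)))
    return {"signals": signals, "families": families, "rows": rows}


def block_list(csv_text):
    """Split indicators into DNS-level host blocks and URL-only blocks.

    Hosts on shared zones (e.g. workers.dev) are blocked by exact URL so the
    legitimate parent zone stays reachable.
    """
    dns_block, url_block = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = urlparse(row["url"]).hostname or ""
        if is_shared_host(host):
            url_block.append(row["url"])
        elif host not in dns_block:
            dns_block.append(host)
    return {"dns_block": dns_block, "url_block": url_block}


if __name__ == "__main__":
    result = triage(SAMPLE_CSV)
    print("signals:", dict(result["signals"]))
    print("families:", dict(result["families"]))
    for row in result["rows"]:
        print(row)
    print(block_list(SAMPLE_CSV))
```

The split in `block_list` is the operational point from the Cloudflare Workers finding: an indicator on a shared zone goes to the proxy/URL filter, while dedicated drop hosts and campaign domains can go straight to DNS sinkholing. The `auto-generated-name` tag is deliberately a weak signal on its own and is meant to be combined with the TLD match, as it is here.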