This briefing covers threat intelligence findings for May 21, 2026. The primary concerns identified are two critical vulnerabilities requiring immediate attention and sustained malware distribution activity targeting IoT infrastructure. Vulnerabilities have been disclosed in the Trend Micro Apex One and Langflow platforms that enable pre-authenticated attacks, with the Trend Micro flaw allowing malicious code injection across managed endpoints. Concurrently, threat actors continue to target internet-facing devices through Mozi botnet variants and to deliver malware through ClearFake campaigns, with 50 malicious indicators detected across URLhaus feeds.
The Mozi botnet remains the dominant IoT threat, comprising approximately 70% of observed malware distribution activity. Multiple architecture variants (MIPS, ARM, ELF) demonstrate continued targeting of diverse embedded systems and routers. ClearFake campaigns utilizing fake browser update prompts represent the second major threat vector, leveraging compromised infrastructure across multiple domains. Additional commodity malware distribution includes Mirai variants, Amadey droppers, and ScreenConnect RMM tool abuse.
Organizations should prioritize patching the identified Trend Micro and Langflow vulnerabilities, particularly in environments with Apex One deployments where the directory traversal flaw could enable widespread agent compromise. Network defenders should implement enhanced monitoring for IoT device communications and block the identified malicious infrastructure to prevent botnet enrollment and malware delivery.
Two significant vulnerabilities were disclosed affecting enterprise security and application development platforms, both enabling pre-authenticated attacks.
Pre-authenticated local attackers can exploit a directory traversal vulnerability to modify key tables on Apex One servers, enabling malicious code deployment to all managed agents across the installation. This vulnerability poses a severe risk to organizations using on-premises deployments, as it could enable enterprise-wide compromise.
An overly permissive CORS configuration combined with SameSite=None cookie settings allows malicious webpages to perform authenticated cross-origin requests against the refresh endpoint. Attackers can exploit this to hijack user sessions and gain unauthorized access to Langflow instances.
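To make the Langflow finding concrete from the defender's side, the following added example (not Langflow's code, and not taken from the advisory) contrasts the weak pattern of reflecting any Origin with credentials allowed against an allowlisted policy, and adds an audit check that reports whether a given origin could read an authenticated response. The allowlist entries and the `credentialed_cross_origin_read` check are assumptions constructed for this example.

```python
"""Added example: CORS policy generation and an audit check for credentialed
cross-origin reads. Not the Langflow project's code; the allowlist and the
helper names are constructed for this example."""
from urllib.parse import urlsplit

# Constructed allowlist of origins permitted to make credentialed requests.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_permissive(origin):
    """The weak pattern: reflect whatever Origin arrives and allow credentials.
    With SameSite=None session cookies, any page can make authenticated
    requests to the API and read the responses."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_strict(origin):
    """Hardened pattern: only an exact, https, allowlisted origin gets
    credentialed CORS headers; anything else gets no CORS headers at all."""
    if origin is None:
        return {}
    parts = urlsplit(origin)
    # Compare the full scheme://host[:port], never a substring or suffix,
    # so "app.example.com.evil.example" cannot match "app.example.com".
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if parts.scheme != "https" or normalized not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        # Responses differ per origin, so caches must key on Origin.
        "Vary": "Origin",
    }


def credentialed_cross_origin_read(origin, headers, cookie_samesite):
    """Audit check: True if a page at `origin` can send the session cookie
    cross-site with fetch/XHR AND read the response body.

    Browsers require an exact Origin echo (not "*") plus
    Access-Control-Allow-Credentials: true for a credentialed read, and only
    SameSite=None cookies are attached to cross-site fetch requests."""
    acao = headers.get("Access-Control-Allow-Origin")
    acac = headers.get("Access-Control-Allow-Credentials", "").lower()
    if acao is None or acao == "*" or acao.lower() != origin.lower():
        return False
    if acac != "true":
        return False
    return cookie_samesite.lower() == "none"


if __name__ == "__main__":
    attacker = "https://evil.example"
    for name, policy in (("permissive", cors_headers_permissive),
                         ("strict", cors_headers_strict)):
        exposed = credentialed_cross_origin_read(attacker, policy(attacker), "None")
        print(f"{name:10s} policy, SameSite=None cookie: exposed={exposed}")
```

The audit function is what you would run over captured response headers and the session cookie's attributes: if it returns True for an origin you do not control, the refresh endpoint (or any credentialed endpoint) is reachable from arbitrary pages. Fixing either half (an exact allowlist, or a SameSite=Lax/Strict cookie) closes the cross-site read, and the strict policy does both.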
Extensive Mozi botnet infrastructure continues targeting IoT devices across multiple architectures, accompanied by ClearFake browser update scams and commodity malware campaigns.
35 unique Mozi botnet distribution URLs were detected delivering payloads for MIPS and ARM architectures. The campaigns target routers, cameras, and embedded systems through known vulnerabilities. The infrastructure spans multiple geographic regions, with campaigns using ports in the 30000-60000 range for payload delivery.
Seven ClearFake malware distribution URLs were identified using social engineering tactics to trick users into downloading malicious payloads disguised as browser updates. The domains use Christmas-themed subdomains (runtime-nexus.digital, christmas TLD) to appear legitimate during distribution.
Four Mirai-related distribution URLs were detected targeting vulnerable IoT devices. Overlapping infrastructure with the Mozi campaigns suggests shared exploitation techniques and potential infrastructure reuse by multiple threat actors.
Two Amadey-dropped payloads were identified on 91.92.242.236 infrastructure, indicating active infection chains. Amadey typically serves as an initial access mechanism for ransomware and information stealers, so these payloads represent a potential precursor to more severe compromises.
A ScreenConnect MSI installer hosted on suspicious infrastructure (app.idanburuku.sbs) indicates potential abuse of a legitimate RMM tool for unauthorized remote access. This technique is increasingly used by ransomware operators and APT groups for persistence.
Multiple compromised and purpose-built domains serving malicious JavaScript and PowerShell payloads for initial access and execution.
Six legitimate business domains were compromised to host malicious JavaScript files (Aj.js, Lorgnon.pcz), including fele.com.de, franklinfuelings.com, variovac.com.de, and cantieridelmediterraneo.it.com. These scripts likely serve as initial infection vectors for drive-by downloads or credential harvesting.
A PowerShell installer script (install.ps1) and a batch command file (AC.cmd) were found hosted on 89.124.94.238:8888 with an authentication key parameter, indicating a multi-stage infection process. They are likely used to establish initial access and deliver follow-on payloads.