This threat intelligence briefing covers activity observed on May 22, 2026. The most critical finding is CVE-2026-9082, a SQL injection vulnerability in Drupal Core that enables privilege escalation and remote code execution. Organizations running Drupal should prioritize patching this vulnerability immediately. Additionally, significant malware distribution activity was detected across 49 malicious URLs, primarily delivering IoT botnet malware including Mirai and Mozi variants targeting multiple architectures, as well as ClearFake malware campaigns using compromised Christmas-themed domains.
The threat landscape shows continued targeting of IoT devices through ELF malware variants compiled for ARM, MIPS, x86, and other embedded system architectures. The Mozi botnet remains highly active with 18 distinct download URLs observed. ClearFake campaigns demonstrate ongoing social engineering efforts using seasonal domain themes. The combination of a critical CMS vulnerability and aggressive IoT botnet activity indicates elevated risk for both web-facing applications and network-connected devices.
One critical vulnerability affecting Drupal Core CMS was added to the Known Exploited Vulnerabilities catalog, indicating active or imminent exploitation.
Drupal Core contains a critical SQL injection vulnerability in the database abstraction API that allows attackers to escalate privileges and achieve remote code execution via specially crafted requests. This vulnerability poses significant risk to all Drupal installations and has been added to CISA's KEV catalog.
Extensive malware distribution infrastructure was observed delivering multiple IoT botnet families targeting embedded devices across various architectures.
Eighteen active URLs were observed distributing Mozi botnet malware compiled for ARM and MIPS architectures. The delivery infrastructure spans IP ranges in China (123.188.88.173, 39.74.106.57, 218.91.141.211, and others). Mozi continues to target vulnerable IoT devices for DDoS and proxy operations.
Multiple Mirai and DDoS agent variants were delivered from IP 176.65.139.182 under the 'phantom' naming scheme. The binaries are compiled for x86, i686, ARM (multiple versions), MIPS, and PowerPC architectures. This broad architecture coverage indicates an attempt to compromise as wide a range of IoT devices as possible.
A distribution server at 165.227.155.54 hosts the 'Space' malware family with binaries for 14 different architectures, including SPARC, M68K, SH4, and the standard ARM/MIPS/x86 variants. The breadth of architecture support suggests targeting of diverse embedded systems and IoT devices.
Seven malicious URLs on Christmas-themed domains were observed distributing ClearFake malware, including trading-academyexpert.christmas, vintagevinylrestoration.christmas, pixelart-canvas.christmas, and others. ClearFake typically relies on fake browser update prompts as its social engineering lure. The use of seasonal domains suggests targeting during holiday shopping periods.
Analysis of observed threat activity reveals key adversary techniques focused on IoT exploitation, web application attacks, and social engineering.
CVE-2026-9082 demonstrates continued adversary focus on exploiting web application vulnerabilities, specifically SQL injection flaws, to gain initial access and escalate privileges in content management systems. Organizations should review how their database queries are constructed and ensure that user-controlled input is validated and passed as parameters rather than concatenated into query strings.
Threat actors are deploying ELF malware compiled for 10+ processor architectures to maximize IoT device compromise success rates. This technique enables botnet operators to recruit devices regardless of underlying hardware, significantly expanding their potential victim pool across routers, cameras, DVRs, and other connected devices.
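As an added defender's example (not code from the briefing), the script below reads the ELF header of each dropped file to identify its target architecture, bit width, endianness and object type, which lets a responder sort a multi-architecture drop such as the 'phantom' or 'Space' sets by machine type before deciding which sandbox to run them in. The sample headers and file names are constructed here for illustration.

```python
import struct

# EM_* values from the ELF specification, covering the architectures
# named in this briefing (subset; unknown values are reported as such).
EM_NAMES = {
    2: "SPARC", 3: "x86", 4: "M68K", 8: "MIPS", 20: "PowerPC",
    40: "ARM", 42: "SH", 62: "x86-64", 183: "AArch64",
}
ET_NAMES = {1: "REL", 2: "EXEC", 3: "DYN"}

def elf_target(data: bytes):
    """Return arch/bits/endianness/type parsed from an ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None                               # malformed identification bytes
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine sit at offset 16 in both ELF32 and ELF64 headers.
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "arch": EM_NAMES.get(e_machine, f"unknown(0x{e_machine:x})"),
        "bits": 32 if ei_class == 1 else 64,
        "endian": "LE" if ei_data == 1 else "BE",
        "type": ET_NAMES.get(e_type, f"unknown({e_type})"),
    }

def make_header(ei_class, ei_data, e_machine, e_type=2):
    """Build a minimal ELF header: constructed test data, not a real binary."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    return ident + struct.pack(endian + "HHI", e_type, e_machine, 1)

def triage(samples):
    """Map each file name to a one-line description, flagging non-ELF files."""
    out = {}
    for name, data in samples.items():
        info = elf_target(data)
        out[name] = ("not ELF" if info is None else
                     f"{info['arch']} {info['bits']}-bit {info['endian']} {info['type']}")
    return out

SAMPLES = {  # constructed headers mimicking a multi-architecture drop (hypothetical names)
    "phantom.arm": make_header(1, 1, 40),
    "phantom.mips": make_header(1, 2, 8),
    "phantom.x86": make_header(1, 1, 3),
    "space.sparc": make_header(1, 2, 2),
    "space.x86_64": make_header(2, 1, 62, e_type=3),
    "notes.txt": b"hello",
}

if __name__ == "__main__":
    for name, desc in triage(SAMPLES).items():
        print(f"{name:14} {desc}")
```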
ClearFake operators registered multiple Christmas-themed domains (.christmas TLD) to enhance credibility of fake update notifications and increase victim trust during holiday seasons. This demonstrates adversary adaptation of social engineering lures to temporal and cultural contexts.