Threat intelligence analysis for May 23, 2026 reveals sustained botnet activity dominated by Mozi and Mirai malware families targeting IoT devices across multiple architectures. The threat landscape shows 50 malicious URLs actively distributing malware payloads, with a notable concentration on MIPS and ARM-based IoT devices. Additional activity includes ClearFake social engineering campaigns and Phorpiex dropper operations. The continued prevalence of Mozi botnet infrastructure, despite law enforcement disruptions in previous years, indicates persistent threat actor interest in IoT compromise for DDoS and cryptomining operations.
The technical indicators reveal a multi-architecture strategy: threat actors deploy payloads built for MIPS, ARM, x86, PowerPC, SPARC, SuperH, and m68k, covering most of the CPU families found in consumer and industrial IoT devices. A cluster of 13 architecture-specific Mirai builds hosted on 160.119.71.16 points to an active botnet recruitment campaign. Further concern stems from credential harvesting via the Vidar stealer distributed through Amadey loader infrastructure, and from ClearFake campaigns using typosquatted domains for malware delivery.
Organizations should prioritize IoT device hardening (change default credentials, disable telnet where possible, restrict management interfaces to trusted networks), segment embedded systems from user and server networks, and monitor for the indicators listed here. No new critical vulnerabilities or CISA Known Exploited Vulnerabilities (KEV) entries accompanied this activity, which suggests the actors are relying on existing attack vectors, chiefly weak credentials and already-known device vulnerabilities, rather than zero-day exploitation.
Significant IoT-focused malware distribution activity with Mozi and Mirai variants dominating the threat landscape across multiple device architectures.
Over 35 active URLs distributing Mozi botnet payloads targeting MIPS and ARM architectures. Infrastructure spans multiple compromised IoT devices across Asian IP ranges, indicating ongoing botnet expansion activities.
Coordinated Mirai campaign hosted on 160.119.71.16 delivering 13 architecture-specific payloads (MIPS, ARM, x86, PowerPC, SPARC, SuperH, m68k). Shell script dropper (sssss.sh) suggests automated cross-platform infection methodology.
Vidar information stealer (9d2ca3 variant) distributed through Amadey loader infrastructure at 91.92.242.236. Vidar targets credentials, browser data, cryptocurrency wallets, and two-factor authentication tokens.
Active ClearFake distribution via the typosquatted domain holisticdetective.christmas using a human-verification lure. ClearFake historically impersonated browser update prompts; its verification-themed pages instead ask the visitor to prove they are human by pasting a pre-filled command into the Run dialog or a terminal, which executes the payload without a conventional file download.
Active Phorpiex dropper infrastructure observed at 130.12.180.190. Phorpiex typically distributes ransomware, clippers, and additional malware payloads while establishing persistence for spam operations.
Analysis of observed distribution methods reveals IoT exploitation techniques and multi-stage infection chains targeting embedded systems.
Mozi and Mirai campaigns leverage known default credentials and weak authentication on IoT devices. The high-numbered ports in the Mozi download URLs (32919-57021) are not a sign of port scanning; they are consistent with payloads being served directly from previously infected devices, since a Mozi node opens an HTTP listener on a random high port to hand the binary to newly compromised peers. The credential brute-forcing itself still targets the standard telnet (23/2323) and SSH (22) services, so download requests from internal devices to external IPs on ports in the ephemeral range are a useful detection signal on their own.
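The clustering and port observations above can be reproduced from a raw URL feed. The script below is an added example, not part of the briefing or any vendor tool: it parses a list of distribution URLs, groups them by hosting server, and flags hosts that serve from ephemeral ports or that host a shell dropper alongside the binaries. The feed it runs on is constructed from RFC 5737 documentation addresses and the 32768 threshold is the Linux default ephemeral-port floor; both are assumptions, not indicators from the page.

```python
"""Cluster malware-distribution URLs by hosting server.

Added example, not from the briefing. The feed below is constructed from
RFC 5737 documentation addresses and is not real indicator data.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Linux default net.ipv4.ip_local_port_range starts at 32768; a download
# URL on a port in that range usually means an infected device, not a
# purpose-built web server, is handing out the payload. (Assumed threshold.)
EPHEMERAL_MIN = 32768

# Constructed sample feed (RFC 5737 addresses), NOT real IOCs.
SAMPLE_FEED = """\
http://192.0.2.10:41337/Mozi.m
http://192.0.2.10:41337/Mozi.a
http://192.0.2.11:52011/Mozi.m
http://198.51.100.7/bins/mirai.mips
http://198.51.100.7/bins/mirai.mpsl
http://198.51.100.7/bins/mirai.arm7
http://198.51.100.7/bins/mirai.x86
http://198.51.100.7/sssss.sh
https://203.0.113.5/download/setup.exe
this line is not a URL
"""


def parse_feed(text):
    """Return one dict per well-formed http(s) URL in the feed."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = urlsplit(line)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # skip junk lines and non-web schemes
        try:
            port = parts.port
        except ValueError:
            continue  # malformed port such as :abc
        if port is None:
            port = 443 if parts.scheme == "https" else 80
        entries.append({
            "url": line,
            "host": parts.hostname,
            "port": port,
            "filename": parts.path.rsplit("/", 1)[-1],
        })
    return entries


def cluster_by_host(entries):
    """Group URLs by host and flag the traits the briefing keys on."""
    clusters = defaultdict(lambda: {"payloads": set(), "ports": set()})
    for e in entries:
        c = clusters[e["host"]]
        c["payloads"].add(e["filename"])
        c["ports"].add(e["port"])
    summary = []
    for host, c in clusters.items():
        summary.append({
            "host": host,
            "payload_count": len(c["payloads"]),
            "payloads": sorted(c["payloads"]),
            "ports": sorted(c["ports"]),
            # served from an ephemeral port: likely an infected peer
            "ephemeral_port": any(p >= EPHEMERAL_MIN for p in c["ports"]),
            # a shell script next to the binaries: likely a multi-arch dropper
            "has_script_dropper": any(f.endswith(".sh") for f in c["payloads"]),
        })
    # busiest hosts first: multi-payload clusters are the ones to pivot on
    summary.sort(key=lambda s: (-s["payload_count"], s["host"]))
    return summary


if __name__ == "__main__":
    for s in cluster_by_host(parse_feed(SAMPLE_FEED)):
        print(f"{s['host']:15} payloads={s['payload_count']:2} "
              f"ports={s['ports']} ephemeral={s['ephemeral_port']} "
              f"script={s['has_script_dropper']}")
```

Feed the real URL list from the briefing in place of SAMPLE_FEED and the host with the most distinct payloads, and any host serving from a five-digit port, surface at the top of the output.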
Threat actors account for the diversity of the IoT ecosystem by pre-compiling the same bot for seven or more architectures. Some shell droppers detect the host architecture (for example via uname -m or /proc/cpuinfo) and fetch only the matching binary, but many Mirai-derived droppers do not detect at all: they download every build in turn, mark it executable and run it, relying on the wrong-architecture binaries to fail. Either way the result is a high infection rate across heterogeneous devices, and a burst of sequential downloads from one host is itself a recognisable pattern.
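When a set of architecture-specific payloads is recovered, the ELF header alone tells an analyst which CPU families the campaign covers, without running or disassembling anything. The following is an added example rather than code from the briefing: it reads EI_CLASS, EI_DATA and e_machine from the standard ELF header and maps them to the families named above. The sample headers are constructed in-line with a helper (make_elf_header) and are not real malware; the filename suffixes are assumed for illustration.

```python
"""Identify the target CPU of ELF payloads from the header alone.

Added example, not from the briefing. The sample headers are constructed
in-line; they are not real malware samples.
"""
import struct

# e_machine values from the ELF specification, mapped to the families
# the briefing names. Unlisted values fall through as unknown.
EM_NAMES = {
    2: "SPARC", 18: "SPARC", 43: "SPARC",
    3: "x86", 62: "x86",
    4: "m68k",
    8: "MIPS",
    20: "PowerPC", 21: "PowerPC",
    40: "ARM", 183: "ARM",
    42: "SuperH",
}
ET_NAMES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}


def classify_elf(data):
    """Return arch/bits/endianness/type for an ELF blob, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(data[4])        # EI_CLASS
    endian = {1: "<", 2: ">"}.get(data[5])    # EI_DATA: 1 = LSB, 2 = MSB
    if bits is None or endian is None:
        return None
    # e_type and e_machine follow the 16-byte e_ident, in file byte order
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "arch": EM_NAMES.get(e_machine, "unknown(%d)" % e_machine),
        "bits": bits,
        "endian": "big" if endian == ">" else "little",
        "type": ET_NAMES.get(e_type, "other"),
        "e_machine": e_machine,
    }


def make_elf_header(e_machine, bits=32, big_endian=False, e_type=2):
    """Construct a minimal ELF header for testing (not a runnable binary)."""
    endian = ">" if big_endian else "<"
    ident = (b"\x7fELF"
             + bytes([1 if bits == 32 else 2, 2 if big_endian else 1, 1])
             + b"\x00" * 9)                      # pad e_ident to 16 bytes
    rest = struct.pack(endian + "HH", e_type, e_machine)
    size = 52 if bits == 32 else 64              # Elf32_Ehdr / Elf64_Ehdr
    return (ident + rest).ljust(size, b"\x00")


# Constructed stand-ins for a multi-architecture payload set (assumed names).
SAMPLES = {
    "bot.mips": make_elf_header(8, big_endian=True),
    "bot.mpsl": make_elf_header(8, big_endian=False),
    "bot.arm7": make_elf_header(40),
    "bot.x86": make_elf_header(3),
    "bot.ppc": make_elf_header(20, big_endian=True),
    "bot.spc": make_elf_header(2, big_endian=True),
    "bot.sh4": make_elf_header(42),
    "bot.m68k": make_elf_header(4, big_endian=True),
    "bot.x86_64": make_elf_header(62, bits=64),
    "update.exe": b"MZ\x90\x00" + b"\x00" * 60,   # PE, not ELF
}


def triage(samples):
    """Map each filename to its classification; non-ELF entries get None."""
    return {name: classify_elf(blob) for name, blob in samples.items()}


def architectures(samples):
    """Distinct CPU families present, e.g. to size a cross-arch campaign."""
    return sorted({r["arch"] for r in triage(samples).values() if r})


if __name__ == "__main__":
    for name, r in triage(SAMPLES).items():
        print(name, r)
    print("families:", architectures(SAMPLES))
```

Reading the header rather than trusting the filename matters because droppers name files arbitrarily; a payload called mirai.arm7 that classifies as MIPS is worth a second look.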
New research published on IOC enrichment strategies for security operations teams.
Analysis of available indicator enrichment services comparing free and commercial options for security operations centers. Relevant for teams investigating the malware distribution campaigns identified in this briefing.