During the 24-hour period from May 23-24, 2026, URLhaus identified 50 malicious URLs actively distributing malware, with the Mozi botnet dominating the threat landscape. This IoT-targeting botnet accounted for 88% of observed malware distribution activity, primarily through compromised routers and IoT devices in Asian IP ranges. The activity demonstrates continued exploitation of vulnerable embedded devices for botnet expansion.
Mirai variants also emerged during this period, representing 12% of malicious URLs, with infrastructure hosted on European servers (62.169.16.83) distributing multi-architecture payloads. One Windows-based threat (Amadey dropper) was observed on Ukrainian infrastructure. The concentration of Mozi activity suggests ongoing automated scanning and exploitation campaigns targeting unpatched IoT devices, particularly those with exposed management interfaces on non-standard ports.
No critical vulnerabilities, KEV additions, or infrastructure seizures were reported during this period. Security operations teams should prioritize IoT device hardening, network segmentation, and monitoring for the specific IP addresses and behavioral patterns associated with these botnet families.
Massive Mozi botnet campaign identified with 44 malicious URLs distributing ELF binaries primarily targeting MIPS architecture IoT devices across Asian networks.
44 URLs were identified distributing Mozi botnet malware, primarily 32-bit ELF MIPS binaries fetched via shell scripts (bin.sh). Source IPs were concentrated in Chinese IP ranges (42.x.x.x, 61.x.x.x, 110.x.x.x, 115.x.x.x, 119.x.x.x, 182.x.x.x, 221.x.x.x, 222.x.x.x) and used non-standard high ports (33016-59243). The distribution pattern indicates compromised routers and IoT devices serving as distribution infrastructure.
The Mozi campaign uses a two-stage infection: a bin.sh shell script is retrieved first, followed by an architecture-specific payload. The '/i' endpoint pattern suggests automated infection tooling that serves the binary matching the victim's architecture to maximize IoT device compatibility.
European-hosted infrastructure distributing Mirai botnet variants targeting multiple architectures through coordinated download campaigns.
Infrastructure at 62.169.16.83 is distributing Mirai variants compiled for multiple architectures (x86, MIPS, MPSL, M68K, SPC, ARM6) under the '/luxzzxzzx/' directory. User-agent filtering (ua-wget) suggests delivery is restricted to wget-style clients on Linux-based systems. Cross-architecture compilation indicates a botnet operation prepared to compromise a diverse range of IoT devices.
Two URLs on the Chinese IP 110.37.117.9 (port 41453) are distributing Mirai malware through the same bin.sh and '/i' endpoint pattern. This represents an additional Mirai distribution node separate from the European infrastructure.
Single Windows-based malware delivery event identified on Ukrainian server distributing Amadey dropper payloads.
A malicious executable (file_32112d735f99e00e.exe) hosted on 91.92.242.236 was identified as an Amadey dropper payload (hash prefix 9d2ca3). Amadey is a loader typically used to deploy secondary payloads including ransomware, stealers, and banking trojans. The file naming convention suggests an automated payload generation system.
Malicious Android shell script distribution identified, suggesting mobile device targeting or cross-platform attack toolkit.
The URL 176.65.139.188/3bi6zyc9/android.sh is distributing a shell script with wget user-agent filtering. The filename explicitly targets Android devices, indicating potential mobile botnet recruitment or deployment of an exploitation framework against Android-based IoT devices.
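As an added illustration of the monitoring recommended above (example code written for this summary, not tooling from URLhaus or any vendor), the following Python script scores outbound HTTP requests against the behavioral patterns described in this report: bin.sh and android.sh stager downloads, the '/i' architecture-selection endpoint, single-architecture payload names under '/luxzzxzzx/', non-standard high ports, and wget user agents. The IP addresses and paths come from the report; the proxy log format, the field layout, the treatment of any port above 1023 as "non-standard", and the alert threshold of two matching signals are assumptions.

```python
"""Score proxy/egress log lines against the Mozi/Mirai distribution patterns
described in the report. The log format below is constructed for this
example and is not a URLhaus or vendor format."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Indicators taken from the report text.
KNOWN_IPS = {"62.169.16.83", "110.37.117.9", "176.65.139.188", "91.92.242.236"}
KNOWN_PATH_FRAGMENTS = ("/luxzzxzzx/",)

# Behavioral patterns from the report.
STAGER_NAMES = {"bin.sh", "android.sh"}
ARCH_SUFFIXES = ("x86", "mips", "mpsl", "m68k", "spc", "arm6")
STANDARD_PORTS = {80, 443, 8080, 8443}  # assumption: everything else >1023 is "non-standard"

# Assumed log line layout (constructed): <ts> <src_ip> <method> <url> "<user_agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


@dataclass
class Finding:
    src_ip: str
    url: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def classify_url(url: str, user_agent: str = "") -> list:
    """Return the list of report-derived signals that a single request matches."""
    parts = urlsplit(url)
    host, port, path = parts.hostname or "", parts.port, parts.path
    name = path.rsplit("/", 1)[-1].lower()
    reasons = []
    if host in KNOWN_IPS:
        reasons.append("host is a reported distribution IP")
    if any(frag in path for frag in KNOWN_PATH_FRAGMENTS):
        reasons.append("reported payload directory")
    if name in STAGER_NAMES:
        reasons.append("shell-script stager download")
    if path == "/i":
        reasons.append("'/i' architecture-selection endpoint")
    if any(name.endswith(arch) for arch in ARCH_SUFFIXES):
        reasons.append("architecture-named payload")
    if port is not None and port > 1023 and port not in STANDARD_PORTS:
        reasons.append(f"non-standard high port {port}")
    if user_agent.lower().startswith("wget"):
        reasons.append("wget user agent (matches ua-wget filtering)")
    return reasons


def triage(lines, min_score: int = 2) -> list:
    """Parse log lines and return Findings with at least min_score signals."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole batch
        _ts, src_ip, _method, url, ua = m.groups()
        reasons = classify_url(url, ua)
        if len(reasons) >= min_score:
            findings.append(Finding(src_ip, url, reasons))
    return findings


# Constructed sample log lines; the hosts in the first three are from the report.
LOG_LINES = """\
2026-05-23T10:01:02Z 10.0.0.12 GET http://110.37.117.9:41453/bin.sh "Wget/1.21.3"
2026-05-23T10:01:05Z 10.0.0.12 GET http://110.37.117.9:41453/i "Wget/1.21.3"
2026-05-23T10:02:00Z 10.0.0.19 GET http://62.169.16.83/luxzzxzzx/mips "Wget/1.21.3"
2026-05-23T10:03:00Z 10.0.0.23 GET https://example.com/downloads/bin.sh "Mozilla/5.0"
2026-05-23T10:04:00Z 10.0.0.40 GET https://www.example.org/index.html "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for f in triage(LOG_LINES):
        print(f"{f.src_ip} -> {f.url} (score {f.score}): {'; '.join(f.reasons)}")
```

The threshold keeps a lone `bin.sh` download from a normal web host (the fourth sample line) below the alert level while the stager, '/i', and architecture-named requests to the reported hosts each accumulate several signals; a team that wants the reported IPs alone to alert can check `"host is a reported distribution IP" in f.reasons` regardless of score.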
Educational content published regarding indicator enrichment APIs for security operations centers.
A blog post analyzing the indicator-of-compromise enrichment API options available to security operations teams. It is relevant to processing the high volume of malicious URLs identified in the current threat landscape, particularly for automating triage of botnet infrastructure indicators.