During the 24-hour period from May 25-26, 2026, threat intelligence monitoring identified 49 malicious URLs actively distributing malware, with no CVE disclosures, KEV additions, or RSS articles reported. The threat landscape was dominated by two primary malware families: Mozi botnet (32 instances, 65%) and ClearFake (11 instances, 22%), with additional Amadey dropper activity and Mirai variants observed. The Mozi botnet continues to demonstrate persistent IoT targeting through exploitation of vulnerable devices, primarily affecting MIPS and ARM architectures across Asian IP ranges. ClearFake campaigns utilized compromised Hungarian domains (.hu TLD) for malware delivery, suggesting a targeted social engineering operation. The Amadey malware dropper was observed deploying secondary payloads including MaskGramStealer, indicating multi-stage infection chains designed for credential theft and persistence. The concentration of malicious activity in IoT/embedded systems and the continued abuse of legitimate infrastructure (Discord CDN) for malware hosting represent ongoing tactical trends requiring defensive attention.
Extensive Mozi botnet activity targeting IoT devices across MIPS and ARM architectures with 32 distribution URLs identified
Multiple Mozi distribution URLs targeting 32-bit MIPS IoT devices were identified, primarily hosted on Asian IP ranges (China, India). Distribution via shell scripts and direct binary downloads indicates automated exploitation of vulnerable embedded systems.
Mozi variants compiled for the ARM architecture were also detected, expanding the botnet's device compatibility. ARM targeting widens the threat surface to include routers, cameras, and other embedded systems commonly deployed in enterprise and residential networks.
32 unique IP addresses distributing Mozi malware indicate continued expansion of peer-to-peer botnet infrastructure. Geographic concentration in Asian regions (China IP ranges 110.x, 115.x, 123.x, 42.x) suggests regional exploitation campaigns targeting ISP customers with vulnerable CPE devices.
11 ClearFake malware distribution URLs identified utilizing compromised Hungarian domains for fake update delivery
ClearFake malware distributed through compromised Hungarian (.hu) domains with randomized UUID patterns in URLs. Campaign leverages fake browser update prompts to socially engineer victims into downloading malware. Domains include lestyanesfiai.hu, levelupadventure.hu, levivilaga.hu, lifealigned.hu, lifemax.hu, liftoff.hu, lilbaukft.hu, and lillafunfit.com.
Additional ClearFake distribution observed via proxy-harbor.digital and network-vector.digital infrastructure with UUID-based URL parameters. These domains likely serve as proxy/redirection layers to obscure actual malware hosting locations and complicate takedown efforts.
Amadey malware loader observed deploying multiple secondary payloads including credential stealers from compromised infrastructure
MaskGramStealer credential theft malware identified as Amadey dropper payload (file_a3b77118f5c75b2f.exe). This stealer targets browser credentials, cryptocurrency wallets, and messaging application data, representing significant data exfiltration risk.
Multiple executables dropped by the Amadey loader were detected on IP 91.92.242.236 under the /files-129312398/ directory path. Automated C2 monitoring systems flagged these as secondary payloads, indicating a multi-stage infection designed for persistence and payload modularity.
Amadey-dropped payload hosted on Discord CDN (cdn.discordapp.com), demonstrating continued abuse of legitimate content delivery networks for malware distribution. This technique bypasses reputation-based security controls and exploits trust in legitimate cloud services.
Additional Amadey payload distribution from IP 62.60.226.140 with randomized directory structure (/files/7782139129/). File naming pattern (O2LyUcP.exe) suggests obfuscation attempts to evade signature-based detection.
Mirai malware variants targeting ARM and MIPS architectures for IoT botnet recruitment
Mirai botnet infrastructure distributing malware via shell scripts (bins.sh, bin.sh) targeting Linux-based IoT devices. Observed on IPs 45.90.98.190 and 85.239.151.41 with user-agent-specific targeting (ua-wget) and directory traversal capabilities (opendir).
Mirai variants compiled for both ARM and MIPS architectures detected, indicating broad IoT device targeting. ELF binaries optimized for embedded systems suggest exploitation of default credentials or known CVEs in routers, DVRs, and IP cameras.
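The ClearFake, Amadey, Discord CDN and Mirai observations above all describe URL and request patterns a web proxy log would show. The following added example (not part of the report, written here for illustration) turns those observations into a small detection pass: the indicator sets are copied from the report, while the log format, the sample log lines, the client IPs, the Discord attachment path and the tag names are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Indicators copied from the report above. Everything else in this block
# (log format, sample lines, tag names) is constructed for the example.
CLEARFAKE_DOMAINS = {
    "lestyanesfiai.hu", "levelupadventure.hu", "levivilaga.hu", "lifealigned.hu",
    "lifemax.hu", "liftoff.hu", "lilbaukft.hu", "lillafunfit.com",
    "proxy-harbor.digital", "network-vector.digital",
}
KNOWN_HOSTS = {
    "91.92.242.236", "62.60.226.140",   # Amadey payload hosts
    "45.90.98.190", "85.239.151.41",    # Mirai shell-script hosts
}

# ClearFake URLs carry a randomized UUID; Mirai drops via bins.sh / bin.sh;
# Amadey payloads sit under /files-<digits>/ or /files/<digits>/.
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)
SHELL_SCRIPT_RE = re.compile(r"/bins?\.sh$", re.I)
AMADEY_DIR_RE = re.compile(r"^/files(?:-\d+|/\d+)/[^/]+\.exe$", re.I)

# Constructed proxy log line: timestamp, client IP, method, URL, status, quoted UA.
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def classify_url(url: str, user_agent: str = "") -> list[str]:
    """Return the detection tags that apply to one requested URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path
    tags = []
    if host in KNOWN_HOSTS:
        tags.append("known-host")
    if host in CLEARFAKE_DOMAINS:
        tags.append("clearfake-domain")
    # Compromised .hu sites (and the .digital proxy layer) serving UUID-named paths
    if UUID_RE.search(url) and (host.endswith(".hu") or host.endswith(".digital")):
        tags.append("clearfake-uuid-pattern")
    if host == "cdn.discordapp.com" and path.lower().endswith(".exe"):
        tags.append("discord-cdn-exe")
    if AMADEY_DIR_RE.match(path):
        tags.append("amadey-files-dir")
    if SHELL_SCRIPT_RE.search(path):
        tags.append("iot-shell-script")
        # Mirai droppers are fetched by wget from the infected device itself
        if user_agent.lower().startswith("wget"):
            tags.append("wget-script-fetch")
    return tags


def scan_log(lines: list[str]) -> list[dict]:
    """Parse proxy log lines and return only the requests that matched a tag."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line, skip rather than crash the pass
        ts, client, _method, url, _status, ua = m.groups()
        tags = classify_url(url, ua)
        if tags:
            findings.append({"ts": ts, "client": client, "url": url, "tags": tags})
    return findings


def tag_counts(findings: list[dict]) -> dict:
    """Count how often each tag fired, for a quick triage summary."""
    return dict(Counter(t for f in findings for t in f["tags"]))


# Constructed sample log (client IPs and the Discord attachment path are made up).
SAMPLE_LOG = [
    '2026-05-25T08:12:03Z 10.20.0.14 GET http://45.90.98.190/bins.sh 200 "Wget/1.21.1"',
    '2026-05-25T08:13:40Z 10.20.0.31 GET https://lifemax.hu/3f2a9c1e-7b4d-4e8a-9c21-0d5e6f7a8b9c 200 "Mozilla/5.0"',
    '2026-05-25T09:01:17Z 10.20.0.31 GET https://cdn.discordapp.com/attachments/111/222/update.exe 200 "Mozilla/5.0"',
    '2026-05-25T09:02:05Z 10.20.0.31 GET http://62.60.226.140/files/7782139129/O2LyUcP.exe 200 "Mozilla/5.0"',
    '2026-05-25T09:05:55Z 10.20.0.77 GET https://www.example.org/index.html 200 "Mozilla/5.0"',
    '2026-05-25T09:06:10Z 10.20.0.77 GET http://91.92.242.236/files-129312398/file_a3b77118f5c75b2f.exe 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["client"], ",".join(h["tags"]), h["url"])
    print(tag_counts(hits))
```

The host and domain sets are the brittle part of this pass and age quickly; the structural checks (UUID path on a compromised site, a shell script fetched by wget from an internal device, an executable pulled from cdn.discordapp.com, a numbered /files-.../ directory) are what keep catching the same campaigns after the IPs rotate, so a real deployment would keep both and weight them separately.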