During the period of June 7-8, 2026, threat activity focused primarily on IoT-targeted malware distribution and high-severity vulnerabilities in enterprise and consumer software. Mirai botnet variants dominated the malware landscape with 50 malicious URLs identified, primarily targeting IoT devices through remote code execution vulnerabilities. The Mozi botnet continued operations with 13 distinct infection vectors identified across multiple architectures. Nine high-severity CVEs were disclosed affecting enterprise software, IoT routers, and development libraries, with CVSS scores of 7.3-7.5. Command injection and SQL injection vulnerabilities were the most prevalent attack vectors. No critical infrastructure seizures or law enforcement operations were reported during this period. Organizations should prioritize patching GL.iNet router vulnerabilities (CVE-2026-11450, CVE-2026-11451, CVE-2026-11452) and implement network-based detection for Mirai/Mozi botnet activity.
Significant Mirai and Mozi botnet distribution activity targeting IoT devices across multiple architectures
45 malicious URLs hosted on 45.205.1.59 distributing Mirai variants targeting multiple architectures. The ELF binaries are retrieved with wget user-agent strings, consistent with automated propagation across compromised IoT devices.
13 active Mozi botnet distribution URLs identified on IP addresses 112.248.101.161, 196.189.3.1, 222.141.185.211, and others, targeting ARM and MIPS architectures with 32-bit ELF payloads delivered through automated scanning and exploitation.
Multiple ClearFake malware distribution domains identified (po6drihx.onexprobet.com, xsutsu.jamjahani2026.football, rd7o3xct.parsgoal90.com, jrekcyl.pasoor11.bet) using HTTPS for malware delivery, likely targeting browser exploitation.
TitanuimXross01.exe payload hosted on solar-sanat.net delivering PureHVNC, PureRAT, and VenomRAT trojans. Multi-stage remote access trojan delivery indicates sophisticated access maintenance capabilities.
Mirai variant with opendir capability distributed via 94.183.232.247 targeting ARM and x86 architectures, indicating file system enumeration and data exfiltration capabilities.
Nine high-severity vulnerabilities disclosed affecting IoT routers, enterprise software, and open-source libraries
Command injection vulnerability in GL.iNet GL-MT3000 router (versions up to 4.4.5) via SET_USER_PWD handler password parameter. Remotely exploitable with CVSS 7.3. Patch available in version 4.8.x.
Command injection in GL-MT3000 router (version 4.4.5) FTP protocol handler via media_dir parameter manipulation. Remote exploitation possible. Fixed in version 4.8.x.
Command injection vulnerability in GL-MT3000 router (version 4.4.5) via dev_name parameter in path normalization handler. Affects /usr/lib/oui-httpd/rpc/ library. Remote exploitation confirmed. Patched in version 4.8.x.
Integer underflow in Comodo Internet Security firewall driver (Inspect.sys) IPv6 packet parser. Allows manipulation of payload length field without validation, potentially bypassing firewall rules. CVSS 7.5.
SQL injection vulnerability in Chanjet CRM 1.0 via gblOrgID parameter in HTTP GET requests to /tools/jxf_dump_systable.php. Publicly exploitable remotely with CVSS 7.3.
Improper authorization vulnerability in erzhongxmu JeeWMS (commit 141740afb2ba14d441c82a833d0a418d07ca2d69) affecting JimuReport test-connection endpoint. Manipulation of dbType/dbDriver parameters. CVSS 7.3.
Improper authorization in Chengdu Everbrite BeikeShop (up to 1.6.0.22) Stripe plugin callback function. Request parameter manipulation allows unauthorized access. CVSS 7.3.
Type confusion vulnerability in USCiLab Cereal library (up to 1.3.2) shared pointer handler. Remotely exploitable with public exploit available. CVSS 7.3. Affects serialization/deserialization operations.
Improper validation of specified type of input in Boost Serialization (up to 1.91). Remote exploitation possible with public exploit. CVSS 7.3. Maintainer notified but no patch status confirmed.
Analysis of observed attack methodologies and malware delivery infrastructure
Coordinated use of wget user-agent strings in Mirai samples indicates automated propagation frameworks. Attackers are leveraging command injection vulnerabilities (similar to the disclosed GL.iNet CVEs) for initial access and lateral movement across IoT networks.
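As an added, defender-side illustration of the network-based detection this summary recommends (example code, not from the report or any vendor), the following Python scores a proxy or sandbox download record against the indicators described above: a wget user-agent, one of the distribution hosts named in this report, and a 32-bit ARM/MIPS ELF payload of the kind Mirai and Mozi push to IoT devices. The sample records and ELF headers are constructed for the example; only the host addresses and the wget user-agent pattern come from the report.

```python
import struct

# Distribution hosts named in the report (Mirai on 45.205.1.59 / 94.183.232.247, Mozi on the rest)
DISTRIBUTION_HOSTS = {"45.205.1.59", "94.183.232.247",
                      "112.248.101.161", "196.189.3.1", "222.141.185.211"}

# ELF e_machine values for the architectures the report mentions
E_MACHINE = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def elf_info(data: bytes):
    """Return (bitness, machine) parsed from an ELF header, or None if data is not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(data[4])        # EI_CLASS
    endian = {1: "<", 2: ">"}.get(data[5])    # EI_DATA decides how e_machine is read
    if bits is None or endian is None:
        return None
    (machine,) = struct.unpack(endian + "H", data[18:20])
    return bits, E_MACHINE.get(machine, f"unknown(0x{machine:02x})")


def assess_download(src_ip: str, host: str, user_agent: str, body: bytes) -> dict:
    """Score one download record; three or more matching indicators raise an alert."""
    reasons = []
    if user_agent.lower().startswith("wget/"):
        reasons.append("wget user-agent (automated fetch)")
    if host in DISTRIBUTION_HOSTS:
        reasons.append(f"known Mirai/Mozi distribution host {host}")
    info = elf_info(body)
    if info:
        bits, machine = info
        reasons.append(f"ELF payload: {bits}-bit {machine}")
        if bits == 32 and machine in ("ARM", "MIPS"):
            reasons.append("IoT architecture matches Mirai/Mozi targeting")
    severity = "alert" if len(reasons) >= 3 else ("notice" if reasons else "clean")
    return {"src": src_ip, "host": host, "severity": severity, "reasons": reasons}


def elf_header(bits: int, endian: str, machine: int) -> bytes:
    """Build a constructed 20-byte ELF header (magic, class, data, e_type=2, e_machine)."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1 if endian == "<" else 2, 1])
    return ident + b"\x00" * 9 + struct.pack(endian + "HH", 2, machine)


# Constructed sample records (not real captures): source IP, host, user-agent, response body
SAMPLES = [
    ("10.0.5.21", "45.205.1.59", "Wget/1.21.1", elf_header(32, "<", 0x28)),    # Mirai, ARM
    ("10.0.5.33", "196.189.3.1", "Wget/1.20.3", elf_header(32, ">", 0x08)),    # Mozi, MIPS BE
    ("10.0.7.2", "cdn.example.invalid", "Mozilla/5.0", b"<!doctype html>"),   # benign page
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(assess_download(*record))
```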