The 24-hour period from June 18-19, 2026 reveals a critical authentication bypass vulnerability in Splunk Enterprise alongside sustained malware distribution campaigns targeting IoT devices and end-user systems. The Splunk vulnerability (CVE-2026-20253) poses immediate risk as it allows unauthenticated attackers to manipulate arbitrary files through a PostgreSQL sidecar service, potentially leading to system compromise in enterprise environments.
Malware distribution activity remains dominated by Mozi botnet variants and ELF-based payloads targeting Linux and IoT infrastructure, with 50 malicious URLs identified. A secondary threat vector involves stealer malware disguised as gaming tools and cryptocurrency utilities distributed through GitHub and file-sharing platforms. The concentration of Mozi activity suggests continued exploitation of unpatched IoT devices, while social engineering campaigns leverage popular gaming platforms to deliver information-stealing malware.
Organizations running Splunk Enterprise should immediately assess their exposure to CVE-2026-20253 and implement compensating controls. Network defenders should block indicators associated with the 5.182.210.61 infrastructure serving multiple ELF payloads, and maintain vigilance against malware masquerading as legitimate gaming utilities or cryptocurrency tools.
Authentication bypass vulnerability in Splunk Enterprise enables unauthenticated file manipulation
Splunk Enterprise contains a missing-authentication-for-critical-function vulnerability that allows unauthenticated users to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. This represents a critical security control failure in enterprise logging infrastructure.
Extensive Mozi botnet activity and ELF payload distribution targeting Linux-based IoT devices
Infrastructure at 5.182.210.61 is serving 20+ distinct ELF malware payloads, with downloads carrying a wget user-agent, indicating automated infection of Linux systems and IoT devices. The multiple hash-named payloads suggest dynamic payload generation or targeting of diverse architectures.
Eleven distinct IP addresses are distributing Mozi botnet variants targeting MIPS and ARM architectures. The activity spans residential ISP ranges in China, indicating compromised consumer IoT devices being weaponized for botnet operations.
A further distribution node at 162.248.101.153 is serving ELF payloads via wget, indicating a coordinated campaign with multiple distribution nodes to ensure resilience and geographic coverage.
Social engineering campaigns distributing stealer malware through gaming and cryptocurrency lures
Multiple GitHub repositories are hosting stealer malware disguised as Valorant cheats, casino predictors, and crypto game APIs. Repositories include 'Valorant-External-Latest-3-0', 'EtherCrash.io-Casino-Predictor', and 'Mines-Predictor-Casino-Strategies'. The campaign targets the gaming community and cryptocurrency enthusiasts.
Stealer malware is being distributed via MediaFire using a filename disguised with Cyrillic characters. It is hosted on a legitimate file-sharing platform to evade reputation-based blocking.
Two domains (dancebetyek.app, pinbahiskade.com) are hosting ClearFake malware, likely using browser-based social engineering to trick users into downloading malicious payloads disguised as updates.
An executable dropped by the Amadey botnet loader is hosted at 91.92.242.236, indicating a multi-stage infection chain. Amadey typically delivers secondary payloads including ransomware, stealers, and cryptocurrency miners.
SmartLoader malware is packaged as a ZIP archive hosted in the GitHub repository 'Mines-Predictor-Casino-Strategies'. SmartLoader serves as initial-access malware that often leads to information theft and credential harvesting.
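To turn the indicators above (the ELF distribution nodes, the ClearFake domains, the Amadey host and the named GitHub repositories) into something a defender can run over proxy logs, here is an added detection example; it is not part of the report and assumes a constructed log format, constructed sample lines, and an assumed rule (rule 3) that generalises the wget-to-bare-IP behaviour beyond the IPs listed.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit
# Network indicators named in the report above (IPs and domains).
REPORT_INDICATORS = {"5.182.210.61", "162.248.101.153", "91.92.242.236",
                     "dancebetyek.app", "pinbahiskade.com"}
# GitHub repositories the report names as hosting stealer / SmartLoader payloads.
REPORT_REPOS = {"valorant-external-latest-3-0", "ethercrash.io-casino-predictor",
                "mines-predictor-casino-strategies"}
# Assumed (constructed) proxy log format:
#   <timestamp> <client_ip> <method> <url> "<user_agent>" <status> <bytes>
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
                    r'"(?P<ua>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+)$')
BARE_IP_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
HASH_PATH_RE = re.compile(r'/[0-9a-f]{8,}$')  # "hash-named" payload paths

Alert = namedtuple("Alert", "client url rule")

def match_line(line):
    """Return an Alert if a proxy log line matches one of the report's patterns, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than guess
    client, url, ua = m["client"], m["url"], m["ua"]
    lowered = url.lower()
    host = urlsplit(lowered).hostname or ""
    # Rule 1: destination is an IP or domain named in the report.
    if host in REPORT_INDICATORS:
        return Alert(client, url, "report-indicator")
    # Rule 2: download from one of the GitHub repositories named in the report.
    if host.endswith("github.com") and any(r in lowered for r in REPORT_REPOS):
        return Alert(client, url, "report-github-repo")
    # Rule 3 (assumed, behavioural, beyond the listed IPs): wget pulling a
    # hash-named file straight from a bare-IP host, the pattern the ELF campaign used.
    if ua.startswith("Wget/") and BARE_IP_RE.match(host) and HASH_PATH_RE.search(lowered):
        return Alert(client, url, "wget-bare-ip-hash-path")
    return None

def scan(lines):
    return [a for a in map(match_line, lines) if a is not None]

# Constructed sample log lines (not from the report); 203.0.113.7 is a TEST-NET address.
SAMPLE_LOG = [
    '2026-06-19T03:14:07Z 10.0.5.21 GET http://5.182.210.61/9f86d081884c7d65 "Wget/1.21.4" 200 52416',
    '2026-06-19T03:15:22Z 10.0.5.21 GET http://203.0.113.7/deadbeefcafef00d "Wget/1.21.4" 200 48120',
    '2026-06-19T08:02:11Z 10.0.7.44 GET https://github.com/someuser/Mines-Predictor-Casino-Strategies/archive/main.zip "Mozilla/5.0" 200 913004',
    '2026-06-19T08:05:00Z 10.0.7.44 GET https://www.example.com/index.html "Mozilla/5.0" 200 1502',
    '2026-06-19T09:10:00Z 10.0.9.3 GET https://dancebetyek.app/update.html "Mozilla/5.0" 200 3320',
]
```

Rule 3 will also fire on legitimate scripted downloads from bare-IP hosts, so treat it as a triage signal rather than a blocking rule.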
Analysis of attacker methodologies and infrastructure patterns observed during this period
Threat actors are extensively leveraging GitHub, MediaFire, and domain generation for malware distribution to bypass reputation-based security controls. This technique complicates detection and blocking, as organizations must balance security with legitimate business use of these platforms.