During the 24-hour period from June 19-20, 2026, threat intelligence monitoring detected significant malicious infrastructure activity focused on IoT botnet operations. A total of 47 malicious URLs were identified distributing multi-architecture malware payloads, indicating active IoT botnet campaigns targeting embedded devices. The dominant threat families observed were Mirai and Gafgyt botnets, along with continued Mozi botnet activity and ClearFake malware distribution.
Three primary malware distribution servers were identified hosting comprehensive multi-architecture payload sets spanning ARM, MIPS, x86, PowerPC, SPARC, and other embedded architectures. This broad architecture support indicates adversaries are conducting widespread scanning and exploitation campaigns against diverse IoT devices including routers, IP cameras, DVRs, and network-attached storage devices. The presence of shell scripts alongside compiled binaries suggests automated infection workflows designed for rapid propagation.
Additionally, two ClearFake malware distribution URLs were detected, representing ongoing social engineering campaigns likely targeting end users through fake browser update prompts. Organizations should prioritize securing IoT devices, implementing network segmentation, and monitoring for suspicious outbound connections to the identified malicious infrastructure.
Multiple malware distribution servers actively hosting multi-architecture IoT botnet payloads for Mirai, Gafgyt, and Mozi malware families
Server hosting 16 different architecture-specific Mirai and Gafgyt botnet payloads targeting ARM, MIPS, x86, PowerPC, SPARC, SuperH, m68k, and ARC processor architectures. All payloads were flagged with the 'opendir' and 'ua-wget' tags, indicating automated distribution methods.
Infrastructure hosting 11 malware payloads across multiple architectures (ARM, MIPS, x86, PowerPC) with shell script 'tp.sh' for automated deployment. Targets embedded Linux devices through wget-based download mechanisms.
Server hosting 17 Mirai botnet payloads with dedicated '/bins/' directory structure containing variants for all major embedded architectures. Includes payload.sh shell script for automated infection chains targeting IoT devices.
Four distinct hosts distributing 32-bit MIPS and ARM variants of the Mozi botnet malware through bin.sh shell scripts. Mozi is a peer-to-peer botnet known for targeting IoT devices and network equipment with weak credentials.
Two active ClearFake distribution URLs identified using unique session identifiers. ClearFake is a malware family that uses fake browser update prompts to trick users into downloading malicious payloads, often leading to information stealer or remote access trojan infections.
Analysis of observed malware distribution methods and targeting strategies employed by threat actors
Threat actors are deploying comprehensive architecture coverage with payloads compiled for 10+ different processor types (ARM variants, MIPS, x86/x64, PowerPC, SPARC, SuperH, m68k, ARC). This indicates automated scanning and exploitation targeting maximum IoT device diversity without prior reconnaissance of specific target architectures.
Multiple shell scripts (bin.sh, tp.sh, payload.sh) observed facilitating automated malware deployment. These scripts typically detect system architecture, download appropriate binaries, set execution permissions, and establish persistence—enabling rapid, hands-off botnet expansion.
The 'ua-wget' and 'opendir' tags indicate that adversaries are relying on the wget utility, which is present on most embedded Linux systems, to retrieve payloads from openly listed directories. This technique uses a legitimate system tool for malicious downloads, which often bypasses basic security controls and blends in with normal device update traffic.
Network-based indicators for detection and blocking of identified malicious infrastructure
Block outbound connections to identified malware distribution servers: 194.48.251.24, 137.220.242.60, 217.60.195.146, 27.44.146.69, 110.39.237.192, 115.205.177.57, 118.232.137.101. Monitor for any internal systems attempting to communicate with these addresses as indicators of potential compromise.
Block access to ClearFake malware distribution domains: fvkyh2up.testpaye.xyz and 2rvmsbh4.bet303.download. These domains serve fake browser update pages and should be added to DNS blocklists and web filtering policies. Monitor for similar domain patterns using DGA-like naming conventions.
Hunt for suspicious files matching known IoT botnet naming patterns: executables named 'arm', 'arm5', 'arm6', 'arm7', 'mips', 'mpsl', 'i486', 'i586', 'i686', 'x86_64', 'ppc', 'sh4', 'sparc', 'm68k', 'arc', 'aarch64', or scripts named 'bin.sh', 'tp.sh', 'payload.sh' downloaded from external sources.
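The hunting guidance above can be turned into a simple log triage check. The following is an added example, not part of the report: it runs the report's blocked addresses, ClearFake domains, IoT binary names and dropper script names over constructed proxy log lines in a hypothetical "timestamp source_ip "user_agent" url" format, and flags wget as the client only alongside another match.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the report above.
BLOCKED_IPS = {"194.48.251.24", "137.220.242.60", "217.60.195.146", "27.44.146.69",
               "110.39.237.192", "115.205.177.57", "118.232.137.101"}
BLOCKED_DOMAINS = {"fvkyh2up.testpaye.xyz", "2rvmsbh4.bet303.download"}
BOTNET_BINARY_NAMES = {"arm", "arm5", "arm6", "arm7", "mips", "mpsl", "i486", "i586", "i686",
                       "x86_64", "ppc", "sh4", "sparc", "m68k", "arc", "aarch64"}
DROPPER_SCRIPTS = {"bin.sh", "tp.sh", "payload.sh"}

# Hypothetical proxy log format (assumption): ts src_ip "user_agent" url
LOG_LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) "(?P<ua>[^"]*)" (?P<url>\S+)$')

def classify(line: str) -> list[str]:
    """Return the indicator categories a single log line matches (empty if clean)."""
    m = LOG_LINE_RE.match(line)
    if not m:
        return []
    url = urlparse(m.group("url"))
    host = (url.hostname or "").lower()
    basename = url.path.rsplit("/", 1)[-1].lower()  # last path component, e.g. 'mips'
    hits = []
    if host in BLOCKED_IPS:
        hits.append("blocked-ip")
    if host in BLOCKED_DOMAINS or host.endswith(tuple("." + d for d in BLOCKED_DOMAINS)):
        hits.append("clearfake-domain")
    if basename in BOTNET_BINARY_NAMES:
        hits.append("iot-binary-name")
    if basename in DROPPER_SCRIPTS:
        hits.append("dropper-script")
    # wget as the client is only corroborating context, so it is noted with another hit.
    if hits and m.group("ua").lower().startswith("wget/"):
        hits.append("ua-wget")
    return hits

def hunt(lines):
    """Return (line, hits) for every line that matches at least one indicator."""
    results = []
    for ln in lines:
        hits = classify(ln)
        if hits:
            results.append((ln, hits))
    return results

# Constructed sample log lines; 10.0.x.x and 203.0.113.9 are placeholder addresses.
SAMPLE_LOG = [
    '2026-06-19T10:02:11Z 10.0.5.17 "Wget/1.21.4" http://194.48.251.24/bins/mips',
    '2026-06-19T10:02:13Z 10.0.5.17 "Wget/1.21.4" http://203.0.113.9/tp.sh',
    '2026-06-19T11:15:40Z 10.0.8.3 "Mozilla/5.0" https://fvkyh2up.testpaye.xyz/update',
    '2026-06-19T11:16:02Z 10.0.8.3 "Mozilla/5.0" https://example.com/index.html',
]
```

Running `hunt(SAMPLE_LOG)` flags the first three lines; the second line matches only on the dropper name, which is the case the IP blocklist alone would miss.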