
⚠ Weekly Threat Advisory — Key Cybersecurity Trends You Should Know
The week of 04 May – 10 May 2026 closed with 9,366 fresh indicators of compromise mapped to 114 distinct adversaries across our intelligence pipeline. The signal is heavy in three directions: a sustained Mirai-family IoT botnet surge, a multi-cluster North Korean (DPRK, Kimsuky, ScarCruft) espionage push, and the now-familiar ClickFix / Clearfake social-engineering delivery chain dropping commodity stealers and loaders at scale. State-aligned actors from Iran (MuddyWater) and China (UAT-8302, Silver Fox, MustangPanda, PlugX) were all active in the same window — a rare alignment that warrants attention from any SOC running blue-team rotations this week.
This advisory is built directly from our ML-scored threat intelligence feed (04-May–10-May IOC-Weekly batch). Every adversary count, severity tag, CVE link, and targeted-sector breakdown below is sourced from observed indicators in the last seven days — not republished from upstream advisories. If you operate a SOC, incident-response retainer, or managed detection service, the queries at the bottom are designed to plug straight into your CloudTrail, EDR, NDR, or SIEM data lake.
For continuity with our running cyber-defence coverage, this advisory pairs naturally with our earlier deep dives on threat hunting for cloud attacks, hunting AWS identity attacks, and network threat hunting with outbound traffic. New readers should start there; returning readers can jump straight to the Featured Adversary Profiles section.
This Week in Numbers
- 9,366 IOCs indexed across 5 indicator types — URLs lead at 5,427, hashes at 3,200, domains at 613, IPs at 121, and a small set of email artifacts.
- 114 distinct adversaries active in the week — a busier week than the September 2025 average of ~85.
- Severity skew is alarming: 7,601 IOCs (81%) carry a High severity rating; 1,703 are Medium; only 62 are Low.
- By category: Malware leads with 4,487 IOCs (81 distinct families), Malware Campaigns at 1,988 (5 active campaigns), C2 infrastructure at 1,679 (17 frameworks), Threat Actors at 1,126 (7 named groups).
- State-sponsored fingerprint: DPRK alone accounts for 987 IOCs at average confidence 97 — almost certainly the highest-quality cluster in the dataset this week.
Key Trends This Week
- IoT botnet activity remains the volume leader. Mirai (2,205 IOCs) and Mozi (1,251 IOCs) together represent 37% of the week’s total — both targeting routers, DVRs, cameras, and exposed IoT gateways through weak/default credentials and a familiar bundle of CVEs (CVE-2017-17215, CVE-2018-10561, CVE-2018-10562, CVE-2014-8361, CVE-2016-6277, CVE-2015-2051, CVE-2008-4873).
- North Korean APT clusters are operating in parallel. DPRK (987 IOCs), ScarCruft (24 IOCs, including a confirmed supply-chain compromise of a Yanbian-region gaming platform), and Kimsuky / APT43 (19 IOCs) all generated fresh telemetry this week. ScarCruft’s gaming-platform trojanisation is particularly notable — it is the first time we have seen the group pivot to multi-platform (Windows + Android) supply-chain delivery at this scale.
- ClickFix / Clearfake social-engineering chains have surged. Clearfake alone contributed 1,922 IOCs — virtually all of them malicious URLs — confirming that the “paste-this-into-PowerShell” lure pattern is now the dominant initial-access route for commodity stealers (Lumma, Vidar, RemcosRAT, AgentTesla, GuLoader).
- Iranian state-sponsored activity wore ransomware clothing. A Chaos-ransomware incident in early May was traced — with moderate confidence — to MuddyWater (Seedworm/MOIS-affiliated) operating a false-flag operation. Code-signing certificates and C2 infrastructure linked the activity back to the APT.
- China-nexus operators were diverse. UAT-8302 (disclosed by external research teams) deployed a new C# variant of FinalDraft/SquidDoor against South American and southeastern European governments. Silver Fox targeted India with Income-Tax-themed phishing lures. MustangPanda and PlugX appeared in the long tail.
- Phishing-via-RMM continues to be a blind spot. The VENOMOUS#HELPER cluster (41 IOCs) abuses legitimate RMM tools — ITarian (Comodo), PDQ, SimpleHelp, Atera — for hands-on-keyboard intrusion. Detection requires baselining RMM tool usage per identity, not blocking the tools outright.
- The Oman “Nexus Operation” incident stands out: 26,000+ Ministry of Justice user records, judicial case data, registry hives (SAM and SYSTEM), and a dedicated gov.om exploit folder containing Exchange spraying and SQL Server escalation scripts. Persistent operator C2 sessions logged as recently as 10 April 2026.
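The RMM-baselining point above, as an added worked example that is not part of the advisory: it assumes process-creation events already normalized to dicts with ts/user/host/image fields, the sample events are constructed, and the executable names for the four RMM products are assumptions to replace with whatever your EDR actually reports.

```python
"""Baseline RMM tool usage per identity, then alert on everyone else.

Added example, not tooling from the advisory or from the RMM vendors.
It assumes process-creation events already normalized to dicts with the
fields ts (ISO 8601), user, host and image; the events below are
constructed, and the executable names are assumptions to adjust to what
your EDR actually reports for each product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# RMM products named in the advisory, keyed by (assumed) process image name.
RMM_IMAGES = {
    "itsmservice.exe": "ITarian",
    "pdqdeployrunner.exe": "PDQ",
    "remote access.exe": "SimpleHelp",
    "ateraagent.exe": "Atera",
}

# Constructed sample telemetry: routine admin usage during the baseline
# window, then a handful of executions in the detection window.
SAMPLE_EVENTS = [
    {"ts": "2026-04-12T09:00:00", "user": "CORP\\svc-rmm", "host": "WS-001", "image": "AteraAgent.exe"},
    {"ts": "2026-04-20T14:30:00", "user": "CORP\\svc-rmm", "host": "WS-002", "image": "AteraAgent.exe"},
    {"ts": "2026-04-25T11:05:00", "user": "CORP\\helpdesk1", "host": "WS-003", "image": "PDQDeployRunner.exe"},
    {"ts": "2026-05-02T16:45:00", "user": "CORP\\helpdesk1", "host": "WS-004", "image": "PDQDeployRunner.exe"},
    {"ts": "2026-05-06T08:10:00", "user": "CORP\\svc-rmm", "host": "WS-002", "image": "AteraAgent.exe"},
    {"ts": "2026-05-07T22:40:00", "user": "CORP\\jdoe", "host": "WS-009", "image": "Remote Access.exe"},
    {"ts": "2026-05-08T09:15:00", "user": "CORP\\jdoe", "host": "WS-009", "image": "chrome.exe"},
    {"ts": "2026-05-08T13:20:00", "user": "CORP\\helpdesk1", "host": "WS-003", "image": "AteraAgent.exe"},
]


def rmm_tool(event):
    """Return the RMM product name for an event, or None if it is not an RMM image."""
    return RMM_IMAGES.get(event["image"].lower())


def build_baseline(events, cutoff, baseline_days=30):
    """Map each RMM tool to the set of identities seen running it in the
    baseline_days before cutoff. The baseline is per tool: an identity that
    legitimately runs PDQ is not thereby expected to run Atera."""
    start = cutoff - timedelta(days=baseline_days)
    baseline = defaultdict(set)
    for e in events:
        tool = rmm_tool(e)
        ts = datetime.fromisoformat(e["ts"])
        if tool and start <= ts < cutoff:
            baseline[tool].add(e["user"].lower())
    return baseline


def hunt(events, cutoff_iso, baseline_days=30):
    """Return alerts for RMM executions at or after cutoff by identities
    that were not part of that tool's baseline."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    baseline = build_baseline(events, cutoff, baseline_days)
    alerts = []
    for e in events:
        tool = rmm_tool(e)
        if not tool or datetime.fromisoformat(e["ts"]) < cutoff:
            continue
        if e["user"].lower() not in baseline.get(tool, set()):
            alerts.append({"ts": e["ts"], "user": e["user"], "host": e["host"], "tool": tool})
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS, "2026-05-04T00:00:00"):
        print(f"{a['ts']} {a['user']} ran {a['tool']} on {a['host']} (not in baseline)")
```

A 30-day baseline is a starting point; shorten it and the baseline empties out, which is why the first days after onboarding a new EDR source are noisy.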
Threat Distribution by Severity and Category
The severity-to-volume relationship in this week’s data is consistent with what we have seen across recent advisories — the long tail is dominated by High-severity malware hashes, while Medium severity reflects the largely automated C2 sinkholing and Low severity captures unattributed phishing infrastructure.
By severity
- High: 7,601 IOCs across 93 adversaries
- Medium: 1,703 IOCs across 18 adversaries
- Low: 62 IOCs across 3 adversaries
By adversary type
- Malware (commodity + targeted): 4,487 IOCs · 81 unique families
- Malware Campaigns: 1,988 IOCs · 5 named campaigns (Clearfake, ClickFix, Nexus Operation, Operation Silent Rotor, InstallFix)
- C2 Infrastructure: 1,679 IOCs · 17 frameworks (Mozi, NanoCore, AsyncRAT, abused remote-monitoring tools, CobaltStrike, open-source C2 frameworks, njrat, Gh0stRAT, Meterpreter, VShell, DCRat, QuasarRAT, others)
- Named Threat Actors: 1,126 IOCs · 7 groups (DPRK, UAT-8302, Silver Fox, ScarCruft, Kimsuky, MuddyWater, MustangPanda)
- Phishing Campaigns: 62 IOCs · 3 named campaigns (VENOMOUS#HELPER, Operation GriefLure, code-of-conduct phishing)
- Phishing Kits: 24 IOCs · 1 kit (Phoenix)
Featured Adversary Profiles — Top 10 by IOC Volume
1. Mirai — IoT Botnet (Malware · 2,205 IOCs · High · Confidence 85)
Linux-based IoT botnet family scanning the public internet for cameras, routers, DVRs and embedded devices with weak or default credentials. Infected nodes are enrolled into operator-controlled botnets capable of large-scale DDoS and continued lateral expansion. Long-running CVE arsenal: CVE-2017-17215, CVE-2018-10561, CVE-2018-10562, CVE-2014-8361, CVE-2016-6277, CVE-2015-2051, CVE-2008-4873. MITRE TTPs: T1110, T1071, T1105, T1498.
2. Clearfake — Social-Engineering Malware Delivery (Campaign · 1,922 IOCs · High · Confidence 80)
Delivery technique that tricks users into copying attacker-supplied commands from fake error pages, “verify you are human” prompts, or compromised legitimate websites. Bypasses many automated controls because the victim executes the payload manually. Currently delivering Lumma, Vidar, RemcosRAT, and loader chains. MITRE TTPs: T1566, T1204, T1059, T1105.
3. Mozi — Peer-to-Peer IoT Botnet (C2 · 1,251 IOCs · Medium · Confidence 44)
P2P IoT botnet using a DHT-based protocol to coordinate nodes and issue commands. Spreads through brute-force on telnet and exploitation of known router/DVR/gateway vulnerabilities. Continues to operate despite the 2021 takedown attempts — nodes still beacon, still propagate. MITRE TTPs: T1190, T1110.001, T1046, T1583.005, T1105, T1498, T1071.
4. DPRK — North Korean APT Cluster (Threat Actor · 987 IOCs · High · Confidence 97)
State-aligned threat actor conducting targeted espionage against South Korea, Japan, and regional governments. Operates spearphishing with weaponised documents and LNK loaders to deliver RokRAT and custom implants. Heavy use of zero-day exploits (CVE-2018-4878, CVE-2016-4117), living-off-the-land techniques, in-memory execution, and modular backdoors. MITRE TTPs: T1190, T1105, T1041, T1082.
5. SnappyClient — Remote Access Trojan (Malware · 857 IOCs across casing variants · High · Confidence 85)
RAT enabling full remote control of compromised hosts, command execution, and data theft over persistent C2. We tracked 657 IOCs under the canonical name and 200 more under a casing variant; we recommend that SIEM correlation rules treat both as the same threat. MITRE TTPs: T1059, T1071, T1041.
6. NanoCore — Modular RAT (C2 · 135 IOCs · Medium · Confidence 44)
Modular Windows RAT delivered via malicious documents and trojanised installers. Provides remote shell, file transfer, keylogging, webcam access, persistence, and encrypted exfiltration. MITRE TTPs: T1566.001, T1204, T1059, T1105, T1071, T1041, T1056.001, T1055.
7. AgentTesla — .NET Spyware (Malware · 128 IOCs · High · Confidence 85)
Long-running .NET-based spyware in active circulation since 2014. Delivered via phishing attachments to capture keystrokes, screenshots, clipboard data, browser/email-client credentials, and system information. MITRE TTPs: T1566, T1056, T1113, T1555, T1082, T1041.
8. RemcosRAT — Commercial RAT (abused) (Malware · 126 IOCs · High · Confidence 85)
Commercial remote-administration tool repeatedly abused as a RAT in phishing campaigns. Operators use it for keylogging, credential collection, screenshots, file transfer, and command execution. MITRE TTPs: T1566, T1059, T1056, T1113, T1105, T1071, T1041.
9. Formbook — Commodity Info-Stealer (Malware · 122 IOCs · High · Confidence 85)
Long-running commodity stealer with keylogging, form-grabbing, screenshot capture, and data exfiltration. Frequently bundled with Clearfake / ClickFix lures this week. MITRE TTPs: T1056, T1005, T1105.
10. UAT-8302 — China-Nexus APT (Threat Actor · 44 IOCs · High · Confidence 97)
China-nexus APT disclosed by external research teams, targeting government entities in South America (since late 2024) and southeastern Europe (in 2025). Deploys NetDraft — a C# variant of the FinalDraft/SquidDoor backdoor family — alongside an updated CloudSorcerer backdoor previously seen against Russian government entities in 2024. The cluster overlaps with Jewelbug/REF7707/CL-STA-0049/LongNosedGoblin.
State-Sponsored Activity Spotlight
ScarCruft — North Korea-Aligned Supply-Chain Compromise
External threat researchers uncovered a multiplatform supply-chain attack by ScarCruft (APT37) targeting the Yanbian region in China — home to ethnic Koreans and a crossing point for North Korean refugees and defectors. The attack, probably ongoing since late 2024, compromised both Windows and Android components of a Yanbian-themed video-game platform, trojanising them with a backdoor. This is one of the rare publicly documented cases of a North Korean APT executing a full multi-OS supply-chain compromise of a niche regional platform. (24 IOCs · High · Confidence 97).
Kimsuky / APT43 — Credential Harvesting Against Policy and Research Orgs
North Korea-linked espionage cluster running phishing and malware campaigns against policy think-tanks, academic researchers, and journalists covering Korean Peninsula affairs. Lower volume this week (19 IOCs) but consistent activity. MITRE TTPs: T1566, T1056, T1105, T1041.
MuddyWater — Iranian APT under Ransomware False-Flag
A Chaos-ransomware incident in early May was assessed by external research teams (with moderate confidence) to be a MuddyWater (Seedworm) operation run under Chaos RaaS branding as a false flag. Code-signing certificates and C2 infrastructure linked the activity to the Iranian MOIS-affiliated APT. (19 IOCs · High · Confidence 97). The pattern matches the IRGC playbook of using cybercriminal cover for state operations.
Silver Fox — Chinese APT Targeting India with Tax Lures
External research teams attributed a sophisticated Indian Income-Tax-themed phishing campaign to Silver Fox (China-aligned). The campaign had previously been misattributed to SideWinder (India-aligned) by other vendors — a misattribution that would have caused defenders to focus on the wrong actor while the real adversary operated undetected. (32 IOCs · High · Confidence 97).
Geographic Targeting This Week
- Global / multi-region: 6,328 IOCs — primarily IoT botnet sweeps and commodity stealer chains.
- South Korea & Japan: 987 IOCs — almost entirely DPRK activity.
- Russia & Global: 82 IOCs — predominantly CloudSorcerer-style espionage tooling.
- Germany: 74 IOCs — financial-sector-aligned commodity malware.
- USA: 30 IOCs — diverse, includes RMM-abuse phishing.
- Netherlands, France, Argentina, Poland, Sweden, Australia, Canada, Singapore: single- and low-double-digit IOC counts each.
Top Targeted Industries
The “Industry Targeted” tagging across this week’s adversaries clusters into the following top profiles (counts represent IOC volumes attributed to adversaries whose victimology touches that sector):
- IoT, Telecom, Cloud Services, Enterprises, Critical Infrastructure: 2,205 (Mirai-driven)
- Enterprises, Healthcare, Government, Individuals: 1,936 (Clearfake + commodity stealers)
- ISPs, Telecom, Small Enterprises, Home Networks: 1,251 (Mozi)
- Enterprises, Individuals: 1,048 (broad RAT/stealer campaigns)
- Government, Defense: 987 (DPRK)
- Finance, Cryptocurrency, Enterprises, Individuals: 73 (Lumma/Vidar/wallet-targeting stealers)
How to Hunt These Threats in Your Environment
The seven principles below convert the dataset above into actionable detection and response posture. If you operate a mature SOC, you can lift these as scheduled hunts; if you are running a single analyst rotation, treat them as the priority queue.
- Block the Mirai/Mozi CVE bundle at perimeter and segmentation layers. If you still have unpatched Huawei, Realtek, GPON, or D-Link devices on the network, treat them as compromised until proven otherwise.
- Watch for outbound DNS to attacker domains. The ClickFix/Clearfake URL spike is unusual — a passive DNS sweep over the last 7 days against the supplied indicator list will surface infections that endpoint AV missed. We covered this hunt pattern in detail in Network Threat Hunting with Outbound Traffic.
- Baseline RMM tool usage per identity. ITarian, PDQ, SimpleHelp, Atera, remote-monitoring platforms — these are legitimate tools. The detection trick is identifying which identities should be using them, then alerting on the rest. See our authentication-events hunting guide for the baseline methodology.
- Hunt for North Korean APT TTPs even if you are not in their stated target geography. Yanbian-style supply-chain compromise spreads via dependency graphs and partner ecosystems; any South Korean software your supply chain depends on is exposure enough.
- Verify Iranian APT attribution before responding. The MuddyWater-as-Chaos-ransomware false flag is a textbook example of why incident response decisions made on adversary identity should pause for cert and infra forensics before commitment.
- Re-baseline your AWS / Azure identity and CloudTrail activity — China-nexus operators are running cloud-based espionage tooling (CloudSorcerer variants, NetDraft). Cross-reference this advisory with our Hunting AWS Identity Attacks playbook and the AWS Bedrock Threat Hunting companion piece for AI-service surfaces.
- Patch the long-tail CVEs. EternalBlue (CVE-2017-0144), Follina (CVE-2022-30190), and Equation Editor (CVE-2017-11882) are still being weaponised in 2026. Year-old patches still matter.
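The passive-DNS sweep from the second hunt above, combined with the adversary-name casing normalization recommended in the SnappyClient profile, as an added example that is not code from the advisory or the HACKFORLAB platform: it assumes the IOC export is a CSV with value,type,adversary,severity,confidence,detected columns and that DNS logs are "timestamp host query" lines, and both samples are constructed placeholders under reserved example.* domains.

```python
"""Sweep DNS query logs against a weekly IOC export and rank the hits.

Added example, not code from the advisory or the HACKFORLAB platform. It
assumes the IOC export is CSV with the columns value,type,adversary,
severity,confidence,detected and that DNS logs are "timestamp host query"
lines; both samples below are constructed placeholders, not real indicators.
"""
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}

# Constructed IOC export. It deliberately carries two casing variants of the
# same family, which the advisory says should be correlated as one threat.
IOC_CSV = """value,type,adversary,severity,confidence,detected
evil-c2.example.net,domain,SnappyClient,High,85,2026-05-09
http://loader.example.org/verify.html,url,Snappyclient,High,85,2026-05-08
botnet-node.example.com,domain,Mozi,Medium,44,2026-05-06
cdn-static.example.net,domain,Clearfake,High,80,2026-05-07
"""

# Constructed DNS query log: "<ISO timestamp> <source host> <queried name>".
DNS_LOG = """2026-05-09T10:01:00 WS-014 www.example.com
2026-05-09T10:02:11 WS-014 evil-c2.example.net
2026-05-09T10:02:12 WS-014 EVIL-C2.example.net.
2026-05-09T11:15:30 WS-021 loader.example.org
2026-05-09T12:40:05 WS-033 api.botnet-node.example.com
2026-05-09T13:00:00 WS-005 notevil-c2.example.net
"""


def normalize_name(name):
    """Lower-case a DNS name and strip the trailing root dot."""
    return name.strip().lower().rstrip(".")


def load_iocs(csv_text):
    """Return {host: ioc_row} for domain and URL indicators. URL indicators
    are reduced to their host because DNS only ever sees the name, and
    adversary names are case-folded so casing variants collapse together."""
    iocs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["type"] == "domain":
            host = normalize_name(row["value"])
        elif row["type"] == "url":
            host = normalize_name(urlsplit(row["value"]).hostname or "")
        else:
            continue  # IPs and hashes need a different data source than DNS
        row["adversary"] = row["adversary"].lower()
        row["confidence"] = int(row["confidence"])
        iocs[host] = row
    return iocs


def matching_ioc(query, iocs):
    """Match the queried name or any of its parent names label by label, so
    api.botnet-node.example.com hits an indicator for botnet-node.example.com
    while notevil-c2.example.net does not hit evil-c2.example.net."""
    labels = normalize_name(query).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return iocs[candidate]
    return None


def sweep(dns_log, csv_text):
    """Return hits ranked High over Medium over Low, then by confidence,
    then by most-recent detection, the same order the Top-20 tables use."""
    iocs = load_iocs(csv_text)
    hits = []
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        ts, host, query = line.split()
        ioc = matching_ioc(query, iocs)
        if ioc:
            hits.append({"ts": ts, "host": host, "query": query,
                         "adversary": ioc["adversary"], "severity": ioc["severity"],
                         "confidence": ioc["confidence"], "detected": ioc["detected"]})
    hits.sort(key=lambda h: (SEVERITY_RANK[h["severity"]], h["confidence"], h["detected"]),
              reverse=True)
    return hits


def hits_by_adversary(hits):
    """Count hits per case-folded adversary name for the triage summary."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["adversary"]] += 1
    return dict(counts)
```

Run it over the last seven days of resolver logs with the full export and the summary dict is the per-adversary infection count the hunt is after.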
Full Weekly IOC Summary — Top 30 Adversaries
| Adversary | Type | IP | Domain | Hash | URL | Total | Severity |
|---|---|---|---|---|---|---|---|
| Mirai | Malware | 0 | 0 | 1536 | 669 | 2205 | High |
| Clearfake | Malware_campaign | 0 | 0 | 0 | 1922 | 1922 | High |
| Mozi | C2 | 0 | 0 | 0 | 1251 | 1251 | Medium |
| DPRK | Threat Actor | 6 | 486 | 4 | 491 | 987 | High |
| SnappyClient | Malware | 0 | 0 | 24 | 633 | 657 | High |
| Snappyclient | Malware | 0 | 0 | 0 | 200 | 200 | High |
| NanoCore | C2 | 0 | 0 | 135 | 0 | 135 | Medium |
| AgentTesla | Malware | 0 | 0 | 128 | 0 | 128 | High |
| RemcosRAT | Malware | 0 | 0 | 126 | 0 | 126 | High |
| Formbook | Malware | 0 | 0 | 122 | 0 | 122 | High |
| AsyncRAT | C2 | 0 | 1 | 84 | 2 | 87 | Medium |
| C2 (unattributed) | C2 | 0 | 0 | 0 | 84 | 84 | Medium |
| PhantomStealer | Malware | 0 | 0 | 78 | 0 | 78 | High |
| a310Logger | Malware | 0 | 0 | 57 | 0 | 57 | High |
| Gafgyt | Malware | 0 | 0 | 30 | 25 | 55 | High |
| GuLoader | Malware | 0 | 0 | 51 | 0 | 51 | High |
| MassLogger | Malware | 0 | 0 | 45 | 0 | 45 | High |
| UAT-8302 | Threat Actor | 8 | 5 | 20 | 11 | 44 | High |
| VENOMOUS#HELPER | Phishing Campaign | 1 | 24 | 14 | 2 | 41 | Low |
| ValleyRAT | Malware | 0 | 0 | 39 | 0 | 39 | High |
| XWorm | Malware | 0 | 0 | 36 | 0 | 36 | High |
| remote-monitoring tools (abused) | C2 | 0 | 0 | 33 | 0 | 33 | Medium |
| Nexus Operation | Malware_campaign | 12 | 0 | 21 | 0 | 33 | High |
| DarkCloud | Malware | 0 | 0 | 33 | 0 | 33 | High |
| Silver Fox | Threat Actor | 9 | 17 | 4 | 2 | 32 | High |
| RemusStealer | Malware | 0 | 0 | 30 | 0 | 30 | High |
| NetSupport | Malware | 1 | 6 | 14 | 7 | 28 | High |
| Vidar | Malware | 0 | 2 | 21 | 4 | 27 | High |
| Lumma | Malware | 0 | 13 | 0 | 13 | 26 | High |
| ScarCruft | Threat Actor | 7 | 8 | 9 | 0 | 24 | High |
A complete 114-adversary IOC export is available on request via the contact page — we make this dataset available to qualified SOC and CERT teams free of charge.
Top 20 IOCs Per Type — 04–10 May 2026
The per-type Top 20 rankings in this section surface the highest-priority indicators of compromise observed in this week’s feed. Ranking combines severity (High over Medium over Low) and ML-derived confidence score, breaking ties by most-recent detection. IOC types with no observations for the week are intentionally omitted.
Detection ranking note: every row in the per-type Top 20 IP, domain, hash, and URL rankings carries a confidence score of 97 — these are the named-threat-actor indicators from the DPRK, Kimsuky, MuddyWater, ScarCruft, MustangPanda, and Silver Fox campaigns. The volume of Mirai, Clearfake, and Mozi IOCs (commodity malware and botnet families) is far higher, but they carry lower per-indicator confidence and are best consumed in bulk via the full feed export.
Related Reading on HACKFORLAB
- AWS Bedrock Threat Hunting — CloudTrail Log Analysis Playbook
- Threat Hunting for Cloud Attacks
- Attack Hunting Using AWS VPC Flow Logs
- Hunting AWS Identity Attacks
- Cloud Snooping Attacks
- Linux Threat Hunting using CUT, SORT, UNIQ, DIFF
- Previous Weekly Threat Advisory — 13–19 October 2025
HACKFORLAB Threat Hunt Intelligence Platform
Every adversary, indicator, and technique referenced in this advisory is operational right now on our hosted threat-hunting workbench. SOC, CERT, MSSP, and detection-engineering teams use the platform to pivot indicators against live telemetry, enrich on demand, query historical adversary attribution, and track campaign evolution week over week.
Sign in to start hunting: https://huntintel.hackforlab.com/login.html
Happy Threat Hunting
If this advisory helped your team, share it with your peers, subscribe to the feed, and send us your war stories — the more we hear from the field, the sharper the next edition gets. Stay paranoid. Stay patched. Happy threat hunting.